Query Details

Defender for Office - Email File Attachment File Extensions

MDO Email Attachment File Extensions

Query

EmailEvents
| join EmailAttachmentInfo
on $left. NetworkMessageId ==  $right.NetworkMessageId
| extend DotCount = countof(FileName,".")
| extend FileExtension = strcat(".", split(FileName,".",DotCount)[0])
| where DeliveryAction != 'Delivered'
| where DotCount > 0
| project FileName, FileExtension, FileType, DotCount, EmailDirection, ThreatTypes
| summarize Out = countif(EmailDirection == 'Outbound'),In =  countif(EmailDirection == 'Inbound'), Intra = countif(EmailDirection == 'Intra-org'), Unknown = countif(EmailDirection == 'Unknown') by FileExtension
| sort by FileExtension

About this query

Explanation

The queries provided retrieve information about email attachment formats and legacy formats.

The first query provides an overview of email attachment file extensions, including the count of outbound, inbound, intra-org, and unknown email directions for each file extension.

The second query provides details about email attachment file extensions for a specific file extension (specified in the "FileExt" variable). It includes information such as the timestamp, file name, file extension, file type, email direction, threat types, and network message ID.

The third and fourth queries focus on legacy office file formats. They retrieve information about email attachments with file extensions that belong to a predefined list of legacy office formats. The third query provides an overview of the count of outbound, inbound, intra-org, and unknown email directions for each legacy office file extension. The fourth query provides details about the email attachments, including the timestamp, file name, file extension, file type, email direction, threat types, delivery action, delivery location, detection methods, email action, threat names, and network message ID.

The fifth query retrieves details about email attachment file extensions for legacy office formats, specifically for inbound emails. It includes additional information such as the recipient email address, sender information, delivery action, delivery location, detection methods, email action, threat names, and network message ID. It also performs a left outer join with EmailPostDeliveryEvents.

The sixth query provides details about email attachment file extensions for legacy office formats, specifically for inbound emails. It includes additional information such as the recipient email address, sender information, delivery action, delivery location, detection methods, email action, threat names, and network message ID. It also summarizes the count of events by delivery location and renders a pie chart.

The seventh query focuses on file formats blocked by the policy. It retrieves details about email attachment file extensions for a predefined list of legacy office formats. It includes information such as the timestamp, recipient email address, sender information, file name, file extension, file type, email direction, threat types, delivery action, delivery location, detection methods, email action, threat names, and network message ID.

The eighth query retrieves details about legacy office files on SharePoint and OneDrive. It includes information such as the file extension and the count of files for each legacy office file extension.

The ninth query focuses on device file creation events. It retrieves details about files with legacy office file extensions that were created on devices. It includes information such as the timestamp, device name, file name, file extension, folder, initiating process file name, initiating process version info product name, initiating process account UPN, and initiating process account name.

The tenth query is a filtered version of the ninth query, specifically focusing on device file creation events related to office apps. It retrieves details about files with legacy office file extensions that were created on devices by office apps. It includes information such as the timestamp, device name, file name, file extension, folder, initiating process file name, initiating process version info product name, initiating process account UPN, and initiating process account name. It filters out certain processes like "Commvault," "System," "msiexec.exe," and "explorer.exe" and only includes files created by specific office apps (specified in the "officeapps" variable).

Details

Alex Verboon profile picture

Alex Verboon

Released: November 23, 2023

Tables

EmailEvents EmailAttachmentInfo EmailPostDeliveryEvents CloudAppEvents DeviceFileEvents

Keywords

EmailEventsEmailAttachmentInfoDotCountFileNameFileExtensionFileTypeEmailDirectionThreatTypesDeliveryActionTimestampNetworkMessageIdlegacyofficeformatsInboundDeliveryLocationDetectionMethodsEmailActionThreatNamesRecipientEmailAddressSenderFromAddressSenderMailFromAddressSenderFromDomaincount()piechartaceaniappdocmexejarregscrvbevbsCloudAppEventsActionTypeObjectTypeFileLocationRawEventDataActivityObjectsDeviceFileEventsFileInfoFolderPathFolderInitiatingProcessFileNameInitiatingProcessVersionInfoProductNameInitiatingProcessAccountUpnInitiatingProcessAccountNameWINWORD.EXEEXCEL.EXEPOWERPNT.EXESystemmsiexec.exeexplorer.exe

Operators

joinonextendcountofstrcatsplitwhereprojectsummarizecountifbysortletindynamicrenderparse_path

Actions

GitHub