
# Sentinel - Email sending limit exceeded

## Query Information

### Description

Use the query below to review 'Email sending limit exceeded' incidents and the mailboxes they involve.
### Microsoft Sentinel

```kql
// Review window and the incident title to match
let lookBack = 7d;
let IncTitle = "Email sending limit exceeded";
SecurityIncident
| where TimeGenerated > ago(lookBack)
| where Title == IncTitle
// SecurityIncident receives a new row on every update; keep only the latest row per incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// AlertIds is an array; produce one row per alert attached to the incident
| mv-expand AlertIds
| extend AlertId = tostring(AlertIds)
// Pull the alert record, which carries the entity list
| join (SecurityAlert) on $left.AlertId == $right.SystemAlertId
// Entities is a JSON array; expand it to one row per entity
| mv-expand parse_json(Entities)
| extend EType = tostring(Entities.Type)
| where EType == "mailbox"
| extend MailboxPrimaryAddress = tostring(Entities.MailboxPrimaryAddress)
| extend DisplayName = tostring(Entities.DisplayName)
```

## Explanation

This query is used to review incidents where the email sending limit has been exceeded. It looks back at incidents that occurred within the last 7 days and filters for incidents with the title "Email sending limit exceeded". Because the SecurityIncident table stores a new row each time an incident is updated, it keeps only the latest row for each incident number, then expands the alert IDs so that each attached alert becomes its own row. It joins those alert IDs to the SecurityAlert table on SystemAlertId and expands the JSON Entities array of each alert. Finally it filters for entities of type "mailbox" and retrieves the mailbox primary address and display name.
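The following variant is an added example, not part of the original page. It extends the query above to aggregate per mailbox, so a mailbox that has hit the sending limit in more than one incident during the window stands out for triage. It assumes the standard SecurityIncident `Status` column (values such as "New", "Active", "Closed"); adjust if your workspace differs.

```kql
// Added example (not from the original page): repeat mailboxes across
// 'Email sending limit exceeded' incidents in the review window.
// Assumes the standard SecurityIncident Status column.
let lookBack = 7d;
let IncTitle = "Email sending limit exceeded";
SecurityIncident
| where TimeGenerated > ago(lookBack)
| where Title == IncTitle
// Keep the latest row per incident (one row per update otherwise)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| mv-expand AlertIds
| extend AlertId = tostring(AlertIds)
// Project only the alert columns needed so TimeGenerated is not duplicated by the join
| join kind=inner (
    SecurityAlert
    | where TimeGenerated > ago(lookBack)
    | project SystemAlertId, Entities
  ) on $left.AlertId == $right.SystemAlertId
| mv-expand parse_json(Entities)
| where tostring(Entities.Type) == "mailbox"
| extend MailboxPrimaryAddress = tostring(Entities.MailboxPrimaryAddress)
// Aggregate per mailbox: how many distinct incidents, when, and how many are still open
| summarize IncidentCount = dcount(IncidentNumber),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            OpenIncidents = countif(Status == "New" or Status == "Active"),
            Incidents = make_set(IncidentNumber)
  by MailboxPrimaryAddress
| where IncidentCount > 1
| order by IncidentCount desc
```

Drop the `IncidentCount > 1` filter to list every affected mailbox with its counts rather than only repeat ones.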

## Details

Alex Verboon

Released: November 3, 2023

### Tables

SecurityIncident, SecurityAlert

### Keywords

Email,sending,limit,exceeded,incidents,lookBack,IncTitle,SecurityIncident,TimeGenerated,ago,Title,IncidentNumber,AlertIds,AlertId,SystemAlertId,parse_json,Entities,EType,mailbox,MailboxPrimaryAddress,DisplayName

### Operators

let, where, summarize, arg_max, by, mv-expand, extend, join, on, parse_json