# Malicious email delivered in Microsoft 365
### Defender For Endpoint
```kql
CloudAppEvents
| where ActionType == "TIMailData-Inline"
| extend Classification = parse_json(RawEventData).['Verdict']
| extend EmailSubject = parse_json(RawEventData).['Subject']
| extend ClassificationReason = parse_json(RawEventData).['ThreatsAndDetectionTech']
| extend ConfidentialityLevel = parse_json(RawEventData).['PhishConfidenceLevel']
| extend Recipients = parse_json(RawEventData).['Recipients']
| extend InvestigationLink = parse_json(RawEventData).['EventDeepLink']
| project-reorder
Timestamp,
EmailSubject,
Classification,
ClassificationReason,
ConfidentialityLevel,
Recipients,
InvestigationLink
```
### Sentinel
```kql
CloudAppEvents
| where ActionType == "TIMailData-Inline"
| extend Classification = parse_json(RawEventData).['Verdict']
| extend EmailSubject = parse_json(RawEventData).['Subject']
| extend ClassificationReason = parse_json(RawEventData).['ThreatsAndDetectionTech']
| extend ConfidentialityLevel = parse_json(RawEventData).['PhishConfidenceLevel']
| extend Recipients = parse_json(RawEventData).['Recipients']
| extend InvestigationLink = parse_json(RawEventData).['EventDeepLink']
| project-reorder
TimeGenerated,
EmailSubject,
Classification,
ClassificationReason,
ConfidentialityLevel,
Recipients,
InvestigationLink
```
The query lists malicious emails that were delivered to Microsoft 365 mailboxes. It filters CloudAppEvents on the ActionType "TIMailData-Inline" (the threat-intelligence mail verdict events) and extracts attributes from the RawEventData JSON: the Verdict as Classification, the Subject as EmailSubject, ThreatsAndDetectionTech as ClassificationReason, PhishConfidenceLevel as ConfidentialityLevel, the Recipients, and the EventDeepLink as InvestigationLink. The columns are then reordered so these fields appear first, in a fixed order. The Defender and Sentinel variants are identical apart from the timestamp column: Timestamp in Defender advanced hunting, TimeGenerated in Sentinel.
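To show what the extraction does on concrete events, and how it behaves when RawEventData lacks a field or is not valid JSON, here is a Python re-implementation of the same filter and projection run over a handful of constructed CloudAppEvents rows. This is an added example, not code from the original page or from the KQL repository it comes from; the sample events, the recipient addresses and the `https://security.microsoft.com/...` placeholder links are made up, and real RawEventData payloads carry many more keys than are shown here. The `time_column` parameter mirrors the one difference between the two query variants.

```python
"""Python re-implementation of the CloudAppEvents 'TIMailData-Inline' query.

Added example, not part of the original page. The sample events below are
constructed; the field names (ActionType, RawEventData, Verdict, Subject,
ThreatsAndDetectionTech, PhishConfidenceLevel, Recipients, EventDeepLink)
are the ones the KQL query above reads.
"""
import json
from typing import Any

# Column alias used by the query -> key inside the RawEventData JSON.
# Insertion order matches the query's project-reorder.
FIELD_MAP = {
    "EmailSubject": "Subject",
    "Classification": "Verdict",
    "ClassificationReason": "ThreatsAndDetectionTech",
    "ConfidentialityLevel": "PhishConfidenceLevel",
    "Recipients": "Recipients",
    "InvestigationLink": "EventDeepLink",
}

# Constructed sample rows shaped like CloudAppEvents (only the columns used).
SAMPLE_EVENTS = [
    {"Timestamp": "2023-02-14T08:01:12Z", "ActionType": "TIMailData-Inline",
     "RawEventData": json.dumps({
         "Verdict": "Phish", "Subject": "Invoice overdue - action required",
         "ThreatsAndDetectionTech": ["Phish: [URL malicious reputation]"],
         "PhishConfidenceLevel": "High",
         "Recipients": ["user1@example.com", "user2@example.com"],
         "EventDeepLink": "https://security.microsoft.com/...",  # placeholder
     })},
    # A different ActionType: must be dropped by the where clause.
    {"Timestamp": "2023-02-14T08:02:00Z", "ActionType": "MailItemsAccessed",
     "RawEventData": json.dumps({"Subject": "Weekly report"})},
    # Malware verdict: PhishConfidenceLevel is absent, so that column is null.
    {"Timestamp": "2023-02-14T08:05:41Z", "ActionType": "TIMailData-Inline",
     "RawEventData": json.dumps({
         "Verdict": "Malware", "Subject": "Scan_0221.zip",
         "ThreatsAndDetectionTech": ["Malware: [File detonation]"],
         "Recipients": ["user3@example.com"],
         "EventDeepLink": "https://security.microsoft.com/...",  # placeholder
     })},
    # RawEventData that is not JSON: in KQL, property access on the result of
    # parse_json() yields null for every field, so the row survives with
    # empty columns rather than being dropped.
    {"Timestamp": "2023-02-14T08:07:09Z", "ActionType": "TIMailData-Inline",
     "RawEventData": "not-json"},
]


def parse_json(raw: Any) -> dict[str, Any]:
    """Mimic KQL parse_json() followed by property access: anything that is not
    a JSON object behaves as an empty object, so lookups return None."""
    try:
        value = json.loads(raw)
    except (TypeError, ValueError):
        return {}
    return value if isinstance(value, dict) else {}


def malicious_mail_delivered(events: list[dict[str, Any]],
                             time_column: str = "Timestamp") -> list[dict[str, Any]]:
    """Apply the query: keep TIMailData-Inline events and project the
    extracted fields in the order of the query's project-reorder.
    time_column is 'Timestamp' for Defender advanced hunting and
    'TimeGenerated' for Sentinel, which is the only difference between
    the two query variants on the page."""
    rows = []
    for event in events:
        if event.get("ActionType") != "TIMailData-Inline":
            continue
        data = parse_json(event.get("RawEventData"))
        row = {time_column: event.get(time_column)}
        for alias, key in FIELD_MAP.items():
            row[alias] = data.get(key)  # None where the key is absent
        rows.append(row)
    return rows


def high_confidence_phish(rows: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Triage filter one might chain after the query: phish verdicts at high
    confidence. Rows whose columns are null never match."""
    return [r for r in rows
            if r["Classification"] == "Phish"
            and r["ConfidentialityLevel"] == "High"]


if __name__ == "__main__":
    for row in malicious_mail_delivered(SAMPLE_EVENTS):
        print(row)
    print("high-confidence phish:", len(high_confidence_phish(
        malicious_mail_delivered(SAMPLE_EVENTS))))
```

Running the script prints three projected rows (the MailItemsAccessed event is filtered out) and shows the malware row with a null ConfidentialityLevel and the unparsable row with every extracted column null; a downstream filter such as `high_confidence_phish` therefore sees only the first event.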

Bert-Jan Pals
Released: February 14, 2023