Query Details
Mass Incoming Email
Query
EmailEvents //--- uncomment the next line and replace example.com with your domain ---// //| where SenderFromDomain != "example.com" | summarize Recipients = dcount(RecipientEmailAddress) by SenderFromAddress, Subject, AttachmentCount, NetworkMessageId, SendTime = Timestamp | where Recipients > 50 | project-reorder Recipients, Subject | sort by SendTime desc
Explanation
This query analyzes email events and summarizes the number of recipients, sender address, subject, attachment count, network message ID, and send time. It filters out events where the sender's domain is "example.com". It then selects events with more than 50 recipients and reorders the columns to display the number of recipients and subject. Finally, it sorts the results by the send time in descending order.
Details
C.J. May
Released: January 3, 2022
Tables
EmailEvents
Keywords
EmailEvents,Recipients,SenderFromAddress,Subject,AttachmentCount,NetworkMessageId,SendTime,Timestamp
Operators
|!=summarizedcountby=where>project-reordersort bydesc