KQL Search

Query Details

Open Phish Urls In Emails

Query

let OpenPhish = externaldata (Url: string) ["https://openphish.com/feed.txt"];
EmailUrlInfo
| where Url has_any (OpenPhish)
| join EmailEvents on NetworkMessageId

Explanation

This query looks for email events that contain URLs listed in the OpenPhish feed.

Details

Benjamin Zulliger

Released: June 7, 2024

Tables

EmailUrlInfoEmailEvents

Keywords

EmailUrlInfo,Url,OpenPhish,EmailEvents,NetworkMessageId

Operators

has_anyjoin

KQL Search

Open Phish Urls In Emails

Query

Explanation

Details

Actions