Query Details

Phish Delivered

Query

EmailEvents
// High-confidence Phish/Malware verdicts on inbound mail that were still delivered
// (i.e. the action was neither quarantine nor attachment replacement)
| where ThreatTypes in ('Phish', 'Malware')
| where EmailAction !in ('Replace attachment', 'Send to quarantine')
| where EmailDirection == "Inbound"
| where ConfidenceLevel contains "High"
// --- Whitelist --- //
//| where SenderFromAddress !contains "@knowbe4.com"  // example whitelist
// --- End Whitelist --- //
// One row per distinct message (subject/threat/reason/sender/action/attachments),
// with the first and latest delivery time, the number of copies and all recipients
| summarize FirstEmail = min(Timestamp), LatestEmail = max(Timestamp), Count = count(), Recipients = make_list(RecipientEmailAddress) by
//--- Uncomment the next line to expand each email instance and time of delivery to each recipient ---//
    //Timestamp, RecipientEmailAddress, EnvelopeSenderAddress = SenderMailFromAddress,
    Subject,
    Threat = ThreatTypes,
    // First Phish detection method in the DetectionMethods JSON; empty for Malware-only rows
    Reason = extractjson("$.Phish[0]", DetectionMethods),
    HeaderFromAddress = SenderFromAddress,
    DeliveryAction,
    Attachments = AttachmentCount
| project-reorder Threat, Subject, HeaderFromAddress, Reason, Recipients
| sort by LatestEmail  // sort by defaults to descending, so the newest message comes first

Explanation

This query selects inbound rows from EmailEvents whose ThreatTypes is Phish or Malware and whose ConfidenceLevel is High, and excludes messages whose EmailAction was 'Replace attachment' or 'Send to quarantine'; what remains are high-confidence threats that were nevertheless delivered. It then summarizes the matching events per distinct message (subject, threat type, detection reason, header From address, delivery action and attachment count), computing the first and latest delivery timestamps, the number of copies seen and a list of all recipients. The commented whitelist line shows where to exclude known senders, and the commented line under summarize can be uncommented to expand the output to one row per recipient and delivery time. Because Reason reads only the Phish entry of DetectionMethods, it is blank for rows detected solely as Malware. The results are sorted by the latest delivery timestamp, newest first.

Details


C.J. May

Released: November 8, 2021

Tables

EmailEvents

Keywords

EmailEvents, ThreatTypes, Phish, Malware, EmailAction, Replace attachment, Send to quarantine, EmailDirection, Inbound, ConfidenceLevel, High, SenderFromAddress, Timestamp, RecipientEmailAddress, Threat, DetectionMethods, HeaderFromAddress, SenderMailFromAddress, Subject, DeliveryAction, AttachmentCount, LatestEmail

Operators

where, in, !in, ==, contains, summarize, min, max, count, make_list, by, project-reorder, sort by
