Query Details

Search For Webmail Users

Query

// "Search for Webmail Users"
// Column names are those of the Microsoft Sentinel DeviceNetworkEvents table
// (Defender Advanced Hunting calls the time column Timestamp instead).
DeviceNetworkEvents
// Apply the time window first so the full-text scan covers 30 days, not the whole table
| where TimeGenerated >= ago(30d)
// search scans every column for the term "webmail" (case-insensitive, whole-term match)
| search "webmail"
// Keep only connections where a remote URL/hostname was actually recorded
| where isnotempty(RemoteUrl)
| project TimeGenerated, InitiatingProcessAccountName, InitiatingProcessAccountUpn, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl

Explanation

This query returns DeviceNetworkEvents rows from the past 30 days in which any column contains the term "webmail" and a remote URL was recorded, then projects the time, the initiating account name and UPN, the initiating process, and the remote IP, port and URL. Because the search operator scans every string column rather than only RemoteUrl, a row can match on the process name or another field, so RemoteUrl should be checked before treating a hit as webmail use. Each row is one network connection, so a single user can appear many times; the output is raw material for hunting (which accounts and which processes reach webmail hosts) rather than a deduplicated list of users.
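The following is an added example, not the query above and not the author's code: the same hunt narrowed to the URL field and summarised per account and webmail host, with a flag for connections made by something other than a browser. It assumes Microsoft Sentinel column names (TimeGenerated, DeviceName) and keeps the page's 30-day window and "webmail" term; the browser allow-list is an assumption to be adjusted to the environment.

```kql
// Added example (not the original query): per-user summary of webmail hosts.
// Assumes Sentinel's DeviceNetworkEvents schema; Defender Advanced Hunting uses Timestamp.
DeviceNetworkEvents
| where TimeGenerated >= ago(30d)
| where isnotempty(RemoteUrl)
// Match on the URL field only, so a process named "webmail" cannot create a false hit
| where RemoteUrl has "webmail"
// RemoteUrl is often a bare hostname; prepend a scheme so parse_url yields a Host
| extend WebmailHost = tostring(parse_url(iff(RemoteUrl startswith "http", RemoteUrl, strcat("https://", RemoteUrl))).Host)
| summarize
    Connections = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Processes = make_set(InitiatingProcessFileName, 10),
    Devices = make_set(DeviceName, 10)
    by InitiatingProcessAccountUpn, WebmailHost
// Assumed browser allow-list: anything else reaching a webmail host deserves a closer look
| extend NonBrowserProcess = array_length(set_difference(Processes, dynamic(["msedge.exe", "chrome.exe", "firefox.exe"]))) > 0
| order by NonBrowserProcess desc, Connections desc
```

Sorting non-browser hits first surfaces scripts or tools talking to webmail hosts, which matters more for exfiltration hunting than browser traffic; the FirstSeen/LastSeen pair shows whether an account's webmail use is new or long-standing.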

Details


Muzammil Mahmood

Released: June 7, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,Webmail,Users,TimeGenerated,InitiatingProcessAccountName,InitiatingProcessAccountUpn,InitiatingProcessFileName,RemoteIP,RemotePort,RemoteUrl

Operators

search, where, isnotempty, project
