Query Details
// Find the most phished users from the last 365 days
// Data connector required for this query: Security Alert (free table that other Defender products send alert info to)
SecurityAlert
| where TimeGenerated > ago(365d)
| where ProviderName == "OATP"   // alerts raised by Defender for Office 365 (formerly Office 365 ATP)
| where AlertName in ("Email messages containing malicious URL removed after delivery", "Email messages containing phish URLs removed after delivery")
| mv-expand todynamic(Entities)   // Entities is a JSON array string; expand it to one row per entity
| project Entities
| extend User = tostring(Entities.MailboxPrimaryAddress)
| where isnotempty(User)   // drop URL, IP and other entity types that carry no mailbox address
| summarize ['Count of Phishing Attempts'] = count() by User
| order by ['Count of Phishing Attempts'] desc   // desc is the KQL default, stated explicitly here
This query finds the users who have been targeted by phishing attacks in the last 365 days. It reads the SecurityAlert table (populated through the Security Alert data connector), keeps only Defender for Office 365 alerts (ProviderName "OATP") whose name indicates a malicious or phishing URL email was removed after delivery, expands the Entities JSON array into one row per entity, extracts the mailbox address of each affected user, and counts the matching alerts per user. An alert that names several mailboxes counts once for each of them. The results are ordered by that count, descending, so the most-phished users appear first.
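The same filtering and counting logic as an added Python example (not the page's own query, which is KQL), run over a constructed handful of SecurityAlert-shaped rows; the entity Type values, the addresses and the non-OATP row are assumptions chosen to show what each filter excludes:

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Alert names the query filters on (copied from the KQL above).
PHISH_ALERT_NAMES = {
    "Email messages containing malicious URL removed after delivery",
    "Email messages containing phish URLs removed after delivery",
}

# Constructed sample rows standing in for the SecurityAlert table. Entities is a JSON
# array serialised as a string, which is why the KQL needs todynamic() before mv-expand.
# The "Type" values, addresses and hostnames are assumptions for illustration only.
NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)

def _row(days_ago, provider, alert_name, entities):
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "ProviderName": provider,
            "AlertName": alert_name, "Entities": json.dumps(entities)}

SAMPLE_ALERTS = [
    _row(3, "OATP", "Email messages containing phish URLs removed after delivery",
         [{"Type": "mailbox", "MailboxPrimaryAddress": "alice@contoso.example"},
          {"Type": "url", "Url": "https://phish.example/login"}]),
    _row(40, "OATP", "Email messages containing malicious URL removed after delivery",
         [{"Type": "mailbox", "MailboxPrimaryAddress": "alice@contoso.example"},
          {"Type": "mailbox", "MailboxPrimaryAddress": "bob@contoso.example"}]),
    _row(400, "OATP", "Email messages containing phish URLs removed after delivery",  # outside 365d
         [{"Type": "mailbox", "MailboxPrimaryAddress": "carol@contoso.example"}]),
    _row(5, "MDATP", "Suspicious PowerShell command line",  # wrong provider, not a phishing alert
         [{"Type": "host", "HostName": "ws01"}]),
    _row(2, "OATP", "Email messages containing phish URLs removed after delivery",
         [{"Type": "url", "Url": "https://phish.example/x"}]),  # no mailbox entity -> no user
]

def most_phished_users(alerts, now=NOW, lookback_days=365):
    """Python equivalent of the KQL: returns [(user, count), ...] sorted most-phished first."""
    cutoff = now - timedelta(days=lookback_days)
    counts = Counter()
    for alert in alerts:
        if alert["TimeGenerated"] <= cutoff or alert["ProviderName"] != "OATP":
            continue
        if alert["AlertName"] not in PHISH_ALERT_NAMES:
            continue
        for entity in json.loads(alert["Entities"]):            # mv-expand todynamic(Entities)
            user = str(entity.get("MailboxPrimaryAddress", ""))  # tostring(Entities.MailboxPrimaryAddress)
            if user:                                            # where isnotempty(User)
                counts[user] += 1
    return counts.most_common()                                 # order by count desc
```

Call `most_phished_users(SAMPLE_ALERTS)` to get the ranked list; only alice and bob survive the filters on the sample rows.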

Matt Zorich
Released: June 17, 2022