Query Details
//When a user is flagged for suspicious email sending patterns, retrieve all the emails they have sent around the time of the alert
//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)
//Data connector required for this query - M365 Defender - Email* tables
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProviderName == "OATP"
| where AlertName == "Suspicious email sending patterns detected"
| mv-expand todynamic(Entities)
| extend SenderFromAddress = tolower(tostring(Entities.MailboxPrimaryAddress))
| project AlertTime=TimeGenerated, SenderFromAddress
| join kind=inner (
EmailEvents
)
on SenderFromAddress
| where EmailDirection == "Outbound"
| where TimeGenerated between ((AlertTime - timespan(1h)) .. (AlertTime + timespan(1h)))
| project TimeGenerated, Subject, AttachmentCount, RecipientEmailAddress

This query retrieves all the emails sent by a user who has been flagged for suspicious email sending patterns. It uses the Security Alert and M365 Defender - Email tables as data sources. The query filters the SecurityAlert table for alerts generated in the last 7 days with the ProviderName "OATP" and AlertName "Suspicious email sending patterns detected". It then expands the Entities column, converts the MailboxPrimaryAddress to lowercase, and projects the AlertTime and SenderFromAddress columns. The query then joins the EmailEvents table on SenderFromAddress and filters for outbound emails sent within one hour either side of the AlertTime. Finally, it projects the TimeGenerated, Subject, AttachmentCount, and RecipientEmailAddress columns.
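The following is an added variant of the query above, not part of the original page: it parameterises the lookback and the window, drops the empty join keys that mv-expand produces for non-mailbox entities, and summarises the outbound mail per flagged sender for triage. It assumes the same SecurityAlert and EmailEvents schema as the original query, and that the OATP alert entities carry a MailboxPrimaryAddress field as used above.

```kql
// Added example (not the original page's query). Assumes the SecurityAlert / EmailEvents
// schema used by the query above and the MailboxPrimaryAddress entity field it relies on.
let lookback = 7d;   // how far back to look for alerts
let window = 1h;     // how far either side of the alert to pull outbound mail
let flagged =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProviderName == "OATP"
    | where AlertName == "Suspicious email sending patterns detected"
    | mv-expand todynamic(Entities)
    | extend SenderFromAddress = tolower(tostring(Entities.MailboxPrimaryAddress))
    // mv-expand yields one row per entity (mailbox, account, ip, ...);
    // keep only rows that actually carry a mailbox address so the join key is never empty
    | where isnotempty(SenderFromAddress)
    | project AlertTime = TimeGenerated, SenderFromAddress;
flagged
| join kind=inner (
    EmailEvents
    // bound the right side too, so the join does not scan the whole EmailEvents table
    | where TimeGenerated > ago(lookback + window)
    | where EmailDirection == "Outbound"
) on SenderFromAddress
| where TimeGenerated between ((AlertTime - window) .. (AlertTime + window))
// triage view: volume, distinct recipients, attachments and recipient domains per alert
| extend RecipientDomain = tostring(split(RecipientEmailAddress, "@")[1])
| summarize Messages = count(),
            Recipients = dcount(RecipientEmailAddress),
            Attachments = sum(AttachmentCount),
            RecipientDomains = make_set(RecipientDomain, 20),
            FirstSent = min(TimeGenerated),
            LastSent = max(TimeGenerated)
  by AlertTime, SenderFromAddress
| order by Attachments desc, Messages desc
```

Widen `window` if the alert fires some time after the burst of sending; the per-message detail from the original query is still available by replacing the summarize with the original project.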

Matt Zorich
Released: June 17, 2022