Query Details
let TempEmailAddresses = externaldata (mail: string)
    [@'https://raw.githubusercontent.com/jkerai1/TLD-TABL-Block/refs/heads/main/tempmail-abused%20emaildomains.txt']
    with (format=csv, ignoreFirstRecord=False);
EmailEvents
| where TimeGenerated > ago(90d)
| where SenderFromDomain has_any (TempEmailAddresses) or RecipientEmailAddress has_any (TempEmailAddresses)
// Visit https://github.com/jkerai1/TLD-TABL-Block for Block Script
This KQL (Kusto Query Language) query identifies email events that involve temporary or commonly abused email domains. Here is a breakdown of what the query does:
Load Temporary Email Domains: It first loads a list of temporary or abused email domains from a plaintext file hosted on GitHub (one domain per line, read with format=csv). This list is stored in a variable called TempEmailAddresses. Because externaldata fetches the file at query time, the workspace needs outbound access to raw.githubusercontent.com, and results change whenever the upstream list is updated.
Filter Email Events: The query then looks at email events from the EmailEvents table that occurred in the last 90 days.
Check for Matches: It keeps only the events where the sender's domain (SenderFromDomain) or the recipient's email address (RecipientEmailAddress) contains any of the domains in the TempEmailAddresses list; has_any performs term matching, so a listed domain matches as whole terms rather than as an arbitrary substring.
In essence, the query detects email communications that involve potentially suspicious or temporary email domains within the last 90 days, in either direction.
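The following is an added triage variant of the query above, not part of the original page or the jkerai1 project. It reuses the same externaldata list but matches on the exact recipient domain (extracted from RecipientEmailAddress) with the case-insensitive in~ operator, and summarises per sender so an analyst can see volume, recipient spread and delivery outcome at a glance. It assumes a Sentinel workspace (TimeGenerated column) and the standard EmailEvents schema; the column names Subject, DeliveryAction and SenderFromAddress are part of that schema.

```kql
// Added example, not the original query. Same domain list, stricter matching, summarised for triage.
let TempEmailAddresses = externaldata (mail: string)
    [@'https://raw.githubusercontent.com/jkerai1/TLD-TABL-Block/refs/heads/main/tempmail-abused%20emaildomains.txt']
    with (format=csv, ignoreFirstRecord=False);
EmailEvents
| where TimeGenerated > ago(90d)
// Pull the domain part of the recipient address so it can be compared as a whole value
| extend RecipientDomain = tostring(split(RecipientEmailAddress, '@')[1])
// in~ against the single-column list: exact, case-insensitive domain match in either direction
| where SenderFromDomain in~ (TempEmailAddresses) or RecipientDomain in~ (TempEmailAddresses)
| summarize
    Messages   = count(),
    Recipients = dcount(RecipientEmailAddress),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated),
    Subjects   = make_set(Subject, 5)
  by SenderFromAddress, SenderFromDomain, DeliveryAction
| order by Messages desc
```

Use this when the original query returns too many rows to review: a sender with many recipients and DeliveryAction of Delivered is worth a closer look, while a handful of Blocked rows usually confirms existing controls are working. Because in~ requires the whole domain to match, it will not flag subdomains of a listed domain the way has_any can; run the original query if that broader coverage is wanted.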

Jay Kerai
Released: November 11, 2024