Query Details

UNIT42 Abuse Microsoft OneNote Files On The Rise

Query

// UNIT42 - Abuse Microsoft OneNote files on the rise
// https://www.linkedin.com/posts/activity-7199081015439495168-zjvc/

// Analyzing OneNote files sent into your tenant as email attachments.

EmailAttachmentInfo
| where TimeGenerated > ago(90d)
| where FileType=="one;onenote"
| join EmailEvents on NetworkMessageId

Explanation

This KQL (Kusto Query Language) query lists Microsoft OneNote files that arrived in your organization's mailboxes as email attachments over the past 90 days. Here's a breakdown of what the query does:

  1. EmailAttachmentInfo: This table holds one row per email attachment (file name, file type, SHA256 and the NetworkMessageId of the message that carried it).
  2. Time Filter: The query keeps only rows generated in the last 90 days.
  3. File Type Filter: It keeps attachments whose FileType equals the string "one;onenote". FileType is a semicolon-separated list of the types detected for the file, and "one;onenote" is the value assigned to OneNote (.one) attachments. Because this is an exact string match, a file that is labelled differently (or only by its .one extension) would not be returned; a term match such as FileType has "onenote" is more tolerant.
  4. Join Operation: It joins the filtered attachment rows with the EmailEvents table on NetworkMessageId, which adds the sender, recipient, subject and delivery action of the message that carried each attachment. Note that the default join kind in KQL is innerunique, which matches only one left-side row per key: a message with several OneNote attachments keeps only one of them unless you write join kind=inner.

In summary, this query helps you identify and analyze OneNote files that have been sent as email attachments to your organization in the last 90 days.
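The following query is an added example and is not the query shared by the author above. It applies the two caveats from the explanation (a tolerant FileType match and an explicit inner join) and then summarizes the results per sender so that a bulk OneNote campaign stands out. It assumes the Microsoft Defender XDR tables as ingested into Microsoft Sentinel (EmailAttachmentInfo and EmailEvents, both with a TimeGenerated column) and the standard column names shown; if your tenant queries Defender XDR advanced hunting directly, replace TimeGenerated with Timestamp.

```kql
// Added example, not the original query on this page.
// Assumes the Defender XDR email tables in Microsoft Sentinel.
let lookback = 90d;
EmailAttachmentInfo
| where TimeGenerated > ago(lookback)
// FileType is a semicolon-separated list of detected types, so match on the
// "onenote" term (or on the .one extension) instead of the exact string.
| where FileType has "onenote" or FileName endswith ".one"
| project TimeGenerated, NetworkMessageId, FileName, FileType, SHA256,
          ThreatTypes, DetectionMethods
// kind=inner keeps every attachment row; the default innerunique join would
// drop additional attachments that share a NetworkMessageId.
| join kind=inner (
    EmailEvents
    | where TimeGenerated > ago(lookback)
    | project NetworkMessageId, SenderFromAddress, SenderFromDomain,
              RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation
  ) on NetworkMessageId
// One row per sender: how many messages, how many recipients, which files,
// and how many of the messages actually reached a mailbox.
| summarize Messages   = dcount(NetworkMessageId),
            Recipients = dcount(RecipientEmailAddress),
            Files      = make_set(FileName, 20),
            Delivered  = countif(DeliveryAction == "Delivered"),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated)
  by SenderFromDomain, SenderFromAddress
| order by Messages desc
```

Triage the top rows first: an external sender domain with many recipients, a short FirstSeen to LastSeen window and a non-zero Delivered count is the pattern of a OneNote-lure campaign, and the SHA256 values from the projected attachment rows can be pivoted into DeviceFileEvents to check whether any recipient opened the file.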

Details


Steven Lim

Released: August 2, 2024

Tables

EmailAttachmentInfo, EmailEvents

Keywords

EmailAttachmentInfo, EmailEvents

Operators

|, where, >, ago, ==, join, on
