# Visualize Malware Detection Reasons

## Query Information

#### Description

This query visualizes the malware detection reasons in a pie chart. It is based on the EmailPostDeliveryEvents table. This table in the advanced hunting schema contains information about post-delivery actions taken on email messages processed by Microsoft 365. Based on this information the different detection reasons are visualized.

#### References

- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailpostdeliveryevents-table?view=o365-worldwide

## Defender For Endpoint

```KQL
EmailPostDeliveryEvents
| where ThreatTypes == "Malware"
| extend DetectionMethod = tostring(extract(@'Malware":\["(.*?)"]', 1, DetectionMethods))
| summarize TotalEvents = count() by DetectionMethod
| render piechart with(title="Malware Detection Reason Overview")
```

## Sentinel

```KQL
EmailPostDeliveryEvents
| where ThreatTypes == "Malware"
| extend DetectionMethod = tostring(extract(@'Malware":\["(.*?)"]', 1, DetectionMethods))
| summarize TotalEvents = count() by DetectionMethod
| render piechart with(title="Malware Detection Reason Overview")
```
This query visualizes the different reasons for malware detection in a pie chart. It uses the EmailPostDeliveryEvents table, which contains information about actions taken on email messages processed by Microsoft 365. The query filters for malware threats and summarizes the count of events by the detection method. The resulting pie chart provides an overview of the different malware detection reasons.
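The query pulls the detection method out of the `DetectionMethods` column with a regular expression, which is convenient but has an edge case worth knowing: when the `Malware` array holds more than one method, the lazy `(.*?)` group captures everything up to the closing `"]`, so the pie chart gets a slice labelled with the joined string rather than one count per method. The Python below is an added illustration (not part of the original page or of the KQL-Search project) that runs the same summary two ways over a constructed sample of rows shaped like `EmailPostDeliveryEvents`: once by emulating the query's `tostring(extract(...))` and once by parsing the JSON and counting every method. The column layout (`{"Malware":[...]}`) is assumed from the regex in the query.

```python
import json
import re
from collections import Counter

# Constructed sample rows shaped like EmailPostDeliveryEvents (not real telemetry).
# DetectionMethods is assumed to be a JSON string keyed by threat type.
SAMPLE_EVENTS = [
    {"ThreatTypes": "Malware", "DetectionMethods": '{"Malware":["Antimalware engine"]}'},
    {"ThreatTypes": "Malware", "DetectionMethods": '{"Malware":["File detonation"]}'},
    # Two methods in one array: the regex approach mislabels this row.
    {"ThreatTypes": "Malware", "DetectionMethods": '{"Malware":["Antimalware engine","File reputation"]}'},
    # Not malware: filtered out by the where clause in both approaches.
    {"ThreatTypes": "Phish", "DetectionMethods": '{"Phish":["URL reputation"]}'},
    # Empty and malformed values, to show how each approach degrades.
    {"ThreatTypes": "Malware", "DetectionMethods": ""},
    {"ThreatTypes": "Malware", "DetectionMethods": "not json"},
]

# Same pattern as the query's extract(@'Malware":\["(.*?)"]', 1, DetectionMethods)
MALWARE_RE = re.compile(r'Malware":\["(.*?)"]')


def extract_like_kql(detection_methods):
    """Emulate tostring(extract(...)): first capture group, or "" when there is no match."""
    match = MALWARE_RE.search(detection_methods or "")
    return match.group(1) if match else ""


def summarize_regex(events):
    """Count malware rows by the regex-extracted method, as the KQL query does."""
    counts = Counter()
    for event in events:
        if event.get("ThreatTypes") != "Malware":
            continue
        counts[extract_like_kql(event.get("DetectionMethods"))] += 1
    return dict(counts)


def summarize_json(events):
    """Count malware rows per method by parsing the JSON array in full.

    Rows whose DetectionMethods is empty, malformed, or lacks a Malware
    array are bucketed as "(unknown)" instead of an empty label.
    """
    counts = Counter()
    for event in events:
        if event.get("ThreatTypes") != "Malware":
            continue
        raw = event.get("DetectionMethods") or ""
        try:
            methods = json.loads(raw).get("Malware", [])
        except (ValueError, AttributeError):
            # ValueError covers invalid JSON; AttributeError covers a non-object payload.
            methods = []
        if not methods:
            counts["(unknown)"] += 1
            continue
        for method in methods:
            counts[method] += 1
    return dict(counts)


if __name__ == "__main__":
    print("regex (as in the query):", summarize_regex(SAMPLE_EVENTS))
    print("json (per method):      ", summarize_json(SAMPLE_EVENTS))
```

The regex summary reproduces the query's slices, including the joined `Antimalware engine","File reputation` label and an empty-string slice for rows with no match. The JSON summary counts a multi-method row once per method, so the totals exceed the row count; if a one-row-one-slice chart is wanted instead, the equivalent KQL choice is `parse_json(DetectionMethods).Malware` with `mv-expand` only when that is intended.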

Bert-Jan Pals
Released: November 6, 2023