Query Details

Visualization Email Phish Detection Reasons

Query

# Visualize Phishing Detection Reasons

## Query Information

#### Description
This query visualizes the phishing detection reasons in a pie chart. It is based on the EmailPostDeliveryEvents table. This table in the advanced hunting schema contains information about post-delivery actions taken on email messages processed by Microsoft 365. Based on this information the different detection reasons are visualized.

#### References
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailpostdeliveryevents-table?view=o365-worldwide

## Defender For Endpoint
```KQL
EmailPostDeliveryEvents
| where ThreatTypes == "Phish"
| extend DetectionMethod = tostring(extract(@'Phish":\["(.*?)"]', 1, DetectionMethods))
| summarize TotalEvents = count() by DetectionMethod
| render piechart with(title="Phishing Detection Reason Overview")
```
## Sentinel
```KQL
EmailPostDeliveryEvents
| where ThreatTypes == "Phish"
| extend DetectionMethod = tostring(extract(@'Phish":\["(.*?)"]', 1, DetectionMethods))
| summarize TotalEvents = count() by DetectionMethod
| render piechart with(title="Phishing Detection Reason Overview")
```

Explanation

This query visualizes the different reasons for phishing detection in a pie chart. It uses the EmailPostDeliveryEvents table to gather information about post-delivery actions taken on email messages processed by Microsoft 365. The query filters for events where the threat type is "Phish" and then counts the occurrences of each detection method. The resulting data is then rendered as a pie chart with the title "Phishing Detection Reason Overview".
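The key step in the query is the `extract()` call, which pulls the detection method out of the JSON string in the `DetectionMethods` column with the regular expression `Phish":\["(.*?)"]`. The following is an added Python example, not part of the original page or of the author's query, that re-implements that step over a few constructed `DetectionMethods` values so the behaviour is visible offline. The sample rows and the detection-method strings are constructed for illustration and are not real telemetry. It also shows a JSON-based alternative (`summarize_expanded`) that counts each method separately when an event carries more than one.

```python
import json
import re
from collections import Counter

# Constructed sample events mimicking the ThreatTypes and DetectionMethods
# columns of EmailPostDeliveryEvents. Values are illustrative, not real data.
SAMPLE_EVENTS = [
    {"ThreatTypes": "Phish", "DetectionMethods": '{"Phish":["Spoof DMARC"]}'},
    {"ThreatTypes": "Phish", "DetectionMethods": '{"Phish":["URL malicious reputation"]}'},
    {"ThreatTypes": "Phish", "DetectionMethods": '{"Phish":["Spoof DMARC","URL malicious reputation"]}'},
    {"ThreatTypes": "Malware", "DetectionMethods": '{"Malware":["File detonation"]}'},
    {"ThreatTypes": "Phish", "DetectionMethods": '{"Phish":["Spoof DMARC"]}'},
]

# The same regular expression the KQL extract() call on the page uses.
PHISH_REGEX = re.compile(r'Phish":\["(.*?)"]')


def detection_method_regex(detection_methods: str) -> str:
    """Mirror extract(@'Phish":\\["(.*?)"]', 1, DetectionMethods): first capture group or ''."""
    match = PHISH_REGEX.search(detection_methods)
    return match.group(1) if match else ""


def detection_methods_json(detection_methods: str) -> list:
    """Parse DetectionMethods as JSON and return every entry of the "Phish" array."""
    try:
        parsed = json.loads(detection_methods)
    except json.JSONDecodeError:
        return []
    if not isinstance(parsed, dict):
        return []
    return [str(method) for method in parsed.get("Phish", [])]


def summarize_regex(events) -> dict:
    """Equivalent of: where ThreatTypes == "Phish" | extend (regex) | summarize count() by DetectionMethod."""
    counts = Counter()
    for event in events:
        if event["ThreatTypes"] != "Phish":
            continue
        counts[detection_method_regex(event["DetectionMethods"])] += 1
    return dict(counts)


def summarize_expanded(events) -> dict:
    """Same filter, but each method in a multi-element array is counted on its own."""
    counts = Counter()
    for event in events:
        if event["ThreatTypes"] != "Phish":
            continue
        for method in detection_methods_json(event["DetectionMethods"]):
            counts[method] += 1
    return dict(counts)


if __name__ == "__main__":
    # The lazy (.*?) stops at the first '"]', so an array with two entries is
    # captured as a single combined label, e.g. 'Spoof DMARC","URL malicious reputation'.
    for label, total in summarize_regex(SAMPLE_EVENTS).items():
        print(f"regex    {total:>3}  {label}")
    for label, total in summarize_expanded(SAMPLE_EVENTS).items():
        print(f"expanded {total:>3}  {label}")
```

Running this shows that the regex approach works as intended when the `Phish` array holds one entry, but a row whose array holds two entries ends up as its own combined slice in the chart. If that matters for your tenant, the equivalent KQL is to parse the column with `parse_json(DetectionMethods).Phish` and `mv-expand` it before the `summarize`, which counts each reason separately as `summarize_expanded` does here.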

Details

Bert-Jan Pals

Released: November 6, 2023

Tables

EmailPostDeliveryEvents

Keywords

EmailPostDeliveryEvents, ThreatTypes, Phish, DetectionMethod, DetectionMethods, TotalEvents, render, piechart, title

Operators

where, extend, summarize, render