Query Details

Visualize Phishing Detection Reasons

Visualization Email Phish Detection Reasons

Query

EmailPostDeliveryEvents
| where ThreatTypes == "Phish"
| extend DetectionMethod = tostring(extract(@'Phish":\["(.*?)"]', 1, DetectionMethods))
| summarize TotalEvents = count() by DetectionMethod
| render piechart with(title="Phishing Detection Reason Overview")

About this query

Visualize Phishing Detection Reasons

Query Information

Description

This query visualizes the phishing detection reasons in a piechart. This is based on the EmailPostDeliveryEvents table. This table in the advanced hunting schema contains information about post-delivery actions taken on email messages processed by Microsoft 365. Based on this information the differnt detection reasons are visualized.

References

Defender XDR

Sentinel

EmailPostDeliveryEvents
| where ThreatTypes == "Phish"
| extend DetectionMethod = tostring(extract(@'Phish":\["(.*?)"]', 1, DetectionMethods))
| summarize TotalEvents = count() by DetectionMethod
| render piechart with(title="Phishing Detection Reason Overview")

Explanation

This query is designed to create a pie chart that visualizes the reasons why emails were detected as phishing threats. It uses data from the EmailPostDeliveryEvents table, which logs actions taken on emails after they have been delivered in Microsoft 365. The query specifically looks for events where the threat type is "Phish." It extracts the detection method used to identify the phishing threat from the DetectionMethods field. The query then counts the number of events for each detection method and displays this information in a pie chart titled "Phishing Detection Reason Overview." This visualization helps in understanding the distribution of different detection methods used for identifying phishing emails.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

EmailPostDeliveryEvents

Keywords

EmailPostDeliveryEventsPhishingDetectionReasonMicrosoft365

Operators

whereextendtostringextractsummarizecountbyrenderwith

Actions

GitHub