Exchange Team Blog

Re: Exchange Online to introduce External Recipient Rate Limit

Pretty sure I've got the query ready for Custom Detection Rule. Needs to run every 12 hours (looking back at 48 hours' worth of emails) or daily (looking back at 30 days' worth).

// Accepted domains of the tenant, from the built-in advanced hunting function
let acceptedDomains = _getEXOAcceptedDomains();
// Outbound mail sent from our own domains that originated in Exchange Online
let emails = EmailEvents
| where EmailDirection =~ 'Outbound' and SenderFromDomain in~ (acceptedDomains)
| where InternetMessageId endswith "PROD.OUTLOOK.COM>";
// One row per sender per 24h window (windows anchored to a fixed reference instant,
// not to query time) that reached the 2000 external recipient mark
let offences = emails
| summarize MsgsToExtRcptOnThisDay = count() by SenderFromAddress, binDate = bin_at(Timestamp, 24h, datetime(2024-01-01 00:00:00.0-4))
| extend SenderTimeRangeCombo = strcat(SenderFromAddress, '_', binDate)
| where MsgsToExtRcptOnThisDay >= 2000;
// Join back to the raw events to pick up Timestamp and ReportId (required by a
// custom detection rule), then keep a single representative event per offending sender/day
offences
| join (
    emails
    | extend binDate2 = bin_at(Timestamp, 24h, datetime(2024-01-01 00:00:00.0-4))
    | extend SenderTimeRangeCombo = strcat(SenderFromAddress, '_', binDate2)
    | project SenderFromAddress, SenderTimeRangeCombo, Timestamp, ReportId
) on SenderTimeRangeCombo
| partition by SenderTimeRangeCombo (take 1)

My detection rule is created and set to run every 12 hours. I should know within a week or two if it's going to work. When I add a 30d Timestamp filter for the let emails = statement, it produces the expected results.

Published Dec 16, 2024
Version 1.0
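A daily variant of the rule above over the 30-day window the poster mentions, written here as an added example (not the poster's own query). The 80% early-warning band, the distinct-recipient count and the arg_max join are assumptions added for triage; the limit value and the window anchor come from the post.

```kql
// Added example (not the poster's query): daily schedule, 30 days of history,
// with the limit and an early-warning threshold parameterised in one place.
let lookback = 30d;                 // assumption: rule runs daily over 30 days
let erlLimit = 2000;                // announced External Recipient Rate limit per 24h
let warnFraction = 0.8;             // assumption: also surface senders at 80% of the limit
let acceptedDomains = _getEXOAcceptedDomains();
let emails = EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection =~ 'Outbound' and SenderFromDomain in~ (acceptedDomains)
| where InternetMessageId endswith "PROD.OUTLOOK.COM>"
| extend binDate = bin_at(Timestamp, 24h, datetime(2024-01-01 00:00:00.0-4));
// Per sender per 24h window: recipient rows delivered and how many were distinct addresses
let perDay = emails
| summarize MsgsToExtRcptOnThisDay = count(),
            DistinctExtRcpts = dcount(RecipientEmailAddress)
            by SenderFromAddress, binDate
| extend Severity = case(MsgsToExtRcptOnThisDay >= erlLimit, "Exceeded",
                         MsgsToExtRcptOnThisDay >= erlLimit * warnFraction, "Approaching",
                         "Normal")
| where Severity != "Normal";
// Attach the latest event of each offending sender/day so the result carries the
// Timestamp and ReportId columns a custom detection rule needs
perDay
| join kind=inner (
    emails
    | summarize arg_max(Timestamp, ReportId) by SenderFromAddress, binDate
) on SenderFromAddress, binDate
| project Timestamp, ReportId, SenderFromAddress, binDate,
          MsgsToExtRcptOnThisDay, DistinctExtRcpts, Severity
```

Senders flagged "Approaching" can be contacted before their mail starts being rejected, while "Exceeded" rows correspond to the condition the original rule alerts on.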

1 Comment

    JeremyTBradshaw
    Steel Contributor

    This is now tested and working. Have had the CDR successfully detect and generate alert/incident when a hosted mailbox exceeded the will-be limit: