Deleted
Nov 03, 2021
Advanced hunting on email threats
Hello to all M365 Defender gurus out there.
Disclaimer: I am new to M365 Defender and my question may be obvious for the seasoned professional.
Situation: I am using M365 Defender's Advanced hunting feature and have created a query that focuses on the identification of specific phishing emails. The emails are in an M365 Exchange environment. The query works and returns results as expected.
Challenge:
- The results table does not allow me to perform a "select all" on rows, so I have to manually place a "check mark" next to each record. Is that normal?
- When I select one or multiple email records that were returned by the query, the "take actions" options only display "Devices" and "Files". No email. The emails are in an M365 Exchange environment. Why are there no "email" actions available? Is that normal?
Goal:
I would like to utilize the custom query (see below) to identify emails of interest. Once confirmed the results are indeed malicious/unwanted emails, I would like to trigger a "remediation" action against all email records returned directly within the "Advanced Hunting" screen using the "take actions" feature. The desired "remediation" would be to delete the emails from the user's mailboxes.
Question:
- Can the goal outlined above be accomplished via the "Advanced hunting" feature in M365 Defender? If so, what am I currently doing wrong?
Modified version of the custom query:
```kql
EmailEvents
// Filter before projecting so only matching rows are shaped
| where Subject contains "(ABC001)"
| project Timestamp, Subject, SenderFromDomain, EmailAction, AttachmentCount, EmailDirection, DeliveryLocation
// Sort before limiting: "limit 100 | order by" would pick an arbitrary 100 rows and only then sort them
| order by Timestamp
| limit 100
```
David Caddick, Iron Contributor
Deleted
So just curious - have you tried using the "Threat Explorer"?
https://security.microsoft.com/threatexplorer
You can use this and search "All Emails" for "Ignite" & then in the lower half of the console you can choose Select All and the actions available are:
- Move & Delete
- Track & Notify
- Start new Submission
Track & Notify includes:
- Trigger Investigation
- Investigate Sender
- Investigate Recipient
- Add to remediation
- Contact recipients
Start new Submission includes:
- Report clean
- Report phishing
- Report malware
- Report spam
Hope that helps?
Deleted
Thank you for the suggestion. I did look at "Threat Explorer" and was happy to see the actions. However, I was hoping to utilize the power of the query language to fine-tune these hunts, as it seems the "Threat Explorer" conditions have fewer metadata fields available compared to the Advanced Hunting queries. I am simply questioning why the "take actions" feature within the Advanced Hunting results doesn't allow the same actions that "Threat Explorer" offers for emails.