Forum Discussion
KQL QR Code Phishing
let trustedDomains = dynamic(["microsoft.com"]); let imageFileTypes = dynamic(["png", "jpeg", "svg"]); EmailEvents | where EmailDirection == "Inbound" | where AttachmentCount > 0 | where not(Se...
Would arg_max work for you? e.g. Use this as your last line
| summarize count(), arg_max(TimeGenerated,Subject,FileName,SenderDisplayName, RecipientEmailAddress) by SenderFromAddress
If we swap to TimeGenerated, we can get a count of each time we see the SenderfromAddress and show with arg_max the last entry for the named columns.
| summarize count(), arg_max(TimeGenerated,Subject,FileName,SenderDisplayName, RecipientEmailAddress) by SenderFromAddress
If we swap to TimeGenerated, we can get a count of each time we see the SenderfromAddress and show with arg_max the last entry for the named columns.
TimeGenerated has error
