Forum Discussion
KQL QR Code Phishing
let trustedDomains = dynamic(["microsoft.com"]); let imageFileTypes = dynamic(["png", "jpeg", "svg"]); EmailEvents | where EmailDirection == "Inbound" | where AttachmentCount > 0 | where not(Se...
The name 'TimeGenerated' does not refer to any known column, table, variable or function
Hi, The Table EmailEvents has a TimeGenerated Column, if you are not seeing it that is strange.
This is the full code, I'm using (which is the same as you supplied apart from the last line):
let trustedDomains = dynamic(["microsoft.com"]);
let imageFileTypes = dynamic(["png", "jpeg", "svg"]);
EmailEvents
| where EmailDirection == "Inbound"
| where AttachmentCount > 0
| where not(SenderFromDomain has_any (trustedDomains))
| join EmailAttachmentInfo on NetworkMessageId
| where FileType has_any (imageFileTypes)
| summarize count(), arg_max(TimeGenerated,Subject,FileName,SenderDisplayName, RecipientEmailAddress) by SenderFromAddress
If you check the schema, do you see the Column?
- Hi I only have
Timestamp- Sorry I assumed this was in Microsoft Sentinel, if you are in Defender XDR then yes, use TimeStamp instead
- i need to add a line with regex to exclude files starting image001, image002,image003,image004.
- You could use !startswith:
| join EmailAttachmentInfo on NetworkMessageId
| where FileType has_any (imageFileTypes)
| where FileName !startswith "image"