Forum Discussion

sulaimanncs915
Copper Contributor
Jun 12, 2024

KQL Query email attachments

let domainList = externaldata(domain: string) [@""] with (format="txt"); // one domain per line in the file
let excludedDomains = datatable(excludeddomain: string) []; // Add as many domains you would like to exclude
let Timeframe = 2d; // Choose the best timeframe for your investigation
let SuspiciousEmails = EmailEvents
| where Timestamp > ago(Timeframe)
| where EmailDirection == "Outbound" // Assuming you are looking into mails sent by your organization
| extend EmailDomain = tostring(split(RecipientEmailAddress, '@')[1])
| join kind=inner (domainList) on $left.EmailDomain == $right.domain
| where EmailDomain !in (excludedDomains)
| project Timestamp, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderDisplayName, RecipientEmailAddress, EmailDomain, domain, Subject, LatestDeliveryAction;
SuspiciousEmails
| join kind=inner (EmailEvents
    | summarize count() by NetworkMessageId
    | where count_ == 1 // keep only messages sent to a single recipient
    | project NetworkMessageId
) on NetworkMessageId
| project-away NetworkMessageId1
| sort by Timestamp desc



How can I show EmailAttachmentInfo, to show the FileName or attachment that was being sent?

No replies
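One way to add the attachment details the post asks for, as an added example that is not part of the original post or a reply to it. It joins the poster's query to the EmailAttachmentInfo table on NetworkMessageId, which is the key EmailEvents and EmailAttachmentInfo share in Defender XDR advanced hunting; the FileName, FileType and SHA256 columns of EmailAttachmentInfo and the AttachmentCount column of EmailEvents are used as documented. Assumptions: the externaldata() watch-list is replaced here by a constructed datatable with RFC 2606 reserved names purely so the query is self-contained, and the excluded-domain list is likewise constructed.

```kql
// Added example, not the original poster's query: outbound mail to watch-listed
// domains, one row per message, with the attachments carried by that message.
let Timeframe = 2d;
// Constructed stand-in for the externaldata() watch-list in the original post;
// swap in externaldata(domain: string) [@"<your URL>"] with (format="txt").
let domainList = datatable(domain: string) ["example.net", "example.org"];
// Constructed exclusion list; leave it as [] to exclude nothing.
let excludedDomains = datatable(excludeddomain: string) ["example.org"];
// Collapse EmailAttachmentInfo to one row per message first. A message with
// several attachments (or several recipients) would otherwise multiply the
// rows of the main query when joined.
let Attachments = EmailAttachmentInfo
| where Timestamp > ago(Timeframe)
| summarize AttachmentNames  = make_set(FileName),
            AttachmentTypes  = make_set(FileType),
            AttachmentHashes = make_set(SHA256)
          by NetworkMessageId;
EmailEvents
| where Timestamp > ago(Timeframe)
| where EmailDirection == "Outbound"
| extend EmailDomain = tostring(split(RecipientEmailAddress, '@')[1])
| join kind=inner (domainList) on $left.EmailDomain == $right.domain
| where EmailDomain !in (excludedDomains)
// Same single-recipient filter as the original query.
| join kind=inner (EmailEvents
    | summarize Recipients = count() by NetworkMessageId
    | where Recipients == 1
    | project NetworkMessageId) on NetworkMessageId
// leftouter keeps messages without attachments (AttachmentCount == 0, empty sets);
// use kind=inner instead to list only messages that carried an attachment.
| join kind=leftouter (Attachments) on NetworkMessageId
| project Timestamp, NetworkMessageId, SenderMailFromAddress, SenderFromAddress,
          SenderDisplayName, RecipientEmailAddress, EmailDomain, Subject,
          LatestDeliveryAction, AttachmentCount,
          AttachmentNames, AttachmentTypes, AttachmentHashes
| sort by Timestamp desc
```

The SHA256 set is the column worth keeping for follow-up: it lets the same hashes be pivoted into DeviceFileEvents or checked against a blocklist without going back through the mail flow, and make_set() deduplicates it per message so a file attached twice is listed once.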
