
[Exchange Online] How many mailboxes received a specific email?

Kim Kheng Tan
Occasional Contributor

Hi,

 

I am new to Azure Sentinel. I am trying to run a query to check how many mailboxes received a particular email with a particular Subject within a time period, and I seem to have some trouble. Will you be able to help? I am not able to run it in Microsoft search as the log I am trying to look at is more than 30 days.

 

From the query I ran:

OfficeActivity
| where TimeGenerated > ago(360d)
| where OfficeWorkload == "Exchange"
| extend Subject_ = tostring(parse_json(AffectedItems)[0].Subject)
| where Subject_ == "xxxxxxxxxxx"
| summarize count() by Operation
 
So far I can see the operation summaries are all about the "delete" action. I am not interested in knowing the action taken after the email has been delivered, but I am interested in who received the email.
Will Sentinel be able to give me that visibility?
 
Thanks