[Exchange online] How many mailbox received specific email?


Hi,

 

I am new to Azure Sentinel. I am trying to run a query to check how many mailboxes received a particular email with a particular Subject within a time period, and I seem to have some trouble; will you be able to help? I am not able to run it in Microsoft search as the log I am trying to look at is more than 30 days old.

 

From the query I ran:

OfficeActivity
| where TimeGenerated > ago(360d)
| where OfficeWorkload == "Exchange"
| extend Subject_ = tostring(parse_json(AffectedItems)[0].Subject)
| where Subject_ == "xxxxxxxxxxx"
| summarize count() by Operation
 
So far I can see the operation summary is all about the "delete" action. I am not interested in knowing the action taken after the email has been delivered, but I am interested in who received the email.
Will Sentinel be able to give me that visibility?
 
Thanks
1 Reply

@Kim Kheng Tan 

 

The information regarding senders, receivers and subjects is available through the Message Trace report API. For now the Office 365 Sentinel connector does not integrate this API, but this is on the developers' road map (c.f. this post). You can still bypass this constraint by using the Message Trace report API through a Logic App. I will try to post how to do this in the next few days.

 

Now, regarding log retention, I don't think MS keeps those logs for a whole year unless you ask them to. But I'll let someone with more experience give you a hint on the subject.
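As an added example (not code from either poster or from Microsoft), the following Python shows the processing step a Logic App or script would perform on Message Trace report rows to answer the original question: how many distinct mailboxes were delivered a message with a given Subject inside a time window. The rows below are constructed sample data shaped like Message Trace report records (one row per recipient, with SenderAddress, RecipientAddress, Subject, Received and Status fields); the HTTP call itself is left out so the block runs offline, and the OData date filter format and the use of ISO-8601 timestamps in Received are assumptions about the API's output, not something stated in the thread.

```python
from datetime import datetime, timezone

# Constructed sample rows, shaped like Message Trace report API records.
# One row per recipient; alice appears twice (two copies delivered), carol was
# quarantined, dave is outside the analysis window. Not real data.
SAMPLE_ROWS = [
    {"SenderAddress": "payroll@example.net", "RecipientAddress": "alice@contoso.example",
     "Subject": "Updated payroll form", "Received": "2019-12-02T09:10:00Z", "Status": "Delivered"},
    {"SenderAddress": "payroll@example.net", "RecipientAddress": "bob@contoso.example",
     "Subject": "Updated payroll form", "Received": "2019-12-02T09:10:05Z", "Status": "Delivered"},
    {"SenderAddress": "payroll@example.net", "RecipientAddress": "alice@contoso.example",
     "Subject": "Updated payroll form", "Received": "2019-12-02T11:30:00Z", "Status": "Delivered"},
    {"SenderAddress": "payroll@example.net", "RecipientAddress": "carol@contoso.example",
     "Subject": "Updated payroll form", "Received": "2019-12-02T09:10:07Z", "Status": "Quarantined"},
    {"SenderAddress": "payroll@example.net", "RecipientAddress": "dave@contoso.example",
     "Subject": "updated payroll form", "Received": "2019-12-20T09:10:07Z", "Status": "Delivered"},
    {"SenderAddress": "it@contoso.example", "RecipientAddress": "bob@contoso.example",
     "Subject": "Maintenance window", "Received": "2019-12-02T10:00:00Z", "Status": "Delivered"},
]

# Analysis window used by the demo (UTC, half-open: start inclusive, end exclusive).
WINDOW_START = datetime(2019, 12, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2019, 12, 10, tzinfo=timezone.utc)

REPORT_ENDPOINT = "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace"


def message_trace_url(start: datetime, end: datetime) -> str:
    """Build the report URL with an OData StartDate/EndDate filter.

    The filter syntax (datetime'...' literals) is an assumption about the
    reporting web service; adjust if the service rejects it.
    """
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return (
        f"{REPORT_ENDPOINT}?$filter=StartDate eq datetime'{start.strftime(fmt)}'"
        f" and EndDate eq datetime'{end.strftime(fmt)}'"
    )


def parse_received(value: str) -> datetime:
    """Parse an ISO-8601 timestamp (assumed format of the Received field) as UTC-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize_recipients(rows, subject: str, start: datetime, end: datetime) -> dict:
    """Count distinct mailboxes that were *delivered* a message with `subject` in [start, end).

    Subject matching is case-insensitive and whitespace-trimmed, because the
    same campaign often shows small casing differences. Rows with other
    statuses (Quarantined, Failed, ...) are tallied separately so a defender
    can see how many copies were stopped before reaching a mailbox.
    """
    wanted = subject.strip().casefold()
    delivered = set()
    rows_by_status = {}
    for row in rows:
        if row.get("Subject", "").strip().casefold() != wanted:
            continue
        received = parse_received(row["Received"])
        if not (start <= received < end):
            continue
        status = row.get("Status", "Unknown")
        rows_by_status[status] = rows_by_status.get(status, 0) + 1
        if status == "Delivered":
            # Deduplicate: the report emits one row per delivery, so a mailbox
            # that got two copies must still count once.
            delivered.add(row["RecipientAddress"].casefold())
    return {
        "delivered_mailboxes": sorted(delivered),
        "delivered_count": len(delivered),
        "rows_by_status": rows_by_status,
    }


if __name__ == "__main__":
    print(message_trace_url(WINDOW_START, WINDOW_END))
    result = summarize_recipients(SAMPLE_ROWS, "Updated payroll form", WINDOW_START, WINDOW_END)
    print(f"{result['delivered_count']} mailbox(es) received it: {result['delivered_mailboxes']}")
    print("rows by status:", result["rows_by_status"])
```

The deduplication on RecipientAddress is the part that the OfficeActivity query in the question cannot provide: audit records describe what a mailbox owner did to a message afterwards, while trace rows describe delivery itself, so the distinct recipient set answers "who received it" directly. Note that this only summarizes whatever window the report service returns; it does not extend the retention the reply discusses.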