Advanced hunting on email threats


Hello to all M365 Defender gurus out there.

Disclaimer: I am new to M365 Defender and my question may be obvious for the seasoned professional.
Situation: I am using M365 Defender's Advanced hunting feature and have created a query that focuses on the identification of specific phishing emails.  The emails are in an M365 Exchange environment. The query works and returns results as expected.
Challenge:

  1. The results table does not allow me to perform a "select all" on rows, so I have to manually place a "check mark" next to each record.  Is that normal?
  2. When I select one or multiple email records that were returned by the query, the "take actions" options only display "Devices" and "Files". No email. The emails are in an M365 Exchange environment.  Why are there no "email" actions available? Is that normal?

Goal:

I would like to utilize the custom query (see below) to identify emails of interest.  Once confirmed the results are indeed malicious/unwanted emails, I would like to trigger a "remediation" action against all email records returned directly within the "Advanced Hunting" screen using the "take actions" feature.  The desired "remediation" would be to delete the emails from the user's mailboxes.
Question:

  1. Can the goal outlined above be accomplished via the "Advanced hunting" feature in M365 Defender? If so, what am I currently doing wrong?
Modified version of the custom query:
// Advanced hunting query against the EmailEvents table
EmailEvents
| project Timestamp, Subject, SenderFromDomain, EmailAction, AttachmentCount, EmailDirection, DeliveryLocation
// match the subject tag used by the phishing campaign of interest
| where (Subject contains "(ABC001)")
// sort before limiting, so the 100 rows kept are a deterministic set
// rather than an arbitrary 100 that are then sorted
| order by Timestamp
| limit 100
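An added example, not part of the original post: a variant of the query above that keeps the two columns the Advanced hunting "Take actions" pane uses to identify an individual message, NetworkMessageId and RecipientEmailAddress. That requirement is taken from the Take actions documentation for Advanced hunting, not from this page; the subject tag "(ABC001)", the 30-day window and the DeliveryAction filter are assumptions for illustration. It also sorts before limiting, so the rows kept are the most recent ones rather than an arbitrary set.

```kql
// Added example (not from the original post). Assumptions: "(ABC001)" and the
// 30-day window are placeholders; the need for NetworkMessageId and
// RecipientEmailAddress to offer email actions comes from the Take actions
// documentation, not from this page.
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| where Subject contains "(ABC001)"
// Keep only mail that actually reached a mailbox; messages that were already
// blocked or junked do not need a delete action.
| where DeliveryAction == "Delivered"
// The first two projected columns are what lets the results pane
// map each row back to a specific message in a specific mailbox.
| project NetworkMessageId, RecipientEmailAddress,
          Timestamp, SenderFromAddress, SenderFromDomain, Subject,
          DeliveryAction, DeliveryLocation, AttachmentCount, ThreatTypes
| order by Timestamp desc
| take 100
```

Before acting on the rows, it is worth confirming that the subject tag is not also used by legitimate internal mail: swap the `project` and `take` lines for `summarize count() by SenderFromAddress, SenderFromDomain` and review the sender set, then switch back to the projected form to select the rows for remediation. Any `summarize` or `project` that drops NetworkMessageId or RecipientEmailAddress removes the email actions again.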