As part of this update, we have added new columns that enable more relevant and effective investigations. These additions to the EmailEvents, EmailAttachmentInfo, and EmailPostDeliveryEvents tables are currently available in public preview.
We've made the following updates to these tables:
Note: In some cases, a record will not show all the values in this column. This can occur if a partial check was needed to return a verdict for the email.
Here are a few examples that make use of these fields:
// Check for spoofing attempts on the domain with SPF fails
EmailEvents
| where Timestamp > ago(1d) and DetectionMethods contains "spoof" and SenderFromDomain has "contoso.com"
| project Timestamp, AR = parse_json(AuthenticationDetails), NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4, ThreatTypes, DetectionMethods, ThreatNames
| evaluate bag_unpack(AR)
| where SPF == "fail"
// Identify potential exfiltration scenarios by querying outbound emails with large attachments
EmailEvents
| where EmailDirection == "Outbound" and AttachmentCount > 0
| join EmailAttachmentInfo on NetworkMessageId, RecipientEmailAddress
| where toint(FileSize) > 10000
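A further query, added here as an example and not part of the original post, that ranks inbound sender domains by failed authentication checks. It reads the AuthenticationDetails keys with tostring() rather than bag_unpack(), so a record that only had a partial check (see the note above) yields an empty string instead of a missing column. The SPF key is shown in the post; the DKIM, DMARC and CompAuth keys are assumed.

```kql
// Added example: sender domains with the most authentication failures in the last 7 days.
// Assumes AuthenticationDetails carries SPF, DKIM, DMARC and CompAuth keys (only SPF appears in the post).
EmailEvents
| where Timestamp > ago(7d) and EmailDirection == "Inbound"
| extend Auth = parse_json(AuthenticationDetails)
// tostring() on a missing key returns "", so partially checked records are kept rather than dropped
| extend SPF = tostring(Auth.SPF), DKIM = tostring(Auth.DKIM), DMARC = tostring(Auth.DMARC), CompAuth = tostring(Auth.CompAuth)
| where SPF == "fail" or DKIM == "fail" or DMARC == "fail"
| summarize Messages = count(), Recipients = dcount(RecipientEmailAddress), Senders = dcount(SenderFromAddress), SampleSubject = any(Subject)
    by SenderFromDomain, SPF, DKIM, DMARC, CompAuth
| order by Messages desc
```

Empty values in the SPF, DKIM or DMARC output columns mark records where that check was not performed, which is worth reviewing separately from explicit fails.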
Read more about Advanced Hunting here and learn about the schema for the Email tables here.
To start hunting using these enhancements, turn on public preview features for Microsoft 365 Defender. Leave a comment below for thoughts and questions, or use the feedback button in the portal.