Nov 04 2021 06:00 AM - edited Nov 04 2021 06:10 AM
Hello to all,
So what I am trying to do is to extract any items (over x days) where an AIP label has changed from Confidential to another value.
The KEY part though is that I am also trying to find out IF any of these items have been emailed by ANYONE after the AIP label change has been made...
I STILL cannot find a way to make a 'complete' match with the 'Item' associated to an email...
I have the following query, which 'maps' against the InformationProtectionEvents, EmailEvents and EmailAttachmentInfo logs:
let LabelChange = InformationProtectionEvents
| where Time > ago(4d)
| where Activity == "DowngradeLabel"
| where LabelNameBefore contains "Confidential" and LabelName !contains "Confidential"
| where ItemPath contains "http"
| extend SenderMailFromAddress = User;
let EmailItem = EmailEvents
| join kind=inner LabelChange on SenderMailFromAddress
| summarize arg_max(TimeGenerated, *) by SenderMailFromAddress;
let EmailAttachment = EmailAttachmentInfo
| join kind=inner EmailItem on SenderObjectId
| summarize arg_max(TimeGenerated, *) by SenderObjectId;
EmailAttachment
| project ItemName, ItemPath, LabelName, LabelNameBefore, User,
SenderMailFromAddress, NetworkMessageId,
FileName, FileType, SenderObjectId
It does NOT perform the 'matching' I require and I would be really open to some suggestions.
Reach out to: @Rod_Trent, @Gary Bushey, @Ofer_Shezaf
Nov 05 2021 05:16 AM
Sorry, I don't have any example data, so this is fake code:
EmailEvents
| where AttachmentCount > 0
// this detects the file and its last timestamp
| summarize arg_max(TimeGenerated, *) by SenderMailFromAddress
// add one ms to make the new time *after* the record was found
| extend endtime = TimeGenerated + 1ms
//
// now see if the item is in EmailItems within the new time period
// join to EmailItems ... by ....
// is the email item seen in this new time window?
| where TimeGenerated between (endtime .. now())
We could also use a datatable to fake the tables you are using. This is what I think EmailEvents may look like (or the key columns at least):
let EmailEvents = datatable(AttachmentCount:int, TimeGenerated:datetime, SenderMailFromAddress:string)
[
0, datetime(2021-11-04T11:36:42.6616095Z), "clive@fake.com",
1, datetime(2021-11-03T12:30:53.4764186Z), "clive@morefake.com",
2, datetime(2021-11-02T12:30:53.4764186Z), "clive@morefake.com"
];
EmailEvents
| where AttachmentCount > 0
| summarize arg_max(TimeGenerated, *) by SenderMailFromAddress
| extend endtime = TimeGenerated + 1ms
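Putting the two ideas in this thread together (the label-downgrade filter from the question and the "only emails sent after the record was found" time window from the reply), here is an added, self-contained KQL example. It is not code from either post: the three datatables are constructed stand-ins for InformationProtectionEvents, EmailEvents and EmailAttachmentInfo, using the column names that appear in the question; RecipientEmailAddress, the fixed windowStart date and the sample values are assumptions for the example. The match is made on the item name (ItemName vs. FileName) and on time (email sent after the downgrade), rather than on the sender, because the requirement is to catch ANYONE emailing the item.

```kusto
// Constructed sample data (not real events). In production, replace the three
// datatables with the real tables and 'windowStart' with ago(<x>d).
let windowStart = datetime(2021-11-01T00:00:00Z);
let LabelChanges = datatable(TimeGenerated:datetime, Activity:string, User:string, ItemName:string, ItemPath:string, LabelNameBefore:string, LabelName:string)
[
    datetime(2021-11-03T09:00:00Z), "DowngradeLabel", "alice@contoso.example", "plan.docx",   "https://contoso.example/sites/docs/plan.docx",  "Confidential", "General",
    datetime(2021-11-03T10:00:00Z), "DowngradeLabel", "bob@contoso.example",   "budget.xlsx", "https://contoso.example/sites/fin/budget.xlsx", "Confidential", "General",
    datetime(2021-11-03T11:00:00Z), "UpgradeLabel",   "carol@contoso.example", "notes.docx",  "https://contoso.example/sites/docs/notes.docx", "General",      "Confidential"
];
let Emails = datatable(TimeGenerated:datetime, NetworkMessageId:string, SenderMailFromAddress:string, SenderObjectId:string, RecipientEmailAddress:string, AttachmentCount:int)
[
    datetime(2021-11-03T12:00:00Z), "msg-1", "alice@contoso.example", "obj-alice", "partner@external.example", 1, // sent after alice's downgrade -> match
    datetime(2021-11-02T12:00:00Z), "msg-2", "bob@contoso.example",   "obj-bob",   "partner@external.example", 1, // sent before the downgrade -> no match
    datetime(2021-11-04T08:00:00Z), "msg-3", "dave@contoso.example",  "obj-dave",  "partner@external.example", 1  // someone else, after the downgrade -> match
];
let Attachments = datatable(TimeGenerated:datetime, NetworkMessageId:string, FileName:string, FileType:string, SenderObjectId:string)
[
    datetime(2021-11-03T12:00:00Z), "msg-1", "plan.docx",   "docx", "obj-alice",
    datetime(2021-11-02T12:00:00Z), "msg-2", "budget.xlsx", "xlsx", "obj-bob",
    datetime(2021-11-04T08:00:00Z), "msg-3", "budget.xlsx", "xlsx", "obj-dave"
];
// Step 1: label downgrades away from Confidential inside the lookback window.
let Downgraded = LabelChanges
    | where TimeGenerated > windowStart
    | where Activity == "DowngradeLabel"
    | where LabelNameBefore has "Confidential" and LabelName !has "Confidential"
    | project ChangeTime = TimeGenerated, ChangedBy = User, ItemName, ItemPath, LabelNameBefore, LabelName;
// Step 2: emails with their attachments. NetworkMessageId is the key shared by
// EmailEvents and EmailAttachmentInfo, so the join is on the message, not the sender.
let SentAttachments = Emails
    | where TimeGenerated > windowStart
    | where AttachmentCount > 0
    | join kind=inner (Attachments | project NetworkMessageId, FileName, FileType) on NetworkMessageId
    | project SentTime = TimeGenerated, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, FileName, FileType;
// Step 3: tie the attachment back to the downgraded item by name, then keep only
// emails sent after the downgrade (the "new time window" idea from the reply).
Downgraded
| join kind=inner SentAttachments on $left.ItemName == $right.FileName
| where SentTime > ChangeTime
| project ChangeTime, ChangedBy, ItemName, ItemPath, LabelNameBefore, LabelName,
          SentTime, SenderMailFromAddress, RecipientEmailAddress, NetworkMessageId, FileType
| order by SentTime asc
// With the sample data this returns msg-1 (plan.docx, alice) and msg-3 (budget.xlsx, dave);
// msg-2 is dropped because it was sent before the label was downgraded.
```

Two caveats worth keeping in mind when moving this to real data: matching on file name is the only key the label events and attachment records share in the columns shown, so a renamed copy of the item will not be caught, and the time comparison only finds emails after the most recent downgrade if the same item is downgraded more than once (add a summarize arg_min on ChangeTime per ItemPath before the join if you want the earliest). Also note that join kind=inner silently drops any downgraded item that was never emailed, which is usually what you want for an alert but not for a full audit list.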