Nov 16 2023 02:29 PM
Hi, the table EmailEvents has a TimeGenerated column; if you are not seeing it, that is strange.
This is the full code I'm using (which is the same as you supplied apart from the last line):
let trustedDomains = dynamic(["microsoft.com"]);
let imageFileTypes = dynamic(["png", "jpeg", "svg"]);
EmailEvents
| where EmailDirection == "Inbound"
| where AttachmentCount > 0
| where not(SenderFromDomain has_any (trustedDomains))
| join EmailAttachmentInfo on NetworkMessageId
| where FileType has_any (imageFileTypes)
| summarize count(), arg_max(TimeGenerated, Subject, FileName, SenderDisplayName, RecipientEmailAddress) by SenderFromAddress
If you check the schema, do you see the column?