
KQL Query email attachments


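// Outbound mail whose recipient domain appears on a public spam-domain list,
// restricted to single-recipient messages, with attachment metadata joined in.
// Input tables: EmailEvents and EmailAttachmentInfo (advanced hunting schema).
// NOTE: domainList is fetched at query time from a third-party repository, so the
// result is only as trustworthy as that list; consider mirroring it somewhere you control.
let domainList = externaldata(domain: string) [@"https://raw.githubusercontent.com/tsirolnik/spam-domains-list/master/spamdomains.txt"] with (format="txt")
    | project domain = tolower(trim(@"\s+", domain)) // == is case-sensitive and txt lines may carry stray whitespace
    | where isnotempty(domain)
    | distinct domain; // duplicate list entries would otherwise duplicate the joined rows
let excludedDomains = datatable(excludeddomain: string) // Add as many domains you would like to exclude
["126.com","163.com","dell.com","trustwave.com","microsoft.com","qq.com","accenture.com","hp.com","google.com","amazon.com"];
let Timeframe = 2d; // Choose the best timeframe for your investigation
let SuspiciousEmails = EmailEvents
| where Timestamp > ago(Timeframe)
| where EmailDirection == "Outbound" // Assuming you are looking into mails sent by your organization
| extend EmailDomain = tolower(tostring(split(RecipientEmailAddress, '@')[1])) // lower-cased to match the normalized list
| where isnotempty(EmailDomain) // an address without '@' yields an empty domain and can never match
| join kind=inner (domainList) on $left.EmailDomain == $right.domain
| where not(EmailDomain in (excludedDomains))
| project Timestamp, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderDisplayName, RecipientEmailAddress, EmailDomain, domain, Subject, LatestDeliveryAction;
// EmailAttachmentInfo holds one row per attachment per message; collapse to one row
// per message so the join below does not multiply email rows by attachment count.
let Attachments = EmailAttachmentInfo
| where Timestamp > ago(Timeframe)
| summarize AttachmentNames = make_set(FileName), AttachmentTypes = make_set(FileType), AttachmentSHA256 = make_set(SHA256) by NetworkMessageId;
SuspiciousEmails
| join kind=inner (EmailEvents
    // Bounded to the same window rather than scanning the whole table; rows of one
    // message are expected to share its timestamp — widen the window if single-recipient
    // hits look wrong near the boundary.
    | where Timestamp > ago(Timeframe)
    | summarize count() by NetworkMessageId
    | where count_ == 1 // keep only single-recipient messages
    | project NetworkMessageId
) on NetworkMessageId
| join kind=leftouter (Attachments) on NetworkMessageId // leftouter: messages without attachments stay in the result
| sort by Timestamp desc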

 

 

How can I include EmailAttachmentInfo in this query, so that the FileName of any attachment that was being sent is shown?
