Advanced hunting on email threats


Hello to all M365 Defender gurus out there.

Disclaimer: I am new to M365 Defender and my question may be obvious for the seasoned professional.

Situation: I am using M365 Defender's Advanced hunting feature and have created a query that focuses on the identification of specific phishing emails.  The emails are in an M365 Exchange environment. The query works and returns results as expected.

Challenge:

  1. The results table does not allow me to perform a "select all" on rows, so I have to manually place a "check mark" next to each record. Is that normal?
  2. When I select one or multiple email records returned by the query, the "take actions" options only display "Devices" and "Files". No email. The emails are in an M365 Exchange environment. Why are there no "email" actions available? Is that normal?

Goal:

I would like to utilize the custom query (see below) to identify emails of interest. Once I have confirmed that the results are indeed malicious/unwanted emails, I would like to trigger a "remediation" action against all email records returned, directly within the "Advanced hunting" screen, using the "take actions" feature. The desired "remediation" would be to delete the emails from the users' mailboxes.

Question:

  1. Can the goal outlined above be accomplished via the "Advanced hunting" feature in M365 Defender? If so, what am I currently doing wrong?

Modified version of the custom query:

EmailEvents
| where Subject contains "(ABC001)"
// Sort before limiting: "limit 100 | order by" sorts an arbitrary 100 rows
| order by Timestamp desc
| take 100
// NetworkMessageId and RecipientEmailAddress must be present in the results
// for the "Take actions" panel to offer email actions
| project Timestamp, NetworkMessageId, RecipientEmailAddress, Subject, SenderFromDomain, EmailAction, AttachmentCount, EmailDirection, DeliveryLocation
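The following is an added example, not the original poster's query. It builds on the same "(ABC001)" subject marker and shows the shape of an EmailEvents hunt whose results can be remediated from the Advanced hunting "Take actions" panel: the output keeps NetworkMessageId and RecipientEmailAddress (the two columns the email actions require), narrows the hit list to inbound mail that was actually delivered to a mailbox (so nothing already blocked or quarantined is re-processed), and pulls attachment names and hashes from EmailAttachmentInfo for triage before anything is deleted. The 7-day lookback and the 1000-row cap are assumptions chosen for the example.

```kusto
// Added example (not the poster's query). "(ABC001)" is the subject marker
// from the original post; lookback and row cap are assumed values.
let lookback = 7d;
let subjectMarker = "(ABC001)";
EmailEvents
| where Timestamp > ago(lookback)
| where Subject contains subjectMarker
| where EmailDirection == "Inbound"
// Only mail that reached a user's mailbox needs a move/delete action;
// blocked, quarantined or dropped mail is already out of reach
| where DeliveryAction == "Delivered"
| where DeliveryLocation in ("Inbox/folder", "Junk folder")
// Attach file names and hashes for triage; leftouter keeps messages
// that have no attachment at all
| join kind=leftouter (
    EmailAttachmentInfo
    | project NetworkMessageId, RecipientEmailAddress, FileName, SHA256
) on NetworkMessageId, RecipientEmailAddress
// NetworkMessageId and RecipientEmailAddress must survive the projection:
// without them "Take actions" shows only device and file actions
| project Timestamp, NetworkMessageId, RecipientEmailAddress,
          SenderFromAddress, SenderFromDomain, Subject,
          DeliveryAction, DeliveryLocation, AttachmentCount, FileName, SHA256
| order by Timestamp desc
| take 1000
```

Run it from Advanced hunting, review the sender, recipient and attachment columns, then select the rows and open "Take actions"; with the two identifying columns in the result set the email actions become available alongside the device and file ones. Keeping DeliveryAction and DeliveryLocation in the output also makes it easy to spot a message that was later moved by ZAP or by the user, which would otherwise produce a confusing "not found" result on the action.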

2 Replies

@Deleted 

So just curious: have you tried using the "Threat Explorer"?
https://security.microsoft.com/threatexplorer

You can use this and search "All Emails" for "Ignite", and then in the lower half of the console you can choose Select All. The actions available are:

  • Move & Delete
  • Track & Notify
  • Start new Submission

Track & Notify includes:

  1. Trigger Investigation
  2. Investigate Sender
  3. Investigate Recipient
  4. Add to remediation
  5. Contact recipients

Start new Submission includes:

  1. Report clean
  2. Report phishing
  3. Report malware
  4. Report spam

Hope that helps?

Thank you for the suggestion. I did look at "Threat Explorer" and was happy to see the actions. However, I was hoping to utilize the power of the query language to fine-tune these hunts, as it seems the "Threat Explorer" conditions have fewer metadata fields available compared to the Advanced hunting queries. I am simply questioning why the "take actions" within the Advanced hunting results don't allow the same actions that "Threat Explorer" offers for emails.