KQL Query email attachments
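// Reference list of known spam domains, one domain per line, fetched at query time.
// The pasted version used typographic quotes (“ ”), which KQL does not parse; straight
// quotes are required. Each entry is trimmed and lower-cased so that the string join
// below matches regardless of stray whitespace/CR in the file or the casing of the recipient address.
let domainList = externaldata(domain: string) [@"https://raw.githubusercontent.com/tsirolnik/spam-domains-list/master/spamdomains.txt"] with (format="txt")
| project domain = tolower(trim(@"\s+", domain));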
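// Recipient domains that are on the spam list but are legitimate for this organisation
// (vendors, partners, large mail providers). Add entries as needed; keep them lower-case.
// Straight quotes replace the typographic “ ” from the pasted version, which KQL rejects.
let excludedDomains = datatable(excludeddomain: string)
["126.com", "163.com", "dell.com", "trustwave.com", "microsoft.com", "qq.com", "accenture.com", "hp.com", "google.com", "amazon.com"];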
// Lookback window for the hunt; widen or narrow it to fit the investigation.
let Timeframe = timespan(2d);
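// Outbound messages whose recipient domain appears on the spam-domain list and is not
// explicitly excluded.
// - The recipient domain is lower-cased before the join: string joins and `in` in KQL are
//   case-sensitive, so a recipient typed as User@Spam.Example would otherwise never match
//   a lower-case list entry and the message would be missed.
// - `!in~` compares the exclusion list case-insensitively for the same reason.
// - Typographic quotes from the pasted version are replaced with straight quotes.
let SuspiciousEmails = EmailEvents
| where Timestamp > ago(Timeframe)
| where EmailDirection == "Outbound" // Assuming you are looking into mails sent by your organization
| extend EmailDomain = tolower(tostring(split(RecipientEmailAddress, "@")[1]))
| join kind=inner (domainList) on $left.EmailDomain == $right.domain
| where EmailDomain !in~ (excludedDomains)
| project Timestamp, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderDisplayName, RecipientEmailAddress, EmailDomain, domain, Subject, LatestDeliveryAction;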
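// Final result: suspicious messages that occur exactly once in EmailEvents (the
// `count_ == 1` filter, i.e. a single recipient row), enriched with the attachments
// recorded for the same NetworkMessageId in EmailAttachmentInfo.
// `kind=leftouter` keeps messages that carried no attachment (FileName etc. are empty
// for those); a message with several attachments yields one row per attachment.
SuspiciousEmails
| join (EmailEvents
    | summarize count() by NetworkMessageId
    | where count_ == 1
    | project NetworkMessageId
) on NetworkMessageId
| join kind=leftouter (EmailAttachmentInfo
    | project NetworkMessageId, FileName, FileType, SHA256
) on NetworkMessageId
| sort by Timestamp desc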
How can I include EmailAttachmentInfo so that the result shows the FileName (or the attachment) that was being sent?