This query lets you:
- Analyze the outbound automatic replies sent by your users.
- Identify the recipient domain extensions (top-level domains) those replies are sent to.
- Detect any threats associated with those outbound messages.
- Switch between a statistical view and a detailed view as needed.
```kql
EmailEvents
// add your automatic reply subject prefixes for the languages used in your tenant
| where Subject startswith "Automatic reply:"
| where DeliveryAction has "Delivered" and EmailDirection has "Outbound"
| extend Username = tostring(split(RecipientEmailAddress, "@")[0]), Domain = tostring(split(RecipientEmailAddress, "@")[1])
| extend DomainParts = split(RecipientEmailAddress, ".")
| extend DomainExtensions = tostring(DomainParts[-1])
| summarize count() by DomainExtensions, EmailDirection, DeliveryAction, DeliveryLocation, ThreatTypes
// if you want deeper information instead of a general view, use the next line and remove/comment the previous one
//| distinct SenderDisplayName, SenderMailFromDomain, SenderIPv4, RecipientEmailAddress, DomainExtensions, Domain, Subject, EmailDirection, DeliveryAction, DeliveryLocation, ThreatTypes
```
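As an added example (not part of the original post), the same filter and summarize logic in Python over constructed rows shaped like EmailEvents columns; the French and German subject prefixes are assumptions illustrating the "your languages" comment in the query, and the TLD extraction falls back to the whole domain when the address has no dot.

```python
from collections import Counter

# Constructed sample rows shaped like Defender XDR EmailEvents columns (not real data).
SAMPLE_EMAIL_EVENTS = [
    {"Subject": "Automatic reply: Invoice 2231", "DeliveryAction": "Delivered",
     "EmailDirection": "Outbound", "DeliveryLocation": "Inbox/folder",
     "RecipientEmailAddress": "partner@example.com", "ThreatTypes": ""},
    {"Subject": "Réponse automatique : Facture 2231", "DeliveryAction": "Delivered",
     "EmailDirection": "Outbound", "DeliveryLocation": "Inbox/folder",
     "RecipientEmailAddress": "billing@example.co.uk", "ThreatTypes": ""},
    {"Subject": "Automatic reply: Your account", "DeliveryAction": "Delivered",
     "EmailDirection": "Outbound", "DeliveryLocation": "Inbox/folder",
     "RecipientEmailAddress": "noreply@mail.example.xyz", "ThreatTypes": "Phish"},
    {"Subject": "Automatic reply: Meeting", "DeliveryAction": "Blocked",
     "EmailDirection": "Outbound", "DeliveryLocation": "Quarantine",
     "RecipientEmailAddress": "someone@example.xyz", "ThreatTypes": "Malware"},
    {"Subject": "Re: Meeting", "DeliveryAction": "Delivered",
     "EmailDirection": "Inbound", "DeliveryLocation": "Inbox/folder",
     "RecipientEmailAddress": "me@corp.example", "ThreatTypes": ""},
]

# Assumed auto-reply prefixes; extend for the languages used in your tenant.
AUTO_REPLY_PREFIXES = ("automatic reply:", "réponse automatique :", "automatische antwort:")

def is_outbound_auto_reply(row):
    # KQL startswith is case-insensitive, so compare on the lowercased subject.
    return (row["Subject"].lower().startswith(AUTO_REPLY_PREFIXES)
            and "Delivered" in row["DeliveryAction"]
            and "Outbound" in row["EmailDirection"])

def domain_extension(address):
    """Last dot-separated label of the recipient address, like DomainParts[-1] in the KQL."""
    domain = address.rsplit("@", 1)[-1]
    return domain.rsplit(".", 1)[-1].lower()

def summarize_auto_replies(rows):
    """Count delivered outbound auto-replies by (DomainExtensions, EmailDirection,
    DeliveryAction, DeliveryLocation, ThreatTypes), mirroring the KQL summarize."""
    counts = Counter()
    for row in rows:
        if is_outbound_auto_reply(row):
            key = (domain_extension(row["RecipientEmailAddress"]), row["EmailDirection"],
                   row["DeliveryAction"], row["DeliveryLocation"], row["ThreatTypes"])
            counts[key] += 1
    return dict(counts)
```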