{"id":87,"date":"2024-01-12T09:56:21","date_gmt":"2024-01-12T09:56:21","guid":{"rendered":"https:\/\/cyber-resilience.mobi\/?p=87"},"modified":"2024-01-12T10:03:17","modified_gmt":"2024-01-12T10:03:17","slug":"evenements-suspects-email","status":"publish","type":"post","link":"https:\/\/cyber-resilience.mobi\/?p=87","title":{"rendered":"KQL Ev\u00e8nements suspects Email"},"content":{"rendered":"\n<pre class=\"wp-block-code\"><code>EmailEvents \r\n| where Timestamp between (&lt;start> .. &lt;end>) \/\/Time window from the app creation time to a few hours later, up to 24 hours or more \r\n| where EmailDirection in (\"Outbound\") \r\n| project\r\n    RecipientEmailAddress,\r\n    SenderFromAddress,\r\n    SenderMailFromAddress,\r\n    SenderObjectId,\r\n    NetworkMessageId \r\n| summarize\r\n    RecipientCount = dcount(RecipientEmailAddress),\r\n    UniqueEmailSentCount = dcount(NetworkMessageId)\r\n    by SenderFromAddress, SenderMailFromAddress, SenderObjectId\r\n| sort by UniqueEmailSentCount desc \r\n\/\/| where UniqueEmailSentCount > &lt;threshold> \/\/Optional, return only senders who sent more unique emails than the threshold\r\n\/\/| take 100 \/\/Optional, return only the top 100\r\n  \r\n\/\/Identify Suspicious Outbound Email Sender\r\nEmailEvents \r\n\/\/| where Timestamp between (&lt;start> .. 
&lt;end>) \/\/Time window from the app creation time to a few hours later, up to 24 hours or more \r\n| where EmailDirection in (\"Outbound\") \r\n| project\r\n    RecipientEmailAddress,\r\n    SenderFromAddress,\r\n    SenderMailFromAddress,\r\n    SenderObjectId, \r\n    DetectionMethods,\r\n    NetworkMessageId \r\n| summarize\r\n    RecipientCount = dcount(RecipientEmailAddress),\r\n    UniqueEmailSentCount = dcount(NetworkMessageId),\r\n    SuspiciousEmailCount = dcountif(NetworkMessageId,isnotempty(DetectionMethods))\r\n    by SenderFromAddress, SenderMailFromAddress, SenderObjectId\r\n| extend SuspiciousEmailPercentage = SuspiciousEmailCount\/UniqueEmailSentCount * 100 \/\/Calculate the percentage of suspicious emails (those with a non-empty DetectionMethods) among all emails sent by the sender\r\n| sort by SuspiciousEmailPercentage desc \r\n\/\/| where UniqueEmailSentCount > &lt;threshold> \/\/Optional, return only if the sender's suspicious email percentage is above the threshold\r\n\/\/| take 100 \/\/Optional, return only the top 100\r\n \r\n\/\/Identify Recent Emails Sent by Restricted Email Sender\r\nAlertEvidence\r\n| where Title has \"User restricted from sending email\"\r\n| project AccountObjectId \/\/Identify the users who are restricted from sending email\r\n| join EmailEvents on $left.AccountObjectId == $right.SenderObjectId \/\/Join the AlertEvidence accounts with their EmailEvents rows\r\n| project\r\n    Timestamp,\r\n    RecipientEmailAddress,\r\n    SenderFromAddress,\r\n    SenderMailFromAddress,\r\n    SenderObjectId,\r\n    SenderIPv4,\r\n    Subject,\r\n    UrlCount,\r\n    AttachmentCount,\r\n    DetectionMethods,\r\n    AuthenticationDetails, \r\n    NetworkMessageId\r\n| sort by Timestamp desc \r\n\/\/| take 100 \/\/Optional, return only the first 
100<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17],"tags":[21,18,19],"class_list":["post-87","post","type-post","status-publish","format-standard","hentry","category-kql","tag-defender","tag-kql","tag-kusto"],"_links":{"self":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/87","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=87"}],"version-history":[{"count":2,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/87\/revisions"}],"predecessor-version":[{"id":92,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/87\/revisions\/92"}],"wp:attachment":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=87"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=87"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=87"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}