Microsoft-365-Defender-Hunting-Queries
Email-Suspicious-Patterns-Analysis.md
Email Trend Analysis Query
Hi, why are you using the union? EmailEvents is providing the threat type; I don't see an actual use of EmailAttachmentInfo here, which provides additional info on the attachment.
@tali-ash
Hi, you are right, both schemas do have ThreatTypes. However, if you check, the search results are not the same from both schemas.
Please run the queries below for the last 30 days; the results are different.
```kusto
EmailEvents
| summarize count() by ThreatTypes
| sort by count_
```

```kusto
EmailAttachmentInfo
| summarize count() by ThreatTypes
| sort by count_
```

```kusto
union EmailEvents, EmailAttachmentInfo
| summarize count() by ThreatTypes
| sort by count_
```
It is expected; the meaning is different. In EmailEvents it is whether the email was identified as a threat during delivery. In EmailAttachmentInfo, it indicates whether the attachment is recognized as a threat. There can be several attachments in the same email, and for each there will be a record in the table, while in EmailEvents there is one record for the email. These two tables are totally different: one is logging attachments and one is logging emails.
I don't think the query is now doing what you are willing to get.
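To keep the two granularities apart rather than unioning them, here is an added example (not code from this repository or from anyone in this thread) that folds the per-attachment verdicts into the per-email row by joining on the message id. NetworkMessageId, Timestamp, FileName, Subject, SenderFromAddress, RecipientEmailAddress and DeliveryAction are assumed from the public Defender advanced-hunting schema, not from this thread.

```kusto
// Added example, not from the repository: one row per email with the
// attachment-level verdicts folded in, instead of a union that mixes
// per-email rows with per-attachment rows in a single ThreatTypes count.
// NetworkMessageId, FileName and DeliveryAction are assumed from the
// public Defender advanced-hunting schema, not from this thread.
let lookback = 30d;
let attachment_verdicts = EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(ThreatTypes)            // attachments that received a verdict
    | summarize FlaggedAttachments = count(),
                FlaggedFiles = make_set(FileName, 10),
                AttachmentThreatTypes = make_set(ThreatTypes, 10)
      by NetworkMessageId;
EmailEvents
| where Timestamp > ago(lookback)
| project NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress,
          Subject, DeliveryAction, EmailThreatTypes = ThreatTypes
| join kind=inner attachment_verdicts on NetworkMessageId
// Emails whose attachment was flagged but whose email-level verdict is empty
// are exactly the cases a union-by-ThreatTypes count blends together.
| extend EmailVerdictMissing = isempty(EmailThreatTypes)
| summarize Emails = dcount(NetworkMessageId),
            ExampleSubject = take_any(Subject)
  by EmailVerdictMissing, DeliveryAction,
     AttachmentThreatTypes = tostring(AttachmentThreatTypes)
| sort by Emails desc
```

Rows with EmailVerdictMissing == true and a DeliveryAction other than Blocked are the ones worth a closer look, since the attachment verdict and the delivery decision disagree.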
@tali-ash Thanks for the explanation, I updated the query for the same.