Microsoft-365-Defender-Hunting-Queries

Email-Suspicious-Patterns-Analysis.md

Open: A-dd-Y opened this issue 3 years ago, 5 comments

Email Trend Analysis Query

A-dd-Y avatar Mar 17 '21 19:03 A-dd-Y

CLA assistant check
All CLA requirements met.

ghost avatar Mar 17 '21 19:03 ghost

Hi, why are you using the union? EmailEvents is providing the threat type; I don't see an actual use of EmailAttachmentInfo here, which provides additional info on the attachment.

tali-ash avatar Mar 22 '21 11:03 tali-ash

@tali-ash

Hi, you are right, both schemas do have ThreatTypes. However, if you check, the search results are not the same from both schemas.

Please run the queries below for the last 30 days; the results are different.

    EmailEvents
    | summarize count() by ThreatTypes
    | sort by count_

    EmailAttachmentInfo
    | summarize count() by ThreatTypes
    | sort by count_

    union EmailEvents, EmailAttachmentInfo
    | summarize count() by ThreatTypes
    | sort by count_

A-dd-Y avatar Mar 22 '21 12:03 A-dd-Y

It is expected; the meaning is different. In EmailEvents it is whether the email was identified as a threat during delivery. In EmailAttachmentInfo, it indicates whether the attachment is recognized as a threat. There can be several attachments in the same email, and for each there will be a record in the table, while in EmailEvents there is one record for the email. These two tables are totally different: one is logging attachments and one is logging emails.

I don't think the query is now doing what you are aiming to get.

tali-ash avatar Mar 22 '21 12:03 tali-ash
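An added example (not from this PR or the repository's own queries) that follows the explanation above: instead of union-merging rows that describe different things, it keeps the two tables apart and joins the attachment-level verdicts onto each email record on NetworkMessageId, so the delivery verdict and the attachment verdicts can be compared side by side. It assumes the standard advanced hunting columns Timestamp, NetworkMessageId and ThreatTypes in both tables.

```kql
// Added example, not the repository's own query. Assumes the standard
// advanced hunting columns Timestamp, NetworkMessageId and ThreatTypes.
let lookback = 30d;
EmailEvents
| where Timestamp > ago(lookback)
// EmailEvents: one record per email, ThreatTypes = delivery verdict.
| join kind=leftouter (
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    // EmailAttachmentInfo: one record per attachment, ThreatTypes = attachment
    // verdict. Collapse the attachments back to one row per message so the
    // join does not multiply email rows by attachment count.
    | summarize AttachmentCount = count(),
                AttachmentThreatTypes = make_set(ThreatTypes)
      by NetworkMessageId
) on NetworkMessageId
| project NetworkMessageId,
          EmailThreatTypes = ThreatTypes,
          AttachmentCount = coalesce(AttachmentCount, 0),
          AttachmentThreatTypes
// Emails counts EmailEvents records, never attachment records, so the total
// matches "EmailEvents | summarize count()" for the same window.
| summarize Emails = count()
  by EmailThreatTypes, AttachmentThreatTypes = tostring(AttachmentThreatTypes)
| sort by Emails desc
```

Rows where EmailThreatTypes is empty but AttachmentThreatTypes is not (or the reverse) are exactly the cases the two single-table counts disagree on; a plain union would have added those records together as if they were the same kind of event.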

@tali-ash Thanks for the explanation, I updated the query accordingly.

A-dd-Y avatar Mar 22 '21 13:03 A-dd-Y