Last active
January 18, 2024 15:59
-
-
Save dxflatline/acde39ab675e19220f3773a896eb6e9b to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Descriptor: | |
| Name: EmailHuntingCustomKQL | |
| DisplayName: Defender KQL for email discovery | |
| Description: Skills to query email logs in M365 Advanced Hunting | |
| SkillGroups: | |
| - Format: KQL | |
| Skills: | |
| - Name: GetLatestEmailsByRecipientSender | |
| DisplayName: Get Latest Emails By Recipient or Sender | |
| Description: Fetches the latest emails received or send by the user with the specified email address | |
| Inputs: | |
| - Name: email | |
| Description: The email address of the recipient or sender | |
| Required: true | |
| Settings: | |
| Target: Defender | |
| Template: |- | |
| EmailEvents | |
| | where RecipientEmailAddress =~ '{{email}}' or SenderMailFromAddress =~ '{{email}}' | |
| | project Timestamp, NetworkMessageId, SenderFromAddress, SenderDisplayName, Subject, DeliveryLocation | |
| | top 100 by Timestamp desc |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment