microsoft/microsoft365 Dashboards | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Contacting Support

microsoft/microsoft365 Dashboards

Email IOC detections

Widget	Description	Type
IOC matches - URLs in email	Details of IOC matches for URLs found in email. Hide Query Show Query logscale #logtype = "microsoft365" \| #category = "AdvancedHunting-EmailUrlInfo" \| ioc:lookup(["properties.Url"], type="url", strict="true", confidenceThreshold=?threshold) \| $"microsoft/microsoft365:IOC age and confidence presentation"() \| groupBy([properties.Url, properties.NetworkMessageId], function=[selectLast([@timestamp, "Malicious confidence", "IOC age"])]) \| join({ #logtype = "microsoft365" \| #category = "AdvancedHunting-EmailEvents" \| properties.DeliveryAction = "Delivered" \| "Any delivery?" := "Yes" }, field=[properties.NetworkMessageId], include=["Any delivery?"], mode=left) \| default(value="No", field=["Any delivery?"]) \| groupBy([properties.Url], function=[ selectLast([@timestamp, "Malicious confidence", "IOC age"]), count(properties.NetworkMessageId, distinct=true, as="No. of emails"), { "Any delivery?" = "Yes" \| count() \| _count match { 0 => "Any delivery?" := "No"; * => "Any delivery?" := "Yes" } \| drop(_count) } ]) \| "Any delivery?" = ?anyDelivery \| "Latest email" := formatTime("%b %d %T %Z", field=@timestamp) \| URL := rename(properties.Url) \| table([URL, "Malicious confidence", "No. of emails", "Any delivery?", "Latest email", "IOC age"])	`Table`
Threat trends - sender IP	Number of IOC matches by confidence threshold over time for sending SMTP server IP address. Hide Query Show Query logscale `#logtype = "microsoft365" \| #category = "AdvancedHunting-EmailEvents" \| tenantId=?{tenantId=} \| case { test(?anyDelivery == ""); test(?anyDelivery == "Yes") \| properties.DeliveryAction = "Delivered"; test(?anyDelivery == "No") \| properties.DeliveryAction != "Delivered"; } \| ioc:lookup([properties.SenderIPv4, properties.SenderIPv6], type="ip_address", strict="true", confidenceThreshold=?threshold) \| timechart(ioc[0].malicious_confidence)`	`Time Chart`
IOC matches - sender domains	Details of IOC matches for sender domains used in emails Hide Query Show Query logscale #logtype = "microsoft365" \| #category = "AdvancedHunting-EmailEvents" \| tenantId=?{tenantId=} // We only check for IOC matches against SenderFromDomain here, although we could also do so for SenderMailFromDomain. // We've chosen not to do so, as SenderMailFromDomain seems unlikely to have valuable information, as it is easily spoofed. \| ioc:lookup(["properties.SenderFromDomain"], type="domain", strict="true", confidenceThreshold=?threshold) \| groupBy(["properties.SenderFromDomain"], function=[ count(properties.NetworkMessageId, distinct=true, as="No. of emails"), selectLast([@timestamp, ioc[0].malicious_confidence, ioc[0].last_updated]), { properties.DeliveryAction = "Delivered" \| count() \| _count match { 0 => "Any delivery?" := "No"; => "Any delivery?" := "Yes" } } ]) \| "Any delivery?" = ?anyDelivery \| $"microsoft/microsoft365:IOC age and confidence presentation"() \| "Latest email" := formatTime("%b %d %T %Z", field=@timestamp) \| Domain := rename(properties.SenderFromDomain) \| table(["Domain", "Malicious confidence", "No. of emails", "Any delivery?", "Latest email", "IOC age"])	`Table`
IOC matches - sender IP	Details of IOC matches for sending SMTP server IP address. Hide Query Show Query logscale #logtype = "microsoft365" \| #category = "AdvancedHunting-EmailEvents" \| tenantId=?{tenantId=} \| ioc:lookup([properties.SenderIPv4, properties.SenderIPv6], type="ip_address", strict="true", confidenceThreshold=?threshold) \| case { properties.SenderIPv4 != "null" \| "Sender IP" := properties.SenderIPv4; "Sender IP" := properties.SenderIPv6 } \| groupBy(["Sender IP"], function=[ count(properties.NetworkMessageId, distinct=true, as="No. of emails"), selectLast([@timestamp, ioc[0].malicious_confidence, ioc[0].last_updated]), { properties.DeliveryAction = "Delivered" \| count() \| _count match { 0 => "Any delivery?" := "No"; => "Any delivery?" := "Yes" } } ]) \| "Any delivery?" = ?anyDelivery \| $"microsoft/microsoft365:IOC age and confidence presentation"() \| "Latest email" := formatTime("%b %d %T %Z", field=@timestamp) \| table(["Sender IP", "Malicious confidence", "No. of emails", "Any delivery?", "Latest email", "IOC age"])	`Table`
Threat trends - domains of URLs in email	Number of IOC matches by confidence threshold over time for domains of URLs found in email. Hide Query Show Query logscale #logtype = "microsoft365" \| #category = "AdvancedHunting-EmailUrlInfo" \| tenantId=?{tenantId=*} \| ioc:lookup(["properties.UrlDomain"], type="domain", strict="true", confidenceThreshold=?threshold) \| join({ #logtype = "microsoft365" \| #category = "AdvancedHunting-EmailEvents" \| properties.DeliveryAction = "Delivered" \| "Any delivery?" := "Yes" }, field=[properties.NetworkMessageId], include=["Any delivery?"], mode=left) \| default(value="No", field=["Any delivery?"]) \| "Any delivery?" = ?anyDelivery \| timechart(ioc[0].malicious_confidence)	`Time Chart`
Threat trends - sender domains	Number of IOC matches by confidence threshold over time for sender domains. This includes only the sender in the SMTP FROM header. Hide Query Show Query logscale #logtype = "microsoft365" \| #category = "AdvancedHunting-EmailEvents" \| tenantId=?{tenantId=} \| case { test(?anyDelivery == ""); test(?anyDelivery == "Yes") \| properties.DeliveryAction = "Delivered"; test(?anyDelivery == "No") \| properties.DeliveryAction != "Delivered"; } // We only check for IOC matches against SenderFromDomain here, although we could also do so for SenderMailFromDomain. // We've chosen not to do so, as SenderMailFromDomain seems unlikely to have valuable information, as it is easily spoofed. \| ioc:lookup(["properties.SenderFromDomain"], type="domain", strict="true", confidenceThreshold=?threshold) \| split(ioc) \| timechart(ioc.malicious_confidence)	`Time Chart`
Threat trends - URLs in email	Number of IOC matches by confidence threshold over time for URLs found in email. Hide Query Show Query logscale #logtype = "microsoft365" \| #category = "AdvancedHunting-EmailUrlInfo" \| tenantId=?{tenantId=*} \| ioc:lookup(["properties.Url"], type="url", strict="true", confidenceThreshold=?threshold) \| join({ #logtype = "microsoft365" \| #category = "AdvancedHunting-EmailEvents" \| properties.DeliveryAction = "Delivered" \| "Any delivery?" := "Yes" }, field=[properties.NetworkMessageId], include=["Any delivery?"], mode=left) \| default(value="No", field=["Any delivery?"]) \| "Any delivery?" = ?anyDelivery \| timechart(ioc[0].malicious_confidence)	`Time Chart`
IOC matches - domains of URLs in email	Details of IOC matches for domains of URLs found in email. Hide Query Show Query logscale #logtype = "microsoft365" \| #category = "AdvancedHunting-EmailUrlInfo" \| ioc:lookup(["properties.UrlDomain"], type="domain", strict="true", confidenceThreshold=?threshold) \| $"microsoft/microsoft365:IOC age and confidence presentation"() \| groupBy([properties.UrlDomain, properties.NetworkMessageId], function=[selectLast([@timestamp, "Malicious confidence", "IOC age"])]) \| join({ #logtype = "microsoft365" \| #category = "AdvancedHunting-EmailEvents" \| properties.DeliveryAction = "Delivered" \| "Any delivery?" := "Yes" }, field=[properties.NetworkMessageId], include=["Any delivery?"], mode=left) \| default(value="No", field=["Any delivery?"]) \| groupBy([properties.UrlDomain], function=[ selectLast([@timestamp, "Malicious confidence", "IOC age"]), count(properties.NetworkMessageId, distinct=true, as="No. of emails"), { "Any delivery?" = "Yes" \| count() \| _count match { 0 => "Any delivery?" := "No"; * => "Any delivery?" := "Yes" } \| drop(_count) } ]) \| "Any delivery?" = ?anyDelivery \| "Latest email" := formatTime("%b %d %T %Z", field=@timestamp) \| Domain := rename(properties.UrlDomain) \| table([Domain, "Malicious confidence", "No. of emails", "Any delivery?", "Latest email", "IOC age"])	`Table`
Introduction to Indicators of Compromise (IOC) detections	Falcon LogScale includes an integration with CrowdStrike's Falcon Intelligence to provide Falcon LogScale customers with a built-in database of Indicators of Compromise (IOCs). Customers can search their logs for matches against the IOC database and see relevant threat information for each IOC found. Find out more. This dashboard checks a number of email attributes against the IOC database with the `ioc:lookup()` function. Click on the ⫶ button on each IOC detection to start investigating on it.	`Note`

Email forwarding rules

Widget	Description	Type
Mailbox forwarding rules - new and updated	Newly created or updated Mailbox forwarding rules. The events do not include the impacted mailbox to which forwarding has been applied. Hide Query Show Query logscale `#logtype = "microsoft365" \| #category="AdvancedHunting-CloudAppEvents" \| properties.ActionType="Set-Mailbox" \| tenantId=?{tenantId=} \| ?{Freetext=} // Looking for the ForwardingSmtpAddress "parameter" \| regex(".*{\"Name\"\:\s\"ForwardingSmtpAddress\"\,\s\"Value\"\:\s\"(?<ForwardingSmtpAddress>.+?)\"\}", field=@rawstring)`	`Event List`
Inbox email forwarding rules - updated	Updated Inbox rules that forward email. Covers 'ForwardTo, 'ForwardAsAttachmentTo' and 'RedirectTo' rule types. Hide Query Show Query logscale #logtype = "microsoft365" \| #category="AdvancedHunting-CloudAppEvents" \| properties.ActionType="et-InboxRule" \| tenantId=?{tenantId=} \| ?{Freetext=} // Looking for two "parameters": // 1. the name of the rule (that the user gave their rule) // 2. the address to forward to \| regex(".{\"Name\"\:\s\"Name\"\,\s\"Value\"\:\s\"(?<Rulename>.+?)\"\}", field=@rawstring) \| regex(".*{\"Name\"\:\s\"SentTo\"\,\s\"Value\"\:\s\"(?<SentTo>.+?)\"\}", field=@rawstring) \| split(properties.RawEventData.Parameters) \| case { in(properties.RawEventData.Parameters.Name, values=["ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"]) \| Method := properties.RawEventData.Parameters.Name \| Email := properties.RawEventData.Parameters.Value; }	`Event List`
Transport email forwarding rules - updated	Updated Transport rules that forward email. Covers rules for 'ModerateMessageByUser', 'RedirectMessageTo', 'AddToRecipients' Hide Query Show Query logscale #logtype = "microsoft365" \| #category="AdvancedHunting-CloudAppEvents" \| properties.ActionType="Set-TransportRule" \| tenantId=?{tenantId=} \| ?{Freetext=} // Looking for two "parameters": // 1. the name of the rule (that the user gave their rule) // 2. the address to forward to \| regex(".{\"Name\"\:\s\"Name\"\,\s\"Value\"\:\s\"(?<Rulename>.+?)\"\}", field=@rawstring) \| regex(".{\"Name\"\:\s\"SentTo\"\,\s\"Value\"\:\s\"(?<SentTo>.+?)\"\}", field=@rawstring) \| split(properties.RawEventData.Parameters) \| case { in(properties.RawEventData.Parameters.Name, values=["ModerateMessageByUser", "RedirectMessageTo", "AddToRecipients"]) \| Method := properties.RawEventData.Parameters.Name \| Email := properties.RawEventData.Parameters.Value; }	`Event List`
Transport email forwarding rules - new	Newly created Transport rules that forward email. Covers rules for 'ModerateMessageByUser', 'RedirectMessageTo' and 'AddToRecipients' Hide Query Show Query logscale #logtype = "microsoft365" \| #category="AdvancedHunting-CloudAppEvents" \| properties.ActionType="New-TransportRule" \| tenantId=?{tenantId=} \| ?{Freetext=} // Looking for two "parameters": // 1. the name of the rule (that the user gave their rule) // 2. the address to forward to \| regex(".{\"Name\"\:\s\"Name\"\,\s\"Value\"\:\s\"(?<Rulename>.+?)\"\}", field=@rawstring) \| regex(".{\"Name\"\:\s\"SentTo\"\,\s\"Value\"\:\s\"(?<SentTo>.+?)\"\}", field=@rawstring) \| split(properties.RawEventData.Parameters) \| case { in(properties.RawEventData.Parameters.Name, values=["ModerateMessageByUser", "RedirectMessageTo", "AddToRecipients"]) \| Method := properties.RawEventData.Parameters.Name \| Email := properties.RawEventData.Parameters.Value; }	`Event List`
Inbox email forwarding rules - new	Newly created Inbox rules that forward email. Covers 'ForwardTo, 'ForwardAsAttachmentTo' and 'RedirectTo' rule types. Hide Query Show Query logscale #logtype = "microsoft365" \| #category="AdvancedHunting-CloudAppEvents" \| properties.ActionType="New-InboxRule" \| tenantId=?{tenantId=} \| ?{Freetext=} // Looking for two "parameters": // 1. the name of the rule (that the user gave their rule) // 2. the address to forward to \| regex(".{\"Name\"\:\s\"Name\"\,\s\"Value\"\:\s\"(?<Rulename>.+?)\"\}", field=@rawstring) \| regex(".{\"Name\"\:\s\"SentTo\"\,\s\"Value\"\:\s\"(?<SentTo>.+?)\"\}", field=@rawstring) \| split(properties.RawEventData.Parameters) \| case { in(properties.RawEventData.Parameters.Name, values=["ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"]) \| Method := properties.RawEventData.Parameters.Name \| Email := properties.RawEventData.Parameters.Value; }	`Event List`

Email investigation

Widget	Description	Type
Recipients	Copy/paste a NetworkMessageId into the similarly named parameter, press Apply parameters and the recipients for the email will be shown. Hide Query Show Query logscale `#logtype = "microsoft365" \| test(?NetworkMessageId != "") \| #category = "AdvancedHunting-EmailEvents" \| properties.NetworkMessageId = ?{NetworkMessageId=} \| tenantId = ?{tenantId=} \| properties.DeliveryAction = ?{DeliveryStatus=} \| properties.RecipientEmailAddress = ?{RecipientAddress=*} \| Recipient := rename(properties.RecipientEmailAddress) \| Status := rename(properties.DeliveryAction) \| table([Status, Recipient], limit=20000)`	`Table`
Blocked emails	Summary information for all emails that have a DeliveryAction of Blocked. Note - ThreatType, DetectionMethod and Confidencelevel are not present if the email was blocked by a rule added by customer or user (i.e. only shown for emails blocked by Microsoft rules). To see the details of a blocked message copy/paste a NetworkMessageId into the similarly named parameter, press Apply parameters and the Email summary and Email details widgets will populate with the information for the message. Hide Query Show Query logscale #logtype = "microsoft365" \| #category = "AdvancedHunting-EmailEvents" \| properties.DeliveryAction = "Blocked" \| tenantId = ?{tenantId=} \| properties.NetworkMessageId = ?{NetworkMessageId=} \| properties.SenderFromAddress = ?{SenderAddress=} \| properties.RecipientEmailAddress = ?{RecipientAddress=} \| properties.EmailDirection = ?{EmailDirection=} \| properties.Subject = ?{Subject=} \| properties.ThreatTypes = ?{ThreatType=} \| properties.SenderIPv4 = ?{SenderIP=} OR properties.SenderIPv6 = ?{SenderIP=*} \| groupBy([properties.NetworkMessageId], function=[ selectLast([@timestamp, properties.SenderFromAddress, properties.ThreatTypes, properties.DetectionMethods, properties.ConfidenceLevel]), count(properties.RecipientEmailAddress, as="No. of recipients", distinct=true) ]) \| NetworkMessageId := rename(properties.NetworkMessageId) \| Sender := rename(properties.SenderFromAddress) \| ThreatType := rename(properties.ThreatTypes) \| "Detection method" := rename(properties.DetectionMethods) \| Confidence := rename(properties.ConfidenceLevel) \| table([@timestamp, NetworkMessageId, Sender, "No. of recipients", ThreatType, "Detection method", Confidence])	`Table`
Email overview	Summary information for all emails. NetworkMessageId is a unique ID applied by Microsoft to each email. Emails to multiple recipients will have the same NetworkMessageId but could have different delivery status per recipient. The Any delivery? column indicates Yes if the delivery status (i.e. DeliveryAction field) for any recipient was Delivered The Any URL clicked? column indicates Yes if any recipient of the message clicked any URL contained within the email. To see the delivery status and any URLs clicked per recipient, copy/paste a NetworkMessageId into the similarly named parameter, press Apply parameters and the details will be shown in the below widget Email details . Hide Query Show Query logscale #logtype = "microsoft365" \| #category = "AdvancedHunting-EmailEvents" \| tenantId = ?{tenantId=} \| properties.NetworkMessageId = ?{NetworkMessageId=} \| properties.SenderFromAddress = ?{SenderAddress=} \| properties.RecipientEmailAddress = ?{RecipientAddress=} \| properties.EmailDirection = ?{EmailDirection=} \| properties.DeliveryAction = ?{DeliveryStatus=} \| properties.Subject = ?{Subject=} \| properties.ThreatTypes = ?{ThreatType=} \| properties.SenderIPv4 = ?{SenderIP=} OR properties.SenderIPv6 = ?{SenderIP=} \| groupBy([properties.NetworkMessageId], function=[ selectLast([@timestamp, properties.SenderFromAddress, properties.Subject, properties.EmailDirection, properties.SenderIPv4, properties.SenderIPv6]), count(properties.RecipientEmailAddress, as="No. of recipients", distinct=true), { properties.DeliveryAction = "Delivered" \| count() \| _count match { 0 => "Any delivery?" := "No"; * => "Any delivery?" := "Yes" } } ]) \| case { properties.SenderIPv4 != "null" \| "Sender IP" := properties.SenderIPv4; "Sender IP" := properties.SenderIPv6 } \| join({ #logtype = "microsoft365" \| #category = "AdvancedHunting-UrlClickEvents" \| "Any URL clicked?" := "Yes" }, field=[properties.NetworkMessageId], include=["Any URL clicked?"], mode=left) \| default(field="Any URL clicked?", value="No") \| NetworkMessageId := rename(properties.NetworkMessageId) \| From := rename(properties.SenderFromAddress) \| Subject := rename(properties.Subject) \| Direction := rename(properties.EmailDirection) \| table([@timestamp, NetworkMessageId, From, "Sender IP", Subject, "No. of recipients", Direction, "Any delivery?", "Any URL clicked?"])	`Table`
Users who clicked URL	Copy/paste a URL into the similarly named parameter and press Apply parameters to see the user principle name (AccountUPN) of the account that clicked the URL, along with the time of click. The widget Recipients of URL will also populate with the NetworkMessageId, URL and recipient email address. Hide Query Show Query logscale `#logtype = "microsoft365" \| test(?URL != "") \| #category = "AdvancedHunting-UrlClickEvents" \| tenantId = ?{tenantId=} \| properties.NetworkMessageId = ?{NetworkMessageId=} \| properties.AccountUpn = ?{AccountUpn=} \| properties.Url=?{URL=*}`	`Event List`
Recipients of URL	Copy/paste a URL into the similarly named parameter and press Apply parameters to see which recipients received an email with that URL present. The widget Users who clicked URL will also populate with the user principal name (AccountUPN) name of the account that clicked the URL, along with the time of click. Copy/paste a NetworkMessageId into the similarly named parameter and press Apply parameters to see more information about the email the URL came from. Hide Query Show Query logscale #logtype = "microsoft365" \| test(?URL != "") \| #category = "AdvancedHunting-EmailEvents" \| tenantId = ?{tenantId=} \| properties.NetworkMessageId = ?{NetworkMessageId=} \| properties.SenderFromAddress = ?{SenderAddress=} \| properties.RecipientEmailAddress = ?{RecipientAddress=} \| properties.DeliveryAction = ?{DeliveryStatus=} \| properties.SenderIPv4 = ?{SenderIP=} OR properties.SenderIPv6 = ?{SenderIP=} \| join({#logtype = "microsoft365" \| #category = "AdvancedHunting-EmailUrlInfo" \| properties.Url=?{URL=*}}, field=properties.NetworkMessageId, include=properties.Url)	`Event List`
Email details	To see details for an email, copy/paste a NetworkMessageId into the similarly named parameter, and press Apply parameters. The From row refers to the sender in the FROM SMTP header (which is the sender users will see), and the MailFrom row refers to that of the MAIL FROM header (which is the address the server will use to return a non-delivery report to if the email cannot be delivered). Hide Query Show Query logscale #logtype = "microsoft365" \| test(?NetworkMessageId != "") \| #category = "AdvancedHunting-EmailEvents" \| properties.NetworkMessageId = ?{NetworkMessageId=} \| tenantId = ?{tenantId=} \| [ selectLast([properties.SenderFromAddress, properties.SenderMailFromAddress, properties.Subject, @timestamp, properties.UrlCount]), count(properties.RecipientEmailAddress, distinct=true, as="No. of recipients") ] // In the case where ?NetworkMessageId is not set, // we repeat the test to clear the results from running `count` on an empty set of events. \| test(?NetworkMessageId != "") \| From := rename(properties.SenderFromAddress) \| MailFrom := rename(properties.SenderMailFromAddress) \| Subject := rename(properties.Subject) \| Received := formatTime("%b %d %T %Z", field=@timestamp) \| table([Received, From, MailFrom, Subject, "No. of recipients"]) \| transpose() \| " " := rename(column) \| " " := rename(row[1])	`Table`
URLs in email	Copy/paste a NetworkMessageId into the similarly named parameter, press Apply parameters and any URLs in the email will be shown here. Hide Query Show Query logscale #logtype = "microsoft365" \| test(?NetworkMessageId != "") \| #category = "AdvancedHunting-EmailUrlInfo" \| properties.NetworkMessageId = ?{NetworkMessageId=} \| tenantId = ?{tenantId=} \| properties.Url = ?{URL=} \| join({ #logtype = "microsoft365" \| #category = "AdvancedHunting-UrlClickEvents" \| properties.AccountUpn = ?{AccountUpn=} \| "Was clicked?" := "Yes" }, field=[properties.NetworkMessageId, properties.Url], include=["Was clicked?", properties.AccountUpn], mode=left) // If AccountUpn parameter is not set, we want the join to be a left join, // but if the parameter IS set, then we want it to be an inner join. // We cannot do that directly, but we emulate it like this. \| properties.AccountUpn = ?{AccountUpn=} \| default(value="No", field=["Was clicked?"]) \| groupBy([properties.Url], function=[selectLast(["Was clicked?"])]) \| "URL" := rename(properties.Url) \| table([URL, "Was clicked?"])	`Table`
Seeing email details	To see detailed information for an email, paste the NetworkMessageId into similarly named parameter above and press Apply parameters.	`Note`
Seeing details about URLs	To see detailed information for an email, type the URL into the similarly named parameter above and press Apply parameters. Currently searching for: {{parameters[URL]}}	`Note`

Email overview

Widget	Description	Type
Delivered emails with CrowdStrike IOC detections	Looks at the sending SMTP servers, as well as URLs in the email body, to find indicators of compromise (IOC). This widget only looks at delivered emails (to supplement the info on blocked emails above it). If you would like more details on IOC detections in your emails in general, see the included IOC dashboard. The indicators come from CrowdStrike. Hide Query Show Query logscale #logtype="microsoft365" \| tenantId=?{tenantId=} \| #category = "AdvancedHunting-EmailEvents" \| properties.DeliveryAction = "Delivered" \| join({ #logtype="microsoft365" \| tenantId=?{tenantId=} \| #category = "AdvancedHunting-EmailUrlInfo" \| ioc:lookup([properties.Url], type="url", confidenceThreshold="unverified") \| case { ioc.detected = "true"; * \| ioc:lookup([properties.UrlDomain], type="domain", strict=true, confidenceThreshold="unverified"); } }, field=properties.NetworkMessageId, mode=left) \| ioc:lookup([properties.SenderIPv4, properties.SenderIPv6], type="ip_address", confidenceThreshold="unverified") \| case { ioc.detected = "true"; * \| ioc:lookup([properties.SenderFromDomain], type="domain", strict=true, confidenceThreshold="unverified"); } \| timechart(function=count(field=properties.NetworkMessageId, distinct=true), span=12h)	`Time Chart`
Top sender addresses	Top 10 email sender addresses (includes all email) Hide Query Show Query logscale `#logtype = "microsoft365" \| #category = "AdvancedHunting-EmailEvents" \| tenantId = ?{tenantId=*} \| top(properties.SenderFromAddress, as="No. of emails sent") \| Sender := rename(properties.SenderFromAddress) \| table([Sender, "No. of emails sent"])`	`Table`
Blocked email threats	Emails blocked by Microsoft365 because they were determined to be a threat. Hide Query Show Query logscale `#logtype = "microsoft365" \| #category="AdvancedHunting-EmailEvents" \| tenantId = ?{tenantId=*} \| !in(properties.ThreatTypes, values=["null", "Spam"]) \| timeChart(properties.ThreatTypes)`	`Time Chart`
Total email volume	Volume of emails by mail flow type/direction. Hide Query Show Query logscale `#logtype = "microsoft365" \| #category="AdvancedHunting-EmailEvents" \| tenantId=?{tenantId=*} \| timeChart(properties.EmailDirection) // Emails sent and received over time`	`Time Chart`
Top email sender and receiver pairs	Top sender/receiver pairs for all email. Shows the unique sender/receiver pairs of email addresses that exchange the most number of emails (includes all emails - ‘good' and ‘bad'). Hide Query Show Query logscale `#logtype = "microsoft365" \| #category = "AdvancedHunting-EmailEvents" \| tenantId = ?{tenantId=*} \| top([properties.SenderFromAddress, properties.RecipientEmailAddress], as=Count) \| Sender := rename(properties.SenderMailFromAddress) \| Recipient := rename(properties.RecipientEmailAddress) \| table([Sender, Recipient, Count])`	`Table`
Blocked spam mails	Displays a list of blocked spam Outlook email by tenant ID. Hide Query Show Query logscale `#logtype = "microsoft365" \| #category = "AdvancedHunting-EmailEvents" \| tenantId = ?{tenantId=*} \| properties.ThreatTypes = "Spam" \| timeChart()`	`Single Value`
Top recipient addresses	Top 10 recipient email address (includes all email) Hide Query Show Query logscale `#logtype = "microsoft365" \| #category = "AdvancedHunting-EmailEvents" \| tenantId = ?{tenantId=*} \| top(properties.RecipientEmailAddress, as="No. of emails received") \| Receiver := rename(properties.RecipientEmailAddress) \| table([Receiver, "No. of emails received"])`	`Table`

Email threat summary

Widget	Description	Type
Email threats over time	Volume of email threats, by threat type, over time Hide Query Show Query logscale `#logtype = "microsoft365" \| #category="AdvancedHunting-EmailEvents" \| tenantId = ?{tenantId=*} \| properties.ThreatTypes != "null" \| timeChart(properties.ThreatTypes, limit=10)`	`Time Chart`
Threat types	Breakdown of threats by threat type Hide Query Show Query logscale `#logtype = "microsoft365" \| #category="AdvancedHunting-EmailEvents" \| tenantId = ?{tenantId=*} \| properties.ThreatTypes != "null" \| top(properties.ThreatTypes, limit=10, rest=others)`	`Pie Chart`
Top receivers of email threats	Top 50 receivers of email threats with the number of threats received Hide Query Show Query logscale `#logtype = "microsoft365" \| #category = "AdvancedHunting-EmailEvents" \| tenantId=?{tenantId=} \| properties.RecipientEmailAddress = ?{RecipientAddress=} \| properties.DeliveryAction = "Blocked" OR (properties.DeliveryAction != "Blocked" AND properties.ThreatTypes != "null") \| top("properties.RecipientEmailAddress", as="No. of emails") \| Recipient := rename("properties.RecipientEmailAddress") \| table(["Recipient", "No. of emails"])`	`Table`
Total email threats	Total number of email threats per day with trend line over the selected time span Hide Query Show Query logscale `#logtype = "microsoft365" \| #category="AdvancedHunting-EmailEvents" \| properties.ThreatTypes != "null" \| tenantId = ?{tenantId=*} \| timeChart(unit="/span to /day")`	`Single Value`
Top 10 sending IPs of email threats	Top 10 SMTP server IP addresses that are sending email threats identified by Microsoft Hide Query Show Query logscale `#logtype = "microsoft365" \| #category = "AdvancedHunting-EmailEvents" \| properties.ThreatTypes != "null" \| tenantId = ?{tenantId=*} \| case { properties.SenderIPv4 != "null" \| "Sender IP" := properties.SenderIPv4; "Sender IP" := properties.SenderIPv6; } \| top("Sender IP", as="No. of emails from")`	`Table`
Top senders of email threats	Top 10 senders of email threats found by Microsoft Hide Query Show Query logscale `#logtype = "microsoft365" \| #category = "AdvancedHunting-EmailEvents" \| properties.ThreatTypes != "null" \| tenantId = ?{tenantId=*} \| top(properties.SenderFromAddress, as="Total threats") \| Sender := rename("properties.SenderFromAddress") \| table([Sender, "Total threats"])`	`Table`

Enter search term