microsoft/microsoft365 Dashboards
Email IOC detections

Widget | Description | Type |
---|---|---|
IOC matches - URLs in email | Details of IOC matches for URLs found in email. | Table |
Threat trends - sender IP | Number of IOC matches by confidence threshold over time for the sending SMTP server IP address. | Time Chart |
IOC matches - sender domains | Details of IOC matches for sender domains used in emails. | Table |
IOC matches - sender IP | Details of IOC matches for the sending SMTP server IP address. | Table |
Threat trends - domains of URLs in email | Number of IOC matches by confidence threshold over time for domains of URLs found in email. | Time Chart |
Threat trends - sender domains | Number of IOC matches by confidence threshold over time for sender domains. This includes only the sender in the SMTP FROM header. | Time Chart |
Threat trends - URLs in email | Number of IOC matches by confidence threshold over time for URLs found in email. | Time Chart |
IOC matches - domains of URLs in email | Details of IOC matches for domains of URLs found in email. | Table |
Introduction to Indicators of Compromise (IOC) detections | Falcon LogScale includes an integration with CrowdStrike's Falcon Intelligence to provide Falcon LogScale customers with a built-in database of Indicators of Compromise (IOCs). Customers can search their logs for matches against the IOC database and see relevant threat information for each IOC found. Find out more. This dashboard checks a number of email attributes against the IOC database with the `ioc:lookup()` function. Click on the ⫶ button on each IOC detection to start investigating it. | Note |
Email forwarding rules

Widget | Description | Type |
---|---|---|
Mailbox forwarding rules - new and updated | Newly created or updated mailbox forwarding rules. The events do not include the impacted mailbox to which forwarding has been applied. | Event List |
Inbox email forwarding rules - updated | Updated Inbox rules that forward email. Covers the 'ForwardTo', 'ForwardAsAttachmentTo' and 'RedirectTo' rule types. | Event List |
Transport email forwarding rules - updated | Updated Transport rules that forward email. Covers rules for 'ModerateMessageByUser', 'RedirectMessageTo' and 'AddToRecipients'. | Event List |
Transport email forwarding rules - new | Newly created Transport rules that forward email. Covers rules for 'ModerateMessageByUser', 'RedirectMessageTo' and 'AddToRecipients'. | Event List |
Inbox email forwarding rules - new | Newly created Inbox rules that forward email. Covers the 'ForwardTo', 'ForwardAsAttachmentTo' and 'RedirectTo' rule types. | Event List |
Email investigation

Widget | Description | Type |
---|---|---|
Recipients | Copy/paste a NetworkMessageId into the similarly named parameter, press Apply parameters and the recipients for the email will be shown. | Table |
Blocked emails | Summary information for all emails that have a DeliveryAction of Blocked. Note: ThreatType, DetectionMethod and Confidencelevel are not present if the email was blocked by a rule added by the customer or a user (i.e. they are only shown for emails blocked by Microsoft rules). To see the details of a blocked message, copy/paste a NetworkMessageId into the similarly named parameter, press Apply parameters and the Email summary and Email details widgets will populate with the information for the message. | Table |
Email overview | Summary information for all emails. NetworkMessageId is a unique ID applied by Microsoft to each email. Emails to multiple recipients will have the same NetworkMessageId but could have a different delivery status per recipient. The Any delivery? column indicates Yes if the delivery status (i.e. the DeliveryAction field) for any recipient was Delivered. The Any URL clicked? column indicates Yes if any recipient of the message clicked any URL contained within the email. To see the delivery status and any URLs clicked per recipient, copy/paste a NetworkMessageId into the similarly named parameter, press Apply parameters and the details will be shown in the Email details widget below. | Table |
Users who clicked URL | Copy/paste a URL into the similarly named parameter and press Apply parameters to see the user principal name (AccountUPN) of the account that clicked the URL, along with the time of click. The widget Recipients of URL will also populate with the NetworkMessageId, URL and recipient email address. | Event List |
Recipients of URL | Copy/paste a URL into the similarly named parameter and press Apply parameters to see which recipients received an email with that URL present. The widget Users who clicked URL will also populate with the user principal name (AccountUPN) of the account that clicked the URL, along with the time of click. Copy/paste a NetworkMessageId into the similarly named parameter and press Apply parameters to see more information about the email the URL came from. | Event List |
Email details | To see details for an email, copy/paste a NetworkMessageId into the similarly named parameter and press Apply parameters. The From row refers to the sender in the message's From header (which is the sender users will see), and the MailFrom row refers to the SMTP MAIL FROM address (which is the address the server will use to return a non-delivery report to if the email cannot be delivered). | Table |
URLs in email | Copy/paste a NetworkMessageId into the similarly named parameter, press Apply parameters and any URLs in the email will be shown here. | Table |
Seeing email details | To see detailed information for an email, paste the NetworkMessageId into the similarly named parameter above and press Apply parameters. | Note |
Seeing details about URLs | To see detailed information for an email, type the URL into the similarly named parameter above and press Apply parameters. Currently searching for: {{parameters[URL]}} | Note |
Email overview

Widget | Description | Type |
---|---|---|
Delivered emails with CrowdStrike IOC detections | Looks at the sending SMTP servers, as well as URLs in the email body, to find indicators of compromise (IOC). This widget only looks at delivered emails (to supplement the information on blocked emails above it). If you would like more details on IOC detections in your emails in general, see the included IOC dashboard. The indicators come from CrowdStrike. | Time Chart |
Top sender addresses | Top 10 email sender addresses (includes all email). | Table |
Blocked email threats | Emails blocked by Microsoft 365 because they were determined to be a threat. | Time Chart |
Total email volume | Volume of emails by mail flow type/direction. | Time Chart |
Top email sender and receiver pairs | Top sender/receiver pairs for all email. Shows the unique sender/receiver pairs of email addresses that exchange the largest number of emails (includes all emails, 'good' and 'bad'). | Table |
Blocked spam mails | | Single Value |
Top recipient addresses | Top 10 recipient email addresses (includes all email). | Table |
Email threat summary

Widget | Description | Type |
---|---|---|
Email threats over time | Volume of email threats, by threat type, over time. | Time Chart |
Threat types | Breakdown of threats by threat type. | Pie Chart |
Top receivers of email threats | Top 50 receivers of email threats with the number of threats received. | Table |
Total email threats | Total number of email threats per day with a trend line over the selected time span. | Single Value |
Top 10 sending IPs of email threats | Top 10 SMTP server IP addresses that are sending email threats identified by Microsoft. | Table |
Top senders of email threats | Top 10 senders of email threats found by Microsoft. | Table |