Package Contents Explained

This package consists of the following:

Package Contents - Parsers

This package contains the following parsers:

  • microsoft365 - A parser for Microsoft 365™ events streamed with Microsoft 365 Defender™ to Event Hub and sent to LogScale with the Falcon Azure Event Hub Collector. Adds a tag logtype: = microsoft365

Package Contents - Dashboards

This section contains the list of Dashboards included in the package:

  • Email overview - Overview dashboard for email security events, including volumes of email flows, top sender/receivers, ratios of emails with threats etc.

  • Email IOC detections - Scans your email logs for detections of indicators of compromise (IOC), with drill down capabilities for investigating specific indicators.

  • Email threat summary - Information on email threats found in Microsoft 365 Defender™ events including, volume and type of threats, details of email threats etc.

  • Email investigation - helps investigate who received an email with a certain URL, whether they clicked on it etc. Uses parameters to allow search to be narrowed based on to/from addresses, URL, subject line etc.

  • Email forwarding rules - Shows details of Inbox rules, Mailbox rules and Transport rules that are forwarding email.


The advanced hunting schema is updated regularly to add new tables and columns. In some cases, existing columns names are renamed or replaced to improve the user experience. Refer to this article to review naming changes that could impact your queries.