KQL queries
Correlate SharePoint email link clicks with subsequent Azure AD sign-ins from a different IP address to detect possible phishing, token theft, or adversary-in-the-middle activity
phishing_detection_sharepoint_email.kql · Identity
Phishing, AiTM, SuspiciousSignIn, UrlClickCorrelation, SharePoint, TokenTheft
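The correlation this entry describes, written out end to end. This is an added example, not the page's or the repository's query: it keeps the WhitelistIP and LookBack variables from the entry and assumes the standard Microsoft Sentinel schemas for UrlClickEvents (AccountUpn, IPAddress, UrlChain), SigninLogs and AADNonInteractiveUserSignInLogs (UserPrincipalName, IPAddress, ResultType, AppDisplayName, UserAgent). The MaxDelay window and its 1-hour value are assumptions to tune.

```kql
// Added example: click-to-sign-in correlation for SharePoint phishing / AiTM token theft.
// Not the page's query; table and column names are the standard Sentinel schemas (assumption).
let WhitelistIP = dynamic(["0.0.0.0"]);   // trusted egress IPs; replace with your own (assumption)
let LookBack = 30m;                        // how far back to look for sign-ins
let MaxDelay = 1h;                         // max gap between the click and the sign-in (assumption)
let Clicks = UrlClickEvents
    | where TimeGenerated >= ago(LookBack + MaxDelay)   // the click can precede the sign-in window
    | where Workload == "Email"
    | where Url has "sharepoint.com"
    | project ClickTime = TimeGenerated, Upn = tolower(AccountUpn), Url, UrlChain, ClickIP = IPAddress;
// Interactive and non-interactive sign-ins; isfuzzy=true keeps the query running if one table is absent.
let SignIns = union isfuzzy=true
    (SigninLogs
     | project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName, UserAgent),
    (AADNonInteractiveUserSignInLogs
     | project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName, UserAgent)
    | where TimeGenerated >= ago(LookBack)
    | where ResultType == "0"                 // successful sign-ins only; a failed one is not token reuse
    | where IPAddress !in (WhitelistIP)
    | project SignInTime = TimeGenerated, Upn = tolower(UserPrincipalName),
              SignInIP = IPAddress, AppDisplayName, UserAgent;
Clicks
| join kind=inner SignIns on Upn
| where SignInTime between (ClickTime .. (ClickTime + MaxDelay))   // sign-in shortly after the click
| where SignInIP != ClickIP                  // the actual signal: the session comes from another address
| extend MinutesAfterClick = datetime_diff("minute", SignInTime, ClickTime)
| project Upn, ClickTime, ClickIP, Url, SignInTime, SignInIP, MinutesAfterClick, AppDisplayName, UserAgent
| order by ClickTime desc
```

Expect benign hits from users who click on a phone and then sign in from a workstation; the differing IP is a lead, not a verdict, and the sign-in's location, user agent and risk level are what to pivot to next. Lower-casing both UPNs before the join matters because UrlClickEvents and the sign-in logs do not always agree on case.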
let WhitelistIP = dynamic(["0.0.0.0"]);   // placeholder; sign-ins from the listed IPs are to be excluded
let LookBack = 30m;
let Clicks = UrlClickEvents
| where TimeGenerated >= ago(LookBack)
| where Workload == "Email"
| where Url has "sharepoint.com"
| project ClickTime = TimeGenerated, AccountUpn, Url, UrlChain, ClickIP = IPAddress;
let SignIns = union isfuzzy=true
(SigninLogs
| where TimeGenerated >= ago(LookBack)
Identify outbound email senders with the highest single-day sending volume over the last 60 days
outbound_senders_report_per_day.kql · Email
OutboundEmail, VolumeAnalysis, SenderProfiling, AnomalyDetection
EmailEvents
| where TimeGenerated > ago(60d)
| where EmailDirection == "Outbound"
| summarize EmailCount = count() by SenderFromAddress, Day = bin(TimeGenerated, 1d)   // messages per sender per day
| summarize TopDailyCount = max(EmailCount) by SenderFromAddress                      // each sender's busiest day
| sort by TopDailyCount desc
Identify outbound email senders with the highest single-hour sending volume over the last 60 days
outbound_senders_report_per_hour.kql · Email
OutboundEmail, VolumeAnalysis, SenderProfiling, AnomalyDetection
EmailEvents
| where TimeGenerated > ago(60d)
| where EmailDirection == "Outbound"
| summarize EmailCount = count() by SenderFromAddress, Hour = bin(TimeGenerated, 1h)   // messages per sender per hour
| summarize TopHourlyCount = max(EmailCount) by SenderFromAddress                       // each sender's busiest hour
| sort by TopHourlyCount desc
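The per-day and per-hour reports above rank senders by their peak volume but say nothing about whether that peak is unusual for the sender, which is what the SenderProfiling and AnomalyDetection tags point at. The following query is an added example, not part of the page or its repository: it extends the hourly report with a per-sender baseline and flags hours that sit far above it. The MinCount and ZThreshold values, the 24-active-hour minimum and the use of RecipientEmailAddress for recipient counts are assumptions.

```kql
// Added example: per-sender hourly baseline with z-score spike detection (not the page's query).
let LookBack = 60d;
let MinCount = 50;        // ignore small bursts even when statistically unusual (assumption)
let ZThreshold = 3.0;     // standard deviations above the sender's own mean (assumption)
let Hourly = EmailEvents
    | where TimeGenerated > ago(LookBack)
    | where EmailDirection == "Outbound"
    | summarize EmailCount = count(), Recipients = dcount(RecipientEmailAddress)
        by SenderFromAddress, Hour = bin(TimeGenerated, 1h);
// Baseline per sender over the hours in which it actually sent something.
// Idle hours are not counted as zeros, so the mean is biased upward and the test is conservative.
let Baseline = Hourly
    | summarize AvgCount = avg(EmailCount), SdCount = stdev(EmailCount), ActiveHours = count()
        by SenderFromAddress
    | where ActiveHours >= 24;   // require some history before trusting the baseline (assumption)
Hourly
| join kind=inner Baseline on SenderFromAddress
| extend ZScore = iff(SdCount > 0, (EmailCount - AvgCount) / SdCount, real(null))
| where EmailCount >= MinCount and ZScore >= ZThreshold
| project Hour, SenderFromAddress, EmailCount, Recipients,
          AvgCount = round(AvgCount, 1), ZScore = round(ZScore, 2)
| order by ZScore desc, EmailCount desc
```

A newly created or freshly compromised mailbox has no history and is dropped by the ActiveHours filter, so keep the plain top-N reports alongside this one: they are what catch a sender that appears from nowhere and immediately sends at volume.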