-
Notifications
You must be signed in to change notification settings - Fork 2.9k
/
EmailDelivered-ToInbox.yaml
37 lines (36 loc) · 1.15 KB
/
EmailDelivered-ToInbox.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
id: cdac93ef-56c0-45bf-9e7f-9cbf0ad06123
name: Determine Successfully Delivered Phishing Emails to Inbox/Junk folder.
description: |
This query identifies threats which got successfully delivered to Inbox/Junk folder.
requiredDataConnectors:
- connectorId: OfficeATP
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where isnotempty(ThreatTypes) and DeliveryLocation in~ ("Inbox/folder","Junk folder")
| extend Name = tostring(split(SenderFromAddress, '@', 0)[0]), UPNSuffix = tostring(split(SenderFromAddress, '@', 1)[0])
| extend Account_0_Name = Name
| extend Account_0_UPNSuffix = UPNSuffix
| extend IP_0_Address = SenderIPv4
| extend MailBox_0_MailboxPrimaryAddress = RecipientEmailAddress
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SenderIPv4
- entityType: MailBox
fieldMappings:
- identifier: MailboxPrimaryAddress
columnName: RecipientEmailAddress
version: 1.0.1