EmailAttachmentInfo 表的查询

有关在 Azure 门户中使用这些查询的信息，请参阅 Log Analytics 教程。 有关 REST API，请参阅查询。

来自恶意发送方的文件

查找组织中恶意发送方在选定时间范围发送的文件的首次出现。 若要查看更早出现的情况，请增加所选时间范围。

let MaliciousSender = "<insert the sender email address>";
EmailAttachmentInfo
| where SenderFromAddress =~ MaliciousSender
| project SHA256 = tolower(SHA256)
| join (
DeviceFileEvents
) on SHA256
| summarize FirstAppearance = min(Timestamp) by DeviceName, SHA256, FileName 
| take 100

向外部域发送带有附件的电子邮件

发送到外部域的带有附件的电子邮件。

EmailEvents
| where EmailDirection == "Outbound" and AttachmentCount > 0
| join EmailAttachmentInfo on NetworkMessageId 
| project Timestamp, Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId, FileName, AttachmentCount 
| take 1000