Email(queries)
Email(queries)
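// Sender→recipient mail trace for the last 90 days, enriched with URL and attachment detail.
// Both joins are leftouter on NetworkMessageId, so a message carrying several URLs and/or
// several attachments is returned once per URL×attachment combination — compare against
// UrlCount / AttachmentCount before reading row counts as message counts.
// AuthenticationDetails holds the SPF/DKIM/DMARC/CompAuth verdicts as a JSON string.
// The final column name was split across two lines in the source (DeliveryLo / cation)
// and is rejoined here; otherwise the query does not parse.
EmailEvents
| where SenderFromAddress =="[email protected]" and TimeGenerated > ago(90d)
    and RecipientEmailAddress =="[email protected]"
| join kind=leftouter EmailUrlInfo on NetworkMessageId
| join kind=leftouter EmailAttachmentInfo on NetworkMessageId
| project SenderFromAddress, Subject, RecipientEmailAddress, DeliveryAction,
    NetworkMessageId, UrlCount, Url, AttachmentCount,
    FileName, SHA256, SenderDisplayName, SenderFromDomain, AuthenticationDetails, DeliveryLocation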
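// Messages whose Subject contains a given fragment (last 30 days), with sender identity,
// sender IPs, authentication verdicts and delivery outcome. AuthenticationDetails is the
// SPF/DKIM/DMARC/CompAuth JSON; `contains` is a case-insensitive substring match.
// NOTE(review): the literal "subject" reads like a placeholder — replace it with the
// subject text under investigation.
// Column names split across lines in the source (SenderFro / mAddress, DeliveryLocation / ,)
// and the comment that spilled onto an uncommented line (SHA256) are repaired here.
EmailEvents
| where Subject contains "subject" and TimeGenerated > ago(30d)
| project
    TimeGenerated, AuthenticationDetails, SenderFromDomain, SenderMailFromDomain, SenderFromAddress, SenderMailFromAddress,
    SenderIPv4, SenderIPv6, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation,
    UrlCount, AttachmentCount, NetworkMessageId
// Optional enrichment, left disabled as in the source:
//| join EmailAttachmentInfo on NetworkMessageId | distinct FileName, FileType, SHA256
//| join EmailUrlInfo on NetworkMessageId | distinct Url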
// Mailbox addresses in the tenant's domain together with the UPN each resolves to,
// one row per distinct pair. `contains` is a case-insensitive substring test, so the
// pattern would also match a longer domain that merely embeds this one.
IdentityInfo
| where MailAddress contains '@metlabsaust.com.au'
| project MailAddress, AccountUPN
| distinct *
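// Mail exchanged between two candidate sender addresses and two candidate recipient
// addresses, with the message identifiers needed for cross-table pivots.
// NOTE(review): the source projected `sourceIp` and `Destination`/`IP` (split across
// lines); neither appears in the EmailEvents schema as I know it. The sender-IP columns
// this table exposes are SenderIPv4 / SenderIPv6 (also used by the subject-search query
// above), so those are projected instead — restore the originals if your schema differs.
EmailEvents
| where SenderFromAddress contains "[email protected]" or SenderFromAddress contains "[email protected]"
| where RecipientEmailAddress contains "[email protected]" or RecipientEmailAddress contains "[email protected]"
| project SenderFromAddress, Subject, RecipientEmailAddress, DeliveryAction,
    NetworkMessageId, UrlCount, AttachmentCount, InternetMessageId, SenderIPv4, SenderIPv6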
// Attachment rows (FileName, FileType, SHA256, …) for mail between the two candidate
// sender addresses and the two candidate recipient addresses. Both filters are combined
// into one predicate; `contains` is a case-insensitive substring match, so each address
// pattern also matches longer addresses that embed it.
EmailAttachmentInfo
| where (SenderFromAddress contains "[email protected]" or SenderFromAddress contains "[email protected]")
    and (RecipientEmailAddress contains "[email protected]" or RecipientEmailAddress contains "[email protected]")
// URL rows for two specific messages, keyed by NetworkMessageId (the same key the
// EmailEvents queries join on). With full GUIDs the substring test behaves like an
// exact match in practice.
EmailUrlInfo
| where (NetworkMessageId contains "e857d16c-d973-41f4-3812-08db2fc6b108")
    or (NetworkMessageId contains "9f564617-5dbf-4149-4428-08db2fd605fd")
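// Clicks on one specific URL. The literal was split across two lines in the source
// (inside the hex file name) and is rejoined here; the split version does not parse.
// NOTE(review): the `` prefix looks like a
// capture/proxy rewrite rather than part of the observed indicator; a `contains` on the
// prefixed string will not match the bare aadcdn.msftauth.net URL — verify the indicator
// before relying on this query.
UrlClickEvents
| where Url contains "https://aadcdn.msftauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg"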
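// Endpoint network connections to one specific URL. The literal was split across two
// lines in the source (inside the hex file name) and is rejoined here.
// NOTE(review): as with the UrlClickEvents query above, the
// `` prefix looks like a capture/proxy rewrite;
// confirm the indicator actually seen in RemoteUrl before relying on the match.
DeviceNetworkEvents
| where RemoteUrl contains "https://aadcdn.msftauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg"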
// Term search across every column of DeviceNetworkEvents for the attachment name.
// Same as `DeviceNetworkEvents | search "…"`; `search` does term (has-style) matching
// rather than arbitrary substring matching, so partial file names will not hit.
search in (DeviceNetworkEvents) "REMITTANCERECEIPT.HTML"
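// Term search across DeviceFileEvents. The source omitted the search term, which makes
// the query invalid; the literal below is an obvious placeholder to be replaced with the
// file name or hash under investigation (e.g. the attachment name searched for above).
DeviceFileEvents
| search "<SEARCH_TERM_PLACEHOLDER>"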
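// Cloud-app activity originating from two specific source IPs.
// `in` is an exact match; the original `contains` was a substring test and would also
// match longer addresses that embed these (constructed example: 117.58.23.183 contains
// 17.58.23.183), which is a false-positive source when pivoting on an IP.
CloudAppEvents
| where IPAddress in ("222.227.84.49", "17.58.23.183")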
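// Successful mailbox item deletions attributed to one user, from the unified audit log.
// NOTE(review): "MailboxDeleteItem" does not match the Exchange mailbox-audit operation
// names I would expect to see in OfficeActivity (SoftDelete / HardDelete /
// MoveToDeletedItems); confirm the value against live data before trusting an empty result.
// In the source the trailing "//and" comment spilled onto an uncommented next line
// (ItemSubject …), which breaks parsing; that filter is kept as a single commented line.
OfficeActivity
| where UserId contains "[email protected]"
| where Operation == "MailboxDeleteItem" and ResultStatus == "Succeeded"
//    and ItemSubject contains "deleted items"   // optional subject filter
| project TimeGenerated, Operation //, UserIds, ItemSubject, Source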
// File-deletion activity attributed to one account in CloudAppEvents. Both filters are
// folded into a single predicate; the disabled mailbox/project lines are kept as in the
// source.
CloudAppEvents
| where ActionType == "FileDeleted"
    and AccountDisplayName contains "[email protected]"
//| where operation == "MailboxDeleteItem"
//| project AccountId,ActionType
[email protected]
Delivered
5b1e6297-103d-4356-b9cd-08dbfb2d20dd
https://811b1c726ed82759.krtra.com/t/XF3vt6goPICp
thumb8940498585.jpg
Key
Value
SenderFromAddress
[email protected]
Subject
Complete: Review and sign your document!
RecipientEmailAddress
[email protected]
DeliveryAction
Delivered
NetworkMessageId
5b1e6297-103d-4356-b9cd-08dbfb2d20dd
UrlCount
1
Url:https://811b1c726ed82759.krtra.com/t/XF3vt6goPICp
AttachmentCount
FileName
thumb8940498585.jpg
SHA256
98154a3047f205d26718a4b3c7f23210ccdf47d6752291987d97fd5fd7cbee93
SenderDisplayName
DocuOnline® Via E-Review
SenderFromDomain
vuakietac.vn
AuthenticationDetails
{"SPF":"pass","DKIM":"pass","DMARC":"bestguesspass","CompAuth":"pass"}
Key
Value
CompAuth
pass
DKIM
pass
DMARC
bestguesspass
DeliveryLocation
Inbox/folder
https://google.com/url?
sa=t&rct=Kk&q=Fh&esrc=kg&source=web&cd=ZA&cad=rw0v&uact=7&ved=xiqkOMsluFGlj5&url=am
p%2Fgoogle.de%2Famp%2F57c7cIM.gnxltfcxw.shop
%2FVL3CFCacL&usg=NCTCbSL8hCAR&opi=0287772204399
209.52.88.76
PreviousLocation US
CurrentIPAddress 172.56.51.22
PreviousIPAddress 63.151.242.42
Mail delivered from avantsource?tech: a spam mail not containing any URL or attachments. Further, the mail was not accessed.
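// Sign-in history for one account across interactive (SigninLogs) and non-interactive
// (AADNonInteractiveUserSignInLogs) logs. Because the two tables type DeviceDetail and
// LocationDetails differently (dynamic vs string), the union leaves them suffixed
// _dynamic / _string; the SIL_* / AADN_* pairs below read both and are coalesced on output.
// Type shows which of the two tables each row came from.
// Several trailing comments in the source wrapped onto uncommented lines (UserPrincipalName…,
// sign ins, other key than UPN), which breaks parsing; they are rejoined here.
SigninLogs
| union AADNonInteractiveUserSignInLogs
| where TimeGenerated >= ago(30d) // default 30d, modify as you see fit
// `contains` is a case-insensitive substring test; use =~ for an exact UPN if this account
// name is a prefix of another.
| where UserPrincipalName contains "[email protected]" // can replace UserPrincipalName for any other key you want to search
//| where ResultType in ("0", "50140", "50125") // for checking only the successful sign ins
//| where not(ResultType in ("0", "50140", "50125")) // for checking only the unsuccessful sign ins
| extend
    SIL_deviceId = tostring(DeviceDetail_dynamic.deviceId),
    SIL_displayName = tostring(DeviceDetail_dynamic.displayName),
    SIL_os = tostring(DeviceDetail_dynamic.operatingSystem),
    SIL_trust = tostring(DeviceDetail_dynamic.trustType),
    AADN_deviceId = tostring(parse_json(DeviceDetail_string).deviceId),
    AADN_displayName = tostring(parse_json(DeviceDetail_string).displayName),
    AADN_os = tostring(parse_json(DeviceDetail_string).operatingSystem),
    AADN_trust = tostring(parse_json(DeviceDetail_string).trustType),
    SIL_city = tostring(LocationDetails_dynamic["city"]),
    SIL_state = tostring(LocationDetails_dynamic["state"]),
    SIL_country = tostring(LocationDetails_dynamic["countryOrRegion"]),
    AADN_city = tostring(parse_json(LocationDetails_string).city),
    AADN_state = tostring(parse_json(LocationDetails_string).state),
    AADN_country = tostring(parse_json(LocationDetails_string).countryOrRegion),
    // First and second authentication steps (method, result detail, success flag).
    // When only one step was recorded, index [1] yields null and tostring() returns "".
    FstAuthReq = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod),
    FstAuthReqRsult = tostring(parse_json(AuthenticationDetails)[0].authenticationStepResultDetail),
    FstAuthReqRsult_Succ = tostring(parse_json(AuthenticationDetails)[0].succeeded),
    SndAuthReq = tostring(parse_json(AuthenticationDetails)[1].authenticationMethod),
    SndAuthReqRsult = tostring(parse_json(AuthenticationDetails)[1].authenticationStepResultDetail),
    SndAuthReqRsult_Succ = tostring(parse_json(AuthenticationDetails)[1].succeeded)
| project
    Type,
    TimeGenerated,
    //UserPrincipalName, // uncomment if you're checking sign ins by IP or some other key than UPN
    ResultType, ResultDescription,
    AuthenticationRequirement,
    ResourceDisplayName,
    AppDisplayName,
    FstAuthReq,
    FstAuthReqRsult,
    FstAuthReqRsult_Succ,
    SndAuthReq,
    SndAuthReqRsult,
    SndAuthReqRsult_Succ,
    // Prefer the interactive-log value, fall back to the non-interactive one.
    deviceId = coalesce(SIL_deviceId, AADN_deviceId),
    displayName = coalesce(SIL_displayName, AADN_displayName),
    os = coalesce(SIL_os, AADN_os),
    trust = coalesce(SIL_trust, AADN_trust),
    city = coalesce(SIL_city, AADN_city),
    state = coalesce(SIL_state, AADN_state),
    country = coalesce(SIL_country, AADN_country),
    IPAddress,
    UserAgent,
    Category
| sort by TimeGenerated desc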
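// Sender→recipient mail trace for the last 90 days, enriched with URL and attachment detail
// (a repeat of the first query in this document). Both joins are leftouter on
// NetworkMessageId, so a message with several URLs and/or attachments is returned once per
// URL×attachment combination — check UrlCount / AttachmentCount before counting rows as
// messages. AuthenticationDetails holds the SPF/DKIM/DMARC/CompAuth verdicts as JSON.
// The last column name was split across two lines in the source and is rejoined here.
EmailEvents
| where SenderFromAddress =="[email protected]" and TimeGenerated > ago(90d)
    and RecipientEmailAddress =="[email protected]"
| join kind=leftouter EmailUrlInfo on NetworkMessageId
| join kind=leftouter EmailAttachmentInfo on NetworkMessageId
| project SenderFromAddress, Subject, RecipientEmailAddress, DeliveryAction,
    NetworkMessageId, UrlCount, Url, AttachmentCount,
    FileName, SHA256, SenderDisplayName, SenderFromDomain, AuthenticationDetails, DeliveryLocation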
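// Interactive sign-ins that contain a given GUID in any column (presumably a user/app
// object id or correlation id — confirm which) and originate from one source IP, with the
// location, device, MFA and Conditional Access context needed for triage.
// `==` replaces the original substring `contains` on IPAddress so that longer addresses
// embedding this one are not matched; the dynamic-field projections are given explicit names.
SigninLogs
| search "9f9c4e16-5e25-4304-8ba4-12254f48ae69"
| where IPAddress == "103.225.222.58"
| project TimeGenerated,
    City = LocationDetails["city"],
    State = LocationDetails["state"],
    Country = LocationDetails["countryOrRegion"],
    IPAddress, AppDisplayName,
    Browser = DeviceDetail["browser"],
    ResultType, AuthenticationRequirement, DeviceDetail,
    UserAgent, MfaDetail, UserPrincipalName, ResultDescription,
    AuthenticationDetails, ConditionalAccessPolicies, ConditionalAccessStatus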
https://portal.azure.com/#settings/directory