Azure Data Explorer
An Azure data analytics service for real-time analysis on large volumes of data streaming from sources including applications, websites, and internet of things devices.
502 questions
Defender for Endpoint Hunting Query E-Mail with Join
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 90%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPB%3C/text%3E%3C/svg%3E)
Patrick Binder
1
Reputation point
Hi There,
i try to create a Defender for Endpoint query to find out, who opens a Office Macro Dokument which was received via E-Mail wit external Domain before.
The First part of the Query to find out who opens Macro Documents is working see below.
My Problem is to Join the EmailAttachmentInfo Table into my Query. Do you have any Suggestion how to use Join for this suppose.
My QUery until now looks like this.
let unkommonfiletypes = dynamic([".docm",".xlsm",".dot",".wbk",".dotm",".docb",".xlsm",".xlm",".xltm",".xlam",".xla",".ppt",".pptm",".potm",".ppsm",".sldm"]);
let Officeprozesses = dynamic(["WINWORD","EXCEL", "PowerPoint", "Outlook"]);
DeviceProcessEvents
| where Timestamp > ago (1d)
| where FileName has_any (Officeprozesses)
| where ProcessCommandLine has_any (unkommonfiletypes)
| where ProcessCommandLine !has "Template.xlsm"
| where ProcessCommandLine !has "Template.docm"
// The join is not working. I Try to get only Alerts from Files, which are received by Mail before.**
| join (
EmailAttachmentInfo
| where SenderFromAddress !contains "@keyman .com"
| limit 10
) on Report ID*
Any Tips for me ?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 70%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
MartinJaffer-MSFT 26,051 Reputation points2021-07-27T06:18:35.233+00:00 Hello @Patrick Binder and welcome to Microsoft Q&A.
When you say the join is not working, what do you see happen?
Does the query give syntax error?
Does query give too many results?
Does query not give enough results?
Something else? -
MartinJaffer-MSFT 26,051 Reputation points
2021-07-30T04:14:10.06+00:00 I haven't heard back from you. Are you still facing the issue, @Patrick Binder ?
-
MartinJaffer-MSFT 26,051 Reputation points
2021-08-02T17:39:11.757+00:00 If you found your own solution, please share here with the community.
Sign in to comment