Queries for the EmailAttachmentInfo table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Files from malicious sender

Finds the first appearance, on onboarded devices, of files sent as attachments by a malicious sender in your organization within the selected time frame. To see earlier appearances, increase the selected time range. The join matches on the attachment's SHA256 against DeviceFileEvents, so both sides are lowercased (the join is case-sensitive) and attachments with no hash are dropped, otherwise an empty hash would match every hash-less file event.

let MaliciousSender = "<insert the sender email address>";
EmailAttachmentInfo
| where SenderFromAddress =~ MaliciousSender
// drop attachments with no hash so they cannot match every hash-less file event
| where isnotempty(SHA256)
| project SHA256 = tolower(SHA256)
| join (
    // join is case-sensitive, so normalize the device-side hash as well
    DeviceFileEvents
    | where isnotempty(SHA256)
    | extend SHA256 = tolower(SHA256)
) on SHA256
| summarize FirstAppearance = min(Timestamp) by DeviceName, SHA256, FileName
| take 100
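The query above tells you whether an attachment's hash ever landed on a device, but not whether the message was delivered or who received it. The following query is an added example (not part of the original page) that answers both in one pass: it joins the sender's attachments to EmailEvents for the delivery outcome per recipient, then left-joins the device-side hash sightings so undelivered and delivered-but-unopened attachments are still listed. The 7-day lookback, the 20-device cap in make_set, and the placeholder sender are assumptions; the column names are those documented for the EmailAttachmentInfo, EmailEvents and DeviceFileEvents tables.

```kusto
// Added example, not the original page's query.
// For every attachment from the suspected sender: delivery outcome per recipient,
// plus whether the same hash has been written to any onboarded device.
let MaliciousSender = "<insert the sender email address>";   // placeholder, as on the page
let Lookback = 7d;                                             // assumption: adjust as needed
let Attachments =
    EmailAttachmentInfo
    | where Timestamp > ago(Lookback)
    | where SenderFromAddress =~ MaliciousSender
    | where isnotempty(SHA256)
    | extend SHA256 = tolower(SHA256)
    | project NetworkMessageId, RecipientEmailAddress, FileName, FileType, SHA256;
let Delivery =
    EmailEvents
    | where Timestamp > ago(Lookback)
    | where SenderFromAddress =~ MaliciousSender
    | project NetworkMessageId, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation;
let OnDisk =
    DeviceFileEvents
    | where Timestamp > ago(Lookback)
    | where isnotempty(SHA256)
    | extend SHA256 = tolower(SHA256)
    // one row per hash: first sighting and up to 20 device names (cap is an assumption)
    | summarize FirstSeenOnDevice = min(Timestamp), Devices = make_set(DeviceName, 20) by SHA256;
Attachments
// join on both keys so each attachment row pairs with its own recipient's delivery row
| join kind=inner Delivery on NetworkMessageId, RecipientEmailAddress
// leftouter keeps attachments that never reached a device (blocked, quarantined, unopened)
| join kind=leftouter OnDisk on SHA256
| extend LandedOnDevice = isnotempty(FirstSeenOnDevice)
| project Subject, RecipientEmailAddress, FileName, FileType, SHA256,
          DeliveryAction, DeliveryLocation, LandedOnDevice, FirstSeenOnDevice, Devices
| order by LandedOnDevice desc, DeliveryAction asc
```

Rows with LandedOnDevice == true and DeliveryAction == "Delivered" are the ones to triage first; a hash seen on disk for a message that was blocked or quarantined points at a second delivery path (another sender, a share, a download) rather than this email.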

Emails to external domains with attachments

Emails sent to an external domain that include attachments.

EmailEvents
| where EmailDirection == "Outbound" and AttachmentCount > 0
// kind=inner keeps every recipient row and every attachment row; the default
// innerunique keeps one EmailEvents row per key and would drop other recipients.
// Joining on RecipientEmailAddress too avoids recipient x attachment cross rows.
| join kind=inner EmailAttachmentInfo on NetworkMessageId, RecipientEmailAddress
| project Timestamp, Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId, FileName, FileType, SHA256, AttachmentCount
| take 1000
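Listing a thousand raw rows is a poor way to spot data leaving the organization. The query below is an added example (not part of the original page) that aggregates the same outbound-attachment join per sender and external recipient domain, so bulk sends and archive or spreadsheet attachments stand out. The 7-day lookback, the ArchiveOrDataTypes list, the 5-file sample cap and the alerting thresholds are assumptions to tune for your tenant; FileType is the documented file-extension column of EmailAttachmentInfo.

```kusto
// Added example, not the original page's query.
// Outbound attachments summarized per sender and external recipient domain.
let Lookback = 7d;                                                     // assumption
let ArchiveOrDataTypes = dynamic(["zip", "7z", "rar", "xlsx", "xlsm", "csv", "pst"]);  // assumption
EmailEvents
| where Timestamp > ago(Lookback)
| where EmailDirection == "Outbound" and AttachmentCount > 0
// kind=inner keeps every recipient and every attachment row
| join kind=inner (
    EmailAttachmentInfo
    | where Timestamp > ago(Lookback)
    | project NetworkMessageId, RecipientEmailAddress, FileName, FileType, SHA256
  ) on NetworkMessageId, RecipientEmailAddress
// the part after '@' is the external domain the attachment went to
| extend RecipientDomain = tolower(tostring(split(RecipientEmailAddress, "@")[1]))
| extend IsArchiveOrData = FileType in~ (ArchiveOrDataTypes)
| summarize Messages = dcount(NetworkMessageId),
            Attachments = count(),
            ArchiveOrDataAttachments = countif(IsArchiveOrData),
            DistinctHashes = dcount(SHA256),
            SampleFiles = make_set(FileName, 5),                       // cap is an assumption
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
  by SenderFromAddress, RecipientDomain
// surface pairs that sent archive/data files or an unusual volume (thresholds are assumptions)
| where ArchiveOrDataAttachments > 0 or Attachments >= 10
| order by ArchiveOrDataAttachments desc, Attachments desc
| take 200
```

A single sender pushing many distinct hashes to one personal-mail domain over a short FirstSeen to LastSeen window is the pattern worth a closer look; join the flagged NetworkMessageId values back to EmailEvents for DeliveryAction and Subject when triaging.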