Queries for the EmailEvents table
For information on using these queries in the Azure portal, see the Log Analytics tutorial. For the REST API, see Query.
Phishing emails from the top 10 sender domains
Get the number of phishing emails from the top ten sender domains.
EmailEvents
| where ThreatTypes has "Phish"
| summarize Count = count() by SenderFromDomain
| top 10 by Count
Emails with malware
Get emails flagged as containing malware, limited to 500 results.
EmailEvents
| where ThreatTypes has "Malware"
| limit 500