[MS DEFENDER KQL] Display alert details in an easy-to-read row format (mail info, attachments, URLs, recipient phone, etc.)
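// Purpose: one row per (alert, mail message) for Microsoft Defender alerts about malicious URL
// clicks, enriched with the delivered email's metadata, its attachment names, the URLs it carried
// and the recipient's phone number from IdentityInfo.
//
// Tables read: AlertInfo, AlertEvidence, EmailEvents, EmailAttachmentInfo, EmailUrlInfo, IdentityInfo.
// Output grain: AlertId x NetworkMessageId (plus the per-recipient EmailEvents columns in the
// `by` clause, so one alert can still yield several rows when delivery differed per recipient).
//
// Analyst caveats:
//   * `Urls` holds live, un-defanged links from messages flagged as malicious — do not click them
//     from the results grid; copy into a sandbox/URL scanner instead.
//   * `Phone` is personal data pulled from IdentityInfo; keep the result set inside the SOC.
//   * Only EmailEvents is bounded by `lookback` (as in the original query); AlertInfo and
//     AlertEvidence are scanned over the full retention period.
//
// Alert titles to match. `has_any` does whole-term / phrase matching, not substring matching.
let maliciousTitles = dynamic(["Malicious URL Click", "Potentially malicious URL"]);
// Time window applied to EmailEvents.
let lookback = 90d;
// Alerts whose title matches one of the phrases above (single column, usable inside `in ()`).
let MaliciousUrlClickAlerts = AlertInfo
    | where Title has_any (maliciousTitles)
    | distinct AlertId;
// Header fields for those alerts; everything else on AlertInfo is dropped by the final summarize.
let AlertDetails = AlertInfo
    | where AlertId in (MaliciousUrlClickAlerts)
    | project AlertId, AlertTimestamp = Timestamp, Title, Severity;
// Mail-message evidence attached to those alerts. Supplies NetworkMessageId, AccountUpn,
// RecipientEmailAddress, SenderFromAddress and Subject used by the joins and grouping below.
let evidenceDetails = AlertEvidence
    | where AlertId in (MaliciousUrlClickAlerts)
    | where EntityType == "MailMessage";
// Message ids to enrich. Empty ids are excluded so an evidence row without a NetworkMessageId
// cannot match an (equally empty) key on the email tables.
let interestingNIDs = evidenceDetails
    | where isnotempty(NetworkMessageId)
    | distinct NetworkMessageId;
// EmailEvents has one row per recipient; the time filter goes first so the scan is bounded
// before the `in ()` lookup is evaluated.
let emails = EmailEvents
    | where Timestamp >= ago(lookback)
    | where NetworkMessageId in (interestingNIDs)
    | project-rename TimestampEmail = Timestamp;
// One row per message: comma-joined attachment names and their count.
let attachments = EmailAttachmentInfo
    | where NetworkMessageId in (interestingNIDs)
    | summarize Attachments = strcat_array(make_list_if(FileName, isnotempty(FileName)), ", "),
                AttachmentCount = countif(isnotempty(FileName))
      by NetworkMessageId;
// One row per message: comma-joined URLs and their count.
let urls = EmailUrlInfo
    | where NetworkMessageId in (interestingNIDs)
    | summarize Urls = strcat_array(make_list_if(Url, isnotempty(Url)), ", "),
                UrlCount = countif(isnotempty(Url))
      by NetworkMessageId;
// IdentityInfo holds multiple rows per identity over time; collapse to one phone per UPN.
// The key is lower-cased because KQL joins compare strings case-sensitively and the UPN casing
// in AlertEvidence is not guaranteed to match IdentityInfo.
let userPhones = IdentityInfo
    | where isnotempty(AccountUpn) and isnotempty(Phone)
    | extend UpnKey = tolower(AccountUpn)
    | summarize Phone = take_any(Phone) by UpnKey;
AlertDetails
| join kind=leftouter evidenceDetails on AlertId
// NOTE(review): this join is on NetworkMessageId only, so a multi-recipient message yields one
// row per recipient; adding RecipientEmailAddress to the key would tighten it if AlertEvidence
// always populates that column for MailMessage entities — confirm against your tenant's data.
| join kind=leftouter emails on NetworkMessageId
| join kind=leftouter attachments on NetworkMessageId
| join kind=leftouter urls on NetworkMessageId
| extend UpnKey = tolower(AccountUpn)
| join kind=leftouter userPhones on UpnKey
// take_any() replaces the deprecated any(); it prefers a non-empty value when one exists.
// Columns not listed here (join duplicates such as AlertId1, UpnKey, etc.) are dropped.
| summarize
    Attachments = take_any(Attachments),
    Urls = take_any(Urls),
    AttachmentCount = take_any(AttachmentCount),
    UrlCount = take_any(UrlCount),
    Phone = take_any(Phone),
    To = take_any(To)
  by AlertId, Title, Severity, AccountUpn, NetworkMessageId, TimestampEmail, IsFirstContact,
     AlertTimestamp, SenderDisplayName, SenderFromAddress, SenderIPv4, SenderIPv6, DeliveryAction,
     EmailSize, LatestDeliveryLocation, RecipientEmailAddress, Subject
| sort by AlertTimestamp desc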