
Email (Queries)

The document contains detailed information about various email events, including sender and recipient details, delivery actions, and associated URLs and attachments. It highlights incidents involving HTML attachments, spam detection, and user sign-in logs. Additionally, it includes specific queries and data manipulations related to email and sign-in activities for security and monitoring purposes.

Uploaded by

SANTOSH KUMAR

connectwise pass: mUbGlofZYU04E@C4

Emails delivered with HTML attachments


Incident ID: 49121 IRISNDT\ludy.gonzales
--------------------------------------------
SenderDisplayName: Iyamulemye Kazege, Immaculee
SenderMailFromAddress: iiyamulemyekazege@cscmonavenir.ca
SenderIPv4: 40.107.115.106 (Canada, Microsoft Corporation)
Subject: Invoice S010608027.003
list_FileName: Remittance Advice.html
FileType: html
RecipientEmailAddress: pipelinesafety@transmountain.com
DeliveryAction: junked
NetworkMessageId: 23121be9-4a53-4478-0e8d-08db104e7d13
InternetMessageId: YT3PR01MB6536DD15FD546F7A0360376EA1A09@YT3PR01MB6536.CANPRD01.PROD.OUTLOOK.COM
Urls: 7
https://nddg.cscmonavenir.ca/ (elementary school)
https://www.voltage.com/vsn/smhelp/lang/en_US/troubleshooting.htm (Voltage secure mail)

SIA_AutoResponse@singaporeair.com

EmailEvents
| where SenderFromAddress == "dmckenzie_541@live.ca" and TimeGenerated > ago(90d)
    and RecipientEmailAddress == "priya_guha@transmountain.com"
| join kind=leftouter EmailUrlInfo on NetworkMessageId
| join kind=leftouter EmailAttachmentInfo on NetworkMessageId
| project SenderFromAddress, Subject, RecipientEmailAddress, DeliveryAction,
    NetworkMessageId, UrlCount, Url, AttachmentCount,
    FileName, SHA256, SenderDisplayName, SenderFromDomain, AuthenticationDetails, DeliveryLocation

EmailEvents
| where Subject contains "subject" and TimeGenerated > ago(30d)
| project TimeGenerated, AuthenticationDetails, SenderFromDomain, SenderMailFromDomain,
    SenderFromAddress, SenderMailFromAddress,
    SenderIPv4, SenderIPv6, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation,
    UrlCount, AttachmentCount, NetworkMessageId
//| join EmailAttachmentInfo on NetworkMessageId | distinct FileName, FileType, SHA256
//| join EmailUrlInfo on NetworkMessageId | distinct Url

IdentityInfo
| where MailAddress contains '@metlabsaust.com.au'
| distinct MailAddress,AccountUPN

EmailEvents
| where SenderFromAddress contains "amanda27948@icloud.com"
    or SenderFromAddress contains "abenaika@shufukai.or.jp"
| where RecipientEmailAddress contains "david_trann@transmountain.com"
    or RecipientEmailAddress contains "john_zhao@transmountain.com"
| project SenderFromAddress, Subject, RecipientEmailAddress, DeliveryAction,
    NetworkMessageId, UrlCount, AttachmentCount, InternetMessageId, sourceIp, DestinationIP

EmailAttachmentInfo
| where SenderFromAddress contains "amanda27948@icloud.com"
    or SenderFromAddress contains "abenaika@shufukai.or.jp"
| where RecipientEmailAddress contains "david_trann@transmountain.com"
    or RecipientEmailAddress contains "john_zhao@transmountain.com"

EmailUrlInfo
| where NetworkMessageId contains "9f564617-5dbf-4149-4428-08db2fd605fd"
    or NetworkMessageId contains "e857d16c-d973-41f4-3812-08db2fc6b108"

UrlClickEvents
| where Url contains "https://aadcdn.msftauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg"

DeviceNetworkEvents
| where RemoteUrl contains "https://aadcdn.msftauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg"

DeviceNetworkEvents
| search "REMITTANCERECEIPT.HTML"

DeviceFileEvents
| search

CloudAppEvents
| where IPAddress contains "222.227.84.49" or IPAddress contains "17.58.23.183"

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden

$ErrorActionPreference = 'silentlycontinue'; (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\anyrun.exe');

OfficeActivity
| where UserId contains "nicholas.elek@rethinkfirst.com"
| where Operation == "MailboxDeleteItem" and ResultStatus == "Succeeded" //and ItemSubject contains "deleted items"
| project TimeGenerated, Operation//, UserIds, ItemSubject, Source

CloudAppEvents
| where AccountDisplayName contains "nicholas.elek@rethinkfirst.com"
//| where operation == "MailboxDeleteItem"
| where ActionType == "FileDeleted"
//| project AccountId,ActionType

SenderFromAddress: qqkz7fq9k@vuakietac.vn
Subject: Complete: Review and sign your document!
RecipientEmailAddress: eran@rethinkfirst.com
DeliveryAction: Delivered
NetworkMessageId: 5b1e6297-103d-4356-b9cd-08dbfb2d20dd
UrlCount: 1
Url: https://811b1c726ed82759.krtra.com/t/XF3vt6goPICp
AttachmentCount:
FileName: thumb8940498585.jpg
SHA256: 98154a3047f205d26718a4b3c7f23210ccdf47d6752291987d97fd5fd7cbee93
SenderDisplayName: DocuOnline® Via E-Review
SenderFromDomain: vuakietac.vn
AuthenticationDetails: {"SPF":"pass","DKIM":"pass","DMARC":"bestguesspass","CompAuth":"pass"}
DeliveryLocation: Inbox/folder

joseph.ferrito@rethinkfirst.com

https://google.com/url?sa=t&rct=Kk&q=Fh&esrc=kg&source=web&cd=ZA&cad=rw0v&uact=7&ved=xiqkOMsluFGlj5&url=amp%2Fgoogle.de%2Famp%2F57c7cIM.gnxltfcxw.shop%2FVL3CFCacL&usg=NCTCbSL8hCAR&opi=0287772204399

eran@rethinkfirst.com

209.52.88.76

CurrentLocation: Houston, Texas, US
PreviousLocation: US
CurrentIPAddress: 172.56.51.22
PreviousIPAddress: 63.151.242.42
Mail delivered from avantsource?tech is a spam mail not containing any URL or attachments. Further, the mail was not accessed.

philip.kim@intertrend.com

SigninLogs
| union AADNonInteractiveUserSignInLogs
| where TimeGenerated >= ago(30d) // default 30d, modify as you see fit
| where UserPrincipalName contains "philip.kim@intertrend.com" // can replace UserPrincipalName with any other key you want to search
//| where ResultType in ("0", "50140", "50125") // for checking only the successful sign-ins
//| where not(ResultType in ("0", "50140", "50125")) // for checking only the unsuccessful sign-ins
| extend
SIL_deviceId = tostring(DeviceDetail_dynamic.deviceId),
SIL_displayName = tostring(DeviceDetail_dynamic.displayName),
SIL_os = tostring(DeviceDetail_dynamic.operatingSystem),
SIL_trust = tostring(DeviceDetail_dynamic.trustType),
AADN_deviceId = tostring(parse_json(DeviceDetail_string).deviceId),
AADN_displayName = tostring(parse_json(DeviceDetail_string).displayName),
AADN_os = tostring(parse_json(DeviceDetail_string).operatingSystem),
AADN_trust = tostring(parse_json(DeviceDetail_string).trustType),
SIL_city = tostring(LocationDetails_dynamic["city"]),
SIL_state = tostring(LocationDetails_dynamic["state"]),
SIL_country = tostring(LocationDetails_dynamic["countryOrRegion"]),
AADN_city = tostring(parse_json(LocationDetails_string).city),
AADN_state = tostring(parse_json(LocationDetails_string).state),
AADN_country = tostring(parse_json(LocationDetails_string).countryOrRegion),
FstAuthReq = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod),
FstAuthReqRsult = tostring(parse_json(AuthenticationDetails)[0].authenticationStepResultDetail),
FstAuthReqRsult_Succ = tostring(parse_json(AuthenticationDetails)[0].succeeded),
SndAuthReq = tostring(parse_json(AuthenticationDetails)[1].authenticationMethod),
SndAuthReqRsult = tostring(parse_json(AuthenticationDetails)[1].authenticationStepResultDetail),
SndAuthReqRsult_Succ = tostring(parse_json(AuthenticationDetails)[1].succeeded)
| project
Type,
TimeGenerated,
//UserPrincipalName, // uncomment if you're checking sign-ins by IP or some other key than UPN
ResultType, ResultDescription,
AuthenticationRequirement,
ResourceDisplayName,
AppDisplayName,
FstAuthReq,
FstAuthReqRsult,
FstAuthReqRsult_Succ,
SndAuthReq,
SndAuthReqRsult,
SndAuthReqRsult_Succ,
deviceId = coalesce(SIL_deviceId, AADN_deviceId),
displayName = coalesce(SIL_displayName, AADN_displayName),
os = coalesce(SIL_os, AADN_os),
trust = coalesce(SIL_trust, AADN_trust),
city = coalesce(SIL_city, AADN_city),
state = coalesce(SIL_state, AADN_state),
country = coalesce(SIL_country, AADN_country),
IPAddress,
UserAgent,
Category
| sort by TimeGenerated desc

EmailEvents
| where SenderFromAddress == "info@email.movistar.es" and TimeGenerated > ago(90d)
    and RecipientEmailAddress == "evelyn.campos@aludium.com"
| join kind=leftouter EmailUrlInfo on NetworkMessageId
| join kind=leftouter EmailAttachmentInfo on NetworkMessageId
| project SenderFromAddress, Subject, RecipientEmailAddress, DeliveryAction,
    NetworkMessageId, UrlCount, Url, AttachmentCount,
    FileName, SHA256, SenderDisplayName, SenderFromDomain, AuthenticationDetails, DeliveryLocation

SigninLogs
| search "9f9c4e16-5e25-4304-8ba4-12254f48ae69"
| where IPAddress contains "103.225.222.58"
| project TimeGenerated, LocationDetails["city"], LocationDetails["state"],
LocationDetails["countryOrRegion"], IPAddress, AppDisplayName,
DeviceDetail["browser"], ResultType, AuthenticationRequirement, DeviceDetail,
UserAgent, MfaDetail, UserPrincipalName, ResultDescription,
AuthenticationDetails,ConditionalAccessPolicies,ConditionalAccessStatus

https://portal.azure.com/#settings/directory
