Last December Microsoft introduced Microsoft Threat Protection (MTP), including advanced hunting, which lets us run queries across multiple data sources, i.e. Microsoft Defender ATP and Office 365 ATP. If you haven't heard about MTP yet, I recommend reading Christian Müller's blog post Microsoft Threat Protection – unified hunting.
Now, while the primary purpose of the unified hunting capability is to find information about indicators and entities, we can also use it to get an overview of what's going on inside the systems that feed information into MTP, i.e. Office 365. So I created a few simple queries that summarize various attributes from the EmailEvents table.
Queries (the original post showed a screenshot of the sample output next to each query; those screenshots are not reproduced here):

EmailEvents | summarize count() by FinalEmailActionPolicy
EmailEvents | summarize count() by DeliveryAction
EmailEvents | summarize count() by DeliveryLocation
EmailEvents | summarize count() by EmailDirection
EmailEvents | summarize count() by FinalEmailAction
EmailEvents | summarize count() by tostring(MalwareDetectionMethod)
EmailEvents | summarize count() by tostring(PhishDetectionMethod)
EmailEvents | summarize count() by MalwareFilterVerdict
EmailEvents | summarize count() by PhishFilterVerdict
Now that we know about the possible values the system returns (note that there might be more values), we can start drilling into the details. Let’s assume I want to know more about the e-mails where ATP Safe Links URL Detonation kicked in.
EmailEvents
// PhishDetectionMethod is a dynamic (JSON array) column, so compare its string form,
// as the summarize queries above already do with tostring()
| where tostring(PhishDetectionMethod) == @"[""ATP Safe Links URL Detonation""]"
| project NetworkMessageId, DeliveryAction, DeliveryLocation
// Pull in the URLs that belong to the same message
| join (
    EmailUrlInfo
    | project Url, NetworkMessageId
  ) on NetworkMessageId
| project Url, DeliveryAction, DeliveryLocation
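As an added example (not a query from the original post), the same drill-down can be written so that it also catches emails flagged by several detection methods at once, and then summarised per URL so you can see which detonated URLs still reached a mailbox. It assumes, as the tostring() casts and the JSON-array literal above suggest, that PhishDetectionMethod is a dynamic array.

```kql
// Added example, not part of the original post.
// Assumes PhishDetectionMethod is a dynamic array of detection-method names.
EmailEvents
| where isnotempty(PhishDetectionMethod)
// Expand the array so an email with several detection methods still matches
| mv-expand PhishDetectionMethod to typeof(string)
| where PhishDetectionMethod == "ATP Safe Links URL Detonation"
| project NetworkMessageId, DeliveryAction, DeliveryLocation
// kind=inner keeps every URL row of a message, not just the first match
| join kind=inner (
    EmailUrlInfo
    | project NetworkMessageId, Url
  ) on NetworkMessageId
// One row per URL: how many messages carried it and where those messages ended up
| summarize Emails = dcount(NetworkMessageId),
            Actions = make_set(DeliveryAction),
            Locations = make_set(DeliveryLocation) by Url
| order by Emails desc
```

Rows whose Locations set contains an inbox location are the ones worth reviewing first, since the detonation verdict did not prevent delivery.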
Hope you enjoyed reading this blog post. As always, any comments are welcome.
Alex