KQL hunting email Queries

Look for a certain email

EmailEvents
| where SenderFromAddress contains "Boltinc8@gmail.com"
| project RecipientEmailAddress, Subject

Get email with lab in the name

EmailEvents
| where RecipientEmailAddress matches regex "^lab\\d{1,2}@.+$"
| project SenderFromAddress, RecipientEmailAddress

Get all emails that have a attachment with said name

EmailAttachmentInfo
| where FileName contains "INV9783.pdf"
| project RecipientEmailAddress, FileName, Timestamp, SenderDisplayName, SenderFromAddress

Get all emails from Gmail and count

EmailEvents
| where SenderFromAddress  contains "@gmail.com"
| summarize Count = count() by SenderFromAddress
| project SenderFromAddress, Count

Get all emails with Gmail

EmailEvents
| where SenderFromAddress contains "@gmail.com" 
| project SenderFromAddress, RecipientEmailAddress, Subject

Hunt emails except

EmailEvents
| where not(SenderFromAddress has_any("@yahoo.com", "@gmail.com", "@outlook.com", "@aol.com", "icloud.com"))
| summarize Count = count() by SenderFromAddress
| project SenderFromAddress, Count

Regex pattern matches any character that is not an ASCII character

EmailEvents
| where Subject matches regex @"[^\x00-\x7F]"
| project RecipientEmailAddress, Subject, EmailAction

Finding Chinese character 

EmailEvents
| where Subject matches regex @"[\u4E00-\u9FFF]"
| project Timestamp, RecipientEmailAddress, Subject, SenderFromAddress

Finding Spanish character 

EmailEvents
| where Subject matches regex @"[áéíóúüñÁÉÍÓÚÜÑ]"
| project Timestamp, RecipientEmailAddress, Subject, SenderFromAddress

All Languages that are not English 

EmailEvents
| where isnull(EmailLanguage) or EmailLanguage != "en" // Include emails with no language specified or not in English
| order by EmailLanguage asc // Sort by language in ascending order
| project RecipientEmailAddress, Subject, SenderFromAddress, EmailLanguage

Finding attachments sent from Gmail

EmailAttachmentInfo
| where SenderFromAddress contains "gmail"
| project RecipientEmailAddress, SenderFromAddress, FileName

Finding attachments that are PDF sent from Gmail with a certain size

EmailAttachmentInfo
| where FileType has "pdf"
| where SenderFromAddress contains "gmail"
| where FileSize > 40000 and FileSize < 50000
| extend FileSizeKB = FileSize / 1024.0
| project RecipientEmailAddress, SenderFromAddress, FileName, FileSize, FileSizeKB

Attachments type count

EmailAttachmentInfo
| summarize Count = count() by FileType
| order by Count desc

Email contains in subject

EmailEvents
| where Subject contains "Direct Deposit"
| project SenderFromAddress, RecipientEmailAddress, Subject
PreviousMicrosoft KQLNextKQL Identity-based Attacks

Last updated