KQL hunting email Queries

Look for a certain email

EmailEvents
| where SenderFromAddress contains "Boltinc8@gmail.com"
| project RecipientEmailAddress, Subject

Get email with lab in the name

EmailEvents
| where RecipientEmailAddress matches regex "^lab\\d{1,2}@.+$"
| project SenderFromAddress, RecipientEmailAddress

Get all emails that have a attachment with said name

EmailAttachmentInfo
| where FileName contains "INV9783.pdf"
| project RecipientEmailAddress, FileName, Timestamp, SenderDisplayName, SenderFromAddress

Get all emails from Gmail and count

EmailEvents
| where SenderFromAddress  contains "@gmail.com"
| summarize Count = count() by SenderFromAddress
| project SenderFromAddress, Count

Get all emails with Gmail

EmailEvents
| where SenderFromAddress contains "@gmail.com" 
| project SenderFromAddress, RecipientEmailAddress, Subject

Hunt emails except

EmailEvents
| where not(SenderFromAddress has_any("@yahoo.com", "@gmail.com", "@outlook.com", "@aol.com", "icloud.com"))
| summarize Count = count() by SenderFromAddress
| project SenderFromAddress, Count

Regex pattern matches any character that is not an ASCII character

EmailEvents
| where Subject matches regex @"[^\x00-\x7F]"
| project RecipientEmailAddress, Subject, EmailAction

Finding Chinese character

EmailEvents
| where Subject matches regex @"[\u4E00-\u9FFF]"
| project Timestamp, RecipientEmailAddress, Subject, SenderFromAddress

Finding Spanish character

EmailEvents
| where Subject matches regex @"[áéíóúüñÁÉÍÓÚÜÑ]"
| project Timestamp, RecipientEmailAddress, Subject, SenderFromAddress

All Languages that are not English

EmailEvents
| where isnull(EmailLanguage) or EmailLanguage != "en" // Include emails with no language specified or not in English
| order by EmailLanguage asc // Sort by language in ascending order
| project RecipientEmailAddress, Subject, SenderFromAddress, EmailLanguage

Finding attachments sent from Gmail

EmailAttachmentInfo
| where SenderFromAddress contains "gmail"
| project RecipientEmailAddress, SenderFromAddress, FileName

Finding attachments that are PDF sent from Gmail with a certain size

EmailAttachmentInfo
| where FileType has "pdf"
| where SenderFromAddress contains "gmail"
| where FileSize > 40000 and FileSize < 50000
| extend FileSizeKB = FileSize / 1024.0
| project RecipientEmailAddress, SenderFromAddress, FileName, FileSize, FileSizeKB

Attachments type count

EmailAttachmentInfo
| summarize Count = count() by FileType
| order by Count desc

Email contains in subject

EmailEvents
| where Subject contains "Direct Deposit"
| project SenderFromAddress, RecipientEmailAddress, Subject

Count Sender domain (sent-from)

EmailEvents
| where Timestamp > ago(24h)
| extend SenderDomain = tostring(split(SenderFromAddress, "@")[1])
| summarize count() by SenderDomain
| order by count_ desc

Count delivered-to domains (recipients)

EmailEvents
| where Timestamp > ago(24h)
| extend RecipientDomain = tostring(split(RecipientEmailAddress, "@")[1])
| summarize count() by RecipientDomain
| order by count_ desc

PreviousMicrosoft KQL NextKQL hunting with Azure and Log Analytics

Last updated 3 months ago

hashtagLook for a certain email

hashtagGet email with lab in the name

hashtagGet all emails from Gmail and count

hashtagGet all emails with Gmail

hashtagHunt emails except

hashtagRegex pattern matches any character that is not an ASCII character

hashtagFinding Chinese character

hashtagFinding Spanish character

hashtagFinding attachments sent from Gmail

hashtagFinding attachments that are PDF sent from Gmail with a certain size

hashtagEmail contains in subject

hashtagCount Sender domain (sent-from)

hashtagCount delivered-to domains (recipients)

Look for a certain email

Get email with lab in the name

Get all emails from Gmail and count

Get all emails with Gmail

Hunt emails except

Regex pattern matches any character that is not an ASCII character

Finding Chinese character

Finding Spanish character

Finding attachments sent from Gmail

Finding attachments that are PDF sent from Gmail with a certain size

Email contains in subject

Count Sender domain (sent-from)

Count delivered-to domains (recipients)