Query Details

MDO Hunting - Exposure Window - Delivery to Remediation

MDO 11 Exposure Window Delivery To Remediation

Query

let Delivered =
    EmailEvents
    | where Timestamp > ago(14d) and ThreatTypes != ""
    | project NetworkMessageId, DeliveredTime = Timestamp, RecipientEmailAddress,
              Subject, ThreatTypes;
EmailPostDeliveryEvents
| where Timestamp > ago(14d)
| join kind=inner Delivered on NetworkMessageId
| extend ExposureMinutes = datetime_diff('minute', Timestamp, DeliveredTime)
| where ExposureMinutes >= 0
| project DeliveredTime, RemediatedTime = Timestamp, ExposureMinutes,
          RecipientEmailAddress, Subject, ThreatTypes, Action, ActionResult
| sort by ExposureMinutes desc

Explanation

This query is designed to measure the effectiveness of Microsoft Defender for Office (MDO) and the Security Operations Center (SOC) by calculating how long a malicious email remains in a mailbox before it is removed. Here's a simplified breakdown:

  1. Purpose: The query aims to determine the "dwell time" of malicious emails, which is the time between when an email is delivered and when it is remediated (removed). This is a key performance indicator (KPI) for assessing the effectiveness of email threat detection and response.

  2. Data Sources: It uses data from Microsoft Threat Protection, specifically focusing on EmailEvents and EmailPostDeliveryEvents.

  3. Process:

    • It first identifies emails delivered in the last 14 days that have been flagged with any threat types.
    • It then matches these emails with post-delivery events to find out when they were remediated.
    • The query calculates the exposure time in minutes for each email, which is the difference between the delivery time and the remediation time.
    • Only emails with a non-negative exposure time are considered, ensuring that only emails that were actually remediated after delivery are included.
    • The results are sorted by exposure time in descending order, highlighting emails that took the longest to remediate.
  4. Outcome: The output provides a list of emails with details such as delivery time, remediation time, exposure time, recipient, subject, threat types, and actions taken. This information can be used to identify areas for improvement in threat detection and response processes.

Details

David Alonso profile picture

David Alonso

Released: July 17, 2026

Tables

EmailEventsEmailPostDeliveryEvents

Keywords

MicrosoftThreatProtectionEmailEventsEmailPostDeliveryEventsNetworkMessageIdDeliveredTimeTimestampRecipientEmailAddressSubjectThreatTypesExposureMinutesActionActionResult

Operators

let|where>and!=projectjoinkind=inneronextenddatetime_diff>=sort bydesc

Tactics

InitialAccess

MITRE Techniques

Actions

GitHub