Visualize Phishing Detection Reasons
Visualization Email Phish Detection Reasons
Query
EmailPostDeliveryEvents
| where ThreatTypes == "Phish"
| extend DetectionMethod = tostring(extract(@'Phish":\["(.*?)"]', 1, DetectionMethods))
| summarize TotalEvents = count() by DetectionMethod
| render piechart with(title="Phishing Detection Reason Overview")About this query
Visualize Phishing Detection Reasons
Query Information
Description
This query visualizes the phishing detection reasons in a piechart. This is based on the EmailPostDeliveryEvents table. This table in the advanced hunting schema contains information about post-delivery actions taken on email messages processed by Microsoft 365. Based on this information the differnt detection reasons are visualized.
References
Defender XDR
Sentinel
EmailPostDeliveryEvents
| where ThreatTypes == "Phish"
| extend DetectionMethod = tostring(extract(@'Phish":\["(.*?)"]', 1, DetectionMethods))
| summarize TotalEvents = count() by DetectionMethod
| render piechart with(title="Phishing Detection Reason Overview")
Explanation
This query is designed to create a pie chart that visualizes the reasons why emails were detected as phishing threats. It uses data from the EmailPostDeliveryEvents table, which logs actions taken on emails after they have been delivered in Microsoft 365. The query specifically looks for events where the threat type is "Phish." It extracts the detection method used to identify the phishing threat from the DetectionMethods field. The query then counts the number of events for each detection method and displays this information in a pie chart titled "Phishing Detection Reason Overview." This visualization helps in understanding the distribution of different detection methods used for identifying phishing emails.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators