Splunk query for viewing 0365 management activity ...

kojodei789 · ‎01-25-2021

Goodmorning guys much help needed. I have been receiving a lot of phishing attempts to recipients emails. I am looking for the best query that can allow me to see if these emails were filtered as spam or quarantined. Thanks

I have been using query but it doesn't give me if the sender's email is filtered as spam or quarantined Sometimes it does not even work.

sourcetype=0365:management:activity"sender.email@xx.com" AND "recepient.email@hhs.gov"| table sourcetype_time P2Sender recipients{} subject| sort Recepients{}| dedup Recipients {}

kojodei789 · ‎01-26-2021

sourcetype=0365:management:activity"sender.email@xx.com" AND "password expire"| table sourcetype_time P2Sender recipients{} Subject DetectionMethod Verdict| sort Recepients{}| dedup Recipients {}

The password expired is the subject line

Thanks for the reply. So the query above is what I normally use to see the categorization of the email if it is a phishing email or not but I was wondering if there is a query that lets you know if spam filtered

ITWhisperer · ‎01-26-2021

Can you share some examples of the events demonstrating whether the email was quarantined or filtered as spam?

Splunk query for viewing 0365 management activity by the sender of malicious account to recipients

search job inspector

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms