This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 30%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERL%3C/text%3E%3C/svg%3E)
We see that 90% of the SPAM geared toward students comes from fake Gmail accounts. In Advanced Hunting I created a KQL query to find any Gmail account that sent more than 40 emails from the same account I saved it as a Custom Detection Rule. EmailEvents
| where ingestion_time() > ago(3h)
| where SenderFromDomain == "gmail.com"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), EmailCount = count() by SenderFromAddress, DeliveryLocation ,Subject
| where EmailCount >= 40
| sort by EmailCount
This is working great and after a month of testing/running, I wanted to change this so it would trigger the rule to automatically soft delete the emails found. I added the necessary tables (NetworkMessageId, RecipientEmailAddress), which caused the query to fail.
Below is the updated query: EmailEvents
| where ingestion_time() > ago(3h)
| where SenderFromDomain == "gmail.com"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), EmailCount = count() by SenderFromAddress, DeliveryLocation ,Subject, NetworkMessageId, RecipientEmailAddress
| where EmailCount >= 40
| sort by EmailCount
What am I doing wrong?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@Runge, Larry Thank you for reaching out to us, could you help us with the error details/with screenshot while executing the above query?
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Both queries work in my lab. I am using union Email* since I was unsure of the target table. Try this.
union Email*
| where ingestion_time() > ago(3h)
| where SenderFromDomain contains "gmail"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), EmailCount = count() by SenderFromAddress, DeliveryLocation ,Subject, NetworkMessageId, RecipientEmailAddress
| where EmailCount >= 40
| sort by EmailCount
I believe the "union Email*" was the piece I missing.
Thank you!