Queries for the EmailEvents table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Phishing emails from the top 10 sender domains

Get the number of phishing emails from the top ten sender domains.

EmailEvents
| where ThreatTypes has "Phish"
| summarize Count = count() by SenderFromDomain
| top 10 by Count

Emails with malware

List emails in which malware was detected, limited to 500 results.

EmailEvents
| where ThreatTypes has "Malware"
| limit 500