kqlHunting

EmailEvents - Sender TLD count

Detection Query

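EmailEvents
// Normalize SenderFromDomain to a bare host name: strip any URL scheme, path, port or query string
| extend FQDN = trim_end("(:|\\?).*", tostring(split(trim_start('http(.|)://', SenderFromDomain), "/")[0]))
//| project-reorder FQDN, UrlDomain
| where FQDN contains "."  // exclude singular hostnames used in local name resolution
| where DeliveryAction == "Delivered"
// The TLD is the last dot-separated label of the host name
| extend TLD = tostring(split(FQDN, ".")[-1])
// Count delivered messages per sender TLD and mail direction
| summarize count() by TLD, EmailDirection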

Data Sources

EmailEvents

Platforms

office-365

Tags

office-365