Add KQL query support:
###########################################################
# KQL report in PowerShell
###########################################################
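function Get-KQLResults {
    <#
    .SYNOPSIS
        Runs an Advanced Hunting (KQL) query via Microsoft Graph and returns the rows as objects.
    .DESCRIPTION
        Wraps Start-MgSecurityHuntingQuery. Every result row is emitted as a [PSCustomObject]
        whose properties are the union of all column names seen across the rows, in first-seen
        order (the first row's columns first, then any column that only appears in a later row).
        A row that lacks a column gets $null for it.

        The query text is sent to the service exactly as given. Callers that build it from
        external data (incident fields, message ids, user input) must escape or validate that
        data before interpolating it into the query string; otherwise it is a KQL injection point.

        Requires the Graph permission `ThreatHunting.Read.All`.
        https://github.com/Spicy-Toaster/PowerShell/blob/main/Get-KQLQuery.ps1
    .PARAMETER Query
        The KQL query text.
    .OUTPUTS
        [PSCustomObject] per result row; nothing when the query returns no rows.
    #>
    param (
        [string]$Query
    )

    $Result = Start-MgSecurityHuntingQuery -Query $Query
    $Rows = @($Result.Results)

    # Empty result set: return nothing instead of indexing [0] on an empty collection.
    if ($Rows.Count -eq 0) {
        return
    }

    # Column order: the first row's columns, then any column that only shows up in a
    # later row, each added once in first-seen order (this relies on the provider
    # returning AdditionalProperties in column order, as the original did).
    $AllKeys = [System.Collections.Generic.List[string]]::new()
    foreach ($Row in $Rows) {
        foreach ($Key in $Row.AdditionalProperties.Keys) {
            if (-not $AllKeys.Contains($Key)) {
                $AllKeys.Add($Key)
            }
        }
    }

    # [ordered] preserves the column order on the emitted objects; a plain @{} hashtable
    # would scramble it. Emitting straight to the pipeline avoids rebuilding an array
    # on every `+=`, which is O(n^2) for large result sets.
    foreach ($Row in $Rows) {
        $Obj = [ordered]@{}
        foreach ($Key in $AllKeys) {
            $Obj[$Key] = $Row.AdditionalProperties[$Key]
        }
        [PSCustomObject]$Obj
    }
}
and enrichment: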
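if ($swIncident.incTitle -eq 'Suspicious sequence of events possibly related to phishing or malware campaign.') {
    # ME_networkMessageId is interpolated into a KQL string literal below, so it is an
    # injection point if it ever carries a quote or backslash. Escape both the way KQL
    # expects (backslash-prefixed) and skip the lookup entirely when the value is empty,
    # which would otherwise run a pointless `NetworkMessageId == ''` query.
    # NOTE(review): the value is presumably a GUID - if that is confirmed, a strict
    # `-match '^[0-9A-Fa-f-]{36}$'` check would be the tighter guard.
    $messageId = [string]$swIncident.ME_networkMessageId
    if ([string]::IsNullOrWhiteSpace($messageId)) {
        Write-Warning 'Skipping EmailEvents lookup: ME_networkMessageId is empty.'
    }
    else {
        $escapedId = $messageId -replace '[\\'']', '\$0'
        $emails = Get-KQLResults -Query "EmailEvents | where NetworkMessageId == '$escapedId'"
        $swIncident.ME_emails = $emails | Select-Object EmailDirection, DeliveryAction, DeliveryLocation, ThreatTypes, SenderMailFromAddress, RecipientEmailAddress
        # Unique delivery verdicts for the outbound copies (i.e. the forwarded messages);
        # this may be a single string or several.
        $swIncident.ME_OutboundDeliveryAction = ($emails | Where-Object { $_.EmailDirection -eq 'Outbound' }).DeliveryAction | Select-Object -Unique
    }
}
add tagging: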
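if ($_.ME_OutboundDeliveryAction) {
    # ME_OutboundDeliveryAction holds the unique DeliveryAction values of the outbound
    # copies; it can be one string or several. Map each known verdict to a tag. An
    # unknown verdict adds no tag - the previous switch left the tag as '' and then
    # added an empty string to $newTags. With mixed verdicts (some forwards blocked,
    # some delivered) both tags are now applied instead of only the last one matched.
    # `$_` and `$newTags` come from the enclosing pipeline / script scope.
    foreach ($action in @($_.ME_OutboundDeliveryAction)) {
        $OutboundDeliveryActionTag = switch ($action) {
            'Blocked'   { 'ForwardFailed' }
            'Delivered' { 'ForwardedPhishing' }
            default     { $null }
        }
        if ($OutboundDeliveryActionTag -and -not $newTags.Contains($OutboundDeliveryActionTag)) {
            $null = $newTags.Add($OutboundDeliveryActionTag)
        }
    }
}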