
Top 100 senders

Language: KQL · Severity: MEDIUM · Source: Azure-Sentinel
Technique: T1566
Table: EmailEvents
Tags: hunting, microsoft, official
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Azure-Sentinel →
Retrieved: 2026-05-11T11:00:00Z · Confidence: medium

Hunt Hypothesis

This query helps review the top 100 senders in your organization over the last 30 days, ranked by the number of messages seen from each SenderMailFromAddress in the EmailEvents table.

KQL Query

EmailEvents 
| where Timestamp > ago(30d)
| summarize mailCountBySender = count() by SenderMailFromAddress 
| top 100 by mailCountBySender

Analytic Rule Definition

id: cadf6e78-2a9a-4fb5-b788-30a592d699d3
name: Top 100 senders
description: |
  This query helps reviewing top 100 senders in your organization in last 30 days
description-detailed: |
  This query helps reviewing top 100 senders in your organization in last 30 days using Defender for Office 365 data
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents 
  | where Timestamp > ago(30d)
  | summarize mailCountBySender = count() by SenderMailFromAddress 
  | top 100 by mailCountBySender
version: 1.0.0

Required Data Sources

Sentinel Table: EmailEvents
Notes: Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: Initial Access · Technique: T1566 (Phishing)
References

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Mailflow/Top 100 senders.yaml