Merge pull request #236 from pawp81/patch-5

tali-ash · web-flow · commit 6b5b4d90fdc0 · 2020-09-30T17:02:03.000+03:00
Create WhenZAPed.md
diff --git a/Initial access/WhenZAPed.md b/Initial access/WhenZAPed.md
@@ -0,0 +1,51 @@
+
+# When email was ZAPed.
+
+This query allows to verify when email matching your search condition (by default based on presence of the URL) were ZAPed and compare it with original delivery time.
+
+## Query
+
+```
+let URL=""; // Put your URL here
+EmailUrlInfo
+| where Url matches regex URL 
+| join (EmailEvents | where DeliveryAction == "Delivered" and EmailDirection == "Inbound") on NetworkMessageId
+| project Timestamp, NetworkMessageId, Url, SenderFromAddress, SenderIPv4, RecipientEmailAddress, Subject,DeliveryAction, DeliveryLocation
+| join (EmailPostDeliveryEvents | where ActionType has "ZAP") on NetworkMessageId,RecipientEmailAddress 
+| extend DeliveryTime=(Timestamp)
+| extend ZAPTime=(Timestamp1)
+| project DeliveryTime, ZAPTime, NetworkMessageId, SenderFromAddress, SenderIPv4,RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation
+| sort by DeliveryTime  asc
+```
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|------------------------|----------|-------|
+| Initial access | x |  |
+| Execution |  |  |
+| Persistence |  |  | 
+| Privilege escalation |  |  |
+| Defense evasion |  |  | 
+| Credential Access |  |  | 
+| Discovery |  |  | 
+| Lateral movement |  |  | 
+| Collection |  |  | 
+| Command and control |  |  | 
+| Exfiltration |  |  | 
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+
+## Contributor info
+
+**Contributor:** Pawel Partyka
+
+**GitHub alias:** pawp81
+
+**Organization:** Microsoft
+
+**Contact info:** @pawp81
