David Williams Technical


Endpoint Management & Deployment – MDM Management – Scripting – Cyber Security Engineering – Application Configuration & Deployment

Microsoft XDR Hunting Query – Email Threats

This KQL script gives a graphical view of email threats in your environment. It filters EmailEvents to messages whose EmailAction is "Send to quarantine" and whose ThreatTypes include Malware, Phish or Quarantine, counts those messages per hour, and renders the result as a timechart with a fixed threshold line (set by the Threshold variable) so spikes stand out. Use the time range picker in Advanced Hunting to adjust the timespan the chart covers.

// Horizontal reference line drawn on the chart; tune it to your tenant's normal volume
let Threshold = 50;
EmailEvents
// Only messages that Defender for Office 365 sent to quarantine
| where EmailAction == "Send to quarantine"
// Only the threat verdicts we care about (ThreatTypes is a comma-separated string)
| where ThreatTypes has "Malware" or ThreatTypes has "Phish" or ThreatTypes has "Quarantine"
// One data point per hour
| summarize Count=count() by bin(Timestamp, 1h)
// Add the constant as a column so it renders as a second, flat series
| extend Threshold = Threshold
| render timechart
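The chart above tells you when the volume crossed the threshold but not what was behind the spike. The following query is an added example (not part of the original post) that applies the same filters and threshold but returns only the hours above it, with the distinct recipient count and the senders and threat names involved, using the standard EmailEvents columns SenderFromAddress, RecipientEmailAddress and ThreatNames:

```kql
// Added example: list the hours whose quarantined-threat count exceeds Threshold,
// with context for triage instead of a chart.
let Threshold = 50;
EmailEvents
| where EmailAction == "Send to quarantine"
| where ThreatTypes has "Malware" or ThreatTypes has "Phish" or ThreatTypes has "Quarantine"
| extend Hour = bin(Timestamp, 1h)
| summarize Count = count(),
            Recipients = dcount(RecipientEmailAddress),   // how many mailboxes were targeted
            Senders = make_set(SenderFromAddress, 10),    // up to 10 distinct sending addresses
            Threats = make_set(ThreatNames, 10)           // up to 10 distinct detection names
    by Hour
| where Count > Threshold
| order by Hour desc
```

A single sender address with many recipients in one hour usually points at one campaign, while many senders and few recipients is more typical of a targeted mailbox.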