This query will use the Sophos Central Email Maiflow connector (avail for Office 365) data to search for a specific URL in your users mail. This may be useful to see how many people saw a certain link or identify who may have interacted with it.
-- Define 'domainName' AS type 'string' /* If you want to see only a specific user, you can include an additional variable by adding another where clause: AND to LIKE '%$$userName$$%' Define 'userName AS type 'string' */ SELECT timestamp AS messageReceivedAt, to AS destInbox, cc, subject, resolved_url AS fullLink, client_ip AS senderIP, "from", envelope_sender AS envelopeSender, reply_to AS replyTo FROM xdr_xge_url_data WHERE domain LIKE '%$$domainName$$%'
All of the columns can be filtered further if you are hunting something more specific. This query will return additional context about the message compared to the canned query (Data Lake > Email > Find Emails with specific text within a URL).
Cheers!
-jk
