Introducing Exchange Online Tenant Outbound Email Limits | Microsoft Community Hub
KQL to Calculate Tenant External Recipient Rate Limit
Practice Verified Codes and Commands:
1. KQL Query to Calculate TERRL:
The KQL query below calculates the Tenant External Recipient Rate Limit (TERRL) figure for each day of the past 30 days, newest day first:

```kusto
// Look-back window: the last 30 days
let startTime = ago(30d);
let endTime = now();
EmailEvents
| where Timestamp between (startTime .. endTime)
| where EmailDirection == "Outbound"
| where RecipientEmailAddress contains "@"
// Per day: outbound message rows and distinct recipient addresses
| summarize TotalEmails = count(), UniqueRecipients = dcount(RecipientEmailAddress) by bin(Timestamp, 1d)
// The TERRL column is TotalEmails divided by UniqueRecipients for that day
| extend TERRL = toreal(TotalEmails) / toreal(UniqueRecipients)
| order by Timestamp desc
```
2. PowerShell Command to Check MDO Subscription:
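Confirm that your tenant has a Microsoft Defender for Office 365 (MDO) subscription:

```powershell
# STANDARDPACK is Office 365 E1; the standalone MDO SKUs are ATP_ENTERPRISE (Plan 1) and THREAT_INTELLIGENCE (Plan 2)
Get-MsolSubscription | Where-Object { $_.SkuPartNumber -in @("ATP_ENTERPRISE", "THREAT_INTELLIGENCE") }
```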
3. Linux Command to Monitor Outbound Email Traffic:
Use `tcpdump` to monitor outbound email traffic on a Linux server:
```bash
sudo tcpdump -i eth0 -n -c 100 port 25
```
4. Windows Command to Check Email Queue:
Check the email queue on an Exchange server using PowerShell:
```powershell
Get-Queue
```
5. Bash Script to Analyze Email Logs:
Analyze email logs for outbound email patterns:
```bash
grep "Outbound" /var/log/mail.log | awk '{print $1, $2, $5}' | sort | uniq -c | sort -nr
```
What Undercode Say:
The Tenant External Recipient Rate Limit (TERRL) is a critical metric for organizations using Microsoft 365 to monitor and manage outbound email traffic. By leveraging KQL queries, administrators can gain insights into email patterns and ensure compliance with TERRL thresholds. The provided KQL query calculates TERRL over the past 30 days, offering a clear view of outbound email activity. Additionally, PowerShell commands like `Get-MsolSubscription` help verify MDO subscription status, while Linux commands such as `tcpdump` and `grep` enable real-time monitoring and log analysis of email traffic. On Windows, the `Get-Queue` command provides visibility into the email queue, ensuring smooth email delivery. These tools and commands are essential for maintaining email security and performance in enterprise environments. For further reading, refer to the Microsoft Community Hub and the KQL GitHub repository.
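The following is an added example, not code from the original post or from Microsoft: it contrasts the calendar-day bins used by the query above with a 24-hour sliding window over exported `EmailEvents` rows. It assumes the quota formula and the sliding window from Microsoft's TERRL announcement (500 × licenses^0.7 + 9,900 external recipients per 24 hours) and that each row counts as one recipient; the function names, domains and sample rows are constructed.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Assumption: quota formula from Microsoft's TERRL announcement, not from this page.
def terrl_quota(purchased_licenses):
    return 500 * purchased_licenses ** 0.7 + 9900

def external_times(events, accepted_domains):
    """Sorted timestamps of rows whose recipient domain is not one of ours."""
    return sorted(ts for ts, rcpt in events
                  if rcpt.rpartition("@")[2].lower() not in accepted_domains)

def daily_counts(events, accepted_domains):
    """Calendar-day bins, like bin(Timestamp, 1d) in the query above."""
    return Counter(ts.date() for ts in external_times(events, accepted_domains))

def peak_rolling_24h(events, accepted_domains, window=timedelta(hours=24)):
    """Largest number of external recipients inside any 24-hour sliding window."""
    win, peak, peak_at = deque(), 0, None
    for ts in external_times(events, accepted_domains):
        win.append(ts)
        while win[0] <= ts - window:   # drop rows that fell out of the window
            win.popleft()
        if len(win) > peak:
            peak, peak_at = len(win), ts
    return peak, peak_at

# Constructed sample: (Timestamp, RecipientEmailAddress), one row per outbound recipient.
OURS = {"contoso.example"}             # hypothetical accepted domain
SAMPLE = [
    (datetime(2025, 3, 1, 21, 0), "a@partner.example"),
    (datetime(2025, 3, 1, 22, 30), "b@partner.example"),
    (datetime(2025, 3, 1, 23, 50), "c@vendor.example"),
    (datetime(2025, 3, 1, 23, 55), "hr@contoso.example"),   # internal, ignored
    (datetime(2025, 3, 2, 0, 10), "d@vendor.example"),
    (datetime(2025, 3, 2, 2, 0), "e@Vendor.Example"),
    (datetime(2025, 3, 2, 23, 0), "f@partner.example"),
]

if __name__ == "__main__":
    peak, at = peak_rolling_24h(SAMPLE, OURS)
    print("busiest calendar day:", max(daily_counts(SAMPLE, OURS).values()))
    print("peak 24h window:", peak, "ending", at)
    print("quota for 1 license:", terrl_quota(1))
```

On the sample, a burst that straddles midnight shows three external recipients on each calendar day but five inside one 24-hour window, which is why daily bins can understate how close a tenant is to the limit.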


