From f196c4249b10e14cb8eaca4246168d9bb23ca930 Mon Sep 17 00:00:00 2001
From: Rayen Messaoudi <20291421+rayenmessaoudi@users.noreply.github.com>
Date: Wed, 11 Dec 2024 14:43:01 +0100
Subject: [PATCH] Update Enhanced Cloudflare Phishing Email Detections.kql add r2.dev cloudflare domain
---
 DefenderXDR/Enhanced Cloudflare Phishing Email Detections.kql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/DefenderXDR/Enhanced Cloudflare Phishing Email Detections.kql b/DefenderXDR/Enhanced Cloudflare Phishing Email Detections.kql
index cff6739..f6ee1c2 100644
--- a/DefenderXDR/Enhanced Cloudflare Phishing Email Detections.kql
+++ b/DefenderXDR/Enhanced Cloudflare Phishing Email Detections.kql
@@ -12,7 +12,7 @@ let MaliciousDomainTable=externaldata(RawData:string)
 | parse RawData with MaliciousDomain:string;
 EmailUrlInfo
 | where Timestamp > ago(1h)
-| where UrlDomain endswith ".pages.dev" or UrlDomain endswith ".workers.dev"
+| where UrlDomain endswith ".pages.dev" or UrlDomain endswith ".workers.dev" or UrlDomain endswith ".r2.dev"
 | join EmailEvents on NetworkMessageId
 | where EmailDirection == "Inbound"
 | where DeliveryAction != "Blocked"
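Review bot: The `.r2.dev` suffix joins an inline `or` chain on the `where UrlDomain endswith ...` line with nothing recording why each Cloudflare zone is in scope, so the next addition will be just as hard to review. A one-line comment above the filter would fix that, e.g. `// Cloudflare-hosted user content: Pages (.pages.dev), Workers (.workers.dev), R2 public buckets (.r2.dev)`. R2 public buckets also serve ordinary file downloads, so this suffix probably widens the match set more than the other two. Whether the rest of the query narrows it against MaliciousDomainTable is not visible in this hunk, so it is worth running the rule over a longer lookback to check alert volume before relying on it.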