| title | description | search.appverid | ms.service | ms.subservice | f1.keywords | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.custom | ms.topic | ms.date | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
EmailAttachmentInfo table in the advanced hunting schema |
Learn about email attachment information in the EmailAttachmentInfo table of the advanced hunting schema |
met150 |
defender-xdr |
adv-hunting |
|
maccruz |
schmurky |
medium |
dansimp |
ITPro |
|
|
reference |
12/29/2023 |
[!INCLUDE Microsoft Defender XDR rebranding]
Applies to:
- Microsoft Defender XDR
The EmailAttachmentInfo table in the advanced hunting schema contains information about attachments on emails processed by Microsoft Defender for Office 365. Use this reference to construct queries that return information from this table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Important
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
| Column name | Data type | Description |
|---|---|---|
Timestamp |
datetime |
Date and time when the event was recorded |
NetworkMessageId |
string |
Unique identifier for the email, generated by Microsoft 365 |
SenderFromAddress |
string |
Sender email address in the FROM header, which is visible to email recipients on their email clients |
SenderDisplayName |
string |
Name of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname |
SenderObjectId |
string |
Unique identifier for the sender's account in Microsoft Entra ID |
RecipientEmailAddress |
string |
Email address of the recipient, or email address of the recipient after distribution list expansion |
RecipientObjectId |
string |
Unique identifier for the email recipient in Microsoft Entra ID |
FileName |
string |
Name of the file that the recorded action was applied to |
FileType |
string |
File extension type |
SHA256 |
string |
SHA-256 of the file that the recorded action was applied to. This field is usually not populated — use the SHA1 column when available. |
FileSize |
long |
Size of the file in bytes |
ThreatTypes |
string |
Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
ThreatNames |
string |
Detection name for malware or other threats found |
DetectionMethods |
string |
Methods used to detect malware, phishing, or other threats found in the email |
ReportId |
string |
Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |