---
title: EmailEvents table in the advanced hunting schema
description: Learn about events associated with Microsoft 365 emails in the EmailEvents table of the advanced hunting schema
search.appverid: met150
ms.service: defender-xdr
ms.subservice: adv-hunting
f1.keywords:
ms.author: maccruz
author: schmurky
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
ms.custom:
ms.topic: reference
ms.date: 01/16/2024
---
Applies to:
- Microsoft Defender XDR
The EmailEvents table in the advanced hunting schema contains information about events involving the processing of emails on Microsoft Defender for Office 365. Use this reference to construct queries that return information from this table.
Tip

For detailed information about the event types (ActionType values) supported by a table, use the built-in schema reference available in Microsoft Defender XDR.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Important
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Column name | Data type | Description |
---|---|---|
Timestamp | datetime | Date and time when the event was recorded |
NetworkMessageId | string | Unique identifier for the email, generated by Microsoft 365 |
InternetMessageId | string | Public-facing identifier for the email that is set by the sending email system |
SenderMailFromAddress | string | Sender email address in the MAIL FROM header, also known as the envelope sender or the Return-Path address |
SenderFromAddress | string | Sender email address in the FROM header, which is visible to email recipients on their email clients |
SenderDisplayName | string | Name of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname |
SenderObjectId | string | Unique identifier for the sender's account in Microsoft Entra ID |
SenderMailFromDomain | string | Sender domain in the MAIL FROM header, also known as the envelope sender or the Return-Path address |
SenderFromDomain | string | Sender domain in the FROM header, which is visible to email recipients on their email clients |
SenderIPv4 | string | IPv4 address of the last detected mail server that relayed the message |
SenderIPv6 | string | IPv6 address of the last detected mail server that relayed the message |
RecipientEmailAddress | string | Email address of the recipient, or email address of the recipient after distribution list expansion |
RecipientObjectId | string | Unique identifier for the email recipient in Microsoft Entra ID |
Subject | string | Subject of the email |
EmailClusterId | long | Identifier for the group of similar emails clustered based on heuristic analysis of their contents |
EmailDirection | string | Direction of the email relative to your network: Inbound, Outbound, Intra-org |
DeliveryAction | string | Delivery action of the email: Delivered, Junked, Blocked, or Replaced |
DeliveryLocation | string | Location where the email was delivered: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items |
ThreatTypes | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
ThreatNames | string | Detection name for malware or other threats found |
DetectionMethods | string | Methods used to detect malware, phishing, or other threats found in the email |
ConfidenceLevel | string | List of confidence levels of any spam or phishing verdicts. For spam, this column shows the spam confidence level (SCL), indicating whether the email was skipped (-1), found to be not spam (0, 1), found to be spam with moderate confidence (5, 6), or found to be spam with high confidence (9). For phishing, this column displays whether the confidence level is "High" or "Low". |
BulkComplaintLevel | int | Threshold assigned to email from bulk mailers; a high bulk complaint level (BCL) means the email is more likely to generate complaints, and thus more likely to be spam |
EmailAction | string | Final action taken on the email based on filter verdict, policies, and user actions: Move message to junk mail folder, Add X-header, Modify subject, Redirect message, Delete message, Send to quarantine, No action taken, Bcc message |
EmailActionPolicy | string | Action policy that took effect: Antispam high-confidence, Antispam, Antispam bulk mail, Antispam phishing, Anti-phishing domain impersonation, Anti-phishing user impersonation, Anti-phishing spoof, Anti-phishing graph impersonation, Antimalware, Safe Attachments, Enterprise Transport Rules (ETR) |
EmailActionPolicyGuid | string | Unique identifier for the policy that determined the final mail action |
AuthenticationDetails | string | List of pass or fail verdicts by email authentication protocols like DMARC, DKIM, SPF, or a combination of multiple authentication types (CompAuth) |
AttachmentCount | int | Number of attachments in the email |
UrlCount | int | Number of embedded URLs in the email |
EmailLanguage | string | Detected language of the email content |
Connectors | string | Custom instructions that define organizational mail flow and how the email was routed |
OrgLevelAction | string | Action taken on the email in response to matches to a policy defined at the organizational level |
OrgLevelPolicy | string | Organizational policy that triggered the action taken on the email |
UserLevelAction | string | Action taken on the email in response to matches to a mailbox policy defined by the recipient |
UserLevelPolicy | string | End-user mailbox policy that triggered the action taken on the email |
ReportId | string | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
AdditionalFields | string | Additional information about the entity or event |
LatestDeliveryLocation * | string | Last known location of the email |
LatestDeliveryAction * | string | Last known action attempted on an email by the service or by an admin through manual remediation |
Note

\* The LatestDeliveryLocation and LatestDeliveryAction columns are not available in the Streaming API.
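The following advanced hunting query is an added example of how the columns above combine in practice; it is not part of the reference page or Microsoft's documentation. It looks for inbound mail that was delivered to a user-facing folder even though the filtering stack recorded a threat verdict, or the sender's visible FROM domain differs from the envelope MAIL FROM domain, and then uses LatestDeliveryLocation to drop items an admin or the service has already moved. The JSON shape of AuthenticationDetails (an object with a "DMARC" key whose value is a lowercase "pass" or "fail") is an assumption of this example; the page only describes the column as a list of pass or fail verdicts.

```kusto
// Added example query, not from the EmailEvents reference page.
// Surfaces delivered inbound mail that still carries a threat verdict,
// failed DMARC, or shows a FROM / MAIL FROM domain mismatch.
let lookback = 7d;
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered" and DeliveryLocation == "Inbox/Folder"
// Assumption: AuthenticationDetails is a JSON object such as
// {"SPF":"pass","DKIM":"pass","DMARC":"fail","CompAuth":"fail"}.
| extend Auth = parse_json(AuthenticationDetails)
| extend DmarcVerdict = tolower(tostring(Auth.DMARC))
// A mismatch between the header FROM domain and the envelope sender
// domain is a common signal worth reviewing alongside the verdicts.
| extend DomainMismatch = SenderFromDomain != SenderMailFromDomain
| where isnotempty(ThreatTypes) or DmarcVerdict == "fail" or DomainMismatch
// Exclude messages a later remediation already moved out of the folder;
// LatestDeliveryLocation is empty when no later action has been recorded.
| where isempty(LatestDeliveryLocation) or LatestDeliveryLocation == "Inbox/Folder"
| summarize
    Recipients = dcount(RecipientEmailAddress),
    Messages = dcount(NetworkMessageId),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Threats = make_set(ThreatTypes, 10),
    Detections = make_set(DetectionMethods, 10),
    DmarcVerdicts = make_set(DmarcVerdict, 5),
    Mismatched = countif(DomainMismatch)
  by SenderFromDomain, SenderMailFromDomain, SenderIPv4, Subject
| order by Recipients desc, Messages desc
```

Pivot on NetworkMessageId from the results to retrieve the per-recipient rows for a message, and keep in mind that LatestDeliveryLocation is absent from the Streaming API, so a copy of this query run over exported data must rely on DeliveryLocation alone.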