EmailEvents
Office 365 email events, including email delivery and blocking events.
Categories
- Security
Solutions
- Microsoft Sentinel
Columns
| Column | Type | Description |
|---|---|---|
| AttachmentCount | int | Number of attachments in the email |
| ConfidenceLevel | string | Number of attachments in the email |
| Connectors | string | Number of attachments in the email |
| DeliveryAction | string | Action of the delivered email |
| DeliveryLocation | string | Location of the delivered email: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items |
| DetectionMethods | string | Delivery action of the email: Delivered, Junked, Blocked, or Replaced |
| EmailAction | string | Final action taken on the email based on filter verdict, policies, and user actions: Move message to junk mail folder, Add X-header, Modify subject, Redirect message, Delete message, Send to quarantine, No action taken, Bcc message |
| EmailActionPolicy | string | Action policy that took effect: Antispam high-confidence, Antispam, Antispam bulk mail, Antispam phishing, Anti-phishing domain impersonation, Anti-phishing user impersonation, Anti-phishing spoof, Anti-phishing graph impersonation, Antimalware Safe Attachments, Enterprise Transport Rules (ETR) |
| EmailActionPolicyGuid | string | Unique identifier of the policy that took effect |
| EmailClusterId | long | Identifier of the email cluster. Emails are clustered (grouped) based on heuristic analysis of their contents |
| EmailDirection | string | Email direction: Inbound, Outbound, Intra-org |
| EmailLanguage | string | Detected language of the email content |
| InternetMessageId | string | Public-facing identifier for the email that is set by the sending email system |
| NetworkMessageId | string | Unique identifier for the email, generated by Office 365 |
| OrgLevelAction | string | Unique identifier of the policy that took effect |
| OrgLevelPolicy | string | Unique identifier of the policy that took effect |
| RecipientEmailAddress | string | Recipient email address or email address of the recipient after distribution list expansion |
| RecipientObjectId | string | Email recipient Azure AD identifier |
| ReportId | string | Unique identifier for the event |
| SenderDisplayName | string | Sender email address in the from header, which is visible to email recipients on their email clients |
| SenderFromAddress | string | Sender domain in the from header, which is visible to email recipients on their email clients |
| SenderFromDomain | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
| SenderIPv4 | string | IPv4 address of the last detected mail server that relayed the message |
| SenderIPv6 | string | IPv6 address of the last detected mail server that relayed the message |
| SenderMailFromAddress | string | Sender email address in the MAIL FROM header, also known as the envelope sender or the Return-Path address |
| SenderMailFromDomain | string | Sender domain in the MAIL FROM header, also known as the envelope sender or the Return-Path address |
| SenderObjectId | string | Sender email address in the from header, which is visible to email recipients on their email clients |
| SourceSystem | string | |
| Subject | string | Email subject field |
| TenantId | string | |
| ThreatNames | string | Sender email address in the from header, which is visible to email recipients on their email clients |
| ThreatTypes | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated |
| Type | string | The name of the table |
| UrlCount | int | Number of embedded URLs in the email |
| UserLevelAction | string | Action taken on the email in response to matches to a mailbox policy defined by the recipient |
| UserLevelPolicy | string | End user mailbox policy that triggered the action taken on the email |