EmailEvents

Office 365 email events, including email delivery and blocking events.

Categories

  • Security

Solutions

  • Microsoft Sentinel

Columns

| Column | Type | Description |
|---|---|---|
| AttachmentCount | int | Number of attachments in the email |
| ConfidenceLevel | string | Number of attachments in the email |
| Connectors | string | Number of attachments in the email |
| DeliveryAction | string | Action of the delivered email |
| DeliveryLocation | string | Location of the delivered email: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items |
| DetectionMethods | string | Delivery action of the email: Delivered, Junked, Blocked, or Replaced |
| EmailAction | string | Final action taken on the email based on filter verdict, policies, and user actions: Move message to junk mail folder, Add X-header, Modify subject, Redirect message, Delete message, Send to quarantine, No action taken, Bcc message |
| EmailActionPolicy | string | Action policy that took effect: Antispam high-confidence, Antispam, Antispam bulk mail, Antispam phishing, Anti-phishing domain impersonation, Anti-phishing user impersonation, Anti-phishing spoof, Anti-phishing graph impersonation, Antimalware Safe Attachments, Enterprise Transport Rules (ETR) |
| EmailActionPolicyGuid | string | Unique identifier of the policy that took effect |
| EmailClusterId | long | Identifier of the email cluster. Emails are clustered (grouped) based on heuristic analysis of their contents |
| EmailDirection | string | Email direction: Inbound, Outbound, Intra-org |
| EmailLanguage | string | Detected language of the email content |
| InternetMessageId | string | Public-facing identifier for the email that is set by the sending email system |
| NetworkMessageId | string | Unique identifier for the email, generated by Office 365 |
| OrgLevelAction | string | Unique identifier of the policy that took effect |
| OrgLevelPolicy | string | Unique identifier of the policy that took effect |
| RecipientEmailAddress | string | Recipient email address or email address of the recipient after distribution list expansion |
| RecipientObjectId | string | Email recipient Azure AD identifier |
| ReportId | string | Unique identifier for the event |
| SenderDisplayName | string | Sender email address in the from header, which is visible to email recipients on their email clients |
| SenderFromAddress | string | Sender domain in the from header, which is visible to email recipients on their email clients |
| SenderFromDomain | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
| SenderIPv4 | string | IPv4 address of the last detected mail server that relayed the message |
| SenderIPv6 | string | IPv6 address of the last detected mail server that relayed the message |
| SenderMailFromAddress | string | Sender email address in the MAIL from header, also known as the envelope sender or the Return-Path address |
| SenderMailFromDomain | string | Sender domain in the MAIL from header, also known as the envelope sender or the Return-Path address |
| SenderObjectId | string | Sender email address in the from header, which is visible to email recipients on their email clients |
| SourceSystem | string | |
| Subject | string | Email subject field |
| TenantId | string | |
| ThreatNames | string | Sender email address in the from header, which is visible to email recipients on their email clients |
| ThreatTypes | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated |
| Type | string | The name of the table |
| UrlCount | int | Number of embedded URLs in the email |
| UserLevelAction | string | Action taken on the email in response to matches to a mailbox policy defined by the recipient |
| UserLevelPolicy | string | End user mailbox policy that triggered the action taken on the email |