EmailPostDeliveryEvents

Office 365 security events that occurred after an email was delivered to the recipient mailbox.

Table attributes

| Attribute | Value |
| --- | --- |
| Resource types | - |
| Categories | Security |
| Solutions | SecurityInsights |
| Basic log | No |
| Ingestion-time transformation | Yes |
| Sample Queries | Yes |

Columns

| Column | Type | Description |
| --- | --- | --- |
| Action | string | Action taken on the entity |
| ActionResult | string | Result of the action |
| ActionTrigger | string | Indicates whether an action was triggered by an administrator (manually or through approval of a pending automated action), or by some special mechanism, such as a ZAP or String Delivery |
| ActionType | string | Type of activity that triggered the event |
| _BilledSize | real | The record size in bytes |
| DeliveryLocation | string | Delivered email location: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items |
| DetectionMethods | string | Methods used to detect malware, phishing, or other threats found in the email |
| InternetMessageId | string | Public-facing identifier for the email that is set by the sending email system |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| NetworkMessageId | string | Unique email identifier generated by Office 365 |
| RecipientEmailAddress | string | Recipient email address or email address of the recipient after distribution list expansion |
| ReportId | string | Unique identifier for the event |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| ThreatTypes | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated |
| Type | string | The name of the table |