EmailAttachmentInfo
Note
Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.
Applies to:
- Microsoft Defender XDR
The EmailAttachmentInfo table in the advanced hunting schema contains information about attachments on emails processed by Microsoft Defender for Office 365. Use this reference to construct queries that return information from this table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Important
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
| Column name | Data type | Description |
|---|---|---|
Timestamp |
datetime |
Date and time when the event was recorded |
NetworkMessageId |
string |
Unique identifier for the email, generated by Microsoft 365 |
SenderFromAddress |
string |
Sender email address in the FROM header, which is visible to email recipients on their email clients |
SenderDisplayName |
string |
Name of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname |
SenderObjectId |
string |
Unique identifier for the sender's account in Microsoft Entra ID |
RecipientEmailAddress |
string |
Email address of the recipient, or email address of the recipient after distribution list expansion |
RecipientObjectId |
string |
Unique identifier for the email recipient in Microsoft Entra ID |
FileName |
string |
Name of the file that the recorded action was applied to |
FileType |
string |
File extension type |
SHA256 |
string |
SHA-256 of the file that the recorded action was applied to. This field is usually not populated — use the SHA1 column when available. |
FileSize |
long |
Size of the file in bytes |
ThreatTypes |
string |
Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
ThreatNames |
string |
Detection name for malware or other threats found |
DetectionMethods |
string |
Methods used to detect malware, phishing, or other threats found in the email |
ReportId |
string |
Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
Related topics
- Advanced hunting overview
- Learn the query language
- Use shared queries
- Hunt across devices, emails, apps, and identities
- Understand the schema
- Apply query best practices
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for