EmailEvents

Applies to:

  • Microsoft Defender XDR

The EmailEvents table in the advanced hunting schema contains information about events involving the processing of emails on Microsoft Defender for Office 365. Use this reference to construct queries that return information from this table.

Tip

For detailed information about the events types (ActionType values) supported by a table, use the built-in schema reference available in Microsoft Defender XDR.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Column name Data type Description
Timestamp datetime Date and time when the event was recorded
NetworkMessageId string Unique identifier for the email, generated by Microsoft 365
InternetMessageId string Public-facing identifier for the email that is set by the sending email system
SenderMailFromAddress string Sender email address in the MAIL FROM header, also known as the envelope sender or the Return-Path address
SenderFromAddress string Sender email address in the FROM header, which is visible to email recipients on their email clients
SenderDisplayName string Name of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname
SenderObjectId string Unique identifier for the sender's account in Microsoft Entra ID
SenderMailFromDomain string Sender domain in the MAIL FROM header, also known as the envelope sender or the Return-Path address
SenderFromDomain string Sender domain in the FROM header, which is visible to email recipients on their email clients
SenderIPv4 string IPv4 address of the last detected mail server that relayed the message
SenderIPv6 string IPv6 address of the last detected mail server that relayed the message
RecipientEmailAddress string Email address of the recipient, or email address of the recipient after distribution list expansion
RecipientObjectId string Unique identifier for the email recipient in Microsoft Entra ID
Subject string Subject of the email
EmailClusterId long Identifier for the group of similar emails clustered based on heuristic analysis of their contents
EmailDirection string Direction of the email relative to your network: Inbound, Outbound, Intra-org
DeliveryAction string Delivery action of the email: Delivered, Junked, Blocked, or Replaced
DeliveryLocation string Location where the email was delivered: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items
ThreatTypes string Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats
ThreatNames string Detection name for malware or other threats found
DetectionMethods string Methods used to detect malware, phishing, or other threats found in the email
ConfidenceLevel string List of confidence levels of any spam or phishing verdicts. For spam, this column shows the spam confidence level (SCL), indicating if the email was skipped (-1), found to be not spam (0,1), found to be spam with moderate confidence (5,6), or found to be spam with high confidence (9). For phishing, this column displays whether the confidence level is "High" or "Low".
BulkComplaintLevel int Threshold assigned to email from bulk mailers, a high bulk complaint level (BCL) means the email is more likely to generate complaints, and thus more likely to be spam
EmailAction string Final action taken on the email based on filter verdict, policies, and user actions: Move message to junk mail folder, Add X-header, Modify subject, Redirect message, Delete message, send to quarantine, No action taken, Bcc message
EmailActionPolicy string Action policy that took effect: Antispam high-confidence, Antispam, Antispam bulk mail, Antispam phishing, Anti-phishing domain impersonation, Anti-phishing user impersonation, Anti-phishing spoof, Anti-phishing graph impersonation, Antimalware, Safe Attachments, Enterprise Transport Rules (ETR)
EmailActionPolicyGuid string Unique identifier for the policy that determined the final mail action
AuthenticationDetails string List of pass or fail verdicts by email authentication protocols like DMARC, DKIM, SPF or a combination of multiple authentication types (CompAuth)
AttachmentCount int Number of attachments in the email
UrlCount int Number of embedded URLs in the email
EmailLanguage string Detected language of the email content
Connectors string Custom instructions that define organizational mail flow and how the email was routed
OrgLevelAction string Action taken on the email in response to matches to a policy defined at the organizational level
OrgLevelPolicy string Organizational policy that triggered the action taken on the email
UserLevelAction string Action taken on the email in response to matches to a mailbox policy defined by the recipient
UserLevelPolicy string End-user mailbox policy that triggered the action taken on the email
ReportId string Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns.
AdditionalFields string Additional information about the entity or event
LatestDeliveryLocation* string Last known location of the email
LatestDeliveryAction* string Last known action attempted on an email by the service or by an admin through manual remediation

Note

* The LatestDeliveryLocation and LatestDeliveryAction columns are not available in the Streaming API.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.