EmailPostDeliveryEvents

Applies to:

  • Microsoft 365 Defender

The EmailPostDeliveryEvents table in the advanced hunting schema contains information about post-delivery actions taken on email messages processed by Microsoft 365. Use this reference to construct queries that return information from this table.

Tip

For detailed information about the events types (ActionType values) supported by a table, use the built-in schema reference available in the security center.

To get more information about individual email messages, you can also use the EmailEvents, EmailAttachmentInfo, and the EmailUrlInfo tables. For information on other tables in the advanced hunting schema, see the advanced hunting reference.

Column name Data type Description
Timestamp datetime Date and time when the event was recorded
EventId string Unique identifier for the event
NetworkMessageId string Unique identifier for the email, generated by Microsoft 365
InternetMessageId string Public-facing identifier for the email that is set by the sending email system
Action string Action taken on the entity
ActionType string Type of activity that triggered the event: Manual remediation, Phish ZAP, Malware ZAP
ActionTrigger string Indicates whether an action was triggered by an administrator (manually or through approval of a pending automated action), or by some special mechanism, such as a ZAP or Dynamic Delivery
ActionResult string Result of the action
RecipientEmailAddress string Email address of the recipient, or email address of the recipient after distribution list expansion
DeliveryLocation string Location where the email was delivered: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items

Supported event types

This table captures events with the following ActionType values:

  • Manual remediation – An administrator manually took action on an email message after it was delivered to the user mailbox. This includes actions taken manually through Threat Explorer or approvals of automated investigation and response (AIR) actions.
  • Phish ZAPZero-hour auto purge (ZAP) took action on a phishing email after delivery.
  • Malware ZAP – Zero-hour auto purge (ZAP) took action on an email message found containing malware after delivery.