EmailEvents

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

Note

The EmailEvents table in the advanced hunting schema contains information about events involving the processing of emails on Microsoft Defender for Office 365. Use this reference to construct queries that return information from this table.

Tip

For detailed information about the event types (ActionType values) supported by a table, use the built-in schema reference available in the security center.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

| Column name | Data type | Description |
|---|---|---|
| Timestamp | datetime | Date and time when the event was recorded |
| NetworkMessageId | string | Unique identifier for the email, generated by Microsoft 365 |
| InternetMessageId | string | Public-facing identifier for the email that is set by the sending email system |
| SenderMailFromAddress | string | Sender email address in the MAIL FROM header, also known as the envelope sender or the Return-Path address |
| SenderFromAddress | string | Sender email address in the FROM header, which is visible to email recipients on their email clients |
| SenderDisplayName | string | Name of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname |
| SenderObjectId | string | Unique identifier for the sender's account in Azure AD |
| SenderMailFromDomain | string | Sender domain in the MAIL FROM header, also known as the envelope sender or the Return-Path address |
| SenderFromDomain | string | Sender domain in the FROM header, which is visible to email recipients on their email clients |
| SenderIPv4 | string | IPv4 address of the last detected mail server that relayed the message |
| SenderIPv6 | string | IPv6 address of the last detected mail server that relayed the message |
| RecipientEmailAddress | string | Email address of the recipient, or email address of the recipient after distribution list expansion |
| RecipientObjectId | string | Unique identifier for the email recipient in Azure AD |
| Subject | string | Subject of the email |
| EmailClusterId | string | Identifier for the group of similar emails clustered based on heuristic analysis of their contents |
| EmailDirection | string | Direction of the email relative to your network: Inbound, Outbound, Intra-org |
| DeliveryAction | string | Delivery action of the email: Delivered, Junked, Blocked, or Replaced |
| DeliveryLocation | string | Location where the email was delivered: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items |
| ThreatTypes | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
| ThreatNames | string | Detection name for malware or other threats found |
| DetectionMethods | string | Methods used to detect malware, phishing, or other threats found in the email |
| ConfidenceLevel | string | List of confidence levels of any spam or phishing verdicts. For spam, this column shows the spam confidence level (SCL), indicating if the email was skipped (-1), found to be not spam (0,1), found to be spam with moderate confidence (5,6), or found to be spam with high confidence (9). For phishing, this column displays whether the confidence level is "High" or "Low". |
| EmailAction | string | Final action taken on the email based on filter verdict, policies, and user actions: Move message to junk mail folder, Add X-header, Modify subject, Redirect message, Delete message, Send to quarantine, No action taken, Bcc message |
| EmailActionPolicy | string | Action policy that took effect: Antispam high-confidence, Antispam, Antispam bulk mail, Antispam phishing, Anti-phishing domain impersonation, Anti-phishing user impersonation, Anti-phishing spoof, Anti-phishing graph impersonation, Antimalware, Safe Attachments, Enterprise Transport Rules (ETR) |
| EmailActionPolicyGuid | string | Unique identifier for the policy that determined the final mail action |
| AttachmentCount | int | Number of attachments in the email |
| UrlCount | int | Number of embedded URLs in the email |
| EmailLanguage | string | Detected language of the email content |
| Connectors | string | Custom instructions that define organizational mail flow and how the email was routed |
| OrgLevelAction | string | Action taken on the email in response to matches to a policy defined at the organizational level |
| OrgLevelPolicy | string | Organizational policy that triggered the action taken on the email |
| UserLevelAction | string | Action taken on the email in response to matches to a mailbox policy defined by the recipient |
| UserLevelPolicy | string | End-user mailbox policy that triggered the action taken on the email |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
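The following advanced hunting query is an added example, not part of the original page, showing how the columns above combine in practice: it surfaces inbound mail that the filtering stack judged to be phishing or malware but that was nevertheless delivered to a mailbox, then groups it per message so a responder can see how many recipients were exposed and which policy acted. It assumes ThreatTypes carries the verdict strings "Phish" and "Malware"; the DeliveryAction and DeliveryLocation values are the ones listed in the table.

```kusto
// Added example; not from the original page. Assumes ThreatTypes contains
// the verdict strings "Phish" / "Malware"; other literal values below are
// the ones listed in the schema table.
EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| where ThreatTypes has_any ("Phish", "Malware")
// Keep only mail that still reached a mailbox despite the verdict
| where DeliveryAction == "Delivered" and DeliveryLocation =~ "Inbox/Folder"
// Envelope (MAIL FROM) domain differing from the visible FROM domain is a
// common spoofing / impersonation signal, so surface it for triage first
| extend EnvelopeMismatch = SenderMailFromDomain != SenderFromDomain
// One row per message: recipient exposure plus the verdict and policy context
| summarize Recipients = dcount(RecipientEmailAddress),
            FirstSeen  = min(Timestamp),
            LastSeen   = max(Timestamp),
            Subject    = take_any(Subject)
    by NetworkMessageId, SenderFromAddress, SenderMailFromDomain, SenderIPv4,
       ThreatTypes, ThreatNames, DetectionMethods, EmailAction,
       EmailActionPolicy, EnvelopeMismatch
| order by EnvelopeMismatch desc, Recipients desc
| project-reorder NetworkMessageId, SenderFromAddress, Recipients, ThreatTypes
```

NetworkMessageId is the key to carry into follow-up queries against other email tables, since it identifies the message regardless of how many recipient rows it produced.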