EmailPostDeliveryEvents

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

The EmailPostDeliveryEvents table in the advanced hunting schema contains information about post-delivery actions taken on email messages processed by Microsoft 365. Use this reference to construct queries that return information from this table.

Tip

For detailed information about the event types (ActionType values) supported by a table, use the built-in schema reference available in the security center.

To get more information about individual email messages, you can also use the EmailEvents, EmailAttachmentInfo, and EmailUrlInfo tables. For information on other tables in the advanced hunting schema, see the advanced hunting reference.

| Column name | Data type | Description |
|---|---|---|
| Timestamp | datetime | Date and time when the event was recorded |
| NetworkMessageId | string | Unique identifier for the email, generated by Microsoft 365 |
| InternetMessageId | string | Public-facing identifier for the email that is set by the sending email system |
| Action | string | Action taken on the entity |
| ActionType | string | Type of activity that triggered the event: Manual remediation, Phish ZAP, Malware ZAP |
| ActionTrigger | string | Indicates whether an action was triggered by an administrator (manually or through approval of a pending automated action), or by some special mechanism, such as a ZAP or Dynamic Delivery |
| ActionResult | string | Result of the action |
| RecipientEmailAddress | string | Email address of the recipient, or email address of the recipient after distribution list expansion |
| DeliveryLocation | string | Location where the email was delivered: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |

Supported event types

This table captures events with the following ActionType values:

  • Manual remediation – An administrator manually took action on an email message after it was delivered to the user mailbox. This includes actions taken manually through Threat Explorer or approvals of automated investigation and response (AIR) actions.
  • Phish ZAP – Zero-hour auto purge (ZAP) took action on a phishing email after delivery.
  • Malware ZAP – Zero-hour auto purge (ZAP) took action on an email message found containing malware after delivery.
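
A query built from the columns above, as an added example that is not part of the original reference: it measures how long each message stayed in a mailbox before a post-delivery action was taken, by joining to EmailEvents on NetworkMessageId and RecipientEmailAddress. The 7-day lookback and the 2-day margin are assumptions, and the EmailEvents columns SenderFromAddress, Subject and DeliveryLocation come from that table's schema rather than from this page.

```kusto
// Added example (not from the original reference).
// Dwell time between original delivery and the post-delivery action.
let lookback = 7d;   // assumption: adjust to your investigation window
EmailPostDeliveryEvents
| where Timestamp > ago(lookback)
// Keep only the most recent post-delivery action per message and recipient
| summarize arg_max(Timestamp, ActionType, ActionTrigger, ActionResult, DeliveryLocation)
    by NetworkMessageId, RecipientEmailAddress
| project-rename ActionTime = Timestamp, PostActionLocation = DeliveryLocation
| join kind=inner (
    EmailEvents
    // Delivery can precede the action, so look slightly further back (assumed margin)
    | where Timestamp > ago(lookback + 2d)
    | project DeliveredTime = Timestamp, NetworkMessageId, RecipientEmailAddress,
              SenderFromAddress, Subject, OriginalLocation = DeliveryLocation
  ) on NetworkMessageId, RecipientEmailAddress
| extend Dwell = ActionTime - DeliveredTime
| project DeliveredTime, ActionTime, Dwell, ActionType, ActionTrigger, ActionResult,
          RecipientEmailAddress, SenderFromAddress, Subject,
          OriginalLocation, PostActionLocation
| order by Dwell desc
```

Rows with a long Dwell and an OriginalLocation of Inbox/Folder are the ones where a recipient had the most time to interact with the message before it was acted on.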