Microsoft 365 email events, including email delivery and blocking events
| Attribute | Value |
|---|---|
| Category | Defender |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Lake-Only Ingestion | ✓ Yes (source) |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| AdditionalFields | dynamic | Additional information about the entity or event. |
| AttachmentCount | int | Number of attachments in the email. |
| AuthenticationDetails | string | List of pass or fail verdicts by email authentication protocols like DMARC, DKIM, SPF or a combination of multiple authentication types (CompAuth). |
| BulkComplaintLevel | int | Threshold assigned to email from bulk mailers, a high bulk complaint level (BCL) means the email is more likely to generate complaints, and thus more likely to be spam. |
| Cc | dynamic | Indicates the addresses which are listed in Cc fields of an email |
| ConfidenceLevel | string | List of confidence levels of any spam or phishing verdicts. For spam, this column shows the spam confidence level (SCL), indicating if the email was skipped (-1), found to be not spam (0,1), found to be spam with moderate confidence (5,6), or found to be spam with high confidence (9). For phishing, this column displays whether the confidence level is "High" or "Low". |
| Connectors | string | Custom instructions that define organizational mail flow and how the email was routed. |
| Context | string | Configuration context data of the machine |
| DeliveryAction | string | Action of the delivered email. |
| DeliveryLocation | string | Location of the delivered email: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items. |
| DetectionMethods | string | Delivery action of the email: Delivered, Junked, Blocked, or Replaced. |
| DistributionList | string | Name of distribution list that the recipient was a member of and to which the email was sent, if applicable; shows top-level distribution list if nested lists are involved |
| EmailAction | string | Final action taken on the email based on filter verdict, policies, and user actions: Move message to junk mail folder, Add X-header, Modify subject, Redirect message, Delete message, send to quarantine, No action taken, Bcc message. |
| EmailActionPolicy | string | Action policy that took effect: Antispam high-confidence, Antispam, Antispam bulk mail, Antispam phishing, Anti-phishing domain impersonation, Anti-phishing user impersonation, Anti-phishing spoof, Anti-phishing graph impersonation, Antimalware Safe Attachments, Enterprise Transport Rules (ETR). |
| EmailActionPolicyGuid | string | Unique identifier of the policy that took effect. |
| EmailClusterId | long | Identifier of the email cluster. Emails are clustered (grouped) based on heuristic analysis of their contents. |
| EmailDirection | string | Email direction: Inbound, Outbound, Intra-org. |
| EmailLanguage | string | Detected language of the email content. |
| EmailSize | int | Size of the email message. |
| ExchangeTransportRule | string | Mail flow rules (also known as transport rules) are similar to Inbox rules that are available in Outlook and Outlook on the web. The main difference is mail flow rules take action on messages while they're in transit. |
| ForwardingInformation | string | A JSON array of forwarding details including the forwarding user and the forwarding type |
| InternetMessageId | string | Public-facing identifier for the email that is set by the sending email system. |
| IsFirstContact | bool | Indicates whether this is the first contact between sender and receiver. |
| LastEventExecutionTime | datetime | Date and time (UTC) when the record was updated post merge. |
| LatestDeliveryAction | string | Last known action attempted on an email by the service or by an admin through manual remediation. |
| LatestDeliveryLocation | string | Last known location of the email. |
| NetworkMessageId | string | Unique identifier for the email, generated by Office 365. |
| OrgLevelAction | string | Action taken on the email in response to matches to a policy defined at the organizational level. |
| OrgLevelPolicy | string | Organizational policy that triggered the action taken on the email. |
| RecipientDomain | string | Domain of the recipient of the email. |
| RecipientEmailAddress | string | Recipient email address or email address of the recipient after distribution list expansion. |
| RecipientObjectId | string | Email recipient Azure AD identifier. |
| ReportId | string | Unique identifier for the event. |
| SenderDisplayName | string | Sender email address in the from header, which is visible to email recipients on their email clients. |
| SenderFromAddress | string | Sender domain in the from header, which is visible to email recipients on their email clients. |
| SenderFromDomain | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats. |
| SenderIPv4 | string | IPv4 address of the last detected mail server that relayed the message. |
| SenderIPv6 | string | IPv6 address of the last detected mail server that relayed the message. |
| SenderMailFromAddress | string | Sender email address in the MAIL from header, also known as the envelope sender or the Return-Path address. |
| SenderMailFromDomain | string | Sender domain in the MAIL from header, also known as the envelope sender or the Return-Path address. |
| SenderObjectId | string | Sender email address in the from header, which is visible to email recipients on their email clients. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| Subject | string | Email subject field. |
| TenantId | string | The Log Analytics workspace ID |
| ThreatClassification | string | Indicates the threat classification of the mail |
| ThreatNames | string | Sender email address in the from header, which is visible to email recipients on their email clients. |
| ThreatTypes | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats. |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated. |
| To | dynamic | Indicates the addresses which are listed in To fields of an email |
| Type | string | The name of the table |
| UrlCount | int | Number of embedded URLs in the email. |
| UserLevelAction | string | Action taken on the email in response to matches to a mailbox policy defined by the recipient. |
| UserLevelPolicy | string | End user mailbox policy that triggered the action taken on the email. |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR | |
In solution Microsoft Business Applications: EmailDirection == "Outbound"
| Analytic Rule |
|---|
| Dataverse - Terminated employee exfiltration over email |
In solution Threat Intelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map URL Entity to EmailUrlInfo | |
| TI map Domain entity to EmailEvents | |
| TI map Domain entity to EmailUrlInfo | DeliveryAction !has "Blocked" |
| TI map Email entity to EmailEvents | |
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map URL Entity to EmailUrlInfo | |
| TI map Domain entity to EmailEvents | |
| TI map Domain entity to EmailUrlInfo | DeliveryAction !has "Blocked" |
| TI map Email entity to EmailEvents | |
In solution Business Email Compromise - Financial Fraud:
| Hunting Query | Selection Criteria |
|---|---|
| Email Forwarding Configuration with SAP download | |
In solution Microsoft Defender XDR:
| Hunting Query | Selection Criteria |
|---|---|
| Automated email notifications and suspicious sign-in activity | |
| Bad email percentage of Inbound emails | EmailDirection == "Inbound" |
| Bulk Emails by Sender Bulk Complaint level | EmailDirection == "Inbound" |
| Calculate overall MDO efficacy | ActionType in "AdminSubmissionSubmitted,Malware ZAP,Phish ZAP,Redelivery" |
| CompAuth Failure Trend | |
| DKIM Failure Trend | |
| DMARC Failure Trend | |
| Determine Successfully Delivered Phishing Emails by top IP Addresses | DeliveryAction == "Delivered"; ThreatTypes has "Malware"; ThreatTypes has "Phish" |
| Determine Successfully Delivered Phishing Emails to Inbox/Junk folder. | DeliveryLocation in "Inbox/folder,Junk folder" |
| Email Top 10 Domains sending Spam | ThreatTypes has "Spam" |
| Email Top 10 Targeted Users (Spam) | ThreatTypes has "Spam" |
| Email Top 15 Domains sending Spam with Additional Details | EmailDirection == "Inbound"; ThreatTypes has "Spam" |
| Email Top 15 Targeted Users (Spam) with Additional Details | ThreatTypes has "Spam" |
| Email Top Domains sending Malware | EmailDirection == "Inbound"; ThreatTypes has "Malware" |
| Email Top Domains sending Phish | EmailDirection == "Inbound"; OrgLevelPolicy != "Phishing simulation"; OrgLevelPolicy != "SecOps Mailbox"; ThreatTypes has "Phish" |
| Email bombing attacks | DeliveryAction == "Delivered" |
| Files share contents and suspicious sign-in activity | |
| Hunt for email bombing attacks | EmailDirection == "Inbound" |
| Impersonation Detections Trend | DetectionMethods has "Impersonation" |
| Impersonation Detections by Detection Technology | DetectionMethods has "Impersonation" |
| Impersonation Detections by Detection Technology Trend | |
| MDO Threat Protection Detections trend over time | ActionType in "AdminSubmission,Malware ZAP,Phish ZAP,UserSubmission" |
| Malware Detections Trend | ThreatTypes has "Malware" |
| Malware Detections by Detection technology | DetectionMethods has "Malware" |
| Malware Detections by Detection technology Trend | |
| Malware Detections by delivery location | DeliveryLocation in "Failed,Quarantine"; DetectionMethods has "Malware"; EmailDirection == "Inbound" |
| Message from an Accepted Domain with DMARC TempError | EmailDirection == "Inbound" |
| Phish Detections (High) by delivery location | ConfidenceLevel has_any "Phish"; OrgLevelPolicy != "Phishing simulation"; OrgLevelPolicy != "SecOps Mailbox" |
| Phish Detections (Normal) by delivery location | ConfidenceLevel has_any "Phish"; OrgLevelPolicy != "Phishing simulation"; OrgLevelPolicy != "SecOps Mailbox" |
| Phish Detections Trend | OrgLevelPolicy != "Phishing simulation"; OrgLevelPolicy != "SecOps Mailbox"; ThreatTypes has "Phish" |
| Phish Detections by Detection technology | OrgLevelPolicy != "Phishing simulation"; OrgLevelPolicy != "SecOps Mailbox"; ThreatTypes has "Phish" |
| Phish Detections by Detection technology Trend | |
| Phish Detections by delivery location trend | DeliveryLocation in "Dropped,Failed,Inbox/folder,Junk folder,Quarantine"; DetectionMethods has "Phish"; EmailDirection == "Inbound"; OrgLevelPolicy != "Phishing simulation"; OrgLevelPolicy != "SecOps Mailbox" |
| Quarantine Phish Reason | DeliveryLocation == "Quarantine"; DetectionMethods has "Phish"; EmailDirection == "Inbound" |
| Quarantine Phish Reason trend | |
| Quarantine Spam Reason | DeliveryLocation == "Quarantine"; DetectionMethods has "Spam"; EmailDirection == "Inbound" |
| Quarantine Spam Reason trend | |
| Quarantine releases by Detection Types | |
| SPF Failure Trend | |
| Spam Detections (High) by delivery location | ConfidenceLevel has_any "Spam"; OrgLevelPolicy != "Phishing simulation"; OrgLevelPolicy != "SecOps Mailbox" |
| Spam Detections (Normal) by delivery location | ConfidenceLevel has_any "Spam"; OrgLevelPolicy != "Phishing simulation"; OrgLevelPolicy != "SecOps Mailbox" |
| Spam Detections by Detection technology | |
| Spam and Phish allowed to inbox by Admin Overrides | |
| Spam and Phish allowed to inbox by User Overrides | |
| Spam detection by IP and its location | |
| Spam detection by delivery location | DeliveryLocation in "Dropped,Failed,Inbox/folder,Junk folder,Quarantine"; DetectionMethods has "Spam"; EmailDirection == "Inbound" |
| Spam detection technologies | DetectionMethods has "Spam" |
| Spam detection trend | ThreatTypes has "Spam" |
| Spoof Detections Trend | DetectionMethods has "Spoof" |
| Spoof Detections by Detection Technology | DetectionMethods has "Spoof" |
| Spoof Detections by Detection Technology Trend | |
| Spoofing attempts from Specific Domains | DetectionMethods has "spoof" |
| Top 10 External Senders (Spam) | EmailDirection == "Inbound"; SenderFromAddress !contains ".yourdomain.com"; ThreatTypes has "Spam" |
| Top 10 domains sending Bulk email | EmailDirection == "Inbound" |
| Top Domains Outbound with Emails with Threats Inbound (Partner BEC) | EmailDirection in "Inbound,Outbound" |
| Top Malware Families | ThreatTypes has "Malware" |
| Top Spoof DMARC detections by Sender domain (P1/P2) | DetectionMethods has_any "Phish"; EmailDirection == "Inbound" |
| Top Spoof external domain detections by Sender domain (P1/P2) | DetectionMethods has_any "Phish"; EmailDirection == "Inbound" |
| Top Spoof intra-org detections by Sender domain (P1/P2) | DetectionMethods has_any "Phish"; EmailDirection == "Inbound" |
| Top Users receiving Malware | EmailDirection == "Inbound"; ThreatTypes has "Malware" |
| Top Users receiving Phish | EmailDirection == "Inbound"; OrgLevelPolicy != "Phishing simulation"; OrgLevelPolicy != "SecOps Mailbox"; ThreatTypes has "Phish" |
| Top outbound recipient domains sending inbound emails with threats | EmailDirection in "Inbound,Outbound" |
| Total Emails with Admin Overrides (Allow) | OrgLevelAction == "Allow"; OrgLevelPolicy != "SecOps Mailbox" |
| Total Emails with Admin Overrides (Block) | OrgLevelAction == "Block" |
| Total Emails with User Overrides (Allow) | UserLevelAction == "Allow" |
| Total Emails with User Overrides (Block) | UserLevelAction == "Block" |
| Total number of detections by MDO | ActionType in "AdminSubmission,Malware ZAP,Phish ZAP,UserSubmission" |
| User Email Submissions (FN) - Top Inbound P2 Senders | EmailDirection == "Inbound" |
| User Email Submissions (FN) - Top Inbound P2 Senders domains | EmailDirection == "Inbound" |
| Zero-day Malware Detections Trend | |
| Zero-day Phish Detections Trend | |
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| Attacked more than x times average | |
| Authentication failures by time and authentication type | |
| Campaign with suspicious keywords | DeliveryAction == "Delivered"; EmailDirection == "Inbound" |
| Custom detection-Emails with QR from non-prevalent senders | |
| Detections by detection methods | |
| Display Name - Spoof and Impersonation | DeliveryAction == "Delivered"; EmailDirection == "Inbound"; OrgLevelAction != "Block"; SenderDisplayName contains "Microsoft"; UserLevelAction != "Block" |
| Email containing malware sent by an internal sender | EmailDirection in "Intra-org,Outbound"; SenderFromAddress !startswith "microsoftexchange"; SenderFromAddress !startswith "postmaster@"; ThreatTypes == "Malware" |
| Email malware detection report | |
| Email sender IP address Geo location information | |
| Emails delivered having URLs from QR codes | DeliveryAction == "Delivered"; EmailDirection == "Inbound" |
| Emails with QR codes and suspicious keywords in subject | DeliveryAction == "Delivered"; EmailDirection == "Inbound" |
| Emails with QR codes from non-prevalent sender | |
| Good emails from senders with bad patterns | EmailDirection == "Inbound" |
| High Confidence Phish Released | ActionType == "QuarantineReleaseMessage" |
| Hunt for email conversation take over attempts | DeliveryLocation != "Quarantine"; EmailDirection == "Inbound"; OrgLevelAction != "Block"; UserLevelAction != "Block" |
| Hunting for sender patterns | |
| Hunting for user signals-clusters | EmailDirection == "Inbound" |
| Inbound emails with QR code URLs | EmailDirection == "Inbound" |
| Listing Email Remediation Actions via Explorer | LatestDeliveryAction in "Hard delete,Moved to deleted items,Moved to junk folder,Soft delete" |
| Local time to UTC time conversion | DeliveryAction == "Delivered"; LatestDeliveryLocation == "Quarantine" |
| MDO daily detection summary report | |
| MDO_CountOfRecipientsEmailaddressbySubject | |
| MDO_CountOfSendersEmailaddressbySubject | |
| MDO_Countofrecipientsemailaddressesbysubject | |
| MDO_SummaryOfSenders | DeliveryLocation in "Inbox/folder,Junk folder,Quarantine" |
| Mail reply to new domain | DeliveryLocation != "Quarantine"; EmailDirection == "Inbound"; OrgLevelAction != "Block"; UserLevelAction != "Block" |
| Mailflow by directionality | |
| Malicious Emails with QR code Urls | |
| Malicious email senders | LatestDeliveryLocation == "Inbox/folder" |
| Malicious emails detected per day | |
| Malicious mails by sender IPs | ThreatTypes has "Malware"; ThreatTypes has "Phish" |
| Personalized campaigns based on the first few keywords | DeliveryAction == "Delivered"; EmailDirection == "Inbound" |
| Personalized campaigns based on the last few keywords | DeliveryAction == "Delivered"; EmailDirection == "Inbound" |
| Punycode lookalikes | |
| Quarantine Release Email Details | ActionType == "QuarantineReleaseMessage" |
| Safe Attachments detections | |
| SafeLinks URL detections | |
| Sender recipient contact establishment | DeliveryAction == "Delivered"; EmailDirection == "Inbound"; OrgLevelAction != "Block"; SenderDisplayName contains "Microsoft"; UserLevelAction != "Block" |
| Spoof and impersonation detections by sender IP | DetectionMethods contains "impersonation"; DetectionMethods contains "spoof" |
| Spoof and impersonation phish detections | DetectionMethods contains "impersonation"; DetectionMethods contains "spoof" |
| Spoof attempts with auth failure | DetectionMethods contains "spoof" |
| Top 10 Domains sending Malicious Emails (Malware+Phish+Spam) | EmailDirection == "Inbound"; SenderFromDomain !contains ".yourdomain.com"; ThreatTypes has_any "Malware" |
| Top 10 External Senders (Malware) | EmailDirection == "Inbound"; SenderFromAddress !contains ".yourdomain.com"; ThreatTypes has "Malware" |
| Top 10 External Senders (Phish) | EmailDirection == "Inbound"; SenderFromAddress !contains ".yourdomain.com"; ThreatTypes has "Phish" |
| Top 10 External Senders (Spam) | EmailDirection == "Inbound"; SenderFromAddress !contains ".yourdomain.com"; ThreatTypes has "Spam" |
| Top 10 Targeted Users (Malware+Phish+Spam) | EmailDirection == "Inbound"; ThreatTypes has "Malware"; ThreatTypes has "Phish"; ThreatTypes has "Spam" |
| Top 10 URL domains attacking organization | |
| Top 10% of most attacked users | |
| Top 100 malicious email senders | ThreatTypes has "Malware"; ThreatTypes has "Phish" |
| Top 100 senders | |
| Top external malicious senders | EmailDirection == "Inbound" |
| Top policies performing admin overrides | OrgLevelAction == "Allow" |
| Top policies performing user overrides | UserLevelAction == "Allow" |
| Top targeted users | ThreatTypes has "Malware"; ThreatTypes has "Phish" |
| User clicks on malicious inbound emails | ActionType == "ClickAllowed"; EmailDirection == "Inbound"; ThreatTypes has_any "Malware" |
| Zero day threats | DetectionMethods has "File Detonation"; DetectionMethods has "URL Detonation" |
| referral-phish-emails | |
In solution MaturityModelForEventLogManagementM2131: DeliveryAction == "Junked"; DetectionMethods contains "spam"
| Workbook |
|---|
| MaturityModelForEventLogManagement_M2131 |
In solution Microsoft Defender XDR: ActionType in "AdminSubmissionSubmitted,Malware ZAP,Phish ZAP,Redelivery,Spam ZAP,UserSubmission"; DeliveryAction == "Delivered"; DeliveryAction != "Delivered"; OrgLevelAction in "Allow,Block"; OrgLevelPolicy != "Phishing simulation"; OrgLevelPolicy != "SecOps Mailbox"; UserLevelAction in "Allow,Block"
| Workbook |
|---|
| MicrosoftDefenderForOffice365detectionsandinsights |
In solution Microsoft Defender for Office 365:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftDefenderForOffice365 | |
In solution MicrosoftPurviewInsiderRiskManagement: ActionType in "Add member to role,Add user,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user"
| Workbook |
|---|
| InsiderRiskManagement |
In solution NISTSP80053:
| Workbook | Selection Criteria |
|---|---|
| NISTSP80053 | |
In solution ZeroTrust(TIC3.0): ActionType in "Add member to role,Add user,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user"
| Workbook |
|---|
| ZeroTrustTIC3 |
References by type: 0 connectors, 94 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| EmailDirection == "Inbound" | - | 11 | - | - | 11 |
| DeliveryAction == "Delivered"; EmailDirection == "Inbound" | - | 5 | - | - | 5 |
| ThreatTypes has "Spam" | - | 4 | - | - | 4 |
| DetectionMethods has_any "Phish"; EmailDirection == "Inbound" | - | 3 | - | - | 3 |
| ThreatTypes has "Malware"; ThreatTypes has "Phish" | - | 3 | - | - | 3 |
| DeliveryAction !has "Blocked" | - | 2 | - | - | 2 |
| EmailDirection == "Inbound"; SenderFromAddress !contains ".yourdomain.com"; ThreatTypes has "Spam" | - | 2 | - | - | 2 |
| ActionType in "AdminSubmission,Malware ZAP,Phish ZAP,UserSubmission" | - | 2 | - | - | 2 |
| DeliveryLocation != "Quarantine"; EmailDirection == "Inbound"; OrgLevelAction != "Block"; UserLevelAction != "Block" | - | 2 | - | - | 2 |
| EmailDirection in "Inbound,Outbound" | - | 2 | - | - | 2 |
| DeliveryAction == "Delivered"; EmailDirection == "Inbound"; OrgLevelAction != "Block"; SenderDisplayName contains "Microsoft"; UserLevelAction != "Block" | - | 2 | - | - | 2 |
| ConfidenceLevel has_any "Spam"; OrgLevelPolicy != "Phishing simulation"; OrgLevelPolicy != "SecOps Mailbox" | - | 2 | - | - | 2 |
| ThreatTypes has "Malware" | - | 2 | - | - | 2 |
| EmailDirection == "Inbound"; ThreatTypes has "Malware" | - | 2 | - | - | 2 |
| UserLevelAction == "Allow" | - | 2 | - | - | 2 |
| OrgLevelPolicy != "Phishing simulation"; OrgLevelPolicy != "SecOps Mailbox"; ThreatTypes has "Phish" | - | 2 | - | - | 2 |
| ConfidenceLevel has_any "Phish"; OrgLevelPolicy != "Phishing simulation"; OrgLevelPolicy != "SecOps Mailbox" | - | 2 | - | - | 2 |
| EmailDirection == "Inbound"; OrgLevelPolicy != "Phishing simulation"; OrgLevelPolicy != "SecOps Mailbox"; ThreatTypes has "Phish" | - | 2 | - | - | 2 |
| ActionType == "QuarantineReleaseMessage" | - | 2 | - | - | 2 |
| DetectionMethods has "Impersonation" | - | 2 | - | - | 2 |
| DetectionMethods contains "impersonation"; DetectionMethods contains "spoof" | - | 2 | - | - | 2 |
| DetectionMethods has "Spoof" | - | 2 | - | - | 2 |
| ActionType in "Add member to role,Add user,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user" | - | 2 | - | - | 2 |
| EmailDirection == "Outbound" | - | 1 | - | - | 1 |
| DetectionMethods has "spoof" | - | 1 | - | - | 1 |
| DeliveryAction == "Delivered"; ThreatTypes has "Malware"; ThreatTypes has "Phish" | - | 1 | - | - | 1 |
| DeliveryLocation in "Inbox/folder,Junk folder" | - | 1 | - | - | 1 |
| DetectionMethods contains "spoof" | - | 1 | - | - | 1 |
| ActionType in "AdminSubmissionSubmitted,Malware ZAP,Phish ZAP,Redelivery" | - | 1 | - | - | 1 |
| DeliveryAction == "Delivered"; LatestDeliveryLocation == "Quarantine" | - | 1 | - | - | 1 |
| LatestDeliveryLocation == "Inbox/folder" | - | 1 | - | - | 1 |
| EmailDirection == "Inbound"; SenderFromDomain !contains ".yourdomain.com"; ThreatTypes has_any "Malware" | - | 1 | - | - | 1 |
| EmailDirection == "Inbound"; SenderFromAddress !contains ".yourdomain.com"; ThreatTypes has "Malware" | - | 1 | - | - | 1 |
| EmailDirection == "Inbound"; SenderFromAddress !contains ".yourdomain.com"; ThreatTypes has "Phish" | - | 1 | - | - | 1 |
| EmailDirection == "Inbound"; ThreatTypes has "Malware"; ThreatTypes has "Phish"; ThreatTypes has "Spam" | - | 1 | - | - | 1 |
| DeliveryAction == "Delivered" | - | 1 | - | - | 1 |
| DeliveryLocation in "Inbox/folder,Junk folder,Quarantine" | - | 1 | - | - | 1 |
| DetectionMethods has "File Detonation"; DetectionMethods has "URL Detonation" | - | 1 | - | - | 1 |
| EmailDirection in "Intra-org,Outbound"; SenderFromAddress !startswith "microsoftexchange"; SenderFromAddress !startswith "postmaster@"; ThreatTypes == "Malware" | - | 1 | - | - | 1 |
| DeliveryLocation in "Failed,Quarantine"; DetectionMethods has "Malware"; EmailDirection == "Inbound" | - | 1 | - | - | 1 |
| DetectionMethods has "Malware" | - | 1 | - | - | 1 |
| OrgLevelAction == "Allow" | - | 1 | - | - | 1 |
| OrgLevelAction == "Allow"; OrgLevelPolicy != "SecOps Mailbox" | - | 1 | - | - | 1 |
| OrgLevelAction == "Block" | - | 1 | - | - | 1 |
| UserLevelAction == "Block" | - | 1 | - | - | 1 |
| DeliveryLocation in "Dropped,Failed,Inbox/folder,Junk folder,Quarantine"; DetectionMethods has "Phish"; EmailDirection == "Inbound"; OrgLevelPolicy != "Phishing simulation"; OrgLevelPolicy != "SecOps Mailbox" | - | 1 | - | - | 1 |
| DeliveryLocation == "Quarantine"; DetectionMethods has "Phish"; EmailDirection == "Inbound" | - | 1 | - | - | 1 |
| DeliveryLocation == "Quarantine"; DetectionMethods has "Spam"; EmailDirection == "Inbound" | - | 1 | - | - | 1 |
| LatestDeliveryAction in "Hard delete,Moved to deleted items,Moved to junk folder,Soft delete" | - | 1 | - | - | 1 |
| DeliveryLocation in "Dropped,Failed,Inbox/folder,Junk folder,Quarantine"; DetectionMethods has "Spam"; EmailDirection == "Inbound" | - | 1 | - | - | 1 |
| DetectionMethods has "Spam" | - | 1 | - | - | 1 |
| EmailDirection == "Inbound"; ThreatTypes has "Spam" | - | 1 | - | - | 1 |
| ActionType == "ClickAllowed"; EmailDirection == "Inbound"; ThreatTypes has_any "Malware" | - | 1 | - | - | 1 |
| DeliveryAction == "Junked"; DetectionMethods contains "spam" | - | 1 | - | - | 1 |
| ActionType in "AdminSubmissionSubmitted,Malware ZAP,Phish ZAP,Redelivery,Spam ZAP,UserSubmission"; DeliveryAction == "Delivered"; DeliveryAction != "Delivered"; OrgLevelAction in "Allow,Block"; OrgLevelPolicy != "Phishing simulation"; OrgLevelPolicy != "SecOps Mailbox"; UserLevelAction in "Allow,Block" | - | 1 | - | - | 1 |
| Total | 0 | 94 | 0 | 0 | 94 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Malware ZAP | - | 4 | - | - | 4 |
| Phish ZAP | - | 4 | - | - | 4 |
| UserSubmission | - | 3 | - | - | 3 |
| AdminSubmissionSubmitted | - | 2 | - | - | 2 |
| Redelivery | - | 2 | - | - | 2 |
| AdminSubmission | - | 2 | - | - | 2 |
| QuarantineReleaseMessage | - | 2 | - | - | 2 |
| Add member to role | - | 2 | - | - | 2 |
| Add user | - | 2 | - | - | 2 |
| InteractiveLogon | - | 2 | - | - | 2 |
| RemoteInteractiveLogon | - | 2 | - | - | 2 |
| Reset user password | - | 2 | - | - | 2 |
| ResourceAccess | - | 2 | - | - | 2 |
| Sign-in | - | 2 | - | - | 2 |
| Update user | - | 2 | - | - | 2 |
| ClickAllowed | - | 1 | - | - | 1 |
| Spam ZAP | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has_any Spam | - | 2 | - | - | 2 |
| has_any Phish | - | 2 | - | - | 2 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Delivered | - | 11 | - | - | 11 |
| !has Blocked | - | 2 | - | - | 2 |
| Junked | - | 1 | - | - | 1 |
| != Delivered | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Quarantine | - | 6 | - | - | 6 |
| Inbox/folder | - | 4 | - | - | 4 |
| Junk folder | - | 4 | - | - | 4 |
| Failed | - | 3 | - | - | 3 |
| != Quarantine | - | 2 | - | - | 2 |
| Dropped | - | 2 | - | - | 2 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| contains spoof | - | 3 | - | - | 3 |
| has_any Phish | - | 3 | - | - | 3 |
| has Spam | - | 3 | - | - | 3 |
| has Malware | - | 2 | - | - | 2 |
| has Phish | - | 2 | - | - | 2 |
| has Impersonation | - | 2 | - | - | 2 |
| contains impersonation | - | 2 | - | - | 2 |
| has Spoof | - | 2 | - | - | 2 |
| has spoof | - | 1 | - | - | 1 |
| has File Detonation | - | 1 | - | - | 1 |
| has URL Detonation | - | 1 | - | - | 1 |
| contains spam | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Inbound | - | 42 | - | - | 42 |
| Outbound | - | 4 | - | - | 4 |
| Intra-org | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Hard delete | - | 1 | - | - | 1 |
| Moved to deleted items | - | 1 | - | - | 1 |
| Moved to junk folder | - | 1 | - | - | 1 |
| Soft delete | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Quarantine | - | 1 | - | - | 1 |
| Inbox/folder | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| != Block | - | 4 | - | - | 4 |
| Allow | - | 3 | - | - | 3 |
| Block | - | 2 | - | - | 2 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| != SecOps Mailbox | - | 11 | - | - | 11 |
| != Phishing simulation | - | 10 | - | - | 10 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| contains Microsoft | - | 2 | - | - | 2 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| !contains .yourdomain.com | - | 4 | - | - | 4 |
| !startswith microsoftexchange | - | 1 | - | - | 1 |
| !startswith postmaster@ | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| !contains .yourdomain.com | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has Malware | - | 10 | - | - | 10 |
| has Phish | - | 10 | - | - | 10 |
| has Spam | - | 8 | - | - | 8 |
| has_any Malware | - | 2 | - | - | 2 |
| Malware | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| != Block | - | 4 | - | - | 4 |
| Allow | - | 3 | - | - | 3 |
| Block | - | 2 | - | - | 2 |