Security events that occur post-delivery, after Microsoft 365 delivers the emails to the recipient mailbox
| Attribute | Value |
|---|---|
| Category | Defender |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| Action | string | Action taken on the entity |
| ActionResult | string | Result of the action |
| ActionTrigger | string | Indicates whether an action was triggered by an administrator (manually or through approval of a pending automated action), or by some special mechanism, such as a ZAP or String Delivery |
| ActionType | string | Type of activity that triggered the event |
| DeliveryLocation | string | Delivered email location: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items |
| DetectionMethods | string | Methods used to detect malware, phishing, or other threats found in the email |
| EmailDirection | string | Direction of the email relative to your network: Inbound, Outbound, Intra-org |
| InternetMessageId | string | Public-facing identifier for the email that is set by the sending email system |
| NetworkMessageId | string | Email unique identifier generated by Office 365 |
| RecipientEmailAddress | string | Recipient email address or email address of the recipient after distribution list expansion |
| ReportId | string | Unique identifier for the event |
| SenderFromAddress | string | Sender email address in the FROM header, which is visible to email recipients on their email clients |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| ThreatTypes | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated |
| Type | string | The name of the table |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR | |
In solution Microsoft Defender XDR:
| Hunting Query | Selection Criteria |
|---|---|
| Calculate overall MDO efficacy | |
| MDO Threat Protection Detections trend over time | |
| Post Delivery Events by Admin | |
| Post Delivery Events by Location | |
| Post Delivery Events by ZAP type | |
| Post Delivery Events over time | |
| Quarantine releases by Detection Types | Action == "Quarantine release"; DeliveryLocation == "Quarantine" |
| Total number of detections by MDO | |
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| Email containing malware accessed on a unmanaged device | |
| MDO daily detection summary report | |
In solution Microsoft Defender XDR: Action == "Quarantine release"; ActionResult == "Success"
| Workbook |
|---|
| MicrosoftDefenderForOffice365detectionsandinsights |
References by type: 0 connectors, 2 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Action == "Quarantine release"; DeliveryLocation == "Quarantine" | - | 1 | - | - | 1 |
| Action == "Quarantine release"; ActionResult == "Success" | - | 1 | - | - | 1 |
| Total | 0 | 2 | 0 | 0 | 2 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Quarantine release | - | 2 | - | - | 2 |

| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Success | - | 1 | - | - | 1 |

| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Quarantine | - | 1 | - | - | 1 |