Security events that occur post-delivery, after Microsoft 365 delivers the emails to the recipient mailbox
| Attribute | Value |
|---|---|
| Category | Defender |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| Action | string | Action taken on the entity |
| ActionResult | string | Result of the action |
| ActionTrigger | string | Indicates whether an action was triggered by an administrator (manually or through approval of a pending automated action), or by some special mechanism, such as a ZAP or String Delivery |
| ActionType | string | Type of activity that triggered the event |
| DeliveryLocation | string | Delivered email location: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items |
| DetectionMethods | string | Methods used to detect malware, phishing, or other threats found in the email |
| EmailDirection | string | Direction of the email relative to your network: Inbound, Outbound, Intra-org |
| InternetMessageId | string | Public-facing identifier for the email that is set by the sending email system |
| NetworkMessageId | string | Email unique identifier generated by Office 365 |
| RecipientEmailAddress | string | Recipient email address or email address of the recipient after distribution list expansion |
| ReportId | string | Unique identifier for the event |
| SenderFromAddress | string | Sender email address in the FROM header, which is visible to email recipients on their email clients |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| ThreatTypes | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated |
| Type | string | The name of the table |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR | |
In solution Microsoft Defender XDR:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftDefenderForOffice365detectionsandinsights | |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftSentinelDeploymentandMigrationTracker | |