Defender XDR Only: This table is available in Microsoft Defender XDR advanced hunting but is not available in the Azure Monitor Log Analytics table reference.
Messages sent and received within your organization at the time of delivery
| Attribute | Value |
|---|---|
| Category | XDR |
| Ingestion API Supported | ✗ No |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| ConfidenceLevel | dynamic | List of confidence levels for each threat type identified |
| DeliveryAction | string | Delivery action of the message: Delivered, Blocked |
| DeliveryLocation | string | Location of the message at the time of delivery |
| DetectionMethods | dynamic | Methods used to detect malware, phishing, or other threats found in the message |
| GroupId | string | Identifier for the team or group that the message was sent to |
| GroupName | string | Name of the team or group that the message was sent to |
| IsExternalThread | boolean | Indicates if there are external recipients in the thread (1) or none (0) |
| IsOwnedThread | boolean | Boolean value indicating whether the message is owned by your organization or not (only the messages owned by your organization can be remediated) |
| LastEditedTime | string | Date and time when the message was last edited |
| MessageFormatSubtype | string | Subtype of message format, for example, HTML |
| MessageFormatType | string | Type of message format; possible values: RichText, Text |
| MessageId | string | Identifier for the message (non-unique) |
| MessageSubject | string | Subject of the message, if it exists |
| MessageVersion | string | Version number of the message |
| ParentMessageId | string | Identifier for the message that the current message was a reply to, otherwise this is the same as the MessageId |
| RecipientDetails | dynamic | Array of recipient data (RecipientSmtpAddress, RecipientDisplayName, RecipientType, RecipientObjectId) |
| ReportId | string | Unique identifier for the event |
| SafetyTip | string | The safety tip that has been added on a message, if any |
| SenderDisplayName | string | Name of the sender displayed in the address book, typically a combination of a first name, a middle initial, and a last name or surname |
| SenderEmailAddress | string | Email address of the sender |
| SenderObjectId | string | Unique identifier for the sender's account |
| SenderType | string | Type of user that sent the message, for example, User, Group, Anonymous |
| TeamsMessageId | string | Unique identifier for the message, as generated by Microsoft 365 |
| ThreadId | string | Identifier of the channel or chat thread that the message is part of |
| ThreadSubtype | string | Indicates the channel type, possible values: None, PrivateChannel |
| ThreatTypes | string | Verdict from the filtering stack on whether the message contains malware, phishing, or other threats |
| Timestamp | datetime | Date and time when the event was recorded |
This table is used by the following solutions:
In solution Microsoft Defender XDR: