Information about files attached to emails
| Attribute | Value |
|---|---|
| Category | Defender |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
| DetectionMethods | string | Sender email address in the from header, which is visible to email recipients on their email clients. |
| FileExtension | string | File extension of the attachment. |
| FileName | string | Name of the file that the recorded action was applied to. |
| FileSize | long | Size of the file in bytes. |
| FileType | string | File extension type. |
| NetworkMessageId | string | Unique identifier for the email, generated by Office 365. |
| RecipientEmailAddress | string | Email address of the recipient, or email address of the recipient after distribution list expansion. |
| RecipientObjectId | string | Email recipient unique identifier in Azure AD. |
| ReportId | string | Unique identifier for the event. |
| SenderDisplayName | string | Sender email address in the from header, which is visible to email recipients on their email clients. |
| SenderFromAddress | string | Sender domain in the from header, which is visible to email recipients on their email clients. |
| SenderObjectId | string | Sender email address in the from header, which is visible to email recipients on their email clients. |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| ThreatNames | string | Sender email address in the from header, which is visible to email recipients on their email clients. |
| ThreatTypes | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats. |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated. |
| Type | string | The name of the table |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR | |
In solution Microsoft Defender XDR:
| Hunting Query | Selection Criteria |
|---|---|
| Potentially malicious svg file delivered to Inbox | |
GitHub Only:
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 | |
In solution Microsoft Defender for Office 365:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftDefenderForOffice365 | |
In solution ZeroTrust(TIC3.0):
| Workbook | Selection Criteria |
|---|---|
| ZeroTrustTIC3 | |