Microsoft 365 email events, including email delivery and blocking events
| Attribute | Value |
|---|---|
| Category | Defender |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| AdditionalFields | dynamic | Additional information about the entity or event. |
| AttachmentCount | int | Number of attachments in the email. |
| AuthenticationDetails | string | List of pass or fail verdicts by email authentication protocols like DMARC, DKIM, SPF or a combination of multiple authentication types (CompAuth). |
| BulkComplaintLevel | int | Threshold assigned to email from bulk mailers; a high bulk complaint level (BCL) means the email is more likely to generate complaints, and thus more likely to be spam. |
| Cc | dynamic | Indicates the addresses which are listed in Cc fields of an email |
| ConfidenceLevel | string | List of confidence levels of any spam or phishing verdicts. For spam, this column shows the spam confidence level (SCL), indicating if the email was skipped (-1), found to be not spam (0,1), found to be spam with moderate confidence (5,6), or found to be spam with high confidence (9). For phishing, this column displays whether the confidence level is "High" or "Low". |
| Connectors | string | Custom instructions that define organizational mail flow and how the email was routed. |
| Context | string | Configuration context data of the machine |
| DeliveryAction | string | Action of the delivered email. |
| DeliveryLocation | string | Location of the delivered email: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items. |
| DetectionMethods | string | Delivery action of the email: Delivered, Junked, Blocked, or Replaced. |
| DistributionList | string | Name of distribution list that the recipient was a member of and to which the email was sent, if applicable; shows top-level distribution list if nested lists are involved |
| EmailAction | string | Final action taken on the email based on filter verdict, policies, and user actions: Move message to junk mail folder, Add X-header, Modify subject, Redirect message, Delete message, send to quarantine, No action taken, Bcc message. |
| EmailActionPolicy | string | Action policy that took effect: Antispam high-confidence, Antispam, Antispam bulk mail, Antispam phishing, Anti-phishing domain impersonation, Anti-phishing user impersonation, Anti-phishing spoof, Anti-phishing graph impersonation, Antimalware Safe Attachments, Enterprise Transport Rules (ETR). |
| EmailActionPolicyGuid | string | Unique identifier of the policy that took effect. |
| EmailClusterId | long | Identifier of the email cluster. Emails are clustered (grouped) based on heuristic analysis of their contents. |
| EmailDirection | string | Email direction: Inbound, Outbound, Intra-org. |
| EmailLanguage | string | Detected language of the email content. |
| EmailSize | int | Size of the email message. |
| ExchangeTransportRule | string | Mail flow rules (also known as transport rules) are similar to Inbox rules that are available in Outlook and Outlook on the web. The main difference is mail flow rules take action on messages while they're in transit. |
| ForwardingInformation | string | A JSON array of forwarding details including the forwarding user and the forwarding type |
| InternetMessageId | string | Public-facing identifier for the email that is set by the sending email system. |
| IsFirstContact | bool | Indicates whether this is the first contact between sender and receiver. |
| LastEventExecutionTime | datetime | Date and time (UTC) when the record was updated post merge. |
| LatestDeliveryAction | string | Last known action attempted on an email by the service or by an admin through manual remediation. |
| LatestDeliveryLocation | string | Last known location of the email. |
| NetworkMessageId | string | Unique identifier for the email, generated by Office 365. |
| OrgLevelAction | string | Action taken on the email in response to matches to a policy defined at the organizational level. |
| OrgLevelPolicy | string | Organizational policy that triggered the action taken on the email. |
| RecipientDomain | string | Domain of the recipient of the email. |
| RecipientEmailAddress | string | Recipient email address or email address of the recipient after distribution list expansion. |
| RecipientObjectId | string | Email recipient Azure AD identifier. |
| ReportId | string | Unique identifier for the event. |
| SenderDisplayName | string | Sender email address in the from header, which is visible to email recipients on their email clients. |
| SenderFromAddress | string | Sender domain in the from header, which is visible to email recipients on their email clients. |
| SenderFromDomain | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats. |
| SenderIPv4 | string | IPv4 address of the last detected mail server that relayed the message. |
| SenderIPv6 | string | IPv6 address of the last detected mail server that relayed the message. |
| SenderMailFromAddress | string | Sender email address in the MAIL from header, also known as the envelope sender or the Return-Path address. |
| SenderMailFromDomain | string | Sender domain in the MAIL from header, also known as the envelope sender or the Return-Path address. |
| SenderObjectId | string | Sender email address in the from header, which is visible to email recipients on their email clients. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| Subject | string | Email subject field. |
| TenantId | string | The Log Analytics workspace ID |
| ThreatClassification | string | Indicates the threat classification of the mail |
| ThreatNames | string | Sender email address in the from header, which is visible to email recipients on their email clients. |
| ThreatTypes | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats. |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated. |
| To | dynamic | Indicates the addresses which are listed in To fields of an email |
| Type | string | The name of the table |
| UrlCount | int | Number of embedded URLs in the email. |
| UserLevelAction | string | Action taken on the email in response to matches to a mailbox policy defined by the recipient. |
| UserLevelPolicy | string | End user mailbox policy that triggered the action taken on the email. |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR | |
In solution Microsoft Business Applications:
| Analytic Rule | Selection Criteria |
|---|---|
| Dataverse - Terminated employee exfiltration over email | |
In solution Threat Intelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map URL Entity to EmailUrlInfo | |
| TI map Domain entity to EmailEvents | |
| TI map Domain entity to EmailUrlInfo | |
| TI map Email entity to EmailEvents | |
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map URL Entity to EmailUrlInfo | |
| TI map Domain entity to EmailEvents | |
| TI map Domain entity to EmailUrlInfo | |
| TI map Email entity to EmailEvents | |
Standalone Content:
| Analytic Rule | Selection Criteria |
|---|---|
| Star Blizzard C2 Domains August 2022 | |
In solution Business Email Compromise - Financial Fraud:
| Hunting Query | Selection Criteria |
|---|---|
| Email Forwarding Configuration with SAP download | |
In solution Microsoft Defender XDR:
GitHub Only:
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 | |
In solution Microsoft Defender XDR (selection criteria: ActionType in "AdminSubmissionSubmitted,AttackSimUserSubmission,ClickBlocked,Malware ZAP,Phish ZAP,Spam ZAP,UserSubmission"; ActionType == "Automated Remediation"; ActionType contains "Submission"; ActionType contains "UserSubmission"; ActionType contains "ZAP"; ActionType has "Malware ZAP"; ActionType has "Phish ZAP"; ActionType has "Spam ZAP"; ActionType has "ZAP"; ActionType has_any "ClickAllowed"; ActionType has_any "ClickBlocked"; ActionType has_any "UrlErrorPage"; ActionType has_any "UrlScanInProgress"):
| Workbook |
|---|
| MicrosoftDefenderForOffice365detectionsandinsights |
In solution Microsoft Defender for Office 365:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftDefenderForOffice365 |
In solution MicrosoftPurviewInsiderRiskManagement (selection criteria: ActionType in "Add member to role,Add user,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user"):
| Workbook |
|---|
| InsiderRiskManagement |
In solution NISTSP80053:
| Workbook | Selection Criteria |
|---|---|
| NISTSP80053 |
In solution ZeroTrust(TIC3.0):
| Workbook | Selection Criteria |
|---|---|
| ZeroTrustTIC3 |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftDefenderForOffice365 | |
| MicrosoftSentinelDeploymentandMigrationTracker | |
| PhishingAnalysis | |
References by type: 0 connectors, 4 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| ActionType == "ClickAllowed" | - | 2 | - | - | 2 |
| ActionType in "AdminSubmissionSubmitted,AttackSimUserSubmission,ClickBlocked,Malware ZAP,Phish ZAP,Spam ZAP,UserSubmission"; ActionType == "Automated Remediation"; ActionType contains "Submission"; ActionType contains "UserSubmission"; ActionType contains "ZAP"; ActionType has "Malware ZAP"; ActionType has "Phish ZAP"; ActionType has "Spam ZAP"; ActionType has "ZAP"; ActionType has_any "ClickAllowed"; ActionType has_any "ClickBlocked"; ActionType has_any "UrlErrorPage"; ActionType has_any "UrlScanInProgress" | - | 1 | - | - | 1 |
| ActionType in "Add member to role,Add user,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user" | - | 1 | - | - | 1 |
| Total | 0 | 4 | 0 | 0 | 4 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| ClickAllowed | - | 2 | - | - | 2 |
| AdminSubmissionSubmitted | - | 1 | - | - | 1 |
| AttackSimUserSubmission | - | 1 | - | - | 1 |
| ClickBlocked | - | 1 | - | - | 1 |
| Malware ZAP | - | 1 | - | - | 1 |
| Phish ZAP | - | 1 | - | - | 1 |
| Spam ZAP | - | 1 | - | - | 1 |
| UserSubmission | - | 1 | - | - | 1 |
| Automated Remediation | - | 1 | - | - | 1 |
| contains Submission | - | 1 | - | - | 1 |
| contains UserSubmission | - | 1 | - | - | 1 |
| contains ZAP | - | 1 | - | - | 1 |
| has Malware ZAP | - | 1 | - | - | 1 |
| has Phish ZAP | - | 1 | - | - | 1 |
| has Spam ZAP | - | 1 | - | - | 1 |
| has ZAP | - | 1 | - | - | 1 |
| has_any ClickAllowed | - | 1 | - | - | 1 |
| has_any ClickBlocked | - | 1 | - | - | 1 |
| has_any UrlErrorPage | - | 1 | - | - | 1 |
| has_any UrlScanInProgress | - | 1 | - | - | 1 |
| Add member to role | - | 1 | - | - | 1 |
| Add user | - | 1 | - | - | 1 |
| InteractiveLogon | - | 1 | - | - | 1 |
| RemoteInteractiveLogon | - | 1 | - | - | 1 |
| Reset user password | - | 1 | - | - | 1 |
| ResourceAccess | - | 1 | - | - | 1 |
| Sign-in | - | 1 | - | - | 1 |
| Update user | - | 1 | - | - | 1 |