EmailEvents
Office 365 email events, including email delivery and blocking events.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Security |
| Solutions | SecurityInsights |
| Basic log | No |
| Ingestion-time transformation | Yes |
| Sample Queries | Yes |
Columns
| Column | Type | Description |
|---|---|---|
| AdditionalFields | dynamic | Additional information about the entity or event. |
| AttachmentCount | int | Number of attachments in the email. |
| AuthenticationDetails | string | List of pass or fail verdicts by email authentication protocols like DMARC, DKIM, SPF or a combination of multiple authentication types (CompAuth). |
| _BilledSize | real | The record size in bytes |
| BulkComplaintLevel | int | Threshold assigned to email from bulk mailers, a high bulk complaint level (BCL) means the email is more likely to generate complaints, and thus more likely to be spam. |
| ConfidenceLevel | string | List of confidence levels of any spam or phishing verdicts. For spam, this column shows the spam confidence level (SCL), indicating if the email was skipped (-1), found to be not spam (0,1), found to be spam with moderate confidence (5,6), or found to be spam with high confidence (9). For phishing, this column displays whether the confidence level is "High" or "Low". |
| Connectors | string | Custom instructions that define organizational mail flow and how the email was routed. |
| DeliveryAction | string | Action of the delivered email. |
| DeliveryLocation | string | Location of the delivered email: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items. |
| DetectionMethods | string | Delivery action of the email: Delivered, Junked, Blocked, or Replaced. |
| EmailAction | string | Final action taken on the email based on filter verdict, policies, and user actions: Move message to junk mail folder, Add X-header, Modify subject, Redirect message, Delete message, send to quarantine, No action taken, Bcc message. |
| EmailActionPolicy | string | Action policy that took effect: Antispam high-confidence, Antispam, Antispam bulk mail, Antispam phishing, Anti-phishing domain impersonation, Anti-phishing user impersonation, Anti-phishing spoof, Anti-phishing graph impersonation, Antimalware Safe Attachments, Enterprise Transport Rules (ETR). |
| EmailActionPolicyGuid | string | Unique identifier of the policy that took effect. |
| EmailClusterId | long | Identifier of the email cluster. Emails are clustered (grouped) based on heuristic analysis of their contents. |
| EmailDirection | string | Email direction: Inbound, Outbound, Intra-org. |
| EmailLanguage | string | Detected language of the email content. |
| InternetMessageId | string | Public-facing identifier for the email that is set by the sending email system. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| LatestDeliveryAction | string | Last known action attempted on an email by the service or by an admin through manual remediation. |
| LatestDeliveryLocation | string | Last known location of the email. |
| NetworkMessageId | string | Unique identifier for the email, generated by Office 365. |
| OrgLevelAction | string | Action taken on the email in response to matches to a policy defined at the organizational level. |
| OrgLevelPolicy | string | Organizational policy that triggered the action taken on the email. |
| RecipientEmailAddress | string | Recipient email address or email address of the recipient after distribution list expansion. |
| RecipientObjectId | string | Email recipient Azure AD identifier. |
| ReportId | string | Unique identifier for the event. |
| SenderDisplayName | string | Sender email address in the from header, which is visible to email recipients on their email clients. |
| SenderFromAddress | string | Sender domain in the from header, which is visible to email recipients on their email clients. |
| SenderFromDomain | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats. |
| SenderIPv4 | string | IPv4 address of the last detected mail server that relayed the message. |
| SenderIPv6 | string | IPv6 address of the last detected mail server that relayed the message. |
| SenderMailFromAddress | string | Sender email address in the MAIL from header, also known as the envelope sender or the Return-Path address. |
| SenderMailFromDomain | string | Sender domain in the MAIL from header, also known as the envelope sender or the Return-Path address. |
| SenderObjectId | string | Sender email address in the from header, which is visible to email recipients on their email clients. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| Subject | string | Email subject field. |
| TenantId | string | The Log Analytics workspace ID |
| ThreatNames | string | Sender email address in the from header, which is visible to email recipients on their email clients. |
| ThreatTypes | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats. |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated. |
| Type | string | The name of the table |
| UrlCount | int | Number of embedded URLs in the email. |
| UserLevelAction | string | Action taken on the email in response to matches to a mailbox policy defined by the recipient. |
| UserLevelPolicy | string | End user mailbox policy that triggered the action taken on the email. |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for