EmailEvents

Applies to:

• Microsoft Defender XDR

The EmailEvents table in the advanced hunting schema contains information about events involving the processing of emails on Microsoft Defender for Office 365. Use this reference to construct queries that return information from this table.

Tip

For detailed information about the events types (ActionType values) supported by a table, use the built-in schema reference available in Microsoft Defender XDR.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Column name	Data type	Description
Timestamp	datetime	Date and time when the event was recorded
NetworkMessageId	string	Unique identifier for the email, generated by Microsoft 365
InternetMessageId	string	Public-facing identifier for the email that is set by the sending email system
SenderMailFromAddress	string	Sender email address in the MAIL FROM header, also known as the envelope sender or the Return-Path address
SenderFromAddress	string	Sender email address in the FROM header, which is visible to email recipients on their email clients
SenderDisplayName	string	Name of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname
SenderObjectId	string	Unique identifier for the sender's account in Microsoft Entra ID
SenderMailFromDomain	string	Sender domain in the MAIL FROM header, also known as the envelope sender or the Return-Path address
SenderFromDomain	string	Sender domain in the FROM header, which is visible to email recipients on their email clients
SenderIPv4	string	IPv4 address of the last detected mail server that relayed the message
SenderIPv6	string	IPv6 address of the last detected mail server that relayed the message
RecipientEmailAddress	string	Email address of the recipient, or email address of the recipient after distribution list expansion
RecipientObjectId	string	Unique identifier for the email recipient in Microsoft Entra ID
Subject	string	Subject of the email
EmailClusterId	long	Identifier for the group of similar emails clustered based on heuristic analysis of their contents
EmailDirection	string	Direction of the email relative to your network: Inbound, Outbound, Intra-org
DeliveryAction	string	Delivery action of the email: Delivered, Junked, Blocked, or Replaced
DeliveryLocation	string	Location where the email was delivered: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items
ThreatTypes	string	Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats
ThreatNames	string	Detection name for malware or other threats found
DetectionMethods	string	Methods used to detect malware, phishing, or other threats found in the email
ConfidenceLevel	string	List of confidence levels of any spam or phishing verdicts. For spam, this column shows the spam confidence level (SCL), indicating if the email was skipped (-1), found to be not spam (0,1), found to be spam with moderate confidence (5,6), or found to be spam with high confidence (9). For phishing, this column displays whether the confidence level is "High" or "Low".
BulkComplaintLevel	int	Threshold assigned to email from bulk mailers, a high bulk complaint level (BCL) means the email is more likely to generate complaints, and thus more likely to be spam
EmailAction	string	Final action taken on the email based on filter verdict, policies, and user actions: Move message to junk mail folder, Add X-header, Modify subject, Redirect message, Delete message, send to quarantine, No action taken, Bcc message
EmailActionPolicy	string	Action policy that took effect: Antispam high-confidence, Antispam, Antispam bulk mail, Antispam phishing, Anti-phishing domain impersonation, Anti-phishing user impersonation, Anti-phishing spoof, Anti-phishing graph impersonation, Antimalware, Safe Attachments, Enterprise Transport Rules (ETR)
EmailActionPolicyGuid	string	Unique identifier for the policy that determined the final mail action
AuthenticationDetails	string	List of pass or fail verdicts by email authentication protocols like DMARC, DKIM, SPF or a combination of multiple authentication types (CompAuth)
AttachmentCount	int	Number of attachments in the email
UrlCount	int	Number of embedded URLs in the email
EmailLanguage	string	Detected language of the email content
Connectors	string	Custom instructions that define organizational mail flow and how the email was routed
OrgLevelAction	string	Action taken on the email in response to matches to a policy defined at the organizational level
OrgLevelPolicy	string	Organizational policy that triggered the action taken on the email
UserLevelAction	string	Action taken on the email in response to matches to a mailbox policy defined by the recipient
UserLevelPolicy	string	End-user mailbox policy that triggered the action taken on the email
ReportId	string	Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns.
AdditionalFields	string	Additional information about the entity or event
LatestDeliveryLocation*	string	Last known location of the email
LatestDeliveryAction*	string	Last known action attempted on an email by the service or by an admin through manual remediation

Note

* The LatestDeliveryLocation and LatestDeliveryAction columns are not available in the Streaming API.

Related topics

• Advanced hunting overview
• Learn the query language
• Use shared queries
• Hunt across devices, emails, apps, and identities
• Understand the schema
• Apply query best practices

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.