EmailPostDeliveryEvents
Applies to:
- Microsoft Defender XDR
The EmailPostDeliveryEvents table in the advanced hunting schema contains information about post-delivery actions taken on email messages processed by Microsoft 365. Use this reference to construct queries that return information from this table.
Tip
For detailed information about the events types (ActionType values) supported by a table, use the built-in schema reference available in Microsoft Defender XDR.
To get more information about individual email messages, you can also use the EmailEvents, EmailAttachmentInfo, and the EmailUrlInfo tables. For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Important
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
| Column name | Data type | Description |
|---|---|---|
Timestamp |
datetime |
Date and time when the event was recorded |
NetworkMessageId |
string |
Unique identifier for the email, generated by Microsoft 365 |
InternetMessageId |
string |
Public-facing identifier for the email that is set by the sending email system |
Action |
string |
Action taken on the entity |
ActionType |
string |
Type of activity that triggered the event: Manual remediation, Phish ZAP, Malware ZAP |
ActionTrigger |
string |
Indicates whether an action was triggered by an administrator (manually or through approval of a pending automated action), or by some special mechanism, such as a ZAP or Dynamic Delivery |
ActionResult |
string |
Result of the action |
RecipientEmailAddress |
string |
Email address of the recipient, or email address of the recipient after distribution list expansion |
DeliveryLocation |
string |
Location where the email was delivered: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items |
ThreatTypes |
string |
Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
DetectionMethods |
string |
Methods used to detect malware, phishing, or other threats found in the email |
ReportId |
string |
Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
Supported event types
This table captures events with the following ActionType values:
- Manual remediation – An administrator manually took action on an email message after it was delivered to the user mailbox. This includes actions taken manually through Threat Explorer or approvals of automated investigation and response (AIR) actions.
- Phish ZAP – Zero-hour auto purge (ZAP) took action on a phishing email after delivery.
- Malware ZAP – Zero-hour auto purge (ZAP) took action on an email message found containing malware after delivery.
Related topics
- Advanced hunting overview
- Learn the query language
- Use shared queries
- Hunt across devices, emails, apps, and identities
- Understand the schema
- Apply query best practices
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.