EmailAttachmentInfo
Applies to:
- Microsoft Defender XDR
The EmailAttachmentInfo table in the advanced hunting schema contains information about attachments on emails processed by Microsoft Defender for Office 365. Use this reference to construct queries that return information from this table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Important
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Column name | Data type | Description |
---|---|---|
Timestamp | datetime | Date and time when the event was recorded |
NetworkMessageId | string | Unique identifier for the email, generated by Microsoft 365 |
SenderFromAddress | string | Sender email address in the FROM header, which is visible to email recipients on their email clients |
SenderDisplayName | string | Name of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname |
SenderObjectId | string | Unique identifier for the sender's account in Microsoft Entra ID |
RecipientEmailAddress | string | Email address of the recipient, or email address of the recipient after distribution list expansion |
RecipientObjectId | string | Unique identifier for the email recipient in Microsoft Entra ID |
FileName | string | Name of the file that the recorded action was applied to |
FileType | string | File extension type |
SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated — use the SHA1 column when available. |
FileSize | long | Size of the file in bytes |
ThreatTypes | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
ThreatNames | string | Detection name for malware or other threats found |
DetectionMethods | string | Methods used to detect malware, phishing, or other threats found in the email |
ReportId | string | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
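The query below is an added example, not part of the original reference. It uses only the columns listed above to group flagged attachments per file so that one campaign appears as one row. The `"Malware"` value for ThreatTypes, the 7-day window, the recipient threshold and the `FileKey` name are assumptions to adjust for your tenant.

```kusto
// Added example: attachments with a malware verdict in the last 7 days,
// grouped per file to show how widely each one was delivered.
EmailAttachmentInfo
| where Timestamp > ago(7d)
| where ThreatTypes has "Malware"   // assumed verdict string
// SHA256 is often empty (see its column description), so fall back to
// file name + size as the grouping key when the hash is missing.
| extend FileKey = iff(isnotempty(SHA256),
                       SHA256,
                       strcat(FileName, "|", tostring(FileSize)))
| summarize
    Emails           = dcount(NetworkMessageId),
    Recipients       = dcount(RecipientEmailAddress),
    Senders          = make_set(SenderFromAddress, 20),
    FileNames        = make_set(FileName, 20),
    ThreatNames      = make_set(ThreatNames, 20),
    DetectionMethods = make_set(DetectionMethods, 20),
    FirstSeen        = min(Timestamp),
    LastSeen         = max(Timestamp)
    by FileKey, FileType
// Constructed threshold: keep files that reached several mailboxes.
| where Recipients >= 3
| order by Recipients desc, LastSeen desc
```

Rows whose FileKey is a name and size pair rather than a hash are weaker matches, because unrelated files can share both values.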
Related topics
- Advanced hunting overview
- Learn the query language
- Use shared queries
- Hunt across devices, emails, apps, and identities
- Understand the schema
- Apply query best practices
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.