| AdditionalFields | Additional information about the entity or event | String |
| AttachmentCount | Number of attachments in the email | Int32 |
| AuthenticationDetails | List of pass or fail verdicts by email authentication protocols like DMARC, DKIM, SPF or a combination of multiple authentication types (CompAuth) | String |
| BulkComplaintLevel | Threshold assigned to email from bulk mailers; a high bulk complaint level (BCL) means the email is more likely to generate complaints, and thus more likely to be spam | Int32 |
| Cc | Indicates the addresses which are listed in Cc fields of an email | Object |
| ConfidenceLevel | List of confidence levels of any spam or phishing verdicts. For spam, this column shows the spam confidence level (SCL), indicating if the email was skipped (-1), found to be not spam (0,1), found to be spam with moderate confidence (5,6), or found to be spam with high confidence (9). For phishing, this column displays whether the confidence level is “High” or “Low”. | String |
| Connectors | Custom instructions that define organizational mail flow and how the email was routed | String |
| Context | Configuration context data of the machine | String |
| DeliveryAction | Delivery action of the email: Delivered, Junked, Blocked, or Replaced | String |
| DeliveryLocation | Location where the email was delivered: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items | String |
| DetectionMethods | Methods used to detect malware, phishing, or other threats found in the email | String |
| DistributionList | Name of distribution list that the recipient was a member of and to which the email was sent, if applicable; shows top-level distribution list if nested lists are involved | String |
| EmailAction | Final action taken on the email based on filter verdict, policies, and user actions: Move message to junk mail folder, Add X-header, Modify subject, Redirect message, Delete message, Send to quarantine, No action taken, Bcc message | String |
| EmailActionPolicy | Action policy that took effect: Antispam high-confidence, Antispam, Antispam bulk mail, Antispam phishing, Anti-phishing domain impersonation, Anti-phishing user impersonation, Anti-phishing spoof, Anti-phishing graph impersonation, Antimalware Safe Attachments, Enterprise Transport Rules (ETR) | String |
| EmailActionPolicyGuid | Unique identifier for the policy that determined the final mail action | String |
| EmailClusterId | Identifier for the group of similar emails clustered based on heuristic analysis of their contents | Int64 |
| EmailDirection | Direction of the email relative to your network: Inbound, Outbound, Intra-org | String |
| EmailLanguage | Detected language of the email content | String |
| EmailSize | Size of the email message. | Int64 |
| ExchangeTransportRule | Mail flow rules (also known as transport rules) are similar to Inbox rules that are available in Outlook and Outlook on the web. The main difference is mail flow rules take action on messages while they’re in transit. | String |
| ForwardingInformation | A JSON array of forwarding details including the forwarding user and the forwarding type | String |
| InternetMessageId | Public-facing identifier for the email that is set by the sending email system | String |
| IsFirstContact | Indicates whether this is the first contact between sender and receiver. | Boolean |
| LatestDeliveryAction | Last known action attempted on an email by the service or by an admin through manual remediation. | String |
| LatestDeliveryLocation | Last known location of the email. | String |
| NetworkMessageId | Unique identifier for the email, generated by Microsoft 365 | String |
| OrgLevelAction | Action taken on the email in response to matches to a policy defined at the organizational level | String |
| OrgLevelPolicy | Organizational policy that triggered the action taken on the email | String |
| RecipientDomain | Domain of the recipient of the email. | String |
| RecipientEmailAddress | Email address of the recipient, or email address of the recipient after distribution list expansion | String |
| RecipientObjectId | Unique identifier for the email recipient in Microsoft Entra ID | String |
| ReportId | Unique identifier for the event | String |
| SenderDisplayName | Name of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname | String |
| SenderFromAddress | Sender email address in the FROM header, which is visible to email recipients on their email clients | String |
| SenderFromDomain | Sender domain in the FROM header, which is visible to email recipients on their email clients | String |
| SenderIPv4 | IPv4 address of the last detected mail server that relayed the message | String |
| SenderIPv6 | IPv6 address of the last detected mail server that relayed the message | String |
| SenderMailFromAddress | Sender email address in the MAIL FROM header, also known as the envelope sender or the Return-Path address | String |
| SenderMailFromDomain | Sender domain in the MAIL FROM header, also known as the envelope sender or the Return-Path address | String |
| SenderObjectId | Unique identifier for the sender’s account in Microsoft Entra ID | String |
| SourceSystem | | String |
| Subject | Subject of the email | String |
| TenantId | | String |
| ThreatClassification | Indicates the threat classification of the mail | String |
| ThreatNames | Detection name for malware or other threats found | String |
| ThreatTypes | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats | String |
| TimeGenerated | | DateTime |
| Timestamp | Date and time when the record was generated | DateTime |
| To | Indicates the addresses which are listed in To fields of an email | Object |
| Type | | String |
| UrlCount | Number of embedded URLs in the email | Int32 |
| UserLevelAction | Action taken on the email in response to matches to a mailbox policy defined by the recipient | String |
| UserLevelPolicy | End user mailbox policy that triggered the action taken on the email | String |