Connect with experts and redefine what’s possible at work – join us at the Microsoft 365 Community Conference May 6-8. Learn more >

Blog Post

Microsoft Defender XDR Blog

8 MIN READ

Microsoft 365 Defender Streaming API: Identity and CloudApp Events in General Availability

Michael Shalev

Microsoft

May 18, 2022

We're happy to share that Microsoft 365 Defender Streaming API support for the following event types (tables) is General Availability: Identity events IdentityLogonEvents IdentityQueryEven...

Updated Jul 06, 2022

Version 4.0

automation

microsoft defender for cloud apps

microsoft defender for identity

Michael Shalev

Microsoft

Joined November 20, 2016

View Profile

Microsoft Defender XDR Blog

Follow this blog board to get notified when there's new activity

JeremyTBradshaw

Steel Contributor

Aug 28, 2024

Wondering if anyone here can help me to understand, in the Defender Portal (security.microsoft.com), when I'm using Advanced Hunting there, when am I and when am I not querying the streaming API vs the live table (for lack of knowing what else to call the "live table")? Specifically, I'm looking for EmailEvents table entries, filtering by LatestDeliveryLocation, but what I find here - EmailEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn - is this:

Note

* The LatestDeliveryLocation and LatestDeliveryAction columns are not available in the Streaming API.

Does it work like this: when I select the time range from the UI menu I'm searching the live table, and when I set timerange in my query, that is searching the streaming API?

Thanks in advance.