Defender API question... EmailEvents Table, IdentityInfo table?

Question

Defender API Question....Is there a way to query the EmailEvents table through an api?&nbsp; Or the Identityinfo table?&nbsp;&nbsp;I'm currently testing through -api-us.securitycenter.microsoft.comand playing around with the available tables to query, there doesn't seem to be much other than the Device* tables.&nbsp;&nbsp;&nbsp;Also, I've got the Microsoft api reference links from here,https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-list?view=o365-worldwide.&nbsp;And I'm going through the Azure Sentinel Notebooks and the msticpy notebooks,&nbsp;but I'd appreciate any videos or blogs about exploring the tables and data through the api and jupyter notebooks.&nbsp;&nbsp;This is really super cool!&nbsp;&nbsp;&nbsp;&nbsp;

michael shalev · Answer

Hi&nbsp;mathurin68,
&nbsp;
You need to query the Microsoft 365 Defender Advanced Hunting API in order to access email-related events (as these aren't Microsoft Defender for Endpoint events), e.g.:
POST https://api.security.microsoft.com/api/advancedhunting/run&nbsp;&nbsp;

{
&nbsp; &nbsp; "Query": "EmailEvents | where Timestamp &gt; ago(5d) | project Timestamp, SenderFromAddress, SenderFromDomain, SenderIPv4, RecipientEmailAddress | top 10 by Timestamp desc"
}

&nbsp;

Forum Discussion

Defender API question... EmailEvents Table, IdentityInfo table?

1 Reply

Resources