SOLVED

How to KQL query *live* EmailEvents table and NOT the streaming API

Steel Contributor

EmailEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn - this page tells us:

Note

* The LatestDeliveryLocation and LatestDeliveryAction columns are not available in the Streaming API.
I've found that a lot of my queries come back with blank LatestDeliveryLocation.  This means I'm searching via the streaming API.  But I don't want to do that, I want to search the live EmailEvents table and even want to filter based on LatestDeliveryLocation.  I am working in Defender portal, within the Advanced Hunting section.  Example query:

// Works (time range set in UI dropdown):
EmailEvents
| where LatestDeliveryLocation in~ ('Quarantine', 'Junk folder') and DeliveryLocation =~ 'Inbox/folder'

// Does NOT work:
EmailEvents
| where TimeGenerated >= ago(1d)
| where LatestDeliveryLocation in~ ('Quarantine', 'Junk folder') and DeliveryLocation =~ 'Inbox/folder'

So it seems as though if your query sets the time range, you're searching the streaming API.  Can anyone please confirm I have this understood correctly?  My next question would be, can I add something else to my query to ensure I'll be searching the live table?
Microsoft 365 Defender Streaming API: Identity and CloudApp Events in General Availability - Microso... - I asked this in the comments over there too.
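As an added example that is not part of the original post: two Advanced Hunting queries meant to be run one at a time, with the time range chosen from the UI dropdown as in the query the poster reports as working, and with no time filter inside the query. The first counts how many rows in the selected range actually carry a value in LatestDeliveryLocation, so a result set where the column is blank throughout is visible before any filter is interpreted; the second is the hunt from the post with triage fields projected. Column names not in the post (Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, LatestDeliveryAction) are taken from the documented EmailEvents schema.

```kql
// Added example, not from the original post. Run in Advanced Hunting with the
// time range chosen from the UI dropdown; the query itself sets no time filter.

// 1. Sanity check: how many rows in the selected range carry a value in
//    LatestDeliveryLocation. If every row lands in the "false" bucket, a filter
//    on that column cannot match anything and the empty result means nothing.
EmailEvents
| summarize Rows = count() by HasLatestDeliveryLocation = isnotempty(LatestDeliveryLocation)

// 2. The hunt itself: messages first delivered to a mailbox folder that were
//    later moved to Quarantine or Junk by a post-delivery action, with the
//    fields needed to triage each one. Column names beyond those in the post
//    come from the documented EmailEvents schema.
EmailEvents
| where LatestDeliveryLocation in~ ('Quarantine', 'Junk folder')
    and DeliveryLocation =~ 'Inbox/folder'
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
          Subject, DeliveryAction, DeliveryLocation, LatestDeliveryAction, LatestDeliveryLocation
| order by Timestamp desc
```

Highlight one query at a time before pressing Run query. If the first query shows only HasLatestDeliveryLocation = false, the second will return nothing regardless of how the time range was set, which separates "no such messages" from "the column is not populated in this result".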

1 Reply
best response confirmed by JeremyTBradshaw (Steel Contributor)
Solution

I tried Bing Chat today to see if it might help me. It has already seen and uses this very post to confirm my theory as fact (i.e., time range in query = streaming API / time range set via selector dropdown in UI = live table).  I guess me and Copilot are taking the cake on this one.  It's now "documented" as truth :).

JeremyTBradshaw_0-1725018030069.png
