Forum Discussion

Kyrouz's avatar
Kyrouz
Copper Contributor
Jan 18, 2022

RecipientEmailAddress but recipient information BEFORE DL expansion

I'm trying to get a list of the top email recipients in our environment using the EmailEvents table and RecipientEmailAddress in Defender 365/Sentinel.  But, as the schema says, RecipientEmailAddress is the "address of the recipient, or email address of the recipient after distribution list expansion"

 

How can I query on recipient info before DL expansion?

365
exchange online
Reporting
Sentinel
  • JeremyTBradshaw's avatar
    JeremyTBradshaw
    Steel Contributor
    Aug 28, 2024
    Hey there, I've found EXO Message Trace is the only place to see the DL expand event itself. Note that if you try to get an enhanced report, and only choose the show the Expand event, the report will still have every effective recipient's details within the Recipient_Status column, so it's sort of a disaster anyway. The <=10 day searches are more friendly for this one particular task (expand events).

Resources