We’re thrilled to share new enhancements to the advanced hunting data for Office 365 in Microsoft 365 Defender. Following your feedback we’ve added new columns and optimized existing columns to provide more email attributes you can hunt across. These additions are now available in public preview.
Detailed sender info through the following new columns:
SenderDisplayName - Name of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname
SenderObjectId - Unique identifier for the sender’s account in Azure AD
We’ve also optimized and organized threat detection information, replacing four separate columns for malware and phishing verdict information with three new columns that can accommodate spam and other threat types.
Mapping to previous columns
- Verdicts from the email filtering stack on whether the email contains malware, phishing, or other threats.
- Technologies used to detect threats. This column covers spam detection technologies in addition to the previous phishing and malware coverage. As part of this change, we have updated the set of technologies for phish/malware threats and introduced detection technologies targeted at spam verdicts. (NOTE: This is available in EmailEvents only, but will eventually be added to EmailAttachmentInfo.)
- Previous column: N/A (new). JSON listing the technologies used to detect malware, phishing, or other threats found in the email.
If you want to look for a specific threat, use the ThreatTypes column. These new columns are empty when no threat was found; they are no longer populated with placeholder values such as "Null", "Not phish", or "Not malware".
Here is an example comparing the values in the old columns and the new columns:
Additional information on organizational-level policies and user-level policies that were applied on emails during the delivery. This information can help you identify any unintentional delivery of malicious messages (or blocking of benign messages) due to configuration gaps or overrides, such as very broad Safe Sender policies. This information is provided through the following new columns:
OrgLevelAction - Action taken on the email in response to matches to a policy defined at the organizational level
OrgLevelPolicy - Organizational policy that triggered the action taken on the email
UserLevelAction - Action taken on the email in response to matches to a mailbox policy defined by the recipient
UserLevelPolicy - End user mailbox policy that triggered the action taken on the email
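As an added example (not from the original post), the following advanced hunting query combines the new ThreatTypes column with the new policy columns to surface messages that carried a threat verdict but were still allowed by a recipient-level override such as a broad Safe Sender entry. The extra columns it references (Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction) and the "Allow" action literal are assumptions taken from the EmailEvents schema rather than values stated on this page.

```kql
// Added example, not from the original post. Columns other than those introduced
// above (Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
// Subject, DeliveryAction) are assumed from the EmailEvents schema.
EmailEvents
| where Timestamp > ago(7d)
// The new columns are empty when no threat was found, so an emptiness check
// replaces the old "Not phish" / "Not malware" comparisons.
| where isnotempty(ThreatTypes)
| where ThreatTypes has_any ("Phish", "Malware", "Spam")
// Keep messages where a user-level mailbox policy overrode the verdict.
// "Allow" is an assumed action value; confirm it against the values in your tenant.
| where UserLevelAction =~ "Allow" or UserLevelPolicy has "Sender"
| project Timestamp, NetworkMessageId, SenderFromAddress, SenderDisplayName, SenderObjectId,
          RecipientEmailAddress, Subject, ThreatTypes, DetectionMethods,
          OrgLevelAction, OrgLevelPolicy, UserLevelAction, UserLevelPolicy, DeliveryAction
| order by Timestamp desc
```

A follow-up `summarize count() by RecipientEmailAddress, UserLevelPolicy` over the same filter shows which mailboxes and which policies account for most of the overridden verdicts.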
As always, we’d love to know what you think. Leave us feedback directly on Microsoft 365 security center or contact us at AHfeedback@microsoft.com.