How to KQL query *live* EmailEvents table and NOT the streaming API

EmailEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn - this page tells us:

    Note: The LatestDeliveryLocation and LatestDeliveryAction columns are not available in the Streaming API.

I've found that a lot of my queries come back with a blank LatestDeliveryLocation. This means I'm searching via the streaming API. But I don't want to do that; I want to search the live EmailEvents table and even want to filter based on LatestDeliveryLocation.

I am working in the Defender portal, within the Advanced Hunting section.

Example query:

    // Works (time range set in UI dropdown):
    EmailEvents
    | where LatestDeliveryLocation in~ ('Quarantine', 'Junk folder') and DeliveryLocation =~ 'Inbox/folder'

    // Does NOT work:
    EmailEvents
    | where TimeGenerated >= ago(1d)
    | where LatestDeliveryLocation in~ ('Quarantine', 'Junk folder') and DeliveryLocation =~ 'Inbox/folder'

So it seems as though if your query sets the time range, you're searching the streaming API. Can anyone please confirm I have this understood correctly?

My next question would be: can I add something else to my query to ensure I'll be searching the live table?

Microsoft 365 Defender Streaming API: Identity and CloudApp Events in General Availability - Microsoft Community Hub - I asked this in the comments over there too.