We’re thrilled to share new enhancements to the advanced hunting data for Office 365 in Microsoft 365 Defender. Following your feedback we’ve added new columns and optimized existing columns to provide more email attributes you can hunt across. These additions are now available in public preview.
We’ve made the following changes to the EmailEvents and EmailAttachmentInfo tables:

New column | Mapping to previous columns | Description
--- | --- | ---
ThreatTypes | MalwareFilterVerdict, PhishFilterVerdict | Verdicts from the email filtering stack on whether the email contains malware, phishing, or other threats.
DetectionMethods | MalwareDetectionMethod, PhishDetectionMethod | Technologies used to detect threats. This column covers spam detection technologies in addition to the previous phishing and malware coverage. As part of this change, we have updated the set of technologies for Phish/Malware threats and introduced detection technologies for Spam verdicts. (NOTE: This is available in EmailEvents only, but will eventually be added to EmailAttachmentInfo.)
ThreatNames | N/A - New | JSON array of the threat names (detection names) for malware, phishing, or other threats found in the email.
If you want to look for a specific threat, use the ThreatTypes column. The new columns are empty when there are no threats; they are no longer populated with placeholder values such as “Null”, “Not phish”, or “Not malware”, so queries should test for emptiness rather than for those strings.
Here is an example comparing the values in the old columns and the new columns for the same email:

Columns | Values
--- | ---
Old columns |
PhishDetectionMethod | ["Anti-spoof: external domain"]
PhishFilterVerdict | Phish
MalwareFilterVerdict | Not malware
MalwareDetectionMethod | null
New columns |
ThreatTypes | Phish, Spam
ThreatNames | (empty)
DetectionMethods | {"Phish":["Anti-spoof: external domain"],"Spam":["DomainList"]}
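As an added example (not from the original post), here is an advanced hunting query in KQL that uses the new columns. It matches ThreatTypes with `has` rather than `==`, because the column can hold several comma-separated verdicts (the example above shows "Phish, Spam", which `== "Phish"` would miss), and it parses DetectionMethods as JSON to pull out the per-threat detection technologies. NetworkMessageId, SenderFromAddress, RecipientEmailAddress and DeliveryAction are standard EmailEvents columns that the post does not mention; the seven-day window and the "Anti-spoof" filter are arbitrary choices for illustration.

```kusto
// Added example, not from the original post.
// Old style:  EmailEvents | where PhishFilterVerdict == "Phish"
// New style:  test ThreatTypes with `has`, since it may contain several
// verdicts ("Phish, Spam") and is simply empty when there is no threat.
EmailEvents
| where Timestamp > ago(7d)                       // arbitrary hunting window
| where isnotempty(ThreatTypes)                   // no verdict -> skip the row
| where ThreatTypes has "Phish"
// DetectionMethods is a JSON object keyed by threat type; unpack it so the
// phishing and spam technologies can be filtered and projected separately.
| extend Methods = parse_json(DetectionMethods)
| extend PhishMethods = Methods.Phish, SpamMethods = Methods.Spam
// Narrow to anti-spoof detections (the technology shown in the table above).
| where tostring(PhishMethods) has "Anti-spoof"
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
          DeliveryAction, ThreatTypes, ThreatNames, PhishMethods, SpamMethods
| order by Timestamp desc
| take 100
```

To count detections per phishing technology instead of listing messages, replace the `project` onward with `| mv-expand PhishMethod = Methods.Phish | summarize count() by tostring(PhishMethod)`. Queries that still filter on `PhishFilterVerdict == "Not phish"` or `MalwareDetectionMethod == "null"` will match nothing under the new schema, since those placeholders are gone.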
As always, we’d love to know what you think. Leave us feedback directly on Microsoft 365 security center or contact us at AHfeedback@microsoft.com.