Additional email data in advanced hunting
Published Dec 14 2020 08:27 AM
Microsoft

We’re thrilled to share new enhancements to the advanced hunting data for Office 365 in Microsoft 365 Defender. Following your feedback we’ve added new columns and optimized existing columns to provide more email attributes you can hunt across. These additions are now available in public preview.

 

We’ve made the following changes to the EmailEvents and EmailAttachmentInfo tables:

  • Detailed sender info through the following new columns:
    • SenderDisplayName - Name of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname
    • SenderObjectId - Unique identifier for the sender’s account in Azure AD
  • We’ve also optimized and organized threat detection information, replacing four separate columns for malware and phishing verdict information with three new columns that can accommodate spam and other threat types.

| New column | Mapping to previous columns | Description |
|---|---|---|
| ThreatTypes | MalwareFilterVerdict, PhishFilterVerdict | Verdicts from the email filtering stack on whether the email contains malware, phishing, or other threats |
| DetectionMethods | MalwareDetectionMethod, PhishDetectionMethod | Technologies used to detect threats. This column will cover spam detection technologies in addition to the previous phishing and malware coverage. As part of this change, we have updated the set of technologies for Phish/Malware threats, as well as introduced detection tech targeted for Spam verdicts. (NOTE: This is available in EmailEvents only, but will eventually be added to EmailAttachmentInfo.) |
| ThreatNames | N/A - New | JSON of technology used to detect malware, phishing, or other threats found in the email. |

 

If you want to look for a specific threat, you can use the ThreatTypes column. These new columns will be empty if there are no threats—they will no longer be populated with values like “Null”, “Not phish”, or “Not malware”.

 

Here is an example comparing the values in the old columns and the new columns:

 

| Columns | Values |
|---|---|
| Old columns | |
| PhishDetectionMethod | ["Anti-spoof: external domain"] |
| PhishFilterVerdict | Phish |
| MalwareFilterVerdict | Not malware |
| MalwareDetectionMethod | null |
| New columns | |
| ThreatTypes | Phish, Spam |
| ThreatNames | |
| DetectionMethods | {"Phish":["Anti-spoof: external domain"],"Spam":["DomainList"]} |

 

  • Connectors—this new column in the EmailEvents table provides information about custom instructions that define organizational mail flow and how the email was routed.
  • Additional information on organizational-level policies and user-level policies that were applied on emails during the delivery. This information can help you identify any unintentional delivery of malicious messages (or blocking of benign messages) due to configuration gaps or overrides, such as very broad Safe Sender policies. This information is provided through the following new columns:
    • OrgLevelAction - Action taken on the email in response to matches to a policy defined at the organizational level
    • OrgLevelPolicy - Organizational policy that triggered the action taken on the email
    • UserLevelAction - Action taken on the email in response to matches to a mailbox policy defined by the recipient
    • UserLevelPolicy - End user mailbox policy that triggered the action taken on the email
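
The following advanced hunting query is an added example, not part of the original post. It uses the new columns to group delivered messages that carry a phish or malware verdict by the policies applied to them, which surfaces overly broad overrides. It assumes the existing EmailEvents columns Timestamp, DeliveryAction, SenderFromAddress and RecipientEmailAddress, the DeliveryAction value "Delivered", and an arbitrary 7-day window.

```kusto
// Added example: which org-level or user-level policies are associated with
// phish/malware verdicts that were still delivered?
EmailEvents
| where Timestamp > ago(7d)                      // assumption: 7-day lookback
// The new columns are empty when no threat was found, so test for content
// instead of comparing against "Not phish" / "Not malware".
| where isnotempty(ThreatTypes)
| where ThreatTypes has_any ("Phish", "Malware")
| where DeliveryAction == "Delivered"            // assumption: existing column and value
// Keep only messages where a policy was recorded for the delivery.
| where isnotempty(OrgLevelPolicy) or isnotempty(UserLevelPolicy)
// DetectionMethods is JSON keyed by threat type, as in the sample row above.
| extend PhishMethods = tostring(parse_json(DetectionMethods).Phish)
| summarize
    Messages = count(),
    Recipients = dcount(RecipientEmailAddress),
    SampleSenders = make_set(SenderFromAddress, 10),
    SampleDisplayNames = make_set(SenderDisplayName, 10),
    PhishDetections = make_set(PhishMethods, 10),
    ConnectorsSeen = make_set(Connectors, 10)
    by OrgLevelPolicy, OrgLevelAction, UserLevelPolicy, UserLevelAction, ThreatTypes
| order by Messages desc
```

A policy that appears at the top with many distinct recipients is a candidate for review as a configuration gap or an overly broad allow rule.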

 

As always, we’d love to know what you think. Leave us feedback directly on Microsoft 365 security center or contact us at AHfeedback@microsoft.com. 

Last update: Dec 14 2020 08:32 AM