Advanced Hunting: Surfacing more email data from Microsoft Defender for Office 365

We’re happy to share new enhancements to the advanced hunting data for Microsoft Defender for Office 365 in Microsoft 365 Defender. As part of this update, we have added new columns and data points to make your investigation experience better and more relevant. These additions will be rolling out in public preview, and should be available within the EmailEvents, EmailAttachmentInfo, and EmailPostDeliveryEvents tables.

When this will happen:

The changes are expected to roll out to Public preview in early August and expect to complete by early September. 

How this will affect your organization:

 We have made the following updates to these tables:

  1. AuthDetails in EmailEvents table – This includes detailed information about the different authentication checks that have been applied or analyzed. This includes the SPF, DKIM, DMARC, and CompAuth methods. While SPF, DKIM, and DMARC are the industry standard checks, composite authentication or compAuth is a value used by Microsoft 365 Defender to determine if the message is authentic.
  2. Filesize in EmailAttachmentInfo table – This covers the size of an attachment within an email. The information is exposed as a raw number, which is the file size in bytes.
  3. Threats and Detection method details in EmailPostDeliveryEvents table – Before the update, the EmailPostDeliveryEvents table already contains information about all actions attempted on email after delivery, examples being ZAP, and Manual Remediation. In addition to the action metadata, we are also adding Threats and Detection method details (if applicable) as separate columns within the table. This is useful for scenarios involving delayed weaponizations or upgraded verdicts, and hunting across these threats. These details are currently not applicable for events with the ActionType Manual Remediation, and for these cases you should look to join these events with EmailEvents table to get the full view. 

What you need to do to prepare:

These are new data points, and this update does not include any changes to existing fields. Therefore, these should not impact your existing workflows, queries and custom detections. Once these are available, you can start consuming them for your workflows.

Message ID: MC276050

No comments yet

Leave a Reply

I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.

%d bloggers like this: