Microsoft Defender for Office 365: New records in Streaming API and Sentinel EmailEvents table
Starting in early October 2025, Microsoft Defender for Office 365’s Streaming API and the Microsoft Sentinel EmailEvents table will retain both the current and the historical verdict and delivery location of each email, so a single email can appear as multiple records. Admins should update queries and dashboards accordingly, using KQL’s arg_max to retrieve the latest record per email.
Introduction
To improve visibility and alignment across Microsoft Defender for Office 365 and Microsoft Sentinel, we’re updating how email verdict and location changes are handled in the EmailEvents table. This change ensures that Sentinel reflects both current and historical verdicts, enabling more accurate threat analysis and investigation.
When this will happen:
General Availability: Rollout begins in early October 2025 and is expected to complete by early November 2025.
How this affects your organization:
- Who is affected: Admins using Microsoft Defender for Office 365, Streaming API, and the EmailEvents table in Microsoft Sentinel.
- What will happen:
  - The Streaming API will begin streaming an updated record whenever an email’s verdict or location changes.
  - Microsoft Sentinel will store both the updated and the previous records, rather than replacing them.
  - You may see multiple rows for the same email if its verdict or location is updated.
- This update aligns the EmailEvents table in Microsoft Sentinel with the behavior of the Advanced Hunting EmailEvents table.
What you can do to prepare:
- Review and update existing queries and dashboards that rely on the EmailEvents table.
- Use the following KQL pattern to retrieve the latest record per email (one row per message and recipient):

  | summarize arg_max(Timestamp, *) by NetworkMessageId, RecipientEmailAddress

  Example query for emails with a “Phish” verdict:

  EmailEvents
  | where ThreatTypes has "Phish"
  | summarize arg_max(Timestamp, *) by NetworkMessageId, RecipientEmailAddress
Learn more about the arg_max function: KQL arg_max documentation
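Because the table now keeps every verdict record, the history itself becomes hunting data: the following query (an added example, not part of the Microsoft announcement) pairs the earliest and latest record per message and recipient to surface emails whose verdict changed to “Phish” after the first record, which is typically a post-delivery reclassification. Column names beyond those in the post (SenderFromAddress, Subject, DeliveryLocation, LatestDeliveryLocation) are assumed from the Advanced Hunting EmailEvents schema.

```kql
// Added example: compare first and latest verdict per message/recipient.
// Assumes SenderFromAddress, Subject, DeliveryLocation and
// LatestDeliveryLocation exist as in the Advanced Hunting EmailEvents schema.
let History = EmailEvents
    | where Timestamp > ago(7d)
    | project Timestamp, NetworkMessageId, RecipientEmailAddress,
              SenderFromAddress, Subject, ThreatTypes,
              DeliveryLocation, LatestDeliveryLocation;
// Latest record per email: the pattern from the announcement.
let Latest = History
    | summarize arg_max(Timestamp, *) by NetworkMessageId, RecipientEmailAddress
    | extend LatestTimestamp = Timestamp;
// Earliest record per email, renamed so the join does not collide.
let Earliest = History
    | summarize arg_min(Timestamp, *) by NetworkMessageId, RecipientEmailAddress
    | project NetworkMessageId, RecipientEmailAddress,
              FirstTimestamp = Timestamp,
              FirstThreatTypes = ThreatTypes,
              FirstDeliveryLocation = DeliveryLocation;
// Number of stored records per email, to see how often it was re-evaluated.
let Counts = History
    | summarize RecordCount = count() by NetworkMessageId, RecipientEmailAddress;
Latest
| join kind=inner Earliest on NetworkMessageId, RecipientEmailAddress
| join kind=inner Counts on NetworkMessageId, RecipientEmailAddress
// Keep only emails that were not "Phish" at first but are now.
| where FirstThreatTypes !has "Phish" and ThreatTypes has "Phish"
| project FirstTimestamp, LatestTimestamp,
          MinutesUntilReclassified = datetime_diff("minute", LatestTimestamp, FirstTimestamp),
          RecordCount,
          NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject,
          FirstThreatTypes, LatestThreatTypes = ThreatTypes,
          FirstDeliveryLocation, LatestDeliveryLocation
| order by LatestTimestamp desc
```

Emails with only one stored record are dropped by the final where clause because their first and latest verdicts are identical, so the result is exactly the set whose verdict moved to “Phish” over the retained history.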
Compliance considerations:
No compliance considerations have been identified; review as appropriate for your organization.
Message ID: MC1150118