Updates to Microsoft Defender for Office events in Office 365 Management API

We have been working to meet the extensibility requirements of our customers who are using our detection information within custom tools. As part of this effort, we are enhancing the information around email detections within the Office 365 Management API.

When this will happen

Feature rollout is from the end of March through mid-May.

How this will affect your organization

We are introducing new fields within email message events for Defender for Office 365 (RecordType 28). These new fields are:

  • Delivery Action (original delivery action) – This would help you identify what was the original delivery action on the email.
  • Original Delivery Location – This would help you identify the original delivery location of the email.
  • Latest Delivery location – This would help you identify the latest delivery location of the email for an event. For best
  • Directionality of an email – This would help you identify if an email was inbound, outbound or an intra-org message.
  • ThreatsAndDetectionTech – This would help you identify the threats and the corresponding detection technologies. This field will expose all the threats on an email, including our latest addition on spam verdict. An example of this would be : “Phish: Spoof DMARC“,”Spam: URL malicious reputation

These details already exist within our hunting experiences like Threat Explorer and Email entity page, and we are extending them to the API.

What you need to do to prepare

These are new fields, and this update makes no changes to existing attributes. Therefore, there should be no impact to existing workflows.

Once these are available, you can begin consuming them for your workflows. However, we strongly recommend that you to use the new ThreatsAndDetectionTech field, as it shows multiple verdicts along with updated detection technologies.

In a future update, we will retire the existing fields Verdict and Detection method. Before retiring them, we will provide notification and the timeline.

Message ID: MC244748


No comments yet

Leave a Reply


I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.

%d bloggers like this: