Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Important
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The MessageEvents table in the advanced hunting schema contains details about messages sent and received within your organization at the time of delivery. Use this reference to construct queries that return information from this table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
| Column name | Data type | Description |
|---|---|---|
Timestamp |
datetime |
Date and time when the event was recorded |
LastEditedTime |
string |
Date and time when the message was last edited |
TeamsMessageId |
string |
Unique identifier for the message, as generated by Microsoft 365 |
SenderEmailAddress |
string |
Email address of the sender |
SenderDisplayName |
string |
Name of the sender displayed in the address book, typically a combination of a first name, a middle initial, and a last name or surname |
SenderObjectId |
string |
Unique identifier for the sender’s account |
SenderType |
string |
Type of user that sent the message, for example, User, Group, Anonymous |
RecipientDetails |
dynamic |
Array of recipient data (RecipientSmtpAddress, RecipientDisplayName, RecipientType, RecipientObjectId) |
IsOwnedThread |
boolean |
Boolean value indicating whether the message is owned by your organization or not (only the messages owned by your organization can be remediated) |
MessageId |
string |
Identifier for the message (non-unique) |
ParentMessageId |
string |
Identifier for the message that the current message was a reply to, otherwise this is the same as the MessageId |
GroupId |
string |
Identifier for the team or group that the message was sent to |
GroupName |
string |
Name of the team or group that the message was sent to |
ThreadId |
string |
Identifier of the channel or chat thread that the message is part of |
ThreadSubtype |
string |
Indicates the channel type, possible values: None, PrivateChannel |
IsExternalThread |
boolean |
Indicates if there are external recipients in the thread (1) or none (0) |
MessageFormatType |
string |
Type of message format; possible values: RichText, Text |
MessageFormatSubtype |
string |
Subtype of message format, for example, HTML |
MessageVersion |
string |
Version number of the message |
MessageSubject |
string |
Subject of the message, if it exists |
ThreatTypes |
string |
Verdict from the filtering stack on whether the message contains malware, phishing, or other threats |
DetectionMethods |
dynamic |
Methods used to detect malware, phishing, or other threats found in the message |
ConfidenceLevel |
dynamic |
List of confidence levels for each threat type identified |
DeliveryAction |
string |
Delivery action of the message: Delivered, Blocked |
DeliveryLocation |
string |
Location of the message at the time of delivery |
ReportId |
string |
Unique identifier for the event |
Related topics
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.