Additional email data in advanced hunting

Published Dec 14 2020 08:27 AM 1,837 Views
Microsoft

We’re thrilled to share new enhancements to the advanced hunting data for Office 365 in Microsoft 365 Defender. Following your feedback we’ve added new columns and optimized existing columns to provide more email attributes you can hunt across. These additions are now available in public preview.

 

We’ve made the following changes to the EmailEvents and EmailAttachmentInfo tables:

  • Detailed sender info through the following new columns:
    • SenderDisplayName - Name of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname
    • SenderObjectId - Unique identifier for the sender’s account in Azure AD
  • We’ve also optimized and organized threat detection information, replacing four separate columns for malware and phishing verdict information with three new columns that can accommodate spam and other threat types.

New column

Mapping to previous columns

Description

ThreatTypes

MalwareFilterVerdict

Verdicts from the email filtering stack on whether the email contains malware, phishing, or other threats

PhishFilterVerdict

DetectionMethods

MalwareDetectionMethod

Technologies used to threats. This column will cover spam detection technologies in addition to the previous phishing and malware coverage.

As part of this change, we have updated the set of technologies for Phish/Malware threats, as well as introduced detection tech targeted for Spam verdicts.

(NOTE: This is available in EmailEvents only, but will eventually be added to EmailAttachmentInfo.)

PhishDetectionMethod

ThreatNames

N/A - New

Json of technology used to malware, phishing, or other threats found in the email.

 

If you want to look for a specific threat, you can use the ThreatTypes column. These new columns will be empty if there are no threats—they will no longer be populated with values like with “Null”, “Not phish”, or “Not malware”.

 

Here is an example comparing the values in the old columns and the new columns:

 

Columns

Values

Old columns

 

PhishDetectionMethod

["Anti-spoof: external domain"]

PhishFilterVerdict

Phish

MalwareFilterVerdict

Not malware

MalwareDetectionMethod

null

New columns

 

ThreatTypes

Phish, Spam

ThreatNames

 

DetectionMethods

{"Phish":["Anti-spoof: external domain"],"Spam":["DomainList"]}

 

  • Connectors—this new column in the EmailEvents table provides information about custom instructions that define organizational mail flow and how the email was routed.
  • Additional information on organizational-level policies and user-level policies that were applied on emails during the delivery. This information can help you identify any unintentional delivery of malicious messages (or blocking of benign messages) due to configuration gaps or overrides, such as very broad Safe Sender policies. This information is provided through the following new columns:
    • OrgLevelAction - Action taken on the email in response to matches to a policy defined at the organizational level
    • OrgLevelPolicy - Organizational policy that triggered the action taken on the email
    • UserLevelAction - Action taken on the email in response to matches to a mailbox policy defined by the recipient
    • UserLevelPolicy  - End user mailbox policy that triggered the action taken on the email

 

As always, we’d love to know what you think. Leave us feedback directly on Microsoft 365 security center or contact us at AHfeedback@microsoft.com. 

%3CLINGO-SUB%20id%3D%22lingo-sub-1985849%22%20slang%3D%22en-US%22%3EAdditional%20email%20data%20in%20advanced%20hunting%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1985849%22%20slang%3D%22en-US%22%3E%3CP%3EWe%E2%80%99re%20thrilled%20to%20share%20new%20enhancements%20to%20the%20advanced%20hunting%20data%20for%20Office%20365%20in%20Microsoft%20365%20Defender.%20Following%20your%20feedback%20we%E2%80%99ve%20added%20new%20columns%20and%20optimized%20existing%20columns%20to%20provide%20more%20email%20attributes%20you%20can%20hunt%20across.%20These%20additions%20are%20now%20available%20in%20public%20preview.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%E2%80%99ve%20made%20the%20following%20changes%20to%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fadvanced-hunting-emailevents-table%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSTRONG%3EEmailEvents%3C%2FSTRONG%3E%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fadvanced-hunting-emailattachmentinfo-table%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSTRONG%3EEmailAttachmentInfo%3C%2FSTRONG%3E%3C%2FA%3E%20tables%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EDetailed%20sender%20info%20through%20the%20following%20new%20columns%3A%3CBR%20%2F%3E%3CUL%3E%0A%3CLI%3E%3CSTRONG%3ESenderDisplayName%20-%20%3C%2FSTRONG%3EName%20of%20the%20sender%20displayed%20in%20the%20address%20book%2C%20typically%20a%20combination%20of%20a%20given%20or%20first%20name%2C%20a%20middle%20initial%2C%20and%20a%20last%20name%20or%20surname%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3ESenderObjectId%3C%2FSTRONG%3E%3CSTRONG%3E%20-%20%3C%2FSTRONG%3EUnique%20identifier%20for%20the%20sender%E2%80%99s%20account%20in%20Azure%20AD%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EWe%E2%80%99ve%20also%20optimized%20and%20organized%20threat%20detection%20information%2C%20replacing%20four%20separate%20columns%20for%20malware%20and%20phishing%20verdict%20information%20with%20three%20new%20columns%20that%20can%20accommodate%20spam%20and%20other%20threat%20types.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CTABLE%20width%3D%22521%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22137%22%3E%3CP%3E%3CSTRONG%3ENew%20column%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3E%3CSTRONG%3EMapping%20to%20previous%20columns%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22200%22%3E%3CP%3E%3CSTRONG%3EDescription%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20rowspan%3D%222%22%20width%3D%22137%22%3E%3CP%3EThreatTypes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3EMalwareFilterVerdict%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20rowspan%3D%222%22%20width%3D%22200%22%3E%3CP%3EVerdicts%20from%20the%20email%20filtering%20stack%20on%20whether%20the%20email%20contains%20malware%2C%20phishing%2C%20or%20other%20threats%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3EPhishFilterVerdict%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20rowspan%3D%222%22%20width%3D%22137%22%3E%3CP%3EDetectionMethods%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3EMalwareDetectionMethod%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20rowspan%3D%222%22%20width%3D%22200%22%3E%3CP%3ETechnologies%20used%20to%20threats.%20This%20column%20will%20cover%20spam%20detection%20technologies%20in%20addition%20to%20the%20previous%20phishing%20and%20malware%20coverage.%3C%2FP%3E%0A%3CP%3EAs%20part%20of%20this%20change%2C%20we%20have%20updated%20the%20set%20of%20technologies%20for%20Phish%2FMalware%20threats%2C%20as%20well%20as%20introduced%20detection%20tech%20targeted%20for%20Spam%20verdicts.%3C%2FP%3E%0A%3CP%3E(NOTE%3A%20This%20is%20available%20in%20%3CSTRONG%3EEmailEvents%3C%2FSTRONG%3E%20only%2C%20but%20will%20eventually%20be%20added%20to%20EmailAttachmentInfo.)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3EPhishDetectionMethod%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22137%22%3E%3CP%3EThreatNames%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22185%22%3E%3CP%3EN%2FA%20-%20New%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22200%22%3E%3CP%3EJson%20of%20technology%20used%20to%20malware%2C%20phishing%2C%20or%20other%20threats%20found%20in%20the%20email.%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22color%3A%20black%3B%20font-size%3A%2012pt%3B%22%3EIf%20you%20want%20to%20look%20for%20a%20specific%20threat%2C%20you%20can%20use%20the%20%3C%2FSPAN%3E%3CSTRONG%20style%3D%22color%3A%20black%3B%20font-size%3A%2012pt%3B%22%3EThreatTypes%3C%2FSTRONG%3E%3CSPAN%20style%3D%22color%3A%20black%3B%20font-size%3A%2012pt%3B%22%3E%20column.%20These%20new%20columns%20will%20be%20empty%20if%20there%20are%20no%20threats%E2%80%94they%20will%20no%20longer%20be%20populated%20with%20values%20like%20with%20%E2%80%9CNull%E2%80%9D%2C%20%E2%80%9CNot%20phish%E2%80%9D%2C%20or%20%E2%80%9CNot%20malware%E2%80%9D.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%20is%20an%20example%20comparing%20the%20values%20in%20the%20old%20columns%20and%20the%20new%20columns%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3E%3CSTRONG%3EColumns%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3E%3CSTRONG%3EValues%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3E%3CSTRONG%3EOld%20columns%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3EPhishDetectionMethod%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3E%5B%22Anti-spoof%3A%20external%20domain%22%5D%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3EPhishFilterVerdict%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3EPhish%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3EMalwareFilterVerdict%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3ENot%20malware%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3EMalwareDetectionMethod%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3Enull%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3E%3CSTRONG%3ENew%20columns%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3EThreatTypes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3EPhish%2C%20Spam%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3EThreatNames%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3EDetectionMethods%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22273%22%3E%3CP%3E%7B%22Phish%22%3A%5B%22Anti-spoof%3A%20external%20domain%22%5D%2C%22Spam%22%3A%5B%22DomainList%22%5D%7D%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EConnectors%3C%2FSTRONG%3E%E2%80%94this%20new%20column%20in%20the%20%3CSTRONG%3EEmailEvents%3C%2FSTRONG%3E%20table%20provides%20information%20about%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fmail-flow-best-practices%2Fuse-connectors-to-configure-mail-flow%2Fuse-connectors-to-configure-mail-flow%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ecustom%20instructions%20that%20define%20organizational%20mail%20flow%3C%2FA%3E%26nbsp%3Band%20how%20the%20email%20was%20routed.%3C%2FLI%3E%0A%3CLI%3EAdditional%20information%20on%20%3CSTRONG%3Eorganizational-level%20policies%3C%2FSTRONG%3E%20and%20%3CSTRONG%3Euser-level%20policies%3C%2FSTRONG%3E%20that%20were%20applied%20on%20emails%20during%20the%20delivery.%20This%20information%20can%20help%20you%20identify%20any%20unintentional%20delivery%20of%20malicious%20messages%20(or%20blocking%20of%20benign%20messages)%20due%20to%20configuration%20gaps%20or%20overrides%2C%20such%20as%20very%20broad%20Safe%20Sender%20policies.%20This%20information%20is%20provided%20through%20the%20following%20new%20columns%3A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EOrgLevelAction%3C%2FSTRONG%3E%20-%20Action%20taken%20on%20the%20email%20in%20response%20to%20matches%20to%20a%20policy%20defined%20at%20the%20organizational%20level%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EOrgLevelPolicy%3C%2FSTRONG%3E%20-%20Organizational%20policy%20that%20triggered%20the%20action%20taken%20on%20the%20email%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EUserLevelAction%3C%2FSTRONG%3E%20-%20Action%20taken%20on%20the%20email%20in%20response%20to%20matches%20to%20a%20mailbox%20policy%20defined%20by%20the%20recipient%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EUserLevelPolicy%26nbsp%3B%3C%2FSTRONG%3E%20-%20End%20user%20mailbox%20policy%20that%20triggered%20the%20action%20taken%20on%20the%20email%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20always%2C%26nbsp%3Bwe%E2%80%99d%26nbsp%3Blove%20to%20know%20what%20you%20think.%20Leave%20us%20feedback%26nbsp%3Bdirectly%26nbsp%3Bon%20Microsoft%20365%20security%20center%20or%26nbsp%3Bcontact%20us%20at%26nbsp%3B%3CA%20href%3D%22mailto%3AAHfeedback%40microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EAHfeedback%40microsoft.com%3C%2FA%3E%3CU%3E.%3C%2FU%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1985849%22%20slang%3D%22en-US%22%3E%3CP%3EWe%E2%80%99re%20thrilled%20to%20share%20new%20enhancements%20to%20the%20advanced%20hunting%20data%20for%20Office%20365%20in%20Microsoft%20365%20Defender%20.%20Following%20your%20feedback%20we%E2%80%99ve%20added%20new%20columns%20and%20optimized%20existing%20columns%20to%20provide%20more%20email%20attributes%20you%20can%20hunt%20across.%20These%20additions%20are%20now%20available%20in%20public%20preview.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22NewEmailcolumns.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F240204i17823069858FFB91%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22NewEmailcolumns.png%22%20alt%3D%22NewEmailcolumns.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Version history
Last update:
‎Dec 14 2020 08:32 AM
Updated by:
www.000webhost.com