Email: helpdesk@telkomuniversity.ac.id

This Portal for internal use only!

All Categories

All Categories

Search

0 Wishlist

Cart

Categories
More Categories Less Categories

iconTicket Service Desk

All Categories

All Categories

Search

0 Wishlist

Cart

Menu
Home/Microsoft/How to KQL query *live* EmailEvents table and NOT the streaming API

How to KQL query *live* EmailEvents table and NOT the streaming API

PuTI / 2024-08-28
How to KQL query *live* EmailEvents table and NOT the streaming API
Microsoft

EmailEvents table in the advanced hunting schema – Microsoft Defender XDR | Microsoft Learn – this page tells us:

Note

* The LatestDeliveryLocation and LatestDeliveryAction columns are not available in the Streaming API.

 

I’ve found that a lot of my queries come back with blank LatestDeliveryLocation.  This means I’m searching via the streaming API.  But I don’t want to do that, I want to search the live EmailEvents table and even want to filter based on LatestDeliveryLocation.  I am working in Defender portal, within the Advanced Hunting section.  Example query:

 

 

 

// Works (time range set in UI dropdown):
EmailEvents
| where LatestDeliveryLocation in~ (‘Quarantine’, ‘Junk folder’) and DeliveryLocation =~ ‘Inbox/folder’

// Does NOT work:
EmailEvents
| where TimeGenerated >= ago(1d)
| where LatestDeliveryLocation in~ (‘Quarantine’, ‘Junk folder’) and DeliveryLocation =~ ‘Inbox/folder’

 

 

 

 

So it seems as though if your query sets the time range, you’re searching the streaming API.  Can anyone please confirm I have this understood correctly?  My next question would be, can I add something else to my query to ensure I’ll be searching the live table?

 

Microsoft 365 Defender Streaming API: Identity and CloudApp Events in General Availability – Microsoft Community Hub – I asked this in the comments over there too.

​EmailEvents table in the advanced hunting schema – Microsoft Defender XDR | Microsoft Learn – this page tells us:Note* The LatestDeliveryLocation and LatestDeliveryAction columns are not available in the Streaming API. I’ve found that a lot of my queries come back with blank LatestDeliveryLocation.  This means I’m searching via the streaming API.  But I don’t want to do that, I want to search the live EmailEvents table and even want to filter based on LatestDeliveryLocation.  I am working in Defender portal, within the Advanced Hunting section.  Example query:   // Works (time range set in UI dropdown):
EmailEvents
| where LatestDeliveryLocation in~ (‘Quarantine’, ‘Junk folder’) and DeliveryLocation =~ ‘Inbox/folder’

// Does NOT work:
EmailEvents
| where TimeGenerated >= ago(1d)
| where LatestDeliveryLocation in~ (‘Quarantine’, ‘Junk folder’) and DeliveryLocation =~ ‘Inbox/folder’    So it seems as though if your query sets the time range, you’re searching the streaming API.  Can anyone please confirm I have this understood correctly?  My next question would be, can I add something else to my query to ensure I’ll be searching the live table? Microsoft 365 Defender Streaming API: Identity and CloudApp Events in General Availability – Microsoft Community Hub – I asked this in the comments over there too.  Read More

Tags:

Related posts

Announcing the General Availability of Windows Server IoT 2025!
2024-11-05

Announcing the General Availability of Windows Server IoT 2025!

Power Automate to update columns for content stored in a document library
2024-11-05

Power Automate to update columns for content stored in a document library

America’s Partner Blog | Partners Make More Possible: Education
2024-11-05

America’s Partner Blog | Partners Make More Possible: Education

Leave a Reply

Your email address will not be published. Required fields are marked *

Adobe
Google for Education
IBM
Matlab
Microsoft
Wordpress
Visual Paradigm
Opensource

Portal Application Package Repository Telkom University, for internal use only, empower civitas academica in study and research.

Information

Contact Us

Copyright © Telkom University. All Rights Reserved. ch