Additional data exposed for Email detections events in the Unified audit log

As part of Roadmap item #70744, Microsoft has enriched the Email detections event data ingested to the Unified audit log with additional details. Those include the following new properties:

  • AdditionalActionsAndResults – The additional actions that were taken on the email, if any. Examples include ZAP or Manual Remediation.
  • Connectors – The list of connectors associated with the message, if any (names and GUIDs included).
  • AuthDetails – The authentication checks that are done for the message. These include the results for SPF, DKIM, DMARC, and CompAuth checks, see example below.
  • SystemOverrides – Overrides that are applicable to the message. These include functionalities such as transport rules or safe sender lists, and can be tenant- or user- configured. The property will also list the result for each override, as well as the FinalOverride in the case where multiple overrides affected the message.
  • Phish Confidence Level – Indicates the confidence level associated with Phish verdict. It can be Normal or High.

To take a look at the new properties, one can use the Search-UnifiedAuditLog to query the Unified audit log for any ThreatIntelligence events, or just use the RecordType value of 28 (see table below). The following example will gather all such events in my tenant for the past 90 days:

$events = Search-UnifiedAuditLog -EndDate (Get-Date) -StartDate (Get-Date).AddDays(-90) -RecordType ThreatIntelligence

As with other event types, the bulk of the important data is stored within the AuditData property, in JSON format. Use the following to parse it:

$events[0].AuditData | ConvertFrom-Json

The result will be a list of all properties supported for the Email message event type within the Management activity API schema. Some of the properties can be further expanded to expose additional details. For example, here is what the AuthDetails property holds for the selected message:

($events[0].AuditData | ConvertFrom-Json).AuthDetails

Name Value
---- -----
SPF Pass
Comp Auth fail

Similarly, we can explore the other newly added properties. Below is an example of a message where the EOP verdict was overwritten by a personal safe list entry:

 ($events[2].AuditData | ConvertFrom-Json).SystemOverrides
Details FinalOverride Result Source
------- ------------- ------ ------
Sender address list Yes Allow User

In a nutshell, some new properties are now being exposed in the audit events, and that’s a good thing. Combined with the data already available, one can now get a better understanding of what the event signaled, and if needed export this data to external SIEM.

For the sake of completeness, one can now also find Submission events as well as Automated investigation and Response (AIR) events. Here’s also a list of RecordType values you can use for each:

Value Member name Description
28 ThreatIntelligence Phishing and malware events from Exchange Online Protection and Microsoft Defender for Office 365.
29 MailSubmission Submission events from Exchange Online Protection and Microsoft Defender for Office 365.
41 ThreatIntelligenceUrl Safe Links time-of-block and block override events from Microsoft Defender for Office 365.
47 ThreatIntelligenceAtpContent Phishing and malware events for files in SharePoint Online, OneDrive for Business, and Microsoft Teams, from Microsoft Defender for Office 365.
64 AirInvestigation Automated investigation and response events, such as investigation details and relevant artifacts, from Microsoft Defender for Office 365 Plan 2.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.