{"id":12783,"date":"2025-09-09T09:02:21","date_gmt":"2025-09-09T00:02:21","guid":{"rendered":"https:\/\/m365jp.net\/?p=12783"},"modified":"2025-09-09T09:06:11","modified_gmt":"2025-09-09T00:06:11","slug":"mc1150118-microsoft-defender-for-office-365-new-records-in-streaming-api-and-sentinel-emailevents-table","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2025-09-09-mc1150118-microsoft-defender-for-office-365-new-records-in-streaming-api-and-sentinel-emailevents-table","title":{"rendered":"MC1150118 | Microsoft Defender for Office 365: New records in Streaming API and Sentinel EmailEvents table"},"content":{"rendered":"<div class=\"postie-post\">\n<div>\n<hr>\n<table id=\"section\">\n<tbody>\n<tr>\n<th width=\"95%\">MC1150118 | Microsoft Defender for Office 365: New records in Streaming API and Sentinel EmailEvents table<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr>\n<table id=\"data\">\n<tbody>\n<tr>\n<th>Classification<\/th>\n<td>planForChange<\/td>\n<\/tr>\n<tr>\n<th>Last Updated<\/th>\n<td>09\/08\/2025 23:28:17<\/td>\n<\/tr>\n<tr>\n<th>Start Time<\/th>\n<td>09\/08\/2025 23:28:04<\/td>\n<\/tr>\n<tr>\n<th>End Time<\/th>\n<td>01\/31\/2026 08:00:00<\/td>\n<\/tr>\n<tr>\n<th>Message Content<\/th>\n<td><p><b>[Introduction]<\/b><\/p>\n<p>To improve visibility and alignment across Microsoft Defender for Office 365 and Microsoft Sentinel, we\u2019re updating how email verdict and location changes are handled in the <i>EmailEvents<\/i> table. This change ensures that Sentinel reflects both current and historical verdicts, enabling more accurate threat analysis and investigation.<\/p>\n<p><b>[When this will happen:]<\/b><\/p>\n<p><b>General Availability:<\/b> Rollout begins in <b>early October 2025<\/b> and is expected to complete by <b>early November 2025<\/b>.<\/p>\n<p><b>[How this affects your organization:]<\/b><\/p>\n<ul>\n<li><b>Who is affected:<\/b> Admins using <i>Microsoft Defender for Office 365<\/i>, the <i>Streaming API<\/i>, and the <i>EmailEvents<\/i> table in Microsoft Sentinel.<\/li>\n<li><b>What will happen:<\/b>\n<ul>\n<li>The <i>Streaming API<\/i> will begin streaming updated records when an email\u2019s verdict or location changes.<\/li>\n<li>Microsoft Sentinel will store both the updated and previous records, rather than replacing them.<\/li>\n<li>You may see multiple rows for the same email if its verdict or location is updated.<\/li>\n<li>This update aligns the <i>EmailEvents<\/i> table in Microsoft Sentinel with the behavior of the <i>Advanced Hunting<\/i> <i>EmailEvents<\/i> table.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><b>[What you can do to prepare:]<\/b><\/p>\n<ul>\n<li>Review and update existing queries and dashboards that rely on the <i>EmailEvents<\/i> table.<\/li>\n<li>Use the following KQL pattern to retrieve the latest record per email:<\/li>\n<\/ul>\n<pre>summarize arg_max(Timestamp, *) by NetworkMessageId, RecipientEmailAddress<\/pre>\n<p>Example query for emails with a &#8220;Phish&#8221; verdict:<\/p>\n<pre>EmailEvents<br>| where ThreatTypes has \"Phish\"<br>| summarize arg_max(Timestamp, *) by NetworkMessageId, RecipientEmailAddress<\/pre>\n<p>Learn more about the <code>arg_max<\/code> function: <a href=\"https:\/\/learn.microsoft.com\/kusto\/query\/arg-max-aggregation-function?view=microsoft-fabric\">KQL arg_max documentation<\/a><\/p>\n<p><b>[Compliance considerations:]<\/b><\/p>\n<p>No compliance considerations identified; review as appropriate for your organization.<\/p><\/td>\n<\/tr>\n<tr>\n<th>Machine Translation<\/th>\n<td><p><b>[Introduction]<\/b><\/p>\n<p>To improve visibility and consistency across Microsoft Defender for Office 365 and Microsoft Sentinel, we are updating how changes to an email\u2019s verdict and location are handled in the <i>EmailEvents<\/i> table. With this change, Sentinel reflects both current and past verdicts, enabling more accurate threat analysis and investigation.<\/p>\n<p><b>[When this will happen:]<\/b><\/p>\n<p><b>General Availability<\/b>: Rollout begins in <b>early October 2025<\/b> and is expected to complete by <b>early November 2025<\/b>.<\/p>\n<p><b>[How this affects your organization:]<\/b><\/p>\n<ul>\n<li><b>Who is affected:<\/b> Administrators using <i>Microsoft Defender for Office 365<\/i>, the <i>Streaming API<\/i>, and the <i>EmailEvents<\/i> table in Microsoft Sentinel.<\/li>\n<li><b>What will happen:<\/b>\n<ul>\n<li>The <i>Streaming API<\/i> will begin streaming updated records when an email\u2019s verdict or location changes.<\/li>\n<li>Microsoft Sentinel will store both the updated record and the previous record instead of replacing them.<\/li>\n<li>When the verdict or location of the same email is updated, multiple rows may be displayed.<\/li>\n<li>This update aligns the <i>EmailEvents<\/i> table in Microsoft Sentinel with the behavior of the <i>Advanced Hunting<\/i> <i>EmailEvents<\/i> table.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><b>[What you can do to prepare:]<\/b><\/p>\n<ul>\n<li>Review and update existing queries and dashboards that depend on the <i>EmailEvents<\/i> table.<\/li>\n<li>Use the following KQL pattern to retrieve the latest record per email.<\/li>\n<\/ul>\n<pre>summarize arg_max(Timestamp, *) by NetworkMessageId, RecipientEmailAddress<\/pre>\n<p>Example query for emails with a &#8220;Phish&#8221; verdict:<\/p>\n<pre>EmailEvents<br>| where ThreatTypes has \"Phish\"<br>| summarize arg_max(Timestamp, *) by NetworkMessageId, RecipientEmailAddress<\/pre>\n<p>For details on the <code>arg_max<\/code> function, see the <a href=\"https:\/\/learn.microsoft.com\/kusto\/query\/arg-max-aggregation-function?view=microsoft-fabric\">KQL arg_max documentation<\/a>.<\/p>\n<p><b>[Compliance considerations:]<\/b><\/p>\n<p>If no compliance considerations have been identified, review as appropriate for your organization.<\/p><\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>MC1150118 | Microsoft Defender for Office 365: New records in Streaming API and Sentinel EmailEvents table Cla 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-12783","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/12783","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=12783"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/12783\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=12783"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=12783"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=12783"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}