Query Details
Email Events Visualize Post Delivery Actions
Query
//Visualize any post delivery actions such as email being quarantined or deleted by admins
//Data connector required for this query - M365 Defender - Email* tables
EmailPostDeliveryEvents
| where TimeGenerated > ago (90d)
| where Action !in ("None", "Unknown")
| make-series Count=count() on TimeGenerated from ago(45d) to now() step 1d by Action
| render timechart with (title="Email post delivery actions over time")Explanation
This query visualizes any actions taken on emails after they are delivered, such as being quarantined or deleted by administrators. It uses the M365 Defender - Email* tables as the data source. The query filters the data to include events within the last 90 days and excludes actions labeled as "None" or "Unknown". It then groups the events by action type and creates a time series chart showing the count of each action over the past 45 days. The chart is titled "Email post delivery actions over time".
Details
Matt Zorich
Released: June 17, 2022
Tables
EmailPostDeliveryEvents
Keywords
Email,PostDeliveryEvents,TimeGenerated,Action,make-series,Count,render,timechart
Operators
where>ago|in!inmake-seriescount()onfromtonow()steprender