Services
Summary
Starting early October 2025, Microsoft Defender for Office 365's Streaming API and Sentinel EmailEvents table will store both current and historical email verdicts and locations, showing multiple records per email. Admins should update queries and dashboards accordingly, using KQL's arg_max to retrieve the latest records.
Details
To improve visibility and alignment across Microsoft Defender for Office 365 and Microsoft Sentinel, we’re updating how email verdict and location changes are handled in the EmailEvents table. This change ensures that Sentinel reflects both current and historical verdicts, enabling more accurate threat analysis and investigation.
When this will happen:General Availability: Rollout begins in early October 2025 and is expected to complete by early November 2025.
How this affects your organization:- Who is affected: Admins using Microsoft Defender for Office 365, Streaming API, and the EmailEvents table in Microsoft Sentinel.
- What will happen:
- The Streaming API will begin streaming updated records when an email’s verdict or location changes.
- Microsoft Sentinel will store both the updated and previous records, rather than replacing them.
- You may see multiple rows for the same email if its verdict or location is updated.
- This update aligns the EmailEvents table in Microsoft Sentinel with the behavior of the Advanced Hunting EmailEvents table.
- Review and update existing queries and dashboards that rely on the EmailEvents table.
- Use the following KQL pattern to retrieve the latest record per email:
summarize arg_max(Timestamp, *) by NetworkMessageId, RecipientEmailAddress
Example query for emails with a "Phish" verdict:
EmailEvents | where ThreatTypes has "Phish" | summarize arg_max(Timestamp, *) by NetworkMessageId, RecipientEmailAddress
Learn more about the arg_max function: KQL arg_max documentation
Compliance considerations:
No compliance considerations identified, review as appropriate for your organization.