New Teams tables

schmurky · schmurky · commit 829386b921a1 · 2025-03-18T17:17:02.000Z
diff --git a/defender-xdr/TOC.yml b/defender-xdr/TOC.yml
@@ -306,6 +306,12 @@
             href: advanced-hunting-identitylogonevents-table.md
           - name: IdentityQueryEvents
             href: advanced-hunting-identityqueryevents-table.md
+          - name: MessageEvents
+            href: advanced-hunting-messageevents-table.md
+          - name: MessagePostDeliveryEvents
+            href: advanced-hunting-messagepostdeliveryevents-table.md
+          - name: MessageUrlInfo
+            href: advanced-hunting-messageurlinfo-table.md                                    
           - name: UrlClickEvents
             href: advanced-hunting-urlclickevents-table.md
         - name: Custom detections
diff --git a/defender-xdr/advanced-hunting-messageevents-table.md b/defender-xdr/advanced-hunting-messageevents-table.md
@@ -0,0 +1,76 @@
+---
+title: MessageEvents table in the advanced hunting schema
+description: Learn about the MessageEvents table in the advanced hunting schema which contains details about messages sent and received within your organization at the time of delivery 
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: maccruz
+author: schmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom:
+- cx-ti
+- cx-ah
+appliesto: 
+- Microsoft Defender XDR 
+ms.topic: reference
+ms.date: 03/18/2025
+---
+
+# MessageEvents (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `MessageEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains details about messages sent and received within your organization at the time of delivery. Use this reference to construct queries that return information from this table. 
+
+
+For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | `datetime` | Date and time when the event was recorded |
+| `LastEditedTime` | `string` | Date and time when the message was last edited |
+| `TeamsMessageId` | `string` | Unique identifier for the message, as generated by Microsoft 365  |
+| `SenderEmailAddress` | `string` | Email address of the sender |
+| `SenderDisplayName` | `string` | Name of the sender displayed in the address book, typically a combination of a first name, a middle initial, and a last name or surname |
+| `SenderObjectId` | `string` | Unique identifier for the sender’s account  |
+| `SenderType` | `string` | Type of user that sent the message, for example, User, Group, Anonymous  |
+| `RecipientDetails` | `dynamic` | Array of recipient data (RecipientEmailAddress, RecipientDisplayName, RecipientType, RecipientObjectId) |
+| `IsOwnedThread` | `boolean` | Boolean value indicating whether the message is owned by your organization or not (only the messages owned by your organization can be remediated)|
+| `MessageId` | `string` | Identifier for the message (non-unique)|
+| `ParentMessageId` | `string` | Identifier for the message that the current message was a reply to, otherwise this is the same as the MessageId|
+| `GroupId` | `string` | Identifier for the team or group that the message was sent to|
+| `GroupName` | `string` | Name of the team or group that the message was sent to|
+| `ThreadId` | `string` | Identifier of the channel or chat thread that the message is part of |
+| `ThreadSubtype` | `string` | Indicates the channel type, possible values: None, PrivateChannel|
+| `IsExternalThread` | `boolean` | Indicates if there are external recipients in the thread (1) or none (0) |
+| `MessageFormatType` | `string` |Type of message format; possible values: RichText, Text|
+| `MessageFormatSubtype` | `string` |Subtype of message format, for example, HTML|
+| `MessageVersion` | `string` |Version number of the message|
+| `MessageSubject` | `string` |Subject of the message, if it exists|
+| `ThreatTypes` | `string` |Verdict from the filtering stack on whether the message contains malware, phishing, or other threats|
+| `DetectionMethods` | `dynamic` |Methods used to detect malware, phishing, or other threats found in the message|
+| `ConfidenceLevel` | `dynamic` |List of confidence levels for each threat type identified|
+| `DeliveryAction` | `string` |Delivery action of the message: Delivered, Blocked|
+| `DeliveryLocation` | `string` |Location of the message at the time of delivery|
+| `ReportId` | `string` |Unique identifier for the event|
+
+
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
diff --git a/defender-xdr/advanced-hunting-messagepostdeliveryevents-table.md b/defender-xdr/advanced-hunting-messagepostdeliveryevents-table.md
@@ -0,0 +1,63 @@
+---
+title: MessagePostDeliveryEvents table in the advanced hunting schema
+description: Learn about the MessagePostDeliveryEvents table in the advanced hunting schema which contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization. 
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: maccruz
+author: schmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom:
+- cx-ti
+- cx-ah
+appliesto: 
+- Microsoft Defender XDR 
+ms.topic: reference
+ms.date: 03/18/2025
+---
+
+# MessageEvents (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `MessageEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization. 
+
+For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | `datetime` | Date and time when the event was recorded |
+| `TeamsMessageId` | `string` | Unique identifier for the message, as generated by Microsoft 365  |
+| `Action` | `string` | Action taken on the message: Blocked, Moved to quarantine  |
+| `ActionType` | `string` | Type of activity that triggered the event: Manual remediation, Phish ZAP, Malware ZAP |
+| `ActionTrigger` | `string` | Indicates whether an action was triggered by an administrator (manually or through approval of a pending automated action), or by some special mechanism, such as a ZAP or Dynamic Delivery |
+| `ActionResult` | `string` | Result of the action |
+| `SenderEmailAddress` | `string` | Email address of the sender |
+| `RecipientDetails` | `dynamic` | Array of recipient data (RecipientEmailAddress, RecipientDisplayName, RecipientType, RecipientObjectId) |
+| `ThreatTypes` | `string` |Verdict from the filtering stack on whether the message contains malware, phishing, or other threats|
+| `ConfidenceLevel` | `dynamic` |List of confidence levels for each threat type identified|
+| `DetectionMethods` | `string` |Methods used to detect malware, phishing, or other threats found in the message|
+| `LatestDeliveryLocation` | `string` |Last known location of the message |
+| `ReportId` | `string` |Unique identifier for the event|
+| `IsExternalThread` | `boolean` |Indicates if there are external recipients in the thread (1) or none (0)|
+
+
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
diff --git a/defender-xdr/advanced-hunting-messageurlinfo-table.md b/defender-xdr/advanced-hunting-messageurlinfo-table.md
@@ -0,0 +1,55 @@
+---
+title: MessageUrlInfo table in the advanced hunting schema
+description: Learn about the MessageUrlInfo table in the advanced hunting schema which contains information about URLs sent through Microsoft Teams messages in your organization. 
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: maccruz
+author: schmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom:
+- cx-ti
+- cx-ah
+appliesto: 
+- Microsoft Defender XDR 
+ms.topic: reference
+ms.date: 03/18/2025
+---
+
+# MessageEvents (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `MessageUrlInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about URLs sent through Microsoft Teams messages in your organization. 
+
+For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | `datetime` | Date and time when the event was recorded |
+| `TeamsMessageId` | `string` | Unique identifier for the message, as generated by Microsoft 365  |
+| `Url` | `string` |URL from message|
+| `UrlDomain` | `string` |Domain name or host name of the URL|
+| `ThreatTypes` | `string` |Verdict from the filtering stack on whether the message contains malware, phishing, or other threats|
+| `ReportId` | `string` |Unique identifier for the event|
+
+
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
diff --git a/defender-xdr/advanced-hunting-schema-tables.md b/defender-xdr/advanced-hunting-schema-tables.md
@@ -100,6 +100,9 @@ The following reference lists all the tables in the schema. Each table name link
 | **[IdentityInfo](advanced-hunting-identityinfo-table.md)** | Account information from various sources, including Microsoft Entra ID |
 | **[IdentityLogonEvents](advanced-hunting-identitylogonevents-table.md)** | Authentication events on Active Directory and Microsoft online services |
 | **[IdentityQueryEvents](advanced-hunting-identityqueryevents-table.md)** | Queries for Active Directory objects, such as users, groups, devices, and domains |
+| **[MessageEvents](advanced-hunting-messageevents-table.md)** (Preview) | Messages sent and received within your organization at the time of delivery |
+| **[MessagePostDeliveryEvents](advanced-hunting-messagepostdeliveryevents-table.md)** (Preview) | Security events that occurred after the delivery of a Microsoft Teams message in your organization |
+| **[MessageUrlInfo](advanced-hunting-messageurlinfo-table.md)** (Preview) | URLs sent through Microsoft Teams messages in your organization |
 | **[UrlClickEvents](advanced-hunting-urlclickevents-table.md)** | Safe Links clicks from email messages, Teams, and Office 365 apps |
 
 ## Related topics
diff --git a/defender-xdr/whats-new.md b/defender-xdr/whats-new.md
@@ -32,6 +32,13 @@ For more information on what's new with other Microsoft Defender security produc
 
 You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
 
+
+## April 2025
+- (Preview) The following advanced hunting schema tables are now available for preview to help you look through Microsoft Teams events and related information:
+    - The [MessageEvents](advanced-hunting-messageevents-table.md) table contains details about messages sent and received within your organization at the time of delivery.
+    - The [MessagePostDeliveryEvents](advanced-hunting-messagepostdeliveryevents-table.md) table contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization.
+    - The [MessageUrlInfo](advanced-hunting-messageurlinfo-table.md) table contains information about URLs sent through Microsoft Teams messages in your organization.
+
 ## February 2025
 
 - (Preview) IP addresses can now be excluded from automated responses in attack disruption. This feature allows you to exclude specific IPs from automated containment actions triggered by attack disruption. For more information, see [Exclude assets from automated responses in automatic attack disruption](automatic-attack-disruption-exclusions.md).
