Merge pull request #3374 from MicrosoftDocs/maccruz-teamstables

padmagit77 · web-flow · commit eb5852005d4d · 2025-04-04T19:19:58.000+05:30
Teams tables
diff --git a/defender-xdr/TOC.yml b/defender-xdr/TOC.yml
@@ -306,6 +306,12 @@
             href: advanced-hunting-identitylogonevents-table.md
           - name: IdentityQueryEvents
             href: advanced-hunting-identityqueryevents-table.md
+          - name: MessageEvents
+            href: advanced-hunting-messageevents-table.md
+          - name: MessagePostDeliveryEvents
+            href: advanced-hunting-messagepostdeliveryevents-table.md
+          - name: MessageUrlInfo
+            href: advanced-hunting-messageurlinfo-table.md                                    
           - name: OAuthAppInfo
             href: advanced-hunting-oauthappinfo-table.md            
           - name: UrlClickEvents
diff --git a/defender-xdr/advanced-hunting-messageevents-table.md b/defender-xdr/advanced-hunting-messageevents-table.md
@@ -0,0 +1,76 @@
+---
+title: MessageEvents table in the advanced hunting schema
+description: Learn about the MessageEvents table in the advanced hunting schema which contains details about messages sent and received within your organization at the time of delivery 
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: maccruz
+author: schmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom:
+- cx-ti
+- cx-ah
+appliesto: 
+- Microsoft Defender XDR 
+ms.topic: reference
+ms.date: 03/18/2025
+---
+
+# MessageEvents (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `MessageEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains details about messages sent and received within your organization at the time of delivery. Use this reference to construct queries that return information from this table. 
+
+
+For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | `datetime` | Date and time when the event was recorded |
+| `LastEditedTime` | `string` | Date and time when the message was last edited |
+| `TeamsMessageId` | `string` | Unique identifier for the message, as generated by Microsoft 365  |
+| `SenderEmailAddress` | `string` | Email address of the sender |
+| `SenderDisplayName` | `string` | Name of the sender displayed in the address book, typically a combination of a first name, a middle initial, and a last name or surname |
+| `SenderObjectId` | `string` | Unique identifier for the sender’s account  |
+| `SenderType` | `string` | Type of user that sent the message, for example, User, Group, Anonymous  |
+| `RecipientDetails` | `dynamic` | Array of recipient data (RecipientSmtpAddress, RecipientDisplayName, RecipientType, RecipientObjectId) |
+| `IsOwnedThread` | `boolean` | Boolean value indicating whether the message is owned by your organization or not (only the messages owned by your organization can be remediated)|
+| `MessageId` | `string` | Identifier for the message (non-unique)|
+| `ParentMessageId` | `string` | Identifier for the message that the current message was a reply to, otherwise this is the same as the MessageId|
+| `GroupId` | `string` | Identifier for the team or group that the message was sent to|
+| `GroupName` | `string` | Name of the team or group that the message was sent to|
+| `ThreadId` | `string` | Identifier of the channel or chat thread that the message is part of |
+| `ThreadSubtype` | `string` | Indicates the channel type, possible values: None, PrivateChannel|
+| `IsExternalThread` | `boolean` | Indicates if there are external recipients in the thread (1) or none (0) |
+| `MessageFormatType` | `string` |Type of message format; possible values: RichText, Text|
+| `MessageFormatSubtype` | `string` |Subtype of message format, for example, HTML|
+| `MessageVersion` | `string` |Version number of the message|
+| `MessageSubject` | `string` |Subject of the message, if it exists|
+| `ThreatTypes` | `string` |Verdict from the filtering stack on whether the message contains malware, phishing, or other threats|
+| `DetectionMethods` | `dynamic` |Methods used to detect malware, phishing, or other threats found in the message|
+| `ConfidenceLevel` | `dynamic` |List of confidence levels for each threat type identified|
+| `DeliveryAction` | `string` |Delivery action of the message: Delivered, Blocked|
+| `DeliveryLocation` | `string` |Location of the message at the time of delivery|
+| `ReportId` | `string` |Unique identifier for the event|
+
+
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
diff --git a/defender-xdr/advanced-hunting-messagepostdeliveryevents-table.md b/defender-xdr/advanced-hunting-messagepostdeliveryevents-table.md
@@ -0,0 +1,63 @@
+---
+title: MessagePostDeliveryEvents table in the advanced hunting schema
+description: Learn about the MessagePostDeliveryEvents table in the advanced hunting schema which contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization. 
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: maccruz
+author: schmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom:
+- cx-ti
+- cx-ah
+appliesto: 
+- Microsoft Defender XDR 
+ms.topic: reference
+ms.date: 03/18/2025
+---
+
+# MessagePostDeliveryEvents (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `MessagePostDeliveryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization. 
+
+For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | `datetime` | Date and time when the event was recorded |
+| `TeamsMessageId` | `string` | Unique identifier for the message, as generated by Microsoft 365  |
+| `Action` | `string` | Action taken on the message: Blocked, Moved to quarantine  |
+| `ActionType` | `string` | Type of activity that triggered the event: Manual remediation, Phish ZAP, Malware ZAP |
+| `ActionTrigger` | `string` | Indicates whether an action was triggered by an administrator (manually or through approval of a pending automated action), or by some special mechanism, such as a ZAP or Dynamic Delivery |
+| `ActionResult` | `string` | Result of the action |
+| `SenderEmailAddress` | `string` | Email address of the sender |
+| `RecipientDetails` | `dynamic` | Array of recipient data (RecipientSmtpAddress, RecipientDisplayName, RecipientType, RecipientObjectId) |
+| `ThreatTypes` | `string` |Verdict from the filtering stack on whether the message contains malware, phishing, or other threats|
+| `ConfidenceLevel` | `dynamic` |List of confidence levels for each threat type identified|
+| `DetectionMethods` | `string` |Methods used to detect malware, phishing, or other threats found in the message|
+| `LatestDeliveryLocation` | `string` |Last known location of the message |
+| `ReportId` | `string` |Unique identifier for the event|
+| `IsExternalThread` | `boolean` |Indicates if there are external recipients in the thread (1) or none (0)|
+
+
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
diff --git a/defender-xdr/advanced-hunting-messageurlinfo-table.md b/defender-xdr/advanced-hunting-messageurlinfo-table.md
@@ -0,0 +1,55 @@
+---
+title: MessageUrlInfo table in the advanced hunting schema
+description: Learn about the MessageUrlInfo table in the advanced hunting schema which contains information about URLs sent through Microsoft Teams messages in your organization. 
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: maccruz
+author: schmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom:
+- cx-ti
+- cx-ah
+appliesto: 
+- Microsoft Defender XDR 
+ms.topic: reference
+ms.date: 03/18/2025
+---
+
+# MessageUrlInfo (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `MessageUrlInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about URLs sent through Microsoft Teams messages in your organization. 
+
+For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | `datetime` | Date and time when the event was recorded |
+| `TeamsMessageId` | `string` | Unique identifier for the message, as generated by Microsoft 365  |
+| `Url` | `string` |URL from message|
+| `UrlDomain` | `string` |Domain name or host name of the URL|
+| `ThreatTypes` | `string` |Verdict from the filtering stack on whether the message contains malware, phishing, or other threats|
+| `ReportId` | `string` |Unique identifier for the event|
+
+
+
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
diff --git a/defender-xdr/advanced-hunting-schema-tables.md b/defender-xdr/advanced-hunting-schema-tables.md
@@ -100,6 +100,9 @@ The following reference lists all the tables in the schema. Each table name link
 | **[IdentityInfo](advanced-hunting-identityinfo-table.md)** | Account information from various sources, including Microsoft Entra ID |
 | **[IdentityLogonEvents](advanced-hunting-identitylogonevents-table.md)** | Authentication events on Active Directory and Microsoft online services |
 | **[IdentityQueryEvents](advanced-hunting-identityqueryevents-table.md)** | Queries for Active Directory objects, such as users, groups, devices, and domains |
+| **[MessageEvents](advanced-hunting-messageevents-table.md)** (Preview) | Messages sent and received within your organization at the time of delivery |
+| **[MessagePostDeliveryEvents](advanced-hunting-messagepostdeliveryevents-table.md)** (Preview) | Security events that occurred after the delivery of a Microsoft Teams message in your organization |
+| **[MessageUrlInfo](advanced-hunting-messageurlinfo-table.md)** (Preview) | URLs sent through Microsoft Teams messages in your organization |
 | **[OAuthAppInfo](advanced-hunting-oauthappinfo-table.md)** (Preview) | Microsoft 365-connected OAuth applications registered with Microsoft Entra ID and available in the Defender for Cloud Apps app governance capability |
 | **[UrlClickEvents](advanced-hunting-urlclickevents-table.md)** | Safe Links clicks from email messages, Teams, and Office 365 apps |
 
