MC1150118 – M365 Change Digest

One-line summary

Microsoft Defender for Office 365 and Sentinel will now store both current and historical email verdict/location changes in the EmailEvents table, improving threat analysis accuracy.

Similar updates

Details

Summary

Starting early October 2025, Microsoft Defender for Office 365's Streaming API and Sentinel EmailEvents table will store both current and historical email verdicts and locations, showing multiple records per email. Admins should update queries and dashboards accordingly, using KQL's arg_max to retrieve the latest records.

Body (from Message Center)

[Introduction]

To improve visibility and alignment across Microsoft Defender for Office 365 and Microsoft Sentinel, we’re updating how email verdict and location changes are handled in the EmailEvents table. This change ensures that Sentinel reflects both current and historical verdicts, enabling more accurate threat analysis and investigation.

[When this will happen:]

General Availability: Rollout begins in early October 2025 and is expected to complete by early November 2025.

[How this affects your organization:]

Who is affected: Admins using Microsoft Defender for Office 365, Streaming API, and the EmailEvents table in Microsoft Sentinel.
What will happen:
- The Streaming API will begin streaming updated records when an email’s verdict or location changes.
- Microsoft Sentinel will store both the updated and previous records, rather than replacing them.
- You may see multiple rows for the same email if its verdict or location is updated.
- This update aligns the EmailEvents table in Microsoft Sentinel with the behavior of the Advanced Hunting EmailEvents table.

[What you can do to prepare:]

Review and update existing queries and dashboards that rely on the EmailEvents table.
Use the following KQL pattern to retrieve the latest record per email:

summarize arg_max(Timestamp, *) by NetworkMessageId, RecipientEmailAddress

Example query for emails with a "Phish" verdict:

EmailEvents
| where ThreatTypes has "Phish"
| summarize arg_max(Timestamp, *) by NetworkMessageId, RecipientEmailAddress

Learn more about the arg_max function: KQL arg_max documentation

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

Raw JSON (for debugging)

Expand/collapse the full payload below.

Show/hide raw

{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": null,
    "ai_actions": [
      "Review and update queries and dashboards using EmailEvents",
      "Use arg_max KQL pattern to get latest records"
    ],
    "ai_master_tags": [
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "Microsoft Defender for Office 365 and Sentinel will now store both current and historical email verdict/location changes in the EmailEvents table, improving threat analysis accuracy.",
    "ai_topics": [
      "Defender",
      "Sentinel"
    ],
    "category": "planForChange",
    "details_map": {
      "Summary": "Starting early October 2025, Microsoft Defender for Office 365\u0027s Streaming API and Sentinel EmailEvents table will store both current and historical email verdicts and locations, showing multiple records per email. Admins should update queries and dashboards accordingly, using KQL\u0027s arg_max to retrieve the latest records."
    },
    "id": "MC1150118",
    "importance": 1,
    "is_major_change": false,
    "last_modified": "2025-09-08T23:28:17Z",
    "ms_products": [
      "Defender"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Microsoft Defender XDR"
    ],
    "severity": "normal",
    "tags": [
      "Feature update",
      "Admin impact"
    ],
    "title": "Microsoft Defender for Office 365: New records in Streaming API and Sentinel EmailEvents table"
  }
}