MC1150118 – Microsoft Defender for Office 365: New records in Streaming API and Sentinel EmailEvents table (archived)

check before: 2025-10-01

Product:

Defender, Defender for Office 365, Defender XDR, Stream

Platform:

Online, World tenant

Status:

Change type:

Feature update, Admin impact

Links:

Summary:
Starting early October 2025, Microsoft Defender for Office 365's Streaming API and Sentinel EmailEvents table will store both current and historical email verdicts and locations, showing multiple records per email. Admins should update queries and dashboards accordingly, using KQL's arg_max to retrieve the latest records.

Details:
[Introduction]
To improve visibility and alignment across Microsoft Defender for Office 365 and Microsoft Sentinel, we're updating how email verdict and location changes are handled in the EmailEvents table. This change ensures that Sentinel reflects both current and historical verdicts, enabling more accurate threat analysis and investigation.
[When this will happen:]
General Availability: Rollout begins in early October 2025 and is expected to complete by early November 2025.

Release Phase:

Created:
2025-09-09

updated:
2025-09-09

summary for non-techies**

Microsoft Defender for Office 365's Streaming API and the Sentinel EmailEvents table will now record both current and historical email statuses, requiring admins to adjust their data analysis processes using Kusto Query Language (KQL) to accommodate this richer data set, with the rollout occurring from early October to early November 2025.

Direct effects for Operations**

Data Retrieval Issues
If admins do not update their queries and dashboards, they may retrieve outdated or incorrect email verdicts, leading to ineffective threat analysis and response.
   - roles: IT Admins, Security Analysts
   - references: https://learn.microsoft.com/en-us/kusto/query/arg-max-aggregation-function?view=microsoft-fabric

Increased Complexity in Data Analysis
The introduction of multiple records for the same email may complicate data analysis and reporting, potentially leading to confusion and misinterpretation of threat data.
   - roles: IT Admins, Security Analysts
   - references: https://learn.microsoft.com/en-us/kusto/query/arg-max-aggregation-function?view=microsoft-fabric
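The arg_max pattern the summary recommends, shown as an added KQL example (not from the Microsoft post or from cloudscout.one). Column names come from the EmailEvents schema; using NetworkMessageId together with RecipientEmailAddress as the key for one delivery is an assumption.

```kql
// Naive count of delivery outcomes over the last 7 days.
// After the October 2025 change an email whose verdict was revised
// produces several EmailEvents records, so this counts the same
// message once per verdict and overstates every bucket.
EmailEvents
| where Timestamp > ago(7d)
| summarize Emails = count() by DeliveryAction

// Corrected: collapse to the most recent record per delivery first.
// Assumption: NetworkMessageId + RecipientEmailAddress identify one
// delivery of one message to one recipient.
EmailEvents
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, *) by NetworkMessageId, RecipientEmailAddress
| summarize Emails = count() by DeliveryAction

// Investigation view: messages whose verdict changed over time.
// arg_max keeps the latest DeliveryAction/DeliveryLocation/ThreatTypes;
// make_set collects every verdict seen, so a set with more than one
// entry flags a re-classified message worth reviewing.
EmailEvents
| where Timestamp > ago(7d)
| summarize
    arg_max(Timestamp, DeliveryAction, DeliveryLocation, ThreatTypes),
    FirstSeen = min(Timestamp),
    Verdicts = make_set(DeliveryAction)
    by NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject
| where array_length(Verdicts) > 1
| project FirstSeen, LatestVerdictAt = Timestamp, SenderFromAddress,
    RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation,
    ThreatTypes, Verdicts
| order by LatestVerdictAt desc
```

The three queries are separated by blank lines so the Logs editor runs only the one under the cursor; the first is kept only to show what a dashboard built before the change now counts.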

** AI generated content. This information must be reviewed before use.
