check before: 2025-10-01
Product:
Defender, Defender for Office 365, Defender XDR, Stream
Platform:
Online, World tenant
Status:
Change type:
Feature update, Admin impact
Links:
Details:
Summary:
Starting early October 2025, Microsoft Defender for Office 365's Streaming API and Sentinel EmailEvents table will store both current and historical email verdicts and locations, showing multiple records per email. Admins should update queries and dashboards accordingly, using KQL's arg_max to retrieve the latest records.
Details:
[Introduction]
To improve visibility and alignment across Microsoft Defender for Office 365 and Microsoft Sentinel, we're updating how email verdict and location changes are handled in the EmailEvents table. This change ensures that Sentinel reflects both current and historical verdicts, enabling more accurate threat analysis and investigation.
[When this will happen:]
General Availability: Rollout begins in early October 2025 and is expected to complete by early November 2025.
Change Category:
Scope:
Release Phase:
Created:
2025-09-09
updated:
2025-09-09
Task Type
Docu to Check
MS How does it affect me
MS Preparations
MS Urgency
MS workload name
summary for non-techies**
Direct effects for Operations**
Data Retrieval Issues
If admins do not update their queries and dashboards, an email whose verdict or location changed now matches several rows: per-message counts and reports are inflated, and filters on the verdict or location columns can return an earlier, superseded record instead of the current one, leading to ineffective threat analysis and response.
- roles: IT Admins, Security Analysts
- references: https://learn.microsoft.com/en-us/kusto/query/arg-max-aggregation-function?view=microsoft-fabric
Increased Complexity in Data Analysis
Multiple records for the same email complicate analysis and reporting: joins on the message identifier fan out, and any query or workbook that does not deduplicate per message can misread the threat data unless the history is either collapsed to the latest record or deliberately analyzed as a timeline.
- roles: IT Admins, Security Analysts
- references: https://learn.microsoft.com/en-us/kusto/query/arg-max-aggregation-function?view=microsoft-fabric
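The following KQL query is an added example and is not part of the Microsoft message or of this page; it shows the arg_max pattern that the Summary and the two Direct effects above call for. It assumes the Microsoft Sentinel EmailEvents column names (TimeGenerated, NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes); the 24-hour window and the malware/phish filter are illustrative choices, not part of the change.

```kql
// Added example, not from the Microsoft message or this page.
// Assumes the Sentinel EmailEvents schema (TimeGenerated, NetworkMessageId,
// RecipientEmailAddress, SenderFromAddress, Subject, DeliveryAction,
// DeliveryLocation, ThreatTypes). In Defender XDR Advanced Hunting the
// time column is Timestamp instead of TimeGenerated.
let lookback = 24h;
EmailEvents
| where TimeGenerated > ago(lookback)
// One email can now have several rows (initial verdict, later
// reclassification, a move to another folder, ...). Collapse them per
// message and recipient: arg_max keeps the listed columns from the row
// with the newest TimeGenerated, count() records how many rows the email
// had, min() records when it was first seen.
| summarize Records = count(),
            FirstSeen = min(TimeGenerated),
            arg_max(TimeGenerated, DeliveryAction, DeliveryLocation, ThreatTypes,
                    SenderFromAddress, Subject)
    by NetworkMessageId, RecipientEmailAddress
| project-rename LastSeen = TimeGenerated
// From here on the old single-row logic works again: these filters see the
// current verdict and location, not whichever historical row happened to match.
| where ThreatTypes has_any ("Malware", "Phish")
| where DeliveryAction == "Delivered"
// Records > 1 marks emails whose verdict or location changed at least once
// inside the lookback window.
| project LastSeen, FirstSeen, Records, NetworkMessageId, RecipientEmailAddress,
          SenderFromAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| order by LastSeen desc
```

To see the full history of one message instead of its latest state, drop the summarize step, filter on its NetworkMessageId and `order by TimeGenerated asc`. Any workbook or analytics rule that counts emails should run its count on the summarized set, otherwise a single reclassified message is counted once per record; comparing `Records` against the same query run before the rollout is a quick way to confirm the change has reached the tenant.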
Configuration Options**
IT Security**
explanation for non-techies**
Imagine you're running a library, and every time a book is borrowed or returned, you update a single record for that book to show its current status. This method works fine until you realize you need to track not just the current status but also the history of each book's journey—who borrowed it, when, and for how long. To do this, you start keeping a detailed log of every transaction for each book, allowing you to see both its current status and its entire borrowing history.
This is similar to the change happening with Microsoft Defender for Office 365's Streaming API and the Sentinel EmailEvents table. Previously, when an email's status (or "verdict") or location changed, only the current status was kept. Now, like our library example, both the current and historical statuses will be recorded. This means that for each email, you might see multiple entries showing how its status has evolved over time.
For those managing these systems, this change means you'll need to adjust how you look at the data. Instead of just seeing the latest status, you'll have a richer history to analyze, which can be very useful for understanding patterns and making informed decisions. It's like having a complete log of a book's history in the library, helping you understand its popularity and usage over time.
To work with this new data format, you'll use a tool called KQL (Kusto Query Language), which helps you filter and sort through these records to find the most recent status of an email, much like using a library catalog to find the latest information about a book. By updating your queries and dashboards, you can ensure you're always looking at the most relevant data.
This change is set to roll out from early October to early November 2025, and it's important for admins using these systems to prepare by reviewing and updating their current processes. There are no compliance issues identified with this update, but it's always a good idea to review changes in the context of your organization's policies.
** AI generated content. This information must be reviewed before use.
Last updated 4 weeks ago