Queries for the EmailPostDeliveryEvents table
For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
Post-delivery administrator actions
Display post-delivery actions made by Administrator.
EmailPostDeliveryEvents
| where ActionTrigger == 'AdminAction'
| take 100
Unremediated post-delivery phishing email detections
Display post-delivery phishing email detections which was not remediated.
EmailPostDeliveryEvents
| where ActionType == 'Phish ZAP' and ActionResult == 'Error'
| join EmailEvents on NetworkMessageId, RecipientEmailAddress
| take 100
Full email processing details
Emails that include predefined post-delivery actions or automatic rules, by sender and subject.
let mySender = "<insert sender email address>";
let subject = "<insert email subject>";
EmailEvents
| where SenderFromAddress == mySender and Subject == subject
| join EmailPostDeliveryEvents on NetworkMessageId, RecipientEmailAddress
| take 100