Queries for the EmailPostDeliveryEvents table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Post-delivery administrator actions

Display post-delivery actions made by Administrator.

EmailPostDeliveryEvents
| where ActionTrigger == 'AdminAction'
| take 100 

Unremediated post-delivery phishing email detections

Display post-delivery phishing email detections which was not remediated.

EmailPostDeliveryEvents
| where ActionType == 'Phish ZAP' and ActionResult == 'Error'
| join EmailEvents on NetworkMessageId, RecipientEmailAddress  
| take 100

Full email processing details

Emails that include predefined post-delivery actions or automatic rules, by sender and subject.

let mySender = "<insert sender email address>";
let subject = "<insert email subject>";
EmailEvents
| where SenderFromAddress == mySender and Subject == subject
| join EmailPostDeliveryEvents on NetworkMessageId, RecipientEmailAddress 
| take 100