---
title: MessagePostDeliveryEvents table in the advanced hunting schema
description: Learn about the MessagePostDeliveryEvents table in the advanced hunting schema which contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization.
search.appverid: met150
ms.service: defender-xdr
ms.subservice: adv-hunting
f1.keywords:
  - NOCSH
ms.author: pauloliveria
author: poliveria
ms.localizationpriority: medium
manager: orspodek
audience: ITPro
ms.collection:
  - m365-security
  - tier3
ms.custom:
  - cx-ti
  - cx-ah
appliesto:
  - Microsoft Defender XDR
  - Microsoft Sentinel in the Microsoft Defender portal
ms.topic: reference
ms.date: 11/18/2025
---

MessagePostDeliveryEvents

[!INCLUDE Microsoft Defender XDR rebranding]

The MessagePostDeliveryEvents table in the advanced hunting schema contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization.

This advanced hunting table is populated by records from Microsoft Defender for Office 365. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table won’t work or won’t return any results. For more information about how to deploy Defender for Office 365 in Defender XDR, read Deploy supported services.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

| Column name | Data type | Description |
|---|---|---|
| Timestamp | datetime | Date and time when the event was recorded |
| TeamsMessageId | string | Unique identifier for the message, as generated by Microsoft 365 |
| Action | string | Action taken on the message: Blocked, Moved to quarantine |
| ActionType | string | Type of activity that triggered the event: Manual remediation, Phish ZAP, Malware ZAP |
| ActionTrigger | string | Indicates whether an action was triggered by an administrator (manually or through approval of a pending automated action), or by some special mechanism, such as a ZAP or Dynamic Delivery |
| ActionResult | string | Result of the action |
| SenderEmailAddress | string | Email address of the sender |
| RecipientDetails | dynamic | Array of recipient data (RecipientSmtpAddress, RecipientDisplayName, RecipientType, RecipientObjectId) |
| ThreatTypes | string | Verdict from the filtering stack on whether the message contains malware, phishing, or other threats |
| ConfidenceLevel | dynamic | List of confidence levels for each threat type identified |
| DetectionMethods | string | Methods used to detect malware, phishing, or other threats found in the message |
| LatestDeliveryLocation | string | Last known location of the message |
| ReportId | string | Unique identifier for the event |
| IsExternalThread | boolean | Indicates if there are external recipients in the thread (1) or none (0) |
| SafetyTip | string | The safety tip that has been added on a message, if any |
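
A hunting query over this table, as an added example that is not part of the original reference page: it summarizes ZAP actions on Teams messages per sender, so repeat senders of post-delivery-remediated messages stand out. Column names come from the table above; the seven-day window, the output column names, and the case-insensitive `contains "ZAP"` match (used because the exact stored `ActionType` strings are assumed, not confirmed) are assumptions.

```kusto
// Added example, not from the original page.
// Assumptions: 7-day lookback; ActionType values contain the substring "ZAP"
// (the page lists "Phish ZAP" and "Malware ZAP"; stored casing/spacing may differ).
MessagePostDeliveryEvents
| where Timestamp > ago(7d)
| where ActionType contains "ZAP"
// RecipientDetails is a dynamic array; expand to one row per recipient.
| mv-expand Recipient = RecipientDetails
| extend RecipientSmtpAddress = tostring(Recipient.RecipientSmtpAddress)
| summarize
    RemediatedMessages = dcount(TeamsMessageId),
    AffectedRecipients = dcount(RecipientSmtpAddress),
    ExternalThreadMessages = dcountif(TeamsMessageId, IsExternalThread == true),
    ThreatTypesSeen = make_set(ThreatTypes),
    ActionsTaken = make_set(Action),
    ActionResults = make_set(ActionResult),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by SenderEmailAddress
// Senders with the most remediated messages first.
| order by RemediatedMessages desc, AffectedRecipients desc
```

Check `ActionResults` for each sender: a remediation that did not succeed means the message may still be at its `LatestDeliveryLocation`.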
