A security analyst in Microsoft 365 Defender is investigating an email-based threat. The analyst needs to find all emails that were initially delivered to user inboxes but were later remediated (e.g., moved to junk, deleted, or quarantined) by Zero-Hour Auto Purge (ZAP). Which advanced hunting tables should the analyst query to get both the original email metadata and the post-delivery remediation events?
Correct. EmailEvents has delivery info; EmailPostDeliveryEvents has ZAP and other post-delivery actions.
Why this answer
To investigate emails that were initially delivered but later remediated by Zero-Hour Auto Purge (ZAP), you need both the original email metadata (from EmailEvents) and the post-delivery remediation actions (from EmailPostDeliveryEvents). EmailEvents holds one row per message and recipient with sender, subject, threat verdicts, and the original DeliveryAction and DeliveryLocation (e.g., Delivered to Inbox/folder); EmailPostDeliveryEvents records what happened afterwards, with ActionType values such as Phish ZAP or Malware ZAP and the new DeliveryLocation (Junk folder, Quarantine, or deleted). Both tables carry NetworkMessageId and RecipientEmailAddress, so joining on those two columns correlates the initial delivery with the subsequent remediation event for each recipient.
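The following advanced hunting query is an added example, not part of the original question page; it joins the two tables the way the explanation describes. Column names are those of the standard Microsoft 365 Defender email schema; the 7-day lookback and the "Delivered" filter are assumptions for this illustration.

```kql
// Added example: correlate messages that were originally delivered with the ZAP
// action that later removed them. Assumes the standard advanced hunting schema.
let lookback = 7d;   // assumed search window; widen as needed
EmailPostDeliveryEvents
| where Timestamp > ago(lookback)
// ActionType separates ZAP from "Manual remediation", "Quarantine release" etc.
// Known ZAP values include "Phish ZAP" and "Malware ZAP".
| where ActionType has "ZAP"
| project ZapTime = Timestamp, NetworkMessageId, RecipientEmailAddress,
          ActionType, ActionResult, ActionTrigger,
          ZapDeliveryLocation = DeliveryLocation, ZapThreatTypes = ThreatTypes
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    // Only messages the filtering stack let through at delivery time
    | where DeliveryAction == "Delivered"
    | project DeliveredTime = Timestamp, NetworkMessageId, RecipientEmailAddress,
              SenderFromAddress, SenderMailFromAddress, Subject,
              OriginalDeliveryLocation = DeliveryLocation,
              OriginalThreatTypes = ThreatTypes, DetectionMethods
  ) on NetworkMessageId, RecipientEmailAddress
// Exposure window: how long the message sat in the mailbox before ZAP acted
| extend MinutesBeforeZap = datetime_diff("minute", ZapTime, DeliveredTime)
| project DeliveredTime, ZapTime, MinutesBeforeZap, RecipientEmailAddress,
          SenderFromAddress, SenderMailFromAddress, Subject,
          OriginalDeliveryLocation, OriginalThreatTypes,
          ActionType, ActionResult, ActionTrigger, ZapDeliveryLocation, ZapThreatTypes
| sort by ZapTime desc
```

Joining on both NetworkMessageId and RecipientEmailAddress matters: a single message ID covers every recipient of the message, and ZAP can act on one mailbox while leaving another untouched. MinutesBeforeZap is the window in which the user could have opened the message, which is usually the figure the investigation needs next.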
Exam trap
The trap here is assuming that EmailPostDeliveryEvents alone suffices. That table does identify the action (its ActionType column distinguishes ZAP events such as Phish ZAP and Malware ZAP from manual remediation or quarantine release), but it records only the network message ID, the recipient, and the action details. It does not carry the sender, the subject, or the original DeliveryAction and DeliveryLocation, so without joining to EmailEvents on NetworkMessageId and RecipientEmailAddress you cannot confirm that the message was actually delivered to the inbox before ZAP acted, nor see what the message was.
How to eliminate wrong answers
Option B is wrong because EmailAttachmentInfo only contains metadata about attachments (file name, file type, SHA-256 hash, and malware verdict) keyed by NetworkMessageId; it holds neither the original delivery status nor any post-delivery remediation events. Option C is wrong because EmailUrlInfo only lists the URLs extracted from message bodies and attachments (Url, UrlDomain, UrlLocation); it does not record clicks (those are in UrlClickEvents), and it lacks the delivery metadata and ZAP actions needed here. Both tables are enrichment tables to join onto EmailEvents, not substitutes for it. Option D is wrong because CloudAppEvents records user and admin activity in cloud apps monitored by Defender for Cloud Apps (SharePoint, OneDrive, Teams, and Exchange Online audit events); it contains no per-message delivery records and no ZAP actions.