Admins’ Microsoft 365 Defender portal Advanced Hunting may not show some updated values in two columns for EmailEvents

Title: Admins’ Microsoft 365 Defender portal Advanced Hunting may not show some updated values in two columns for EmailEvents

User impact: Admins’ Microsoft 365 Defender portal Advanced Hunting didn’t show some updated values in two columns for EmailEvents.

More info: Some admins using EmailEvents from the Email & collaboration schema in the Microsoft 365 Defender portal’s Advanced Hunting may have been unable to view some updated values in the LatestDeliveryLocation and LatestDeliveryAction columns for some Microsoft Defender for Office 365 records. Additionally for these records, RecipientEmailAddress in EmailPostDeliveryEvents weren’t in lowercase, which didn’t allow some admins to join EmailPostDeliveryEvents and EmailEvents using RecipientEmailAddress. Admins would have had to manually convert the data to lower case and join.

Final status: We’ve confirmed that the fix successfully deployed to all affected environments, and we’ve verified through monitoring telemetry that the issue is now resolved for all admins.

Scope of impact: Impact may have occurred for some admins attempting to view some updated values in Microsoft Defender for Office 365 columns.

Start time: Tuesday, August 22, 2023, at 12:00 AM UTC

End time: Thursday, September 28, 2023, at 8:30 PM UTC

Root cause: A data inconsistency caused by a coding issue occurred in a section of infrastructure responsible for RecipientEmailAddress values in the post-delivery events via Microsoft Defender for Office 365 that flow into EmailPostDeliveryEvents, resulting in impact.

Next steps:
– We’re further examining the coding issue which first exposed the data inconsistency so we can determine how it was first introduced and better prevent similar future impact.

This is the final update for the event.