| Source table | KQL field | ID format | Example KQL |
|---|---|---|---|
EmailEvents | NetworkMessageId | UUID | EmailEvents | where NetworkMessageId == "<id>" |
EmailPostDeliveryEvents | ReportId | {NetworkMessageId}-{numericSuffix} | EmailPostDeliveryEvents | where ReportId == "<id>" |
AuditLogs | Id | Directory_{correlationId}_{code}_{seq} | AuditLogs | where Id == "<id>" |
SigninLogs | Id | UUID | SigninLogs | where Id == "<id>" |
MicrosoftPurviewInformationProtection | Id | UUID | MicrosoftPurviewInformationProtection | where Id == "<id>" |
CloudAppEvents | ReportId | 79494985_{appId}_{uuid} | CloudAppEvents | where ReportId == "<id>" |
OfficeActivity | OfficeId | UUID | OfficeActivity | where OfficeId == "<id>" |
SecurityAlert | SystemAlertId | UUID | SecurityAlert | where SystemAlertId == "<id>" |
AlertInfo | AlertId | {numericId}_{signedInt} | AlertInfo | where AlertId == "<id>" |
IdentityDirectoryEvents | ReportId | UUID | IdentityDirectoryEvents | where ReportId == "<id>" |
IdentityLogonEvents | ReportId | UUID or 64-char hex | IdentityLogonEvents | where ReportId == "<id>" |
CommonSecurityLog | _ItemId | UUID | CommonSecurityLog | where _ItemId == "<id>" |
AADUserRiskEvents | — | Composite Sentinel key — no single queryable row key | — |
Event ID Mappings
Threat events returned by this API include a ‘platform_events_ids’ array. Each value is a source-system identifier that you can use to look up the original raw log row directly in Microsoft Sentinel (Log analytics).
Use the “source” field on each threat event to identify which table the event originated from, then apply the corresponding KQL field below.