Agent Foskett Academy • Lesson 59 • Email Investigation

Investigating OrgLevelAction in Microsoft Defender XDR.

The message was suspicious.

Microsoft identified it.

ThreatTypes classified it.

DetectionMethods explained why.

But Agent Foskett still needed to answer one important question.

What action did the organisation's security policies actually take?

In Microsoft Defender XDR, OrgLevelAction helps defenders understand how organisational policies influenced the handling of suspicious email messages.

Agent Foskett Academy lesson explaining OrgLevelAction in Microsoft Defender XDR
Lesson overview

Learn how to investigate organisational policy actions and connect those decisions to threat classification, delivery outcomes and user exposure evidence.

Review OrgLevelAction evidence
Compare policy action and delivery outcome
Investigate quarantined and blocked messages
Validate Microsoft 365 email security policy behaviour

Why OrgLevelAction matters

DeliveryAction explains what happened to the message. OrgLevelAction helps defenders understand what organisational policy action influenced that outcome.
It explains policy decisionsOrgLevelAction helps defenders understand how Microsoft 365 organisational policies responded to suspicious email messages.
It validates protectionThe field can support reviews of anti-phishing, anti-malware, anti-spam and transport policy behaviour.
It supports investigationsUnderstanding policy action helps explain why a message was delivered, quarantined, blocked or handled another way.

The fields used in this lesson

These fields help defenders understand what Microsoft detected, what policy action was applied and whether users were exposed.
OrgLevelActionThe organisational policy action applied to the message during Microsoft 365 email filtering and handling.
ThreatTypesThreat classification such as phishing, malware, spam, spoofing or another suspicious email category.
DetectionMethodsDetection context that helps explain how Microsoft identified or classified the message.
DeliveryActionThe action Microsoft 365 applied to the email message during delivery and filtering.
DeliveryLocationThe location where the message was placed, such as inbox, junk, quarantine or another destination.
NetworkMessageIdThe message identifier used to connect email, URL, attachment and click evidence.

Step 1 — Review OrgLevelAction

Start by reviewing recent email messages where Microsoft recorded an organisational policy action.
review-orglevelaction.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(OrgLevelAction)
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          OrgLevelAction,
          ThreatTypes
| order by Timestamp desc

Step 2 — Summarise policy actions

Summarising OrgLevelAction helps defenders understand which policy actions are most common across the tenant.
summarise-orglevelaction.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(OrgLevelAction)
| summarize MessageCount = count() by OrgLevelAction
| order by MessageCount desc

Step 3 — Investigate quarantined messages

Quarantine outcomes should be reviewed with threat classification and delivery evidence to understand why users were protected.
quarantined-orglevelaction.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
EmailEvents
| where Timestamp > ago(30d)
| where OrgLevelAction has "Quarantine"
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          ThreatTypes,
          OrgLevelAction,
          DeliveryAction
| order by Timestamp desc

Step 4 — Investigate blocked messages

Blocked messages can reveal which threats were stopped before reaching users.
blocked-orglevelaction.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
EmailEvents
| where Timestamp > ago(30d)
| where OrgLevelAction has "Block"
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          ThreatTypes,
          DetectionMethods,
          OrgLevelAction
| order by Timestamp desc

Step 5 — Compare threat types and policy actions

OrgLevelAction becomes more useful when compared with ThreatTypes and DeliveryAction.
orglevelaction-threattypes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
EmailEvents
| where Timestamp > ago(30d)
| summarize MessageCount = count()
                            by ThreatTypes,
             OrgLevelAction,
             DeliveryAction
| order by MessageCount desc

Step 6 — Review delivered messages

Delivered messages with threat context deserve careful review because policy configuration may still allow user exposure.
delivered-orglevelaction.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
EmailEvents
| where Timestamp > ago(30d)
| where DeliveryAction =~ "Delivered"
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          ThreatTypes,
          OrgLevelAction,
          DeliveryLocation
| order by Timestamp desc

How to read the results

OrgLevelAction helps explain organisational policy influence. Always compare it with classification and final delivery outcome.
ThreatTypes tells you whatThreatTypes explains the category Microsoft assigned, such as phishing, malware, spam or spoofing.
OrgLevelAction tells you policyOrgLevelAction helps explain what organisational policy action was applied to the message.
DeliveryAction tells you exposureDeliveryAction helps determine whether the message was delivered, blocked, quarantined or handled another way.

Common investigation uses

OrgLevelAction helps defenders explain whether Microsoft 365 policy handling aligns with expected security outcomes.
Phishing investigationsUnderstand how anti-phishing policies handled suspicious messages and whether users were exposed.
Malware investigationsReview whether organisational protections blocked, quarantined or otherwise handled malicious content.
Security control validationConfirm whether Microsoft 365 policies are applying the expected action against suspicious email.

Common mistakes

OrgLevelAction is useful, but it should not be reviewed on its own.
Looking only at DeliveryActionDeliveryAction shows what happened. OrgLevelAction helps explain the policy decision behind the handling.
Ignoring delivered threatsSome suspicious messages may still be delivered depending on policy configuration, confidence and tenant settings.
Skipping threat contextAlways compare OrgLevelAction with ThreatTypes, DetectionMethods, DeliveryLocation and NetworkMessageId.
The message was not only classified. A policy decision was made.
Use OrgLevelAction to understand how organisational email security policies influenced the final outcome.
Back to Academy →

What you learned

OrgLevelAction explains policy actionIt helps defenders understand how organisational policies influenced message handling.
Policy action needs contextReview OrgLevelAction with ThreatTypes, DetectionMethods, DeliveryAction and DeliveryLocation.
Delivered messages still matterIf a suspicious message was delivered, defenders should review policy action and user exposure.

Related Agent Foskett Academy lessons

Investigating EmailEventsStart with core email evidence including sender, recipient, subject and delivery fields.
Investigating DeliveryLocationDetermine where the message ended up after filtering and policy decisions.
Investigating DeliveryActionUnderstand what Microsoft 365 did with the message during delivery.
Investigating ThreatTypesReview whether Microsoft classified the message as phishing, malware, spam, spoofing or another threat type.
Investigating DetectionMethodsUnderstand how Microsoft identified and classified the email threat.
Investigating EmailDirectionDetermine whether the message was inbound, outbound or internal.
Investigating NetworkMessageIdConnect the same email across URL, click and attachment telemetry.
Investigating EmailAuthenticationResultsReview SPF, DKIM, DMARC and composite authentication outcomes.

Coming next

Lesson 60 — Investigating AuthenticationDetails in Microsoft Defender XDRNext, Agent Foskett Academy will explain how defenders use AuthenticationDetails to review SPF, DKIM, DMARC and composite authentication evidence.
Why this mattersOrgLevelAction explains policy action. AuthenticationDetails helps explain whether the message authentication evidence supported the decision.
What you will learn nextLearn how authentication results support spoofing, phishing, impersonation and delivered-email investigations.

Final thought

The message was not just detected. It was handled by policy.
Agent Foskett mindsetDo not stop at what Microsoft called the message. Ask what organisational policy did with it.
Read the actionOrgLevelAction turns policy handling into investigation context.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating OrgLevelAction in Microsoft Defender XDR

Agent Foskett Academy Lesson 59 teaches defenders how to investigate OrgLevelAction during Microsoft Defender XDR email investigations.

Learn organisational policy action investigation in Defender XDR

This lesson explains how OrgLevelAction, ThreatTypes, DetectionMethods, DeliveryAction, DeliveryLocation and NetworkMessageId help defenders understand how Microsoft 365 organisational policies handled suspicious email.