| Measurement |
Description |
Measurement Unit |
Interpretation |
| Unique_Senders |
Indicates the number of unique senders of emails. |
Number |
|
| Unique_Receivers |
Indicates the number of unique receivers of emails. |
Number |
|
| Unique_Sender_IPs |
Indicates the number of unique IPs from which emails were sent. |
Number |
|
| Inbound_Mail_Items |
Indicates the number of emails coming into all domains in the monitored tenant. |
Number |
Use the detailed diagnosis of this measure to view the top-10 recipients, in terms of the number of mails they received. This will point administrators to those recipients who have been receiving an abnormally large number of emails and are contributing to the heavy mail traffic on Exchange Online. |
| Inbound_Mails_Size |
Indicates the total size of emails received by the domains in the monitored tenant. |
GB |
Use the detailed diagnosis of this measure to view the top-10 recipients, in terms of the total size of emails they received. |
| Outbound_Mail_Items |
Indicates the number of emails flowing out of the domains in the monitored tenant. |
Number |
Use the detailed diagnosis of this measure to view the top-10 senders, in terms of the number of mails they sent. This will point administrators to those senders who have been sending an abnormally large number of emails and are contributing to the heavy mail traffic on Exchange Online. |
| Outbound_Mails_Size |
Indicates the total size of emails sent by the domains in the monitored tenant. |
GB |
Use the detailed diagnosis of this measure to view the top-10 senders, in terms of the total size of emails they sent. |
| Total_Mail_Items |
Indicates the total number of emails sent/received by domains in the monitored tenant. |
Number |
This measure is the sum of the values of the Inbound_Mail_Items and Outbound_Mail_Items measures.
This is a good indicator of the total mail traffic on Exchange Online. If the value of this measure is abnormally high, you can check the values of the Inbound_Mail_Items and Outbound_Mail_Items measures to determine what is causing the abnormal traffic: a high volume of incoming mails or a high volume of outgoing mails. Based on the result, you can use the detailed diagnosis of the corresponding measure to find out which sender/receiver (as the case may be) is responsible for the abnormal email traffic. |
| Total_Mails_Size |
Indicates the total size of emails sent/received by domains in the monitored tenant. |
GB |
This measure is the sum of the values of the Inbound_Mails_Size and Outbound_Mails_Size measures.
If the value of this measure is abnormally high, you can check the values of the Inbound_Mails_Size and Outbound_Mails_Size measures to determine whether the size of incoming mails is more than that of outgoing mails or vice versa. If Inbound_Mails_Size is abnormally high, then determine which type of incoming mail is of an abnormal size, internal or external, by comparing the values of the Size of internal mails received and Size of external mails received measures. Likewise, if the value of the Outbound_Mails_Size measure is very high, then compare the values of the Size of internal mails sent and Size of external mails sent measures to determine which type of outbound mail activity is suspect owing to abnormal mail size: outgoing internal mail or outgoing external mail. Based on the result, you can use the detailed diagnosis of the corresponding measure to find out which sender's/receiver's (as the case may be) mail size is much higher than the rest. Such a sender's/receiver's mail activity may have to be investigated. |
| Internal_emails_sent |
Indicates the number of emails sent to receivers who are in the same domain as the senders. |
Number |
If the Total_Mail_Items and Outbound_Mail_Items measures report an abnormally high value, then take a look at this measure to figure out if the abnormal outbound email traffic is owing to too many internal mails being sent. Use the detailed diagnosis of this measure to identify who sent the maximum number of internal mails. |
| Size_Intl_mailsent |
Indicates the total size of emails sent to receivers who are in the same domain as the senders. |
GB |
If the Total_Mails_Size and Outbound_Mails_Size measures report abnormally high values, then take a look at this measure to figure out if there is any internal outbound email activity that is suspicious owing to its abnormal size. Use the detailed diagnosis of the Internal_emails_sent measure to identify who sent internal emails of an abnormal size. The mail activity of such senders can be investigated. |
| Internal_emails_recvd |
Indicates the number of emails received by recipients who are in the same domain as the senders. |
Number |
If the Total_Mail_Items and Inbound_Mail_Items measures report an abnormally high value, then take a look at this measure to figure out if the abnormal inbound email traffic is owing to too many internal mails being received. Use the detailed diagnosis of this measure to identify who received the maximum number of internal mails. |
| Size_Intl_mailrecvd |
Indicates the total size of emails received by recipients who are in the same domain as the senders. |
Number |
If the Total_Mails_Size and Inbound_Mails_Size measures report abnormally high values, then take a look at this measure to figure out if there is any internal inbound email activity that is suspicious owing to its abnormal size. Use the detailed diagnosis of the Internal_emails_recvd measure to identify who received internal emails of an abnormal size. The mail activity of such recipients can be investigated. |
| External_emails_sent |
Indicates the number of emails sent to receivers who are in a domain different from that of the senders. |
Number |
If the Total_Mail_Items and Outbound_Mail_Items measures report an abnormally high value, then take a look at this measure to figure out if the abnormal outbound email traffic is owing to too many external mails being sent. Use the detailed diagnosis of this measure to identify who sent the maximum number of external mails. |
| Size_exrtl_mailsent |
Indicates the total size of emails sent to receivers who are in a domain different from that of the senders. |
GB |
If the Total_Mails_Size and Outbound_Mails_Size measures report abnormally high values, then take a look at this measure to figure out if there is any external outbound email activity that is suspicious owing to its abnormal size. Use the detailed diagnosis of the External emails sent measure to identify who sent external emails of an abnormal size. The mail activity of such senders can be investigated. |
| External_emails_recvd |
Indicates the number of emails received by recipients who are in a domain different from that of the senders. |
Number |
If the Total_Mail_Items and Inbound_Mail_Items measures report an abnormally high value, then take a look at this measure to figure out if the abnormal inbound email traffic is owing to too many external mails being received. Use the detailed diagnosis of this measure to identify who received the maximum number of external mails. |
| Size_extl_mailrecvd |
Indicates the total size of emails received by recipients who are in a domain different from that of the senders. |
GB |
If the Total_Mails_Size and Inbound_Mails_Size measures report abnormally high values, then take a look at this measure to figure out if there is any external inbound email activity that is suspicious owing to its abnormal size. Use the detailed diagnosis of the External emails received measure to identify who received external emails of an abnormal size. The mail activity of such recipients can be investigated. |
| Nonecnt |
Indicates the number of emails that were rejected or redirected. |
Number |
If this measure reports a non-zero value, then use the detailed diagnosis of the measure to know which messages were rejected/redirected. Using this information, you can figure out if your message flow rules need to be tweaked. |
| Failedcnt |
Indicates the number of messages that could not be delivered. |
Number |
Ideally, the value of this measure should be 0. If this measure reports a non-zero value, it means that one or more messages could not be delivered. In this case, use the detailed diagnosis of this measure to identify the emails for which delivery failed.
An email delivery is considered to have failed if delivery was attempted and failed, or if the message was not delivered as a result of actions taken by the filtering service, e.g., if the message was determined to contain malware. |
| Pendingcnt |
Indicates the number of messages that are waiting to be delivered. |
Number |
Typically, an email's status will be Pending if its delivery is being attempted or re-attempted.
If the value of this measure increases consistently, it could hint at a processing bottleneck on Exchange Online. This may warrant further investigation. In this case, use the detailed diagnosis of this measure to identify the emails that are yet to be delivered. |
| Getting_status |
Indicates the number of emails that are in the Getting status presently. |
Number |
If an email is in the Getting status, it means that the email was recently received by Office 365, but no other status data is yet available. You may have to check back in a few minutes. |
| Delvrycnt |
Indicates the number of emails that were successfully delivered. |
Number |
A high value is desired for this measure. |
| Resloved |
Indicates the number of emails that are in the RESOLVED status currently. |
Number |
A RESOLVED event is triggered if a message was redirected to a new recipient address based on an Active Directory lookup. When this happens, the original recipient address is listed in a separate row in the message trace along with the final delivery status for the message. |
| Filtered_as_spam |
Indicates the number of emails that were filtered as spam. |
Number |
If this measure reports a non-zero value, it means that one or more mails have been identified as spam, and were rejected or blocked (not quarantined). |
| Expandcnt |
Indicates the number of emails in the Expanded state currently. |
Number |
The delivery status of a message is set as Expanded, if the message was sent to a distribution group that was expanded. |
| Quarantined |
Indicates the number of emails that have been quarantined. |
Number |
You can set up quarantine for incoming email messages in Office 365 where messages that have been filtered as spam, bulk mail, phishing mail, mail that contains malware, and mail that matched a specified mail flow rule can be kept for later review.
As an Office 365 user, you can manage messages that were sent to quarantine instead of sent to you in one of two ways: by responding to spam notifications sent to you directly (if your admin has set this up), or by using the Security & Compliance Center.
|
| Unknown |
Indicates the number of emails for which the delivery status is Unknown presently. |
Number |
Ideally, the value of this measure should be 0. |
| Unq_outbud_doms |
Indicates the number of unique domains that sent emails to the domains in the monitored Office 365 tenant. |
Number |
Use the detailed diagnosis of this measure to know the outbound domains. |
| Unq_innbud_doms |
Indicates the number of unique domains that received emails from the domains in the monitored tenant. |
Number |
Use the detailed diagnosis of this measure to know the inbound domains. |
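
The size drill-down described for Total_Mails_Size (direction first, then internal versus external, then the top sender or receiver), worked through in Python over constructed message-trace rows. This is an added example, not code from the monitoring product or from Microsoft; the tenant domain, the addresses, the row layout and 1 GB = 10^9 bytes are assumptions.

```python
from collections import Counter

TENANT_DOMAINS = {"contoso.example"}  # assumption: domains of the monitored tenant

# Constructed message-trace rows: (sender, recipient, size in bytes)
TRACE = [
    ("alice@contoso.example", "bob@contoso.example", 40_000),
    ("alice@contoso.example", "vendor@partner.example", 120_000),
    ("carol@contoso.example", "drop@files.example", 900_000_000),
    ("carol@contoso.example", "drop@files.example", 850_000_000),
    ("news@partner.example", "bob@contoso.example", 2_000_000),
    ("bob@contoso.example", "alice@contoso.example", 60_000),
]

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

def measures(trace):
    """Bytes per (direction, scope) and per party within each bucket.

    ("outbound", "internal") corresponds to Size_Intl_mailsent,
    ("inbound", "external") to Size_extl_mailrecvd, and so on.
    An internal mail counts once as outbound and once as inbound.
    """
    size, parties = Counter(), {}
    for sender, rcpt, nbytes in trace:
        scope = "internal" if domain(sender) == domain(rcpt) else "external"
        for direction, party in (("outbound", sender), ("inbound", rcpt)):
            if domain(party) in TENANT_DOMAINS:
                key = (direction, scope)
                size[key] += nbytes
                parties.setdefault(key, Counter())[party] += nbytes
    return size, parties

def drill_down(trace):
    """Follow the table's triage order; returns None when there is no traffic."""
    size, parties = measures(trace)
    if not size:
        return None
    # Step 1: Inbound_Mails_Size versus Outbound_Mails_Size
    direction = max(("inbound", "outbound"),
                    key=lambda d: size[(d, "internal")] + size[(d, "external")])
    # Step 2: internal versus external within that direction
    scope = max(("internal", "external"), key=lambda s: size[(direction, s)])
    # Step 3: the party the detailed diagnosis would list first
    who, nbytes = parties[(direction, scope)].most_common(1)[0]
    return direction, scope, who, round(nbytes / 1e9, 2)

if __name__ == "__main__":
    print(drill_down(TRACE))
```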