You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-office-365/threat-explorer-real-time-detections-about.md
+8-2Lines changed: 8 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -232,19 +232,25 @@ The filterable properties that are available in the **Delivery action** box in t
232
232
|Composite|Select one or more values: <ul><li>**Fail**</li><li>**None**</li><li>**Pass**</li><li>**Soft pass**</li></ul>|
233
233
234
234
> [!TIP]
235
-
> ¹ **Latest delivery location** doesn't include end-user actions on messages. For example, if the user deleted the message or moved the message to an archive or PST file.
235
+
> **Latest delivery location** doesn't include end-user actions on messages. For example, if the user deleted the message or moved the message to an archive or PST file.
236
236
>
237
237
> There are scenarios where **Original delivery location**/**Latest delivery location** and/or **Delivery action** have the value **Unknown**. For example:
238
238
>
239
239
> - The message was delivered (**Delivery action** is **Delivered**), but an Inbox rule moved the message to a default folder other than the Inbox or Junk Email folder (for example, the Draft or Archive folder).
240
240
> - ZAP attempted to move the message after delivery, but the message wasn't found (for example, the user moved or deleted the message).
241
241
>
242
-
> ² By default, a URL search maps to `http`, unless another value is explicitly specified. For example:
242
+
> By default, a URL search maps to `http`, unless another value is explicitly specified. For example:
243
243
>
244
244
> - Searching with and without the `http://` prefix in **URL**, **URL Domain**, and **URL Domain and Path** should show the same results.
245
245
> - Search for the `https://` prefix in **URL**. When no value is specified, the `http://` prefix is assumed.
246
246
> -`/` at the beginning and end of the **URL path**, **URL Domain**, **URL domain and path** fields is ignored.
247
247
> -`/` at the end of the **URL** field is ignored.
248
+
>
249
+
> **Sender IP** values are sometimes logged as empty or 0.0.0.0 for the following cases but the IP address might be visible in Exchange Message Trace:
250
+
>
251
+
> - Automatic replies
252
+
> - Undelivered emails where delivery has failed
253
+
> - Emails where sender IP is Microsoft internal IP (such as system generated notifications or alerts, forwarded messages delivered from Microsoft IP etc.)
248
254
249
255
### Pivots for the chart in the All email view in Threat Explorer
0 commit comments