Merge pull request #4960 from ajaj-shaikh/patch-13

chrisda · web-flow · commit 9767517f664d · 2025-09-08T08:37:06.000-07:00
Update threat-explorer-real-time-detections-about.md
diff --git a/defender-office-365/threat-explorer-real-time-detections-about.md b/defender-office-365/threat-explorer-real-time-detections-about.md
@@ -7,7 +7,7 @@ ms.author: chrisda
 manager: bagol
 audience: ITPro
 ms.topic: concept-article
-ms.date: 08/28/2025
+ms.date: 09/08/2025
 ms.localizationpriority: medium
 ms.collection:
   - m365-security
@@ -203,7 +203,7 @@ The filterable properties that are available in the **Delivery action** box in t
 |**Advanced**||
 |Internet Message ID|Text. Separate multiple values by commas. <br/><br/> Available in the **Message-ID** header field in the message header. An example value is `<08f1e0f6806a47b4ac103961109ae6ef@server.domain>` (note the angle brackets).|
 |Network message ID|Text. Separate multiple values by commas. <br/><br/> A GUID value that's available in the **X-MS-Exchange-Organization-Network-Message-Id** header field in the message header.|
-|Sender IP|Text. Separate multiple values by commas.|
+|Sender IP²|Text. Separate multiple values by commas.|
 |Attachment SHA256|Text. Separate multiple values by commas.|
 |Cluster ID|Text. Separate multiple values by commas.|
 |Alert ID|Text. Separate multiple values by commas.|
@@ -212,10 +212,10 @@ The filterable properties that are available in the **Delivery action** box in t
 |ZAP URL signal|Text. Separate multiple values by commas.|
 |**Urls**||
 |URL Count|Integer. Separate multiple values by commas.|
-|URL domain²|Text. Separate multiple values by commas.|
-|URL domain and path²|Text. Separate multiple values by commas.|
-|URL²|Text. Separate multiple values by commas.|
-|URL path²|Text. Separate multiple values by commas.|
+|URL domain³|Text. Separate multiple values by commas.|
+|URL domain and path³|Text. Separate multiple values by commas.|
+|URL³|Text. Separate multiple values by commas.|
+|URL path³|Text. Separate multiple values by commas.|
 |URL source|Select one or more values: <ul><li>**Attachments**</li><li>**Cloud attachment**</li><li>**Email body**</li><li>**Email header**</li><li>**QR Code**</li><li>**Subject**</li><li>**Unknown**</li></ul>|
 |Click verdict|Select one or more values: <ul><li>**Allowed**: The user was allowed to open the URL.</li><li>**Block overridden**: The user was blocked from directly opening the URL, but they overrode the block to open the URL.</li><li>**Blocked**: The user was blocked from opening the URL.</li><li>**Error**: The user was presented with the error page, or an error occurred in capturing the verdict.</li><li>**Failure**: An unknown exception occurred while capturing the verdict. The user might have opened the URL.</li><li>**None**: Unable to capture the verdict for the URL. The user might have opened the URL.</li><li>**Pending verdict**: The user was presented with the detonation pending page.</li><li>**Pending verdict bypassed**: The user was presented with the detonation page, but they overrode the message to open the URL.</li></ul>|
 |URL Threat|Select one or more values: <ul><li>**Malware**</li><li>**Phish**</li><li>**Spam**</li></ul>|
@@ -232,19 +232,26 @@ The filterable properties that are available in the **Delivery action** box in t
 |Composite|Select one or more values: <ul><li>**Fail**</li><li>**None**</li><li>**Pass**</li><li>**Soft pass**</li></ul>|
 
 > [!TIP]
-> ¹ **Latest delivery location** doesn't include end-user actions on messages. For example, if the user deleted the message or moved the message to an archive or PST file.
 >
-> There are scenarios where **Original delivery location**/**Latest delivery location** and/or **Delivery action** have the value **Unknown**. For example:
+> - ¹ **Latest delivery location** doesn't include end-user actions on messages. For example, if the user deleted the message or moved the message to an archive or PST file.
 >
-> - The message was delivered (**Delivery action** is **Delivered**), but an Inbox rule moved the message to a default folder other than the Inbox or Junk Email folder (for example, the Draft or Archive folder).
-> - ZAP attempted to move the message after delivery, but the message wasn't found (for example, the user moved or deleted the message).
+>   There are scenarios where **Original delivery location**/**Latest delivery location** and/or **Delivery action** have the value **Unknown**. For example:
 >
-> ² By default, a URL search maps to `http`, unless another value is explicitly specified. For example:
+>   - The message was delivered (**Delivery action** is **Delivered**), but an Inbox rule moved the message to a default folder other than the Inbox or Junk Email folder (for example, the Draft or Archive folder).
+>   - ZAP attempted to move the message after delivery, but the message wasn't found (for example, the user moved or deleted the message).
 >
-> - Searching with and without the `http://` prefix in **URL**, **URL Domain**, and **URL Domain and Path** should show the same results.
-> - Search for the `https://` prefix in **URL**. When no value is specified, the `http://` prefix is assumed.
-> - `/` at the beginning and end of the **URL path**, **URL Domain**, **URL domain and path** fields is ignored.
-> - `/` at the end of the **URL** field is ignored.
+> - ² **Sender IP** values are sometimes logged as empty or 0.0.0.0 in the following scenarios:
+>   - Automatic replies.
+>   - Undelivered email where delivery has failed.
+>   - Email where the sender IP address is Microsoft internal. For example, system generated notifications, alerts, or forwarded messages delivered from Microsoft IP addresses.
+>
+>   IP addresses in these scenarios might be visisble in Exchange message trace.
+>   
+> - ³ By default, a URL search maps to `http`, unless another value is explicitly specified. For example:
+>   - Searching with and without the `http://` prefix in **URL**, **URL Domain**, and **URL Domain and Path** should show the same results.
+>   - Search for the `https://` prefix in **URL**. When no value is specified, the `http://` prefix is assumed.
+>   - `/` at the beginning and end of the **URL path**, **URL Domain**, **URL domain and path** fields is ignored.
+>   - `/` at the end of the **URL** field is ignored.
 
 ### Pivots for the chart in the All email view in Threat Explorer
 
