From 1e8b96ffe5a967870fb588e7d9c4069c6de0aa68 Mon Sep 17 00:00:00 2001
From: Ben Harris
Date: Sun, 7 Dec 2025 11:58:20 +0000
Subject: [PATCH] Fix query conditions for email overrides

Updated queries to filter emails with OrgLevelAction 'Allow' and no ThreatTypes detected for specific types
---
 .../step-by-step-guides/review-allow-entries.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/defender-office-365/step-by-step-guides/review-allow-entries.md b/defender-office-365/step-by-step-guides/review-allow-entries.md
index 12b3d2e9ec..0232f4654d 100644
--- a/defender-office-365/step-by-step-guides/review-allow-entries.md
+++ b/defender-office-365/step-by-step-guides/review-allow-entries.md
@@ -66,7 +66,7 @@ This query looks for emails that were overridden by IP, without any detection th
 
 ```kusto
 EmailEvents
-| where OrgLevelAction == "Allow" and ThreatTypes != ""
+| where OrgLevelAction == "Allow" and ThreatTypes == ""
 |summarize count() by SenderIPv4
 | top 10 by count_
 ```
@@ -77,7 +77,7 @@ This query looks for emails that were overridden by sending domain without any d
 
 ```kusto
 EmailEvents
-| where OrgLevelAction == "Allow" and ThreatTypes != ""
+| where OrgLevelAction == "Allow" and ThreatTypes == ""
 |summarize count() by SenderFromDomain
 | top 10 by count_
 ```
@@ -88,7 +88,7 @@ This query looks for emails that were overridden by sending address without any
 
 ```kusto
 EmailEvents
-| where OrgLevelAction == "Allow" and ThreatTypes != ""
+| where OrgLevelAction == "Allow" and ThreatTypes == ""
 |summarize count() by SenderFromAddress
 | top 10 by count_
 ```
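Review bot: The new `where` line in the first hunk, repeated unchanged in the hunks at lines 77 and 88, matches every message with an organization-level allow and no detection, so nothing restricts the results to overrides made by IP, by sending domain or by sending address as the hunk-header text describes. The three queries differ only in the `summarize` key, so an allow created by one mechanism is counted in all three lists, and a reviewer cannot tell which allow entry to remove. Consider adding a filter on the policy that produced the allow, for example `| where OrgLevelPolicy == "<policy value for this override type>"` (the value is not visible in this patch, so it is left as a placeholder). In the first query, grouping by `SenderIPv4` probably also collapses mail received over IPv6 into a single empty-key row that can crowd the top 10; `| where isnotempty(SenderIPv4)` before the `summarize` would avoid that.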