analyzedMessageEvidence resource type


An email, or analyzed message, that is reported in the alert as evidence.

Inherits from alertEvidence.


Property Type Description
antiSpamDirection String Direction of the email relative to your network. The possible values are: inbound, outbound or intraorg.
attachmentsCount Int64 Number of attachments in the email.
deliveryAction String Delivery action of the email. The possible values are: delivered, deliveredAsSpam, junked, blocked, or replaced.
deliveryLocation String Location where the email was delivered. The possible values are: inbox, external, junkFolder, quarantine, failed, dropped, deletedFolder or forwarded.
internetMessageId String Public-facing identifier for the email that is set by the sending email system.
language String Detected language of the email content.
networkMessageId String Unique identifier for the email, generated by Microsoft 365.
p1Sender The P1 sender.
p2Sender The P2 sender.
receivedDateTime DateTimeOffset Date and time when the email was received.
recipientEmailAddress String Email address of the recipient, or email address of the recipient after distribution list expansion.
senderIp String IP address of the last detected mail server that relayed the message.
subject String Subject of the email.
threatDetectionMethods String collection Collection of methods used to detect malware, phishing, or other threats found in the email.
threats String collection Collection of detection names for malware or other threats found.
urlCount Int64 Number of embedded URLs in the email.
urls String collection Collection of the URLs contained in this email.
urn String Uniform resource name (URN) of the automated investigation where the cluster was identified.



JSON representation

The following is a JSON representation of the resource.

  "@odata.type": "",
  "createdDateTime": "String (timestamp)",
  "verdict": "String",
  "remediationStatus": "String",
  "remediationStatusDetails": "String",
  "roles": [
  "tags": [
  "networkMessageId": "String",
  "internetMessageId": "String",
  "subject": "String",
  "language": "String",
  "senderIp": "String",
  "recipientEmailAddress": "String",
  "antiSpamDirection": "String",
  "deliveryAction": "String",
  "deliveryLocation": "String",
  "urn": "String",
  "threats": [
  "threatDetectionMethods": [
  "urls": [
  "urlCount": "Integer",
  "attachmentsCount": "Integer",
  "receivedDateTime": "String (timestamp)",
  "p1Sender": {
    "@odata.type": ""
  "p2Sender": {
    "@odata.type": ""