{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "#/components/schemas/microsoft.graph.security.analyzedMessageEvidence", "title": "microsoft.graph.security.analyzedMessageEvidence", "allOf": [ { "$ref": "#/components/schemas/microsoft.graph.security.alertEvidence" }, { "title": "analyzedMessageEvidence", "required": [ "@odata.type" ], "type": "object", "properties": { "antiSpamDirection": { "type": "string", "description": "Direction of the email relative to your network. The possible values are: inbound, outbound or intraorg.", "nullable": true }, "attachmentsCount": { "type": "number", "description": "Number of attachments in the email.", "format": "int64", "nullable": true }, "deliveryAction": { "type": "string", "description": "Delivery action of the email. The possible values are: delivered, deliveredAsSpam, junked, blocked, or replaced.", "nullable": true }, "deliveryLocation": { "type": "string", "description": "Location where the email was delivered. The possible values are: inbox, external, junkFolder, quarantine, failed, dropped, deletedFolder or forwarded.", "nullable": true }, "internetMessageId": { "type": "string", "description": "Public-facing identifier for the email that is set by the sending email system.", "nullable": true }, "language": { "type": "string", "description": "Detected language of the email content.", "nullable": true }, "networkMessageId": { "type": "string", "description": "Unique identifier for the email, generated by Microsoft 365.", "nullable": true }, "p1Sender": { "anyOf": [ { "$ref": "#/components/schemas/microsoft.graph.security.emailSender" }, { "type": "object", "nullable": true } ], "description": "The P1 sender." }, "p2Sender": { "anyOf": [ { "$ref": "#/components/schemas/microsoft.graph.security.emailSender" }, { "type": "object", "nullable": true } ], "description": "The P2 sender." }, "receivedDateTime": { "pattern": "^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$", "type": "string", "description": "Date and time when the email was received.", "format": "date-time", "nullable": true }, "recipientEmailAddress": { "type": "string", "description": "Email address of the recipient, or email address of the recipient after distribution list expansion.", "nullable": true }, "senderIp": { "type": "string", "description": "IP address of the last detected mail server that relayed the message.", "nullable": true }, "subject": { "type": "string", "description": "Subject of the email.", "nullable": true }, "threatDetectionMethods": { "type": "array", "items": { "type": "string", "nullable": true }, "description": "Collection of methods used to detect malware, phishing, or other threats found in the email." }, "threats": { "type": "array", "items": { "type": "string", "nullable": true }, "description": "Collection of detection names for malware or other threats found." }, "urlCount": { "type": "number", "description": "Number of embedded URLs in the email.", "format": "int64", "nullable": true }, "urls": { "type": "array", "items": { "type": "string", "nullable": true }, "description": "Collection of the URLs contained in this email." }, "urn": { "type": "string", "description": "Uniform resource name (URN) of the automated investigation where the cluster was identified.", "nullable": true }, "@odata.type": { "type": "string", "default": "#microsoft.graph.security.analyzedMessageEvidence" } } } ], "x-ms-discriminator-value": "#microsoft.graph.security.analyzedMessageEvidence" }