I was trying to check the info of user clicking URLs which were from E-mails, so I joined Emailevents on URLClickevents like below:
| join UrlClickEvents on NetworkMessageId
| where Url contains ""
| project ActionType,AccountUpn,urlrelativeIP=IPAddress,Subject,SenderFromAddress,SenderIPv4,AuthenticationDetails,DeliveryLocation,Url,RecipientEmailAddress,UrlChain
I got result like below:
the pic. is about the same user's log about clicking on a same URL via a single E-mail, I believe they are about a same session, (the user name column has been hidden):
In the left column, it is actually the IP address column in URLclikevents schema, it should be PC's assigned IP address, but we can see that the user has 127.0.0.1 and also the IPV6 version(::1), then the user also has an I.P. address which could be use to access to the internet.
My question is, why is this user(user's PC) has 127.0.0.1(or ::1) as assigned IP address? Some users only have 127.0.0.1(or ::1) in this column, to my knowledge, users can not access to the internet with Loopback Address.
Could anyone please kindly tell me what can cause the log be like this?
Will be very appreciate if someone can help me on this : )