Understanding Policy Events

This screen enables you to track email messages in which various threats were detected.

Trend Micro Email Security maintains up to 30 days of logs for policy events.

A single query can cover up to seven continuous days, whether those days fall within one calendar month or span two.

The Policy Events screen provides the following search criteria:

  • Dates: The time range for your query.

  • Direction: The direction of messages.

  • Recipient: The recipient email address.

  • Sender: The sender email address.

  • Subject: The message subject.

  • Rule Name: The triggered rule that you want to query.

  • Threat Type

    • Ransomware: Query the messages that are identified as ransomware.

    • Malware: Query the messages that triggered the malware criteria.

      When Malware is selected as the threat type, the Detected by field appears with the following options:

      • All: Query all messages.

      • Predictive Machine Learning: Query the messages containing malware, as detected by Predictive Machine Learning.

      • Pattern-based scanning: Query the messages containing malware, as detected by traditional pattern-based scanning.

    • Suspicious Objects: Query the messages that contain suspicious files and URLs.

      • All: Query all messages containing suspicious objects.

      • Suspicious Files: Query all messages containing suspicious files.

      • Suspicious URLs: Query all messages containing suspicious URLs.

    • Data Loss Prevention: Query the messages that triggered the Data Loss Prevention policy.

    • Advanced Persistent Threat: Query the messages that triggered the advanced threat policy.

      • Analyzed advanced threats: Query the messages that are identified as threats according to Virtual Analyzer and the policy configuration.

      • Probable advanced threats: Query the messages that are treated as suspicious according to policy configuration or the messages that are not sent to Virtual Analyzer due to exceptions that occurred during analysis.

      • All: Query all messages.

    • Business Email Compromise (BEC): Query the messages that triggered the Business Email Compromise (BEC) criteria.

      • Analyzed: Query the messages that are verified to be BEC attacks.

      • Probable: Query the messages that are suspected to be BEC attacks.

    • Phishing: Query the messages that triggered the phishing criteria.

    • Domain-based Authentication: Query the messages that failed to pass domain-based authentication.

      • All: Query the messages that failed SPF, DKIM, and DMARC authentication.

      • Sender IP Match: Query the messages that failed Sender IP Match check.

      • SPF: Query the messages that failed SPF check.

      • DKIM: Query the messages that failed DKIM verification.

      • DMARC: Query the messages that failed DMARC authentication.

    • Graymail: Query the messages that triggered the graymail criteria.

      • Marketing message and newsletter

      • Social network notification

      • Forum notification

    • Web Reputation: Query the messages that triggered the Web Reputation criteria.

    • Content: Query the messages that triggered the message content criteria, for example, a message whose header, body, or attachment matches the specified keywords or expressions.

    • Attachment: Query the messages that triggered the message attachment criteria.

    • Scan Exception: Query the messages that triggered scan exceptions.

    • All: Query all messages.

  • Message ID: A unique identifier for the message.

When you query the email policy event, Trend Micro Email Security provides a list of all messages that satisfy the criteria.

You can click Search at any time to execute the query again. Use the various criteria fields to restrict your searches.

The most efficient way to track policy events is to provide the sender and recipient email addresses, the message subject, and the message ID, together with the time range that you want to search. Recipient and Sender cannot both use the wildcard character in the same query.

Detailed policy event information is displayed, including:

  • Timestamp: The time the policy event occurred. Click on the Timestamp value to view the event details for a given message.

  • Sender: The sender of the message.

  • Recipient: The recipient of the message.

  • Message Size: The size of the message. This information is not always available.

  • Rule Name: The name of the triggered policy rule that is used to analyze the message.

  • Threat Type: The threat that triggered the policy event.

  • Risk Rating: The risk rating of the message identified by Virtual Analyzer.

  • Action: The action taken on the message. The possible actions are:

    • BCC: Send a blind carbon copy (BCC) to the authorized recipients according to the triggered policy.

    • Bypass: Ignore the message and do not intercept it.

    • Change recipient: Redirect the message to a different recipient according to the triggered policy established by the authorized mail administrator of this mail domain.

    • Clean: Remove viruses from the message.

    • Delete Attachment: Delete the attachment from the email message.

    • Deliver: Deliver the message to the downstream MTA responsible for transporting the message to its destination.

    • Insert X-Header: Add an X-Header to the email message header.

    • Insert Stamp: Insert a block of text into the email message body.

    • Delete Message: Delete the message according to the policy established by the authorized mail administrator of this mail domain.

    • Send Notification: Send a notification message to the recipient when the policy is triggered.

    • Quarantine: Hold the message in quarantine as detected spam or graymail before delivery to the email account. Messages held in quarantine can be reviewed and then manually deleted or delivered.

    • Tag Subject: Insert a block of text defined in the policy into the message subject line.

    • Encryption in progress: Encrypt the message. After encryption is complete, Trend Micro Email Security will queue the message for delivery.

    • Reject: Block the message before it arrives at Trend Micro Email Security.

  • Scanned File Report: The report for the attached files in the message. If the file is analyzed for advanced threats, the risk level for the file is displayed here. If the report exists, click View report to see the detailed report.

    Detailed reports are available only for suspicious files that are analyzed by Virtual Analyzer.

  • DLP Incident: The information about the DLP incident triggered by the message. Click View Details to check the incident details.

    This information is available only for messages that violated DLP policies.

Note:

If an email message has multiple recipients, the results are organized separately for each recipient.
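The query limits described on this page (30-day log retention, a query window of at most seven continuous days, and no wildcard in both Sender and Recipient at once) and the per-recipient organization of results are easy to trip over when scripting an investigation. The following Python helpers are an added example, not code from Trend Micro Email Security or its documentation: they check a query against those limits, split a longer investigation range into valid seven-day windows clipped to the retention period, and count distinct messages in per-recipient result rows by Message ID. The `*` wildcard character, the exact retention boundary, and the row field names are assumptions; the sample rows are constructed.

```python
"""Hypothetical helpers for planning Policy Events queries within the limits the page states."""
from datetime import date, timedelta
from typing import Dict, List, Tuple

RETENTION_DAYS = 30   # page: policy event logs are kept for up to 30 days
MAX_QUERY_DAYS = 7    # page: one query covers at most seven continuous days
WILDCARD = "*"        # assumption: the page does not name the wildcard character


def _d(iso: str) -> date:
    """Parse an ISO date string (YYYY-MM-DD)."""
    return date.fromisoformat(iso)


def validate_query(q: Dict[str, str], today_iso: str) -> List[str]:
    """Return the reasons a query would be rejected (empty list when it is valid).

    Keys mirror the screen's criteria: start, end (inclusive), sender, recipient,
    subject, message_id. Only start and end are required here.
    """
    problems: List[str] = []
    today = _d(today_iso)
    start, end = _d(q["start"]), _d(q["end"])
    oldest = today - timedelta(days=RETENTION_DAYS)   # assumed retention boundary

    if end < start:
        problems.append("end date precedes start date")
    elif (end - start).days + 1 > MAX_QUERY_DAYS:
        problems.append(f"range covers {(end - start).days + 1} days; maximum is {MAX_QUERY_DAYS}")
    if start < oldest:
        problems.append(f"start date is older than the {RETENTION_DAYS}-day retention period")
    if end > today:
        problems.append("end date is in the future")
    if WILDCARD in q.get("sender", "") and WILDCARD in q.get("recipient", ""):
        problems.append("Sender and Recipient cannot both use the wildcard character")
    return problems


def query_windows(start_iso: str, end_iso: str, today_iso: str) -> List[Tuple[str, str]]:
    """Split an investigation range into consecutive windows of at most MAX_QUERY_DAYS
    days, dropping any part that falls outside the retention period or in the future."""
    today = _d(today_iso)
    oldest = today - timedelta(days=RETENTION_DAYS)
    cursor = max(_d(start_iso), oldest)
    end = min(_d(end_iso), today)
    windows: List[Tuple[str, str]] = []
    while cursor <= end:
        win_end = min(cursor + timedelta(days=MAX_QUERY_DAYS - 1), end)
        windows.append((cursor.isoformat(), win_end.isoformat()))
        cursor = win_end + timedelta(days=1)
    return windows


def count_unique_messages(rows: List[Dict[str, str]]) -> int:
    """Results are organized per recipient, so one multi-recipient message appears as
    several rows; count distinct Message IDs rather than rows to count messages."""
    return len({row["message_id"] for row in rows})


# Constructed sample rows shaped like the result columns listed on the page (not real
# product output): one message to two recipients plus one single-recipient message.
SAMPLE_ROWS = [
    {"timestamp": "2024-05-02 09:14:03", "sender": "billing@example.net",
     "recipient": "alice@example.com", "rule_name": "BEC policy",
     "threat_type": "Business Email Compromise", "action": "Quarantine",
     "message_id": "<m1@example.net>"},
    {"timestamp": "2024-05-02 09:14:03", "sender": "billing@example.net",
     "recipient": "bob@example.com", "rule_name": "BEC policy",
     "threat_type": "Business Email Compromise", "action": "Quarantine",
     "message_id": "<m1@example.net>"},
    {"timestamp": "2024-05-03 16:40:51", "sender": "news@example.org",
     "recipient": "alice@example.com", "rule_name": "Graymail policy",
     "threat_type": "Graymail", "action": "Tag Subject",
     "message_id": "<m2@example.org>"},
]

if __name__ == "__main__":
    today = "2024-05-31"
    print(validate_query({"start": "2024-05-01", "end": "2024-05-08"}, today))
    print(query_windows("2024-04-15", "2024-05-20", today))
    print(len(SAMPLE_ROWS), "rows,", count_unique_messages(SAMPLE_ROWS), "messages")
```

Run the module directly to see a rejected eight-day range, a 15 April to 20 May investigation clipped to retention and split into three windows, and three result rows that represent only two messages.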