Email Message Tracking Parent topic

Track any email message that passed through TippingPoint Advanced Threat Protection for Email, including blocked and delivered messages. TippingPoint Advanced Threat Protection for Email records message details, including the sender, recipients, and the taken policy action.
Message tracking logs indicate if an email message was received or sent by TippingPoint Advanced Threat Protection for Email. Message tracking logs also provide evidence about TippingPoint Advanced Threat Protection for Email investigating an email message.

Querying Message Tracking Logs Parent topic

Procedure

  1. Go to LogsMessage Tracking.
  2. Specify the search criteria.
    Note
    Note
    No wildcards are supported. TippingPoint Advanced Threat Protection for Email uses fuzzy logic to match search results.
    Filter
    Description
    Period
    Select a predefined time range.
    Custom range
    Specify a starting and ending time range.
    Recipients
    Specify recipient email addresses. Use a semicolon to separate multiple recipients.
    Sender
    Specify sender email addresses. Use a semicolon to separate multiple senders.
    Subject
    Specify the email message subject.
    Message ID
    Specify the unique message ID.
    Example: 950124.162336@example.com
    Source IP
    Specify the MTA IP address nearest to the email sender. The source IP is the IP address of the attack source, compromised MTA, or a botnet with mail relay capabilities.
    A compromised MTA is usually a third-party open mail relay used by attackers to send malicious email messages or spam without detection.
    Risk level
    Select the email message risk level. For details about risk levels, see Email Message Risk Levels.
    Latest status
    Select any of the following check boxes:
    • Deleted from quarantine: Messages that were manually deleted from the Quarantine.
    • Delivered/Processing completed: Messages that were delivered. In BCC mode and SPAN/TAP mode, email messages with this status are discarded.
    • Delivery unsuccessful: Messages that could not be delivered. In BCC mode and SPAN/TAP mode, email messages are never delivered.
    • Quarantined: Messages that were quarantined in keeping with your TippingPoint Advanced Threat Protection for Email policies. In BCC mode and SPAN/TAP mode, email messages are never quarantined.
    • Queued for delivery: Messages that are pending delivery. In BCC mode and SPAN/TAP mode, email messages with this status are queued to be discarded.
    • Queued for sandbox analysis: Messages that are pending analysis.
  3. Click Query.
    Logs matching the search criteria appear in the table. The query results include message ID, recipients, sender, subject, risk level, latest status, and received timestamp.
  4. View the results.
    • Click the more_details_arrow.jpg icon next to a row to view detailed information about the email message.
      Field
      Description
      Source IP
      View the MTA IP address nearest to the email message sender.
      Example: 123.123.123.123.
      Processing history
      View how TippingPoint Advanced Threat Protection for Email processed the email message. The following are the possible processing actions:
      • Action set to 'pass':
        • The Pass policy action was applied to the email message.
        • A copy of the email message was released by the user. This only applies if the Strip attachments and tag policy was applied to the original email message.
      • Deleted: The email message was deleted from the Quarantine folder.
      • Delivered: The email message was delivered.
      • Not analyzed: Virtual Analyzer was unable to complete the analysis for the reason specified.
      • Processing completed: Analysis was completed and the email message was discarded. This is the final status in BCC and SPAN/TAP mode.
      • Quarantined: The email message was quarantined in keeping with your TippingPoint Advanced Threat Protection for Email policies. In BCC mode and SPAN/TAP mode, email messages are never quarantined.
      • Queued for delivery: The email message is pending delivery. In BCC mode and SPAN/TAP mode, email messages with this status are queued to be discarded.
      • Received: The email message was received by ATP Email.
      • Sent for analysis: The email message was sent to Virtual Analyzer for analysis.
      • Stripped: Attachments were stripped from the email message and it was passed for delivery.
      Action
      Do any of the following:
      Quarantined Message:
      • View in Quarantine
      • Release from Quarantine
      • View in Threat Messages
      Non-Quarantined Message, with high/medium/low risk level:
      View in Threat Messages
      No Risk Message:
      No Action Links
    Note
    Note
    TippingPoint Advanced Threat Protection for Email sorts logs using UTC 0 time, even if the display is in local time.
  5. Perform additional actions.
    • Click Export to save the query results in a CSV file.
    • From the bottom-right of the control panel, select the results to show per page or view the next results page.