Email Message Tracking

Track any email message that passed through TippingPoint Advanced Threat Protection for Email, including blocked and delivered messages. TippingPoint Advanced Threat Protection for Email records message details, including the sender, the recipients, and the policy action taken.
Message tracking logs indicate whether an email message was received or sent by TippingPoint Advanced Threat Protection for Email. Message tracking logs also provide evidence that TippingPoint Advanced Threat Protection for Email investigated an email message.

Querying Message Tracking Logs

Procedure

  1. Go to Logs > Message Tracking.
  2. Specify the search criteria.
    Note
    No wildcards are supported. TippingPoint Advanced Threat Protection for Email uses fuzzy logic to match search results.
    Filters and their descriptions:
    Period: Select a predefined time range or specify a custom range.
    Recipients: Specify a recipient email address. Only one address is allowed.
    To: Specify a primary recipient email address in the email header.
    Sender: Specify the sender email address.
    From: Specify the author email address in the email header.
    Subject: Specify the email message subject.
    Message ID: Specify the unique message ID.
    Example: 20160603021433.F0304120A7A@example.com
    Source IP: Specify the MTA IP address nearest to the email sender. The source IP is the IP address of the attack source, a compromised MTA, or a botnet with mail relay capabilities.
    A compromised MTA is usually a third-party open mail relay used by attackers to send malicious email messages or spam without detection.
    Risk level: Select All or the email message risk level.
    Latest status: Select any of the following check boxes:
    • Deleted from quarantine: Messages that were manually deleted from the Quarantine.
    • Delivered/Processing completed: Messages that were delivered. In BCC mode and SPAN/TAP mode, email messages with this status are discarded.
    • Delivery unsuccessful: Messages that could not be delivered. In BCC mode and SPAN/TAP mode, email messages are never delivered.
    • Quarantined: Messages that were quarantined in keeping with your TippingPoint Advanced Threat Protection for Email policies. In BCC mode and SPAN/TAP mode, email messages are never quarantined.
    • Queued for delivery: Messages that are pending delivery. In BCC mode and SPAN/TAP mode, email messages with this status are queued to be discarded.
    • Queued for sandbox analysis: Messages that are pending analysis.
  3. Click Query.
    Logs matching the search criteria appear in the table. The query results include message ID, recipients, sender, subject, risk level, latest status, and received timestamp.
    Note
    You can clear the search criteria by clicking Clear filters.
  4. View the results.
    • Click the more details arrow icon next to a row to view detailed information about the email message.
      Fields and their descriptions:
      Message details
      Source IP: Displays the MTA IP address nearest to the email message sender.
      Example: 123.123.123.123
      Processing history: View how TippingPoint Advanced Threat Protection for Email processed the email message. The following are the possible processing actions:
      • Action set to 'pass':
        • The Pass policy action was applied to the email message.
        • A copy of the email message was released by the user. This only applies if the 'Strip attachments, redirect links to blocking page, and tag' or the 'Strip attachments, redirect links to warning page, and tag' policy action was applied to the original email message.
      • Deleted: The email message was deleted from the Quarantine folder.
      • Delivered: The email message was delivered.
      • Not analyzed: Virtual Analyzer was unable to complete the analysis for the reason specified.
      • Processing completed: Analysis was completed and the email message was discarded. This is the final status in BCC and SPAN/TAP mode.
      • Quarantined: The email message was quarantined in keeping with your TippingPoint Advanced Threat Protection for Email policies. In BCC mode and SPAN/TAP mode, email messages are never quarantined.
      • Queued for delivery: The email message is pending delivery. In BCC mode and SPAN/TAP mode, email messages with this status are queued to be discarded.
      • Received: The email message was received by TippingPoint Advanced Threat Protection for Email.
      • Sent for analysis: The email message was sent to Virtual Analyzer for analysis.
      • Stripped: Attachments were stripped from the email message and it was passed for delivery.
      Action: Do any of the following, depending on the message:
      Quarantined message:
      • View in Quarantine
      • Release from Quarantine
      • View in Threat Messages
      Non-quarantined message with a high, medium, or low risk level:
      • View in Threat Messages
      No-risk message:
      • No action links are available.
    Note
    TippingPoint Advanced Threat Protection for Email sorts logs using UTC 0 time, even if the display is in local time.
  5. Perform additional actions.
    • Click Export to save the query results in a CSV file.
      Note
      Only the first 50000 entries in the query results are included in the CSV file.
    • The panel at the bottom of the screen shows the total number of objects. If not all objects can be displayed at once, use the pagination controls to view the ones that are hidden from view.
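The two places an analyst usually touches this data are the Message ID filter (taking the ID from a message a user reported) and the exported CSV (triaging what the query returned). The script below is an added example, not code from the product or its documentation: it extracts a Message-ID from constructed raw headers in the bracket-free form the filter example shows, parses a constructed CSV whose column names follow the query-result fields listed above (the real export's header row and timestamp format are assumptions), treats the received timestamp as UTC in line with the sorting note, and then pulls out the records a responder checks first: messages with a risk level that were still delivered, plus a per-status count to spot sandbox backlogs.

```python
import csv
import email
import io
from datetime import datetime, timezone

# Constructed sample in the shape of a Message Tracking CSV export. The column
# names mirror the query-result fields the page lists; the exact header row and
# timestamp format of a real export are assumptions.
SAMPLE_EXPORT = """Message ID,Recipients,Sender,Subject,Risk level,Latest status,Received
20160603021433.F0304120A7A@example.com,alice@example.com,billing@partner.example,Invoice 4471,High,Delivered/Processing completed,2016-06-03 02:14:33
20160603021500.AB12CD34EF@example.com,bob@example.com,news@list.example,Weekly digest,No risk,Delivered/Processing completed,2016-06-03 02:15:00
20160603021610.9988776655@example.com,carol@example.com,hr@example.com,Payroll update,Medium,Quarantined,2016-06-03 02:16:10
20160603021700.1122334455@example.com,dave@example.com,it@example.com,Password expiry,High,Queued for sandbox analysis,2016-06-03 02:17:00
"""

# Constructed raw headers of a message a user forwarded for investigation.
SAMPLE_RAW_MESSAGE = """From: billing@partner.example
To: alice@example.com
Subject: Invoice 4471
Message-ID: <20160603021433.F0304120A7A@example.com>
Date: Fri, 03 Jun 2016 02:14:20 +0000

Please see the attached invoice.
"""


def extract_message_id(raw_message):
    """Return the Message-ID header value without angle brackets, matching the
    bracket-free form shown in the Message ID filter example."""
    msg = email.message_from_string(raw_message)
    mid = msg.get("Message-ID")
    return None if mid is None else mid.strip().strip("<>")


def parse_export(csv_text):
    """Parse an export into dicts and convert the received timestamp into an
    aware UTC datetime. Reading it as UTC is an assumption consistent with the
    note that logs are sorted by UTC 0 even when the display uses local time."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["Received"] = datetime.strptime(
            row["Received"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
    return rows


def find_by_message_id(rows, message_id):
    """Exact lookup of tracking records by message ID; brackets are tolerated."""
    wanted = message_id.strip().strip("<>")
    return [r for r in rows if r["Message ID"] == wanted]


def delivered_with_risk(rows, levels=("High", "Medium", "Low")):
    """Messages rated at one of the given risk levels that nevertheless reached
    the mailbox: the first set a responder re-checks after a query."""
    return [
        r for r in rows
        if r["Risk level"] in levels and r["Latest status"].startswith("Delivered")
    ]


def status_counts(rows):
    """Count records per latest status, e.g. to spot a growing
    'Queued for sandbox analysis' backlog."""
    counts = {}
    for r in rows:
        counts[r["Latest status"]] = counts.get(r["Latest status"], 0) + 1
    return counts


if __name__ == "__main__":
    records = parse_export(SAMPLE_EXPORT)
    mid = extract_message_id(SAMPLE_RAW_MESSAGE)
    print("Message ID to search:", mid)
    for r in find_by_message_id(records, mid):
        print("Tracked:", r["Recipients"], r["Latest status"], r["Received"].isoformat())
    for r in delivered_with_risk(records):
        print("Delivered despite risk:", r["Message ID"], r["Risk level"])
    print("Status counts:", status_counts(records))
```

Because the export is capped at 50000 entries, narrow the Period or Recipients filter before exporting when a query returns more than that, otherwise the oldest or newest records silently fall outside the file and the counts above will be incomplete.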