Viewing Detected Messages Parent topic

Gain intelligence about the context of a spear-phishing attack by investigating a wide array of information facets. Review the email headers to quickly verify the email message origin and how it was routed. Investigate attacks trending on your network by correlating common characteristics (examples: email subjects that appear to be your Human Resource department or fake internal email addresses). Based on the detections, change your policy configuration and warn your users to take preventive measures against similar attacks.

Procedure

  1. Go to DetectionsDetected Messages.
  2. Specify the search criteria.
    See Detected Message Search Filters.
  3. Press ENTER.
    All email messages matching the search criteria appear.
  4. View the results.
    Header
    Description
    investigate_icon.jpg
    Investigate the email message to learn more about potential threats.
    For details, see Investigating a Detected Message.
    Detected
    View the date and time that the suspicious email message was first detected in TippingPoint Advanced Threat Protection for Email.
    Note
    Note
    There is a short delay between when TippingPoint Advanced Threat Protection for Email receives an email message and when the email message appears on the Detected Messages screen.
    Risk Level
    View the level of potential danger exhibited in a suspicious email message. For details, see Detected Risk.
    Recipients
    View the detected message recipient email addresses.
    To
    View the primary recipient email address in the email header.
    Sender
    View the sending email address of the detected message.
    From
    View the author email address in the email header.
    Email Subject
    View the email subject of the suspicious email message.
    links_icon.jpg
    View the number of email messages with embedded malicious links.
    attachments_icon.jpg
    View the number of email messages with malicious file attachments.
    Threat
    View the name and classification of the discovered threat. For details, see Threat Type Classifications.
    Action
    View the final result after scanning and analyzing the email message. The result is the executed policy action.
    Note
    Note
    In BCC mode and SPAN/TAP mode, the action is always Monitoring only.

Detected Message Search Filters Parent topic

The following table explains the basic search filters for querying suspicious messages. To view the detected messages, go to DetectionsDetected Messages.
Note
Note
Search filters do not accept wildcards. TippingPoint Advanced Threat Protection for Email uses fuzzy logic to match search criteria to email message data.
Filter
Description
Risk level
Select All or the email message risk level.
Action
Select an action from the list.
For details, see Configuring the Actions.
Note
Note
In BCC mode and SPAN/TAP mode, the action is always Monitoring only.
Recipients
Specify one or more recipient email addresses. Use a semicolon to separate multiple recipients.
Period
Select a predefined time range or specify a custom range.
Related information

Applying Advanced Filters Parent topic

In addition to basic filters, you can apply advanced filters to query suspicious messages.

Procedure

  1. Click Show advanced filters.
    The advanced filters appear.
  2. Specify the information to filter.
    Filter
    Description
    Sender
    Specify the sender email address.
    From
    Specify the author email address in the email header.
    To
    Specify a primary recipient email address in the email header.
    Links
    Specify a URL.
    Threat type
    Select a threat type from the list. For details, see Threat Type Classifications.
    Message ID
    Specify the unique message ID.
    Example: 20160603021433.F0304120A7A@example.com
    Source IP
    Specify the MTA IP address nearest to the email sender. The source IP is the IP address of the attack source, compromised MTA, or a botnet with mail relay capabilities.
    A compromised MTA is usually a third-party open mail relay used by attackers to send malicious email messages or spam without detection.
    Note
    Note
    Source IP is the only search filter that requires an exact-string match. TippingPoint Advanced Threat Protection for Email does not use fuzzy logic to match search results for the source IP address.
    Threat name
    Specify the threat name provided by Trend Micro. The dashboard widgets and the Detections tab provide information about threat names.
    For information about threat discovery capabilities, see Scanning / Analysis.
    Subject
    Specify the email message subject.
    Attachment
    Specify an attachment file name.
    Password-protected attachment
    Select email messages that contain a password-protected file.
  3. Click Search.