Views:
This screen enables you to track threat detections in email messages received or sent by Trend Micro Email Security. Trend Micro Email Security maintains up to 90 days of policy event logs. The sliding window for policy event log search is 60 continuous days that may cross calendar months.
Note
Note
The sliding window for policy event log search is 30 days in the Trend Micro Email Security Standard license.
For details about different license versions, see Available License Versions.
The Policy Events screen provides the following search criteria:
  • Period: The time range for your query.
    • Last 1 hour
    • Last 24 hours
    • Last 7 days
    • Last 14 days
    • Last 30 days
    • Custom range
  • Direction: The direction of messages.
    • Incoming
    • Outgoing
  • Recipient: The envelope recipient address. Specify up to 10 email addresses.
  • Sender: The envelope sender address. Specify up to 10 email addresses.
  • Email Header (To): The recipient address in the message header. Specify up to 10 email addresses.
  • Email Header (From): The sender address in the message header. Specify up to 10 email addresses.
    Note
    Note
    Pay attention to the following when setting the preceding four address fields:
    • Specify an exact email address or use wildcards (*) to substitute any characters in a search. In the general format of an email address (local-part@domain), be aware that:
      • The local part must be a wildcard (*) or a character string that does not start with *, for example, *@example.com or test*@example.com.
      • The domain must be a wildcard (*) or a character string that does not end with *, for example, example@* or example@*.test.com.
      • If this field is left blank, *@* is used by default.
    • Use wildcards (*) strategically to expand or narrow your search results. For example, put a wildcard (*) in the domain part to search by a particular user account on all domains or in the local part to match all accounts on a particular domain.
  • Subject: The email message subject.
    The Subject field supports the following:
    • Fuzzy match
      Type one or multiple keywords for a fuzzy match. If you type more than one keyword, all keywords will be matched based on a logical AND, which means the matched subject must contain every keyword. Wildcards (*) will be automatically added before and after each keyword for a fuzzy match.
    • Exact keyword or phrase match
      Enclose a keyword or phrase in quotes for an exact match. Only records that contain the exact keyword or phrase will be matched.
    For example, there are three email subjects:
    • Subject1: Hello world
    • Subject2: Hello new world
    • Subject3: "Hello"
    If you type Hello world in the Subject field, this is a fuzzy match, and Subject1 and Subject2 will be matched. If you type "Hello world", this is an exact match using quotes, and only Subject1 will be matched. If you want to search for Subject3, be aware that quotes are contained by the subject itself. In this particular case, use backslashes (\) as the escape characters and type \"Hello\" for search.
  • Rule Name: The name of the rule that was triggered by email messages.
    The Rule Name field supports the following:
    • A maximum of 20 rules in use will be listed for you to choose when you click in this text box.
    • Select from the rules listed or type keywords for a fuzzy match.
  • Threat Type: The type of threats detected in email messages.
    • All: Query all messages.
    • Domain-based Authentication: Query the messages that failed to pass domain-based authentication.
      • All: Query the messages that failed Sender IP Match, SPF, DKIM and DMARC authentication.
      • Sender IP Match: Query the messages that failed Sender IP Match check.
      • SPF: Query the messages that failed SPF check.
      • DKIM: Query the messages that failed DKIM verification.
      • DMARC: Query the messages that failed DMARC authentication.
    • Ransomware: Query the messages that are identified as ransomware.
      • Detected by Web Reputation:
      • Detected by Pattern-based Scanning
      • Detected by Predictive Machine Learning
      • Detected by Virtual Analyzer
      • Detected by Spam Protection
    • Advanced Persistent Threat: Query the messages that triggered the advanced threat policy.
      • All: Query all messages triggering the advanced threat policy.
      • Analyzed Advanced Threats (Files): Query the messages that are identified as advanced file threats according to Virtual Analyzer and the policy configuration
      • Analyzed Advanced Threats (URLs): Query the messages that are identified as advanced URL threats according to Virtual Analyzer and the policy configuration
      • Probable Advanced Threats: Query the messages that are treated as suspicious according to policy configuration or the messages that are not sent to Virtual Analyzer due to exceptions that occurred during analysis.
    • Malware: Query the messages that triggered the malware criteria.
      When Malware is selected as the threat type, the Detected By field displays with the following options:
      • All: Query all messages triggering the malware criteria.
      • Predictive Machine Learning: Query the messages containing malware, as detected by Predictive Machine Learning.
      • Pattern-based scanning: Query the messages containing malware, as detected by traditional pattern-based scanning.
    • Suspicious Objects: Query the messages that contain suspicious files and URLs.
      • All: Query all messages containing suspicious objects.
      • Suspicious Files (Apex Central): Query all messages containing suspicious files matching the suspicious objects synchronized from Apex Central.
      • Suspicious Files (Trend Vision One): Query all messages containing suspicious files matching the suspicious objects synchronized from Trend Vision One.
      • Suspicious URLs (Apex Central): Query all messages containing suspicious URLs matching the suspicious objects synchronized from Apex Central.
      • Suspicious URLs (Trend Vision One): Query all messages containing suspicious URLs matching the suspicious objects synchronized from Trend Vision One.
    • Scan Exception: Query the messages that triggered scan exceptions.
      • Virtual Analyzer scan exception
      • Virtual Analyzer submission quota exception
      • Password protected attachment
      • Other exceptions
    • Spam: Query the messages that are identified as spam.
    • Business Email Compromise (BEC): Query the messages that triggered the Business Email Compromise (BEC) criteria.
      • All: Query all messages triggering the BEC criteria.
      • Detected by Antispam Engine: Query the messages that are verified to be BEC attacks by the Antispam Engine.
      • Detected by writing style analysis: Query the messages that are verified to be BEC attacks by writing style analysis.
      • Suspected by Antispam Engine: Query the messages that are suspected to be BEC attacks by the Antispam Engine.
    • Phishing: Query the messages that triggered the phishing criteria.
    • Graymail: Query the messages that triggered the graymail criteria.
      • All: Query all graymail messages.
      • Marketing message and newsletter
      • Social network notification
      • Forum notification
      • Bulk email message
    • Web Reputation: Query the messages that triggered the Web Reputation criteria.
    • Content: Query the messages that triggered the message content criteria. For example, a message's header, body or attachment matches the specified keywords or expressions.
    • Attachment: Query the messages that triggered the message attachment criteria.
    • Data Loss Prevention: Query the messages that triggered the Data Loss Prevention policy.
  • Threat Name: The name of threats detected in email messages.
  • Message ID: A unique identifier for the message.
When you query policy event information, use the various criteria fields to restrict your searches. After a query is performed, Trend Micro Email Security provides a list of log records that satisfy the criteria. Select one or more records and click Export Selected to export them to a CSV file. Click Export All to export all the queried log records if needed. If the number of log records to export is large, the export task needs to take time to complete. Go to LogsLog Export Query to check the export status. Note that you can export up to 50,000 log records at a time and the maximum number of times of exporting all the queried log records is 5 per day.
The most efficient way to query policy event information is to provide both sender and recipient email addresses, message subject and message ID within a time range that you want to search. For an email message that has multiple recipients, the result will be organized as one entry.
In addition to the search criteria, detailed policy event information provides the following:
  • Timestamp: The time the policy event occurred. Click on the Timestamp value to view the event details for a given message.
  • Message Size: The size of the message. This information is not always available.
  • Action: The action taken on the email message.
    • Attachment sanitized: Removed active content contained in the attachment.
    • Attachment deleted upon failure to remove active content: Deleted the attachment containing active content that failed to be removed.
    • Attachment deleted: Deleted the attachment from the message.
    • BCC: Sent a blind carbon copy (BCC) to the recipient.
    • Bypassed: Did not intercept the message.
    • Cleaned: Cleaned the message for malware.
    • Delivered: Delivered the message to the recipient.
    • Message deleted: Deleted the entire email message.
    • Notification sent: Sent a notification message to the recipient when a policy was triggered.
    • Quarantined: Held the message in quarantine awaiting user actions on the End User Console. Messages held in quarantine can be reviewed and manually deleted or delivered.
    • Recipient changed: Changed the recipient and redirected the message to a different recipient as configured in the policy triggered.
    • Stamp inserted: Inserted a stamp into the message body.
    • Subject tagged: Inserted configurable text into the message subject line.
    • Submitted for encryption: Submitted to the encryption server for processing. After encryption is complete, Trend Micro Email Security will queue the message for delivery.
    • X-Header inserted: Inserted an X-Header to the message header.
  • (Optional) Risk Rating: The risk rating of the message identified by Virtual Analyzer.
  • (Optional) Violating URLs: The URLs in the message that violated the Web Reputation criteria.
  • (Optional) Violating Files: The files in the message that violated the malware, ransomware, or attachment-related criteria.
  • (Optional) Malware: The specific malware detected in the message.
  • (Optional) Scanned File Reports: The reports for the attached files in messages. If a file is analyzed for advanced threats, the risk level for the file is displayed here. If a report exists, click View Report to see the detailed report.
    Detailed reports are available only for suspicious files that are analyzed by Virtual Analyzer.
  • (Optional) Scanned URL Reports: The reports for the embedded URLs in messages. If a URL is analyzed as advanced threats, the risk level of the URL is displayed here. If a report exists, click View Report to see the detailed report.
  • (Optional) DLP Incident: The information about the DLP incident triggered by the message. Click View Details to check the incident details.
  • (Optional) Analyzed Report: The information about BEC related characteristics that were detected in the message.
  • (Optional) Exception Details: The specific exception that was triggered by the message.
  • (Optional) Antispam Engine Scan Details: The details of the Antispam Engine scan for the message. For details, see Antispam Engine Scan Details.
Related information