This screen enables you to track email messages in which various threats were detected.
Hosted Email Security retains policy event logs for up to 30 days.
A single query can cover up to seven consecutive days, either within one calendar month or spanning two calendar months.
The Policy Events screen provides the following search criteria:
- Dates: The time range for your query.
- Direction: The direction of messages.
- Recipient: The recipient email address.
- Sender: The sender email address.
- Subject: The message subject.
- Rule Name: The triggered rule that you want to query.
- Threat Type:
  - Ransomware: Query the messages that are identified as ransomware.
  - Malware: Query the messages that triggered the malware criteria. When Malware is selected as the threat type, the Detected by field appears with the following options:
    - All: Query all messages.
    - Predictive Machine Learning: Query the messages containing malware, as detected by Predictive Machine Learning.
    - Pattern-based scanning: Query the messages containing malware, as detected by traditional pattern-based scanning.
  - Data Loss Prevention: Query the messages that triggered the Data Loss Prevention policy.
  - Advanced Persistent Threat: Query the messages that triggered the advanced threat policy.
    - Analyzed advanced threats: Query the messages that are identified as threats according to Virtual Analyzer and the policy configuration.
    - Probable advanced threats: Query the messages that are treated as suspicious according to the policy configuration, or that were not sent to Virtual Analyzer because an exception occurred during analysis.
    - All: Query all messages.
  - Business Email Compromise (BEC): Query the messages that triggered the Business Email Compromise (BEC) criteria.
    - Analyzed: Query the messages that are verified to be BEC attacks.
    - Probable: Query the messages that are suspected to be BEC attacks.
  - Phishing: Query the messages that triggered the phishing criteria.
  - Domain-based Authentication: Query the messages that failed domain-based authentication.
    - All: Query the messages that failed SPF, DKIM, and DMARC authentication.
    - SPF: Query the messages that failed the SPF check.
    - DKIM: Query the messages that failed DKIM verification.
    - DMARC: Query the messages that failed DMARC authentication.
  - Graymail: Query the messages that triggered the graymail criteria.
    - Marketing message and newsletter
    - Social network notification
    - Forum notification
  - Web Reputation: Query the messages that triggered the Web Reputation criteria.
  - Content: Query the messages that triggered the message content criteria, for example, a message whose header, body, or attachment matches the specified keywords or expressions.
  - Attachment: Query the messages that triggered the message attachment criteria.
  - Scan Exception: Query the messages that triggered scan exceptions.
    - All: Query all messages.
- Message ID: A unique identifier for the message.
When you run a policy event query, Hosted Email Security lists all messages that satisfy the criteria.
You can click Search at any time to run the query again. Use the criteria fields to narrow your search.
The most efficient way to track a policy event is to provide the sender and recipient email addresses, the message subject, and the message ID, together with the time range you want to search. Recipient and Sender cannot both contain the wildcard character in the same query.
Detailed policy event information is displayed, including:
- Timestamp: The time the policy event occurred. Click the Timestamp value to view the event details for a given message.
- Sender: The sender of the message.
- Recipient: The recipient of the message.
- Message Size: The size of the message. This information is not always available.
- Rule Name: The name of the triggered policy rule that was used to analyze the message.
- Threat Type: The threat that triggered the policy event.
- Risk Rating: The risk rating of the message as identified by Virtual Analyzer.
- Action: The action taken on the message. The possible actions are:
  - BCC: A blind carbon copy (BCC) was sent to the authorized recipients according to the Hosted Email Security policy.
  - Bypass: The message was passed through without being intercepted by Hosted Email Security.
  - Changed recipient: The recipient was changed and the message was redirected to a different recipient, according to the Hosted Email Security policy established by the authorized mail administrator of this mail domain.
  - Clean: The message was cleaned of viruses by Hosted Email Security.
  - DeleteAttachment: The attachment in the email message was deleted by Hosted Email Security.
  - Deliver: The message was delivered to the downstream MTA that is responsible for transporting the message to its destination.
  - Insert X-Header: An X-Header was added to the message headers.
  - InsertStamp: A block of text was inserted into the message body.
  - Message deleted: The message was deleted by Hosted Email Security according to the policy established by the authorized mail administrator of this mail domain.
  - Notification: A notification was sent to the recipient when the policy rule was triggered.
  - Quarantined: Quarantined messages are blocked as detected spam or graymail before delivery to an email account. Messages held in quarantine can be reviewed and then manually deleted or delivered.
  - TagSubject: Text defined in the policy rule was inserted into the message subject line.
  - Encryption in progress: The message is being encrypted by Hosted Email Security. After encryption is complete, Hosted Email Security queues the message for delivery.
  - Rejected: The message was blocked before it was accepted by Hosted Email Security.
- Scanned File Report: The report for the files attached to the message. If a file was analyzed for advanced threats, its risk level is displayed here. If a report exists, click View report to see the detailed report. Detailed reports are available only for suspicious files that were analyzed by Virtual Analyzer.
- DLP Incident: Information about the DLP incident triggered by the message. Click View Details to check the incident details. This information is available only for messages that violated DLP policies.
If an email message contains multiple recipients, the result will be organized for each recipient separately.
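The query rules described on this page (the seven-day window, the 30-day retention limit, the rule that Sender and Recipient cannot both carry a wildcard, the Detected by sub-filter that applies only to Malware, and one result row per recipient of a multi-recipient message) are modelled below as an added Python example. It is an illustration only, not Hosted Email Security code or a product API; the sample events, field names, dates and the `TODAY` reference date are constructed for the example, and an empty pattern is assumed to mean "field not specified".

```python
"""Local model of the Policy Events query rules over constructed sample events."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from fnmatch import fnmatchcase

RETENTION_DAYS = 30   # policy event logs are retained for up to 30 days
MAX_QUERY_DAYS = 7    # one query may span at most seven consecutive days


@dataclass(frozen=True)
class PolicyEvent:
    timestamp: date
    sender: str
    recipients: tuple      # a message may have several recipients
    subject: str
    rule_name: str
    threat_type: str
    action: str
    detected_by: str = ""  # only meaningful when threat_type is "Malware"
    message_id: str = ""


# Constructed sample data for this example; not real Hosted Email Security logs.
TODAY = date(2024, 3, 20)
SAMPLE_EVENTS = [
    PolicyEvent(date(2024, 3, 18), "bob@example.net",
                ("alice@example.com", "carol@example.com"), "Invoice 4417",
                "Default malware rule", "Malware", "Quarantined",
                detected_by="Predictive Machine Learning", message_id="<m1@example.net>"),
    PolicyEvent(date(2024, 3, 19), "news@example.org", ("alice@example.com",),
                "March newsletter", "Graymail rule", "Graymail", "TagSubject",
                message_id="<m2@example.org>"),
    PolicyEvent(date(2024, 3, 19), "ceo@example.com", ("dave@example.com",),
                "Urgent wire", "BEC rule", "Business Email Compromise (BEC)",
                "Quarantined", message_id="<m3@evil.test>"),
    PolicyEvent(date(2024, 2, 10), "old@example.net", ("alice@example.com",),
                "Old report", "Default malware rule", "Malware", "Clean",
                detected_by="Pattern-based scanning", message_id="<m0@example.net>"),
]


def validate_query(start, end, sender="", recipient="", today=TODAY):
    """Reject a query the screen would not accept, before any filtering is done."""
    if end < start:
        raise ValueError("end date precedes start date")
    if (end - start).days + 1 > MAX_QUERY_DAYS:
        raise ValueError("a query may cover at most seven consecutive days")
    if start < today - timedelta(days=RETENTION_DAYS):
        raise ValueError("start date is outside the 30-day log retention window")
    if "*" in sender and "*" in recipient:
        raise ValueError("Recipient and Sender cannot both use the wildcard character")


def query_is_accepted(start, end, sender="", recipient="", today=TODAY):
    """True if validate_query() accepts the query, False otherwise."""
    try:
        validate_query(start, end, sender, recipient, today)
    except ValueError:
        return False
    return True


def _matches(value, pattern):
    # Empty pattern means the field was left blank, i.e. no restriction (assumption).
    return pattern == "" or fnmatchcase(value.lower(), pattern.lower())


def query_events(events, start, end, sender="", recipient="", subject="",
                 threat_type=None, detected_by="All", today=TODAY):
    """Return one result row per (message, recipient), as the Policy Events list does."""
    validate_query(start, end, sender, recipient, today)
    rows = []
    for ev in events:
        if not (start <= ev.timestamp <= end):
            continue
        if not _matches(ev.sender, sender) or not _matches(ev.subject, subject):
            continue
        if threat_type and ev.threat_type != threat_type:
            continue
        # The Detected by sub-filter only narrows results when Threat Type is Malware.
        if threat_type == "Malware" and detected_by != "All" and ev.detected_by != detected_by:
            continue
        # A multi-recipient message is reported separately for each matching recipient.
        for rcpt in ev.recipients:
            if _matches(rcpt, recipient):
                rows.append(replace(ev, recipients=(rcpt,)))
    return rows


if __name__ == "__main__":
    for row in query_events(SAMPLE_EVENTS, date(2024, 3, 14), date(2024, 3, 20),
                            recipient="*@example.com", threat_type="Malware",
                            detected_by="Predictive Machine Learning"):
        print(row.timestamp, row.sender, row.recipients[0], row.action, row.message_id)
```

Running the script lists the quarantined malware message twice, once for each of its two recipients, which is the per-recipient layout described above; the out-of-retention event from 10 February is never returned because a query starting that far back is rejected before filtering.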