Views:
Cloud Email and Collaboration Protection stores data as searchable indexes in cloud databases. Use these log facets to narrow a search to a specific data set. The following tables describe the available log facets for each log type. Some log facets may not show if there is no corresponding data.

Detection Log Facets

Log Facet
Description
Organization
Name of the protected organization.
This facet is available only when you have granted access to services for multiple organizations.
Scan Source
Name of the protected application or service.
Security Filter
Security filter that detected the threat. The security filter includes Advanced Spam Protection, File Blocking, Malware Scanning, Web Reputation, Data Loss Prevention, Keyword Extraction, and Box Shared Links Control.
Threat Type
Type of threat detected.
Detected by
Technology or method through which email messages and files were detected as containing a security threat.
Spam Category
Category of the spam email message detected.
URL Category
Category of the suspicious URL detected.
Affected User
The affected user refers to:
  • For Exchange Online and Gmail, the mailbox of the protected user that received or sent an email message violating a policy
  • For SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, the user account that uploaded or modified a file violating a policy.
  • For Teams Chat, the user that sent a private chat message violating a policy.
Triggered Policy
Name of the Security Risk Scan policy that was violated.
Action
Action taken for a file or message that violates a policy.
Mail Direction
Inbound or outbound message. This facet only applies to Exchange Online (Inline Mode).
Virus Name
Name of the virus detected.
Suspicious URL
URL that might contain threats.
Domain
Domain detected with ransomware.
Sender
Mailbox that sends the message.
Detection Type
Type of objects submitted to Virtual Analyzer. The objects can be files or URLs.
Risk Level
Risk level of a file or URL classified by Trend Micro Web Reputation Services or Virtual Analyzer.
Triggered Template
Name of the compliance template that was violated to trigger the Data Loss Prevention policy.
Triggered Label
Name of the sensitivity label that was violated to trigger the Data Loss Prevention policy.

Quarantine Log Facets

Log Facet
Description
Organization
Name of the protected organization.
This facet is available only when you have granted access to services for multiple organizations.
Scan Source
Name of the protected application or service.
Security Filter
The security filter includes Virtual Analyzer, File Blocking, Web Reputation, Data Loss Prevention, Malware Scanning, and Threat Mitigation API.
Affected User
For Exchange Online, the mailbox of a protected user that received or sent a message violating a policy. For SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, the user account that uploaded or modified a file violating a policy.
Quarantine Type
Whether an email message or a file is already quarantined.
Performed by
Administrator or end user who restored or deleted a quarantined item.
Mail Direction
Inbound or outbound email message. This facet only applies to messages protected under Inline Protection.

Audit Logs Log Facets

Log Facet
Description
Organization
Name of the protected organization.
This facet is available only when you have granted access to services for multiple organizations.
User
Name of the user who performs management operations.
Action
Operation that a user performs, including logon events, scheduled user data synchronizations, and policy changes.

API Integration Log Facets

Log Facet
Description
Organization
Name of the protected organization.
This facet is available only when you have granted access to services for multiple organizations.
Scan Source
Name of the protected application or service.
Security Filter
The security filter includes the Threat Remediation API.
Affected User
Exchange Online mailbox that contains an email message matching any item in the Blocked Lists for Exchange Online configured through the Threat Remediation API.
Action
Action taken for an email message matching any item in the Blocked Lists for Exchange Online configured through the Threat Remediation API.

URL Click Tracking Log Facets

Log Facet
Description
Organization
Name of the protected organization.
This facet is available only when you have granted access to services for multiple organizations.
Time of Click
Time when the user clicks the URL.
Action
Action taken when the user clicks the URL.
Sender
Sender of the email message that contains the clicked URL.
Recipient
Recipient of the email message that contains the clicked URL.
URL
URL that the user clicks.
Message ID
Unique ID that identifies the email message containing the clicked URL.

Email Tracking Log Facets

Log Facet
Description
Organization
Name of the protected organization.
This facet is available only when you have granted access to services for multiple organizations.
Delivery Status
Delivery status of the inbound email message routed to Cloud Email and Collaboration Protection for inline protection.
Recipient
Recipient of the inbound email message routed to Cloud Email and Collaboration Protection for inline protection.
Mail Direction
Inbound or outbound email message. This facet only applies to messages protected under Inline Protection.