Detected Message Search Filters

Gain intelligence about the context of a spear-phishing attack by investigating a wide array of information facets. Review the email headers to quickly verify the email message origin and how it was routed. Investigate attacks trending on your network by correlating common characteristics (examples: email subjects that appear to be your Human Resource department or fake internal email addresses). Based on the detections, change your policy configuration and warn your users to take preventive measures against similar attacks.

  1. Go to Detections > Detected Messages.
  2. Specify the search criteria.

    See Detected Message Search Filters.

  3. Press ENTER.

    All email messages matching the search criteria appear.

  4. View the results.

    Header

    Description

    Investigate the email message to learn more about potential threats.

    For details, see Investigating a Detected Message.

    Detected

    View the date and time that the suspicious email message was first detected in Deep Discovery Email Inspector.

    Note:

    There is a short delay between when Deep Discovery Email Inspector receives an email message and when the email message appears on the Detected Messages screen.

    Risk Level

    View the level of potential danger exhibited in a suspicious email message.

    For details, see Detected Risk.

    Recipients

    View the detected message recipient email addresses.

    Email Header (To)

    View the primary recipient email address in the email header.

    Sender

    View the sending email address of the detected message.

    Email Header (From)

    View the author email address in the email header.

    Email Subject

    View the email subject of the suspicious email message.

    View the number of email messages with embedded malicious links.

    View the number of file attachments that are detected by policy rules.

    Threat

    View the name and classification of the discovered threat.

    For details, see Threat Type Classifications.

    Action
    View the final result after scanning and analyzing the email message. The result is the executed policy action.
    Note:

    In BCC mode and SPAN/TAP mode, the action is always Monitoring only.
Parent topic: Detected Messages

Detected Message Search Filters

The following table explains the basic search filters for querying suspicious messages. To view the detected messages, go to Detections > Detected Messages.

Note:

Search filters do not accept wildcards. Deep Discovery Email Inspector uses fuzzy logic to match search criteria to email message data.

Filter

Description

Threat type

Select All or a threat type from the list.

For details, see Threat Type Classifications.

Risk level

Select All or the email message risk level.

Action

Select All or an action from the list.

This is the action that Deep Discovery Email Inspector applies on email messages when a scanning condition is matched in a policy rule.

For more information, see Policy Rules.

Note:

In BCC mode and SPAN/TAP mode, the action is always Monitoring only.

Period

Select a predefined time range or specify a custom range.

Applying Advanced Filters

In addition to basic filters, you can apply advanced filters to query suspicious messages.

  1. Click Show advanced filters.
  2. Specify the information to filter.

    Filter

    Description

    Sender

    Specify the sender email address.

    Email header (To)

    Specify a primary recipient email address in the email header.

    Message ID

    Specify the unique message ID.

    Example: 20160603021433.F0304120A7A@example.com

    Subject

    Specify the email message subject.

    Direction

    Specify the message direction.

    Rule

    Specify a rule name.

    Email header (From)

    Specify the author email address in the email header.

    URL

    Specify a URL.

    Source IP

    Specify the MTA IP address nearest to the email sender. The source IP is the IP address of the attack source, compromised MTA, or a botnet with mail relay capabilities.

    A compromised MTA is usually a third-party open mail relay used by attackers to send malicious email messages or spam without detection.

    Note:

    The Source IP search filter requires an exact-string match. Deep Discovery Email Inspector does not use fuzzy logic to match search results for the source IP address.

    File name

    Specify an attachment file name.

    Data identifier

    Specify a data identifier name.

    YARA rule name

    Specify the name of a YARA rule.

    Recipient

    Specify a recipient email address. Only one address is allowed.

    Threat name

    Specify the threat name provided by Trend Micro. The dashboard widgets and the Detections tab provide information about threat names.

    For information about threat discovery capabilities, see Scanning / Analysis.

    Sender IP

    Specify the sender IP address.

    If you deploy Deep Discovery Email Inspector as an edge MTA in your network, the sender IP address is the public IP address of the external MTA nearest to your network.

    If you deploy Deep Discovery Email Inspector as a non-edge MTA in your network, the sender IP address is the IP address of the MTA nearest to the edge MTA relay server.

    Note:

    The Sender IP search filter requires an exact-string match. Deep Discovery Email Inspector does not use fuzzy logic to match search results for the sender IP address.

    Policy

    Specify a policy name.

    DLP template

    Specify a DLP template name.

    YARA rule file name

    Specify the name of a YARA rule file.

    Password-protected attachment

    Select email messages that contain a password-protected file.

    Manual email submissions

    Select email messages that are manually submitted to Deep Discovery Email Inspector for analysis by the administrator.

    For more information, see Email Submissions.
  3. Click Search.