Understanding Policy Events

This screen enables you to track threat detections in email messages received or sent through Trend Micro Email Security. Trend Micro Email Security maintains up to 90 days of policy event logs. The sliding window for a policy event log search is 60 continuous days, which may span calendar months.

Note:

The sliding window for policy event log search is 30 days in the Trend Micro Email Security Standard license.

For details about different license versions, see Available License Versions.

The Policy Events screen provides the following search criteria:

  • Period: The time range for your query.

    • Last 1 hour

    • Last 24 hours

    • Last 7 days

    • Last 14 days

    • Last 30 days

    • Custom range

  • Direction: The direction of messages.

    • Incoming

    • Outgoing

  • Recipient: The envelope recipient address.

  • Sender: The envelope sender address.

  • Email Header (To): The recipient address in the message header.

  • Email Header (From): The sender address in the message header.

    Note:

    Pay attention to the following when setting the preceding four address fields:

    • Specify an exact email address or use wildcards (*) to substitute any characters in a search. In the general format of an email address (local-part@domain), be aware that:

      • The local part must be a wildcard (*) or a character string that does not start with *, for example, *@example.com or test*@example.com.

      • The domain must be a wildcard (*) or a character string that does not end with *, for example, example@* or example@*.test.com.

      • If this field is left blank, *@* is used by default.

    • Use wildcards (*) strategically to expand or narrow your search results. For example, put a wildcard (*) in the domain part to search by a particular user account on all domains or in the local part to match all accounts on a particular domain.

  • Subject: The email message subject.

    The Subject field supports the following:

    • Fuzzy match

      Type one or multiple keywords for a fuzzy match. If you type more than one keyword, all keywords will be matched based on a logical AND, which means the matched subject must contain every keyword. Wildcards (*) will be automatically added before and after each keyword for a fuzzy match.

    • Exact keyword or phrase match

      Enclose a keyword or phrase in quotes for an exact match. Only records that contain the exact keyword or phrase will be matched.

    For example, there are three email subjects:

    • Subject1: Hello world

    • Subject2: Hello new world

    • Subject3: "Hello"

    If you type Hello world in the Subject field, this is a fuzzy match, and Subject1 and Subject2 will be matched. If you type "Hello world", this is an exact match using quotes, and only Subject1 will be matched. If you want to search for Subject3, note that the subject itself contains quotes. In this particular case, use backslashes (\) as escape characters and type \"Hello\" in the Subject field.

  • Rule Name: The name of the rule that was triggered by email messages.

    The Rule Name field supports the following:

    • When you click in this text box, up to 20 rules currently in use are listed for you to choose from.

    • Select from the rules listed or type keywords for a fuzzy match.

  • Threat Type: The type of threats detected in email messages.

    • All: Query all messages.

    • Domain-based Authentication: Query the messages that failed to pass domain-based authentication.

      • All: Query the messages that failed Sender IP Match, SPF, DKIM and DMARC authentication.

      • Sender IP Match: Query the messages that failed Sender IP Match check.

      • SPF: Query the messages that failed SPF check.

      • DKIM: Query the messages that failed DKIM verification.

      • DMARC: Query the messages that failed DMARC authentication.

    • Ransomware: Query the messages that are identified as ransomware.

    • Advanced Persistent Threat: Query the messages that triggered the advanced threat policy.

      • All: Query all messages triggering the advanced threat policy.

      • Analyzed Advanced Threats (Files): Query the messages that are identified as advanced file threats according to Virtual Analyzer and the policy configuration.

      • Analyzed Advanced Threats (URLs): Query the messages that are identified as advanced URL threats according to Virtual Analyzer and the policy configuration.

      • Probable Advanced Threats: Query the messages that are treated as suspicious according to policy configuration or the messages that are not sent to Virtual Analyzer due to exceptions that occurred during analysis.

    • Malware: Query the messages that triggered the malware criteria.

      When Malware is selected as the threat type, the Detected By field appears with the following options:

      • All: Query all messages triggering the malware criteria.

      • Predictive Machine Learning: Query the messages containing malware, as detected by Predictive Machine Learning.

      • Pattern-based scanning: Query the messages containing malware, as detected by traditional pattern-based scanning.

    • Suspicious Objects: Query the messages that contain suspicious files and URLs.

      • All: Query all messages containing suspicious objects.

      • Suspicious Files: Query all messages containing suspicious files.

      • Suspicious URLs: Query all messages containing suspicious URLs.

    • Scan Exception: Query the messages that triggered scan exceptions.

      • Virtual Analyzer scan exception

      • Virtual Analyzer submission quota exception

      • Other exceptions

    • Spam: Query the messages that are identified as spam.

    • Business Email Compromise (BEC): Query the messages that triggered the Business Email Compromise (BEC) criteria.

      • All: Query all messages triggering the BEC criteria.

      • Detected by Antispam Engine: Query the messages that are verified to be BEC attacks by the Antispam Engine.

      • Detected by writing style analysis: Query the messages that are verified to be BEC attacks by writing style analysis.

      • Suspected by Antispam Engine: Query the messages that are suspected to be BEC attacks by the Antispam Engine.

    • Phishing: Query the messages that triggered the phishing criteria.

    • Graymail: Query the messages that triggered the graymail criteria.

      • All: Query all graymail messages.

      • Marketing message and newsletter

      • Social network notification

      • Forum notification

      • Bulk email message

    • Web Reputation: Query the messages that triggered the Web Reputation criteria.

    • Content: Query the messages that triggered the message content criteria. For example, a message's header, body or attachment matches the specified keywords or expressions.

    • Attachment: Query the messages that triggered the message attachment criteria.

    • Data Loss Prevention: Query the messages that triggered the Data Loss Prevention policy.

  • Threat Name: The name of threats detected in email messages.

  • Message ID: A unique identifier for the message.
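As an added illustration (not Trend Micro's code), the following Python models the address wildcard rules from the note under the four address fields and the Subject field's fuzzy/exact matching, using the three example subjects from the page; case-insensitive comparison is an assumption the page does not state.

```python
import re

# Sample data: the three subjects from the page's worked example (constructed here).
SAMPLE_SUBJECTS = {
    "Subject1": "Hello world",
    "Subject2": "Hello new world",
    "Subject3": '"Hello"',
}

def address_pattern_to_regex(pattern: str) -> re.Pattern:
    """Validate a Sender/Recipient/Header address pattern and compile it.

    Rules from the page: the local part is '*' or a string that does not
    start with '*'; the domain is '*' or a string that does not end with '*';
    a blank field means '*@*'. Case-insensitivity is an assumption.
    """
    pattern = pattern.strip() or "*@*"
    local, sep, domain = pattern.partition("@")
    if not sep:
        raise ValueError(f"missing '@' in {pattern!r}")
    if local != "*" and local.startswith("*"):
        raise ValueError(f"local part may not start with '*': {pattern!r}")
    if domain != "*" and domain.endswith("*"):
        raise ValueError(f"domain may not end with '*': {pattern!r}")
    # '*' stands for any run of characters; everything else is literal.
    body = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE)

def address_matches(pattern: str, address: str) -> bool:
    return address_pattern_to_regex(pattern).fullmatch(address) is not None

def subject_matches(query: str, subject: str) -> bool:
    """Subject field semantics: a quoted query is an exact, contiguous phrase;
    otherwise every whitespace-separated keyword must appear (logical AND),
    as if each keyword were wrapped in wildcards. A backslash-escaped quote
    (\\") is a literal quote character, not a phrase delimiter."""
    q, s = query.strip(), subject.lower()
    if len(q) >= 2 and q[0] == '"' and q[-1] == '"' and q[-2] != "\\":
        return q[1:-1].lower() in s
    keywords = [k.replace('\\"', '"').lower() for k in q.split()]
    return all(k in s for k in keywords)

def search_subjects(query: str) -> list[str]:
    """Names of the sample subjects that a Subject query would return."""
    return [name for name, subj in SAMPLE_SUBJECTS.items()
            if subject_matches(query, subj)]
```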

When you query policy event information, use the various criteria fields to restrict your searches. After a query is performed, Trend Micro Email Security provides a list of log records that satisfy the criteria. Select one or more records and click Export to CSV to export them to a CSV file.

The most efficient way to query policy event information is to provide the sender and recipient email addresses, the message subject, and the message ID, together with the time range you want to search. For an email message that has multiple recipients, the result is organized as a single entry.

In addition to the search criteria, detailed policy event information provides the following:

  • Timestamp: The time the policy event occurred. Click on the Timestamp value to view the event details for a given message.

  • Message Size: The size of the message. This information is not always available.

  • Action: The action taken on the email message.

    • Attachment deleted: Deleted the attachment from the message.

    • BCC: Sent a blind carbon copy (BCC) to the recipient.

    • Bypassed: Did not intercept the message.

    • Cleaned: Cleaned the message for malware.

    • Delivered: Delivered the message to the recipient.

    • Message deleted: Deleted the entire email message.

    • Notification sent: Sent a notification message to the recipient when a policy was triggered.

    • Quarantined: Held the message in quarantine awaiting user actions on the End User Console. Messages held in quarantine can be reviewed and manually deleted or delivered.

    • Recipient changed: Changed the recipient and redirected the message to a different recipient as configured in the policy triggered.

    • Rejected: Blocked the message before it arrived at Trend Micro Email Security.

    • Stamp inserted: Inserted a stamp into the message body.

    • Subject tagged: Inserted configurable text into the message subject line.

    • Submitted for encryption: Submitted to the encryption server for processing. After encryption is complete, Trend Micro Email Security will queue the message for delivery.

    • X-Header inserted: Inserted an X-Header to the message header.

  • (Optional) Risk Rating: The risk rating of the message identified by Virtual Analyzer.

  • (Optional) Violating URLs: The URLs in the message that violated the Web Reputation criteria.

  • (Optional) Violating Files: The files in the message that violated the malware or ransomware criteria.

  • (Optional) Malware: The specific malware detected in the message.

  • (Optional) Scanned File Reports: The reports for the attached files in messages. If a file is analyzed for advanced threats, the risk level for the file is displayed here. If a report exists, click View Report to see the detailed report.

    Detailed reports are available only for suspicious files that are analyzed by Virtual Analyzer.

  • (Optional) Scanned URL Reports: The reports for the embedded URLs in messages. If a URL is analyzed for advanced threats, the risk level of the URL is displayed here. If a report exists, click View Report to see the detailed report.

  • (Optional) DLP Incident: The information about the DLP incident triggered by the message. Click View Details to check the incident details.

  • (Optional) Analyzed Report: The information about BEC-related characteristics that were detected in the message.

  • (Optional) Exception Details: The specific exception that was triggered by the message.