Detections page

The Detections page consists of a number of widgets that provide an overview of the malicious attachments and URLs detected in analyzed mail and of the most recently seen threats.

At the top of the page is the portal settings widget.

Malicious mail

The Malicious mail over time widget provides a graphical overview of the various threats detected in the mail messages analyzed by the server. The x-axis depicts the time (defaults to the portal settings value) and the y-axis the number of relevant messages for a given type of threat.

There are three different types of threats:

  • Malicious mail messages contain attachments or URLs that have been determined to be critical. These mail messages are displayed in red.

  • Suspicious mail messages have been determined to be of medium risk. The threats they contain, while indicating a potential risk, do not need immediate attention. These mail messages are displayed in orange.

  • Benign mail messages are considered low or no risk. These mail messages are displayed in blue.

You can display or hide the different threat types by clicking on their names in the legend at the top of the graph.

When you hover your mouse over a threat on the malicious mail graph, the widget displays a pop-up showing the number of messages and the corresponding threat level detected on that day.

Mail threats graph

The Mail threats graph provides a graphical overview of the various threats detected in the mail messages analyzed by the server. The information is displayed in a layered circle.

  • The innermost ring represents the three different types of threats:

    • Malicious mail messages contain attachments or URLs that have been determined to be critical. These mail messages are displayed in red.

    • Suspicious mail messages have been determined to be of medium risk. The threats they contain, while indicating a potential risk, do not need immediate attention. These mail messages are displayed in orange.

    • Benign mail messages are considered low or no risk. These mail messages are displayed in blue.

  • The middle ring displays the threat class together with the number of relevant threats for each type. Threat classes include malicious downloads, malicious URLs, etc.

  • The outer ring represents the individual threat families that have been detected in the messages. Threat families include malicious binary files, malicious PDF files, malicious URLs, etc.

The widget displays the threat name and a count of occurrences of this threat when you hover your mouse over the graph.

When you click on an item in the graph, it zooms in and displays more details about the selected information type. Clicking again will zoom back out.

If you click a threat type in the inner ring, the graph zooms to display the matching threats in the middle and outer rings. If you click a threat class in the middle ring, the graph zooms to display the matching threat families. If you click the outer ring, the graph zooms to display details about the selected threat.

The legend on the right side of the widget provides a count of the occurrences of the most frequent threats. When you hover your mouse over an item in the legend, a pop-up gives further information about the threat class and the number of incidents. Clicking on the item zooms the graph for the selected threat type and provides more contextual information.

Filters

An easy-to-use filtering mechanism is provided that allows you to focus on the information that you are interested in. Click the plus icon to expand the Filters widget.

Note:

The use of filters is optional.

Click Filter by and select an item from the pull-down menu. Select from Analysis tags, Assigned to, Blocked, Content action, Impact, Lastline mail UUID, Mail analysis status, Mail delivery outcome, Mail ID, Mail processing state, Mail state, Message action, Minimum impact, Recipient, Relevant content, Sender, Subject, Threat, or Threat class.

You can combine multiple filters to narrow the focus. You can also deploy multiple instances of some filters.

Delete an individual filter by clicking the Remove (minus) icon next to its entry. Delete all the selected filters by clicking the cancel/close icon. This also collapses the Filters widget.

Click Apply (reload icon) to apply the selected filters.

Analysis tags

Restrict displayed attachments/URLs by their analysis tags. These are labels assigned to a file or URL by the system analysis. They can identify a threat or threat class, or refer to specific malicious behavior that was detected.

Assigned to

Restrict to attachments/URLs assigned to a specific analyst. Enter a valid email address or the value "unassigned".

Blocked

Filter messages/attachments/URLs by their Blocked status, Yes or No.

Content action

Filter messages/attachments/URLs by the action the Sensor took on the event. Select from BLOCK, LOG, TEST, or WARN.

Impact

Filter messages/attachments/URLs by their impact value. Select from Malicious, Suspicious, or Benign.

Lastline mail UUID

Filter messages/attachments/URLs by the VMware NSX Network Detection and Response generated UUID.

Mail analysis status

Filter messages/attachments/URLs by the analysis status. Select from Complete, Fail: Analysis queue full, Fail: Analyst error, Fail: Processing time, or Unknown.

Mail delivery outcome

Filter messages/attachments/URLs by the delivery outcome. Select from Bounce, Next hop, Quarantine, or Unknown.

Mail ID

Filter messages/attachments/URLs by the mail ID.

Mail processing state

Filter messages/attachments/URLs by the mail processing state. Select from Analyst analysis, Delivery, Done, Local analysis, Quarantined, Received, or Unknown.

Mail state

Filter messages/attachments/URLs by the lifecycle status of the analysis. Select from Open, In progress, or Done.

Message action

Filter messages/attachments/URLs by the message action. Select from BLOCK or LOG.

Minimum impact

Display only attachments/URLs whose impact score is at least the specified value. The range is 1 to 100.

Recipient

Restrict to messages with a specific recipient.

Relevant content

Filter messages/attachments/URLs by whether their content was flagged as relevant.

Sender

Restrict to messages sent by a specific address.

Subject

Filter messages/attachments/URLs by the subject line.

Threat

Name of the detected threat or security risk.

Threat class

Name of the detected threat class.

Mail threats list

The Mail threats widget is a list displaying the email messages analyzed in the network.

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

Use the Select pull-down menu for a fine-tuned selection. Its options allow you to select All visible messages or to Clear selection. You can also click the checkbox icon in the title row to select all visible messages.

Use the Action pull-down menu to update the selected messages: Update state, Update assignment, Release from quarantine, or Delete from quarantine.

Note:

The email list displays all messages detected by all of the sensors. Quarantine actions (release or delete) may take a few seconds to execute as the action needs to be dispatched and executed by the Sensor hosting the specific message. You can monitor progress by refreshing the view or by selecting a specific message.

The system provides feedback about the number of messages selected for the requested action.

The columns to be displayed in the list can be customized by clicking the additional content icon.

Customize the number of rows to be displayed. The default is 20 entries. Use the left arrow (back) and right arrow (forward) icons to navigate through multiple pages.

Each row is a summary of a message. Click the plus icon (or anywhere on an entry row) to access a detailed view of this message.

The list of messages contains the following columns:

Timestamp

Indicates when the message was received. The time is shown in the currently selected timezone.

The list is sorted by timestamp, by default in decreasing order (latest message at the top). Click the angle up icon to sort the list in increasing order (oldest message at the top). Click the angle down icon to toggle back to the default.

Sensor

Name of the sensor that detected the message.

Sender

The email address of the sender of the message, as claimed by the message itself. This address may be spoofed and should not be treated as verified.

Click the sort icon to sort the list alphabetically by the sender.

Recipient

The email address of the recipient of the message.

Click the sort icon to sort the list alphabetically by the recipient.

Subject

The provided subject of the message.

Click the sort icon to sort the list alphabetically by the subject.

Attachments

Lists the number of attachments found in the message. Click the details button to view the Attachments page for details about the attachment.

URLs

Lists the number of URLs found in the message. Click the details button to view the URLs page for details about the URLs.

Threat

Name of the detected threat in the attachment or URL.

Click the sort icon to sort the list by threat. Initially the list is sorted by decreasing order (most critical at the top).

Threat class

Name of the detected threat class of the attachment or URL.

Click the sort icon to sort the list by threat class. Initially the list is sorted by decreasing order (most critical at the top).

Antivirus class

A label defining the antivirus class of the attachment.

Malware

A label defining the malware type of the attachment. If the label has a tag icon, you can click it for a pop-up description.

Impact

The impact value indicates the critical level of the detected threat and ranges from 1 to 100:

  • Threats that are 70 or above are considered to be critical.

  • Threats that are between 30 and 69 are considered to be medium-risk.

  • Threats that are between 1 and 29 are considered to be benign.

If the stop icon appears, it indicates the artifact has been blocked.

Click the sort icon to sort the list by impact.
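The Minimum impact filter described above and the impact thresholds in this column together define what the portal labels Malicious, Suspicious and Benign. The following Python example is added here and is not part of this page or of the product: it applies those thresholds to a constructed set of Mail threats rows, mirrors the Minimum impact filter and the quick search, and then combines the Impact, Blocked and Mail delivery outcome criteria to list critical messages that were neither blocked nor quarantined, that is, malicious mail that reached a mailbox and needs follow-up. The sample rows, the row field names and the case-insensitive matching in the quick-search helper are assumptions.

```python
"""Triage helper over Mail threats rows: applies the documented impact
thresholds and the Blocked / Mail delivery outcome criteria to find critical
messages that were nevertheless delivered."""
from dataclasses import dataclass
from typing import List

# Thresholds from the Impact column description:
# 70 and above critical, 30 to 69 medium risk, 1 to 29 benign.
CRITICAL_MIN = 70
MEDIUM_MIN = 30


def threat_level(impact: int) -> str:
    """Map an impact score (1..100) to the portal's threat level label."""
    if not 1 <= impact <= 100:
        raise ValueError(f"impact must be in 1..100, got {impact}")
    if impact >= CRITICAL_MIN:
        return "Malicious"
    if impact >= MEDIUM_MIN:
        return "Suspicious"
    return "Benign"


@dataclass(frozen=True)
class MailRow:
    mail_id: str
    sender: str
    recipient: str
    subject: str
    threat: str
    threat_class: str
    impact: int
    blocked: bool
    delivery_outcome: str  # Bounce, Next hop, Quarantine or Unknown


# Constructed sample rows (assumed field names, not real detections).
SAMPLE_ROWS: List[MailRow] = [
    MailRow("m-001", "billing@example-invoices.test", "alice@corp.test",
            "Invoice 4471 overdue", "Emotet", "malicious downloads",
            95, True, "Quarantine"),
    MailRow("m-002", "hr@corp.test", "bob@corp.test",
            "Updated holiday policy", "", "", 5, False, "Next hop"),
    MailRow("m-003", "it-helpdesk@corp-support.test", "carol@corp.test",
            "Password expires today", "Credential phishing", "malicious URLs",
            82, False, "Next hop"),
    MailRow("m-004", "news@vendor.test", "dave@corp.test",
            "Q3 webinar", "Suspicious link", "malicious URLs",
            30, False, "Next hop"),
]


def minimum_impact(rows: List[MailRow], minimum: int) -> List[MailRow]:
    """Mirror of the Minimum impact filter: keep rows scoring at least `minimum`."""
    return [r for r in rows if r.impact >= minimum]


def quick_search(rows: List[MailRow], query: str) -> List[MailRow]:
    """As-you-type search: keep rows where any field contains `query`.
    Case-insensitive matching is an assumption; the page does not say."""
    q = query.lower()
    return [r for r in rows if any(q in str(v).lower() for v in vars(r).values())]


def delivered_critical(rows: List[MailRow]) -> List[MailRow]:
    """Critical (70+) messages that were neither blocked nor quarantined and
    went to the next hop: these reached a mailbox and need follow-up."""
    return [r for r in rows
            if threat_level(r.impact) == "Malicious"
            and not r.blocked
            and r.delivery_outcome == "Next hop"]


def recipients_to_notify(rows: List[MailRow]) -> List[str]:
    """Distinct recipients of delivered critical messages, sorted."""
    return sorted({r.recipient for r in delivered_critical(rows)})


if __name__ == "__main__":
    for r in delivered_critical(SAMPLE_ROWS):
        print(r.mail_id, r.recipient, r.threat, r.impact)
```

In the portal the same selection is reached by combining the Impact (or Minimum impact), Blocked and Mail delivery outcome filters; doing it in code is useful when the list is exported for ticketing or for a recipient notification run.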

State

Indicates the lifecycle status of the analysis of the message.

Assignee

The username of the analyst currently working on the analysis of the message.

Message details

The message details view is expanded within the mail threats list.

When a message has been quarantined, the Release from quarantine and Delete buttons appear. If you have determined that the message is legitimate (for example, a false positive), you can click Release from quarantine to send it on to the recipient. Alternatively, a message that is definitely malicious can be removed from the system by clicking Delete (this cannot be undone).

Analysis details

The Analysis details section displays detailed information about the message. It includes the number of Attachments detected and an optional details button to view details, the number of URLs detected and an optional details button to view details, the Impact of the detected threat, the Threat, the Threat Class, whether the message is Relevant (which determines whether it is included), and any Action taken.

Message details

The Message details section displays further information about the message. It includes the Mail ID with a link to the Message details (the link opens in a new browser tab) plus a link to the network analysis page (Investigations icon), the Message ID, Size, Time, Sender with a link to the network analysis page (Investigations icon), Subject, and Recipient also with a link to the network analysis page (Investigations icon).

Lifecycle

The Lifecycle section contains controls for the analysis lifecycle of the message:

  • Click the edit button beside the State entry to edit the state. Select Open, In Progress, or Done from the pull-down menu. Then click Update state to update the lifecycle.

  • Click the edit button beside the Assignee entry to update the analyst working on the message. Select an analyst from the prepopulated pull-down menu. Then click Assign to update the analyst.

Message state

The Message state section displays the status as the message passes through the Analyst processing pipeline:

  • Processing state shows the progress of the message through the pipeline. State is one of Delivery, Done, Dynamic analysis, Local analysis, Quarantined, Received, or Unknown. Click the help icon for a pop-up showing details.

    See the Processing log for the history of the message progress.

  • Delivery status shows the fate of the message. Status is one of Bounce, Next hop, Quarantine, or Unknown. Click the help icon for a pop-up showing details.

    See the Delivery log for the history of the message delivery.

  • Analysis status shows the results of the analysis. Status is one of Complete, Failure: Analysis queue full, Failure: Analyst unreachable, Failure: Processing time, or Unknown. Click the help icon for a pop-up showing details.

  • Last updated is the timestamp from the processing pipeline.

  • Message UUID is the unique identifier of the message.

Message header

The Message header section displays all the available headers extracted from the message. Headers include Date, To, From, Subject, X-Mailer, MIME-Version, Content-Type, and others.
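The Sender column of the list notes that the sender address may be spoofed; the headers shown in this section are where that can be checked. The following Python example is added here and is not part of this page or of the product. It parses constructed sample messages with the standard library email module and flags common spoofing indicators: a header From domain that differs from the envelope sender (Return-Path), and failing or absent SPF, DKIM and DMARC results in an Authentication-Results header. The sample messages, the domain names and the Message-ID domain heuristic are assumptions, and an Authentication-Results header is only meaningful when it was added by your own inbound MTA rather than by the sender.

```python
"""Header checks that help decide whether the displayed Sender is spoofed. The
Sender column shows whatever the message claims; these checks compare the header
From address with the envelope sender (Return-Path) and read the SPF, DKIM and
DMARC results that a trusted inbound MTA recorded in Authentication-Results."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample messages (not real captures). The Authentication-Results
# header is assumed to have been added by the organization's own inbound MTA;
# one supplied by the sender proves nothing.
SPOOFED_MESSAGE = """\
Return-Path: <bounce-1234@mailer.bulk-sender.test>
Authentication-Results: mx.corp.test; spf=pass smtp.mailfrom=mailer.bulk-sender.test; dkim=none; dmarc=fail header.from=corp.test
Date: Tue, 02 Apr 2024 09:15:02 +0000
From: "IT Helpdesk" <it-helpdesk@corp.test>
To: carol@corp.test
Subject: Password expires today
Message-ID: <20240402091502.1234@mailer.bulk-sender.test>
X-Mailer: BulkMailer 3.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at http://corp-support.test/reset
"""

CLEAN_MESSAGE = """\
Return-Path: <hr@corp.test>
Authentication-Results: mx.corp.test; spf=pass smtp.mailfrom=corp.test; dkim=pass header.d=corp.test; dmarc=pass header.from=corp.test
Date: Tue, 02 Apr 2024 10:00:00 +0000
From: HR <hr@corp.test>
To: bob@corp.test
Subject: Updated holiday policy
Message-ID: <20240402100000.42@corp.test>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The updated policy is on the intranet page.
"""


def domain_of(addr) -> str:
    """Domain part of an address such as '"Name" <user@example.test>'."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Collect method=result pairs (spf, dkim, dmarc) from Authentication-Results."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(value), re.I):
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def sender_findings(raw: str) -> list:
    """Return reasons to distrust the From address; an empty list means no finding."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"From domain {from_domain} differs from envelope sender "
                        f"domain {envelope_domain}")
    auth = auth_results(msg)
    if not auth:
        findings.append("no Authentication-Results header: From address is unverified")
    if auth.get("dmarc") == "fail":
        findings.append("DMARC failed for the From domain")
    if auth.get("dkim", "none") == "none":
        findings.append("message is not DKIM-signed")
    # Heuristic (assumption, not a standard check): a Message-ID minted under a
    # different domain than From often points to a third-party mailer.
    msgid_domain = str(msg.get("Message-ID", "")).rstrip(">").rpartition("@")[2].lower()
    if msgid_domain and msgid_domain != from_domain:
        findings.append(f"Message-ID domain {msgid_domain} differs from From domain")
    return findings


if __name__ == "__main__":
    for finding in sender_findings(SPOOFED_MESSAGE):
        print("-", finding)
```

The envelope/header mismatch alone is not proof of spoofing (mailing-list and bulk-mail services produce it legitimately), which is why the DMARC result for the From domain is the decisive signal when it is present.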

Processing log

The Processing log section displays the history of the progress of the message through the processing pipeline. The path a message takes depends on the characteristics of the message and on the email processing mode. Processing begins when the message is Received. It then passes through Local analysis (static analysis). If needed, it is then sent for Dynamic analysis. If analysis finds the message is malicious and quarantine has been enabled, it is isolated and its status becomes Quarantined (see the Quarantine log for the history of the message quarantine). If the Sensor is configured as an MTA, the message is then queued for Delivery, and is either sent to the next hop or quarantined. In all cases, the process is then Done.

Note:

If the process is stopped and restarted, a message can be Recovered from disk, meaning that it was in the middle of analysis when the process was stopped.

A timestamp is generated at the start of each stage.

For each log entry, click the help icon for a pop-up showing details.

If an anomaly is encountered during processing, the status is set to Unknown.

The typical workflow may deviate for a number of reasons:

  • An error occurred during processing that caused the message to fail open. Fail open mechanisms can be configured for the MTA Sensor. Fail open moves the message immediately to Delivery when the Sensor is configured as an MTA, so the message is handed to the next hop without a completed analysis verdict. Otherwise it moves to Done. The reason for the fail open is reported in the Message details.

  • Some steps are not required for the analysis of the message. For example, if Local analysis did not identify suspicious artifacts the Dynamic analysis phase is not required.

  • For the MTA Sensor, Delivery is blocked for malicious messages. Note that you can configure the Sensor to sanitize the message.

    There is no Delivery phase for a non-MTA Sensor.
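The stages above and the ways the workflow can deviate from them amount to a small state machine. The following Python example is added here and is not part of this page or of the product: it models that pipeline for one message, producing the stage sequence the Processing log would show together with the Delivery status and Analysis status, and includes the fail-open deviation so the case where a message reaches the next hop without a verdict can be spotted. The function and parameter names are assumptions, as is the mapping of a blocked, non-quarantined malicious message to the Bounce outcome, which the page does not name.

```python
"""Model of the message processing pipeline described in the Processing log
section: for a given Sensor mode and analysis result it produces the stage
sequence the Processing log would show, the Delivery status and the Analysis
status. Names and parameters are assumptions made for this example."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Outcome:
    processing_log: List[str]       # Processing state entries, in order
    delivery_status: Optional[str]  # Bounce, Next hop, Quarantine, Unknown; None when no Delivery phase
    analysis_status: str            # Complete, Failure: <reason>, Unknown


def run_pipeline(*, sensor_is_mta: bool, local_verdict: str,
                 needs_dynamic: bool = False, dynamic_verdict: Optional[str] = None,
                 quarantine_enabled: bool = True,
                 failure: Optional[str] = None, fail_open: bool = False) -> Outcome:
    """Verdicts are 'Benign', 'Suspicious' or 'Malicious'. `failure` names an
    error raised during analysis (e.g. 'Processing time'); when set, no verdict
    is available and the fail-open setting decides what happens next."""
    log = ["Received", "Local analysis"]

    if failure is not None:
        status = f"Failure: {failure}"
        if not fail_open:
            # Anomaly during processing without fail open: the state becomes Unknown.
            log.append("Unknown")
            return Outcome(log, "Unknown" if sensor_is_mta else None, status)
        # Fail open: straight to Delivery (MTA) or Done (non-MTA). Security caveat:
        # the MTA Sensor hands the message to the next hop without a completed
        # verdict, so it reaches the mailbox unanalyzed.
        if sensor_is_mta:
            log += ["Delivery", "Done"]
            return Outcome(log, "Next hop", status)
        log.append("Done")
        return Outcome(log, None, status)

    verdict = local_verdict
    if needs_dynamic:
        # Local (static) analysis found suspicious artifacts: send for Dynamic analysis.
        log.append("Dynamic analysis")
        verdict = dynamic_verdict or local_verdict

    quarantined = verdict == "Malicious" and quarantine_enabled
    if quarantined:
        log.append("Quarantined")

    delivery: Optional[str] = None  # non-MTA Sensor: no Delivery phase, no Delivery log
    if sensor_is_mta:
        log.append("Delivery")
        if verdict != "Malicious":
            delivery = "Next hop"
        elif quarantined:
            delivery = "Quarantine"
        else:
            # Delivery is blocked for malicious messages. ASSUMPTION: a blocked
            # message that was not quarantined is recorded as Bounce; the page
            # does not name the outcome for this case.
            delivery = "Bounce"
    log.append("Done")
    return Outcome(log, delivery, "Complete")


def delivered_without_verdict(outcome: Outcome) -> bool:
    """True when a message went to the next hop although analysis never
    completed: the fail-open case an operator should review."""
    return outcome.delivery_status == "Next hop" and outcome.analysis_status != "Complete"


if __name__ == "__main__":
    o = run_pipeline(sensor_is_mta=True, local_verdict="Benign",
                     failure="Processing time", fail_open=True)
    print(" -> ".join(o.processing_log), "|", o.delivery_status, "|", o.analysis_status)
```

The combination worth filtering for in the portal is Mail analysis status set to one of the Failure values together with Mail delivery outcome Next hop: those are the fail-open deliveries the model's last function flags.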

Delivery log

The Delivery log section displays the history of the delivery progress of the message. This log only appears when the Sensor is configured as an MTA. The stage may be Bounce, Next hop, Quarantine, or Unknown.

A timestamp is generated at the start of each stage.

For each log entry, click the help icon for a pop-up showing details.

Quarantine log

The Quarantine log section displays the history of the quarantine actions taken on the message. This log only appears when the message has been quarantined. The stage may be Quarantined, Released by user (user ID shown), Deleted by user (user ID shown), Deleted by retention (the system data retention limit on filesystem usage and/or age was reached), or Unknown.

A timestamp is generated at the start of each stage.

For each log entry, click the help icon for a pop-up showing details.

Attachments

The Attachments section provides details of the attachment found in the message.

Note:

If there are no attachments in the message, this section will not appear.

URLs

The URLs section provides details of the URLs found in the message.

Note:

If there are no URLs in the message, this section will not appear.

Detections

The Detections section is a list containing details about threats or anomalies that are found in the message and that are not directly associated to a specific URL or attachment. This may include anomalies identified in the analysis of email headers, or the text parts of the message. It displays the following data:

  • Detector: To obtain detailed information about the detector that provided the evidence, click the Detector pop-up link.

  • Threat: Name of the detected threat or security risk.

  • Threat class: Name of the detected threat class.

  • Action: Displays the action taken in response to the detected threat: BLOCK, LOG, OFF, or WARN.