Message log page
The Message log page consists of a number of widgets. This page displays a full log of all messages processed by the Sensor, including messages with no URLs or attachments, messages considered benign by the pre-filter, or messages whose artifacts were considered benign during analysis. Details about each message are available with a single click.
At the top of the page is the portal settings widget.
Filters
An easy-to-use filtering mechanism is provided that allows you to focus on the information that you are interested in. Click the icon to expand the Filters widget.
The use of filters is optional.
Click Filter by and select an item from the pull-down menu. Select from Analysis tags, Assigned to, Blocked, Content action, Impact, Lastline mail UUID, Mail analysis status, Mail delivery outcome, Mail ID, Mail processing state, Mail state, Message action, Message log ID, Minimum impact, Recipient, Relevant content, Sender, Subject, Threat, or Threat class.
You can combine multiple filters to narrow the focus. You can also deploy multiple instances of some filters.
Delete an individual filter by clicking the button next to its entry. Delete all the selected filters by clicking the icon. This also collapses the Filters widget.
Click the button to apply the selected filters.
- Analysis tags
-
Restrict displayed attachments/URLs by their analysis tags. These are labels assigned to a file or URL by the system analysis. They can identify a threat or threat class, or refer to specific malicious behavior that was detected.
- Assigned to
-
Restrict to attachments/URLs assigned to a specific analyst. Enter a valid email address or the value "unassigned".
- Blocked
-
Filter messages/attachments/URLs by their Blocked status, Yes or No.
- Content action
-
Filter messages/attachments/URLs by the action the Sensor took on the event. Select from BLOCK, LOG, TEST, or WARN.
- Impact
-
Filter messages/attachments/URLs by their impact value. Select from Malicious, Suspicious, or Benign.
- Lastline mail UUID
-
Filter messages/attachments/URLs by the VMware NSX Network Detection and Response generated UUID.
- Mail analysis status
-
Filter messages/attachments/URLs by the analysis status. Select from Complete, Fail: Analysis queue full, Fail: Analyst error, Fail: Processing time, or Unknown.
- Mail delivery outcome
-
Filter messages/attachments/URLs by the delivery outcome. Select from Bounce, Next hop, Quarantine, or Unknown.
- Mail ID
-
Filter messages/attachments/URLs by the mail ID.
- Mail processing state
-
Filter messages/attachments/URLs by the mail processing state. Select from Analyst analysis, Delivery, Done, Local analysis, Quarantined, Received, or Unknown.
- Mail state
-
Filter messages/attachments/URLs by the lifecycle status of the analysis. Select from Open, In progress, or Done.
- Message action
-
Filter messages/attachments/URLs by the message action. Select from BLOCK or LOG.
- Message log ID
-
Filter messages/attachments/URLs by the message log ID.
- Minimum impact
-
Display attachments/URLs that scored the minimum impact level. The range is 1 to 100.
- Recipient
-
Restrict to messages with a specific recipient.
- Relevant content
-
Filter messages/attachments/URLs by how relevant they are.
- Sender
-
Restrict to messages sent by a specific address.
- Subject
-
Filter messages/attachments/URLs by the subject line.
- Threat
-
Name of the detected threat or security risk.
- Threat class
-
Name of the detected threat class.
Mail messages
The Mail messages widget is a list displaying all the messages processed by the Sensor.
The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.
Use the Select pull-down menu for a fine-tuned selection. Its options allow you to select All visible messages or to Clear selection. You can also click the icon in the title row to select all visible messages.
Use the Action pull-down menu to update the selected incidents: Update state, Update assignment, Release from quarantine, or Delete from quarantine.
The columns to be displayed in the list can be customized by clicking the icon.
Customize the number of rows to be displayed. The default is 20 entries. Use the previous and next page icons to navigate through multiple pages.
Each row is a summary of a message. Click the icon (or anywhere on an entry row) to access a detailed view of this message.
The list of messages contains the following columns:
- Timestamp
-
Indicates when the message was received. The time is shown in the currently selected timezone.
The list is sorted by timestamp, by default in decreasing order (latest message at the top). Click the icon to sort the list in increasing order (oldest message at the top). Click the icon to toggle to the default.
- Sensor
-
Name of the sensor that detected the message.
- Sender
-
The email address of the sender of the message. This email address may be spoofed.
Click the icon to sort the list alphabetically by the sender.
- Recipient
-
The email address of the recipient of the message.
Click the icon to sort the list alphabetically by the recipient.
- Subject
-
The provided subject of the message.
Click the icon to sort the list alphabetically by the subject.
- Threat
-
Name of the detected threat in the attachment or URL.
Click the icon to sort the list by threat. Initially the list is sorted by decreasing order (most critical at the top).
- Threat class
-
Name of the detected threat class of the attachment or URL.
Click the icon to sort the list by threat class. Initially the list is sorted by decreasing order (most critical at the top).
- Antivirus class
-
A label defining the antivirus class of the downloaded file.
- Malware
-
A label defining the malware type of the downloaded file. If the label has an icon, you can click it for a pop-up description.
- Impact
-
The impact value indicates the critical level of the detected threat and ranges from 1 to 100:
- Threats that are 70 or above are considered to be critical.
- Threats that are between 30 and 69 are considered to be medium-risk.
- Threats that are between 1 and 30 are considered to be benign.
If the icon appears, it indicates the artifact has been blocked.
Click the icon to sort the list by impact.
- State
-
Indicates the lifecycle status of the analysis of the message.
- Assignee
-
The username of the analyst currently working on the analysis of the message.
Message details
The message details view is expanded within the mail threats list.
When a message has been quarantined, the Release from quarantine and Delete buttons appear. If you have determined that the message is legitimate (for example, a false positive), you can click Release from quarantine to send it on to the recipient. Alternatively, a message that is definitely malignant can be removed from the system by clicking Delete (this cannot be undone).
Analysis details
The Analysis details section displays detailed information about the message. It includes the number of Attachments detected and an optional button to view details, the number of URLs detected and an optional button to view details, the Impact of the detected threat, the Threat, Threat Class, if the message is Relevant (determines if the message is included), and any Action taken.
Message details
The Message details section displays further information about the message. It includes the Mail ID with a link to the Message details (the link opens in a new browser tab) plus a link to the network analysis page, the Message ID, Size, Time, Sender with a link to the network analysis page, Subject, and Recipient also with a link to the network analysis page.
Lifecycle
The Lifecycle section contains controls for the analysis lifecycle of the message:
- Click the button beside the State entry to edit the state. Select Open, In Progress, or Done from the pull-down menu. Then click Update state to update the lifecycle.
- Click the button beside the Assignee entry to update the analyst working on the message. Select an analyst from the prepopulated pull-down menu. Then click Assign to update the analyst.
Message state
The Message state section displays the status as the message passes through the Analyst processing pipeline:
- Processing state shows the progress of the message through the pipeline. State is one of Delivery, Done, Dynamic analysis, Local analysis, Quarantined, Received, or Unknown. Click the icon for a pop-up showing details. See the Processing log for the history of the message progress.
- Delivery status shows the fate of the message. Status is one of Bounce, Next hop, Quarantine, or Unknown. Click the icon for a pop-up showing details. See the Delivery log for the history of the message delivery.
- Analysis status shows the results of the analysis. Status is one of Complete, Failure: Analysis queue full, Failure: Analyst unreachable, Failure: Processing time, or Unknown. Click the icon for a pop-up showing details.
- Last updated is the timestamp from the processing pipeline.
- Message UUID is the unique identifier of the message.
Message header
The Message header section displays all the available headers extracted from the message. Headers include Date, To, From, Subject, X-Mailer, MIME-Version, Content-Type, and others.
Processing log
The Processing log section displays the history of the progress of the message through the processing pipeline. The progress of the message through the processing pipeline depends on the characteristics of the message and on the email processing mode. The processing begins when the message is Received. It then passes through Local analysis (static analysis). If needed, it is then sent for Dynamic analysis. If analysis finds the message is malignant and quarantine has been enabled, it will be isolated and its status will be Quarantined (see the Quarantine log for the history of the message quarantine). If the Sensor is configured as an MTA, the message is queued for Delivery, either sent to the next hop or quarantined. In all cases, the process is then Done.
If the process is stopped and restarted, a message can be Recovered from disk, meaning that it was in the middle of analysis when the process was stopped.
A timestamp is generated at the start of each stage.
For each log entry, click the icon for a pop-up showing details.
If an anomaly is encountered during processing, the status is set to Unknown.
The typical workflow may deviate for a number of reasons:
- An error occurred during processing that caused the message to fail open. Fail open mechanisms can be configured for the MTA Sensor. Fail open will cause the message to move immediately to Delivery when the Sensor is configured as an MTA. Otherwise it moves to Done. The reason for the fail open is reported in the Message details.
- Some steps are not required for the analysis of the message. For example, if Local analysis did not identify suspicious artifacts, the Dynamic analysis phase is not required.
- For the MTA Sensor, Delivery is blocked for malicious messages. Note that you can configure the Sensor to sanitize the message.
- There is no Delivery phase for a non-MTA Sensor.
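As an added example that is not part of this documentation, the following Python checker replays one message's Processing log entries against the pipeline described above and flags trails that indicate a fail-open delivery, a restart recovery, or an Unknown state. The entry format (ISO timestamp plus stage name) is an assumption made for the example; the page does not specify the fields behind the log pop-up.

```python
from datetime import datetime

# Stage names as listed in the Processing log description.
ANALYSIS_STAGES = {"Local analysis", "Dynamic analysis"}
TERMINAL_STAGES = {"Delivery", "Done"}


def audit_processing_log(entries, sensor_is_mta):
    """Return a list of findings for one message's Processing log.

    entries: (iso_timestamp, stage) tuples in log order. This tuple layout is a
    constructed assumption, not the product's export format.
    sensor_is_mta: True when the Sensor runs as an MTA (Delivery phase exists).
    """
    findings = []
    stages = [stage for _, stage in entries]
    times = [datetime.fromisoformat(ts) for ts, _ in entries]

    if not stages or stages[0] != "Received":
        findings.append("trail does not start with Received")
    if any(later < earlier for earlier, later in zip(times, times[1:])):
        findings.append("timestamps are not monotonic")
    if "Recovered from disk" in stages:
        findings.append("message was mid-analysis when the process restarted")
    if "Unknown" in stages:
        findings.append("anomaly during processing (status Unknown)")

    analysed = bool(ANALYSIS_STAGES & set(stages))
    if not analysed and (set(stages) & TERMINAL_STAGES):
        # Straight to Delivery/Done with no analysis stage: the fail-open path.
        findings.append("fail open: delivered or finished without analysis")
    if "Quarantined" in stages and not analysed:
        findings.append("quarantined without a recorded analysis stage")
    if "Delivery" in stages and not sensor_is_mta:
        findings.append("Delivery stage on a non-MTA Sensor")
    if "Dynamic analysis" in stages and "Local analysis" not in stages:
        findings.append("Dynamic analysis without preceding Local analysis")
    return findings


# Constructed sample trails for an MTA Sensor.
NORMAL_TRAIL = [("2024-01-01T10:00:00", "Received"),
                ("2024-01-01T10:00:01", "Local analysis"),
                ("2024-01-01T10:00:05", "Dynamic analysis"),
                ("2024-01-01T10:02:00", "Quarantined"),
                ("2024-01-01T10:02:01", "Done")]
FAIL_OPEN_TRAIL = [("2024-01-01T11:00:00", "Received"),
                   ("2024-01-01T11:00:00", "Delivery"),
                   ("2024-01-01T11:00:01", "Done")]

if __name__ == "__main__":
    for name, trail in (("normal", NORMAL_TRAIL), ("fail-open", FAIL_OPEN_TRAIL)):
        print(name, audit_processing_log(trail, sensor_is_mta=True) or ["ok"])
```

Run it over exported trails to list messages that reached Delivery with no analysis stage recorded, which is the case worth reviewing first.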
Delivery log
The Delivery log section displays the history of the delivery progress of the message. This log only appears when the Sensor is configured as an MTA. The stage may be Bounce, Next hop, Quarantine, or Unknown.
A timestamp is generated at the start of each stage.
For each log entry, click the icon for a pop-up showing details.
Quarantine log
The Quarantine log section displays the history of the quarantine actions taken on the message. This log only appears when the message has been quarantined. The stage may be Quarantined, Released by user (user ID shown), Deleted by user (user ID shown), Deleted by retention (system data retention filesystem usage and/or timeout was reached), or Unknown.
A timestamp is generated at the start of each stage.
For each log entry, click the icon for a pop-up showing details.
Attachments
The Attachments section provides details of the attachment found in the message.
If there are no attachments in the message, this section will not appear.
URLs
The URLs section provides details of the URLs found in the message.
If there are no URLs in the message, this section will not appear.
Detections
The Detections section is a list containing details about threats or anomalies that are found in the message and that are not directly associated with a specific URL or attachment. This may include anomalies identified in the analysis of email headers, or the text parts of the message. It displays the following data:
- Detector — To obtain detailed information about the detector that provided the evidence, click the Detector pop-up link.
- Threat — Name of the detected threat or security risk.
- Threat class — Name of the detected threat class.
- Action — Displays the action taken in response to the detected threat: BLOCK, LOG, OFF, or WARN.