Message details

The message details view is expanded within the mail threats list.

When a message has been quarantined, the Release from quarantine and Delete buttons appear. If you have determined that the message is legitimate (for example, a false positive), click Release from quarantine to send it on to the recipient. If the message is definitely malicious, click Delete to remove it from the system (this cannot be undone).

Analysis details

The Analysis details section summarizes the analysis results for the message: the number of Attachments detected (with a details button when there are any), the number of URLs detected (with a details button when there are any), the Impact of the detected threat, the Threat, the Threat Class, whether the message is Relevant (which determines whether it is included in the list), and the Action taken.

Message details

The Message details section displays identifying information about the message: the Mail ID, with a link to the Message details (the link opens in a new browser tab) and a link to the network analysis page (Investigations pages icon); the Message ID; Size; Time; Sender, with a link to the network analysis page (Investigations pages icon); Subject; and Recipient, also with a link to the network analysis page (Investigations pages icon).

Lifecycle

The Lifecycle section contains controls for the analysis lifecycle of the message:

  • Click the edit button beside the State entry to edit the state. Select Open, In Progress, or Done from the pull-down menu. Then click Update state to update the lifecycle.

  • Click the edit button beside the Assignee entry to update the analyst working on the message. Select an analyst from the prepopulated pull-down menu. Then click Assign to update the analyst.

Message state

The Message state section displays the status as the message passes through the Analyst processing pipeline:

  • Processing state shows the progress of the message through the pipeline. State is one of Delivery, Done, Dynamic analysis, Local analysis, Quarantined, Received, or Unknown. Click the help icon for a pop-up showing details.

    See the Processing log for the history of the message progress.

  • Delivery status shows the fate of the message. Status is one of Bounce, Next hop, Quarantine, or Unknown. Click the help icon for a pop-up showing details.

    See the Delivery log for the history of the message delivery.

  • Analysis status shows the results of the analysis. Status is one of Complete, Failure: Analysis queue full, Failure: Analyst unreachable, Failure: Processing time, or Unknown. Click the help icon for a pop-up showing details.

  • Last updated is the timestamp from the processing pipeline.

  • Message UUID is the unique identifier of the message.

Message header

The Message header section displays all the available headers extracted from the message. Headers include Date, To, From, Subject, X-Mailer, MIME-Version, Content-Type, and others.

Processing log

The Processing log section displays the history of the message's progress through the processing pipeline. The path a message takes depends on the characteristics of the message and on the email processing mode. Processing begins when the message is Received. It then passes through Local analysis (static analysis) and, if needed, is sent for Dynamic analysis. If analysis finds the message is malicious and quarantine has been enabled, it is isolated and its status becomes Quarantined (see the Quarantine log for the history of the quarantine). If the Sensor is configured as an MTA, the message is queued for Delivery and is either sent to the next hop or quarantined. In all cases, the process then ends with Done.

Note:

If the process is stopped and restarted, a message can be Recovered from disk, meaning that it was in the middle of analysis when the process was stopped.

A timestamp is generated at the start of each stage.

For each log entry, click the help icon for a pop-up showing details.

If an anomaly is encountered during processing, the status is set to Unknown.

The typical workflow may deviate for a number of reasons:

  • An error occurred during processing that caused the message to fail open. Fail-open behavior can be configured for the MTA Sensor. When the Sensor is configured as an MTA, fail open moves the message immediately to Delivery; otherwise it moves to Done. The reason for the fail open is reported in the Message details.

  • Some steps are not required for the analysis of the message. For example, if Local analysis did not identify suspicious artifacts the Dynamic analysis phase is not required.

  • For the MTA Sensor, Delivery is blocked for malicious messages. Note that you can configure the Sensor to sanitize the message.

    There is no Delivery phase for a non-MTA Sensor.
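The following Python is an added example, not the product's own code, and the timestamped stage lines and the transition table are my reading of the pipeline description above (the log line format and the assumption that a Recovered message resumes at whatever stage it was in are mine). It walks a Processing log and reports the deviations described above: a restart, a fail open (analysis stages skipped), a Delivery stage on a non-MTA Sensor, an Unknown anomaly, or an unfinished message.

```python
"""Check a message's Processing log against the pipeline stages described above."""
from datetime import datetime

# Permitted stage-to-stage transitions, taken from the pipeline description.
# Received -> Delivery/Done is only reached by fail open, so it is permitted
# but reported so the analyst checks the fail-open reason in Message details.
ALLOWED_NEXT = {
    "Received": {"Local analysis", "Delivery", "Done"},
    "Local analysis": {"Dynamic analysis", "Quarantined", "Delivery", "Done"},
    "Dynamic analysis": {"Quarantined", "Delivery", "Done"},
    "Quarantined": {"Delivery", "Done"},
    "Delivery": {"Done"},
    "Done": set(),
}
RECOVERED = "Recovered"  # assumption: the message resumes at any later stage
UNKNOWN = "Unknown"      # anomaly during processing; treated as terminal here


def parse_entry(line):
    """'2024-05-07T09:15:02Z Local analysis' -> (datetime, 'Local analysis').

    Assumed log line format: ISO-8601 UTC timestamp, a space, the stage name.
    """
    ts, stage = line.strip().split(" ", 1)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), stage


def check_processing_log(lines, mta):
    """Return the final stage, elapsed time and any deviations from the pipeline."""
    entries = [parse_entry(line) for line in lines if line.strip()]
    findings, seen = [], set()
    prev_ts = prev_stage = None
    for ts, stage in entries:
        if prev_ts is not None and ts < prev_ts:
            findings.append(f"timestamp goes backwards at {stage}")
        if stage == UNKNOWN:
            findings.append(f"anomaly: status Unknown after {prev_stage}")
        elif stage == RECOVERED:
            findings.append("process restarted; message recovered from disk")
        elif prev_stage is None:
            if stage != "Received":
                findings.append(f"log does not start with Received (starts with {stage})")
        elif prev_stage in (RECOVERED, UNKNOWN):
            if prev_stage == UNKNOWN:
                findings.append(f"processing continued after Unknown ({stage})")
        elif stage not in ALLOWED_NEXT.get(prev_stage, set()):
            findings.append(f"unexpected transition {prev_stage} -> {stage}")
        elif prev_stage == "Received" and stage != "Local analysis":
            # Analysis was skipped entirely: only fail open does that.
            findings.append("no analysis stage recorded: check Message details for a fail-open reason")
        seen.add(stage)
        prev_ts, prev_stage = ts, stage

    if "Delivery" in seen and not mta:
        findings.append("Delivery stage recorded on a non-MTA Sensor")
    if mta and "Done" in seen and "Delivery" not in seen and "Quarantined" not in seen:
        findings.append("MTA Sensor reached Done without a Delivery stage")
    if prev_stage != "Done":
        findings.append(f"processing not finished (last stage: {prev_stage})")

    elapsed = (entries[-1][0] - entries[0][0]).total_seconds() if entries else 0.0
    return {
        "final": prev_stage,
        "dynamic_analysis_ran": "Dynamic analysis" in seen,
        "elapsed_s": elapsed,
        "findings": findings,
    }


# Constructed sample logs for this example (not real Sensor output).
CLEAN_MTA_LOG = [
    "2024-05-07T09:15:02Z Received",
    "2024-05-07T09:15:03Z Local analysis",
    "2024-05-07T09:15:05Z Dynamic analysis",
    "2024-05-07T09:17:42Z Delivery",
    "2024-05-07T09:17:43Z Done",
]
RESTART_LOG = [
    "2024-05-07T09:20:00Z Received",
    "2024-05-07T09:20:01Z Local analysis",
    "2024-05-07T09:24:30Z Recovered",
    "2024-05-07T09:24:31Z Dynamic analysis",
    "2024-05-07T09:26:02Z Done",
]
FAIL_OPEN_LOG = [
    "2024-05-07T09:30:00Z Received",
    "2024-05-07T09:30:01Z Delivery",
    "2024-05-07T09:30:02Z Done",
]

if __name__ == "__main__":
    for name, log, mta in (("clean", CLEAN_MTA_LOG, True),
                           ("restart", RESTART_LOG, False),
                           ("fail-open", FAIL_OPEN_LOG, True)):
        print(name, check_processing_log(log, mta=mta))
```

Run against a log exported from the Processing log pane (one stage per line, adjusting parse_entry to the real timestamp format), the findings list tells you at a glance which of the deviations above applies and whether Message details should be consulted for a fail-open reason.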

Delivery log

The Delivery log section displays the history of the delivery progress of the message. This log only appears when the Sensor is configured as an MTA. The stage may be Bounce, Next hop, Quarantine, or Unknown.

A timestamp is generated at the start of each stage.

For each log entry, click the help icon for a pop-up showing details.

Quarantine log

The Quarantine log section displays the history of the quarantine actions taken on the message. This log only appears when the message has been quarantined. The stage may be Quarantined, Released by user (user ID shown), Deleted by user (user ID shown), Deleted by retention (the system data retention limit on filesystem usage and/or the retention timeout was reached), or Unknown.

A timestamp is generated at the start of each stage.

For each log entry, click the help icon for a pop-up showing details.

Attachments

The Attachments section provides details of the attachments found in the message.

Note:

If there are no attachments in the message, this section will not appear.

URLs

The URLs section provides details of the URLs found in the message.

Note:

If there are no URLs in the message, this section will not appear.
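The Message header, Attachments and URLs sections above show what the analysis extracts from a message. As an added example (not the product's own code; the sample message is constructed for this example and the helper names are mine), the following Python uses the standard library email parser to pull the same three things from a raw message: every header as received, each attachment with its decoded size and SHA-256, and the de-duplicated list of URLs found in the text parts.

```python
"""Extract headers, attachments and URLs from a raw RFC 5322 message."""
import email
import hashlib
import re
from email import policy

# Constructed sample message for this example (not a real capture).
SAMPLE_MESSAGE = b"""From: "Accounts" <billing@example.org>
To: alice@example.com
Subject: Invoice 4417 overdue
Date: Tue, 07 May 2024 09:15:00 +0000
MIME-Version: 1.0
X-Mailer: BulkMailer 2.1
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice or pay online at
http://pay.example.org/invoice/4417?ref=alice
Thanks.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://pay.example.org/invoice/4417?ref=alice">Pay now</a></body></html>
--b1
Content-Type: application/pdf; name="invoice_4417.pdf"
Content-Disposition: attachment; filename="invoice_4417.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJeLjz9MKCg==
--b1--
"""

# Matches http/https URLs up to the next whitespace, angle bracket or quote.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def analyze(raw: bytes) -> dict:
    """Return headers, attachment metadata and URLs found in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # All headers in the order received; str() keeps the raw header value.
    headers = [(name, str(value)) for name, value in msg.items()]
    attachments, urls = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = part.get_filename()
        if part.get_content_disposition() == "attachment" or filename:
            data = part.get_payload(decode=True) or b""  # base64/QP decoded
            attachments.append({
                "filename": filename or "(unnamed)",
                "content_type": part.get_content_type(),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                if url not in urls:  # keep first-seen order, drop duplicates
                    urls.append(url)
    return {"headers": headers, "attachments": attachments, "urls": urls}


if __name__ == "__main__":
    result = analyze(SAMPLE_MESSAGE)
    for name, value in result["headers"]:
        print(f"{name}: {value}")
    print("attachments:", result["attachments"])
    print("urls:", result["urls"])
```

Note that the URL list comes from both the plain-text and HTML parts, so the same link reached by a different scheme (http versus https here) appears twice; treat those as distinct indicators, since only one of them may be the live phishing page.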

Detections

The Detections section lists the threats or anomalies found in the message that are not directly associated with a specific URL or attachment. This may include anomalies identified in the analysis of the email headers or of the text parts of the message. It displays the following data:

  • Detector: Click the Detector pop-up link for detailed information about the detector that provided the evidence.

  • Threat: Name of the detected threat or security risk.

  • Threat class: Name of the detected threat class.

  • Action: The action taken in response to the detected threat: BLOCK, LOG, OFF, or WARN.