Events

The Events page provides a detailed log of MetaDefenderCloud Email Security processing history and incidents, including their severity, status, and verdict. This guide explains how to use this page effectively for monitoring and managing security events.

Search and Filtering Options

  • Search Bar: Allows users to search for specific events based on keywords.
  • Status Filter: Filters events based on their current state (e.g., Pending, In Progress, Closed).
  • Verdict Filter: Narrows down events by verdict (e.g., Malicious, Suspicious, Failure to Analyze, Encrypted Content).
  • Time Range: Narrows down events by time range.
  • Advanced Filters: Search and refine event results using multiple parameters such as:
    • Status
    • Verdict
    • Message ID
    • Event ID
    • Subject
    • SMTP Sender
    • From: address
    • Recipient
    • Policy Name
    • Attachment Name

Event List

Each row in the event list represents an event with the following details:

  • Time of Event: Timestamp indicating when the event occurred.

  • Event ID: Unique identifier assigned to each security event.

  • Status: The current status of the event:

    • Quarantined: Content has been quarantined.
    • Delivered: Content has been delivered.
    • Investigating: Issue under investigation.
    • Released: Content has been released.
    • Delete: Content has been deleted.
    • Closed: Issue closed without any action.

  • Policy: Indicates the Policy that was applied to the content.

  • Direction: Indicates email direction (inbound/outbound).

  • Affected User: The user impacted by the event.

  • Details: A brief description of the email content or subject.

  • Verdict: Classification of the event based on its analysis:

    • No Threat Detected: No known threat has been detected.
    • Malicious: Identified as a confirmed threat.
    • Suspicious: Potentially harmful but unconfirmed.
    • Failure to Analyze: Could not be analyzed.
    • Encrypted Content: Email contained encrypted data.
    • Unsupported File Type: File format is not supported for analysis.
    • Sanitized: Content has been sanitized.

Viewing Event Details

The Event Details page in OPSWAT MetaDefenderCloud Email Security provides an in-depth analysis of a specific email security incident. Users can review verdicts, scan results, file details, and take necessary actions. This guide explains how to navigate and utilize the Event Details page effectively.

Event Header

At the top of the page, users can see:

  • Event ID: Unique identifier for the event.
  • Time of Event: When the event was recorded.
  • Processing Time: The time taken to analyze the email.
  • Policy: Indicates which security policy was applied.

Verdict Section

Displays the security assessment of the email:

  • Verdict (e.g., Malicious, Suspicious, Sanitized)

Asset Details

This section provides metadata about the email:

  • Item type: Type of content.

    • View headers: View the email header for analysis.

  • Affected User: The user(s) affected by the event.

  • Action Taken: Actions performed on the email (e.g., Quarantined, Released).

  • Sent at: Timestamp of when the email was sent.

  • Received at: Timestamp of when the email was received.

  • Quarantine ID: Identifies the quarantined message (if any).

  • Message ID: Unique email message identifier.

  • Subject: The subject of the email.

  • Sender & Recipients: Sender's email address and SMTP server details.

  • From, To & Cc: Identify the sender and recipients listed in the email header.

  • Received from: Endpoint from which the email was received.

  • Size: Email content size.

Scan Results

This section provides information about the scans performed on the email:

  • Content list: Displays the different parts of the email, including bodies & attachments.

  • File Overview:

    • File Category & Type (e.g., Adobe Portable Document Format - PDF)
    • File Size & Extension
    • Upload, Scan Time & Duration
    • MD5, SHA-1, SHA-256 Hashes for file integrity verification.

  • Metascan Multiscanning Results:

    • Number of engines that detected threats.
    • List of antivirus engines used.
    • Verdicts from individual security engines.

  • Processing failures: If a processing or sanitization error occurs, a callout will appear with details explaining the reason. Common examples include:

    • Sanitization failure messages
    • Exceeded scanning limits (see Scanning limits for more information)

The scan results for each part can be downloaded as a JSON file by clicking 'Download as JSON'. For details on the JSON structure, refer to: https://www.opswat.com/docs/mdcloud/metadefender-cloud-api-v4#file-lookupbydataid
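As an added example (not part of this guide or of OPSWAT's own tooling), the following Python script reads a report in the shape of the MetaDefender Cloud v4 file-lookup JSON referenced above, counts the engines that flagged a part (the Metascan Multiscanning figure shown in the UI), and re-computes the File Overview hashes against the bytes of a downloaded attachment. The JSON layout, field names and the meaning of the scan_result_i codes are assumptions taken from the public API documentation, and all sample data is constructed.

```python
import hashlib
import json

# Constructed sample attachment bytes (not a real file), standing in for a downloaded email part.
SAMPLE_ATTACHMENT = b"%PDF-1.4\n% constructed sample, not a real document\n"


def build_sample_report(data: bytes) -> str:
    """Constructed JSON in the shape of a MetaDefender Cloud v4 file-lookup result.
    Assumption: the 'Download as JSON' report uses the file_info / scan_results layout
    documented for the public API; hashes are recorded upper-case hex."""
    report = {
        "file_info": {
            "display_name": "invoice.pdf",
            "file_type_description": "Adobe Portable Document Format",
            "file_size": len(data),
            "md5": hashlib.md5(data).hexdigest().upper(),
            "sha1": hashlib.sha1(data).hexdigest().upper(),
            "sha256": hashlib.sha256(data).hexdigest().upper(),
        },
        "scan_results": {
            "scan_all_result_a": "Infected",
            "scan_details": {  # engine names and threat labels are constructed
                "EngineA": {"scan_result_i": 1, "threat_found": "Trojan.Generic.Sample"},
                "EngineB": {"scan_result_i": 0, "threat_found": ""},
                "EngineC": {"scan_result_i": 2, "threat_found": "Heuristic.Suspicious"},
            },
        },
    }
    return json.dumps(report)


def summarize_engines(report_json: str):
    """Return (engines_detecting, engines_total, [(engine, threat_name), ...]).
    Assumption: scan_result_i 1 (infected) and 2 (suspicious) count as detections."""
    details = json.loads(report_json)["scan_results"]["scan_details"]
    hits = [(name, d.get("threat_found", "")) for name, d in details.items()
            if d.get("scan_result_i") in (1, 2)]
    return len(hits), len(details), hits


def verify_hashes(report_json: str, data: bytes) -> dict:
    """Compare the report's recorded MD5/SHA-1/SHA-256 with digests of the bytes on disk,
    so an analyst can confirm the downloaded part is the one that was scanned."""
    info = json.loads(report_json)["file_info"]
    algos = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}
    return {a: fn(data).hexdigest().lower() == info[a].lower() for a, fn in algos.items()}


if __name__ == "__main__":
    report = build_sample_report(SAMPLE_ATTACHMENT)
    n, total, hits = summarize_engines(report)
    print(f"{n}/{total} engines flagged the part: {hits}")
    print("hash check (original):", verify_hashes(report, SAMPLE_ATTACHMENT))
    print("hash check (tampered):", verify_hashes(report, SAMPLE_ATTACHMENT + b"x"))
```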

Actions Panel

Users can take necessary actions on the event:

  • Status: Verify or change the event status.
  • Available Actions:
    • Delete: Remove the email permanently.
    • Release: Allow the email to be delivered to the recipient.

Comments Section

  • Users can add comments for collaboration and tracking.

Audit History

Tracks all actions taken on the event, for example:

  • Email Received Timestamp
  • Status Changes (e.g., "Quarantined" to "Released")
  • User Assignments
  • Comment Additions
  • Final Actions Taken