Events

The Events page provides a detailed log of MetaDefender Cloud Email Security processing history and incidents, including their severity, status, and verdict. This guide explains how to use this page effectively for monitoring and managing security events.

Search and Filtering Options

  • Search Bar: Allows users to search for specific events based on keywords.
  • Status Filter: Filters events based on their current state (e.g., Pending, In Progress, Closed).
  • Verdict Filter: Narrows down events by verdict (e.g., Malicious, Suspicious, Failure to Analyze, Encrypted Content).
  • Time Range: Narrows down events by time range.
  • Advanced Filters: Search and refine event results using multiple parameters such as:
    • Status
    • Email Direction
    • Verdict
    • Message ID
    • Event ID
    • Subject
    • SMTP Sender
    • From: address
    • Recipient
    • Policy Name
    • Attachment Name

Event List

Each row in the event list represents an event with the following details:

  • Time of Event: Timestamp indicating when the event occurred.

  • Event ID: Unique identifier assigned to each security event.

  • Status: The current status of the event:

    • Quarantined: Quarantined content.
    • Delivered: Delivered content.
    • Investigating: Issue under investigation.
    • Released: Released content.
    • Delete: Deleted content.
    • Closed: Issue closed without any action.

  • Policy: Indicates the policy that was applied to the content.

  • Direction: Indicates email direction (inbound/outbound).

  • Affected User: The user impacted by the event.

  • Details: A brief description of the email content or subject.

  • Verdict: See Verdicts.

Viewing Event Details

The Event Details page in OPSWAT MetaDefender Cloud Email Security provides an in-depth analysis of a specific email security incident. Users can review verdicts, scan results, and file details, and take the necessary actions. This guide explains how to navigate and use the Event Details page effectively.

Event Header

At the top of the page, users can see:

  • Event ID: Unique identifier for the event.
  • Time of Event: When the event was recorded.
  • Processing Time: The time taken to analyze the email.
  • Policy: Indicates which security policy was applied.

Verdict Section

Displays the security assessment of the email:

  • Verdict (e.g., Malicious, Suspicious, Sanitized). For more details, see Verdicts.

Asset Details

This section provides metadata about the email:

  • Item type: Type of content.

    • View headers: View the email header for analysis.

  • Affected User: The user(s) affected by the event.

  • Action Taken: Actions performed on the email (e.g., Quarantined, Released).

  • Sent at: Timestamp of when the email was sent.

  • Received at: Timestamp of when the email was received.

  • Quarantine ID: Identifies the quarantined message (if any).

  • Message ID: Unique email message identifier.

  • Subject: The subject of the email.

  • Sender & Recipients: Sender's email address and SMTP server details.

  • From, To & Cc: Identify the sender and recipients listed in the email header.

  • Received from: The endpoint from which the email was received.

  • Size: Email content size.

Scan Results

This section provides information about the scans performed on the email:

  • Content list: Displays the different parts of the email, including bodies & attachments.

  • File Overview:

    • File Category & Type (e.g., Adobe Portable Document Format - PDF)
    • File Size & Extension
    • Upload, Scan Time & Duration
    • SHA-256 Hash for file integrity verification.
  • Sandbox Analysis (for applicable file types):

    • Verdict: Sandbox analysis verdict.
    • Report: View/download complete Sandbox analysis report.
  • Zero-Day Malware Prevention:

    • Result: Deep CDR sanitization result.
    • Reason (when applicable): Sanitization failure reason.
  • Advanced Threat Detection:

    • Result: Aggregated Multiscanning result.
      • Number of engines that detected threats.
      • List of antivirus engines used.
      • Verdicts from individual security engines.

The scan results for each part can be downloaded as a JSON file by clicking 'Download as JSON'. For details on the JSON structure, refer to: https://www.opswat.com/docs/mdcloud/metadefender-cloud-api-v4#file-lookupbydataid
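As an added example (not part of this page or of OPSWAT's own tooling), the script below reads a per-part scan result of the kind the 'Download as JSON' link produces, rebuilds the Advanced Threat Detection summary from the individual engine verdicts rather than trusting the reported totals, and verifies the File Overview SHA-256 against the attachment bytes in hand. The sample data is constructed, and the key names (file_info, scan_results, scan_details, threat_found, total_avs, total_detected_avs, scan_all_result_a) are assumptions modelled on the v4 file-lookup response, not copied from the linked documentation.

```python
import hashlib

# Constructed sample attachment bytes; the reference hash below is derived
# from them so the integrity check has a known-good value to compare against.
SAMPLE_BYTES = b"%PDF-1.4 constructed sample attachment\n"

# Constructed per-part scan result. The key names follow the MetaDefender
# Cloud API v4 file-lookup response as understood by the author of this
# example; they are an assumption, not copied from the linked documentation.
SAMPLE_RESULT = {
    "file_info": {
        "file_type_description": "Adobe Portable Document Format",
        "file_size": len(SAMPLE_BYTES),
        "sha256": hashlib.sha256(SAMPLE_BYTES).hexdigest(),
    },
    "scan_results": {
        "total_avs": 4,
        "total_detected_avs": 2,
        "scan_all_result_a": "Infected",
        "scan_details": {
            "EngineA": {"threat_found": "Trojan.Constructed.Sample", "scan_result_i": 1},
            "EngineB": {"threat_found": "", "scan_result_i": 0},
            "EngineC": {"threat_found": "PDF/Constructed.Exploit", "scan_result_i": 1},
            "EngineD": {"threat_found": "", "scan_result_i": 0},
        },
    },
}

def summarize_multiscan(result: dict) -> dict:
    """Aggregate per-engine verdicts and cross-check the reported totals.

    Recomputing the counts from scan_details catches an export whose summary
    fields disagree with its own per-engine data (truncated or edited file).
    """
    scan = result["scan_results"]
    details = scan.get("scan_details", {})
    detecting = sorted(name for name, d in details.items() if d.get("threat_found"))
    return {
        "verdict": scan.get("scan_all_result_a"),
        "total_engines": len(details),
        "detected": len(detecting),
        "detecting_engines": detecting,
        "threats": {name: details[name]["threat_found"] for name in detecting},
        "count_consistent": len(details) == scan.get("total_avs")
        and len(detecting) == scan.get("total_detected_avs"),
    }

def verify_sha256(result: dict, data: bytes) -> bool:
    """Confirm the bytes in hand match the SHA-256 shown in File Overview."""
    return hashlib.sha256(data).hexdigest() == result["file_info"]["sha256"].lower()
```

A `count_consistent` value of False means the summary fields and the per-engine list in the export disagree, which is worth noting in the event's Comments section before acting on the verdict.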

Actions Panel

Users can take necessary actions on the event:

  • Status: Verify or change the event status.
  • Available Actions:
    • Delete: Remove the email permanently.
    • Release: Allow the email to be delivered to the recipient.

Comments Section

  • Users can add comments for collaboration and tracking.

Audit History

Tracks all actions taken on the event, for example:

  • Email Received Timestamp
  • Status Changes (e.g., "Quarantined" to "Released")
  • User Assignments
  • Comment Additions
  • Final Actions Taken