Message Report
The message report allows you to investigate details about a message. Select ... > View Report or click anywhere on a message row to access the report for that message.
The message report shows details about a message including:
- Message direction, Microsoft Message ID, and if the message was read at the time of remediation
- Timeline
- Verdict and Techniques
- Sender Information
- Sender Messages
- Recipient information including Recipients, Envelope Recipients, and Mailboxes
- Links
- Attachments
- Email Preview
The message report also gives access to Conversation View and EML Downloads.
Timeline
The Timeline for a message is shown on the message report.
The timeline shows:
- Received: when a message was received and details about the message direction
- Rule: information about any message rule that was applied
- Verdict: information about any verdict that was rendered or applied and who performed the action
- Action: information about any action that was taken on the message and who performed the action. This includes:
  - Where and how a message was moved
  - Information about any remediation errors on the message and which mailboxes had the errors
Verdict and Techniques
The Verdict and Techniques panel shows a visual representation of the verdict applied to a message and techniques detected that may have contributed to the verdict. Techniques are color coded to indicate their severity. Malicious file names/SHA256 and URLs are shown dynamically when available. Static descriptions are shown when dynamic text is not possible.
You can remediate and/or reclassify a message directly from this panel. Click the Remediate & Reclassify button, then follow the directions provided in Move and Reclassify Messages.
Sender Information
The Sender Information panel shows information known about the sender of the message including name, email address, return path, reply to, SMTP server and client IPs, X-Originating IP, and authentication errors. For more information on authentication errors, see Authentication Error Codes.
Sender Messages
The Sender Messages graph shows the total messages sent and total threat messages sent by the sender of the message over the last 30 days. This can help you quickly see if there is any pattern of threat messages from the user.
Mailbox List
The Mailbox List shows a list of end-user mailboxes that received incoming and internal messages. The list also shows if the message was read prior to the last remediation action and any remediation errors on the message. Remediation errors can occur if a user deleted or moved a message before the system tried to remediate it.
Recipient Information
The Recipients and Envelope Recipients panels show information about who the message was sent to.
Links and Attachments
The Links and Attachments panels show information about links and attachments found in the message.
Email Preview
The Email Preview allows super-admin and admin users to request and see a message as it appears to the end-user without needing to download the EML file. The message is shown as an image. Click the Open Email Preview button to see the preview.
An audit log record is created when a user previews a message. The audit log is available for download from Administration > Business > Preferences.
Conversation View
Conversation view provides a holistic view of a conversation. Use the conversation view to track the messages in a conversation and gain a complete understanding of the mail flow. This can be useful in determining where a threat originated and how it spread within your organization.
When you are in the message report, click the Conversation View button on the top right of the page to see messages that are connected to a specific email.
Click the + icons to expand nodes of the conversation so you can see messages that came earlier or later in the conversation. Nodes that are expanded are added to the message grid shown below the nodes. Nodes and messages are color-coded to indicate direction: Incoming, Outgoing, or Internal.
The number within the node circle indicates how many addresses the message was sent to. An icon within a node indicates if a threat was detected or a verdict was applied. When you select a node, the corresponding message in the grid is highlighted.
XDR Pivot Menu
If your Secure Email Threat Defense business is integrated with Cisco XDR, you can access the XDR pivot menu from within the message report. For information about integrating with XDR, see XDR.