Querying Policy Event Logs

Procedure

  1. Go to Logs > Query.
  2. Next to Type, select Policy events.
    The query screen for policy event logs appears.
  3. In the second drop-down box next to Type, select one of the following items related to the policy and the rules you configured for the policy:
    • All
    • Virus or malicious code
    • Advanced persistent threat
    • Spyware/grayware
    • C&C email
    • Spam/phish
    • Graymail
    • Web Reputation
      Note
      If you select Web Reputation, IMSVA displays two additional drop-down lists that contain website content categories. Select any category name to narrow down your log query.
    • DKIM enforcement
    • Attachment
    • Size
    • Content
    • Compliance
    • Scanning exceptions
    • Spam Tagged by Cloud Pre-Filter
    • Suspicious Objects
    • Others
  4. Specify any of the following additional information:
    • Sender
    • Recipient(s)
    • Rule
    • Subject
    • Violating Attachment(s)
    • Message ID
    If you leave any text box blank, all results for that item appear.
  5. Click Display Log. A timestamp, action, rule, and message ID appear for each event.
  6. Click the timestamp link to see the following information:
    • Timestamp
    • Sender
    • Recipient
    • Subject
    • Original size
    • Violating attachments
    • Violation reason
      Note
      If ATSE is enabled, IMSVA adds the Probable advanced threat option for Violation reason. If both ATSE and Virtual Analyzer are enabled, IMSVA adds the Probable advanced threat or Analyzed advanced threat option for Violation reason.
    • Rule(s)
    • Action
      Note
      If both ATSE and Virtual Analyzer are enabled, IMSVA adds an option to Action that shows the status of the Virtual Analyzer analysis.
    • Message ID
    • Internal ID
    • Scanner
    • Social engineering attack details
      Note
      If Virtual Analyzer is not enabled, IMSVA displays Social engineering attack details whenever a social engineering attack is detected. If Virtual Analyzer is enabled, IMSVA displays Social engineering attack details only when the detected social engineering attack is confirmed by Virtual Analyzer.
    Note
    If both ATSE and Virtual Analyzer are enabled, IMSVA adds Risk rating to show the risk level that Virtual Analyzer assigned to the entire message.
  7. Perform any of the following additional actions:
    • To change the number of items that appear in the list at a time, select a new display value from the drop-down box at the top of the table.
    • To sort the table, click the column title.
    • To print the query results, click Print current page.
    • To save the query result to a comma-separated value file, click Export to CSV.
    Note
    The Sender, Recipient(s), Rule, Subject, Violating Attachment(s), and Message ID text boxes in step 4 accept wildcard patterns: "*" matches any string of characters and ";" separates alternatives (OR). For example:
    • "*A*;*B*" matches a string that contains A or contains B.
    • "A*;*B" matches a string that starts with A or ends with B.
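The following is an added, offline example and not part of the IMSVA documentation or product. It implements the query-box matching rules from the note above (";" as OR, "*" as a wildcard, blank box matches everything), runs them over a handful of constructed policy events carrying the step-4 fields, and then counts the matches per rule and action in the way the step-5 table presents them. The event records, the field names, and the assumption that "*" is the only wildcard and that there is no escape character are mine, not taken from the page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample policy events (invented for this example, not real IMSVA data).
# Field names follow the step-4 query boxes plus the timestamp/action shown in step 5.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"timestamp": "2024-01-15 09:12:03", "sender": "alice@example.com",
     "recipient": "bob@corp.example", "rule": "Block executable attachments",
     "subject": "Invoice attached", "attachment": "invoice.exe",
     "action": "Quarantine", "message_id": "<m1@example.com>"},
    {"timestamp": "2024-01-15 09:20:41", "sender": "news@mailer.example",
     "recipient": "bob@corp.example", "rule": "Spam detection",
     "subject": "URGENT: account update", "attachment": "",
     "action": "Delete", "message_id": "<m2@mailer.example>"},
    {"timestamp": "2024-01-15 10:02:17", "sender": "carol@example.com",
     "recipient": "dave@corp.example", "rule": "Block executable attachments",
     "subject": "Report", "attachment": "report.js",
     "action": "Quarantine", "message_id": "<m3@example.com>"},
    {"timestamp": "2024-01-15 11:45:09", "sender": "erin@partner.example",
     "recipient": "bob@corp.example", "rule": "Size limit",
     "subject": "Photos", "attachment": "photos.zip",
     "action": "Deliver", "message_id": "<m4@partner.example>"},
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a query-box pattern into a compiled regular expression.

    ';' separates alternatives (OR), '*' matches any run of characters, and
    every other character is literal. A blank pattern matches everything, as a
    blank text box does on the query screen. Assumption (not from the page):
    '*' is the only wildcard and there is no escape character.
    """
    alternatives = []
    for alt in pattern.split(";"):
        alt = alt.strip()
        if not alt:
            continue  # empty alternative, e.g. a trailing ';'
        alternatives.append("".join(".*" if ch == "*" else re.escape(ch) for ch in alt))
    if not alternatives:
        return re.compile(r".*", re.S)
    return re.compile("(?:" + "|".join(alternatives) + ")", re.I | re.S)


def query_events(events: List[Dict[str, str]], **criteria: str) -> List[Dict[str, str]]:
    """Return the events whose fields match every given pattern (whole-value match)."""
    compiled = {field: pattern_to_regex(p) for field, p in criteria.items()}
    return [ev for ev in events
            if all(rx.fullmatch(ev.get(field, "")) for field, rx in compiled.items())]


def summarize(events: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count events per (rule, action) pair, a quick triage view of the query result."""
    counts: Dict[Tuple[str, str], int] = {}
    for ev in events:
        key = (ev["rule"], ev["action"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # "*.exe;*.js" reads as: attachment ends with .exe OR ends with .js
    hits = query_events(SAMPLE_EVENTS, attachment="*.exe;*.js")
    for ev in hits:
        print(ev["timestamp"], ev["action"], ev["rule"], ev["message_id"])
    print(summarize(hits))
```

Patterns are matched against the whole field value, so "example.com" on its own matches nothing while "*@example.com" matches the two senders in that domain; this mirrors the note's examples, where "*A*" rather than "A" is needed for a contains-match.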