Each incident corresponds to a threat remediation event and lists all the associated messages, by recipient. This guide describes how to access and search the incidents queue. From the Incidents tab, you can:
- View full details of remediation occurrences, including the type of actions taken, and the number of removed or restored messages.
- View individual message details in full, in order to investigate a potential threat or the history of a message.
- Manually remove a malicious message from the user's mailbox, or restore the message if it's later deemed safe.
- Export a single or multiple incidents to a file.
See the Threat Remediation: Removing / Restoring Messages page for further detail on actioning messages.
Incident records are kept for up to one year.
- Log on to the Administration Console.
- Click on the Administration menu item. A drop-down menu is displayed.
- Click on the Services | Threat Remediation menu item. The Threat Remediation home page is displayed.
- Click on the Incidents tab. Alternatively, click on the View all Incidents link on the bottom right corner.
- Incidents are displayed in a queue by date order, with the following information displayed:
- Incident ID: The unique ID code assigned to the incident. View the "Incident IDs" section of the Targeted Threat Protection: Remediation Overview page for more information.
- Type: Indicates the type of incident, dependent on the settings selected in the Settings page:
  - Manual: The administrator was notified of a potential threat, and an action was manually performed.
  - Automatic: The identified messages were automatically removed, with the administrator notified.
  - Restore: The messages were identified as a potential threat and removed, but subsequently confirmed as safe and restored to the user's mailbox.
  - Notify Only: The administrator is notified of identified messages, but no action has yet been taken.
- Date Created: The date and time the incident first occurred.
- Last Updated: The date and time the incident was last updated.
- File Hash / Message ID: The unique file hash assigned to the message that is used to identify potential threats.
- Reason: The reason behind the incident (e.g. "Restoring a message").
- Identified Messages: The number of identified / actioned messages in the incident.
- Removed Messages: The number of messages identified as a threat and successfully removed from the user's mailbox.
- Failed Messages: The number of messages identified as a threat that couldn't be removed from the user's mailbox. This could be due to a variety of factors (e.g. connection issues, or the message had already been deleted by the user).
- Restored Messages: The number of identified messages confirmed as safe and restored to the user's mailbox.
- Click on the down arrow next to All and select one of the following options:
- Incident ID: Search by the known incident ID, as displayed in the Incidents or Logs tabs.
- Attachment File Hash: Search for the incident by the unique file hash assigned to identify the incident. This can be copied from the email notification sent to the administrator.
- Reason: Search for the incident by the known assigned reason (e.g. "Removing a restore", "Removing messages by ID").
- Enter any known message / data identifiers in the Search field.
- Click on the magnifying glass icon or press the Enter key. Your search results display.
- Click on the Export Data button from either:
- The Incidents queue to download the full list.
- The page of an individual incident to download message data for the particular incident.
- The Export Logs Data panel slides into view. Select the boxes of any data columns you want to include in the export.
- Click on the Download button. The CSV file downloads to your machine's desktop.
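The exported CSV can be triaged outside the console. The following is an added example (not Mimecast's own code) that parses an export whose headers are assumed to match the queue columns above, flags incidents with failed removals, and lists Notify Only incidents that have waited more than a set number of hours without action; the sample rows are constructed, and the timestamp format is an assumption.

```python
"""Triage a Threat Remediation incidents CSV export (added example)."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column names are assumed to match the
# Incidents queue columns described on this page.
SAMPLE_EXPORT = """\
Incident ID,Type,Date Created,Last Updated,File Hash / Message ID,Reason,Identified Messages,Removed Messages,Failed Messages,Restored Messages
INC-0001,Automatic,2024-05-01 08:00:00,2024-05-01 08:01:00,hash-aaaa,Removing messages by hash,12,10,2,0
INC-0002,Notify Only,2024-05-01 09:30:00,2024-05-01 09:30:00,hash-bbbb,Removing messages by ID,3,0,0,0
INC-0003,Restore,2024-04-30 17:15:00,2024-05-01 07:45:00,hash-cccc,Restoring a message,1,0,0,1
INC-0004,Notify Only,2024-05-02 11:00:00,2024-05-02 11:00:00,hash-dddd,Removing messages by ID,5,0,0,0
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format in the export
COUNT_COLS = ("Identified Messages", "Removed Messages",
              "Failed Messages", "Restored Messages")


def load_incidents(csv_text):
    """Parse the export into dicts, converting message counts to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col in COUNT_COLS:
            row[col] = int(row[col])
        rows.append(row)
    return rows


def failed_removals(incidents):
    """Incident IDs where at least one message could not be removed;
    these need a follow-up check or a manual remove from the incident page."""
    return [r["Incident ID"] for r in incidents if r["Failed Messages"] > 0]


def stale_notify_only(incidents, now_str, max_age_hours=24):
    """Notify Only incidents older than max_age_hours with nothing removed
    yet, i.e. identified messages still in mailboxes awaiting a decision."""
    now = datetime.strptime(now_str, TIME_FMT)
    stale = []
    for r in incidents:
        created = datetime.strptime(r["Date Created"], TIME_FMT)
        if (r["Type"] == "Notify Only" and r["Removed Messages"] == 0
                and now - created > timedelta(hours=max_age_hours)):
            stale.append(r["Incident ID"])
    return stale
```

Run `failed_removals(load_incidents(SAMPLE_EXPORT))` against a real export by reading the downloaded file into `csv_text` instead of the constructed sample.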
- Date Range: Select a time period from the drop down menu. Optionally click on Custom Range to display a date / time picker.
- Filters: All incident types display by default. Select one of the following:
- Notify Only: Displays incidents where the administrator is notified but no action has been taken.
- Automatic: Displays incidents that have been automatically removed, with the administrator notified.
- Manual: Displays incidents that the administrator has manually performed an action on.
- Restore: Displays incidents confirmed as safe and restored to the user's mailbox.
- Show: By default, 50 incidents display in the queue per page. Select between 50 and 300 incidents per page.
- Custom Settings: Click on the Settings icon in the top right corner to display a pop out panel. Select the boxes of any columns you want to view and click the Apply button. Your custom selections display.