Email monitoring
Once you have chosen a domain to scan, Email Security allows you to monitor the traffic scanned from your email inboxes.
To monitor your inbox:
- Log in to Zero Trust ↗.
- Select Email Security.
- Under Email Security, select Monitoring.
The dashboard will display the following metrics:
- Email activity
- Disposition evaluation
- Detection details
- Impersonations
- Phish submissions
- Auto-move events
- Detection settings metrics
Email activity aggregates statistics about emails scanned and dispositions assigned (the number of email flagged due to a detection) within a given timeframe.
To view the live number of email scanned and dispositions scanned, enable Live mode.
Email traffic that flows through Email Security is given a final disposition, which represents Email Security's evaluation of that specific message.
Disposition evaluation displays the following dispositions:
- Malicious: Traffic invoked multiple phishing verdict triggers, met thresholds for bad behavior, and is associated with active campaigns.
- Spoof: Traffic associated with phishing campaigns that is either non-compliant with your email authentication policies (SPF ↗, DKIM ↗, DMARC ↗) or has mismatching
Envelope From
andHeader From
values. - Suspicious: Traffic associated with phishing campaigns (and is under further analysis by our automated systems).
- Spam: Traffic associated with non-malicious, commercial campaigns.
- Bulk: Traffic associated with Graymail ↗, that fall in between the definitions of spam and suspicious. For example, a marketing email that intentionally obscures its unsubscribe link.
Detection details displays information about:
- Malicious disposition:
- Email threat types: Top malicious threat types, and their number relative to the total amount of malicious threats received.
- Targeted users: Top number of emails targeted, and their number relative to the total amount of malicious targets.
- Malicious links: A graph displaying the total number of malicious links and their distribution throughout the month.
- Malicious attachments: Number of malicious attachments, and the top types of malicious files received.
- Suspicious disposition:
- Suspicious threat types: Top suspicious threat types, and their number relative to the total amount of threats received.
- Suspicious targets: Top number of emails targeted, and their number relative to the total amount of malicious targets.
- Suspicious links: A graph displaying the total number of suspicious links and their distribution throughout the month.
- Spoof disposition:
- Spoof users (impersonated names): Top number of impersonated names, and their number relative to the total number of detection received.
- Spoof targets: Top number of targeted emails.
- Sender v. envelope mismatch: This field indicates the number of mismatches between the email address the message was sent from, and the email address the message was actually sent from.
Impersonations are a form of phishing attack where the actor pretends to be someone else to steal sensitive information.
Impersonations displays the number of targeted users, and a chart describing the total number of impersonation attempts.
- To view all targeted users, select View all targeted users.
- To view all impersonation emails, select View all impersonation emails.
- To view impersonated users, select View impersonated users.
Refer to Trusted domains to add a trusted domain, and Impersonation registry to add a user to the impersonation registry.
Phishing is a type of attack that involves stealing sensitive information with the aim of using and selling the information.
A phish submission happens when a user or an administrator reports a phishing attack. Refer to Phish submissions to learn how to submit a phish.
Phish submissions displays the following information:
- All submissions: The total number of phish submissions.
- User submissions: The number of phish submissions reported by your users.
- Admin submissions: The number of phish submissions reported by an administrator.
Select Review submissions to review a filtered list of phish submissions reported by your team.
Auto-move events are emails moved to different inboxes based on the disposition Email Security assigned.
This panel shows you the total number of auto-moves and the source folder from which these retractions are originating from.
Refer to Auto-moves to configure auto-move events.
Detection settings metric displays information about:
- Allowed traffic: Traffic that Email Security will exempt emails that match certain patterns from normal detection scanning. Allowed traffic shows metrics on emails that were allowed to go through user inboxes.
- Blocked traffic: Traffic that Email Security automatically blocks from senders. Blocked traffic shows metrics on emails that were blocked from user inboxes.
- Domain age: The number of days since domain registration.
Select Configure to configure policy and rules for allowed traffic, blocked traffic and domain age.