The Email Incidents > Incidents Log page in Email Security lists all incidents that have been automatically flagged and remediated by the system or manually resolved by admins in the last 365 days.
Note: If Email Security is running on Silent Mode, this page only displays flagged threats without taking any action or remediation. This means your end-users are receiving suspicious emails in their mailboxes, and your organization is not protected. For more information, see Change protection mode of Email Security in Nebula.
This page is used to track historical threats, confirm remediation actions, reclassify threats if desired, or export logs for reporting or compliance. Unlike the Needs attention page, admins do not need to regularly check this page for actions
Incidents log table
The following columns are available on the Incidents log table:
- Incident ID: An ID number associated with the Incident. Click the Incident ID for more details.
- Subject: Email subject.
- Sender: Sender email address.
- Category: Displays whether an email is marked as phishing, spam, or safe. Click filters at the top of the table to quickly filter by the category.
- Recipient Email: User who received the email.
- Recipient Name: User's name.
- Created At: Time the incident was added to the Incidents log page.
- Associated emails: Number of email addresses tied to the same attack or campaign.
- Associated links: Number of links found in the email.
Click Add / Remove Columns to choose which columns to display.
Incident details
Clicking on an Incident ID brings up a slideout with additional details on the email incident:
- Categorization: Current categorization of the email.
- Confidence Score: How confident the AI engine feels in the categorization.
- Resolved by: Nebula Admin who resolved the incident.
- Reporter: System or end-user who reported the first email in this incident.
- Reported on: Time the first email was reported.
- Email Body: Message body contents of the email.
- Headers: Hidden metadata attached to every email.
- Links: URLs present in the email.
- Attachments: Email attachments.
- Sender Relationship Assessment: Diagram verifying where the email originated from.
- Sender Fingerprints: Technical indicators like the sending domain, mail server, and return path analysis.
- Categorization confidence: Visual dial indicating how confident the community was in the categorization.
- Associated Emails: Other email addresses targeted in the same attack or campaign.
Actions
If you need to reclassify an incident, check the checkbox next to the Incident ID and click Actions. Then choose from one of the following:
- Recategorize as Phishing: The emails in this incident remain quarantined and are logged as Phishing. The system learns from this categorization to improve for next time.
- Recategorize as Spam: The emails in this incident remain quarantined and are logged as Spam. The system learns from this categorization to improve for next time.
- Recategorize as Safe: When in Active protection mode, this marks the incident as safe and releases the associated emails back to the end-users mailbox.
Additionally, you can export data from this page with the Export CSV option.
Return to Email Security guide.