The Email Incidents > Needs attention page in Email Security displays a list of incidents an admin must manually review and categorize.
Incidents added to this list:
-
User requested release: When an end-user clicks the Ask to release option in the Quarantine Digest email they receive.
- Admins should review the email incident and determine if it is safe to release back to the end-user by categorizing it as safe. If the email is phishing or scam, categorize it accordingly.
-
Categorization needed: When an end-user reports an email, either by forwarding it to the Phishing Mailbox or clicking the Report Phishing button. It can also happen when the system can't automatically classify an email because its confidence score is too low.
- Admins should review the email and categorize it as phishing, spam or safe. If safe, the email is returned to the employee's mailbox.
The goal is to regularly check this page and categorize incidents as they come in. Set up notifications to learn about these incidents and review them in a timely manner. For more information, see Set up Email Security notifications in OneView.
As admins and end-users categorize, report, and request the release of emails, the adaptive AI learns from these behaviors to improve the detection engine. This minimizes the work needed by admins and users over time.
If the protection mode is set to Silent, there should be nothing on this page.
Needs attention table
The following columns are available on the Needs attention table:
- Incident ID: An ID number associated with the Incident. Click the Incident ID for more details.
- Status: Displays if the email requires recategorization or review because an end-user requested a release of an email. Click filters at the top of the table to quickly filter by the status.
- Sender: Sender email address.
- Subject: Email subject.
- Recipient Email: User who received the email.
- Recipient Name: User's name.
- Created At: Time the incident was added to the Needs attention page.
- Associated emails: Number of email addresses tied to the same attack or campaign.
- Associated links: Number of links found in the email.
Click Add / Remove Columns to choose which columns to display.
Incident details
Clicking on an Incident ID brings up a slideout with additional details on the email incident:
- Categorization: Current categorization of the email.
- Confidence Score: How confident the AI engine feels in the categorization.
- Resolved by: OneView Admin who resolved the incident.
- Reporter: System or end-user who reported the first email in this incident.
- Reported on: Time the first email was reported.
- Email Body: Message body contents of the email.
- Headers: Hidden metadata attached to every email.
- Links: URLs present in the email.
- Attachments: Email attachments in the email.
- Sender Relationship Assessment: Shows how familiar or trusted the sender is based on past communication patterns.
- Sender Fingerprints: Technical indicators like the sending domain, mail server, and return path analysis.
- Categorization confidence: Visual dial indicating how confident the community was in the categorization.
- Associated Emails: Other email addresses targeted in the same attack or campaign. For incidents where multiple inboxes received an associated email, refer to the User Requested Release column in this table to identify which user requested release.
Actions menu
Once you've reviewed the incident details, take action on the incident. Check the checkbox next to the Incident ID and click the Actions. Then choose from one of the following:
- Categorize as Phishing: The incident remains quarantined and is logged as Phishing.
- Categorize as Spam: The incident remains quarantined and is logged as Spam.
- Categorize as Safe: Marks the incident as safe and releases the associated email to the mailbox.
Additionally, you can export data from this page with the Export CSV option.
Return to Email Security guide.