In Email Security, incidents are collections of related emails that could signal a security threat. Managing these emails as a single case helps security teams investigate and respond more efficiently. However, admins can also handle individual emails within an incident if needed.

To take action on a specific email in an incident:
- Go to the Email Security > Incidents Log page.
- Click on the Incident ID.
- Scroll down to the Associated Emails table.
- Select the specific email(s) to manage. The first email in an incident is the original event and can't be recategorized.
- Click Recategorize email(s).
- Select one of the following:
  - Recategorize as Phishing: The selected emails remain quarantined and are logged as Phishing. The system learns from this categorization to improve for next time.
  - Recategorize as Spam: The selected emails remain quarantined and are logged as Spam. The system learns from this categorization to improve for next time.
  - Recategorize as Safe: When in Active protection mode, the selected emails are marked as safe and released back to the end-user's mailbox.

A new incident is created containing the recategorized emails.