Skip to main content
Skip table of contents

Email Detection Event

Vendor Documentation


Rule Name

Rule Type


Common Event

Email Detection EventBase RuleActivityGeneral Threat Message
Email Detection Event : Email Quarantined

Sub Rule

Failed Activity Quarantined Message
Email Detection Event : Email DeletedSub RuleFailed Activity Threat Deleted
Email Detection Event : Email File SanitizedSub RuleFailed Activity Threat Deleted

Mapping with LogRhythm Schema

Device Key in Log Message

LogRhythm Schema

Data Type

Schema Description

Header (logVer)N/AN/ACEF format version
Header (vendor)N/AN/AAppliance vendor
Header (pname)N/AN/AAppliance product
Header (pver)N/AN/AAppliance version
Header (eventid)N/AN/ASignature ID
Header (eventName)<vendorinfo>Text/StringDescription
Header (severity)<severity>NumberSeverity
Text/StringThe action in the event
• quarantined
• passed
• stripped
• analyzed
• stamped
• subjectsTagged
• deleted
• delivered directly
• cleaned up
• file sanitized
cn1N/AN/AThreat type
cn1labelN/AN/AThreat type label
cn2<size>NumberEmail Size
cn2LabelN/AN/AEmail Size label
cs1<threatname>Text/StringNames of threats in the
cs1LabelN/AN/ANames of threats in the email label
cs2N/AN/AInternal email ID
cs2LabelN/AN/AInternal email ID label
cs3N/AN/AEmail ID
cs3LabelN/AN/AEmail ID label
cs4N/AN/ASender email address
cs4LabelN/AN/ASender email address label
cs5N/AN/ARecipient email address
cs5LabelN/AN/ARecipient email address label
deviceExternalIdN/AN/AAppliance GUID
duser<recipient>Text/StringEmail recipients
dvcN/AN/AAppliance IP address
dvchostN/AN/AAppliance host name
dvcmacN/AN/AAppliance MAC Address
msg<subject>Text/StringEmail subject
rtN/AN/ALog generation time
Format: Unix timestamp (number of milliseconds since Jan 01 1970 UTC)
src<sip>IPSource IP address
suser<sender>Text/StringEmail sender
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.