'URL_filtering' Quarantine issue

kostasthedelegate · ‎01-15-2021

Hello

Is there a way to know a mail that goes to quarantine for which URL it goes for?

Are there any logs indicating the exact reason for a quarantined email?

Regards,

Konstantinos

marc.luescherFRE · ‎01-15-2021

That might need a few small changes on your side to be even more helpfull.

The starting point is to use message tracking and check for the URL category filter. This will allow to search if a category filter was the reason. Then you can open the message and check for the URL details to tell you exactly what was happening and which URL triggered the event.

If this not granular enough you can look at the raw data in mail_logs to find out more.

I hope that helps.

-Marc

-

kostasthedelegate · ‎01-19-2021

Hello,

Thanks for the answer @marc.luescherFRE

When you say to check the URL, you mean through ESA or externally?

I will try to test that and see how it goes

Thank you

marc.luescherFRE · ‎01-19-2021

I would first start by checking the URL verdict as reported by the ESA/SMA in message tracking.

Then you might want to get a second opinion on virustotal should you not agree.

kostasthedelegate · ‎01-22-2021

Hello again!!

I checked the URL of the body and they are fine.

There is also an attachment, but I cannot in the message tracking if it has a malicious URL.

Nevertheless the message is quarantined due to URL category.

I have a filter in Content filter for this job in the policy

I would like to ask if the URL logging in oubreak filters will allow the URL details when the URL is found in another section and not in outbreak filters.

Regards,

Konstantinos