I am trying to locate an email which was blocked by Symantec Email Security.Cloud Anti Spam service using the message ID in my Splunk appliance, and only see an entry with a sourcetype:atp and a null incident, usually indicating the email was delivered, while the Anti Spam action was applied.

Email Security.Cloud App for Splunk, correlated with the Email Security.Cloud offer.

This is by design.

The ATP feed will return a result for any message, with a Malware incident if it triggered and Anti Malware detection, and with a null incident in other cases.

The Anti Spam feed is currently graving data from our service logs, which do not contain the message ID. Therefore looking up the email through message ID will not return an Anti Spam source type entry.

If the email is search through the sender, recipient and subject line (available in the Anti Spam feed), Splunk will return 2 entries, the Anti Spam with the verdict and action, and an ATP entry with the email's metadata.

This behavior will be corrected when Anti Spam verdicts will be integrated to the NDF feed, and Anti Spam verdicts will be searchable based on the message ID.