This article describes a way to obtain basic logging and reporting of all emails that pass through the Email Security .cloud Service (ESS) when large volumes of mail are involved.
The scope of the solution is as follows:
The solution consists of configuring a Data Protection policy that logs all inbound or outbound emails (or both) from the moment it is activated. Data logged by this policy is fully indexed and held on the service infrastructure for up to 40 days. You can therefore use the Email Track and Trace tool, with the Service filter set to Data Protection, to quickly and consistently find and list the emails that triggered the policy, up to approximately 1000 results. Beyond that number, use the Reports feature of the portal to obtain reports on the emails that passed through the service, with up to 500,000 lines of results per report.
Note: This article predates the ETDR product offering, which includes Data Feeds. If you have ETDR, and through it access to Data Feeds, you can get all of this information, including email delivery data, directly into your SIEM. Access to Data Feeds makes this policy unnecessary.
Email Security.cloud
Steps to configure the policy:
OPTIONAL: By default, the Data Protection service logs the following information for the emails it triggers on: Date, Envelope Sender Address, Envelope Recipient Address (only one of the recipient addresses, if there are several) and Subject. If you need more detailed information (HELO, IP, Message-ID, Reply-to and Body-From) to be logged and stored from the headers of the emails the policy triggers on, proceed with the next step of the guide. Otherwise, save and activate the policy as it is and move on to the Report configuration section.
The five regular expressions below capture, in order, the HELO/EHLO string and the connecting IP address from the Received header added by the service, then the From (Body-From), Reply-to and Message-ID headers. In each expression the first capturing group is the value that gets logged.
1) HELO/EHLO string:
(?:1)?\(((?:HE|EH)LO(?!=)\n?(?:.*?))\)[\s]{1,2}?\((?:\d{1,3}\.){3}\d{1,3}\).*?\n?.+?messagelabs\.com
2) Connecting IP address:
(?:2)?\(((?:\d{1,3}\.){3}\d{1,3})\).*?\n?.+?messagelabs\.com
3) From header (Body-From), up to four folded lines:
(?:3)?^(From:(?:.*?\n){1,4}?)(?=^[\w-]+?:)
4) Reply-to header, up to two folded lines:
(?:4)?^(Reply-to:(?:.*?\n){1,2}?)(?=^[\w-]+?:)
5) Message-ID header, up to three folded lines:
(?:5)?^(Message-ID:(?:.*?\n){1,3}?)(?=^[\w-]+?:)
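To see what each of the five expressions actually captures before committing them to the portal, the following added example (it is not part of the original article and not code from the service) runs them over a constructed header block with Python's re module in MULTILINE mode. The regex engine the Data Protection service uses is not documented on this page, so treating it as equivalent to Python's is an assumption; the hostnames, addresses and Message-IDs are constructed sample data.

```python
import re

# The five expressions exactly as listed in the article, labelled by the
# header each one is meant to capture. Group 1 is the value that gets logged.
REGEXES = {
    "HELO": r"(?:1)?\(((?:HE|EH)LO(?!=)\n?(?:.*?))\)[\s]{1,2}?\((?:\d{1,3}\.){3}\d{1,3}\).*?\n?.+?messagelabs\.com",
    "IP": r"(?:2)?\(((?:\d{1,3}\.){3}\d{1,3})\).*?\n?.+?messagelabs\.com",
    "From": r"(?:3)?^(From:(?:.*?\n){1,4}?)(?=^[\w-]+?:)",
    "Reply-to": r"(?:4)?^(Reply-to:(?:.*?\n){1,2}?)(?=^[\w-]+?:)",
    "Message-ID": r"(?:5)?^(Message-ID:(?:.*?\n){1,3}?)(?=^[\w-]+?:)",
}

# Constructed header block (assumption: the service's Received line looks like
# this; the HELO string, IP and hostnames are sample data, not real traffic).
# The Reply-to header is folded over two lines on purpose.
HEADERS = (
    "Received: from mail.example.net (HELO mail.example.net) (203.0.113.10)\n"
    "  by server-1.bemta.messagelabs.com with SMTP; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "From: Alice Example <alice@example.net>\n"
    "Reply-to: Alice Example\n"
    "  <replies@example.net>\n"
    "Message-ID: <20240101100000.ABC123@mail.example.net>\n"
    "Subject: Test message\n"
)

# Constructed block where Message-ID is the last header before the body:
# the trailing lookahead (?=^[\w-]+?:) then has no header line to match.
HEADERS_LAST = (
    "From: Bob Example <bob@example.net>\n"
    "Message-ID: <20240101110000.DEF456@mail.example.net>\n"
    "\n"
    "Hello\n"
)


def extract(headers: str, flags: int = re.MULTILINE) -> dict:
    """Run every expression over a raw header block.

    Returns {label: captured value} with the value stripped of surrounding
    whitespace, or None where the expression did not match. MULTILINE is
    needed so that ^ anchors at the start of each header line, not only at
    the start of the string.
    """
    result = {}
    for label, pattern in REGEXES.items():
        match = re.compile(pattern, flags).search(headers)
        result[label] = match.group(1).strip() if match else None
    return result


if __name__ == "__main__":
    for label, value in extract(HEADERS).items():
        print(f"{label:11}: {value!r}")
    print("Last-header case, Message-ID:", extract(HEADERS_LAST)["Message-ID"])
```

Two things this shows that the list alone does not: the folded Reply-to header is captured across both of its lines because the lazy `{1,2}?` keeps extending until the lookahead sees a following `Name:` line, and a header that is the last one before the blank line (Message-ID in the second block) is not captured at all, because that same lookahead never finds another header. If the portal's engine does not honour `^` per line the way MULTILINE does, expressions 3 to 5 will only ever match at the very start of the header block, so test them in the portal against a real message before relying on the report.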
NOTE: Consider the position of this policy in the Data Protection policy list. The policy only logs the emails that reach it, that is, after they have been processed by every policy above it, some of which may be configured to Stop evaluation of lower priority policies. To log every email, place it above any policy that stops evaluation.
OPTIONAL: If you added the extra Content Regular Expression List condition to the Data Protection policy, there are certain steps you need to take to ensure that the report also contains that data. NOTE: If the customer account is provisioned under a partner, or you are a partner creating these policies and reports on behalf of a client, the partner account will not work to create this report. You need to use a local user of the customer account with the correctly configured role.
Steps to configure the report: