Modules - Mail Explorer
Introduction
Mail Explorer allows you to view and search for emails Avanan viewed and processed on the protected email platforms.
It allows administrators to search for emails without using complex queries. To search for specific emails using advanced fields and operators, click Advanced (Custom Queries). The system redirects to the Custom Queries page.
Searching for Emails in Mail Explorer
From the Mail Explorer, you can filter and view emails based on specific search criteria.
To filter emails:
- Under the Date Received field, select Last or Range and choose the relevant period.
- Enable the relevant checkboxes and enter the search criteria for the query.
- Click Search.
Note - Whenever you perform a search operation in Mail Explorer, a log gets generated under System Logs.
Available Search Fields
- Date received
- Detection (Microsoft or Avanan)
- Quarantine State (Microsoft, Google, Avanan or administrators)
- Direction (incoming, outgoing or internal)
- Subject
- Sender Email
- Sender Domain
- Sender Name
- Recipients
- Server IP address
- Client sender IP address
- Attachments MD5
- Links in email body
- Message ID
Contains vs Match
For search fields that need a string as input, administrators can select Match or Contains conditions.
- Match condition - Shows only the emails that exactly match the string.
- Contains condition - Shows the emails that contain the string.
For example, if an email has Check out the invoice for this month as subject and you have searched for Check out this with Match condition, the system does not show the email.
Searching for Emails with Email Subject
When filtering the emails with the subject field, the system shows the search results with this logic:
- If you use the Match condition, the system shows the emails with subjects that exactly match the search input string.
- If you use the Contains condition, the system shows all the emails whose subject contains the words (full words, not parts of them) in the search input string, regardless of their order.
This is how the system performs the search operation:
- Splits the search string into words, where the delimiter is every character that is not a letter or a number (a-z, A-Z, 0-9).
  For example, the search string Check:this out now! is split into the words Check, this, out, now.
- Splits the subject itself into words in the same way as the search string.
  For example, for the search subject Check:this out now!, the system also returns Now! Check this: out as a result.
- To search for words in a specific order in an email subject, use quotation marks ("").
  - Special characters will be presented in the results if they are used in the input search string.
  - If you enter special characters in the search, the system returns the email subjects with those special characters.
  For example, if the search string is "Check this out now!", the system will not return the Check:this out now! and Now check this out subjects.
- Returns all the emails whose subject contains all of the search string input words, regardless of their order.
  For example, the system also returns the Now check this out subject.
Detailed example:
Subject | Search that will return the email | Search that will NOT return the email |
Lorem: ipsum’s dolor sit amet, consectetur adipiscing elit |
|
|
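The subject search rules above, modelled as an added example (not Avanan's code) and run against the subjects this page uses. Treating a quoted search as a case-insensitive literal substring test and Match as strict string equality are assumptions; the function names are hypothetical.

```python
import re

# Per the page: every character that is not a-z, A-Z or 0-9 is a delimiter.
_WORD = re.compile(r"[A-Za-z0-9]+")

def words(text):
    """Split text into lower-cased words (the page's examples match Now with now)."""
    return [w.lower() for w in _WORD.findall(text)]

def subject_search(subject, query, condition="contains"):
    """Return True if this model would list an email with the given subject."""
    if condition == "match":
        # Match: the subject must equal the search string (assumed strict equality).
        return subject == query
    q = query.strip()
    if len(q) >= 2 and q[0] == '"' and q[-1] == '"':
        # Quoted search: word order and special characters count.
        # Assumption: modelled as a case-insensitive literal substring test.
        return q[1:-1].lower() in subject.lower()
    # Unquoted Contains: every search word must be a full word of the subject,
    # in any order; a word that is only part of a subject word does not count.
    return set(words(q)) <= set(words(subject))

# Subjects taken from the examples on this page.
SUBJECTS = [
    "Check:this out now!",
    "Now! Check this: out",
    "Now check this out",
    "Check out the invoice for this month",
]

def hits(query, condition="contains"):
    """Subjects from SUBJECTS that the search would return."""
    return [s for s in SUBJECTS if subject_search(s, query, condition)]

if __name__ == "__main__":
    for query, condition in [
        ("Check:this out now!", "contains"),     # any order, punctuation ignored
        ('"Check this out now!"', "contains"),   # quoted: literal text required
        ("Check out this", "match"),             # not an exact subject
        ("voice", "contains"),                   # part of "invoice", not a word
    ]:
        print(f"{condition:8} {query!r:26} -> {hits(query, condition)}")
```

The last query is the one to remember when hunting by subject: a fragment of a word returns nothing under Contains.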
Searching for Emails with Sender Email
While filtering for emails from a specific sender using the Contains condition, Avanan considers the sender's email address as a single string.
Example:
Email Sender | Search that will return the email | Search that will NOT return the email |
john@company.com |
|
|
Searching for Emails with Recipient Address
Recipient address contains a list of all email addresses the email was sent to.
Similar to searching on the subject field, the system splits the input string and the list of email recipients into words, where all non-alphabetical characters are delimiters.
Then, the system searches for emails with the string containing those words (not part of them) in the same order as they appear in the input string.
For example, the recipient john@mycompany.com is split into three consecutive words: john company com
Email Sender | Search that will return the email | Search that will NOT return the email |
(the email was sent to both the addresses) |
|
|
Searching for Emails with Links in the Email Body
When searching for links in the email body, the system supports searching for three letters and above.
The system returns an email in the results if it contains a link in its body where the search string is either:
- A substring or a full copy of the link domain without protocol. For example, domain.com
- An exact copy of the entire link, including the full path (not only the domain) and the protocol. For example, https://domain.com/path.html
Example:
Link in email body | Search that will return the email | Search that will NOT return the email |
https://Link_domain.com/path-additionalwords?highlight:yes |
|
|
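The link rule above, modelled as an added example (not Avanan's code) so that a planned search string can be checked before running it. Case-insensitive comparison and treating a search shorter than three characters as "no match" are assumptions; the function names are hypothetical.

```python
from urllib.parse import urlsplit

MIN_QUERY_LEN = 3  # the page: searching is supported for three letters and above

# The example link from this page.
PAGE_LINK = "https://Link_domain.com/path-additionalwords?highlight:yes"

def link_search(link, query):
    """Return why a body link satisfies the search, or None if it does not."""
    q = query.strip().lower()
    if len(q) < MIN_QUERY_LEN:
        return None  # assumption: too-short searches are modelled as no match
    full = link.strip().lower()
    # Domain without protocol, path or query string.
    domain = urlsplit(full).hostname or ""
    if q in domain:
        return "domain substring"
    if q == full:
        return "exact link"
    # Anything else (path fragment, domain plus path, link without protocol,
    # link with the query string cut off) satisfies neither rule.
    return None

def missed(link, queries):
    """Search strings from `queries` that would NOT return an email with `link`."""
    return [q for q in queries if link_search(link, q) is None]

if __name__ == "__main__":
    candidates = [
        "domain.com",                                       # part of the domain
        PAGE_LINK,                                          # entire link
        "Link_domain.com/path-additionalwords",             # domain plus path
        "https://Link_domain.com/path-additionalwords",     # query string dropped
        "path-additionalwords",                             # path fragment only
    ]
    for q in candidates:
        print(f"{q!r:62} -> {link_search(PAGE_LINK, q)}")
    print("would miss:", missed(PAGE_LINK, candidates))
```

When searching for a URL indicator, use either the bare domain or the complete link as it appears in the email; a trimmed or protocol-less URL with a path matches neither rule.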
Searching for Emails Based on Detection
Administrators can search for emails based on the Microsoft and Avanan detections.
In addition, administrators can control the search condition between the Avanan and Microsoft detections.
Examples:
Search for | Mail Explorer Query |
All detected phishing emails | Avanan detection = Phishing OR Microsoft detection = High-Confidence Phishing |
Microsoft misdetections | Avanan detection = all but clean AND Microsoft detection = clean |
Microsoft phishing misdetections | Avanan detection = Phishing, Malware AND Microsoft detection = all but high-confidence phishing |
Searching for Emails Based on Quarantine State
Administrators can search for emails based on the enforcement decision of Microsoft / Google, Avanan, administrators or Avanan analysts (see Incident Response as a Service (IRaaS)).
In addition, the administrators can control the search condition between Avanan and Microsoft / Google enforcement decisions.
Examples:
Search for | Mail Explorer Query |
All quarantined emails | Avanan detection = Quarantined OR Microsoft / Google = Quarantined |
Google / Microsoft misses | Avanan = Quarantined AND Microsoft / Google = Not quarantined |
Emails quarantined by administrators | Avanan = Quarantined by admin AND Microsoft / Google = select all |
Malicious emails that would have been delivered to Junk by Microsoft / Google | Avanan = Quarantined AND Microsoft / Google = Delivered to Junk |
Mail Explorer AI Assistant
The Mail Explorer AI Assistant allows you to filter emails using prompts in your preferred language, similar to interacting with an AI chatbot such as ChatGPT. With the AI Assistant, you can filter based on many fields, more than those visible in Mail Explorer UI or even in Custom Queries.
Note - The AI Assistant is hosted in the Check Point cloud restricted to the data region of your Avanan Portal. No information or prompts are shared outside Check Point.
To access Mail Explorer AI Assistant:
- Access the Avanan Portal.
- Go to Mail Explorer.
- Click AI Assistant.
- Enter your prompt and click the search icon.
Acting on Filtered Results
Restore quarantined emails
To restore the quarantined emails:
- Open Mail Explorer from the left navigation panel.
- Under Filters, define the criteria for filtering the emails and click Search.
- To restore emails from the search criteria, select the emails and click Restore selected emails under Actions.
Quarantine delivered emails
To quarantine the delivered emails:
- Open Mail Explorer from the left navigation panel.
- Under Filters, define the criteria for filtering the emails and click Search.
- To quarantine emails from the search criteria, select the emails and click Quarantine selected emails under Actions.
Creating Allow-List and Block-List Rule
Administrators can use the filters in Mail Explorer to create an Anti-Phishing Allow-List or Block-List.
The Anti-Phishing engine automatically marks all the emails matching these filters as clean for Allow-List or as Phishing for Block-List.
Notes:
- The search criteria defined under the Date Received and Quarantine State fields do not apply to any rule.
- Emails are scanned for malware and DLP even if they are in Anti-Phishing Allow-List.
To create a Block-List rule that blocks emails that match the defined criteria, select the filters and click Create Block-List Rule.
Export Results to CSV
To export the search results to CSV:
- Open Mail Explorer from the left navigation panel.
- Under Filters, define the criteria for filtering the emails and click Search.
- Select the emails to export.
  - To export all the emails from the search results, under Actions, click Export to CSV.
  - To export specific emails from the search results, select the emails and under Actions, click Export to CSV.
Notes:
- Only the selected emails will be exported.
- You can export only up to 20000 emails at a time.
Getting the Exported CSV File
- If the export contains fewer than 500 emails, the CSV file gets downloaded immediately.
- If the export contains more than 500 emails, the CSV file gets generated in the background. After the export is complete, the administrator that requested the export receives the CSV file through an email.
Notes:
- You can see the export status under System Settings > System Tasks.
- The export action gets logged under System Settings > System Logs.