Cortex Advanced Email Security threat detection and issues

Cortex XDR 5.x Documentation

Product: Cortex XDR
License: XDR + Cloud
Creation date: 2025-07-13
Last date published: 2026-06-11
Category: Administrator Guide
Abstract

The Cortex Advanced Email Security module uses artifact-based, metadata-driven, and LLM-powered engines to generate detections and insights.

The Cortex Advanced Email Security module supports a wide range of detection types, designed to identify malicious, suspicious, or policy-violating emails. These detections are generated by the artifact-based, metadata-driven, and LLM-powered engines described in the Architecture and Data Flow section.

All analytics-based detections are documented in the external Analytics Issue Reference, including the following:

  • Issue name

  • Trigger conditions

  • Associated MITRE TTPs (where applicable)

  • Recommended response actions

In addition to the analytics issues listed in the reference, the module supports the following extended categories:

  • WF Analysis issues: Generated based on WildFire verdicts (malicious/suspicious) for file attachments, where integration is enabled.

  • AURL issues: Based on Advanced URL analysis verdicts (for example, detected phishing kit, dynamic redirects, credential harvesting behavior).

  • IOC-Based issues: Triggered when an email contains known malicious indicators (SHA256, domain, URL, or sender) that match internal or external blocklists.

  • User-Reported Phishing issues: Generated when users forward emails to a designated phishing report address. These issues can be generated independently or correlated with other detection logic if matches are found.

Each issue type may be subject to additional correlation and aggregation into case entities based on shared characteristics such as sender, artifact, or theme.

Each issue contains a structured set of metadata fields that provide forensic and contextual insight for downstream investigation. Below is a breakdown of key issue fields available via the console, APIs, or case export.

| Attribute                | Field Name                                  | Description                              |
|--------------------------|---------------------------------------------|------------------------------------------|
| Issue Name               | issue_name                                  | High-level issue classification          |
| Issue Description        | issue_description                           | Human-readable description of the threat |
| Message ID               | internet_message_id                         | Unique ID of the email message           |
| Conversation ID          | conversation_id                             | Thread/conversation identifier           |
| Email Created Date       | created_date                                | Timestamp when the message was sent      |
| Subject                  | subject                                     | Subject line of the email                |
| Email Recipient(s)       | recipients.name, recipients.email           | All TO recipients of the email           |
| CC Recipient(s)          | cc_recipients.name, cc_recipients.email     | All CC recipients                        |
| BCC Recipient(s)         | bcc_recipients.name, bcc_recipients.email   | All BCC recipients                       |
| From Address             | from.address                                | Displayed From: email address            |
| From Display Name        | from.name                                   | Display name shown in From field         |
| Sender Address           | sender.address                              | Actual sender address (SMTP-level)       |
| Sender Name              | sender.name                                 | Display name of sender (SMTP envelope)   |
| Return-Path              | return_path_data.address                    | Return path address (SMTP envelope)      |
| Attachment SHA256        | attachments.hash_str                        | Hashes of attached files                 |
| Attachment Name          | attachments.name                            | Filenames of attached files              |
| URLs                     | url_verdicts.url_name                       | URLs extracted from the message body     |
| Internet Message Headers | internet_message_headers                    | Full set of original headers             |

Note: Depending on data collection mode and platform capabilities, not all fields may be populated for every message. API and export documentation provides further clarification on optional vs required fields.

The issue correlation layer is responsible for linking related issues into cohesive cases. Correlation is performed using the following logic:

  • Sender-based correlation: Issues from the same sender with similar delivery patterns across multiple recipients.

  • Artifact-based correlation: Issues with shared attachment hashes, URLs, or domains.

  • User-based correlation: Issues involving the same recipient or identity in a short time window.

Correlated issues are grouped into a single case object with unified investigation timelines and shared contextual insights (for example, conversation metadata, risky user involvement, cumulative score).
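As an added illustration of the three correlation rules above (not the product's correlation engine), the script below links a constructed set of issues by shared sender, shared artifact (attachment hash or URL), and shared recipient within a time window, then merges the linked issues into case objects carrying a time-ordered issue list and the shared context that joined them. The 60-minute window, the simplified issue shape, and the sample data are assumptions; the guide only says "short time window" and does not model the "similar delivery patterns" qualifier, which is reduced here to a same-sender match.

```python
"""Group email security issues into cases by sender, artifact and recipient.

Added example, not product code. The issue records and the 60-minute
user-correlation window are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta, timezone
from itertools import combinations

USER_WINDOW = timedelta(minutes=60)  # assumed value for the guide's "short time window"

# Constructed issues: a simplified shape holding only the fields correlation needs.
ISSUES: list[dict] = [
    {"id": "i1", "created_date": "2025-07-13T09:41:00Z", "sender": "bounce@mail.example.net",
     "recipients": ["dana.lee@corp.example"], "artifacts": {"https://login.example.net/auth/verify"}},
    {"id": "i2", "created_date": "2025-07-13T09:43:00Z", "sender": "bounce@mail.example.net",
     "recipients": ["omar.k@corp.example"], "artifacts": {"https://login.example.net/auth/verify"}},
    {"id": "i3", "created_date": "2025-07-13T10:02:00Z", "sender": "newsletter@other.example",
     "recipients": ["omar.k@corp.example"], "artifacts": {"b" * 64}},  # same user as i2, 19 min later
    {"id": "i4", "created_date": "2025-07-13T15:30:00Z", "sender": "billing@vendor.example",
     "recipients": ["dana.lee@corp.example"], "artifacts": {"c" * 64}},  # same user as i1, but hours later
    {"id": "i5", "created_date": "2025-07-13T15:35:00Z", "sender": "billing@vendor.example",
     "recipients": ["pat@corp.example"], "artifacts": set()},  # same sender as i4
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample created_date field."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class DisjointSet:
    """Union-find over issue ids: two issues end up in one case iff they are linked by any rule."""

    def __init__(self, ids) -> None:
        self.parent = {i: i for i in ids}

    def find(self, x: str) -> str:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        self.parent[self.find(a)] = self.find(b)


def correlate(issues: list[dict], window: timedelta = USER_WINDOW) -> list[dict]:
    """Apply the sender, artifact and user rules and return one case dict per linked group."""
    by_sender: dict[str, list[dict]] = defaultdict(list)
    by_artifact: dict[str, list[dict]] = defaultdict(list)
    by_user: dict[str, list[dict]] = defaultdict(list)
    for iss in issues:
        by_sender[iss["sender"].lower()].append(iss)
        for art in iss["artifacts"]:
            by_artifact[art].append(iss)
        for rcpt in iss["recipients"]:
            by_user[rcpt.lower()].append(iss)

    links: list[tuple[str, str, str]] = []
    for key, group in by_sender.items():  # sender-based correlation
        for a, b in combinations(group, 2):
            links.append((a["id"], b["id"], f"sender:{key}"))
    for key, group in by_artifact.items():  # artifact-based correlation
        for a, b in combinations(group, 2):
            links.append((a["id"], b["id"], f"artifact:{key}"))
    for key, group in by_user.items():  # user-based correlation, time-bounded
        for a, b in combinations(group, 2):
            if abs(parse_ts(a["created_date"]) - parse_ts(b["created_date"])) <= window:
                links.append((a["id"], b["id"], f"user:{key}"))

    ds = DisjointSet(i["id"] for i in issues)
    for a, b, _ in links:
        ds.union(a, b)

    members: dict[str, list[dict]] = defaultdict(list)
    for iss in issues:
        members[ds.find(iss["id"])].append(iss)

    cases = []
    for group in members.values():
        group.sort(key=lambda i: parse_ts(i["created_date"]))  # unified timeline
        ids = {i["id"] for i in group}
        cases.append({
            "issues": [i["id"] for i in group],
            "senders": sorted({i["sender"] for i in group}),
            "recipients": sorted({r for i in group for r in i["recipients"]}),
            "links": sorted({why for a, b, why in links if a in ids and b in ids}),
        })
    cases.sort(key=lambda c: c["issues"][0])
    return cases


if __name__ == "__main__":
    for n, case in enumerate(correlate(ISSUES), 1):
        print(f"case {n}: {case['issues']} linked by {case['links']}")
```

Note that a single shared recipient does not pull i4 into the first case: the user rule is bounded by the window, so i1 and i4 stay apart while i2 and i3 (19 minutes apart) are joined. Linking is transitive through the union-find, which is what lets an artifact match and a user match chain i1, i2 and i3 into one case even though i1 and i3 share nothing directly.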