Investigate the issues generated by the Cortex Advanced Email Security module.
Notice
Requires the Cortex Advanced Email Security module.
The Cortex Advanced Email Security module monitors all incoming, outgoing, and draft emails and generates issues for suspicious emails. If a user sends a large number of emails, or if the same email is sent multiple times to users in the organization, the resulting issues are stitched together under one multi-event issue in the Email Security Issues table.
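The following Python script is an added illustration, not Cortex code: it approximates the two stitching conditions the paragraph above names (one sender emitting many emails, or the same email delivered to several users) over a handful of constructed email events, and derives the indicators (attachments, URLs, sender IP, subject) that every stitched email shares, which is the information the Issue Overview shows for multi-event issues. The thresholds, the field names, the definition of "the same email" as a hash of sender, subject, links and attachments, and the sample events are all assumptions for the example.

```python
"""Illustrative stitching of email events into multi-event issues.

Added example, not part of Cortex. Thresholds, field names and the
content fingerprint are assumptions; the product's real logic is not
documented on this page.
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class EmailEvent:
    event_id: str
    sender: str
    sender_ip: str
    recipient: str
    subject: str
    urls: frozenset
    attachment_hashes: frozenset

    def content_key(self) -> str:
        """Assumed definition of 'the same email': identical sender,
        subject, links and attachments."""
        parts = [self.sender, self.subject,
                 *sorted(self.urls), *sorted(self.attachment_hashes)]
        return hashlib.sha256("\x00".join(parts).encode()).hexdigest()


# Assumed thresholds for the example.
SAME_EMAIL_MIN_RECIPIENTS = 2   # same email seen by at least this many users
HIGH_VOLUME_MIN_EMAILS = 3      # one sender, at least this many emails


def shared_indicators(group):
    """Indicators present in every email of the group (counterpart of the
    shared mail indicators panel in the Issue Overview)."""
    def common(attr):
        sets = [getattr(e, attr) for e in group]
        return sets[0].intersection(*sets[1:])
    ips = {e.sender_ip for e in group}
    subjects = {e.subject for e in group}
    return {
        "attachments": common("attachment_hashes"),
        "urls": common("urls"),
        "ip_addresses": ips if len(ips) == 1 else set(),
        "subjects": subjects if len(subjects) == 1 else set(),
    }


def make_issue(reason, group):
    return {
        "reason": reason,
        "event_ids": [e.event_id for e in group],
        "recipients": sorted({e.recipient for e in group}),
        "shared_indicators": shared_indicators(group),
    }


def stitch(events):
    """Group email events into issues: same email to many users first,
    then high-volume senders, then whatever is left as single events."""
    issues, consumed = [], set()

    by_content = defaultdict(list)
    for e in events:
        by_content[e.content_key()].append(e)
    for group in by_content.values():
        if len({e.recipient for e in group}) >= SAME_EMAIL_MIN_RECIPIENTS:
            issues.append(make_issue("same_email_multiple_recipients", group))
            consumed.update(e.event_id for e in group)

    by_sender = defaultdict(list)
    for e in events:
        if e.event_id not in consumed:
            by_sender[e.sender].append(e)
    for group in by_sender.values():
        if len(group) >= HIGH_VOLUME_MIN_EMAILS:
            issues.append(make_issue("high_volume_sender", group))
            consumed.update(e.event_id for e in group)

    for e in events:
        if e.event_id not in consumed:
            issues.append(make_issue("single_event", [e]))
    return issues


# Constructed sample events (not real telemetry).
PHISH_URL = frozenset({"http://pay.example.net/x"})
SAMPLE_EVENTS = [
    # one phishing message delivered to three users
    EmailEvent("e1", "billing@example.net", "203.0.113.7", "alice@corp.example",
               "Invoice overdue", PHISH_URL, frozenset({"ab12"})),
    EmailEvent("e2", "billing@example.net", "203.0.113.7", "bob@corp.example",
               "Invoice overdue", PHISH_URL, frozenset({"ab12"})),
    EmailEvent("e3", "billing@example.net", "203.0.113.7", "carol@corp.example",
               "Invoice overdue", PHISH_URL, frozenset({"ab12"})),
    # one sender spraying three different messages
    EmailEvent("e4", "promo@example.org", "198.51.100.9", "alice@corp.example",
               "Offer 1", frozenset({"http://example.org/a"}), frozenset()),
    EmailEvent("e5", "promo@example.org", "198.51.100.9", "bob@corp.example",
               "Offer 2", frozenset({"http://example.org/b"}), frozenset()),
    EmailEvent("e6", "promo@example.org", "198.51.100.9", "dave@corp.example",
               "Offer 3", frozenset({"http://example.org/c"}), frozenset()),
    # a one-off message that stays a single-event issue
    EmailEvent("e7", "hr@example.com", "192.0.2.4", "erin@corp.example",
               "Benefits", frozenset(), frozenset({"cd34"})),
]

if __name__ == "__main__":
    for issue in stitch(SAMPLE_EVENTS):
        print(issue["reason"], issue["event_ids"], issue["shared_indicators"])
```

The same-email rule is applied before the volume rule so that a campaign is reported as one issue with its shared URL and attachment, rather than being absorbed into a generic high-volume-sender issue where those indicators would not be common to all emails.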
To view the Email Security Issues table, which lists every issue with a detected email-related threat, and to investigate those issues, go to Modules → Email Security → Email Security Issues.
In addition to all the actions available to issues in general, there are options that are specific to the Cortex Advanced Email Security module:
Click an email security issue to open the email security card where you can investigate the email issue, view the automated remediation actions taken, take any further manual actions required, and see the remediation suggestions.
From the three-dot menu, you can open the issue in a new tab, pivot to the causality view, or copy the issue URL.
At the top of the card, you can view information about the issue including the severity, detection tags, category, and detection method. In the tabs, you can see more information about the cause of the issue, take any actions required, and see the remediation suggestions.
Displays a description of the issue and provides key information, such as the assignee, status, action taken, and time that the issue was created and updated.
You can also see the following:
MITRE ATT&CK tactics used: Click View All to see the tactics and techniques.
Affected assets
Linked Cases: Number of cases linked to the issue and their severity. Click to see the cases to which the issue is linked.
A comprehensive collection of all investigation actions, artifacts, and collaboration, presented as a chronological journal of the issue investigation. For more information, see Use the War Room in an investigation.
A visual representation of the running playbook that is assigned to the issue. For more information, see Use the Work Plan in an investigation.
The Email Issue causality view is an interactive visualization of how the email security issue was generated. It displays the connected events in the execution chain to provide immediate, actionable insight into the cause and effect of email security issues.
To open the causality view, right-click an email security issue and click Investigate Causality Chain.
The following sections describe the different areas of the causality view:
View the components of the events that generated the issue, including IP address and username of the sender, the alerts that were triggered by the email, and the name of the recipient user or distribution list. Hover over each node to find out more about the components of the causality chain. Click each node to see more details about it in the Issue Overview on the left and in the Events table under the Causality chain.
When you open the causality card for a multi-event issue, you can see all the emails and events that contributed to triggering the issue. Click each node to investigate the different components that make up the issue.
Emails stitched together: Displayed for multi-event issues; groups together all the events that contributed to the attack.
Click each envelope in the view to see the details of each event separately in the Issue Overview and the Events table.
IP address: Hover to view the number of emails seen from this address and the number of users who used it.
Click to view the geolocation and the Blocklist status in the Issue Overview and the details for the events in the Events table.
Sender username: Hover to view the organizations and the user emails that received emails from this user.
Click to view the details of the user in the Issue Overview and the issues from this domain and activities by the user in the Events table.
Sent emails: Displays the findings for the email event. The number of issues triggered by this email is displayed above the envelope. A lightning symbol above the email indicates an automated remediation action was taken for this email.
Click the number to see the issues generated by the event in a carousel in the Issue Overview.
Click the envelope to see the email details in the Events table.
Click the eye icon to view the email.
Attachments: Number of attachments in the email.
Click the number to see each file.
Click on each file to see the affected endpoints.
Click each endpoint to see its details and related issues in the Events table.
Links: Number of links in the email.
Click the number to view each link.
Click each link to see its details in the Issue Overview and the Events table.
Recipients: Number of users who received this email. A lightning symbol above the recipient indicates an automated remediation action was taken for this user.
Click the number to see all the user names.
Click each recipient to see their details in the Issue Overview and their issues and past activities in the Events table.
The overview displays detailed information for each email. Every time you click a node in the Causality chain on the right, the information in this pane is updated.
A summary of the email details including the subject, number of users who have opened the email, attachment count, and the attack tactics. To see the full email message, click the eye icon.
In multi-event issues, this panel displays a summary of the issues, identities, endpoints, and attack types involved in the attack. When you click an event in the causality chain, this panel displays the email details for that event.
For multi-event issues, this panel also displays the mail indicators, such as attachment, URL, IP address, and email subject, that are shared between the emails stitched together in the issue.
Affected Identities: A summary of the users affected by this issue and the risk score.
Click View All to see all the identities in the Events table.
Affected endpoints: A summary of the endpoints affected by this issue and the risk score.
Click View All to see all the endpoints in the Events table.
Remediation: Remediation actions initiated by email remediation rules. Click the number to view the remediation actions in the Remediation tab of the Issue Events table.
Causality issues: Top issues that were generated by the email detection and their risk scores.
Click View All to see all the causality issues in the Events table.
For every issue whose severity is not Informational, click the three-dot menu and select Run Automations.
Issue tags: Tags that represent the detected MITRE ATT&CK tactics.
The Events table displays up to 100,000 related events for the selected node that match the issue criteria. Every time you click a node in the causality chain or in the Issue Overview, the table is updated to display the details of the findings. The events in the table are grouped by attribute in the following tabs:
Emails with detected threats.
Causality Issues generated based on the email threats.
Affected Endpoints
Remediation actions taken for the emails.
The following quick actions are available out of the box in the causality card:
View Raw Log
Soft Delete Email
Undelete Email
Report As Phishing
Send Warning Email
Move Email to Folder
Mark as Safe: Changes the status of all issues related to the email to Resolved.
Mark as Malicious:
Additional quick actions are available after you activate them in the Marketplace:
Block Sender Office 365: Blocks the senders of the emails included in the issue.
Unblock Sender Office 365: Unblocks the senders of the emails included in the issue.
Delete Email - Office 365: Deletes the email.
Send Email to Recipients - Office 365: Sends an email to the recipients with the parameters you select.
To run a quick action from the Marketplace:
Right-click the issue and click Run Automation → Select Automation.
Select or type the relevant details and click OK.
This sends the request to Microsoft Office 365. The result of the request is displayed in the War Room of the issue.
These remediation actions are also available from the designated Actions button, located on the top right of the Email card.