Available parameters
You can pull information for a message in search detections using the following parameters:
- From (envelope_from)
- From Name
- To (any) (envelope_to)
- To Name (any)
- Cc (any)
- ReplyTo
- Subject (any)
- Sent DateTime (formatted as YYYY-MM-DDTHH:MM:SS)
- Received DateTime (formatted as YYYY-MM-DDTHH:MM:SS)
- final_disposition
- alert_id
- sha256 (attachments)
- ssdeep (attachments)
- name (attachments)
- md5 (attachments)
- Message-ID
- smtp_helo_server_ip
- smtp_previous_hop_ip
- x_originating_ip
- Reason(s) for Detection
In addition to the message parameters above, you can use these additional detection search strings:
- phish_submission
- phish_submission_response
- user_submission
- team_submission
- auto-retraction
- browser_isolation_rewrite
For disposition-specific submission searches, refer to Service Addresses in the Email Security dashboard.
For Email Security Horizon Enterprise customers, detections search indexes data for 12 months and then rotates on a rolling 12-month period.
For Email Security Horizon Advantage customers, detections search indexes data for three months and then rotates on a rolling 3-month period.
For messages that are not detected, the body of the message itself is not retained. Only metadata such as sender, recipient, subject, message_id, and delivery log is retained. These messages can also be viewed as a preview image.
For detections, full messages are retained, including attachments, in addition to the metadata described above. The raw message including attachments can be downloaded as an .eml file.
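Once a detection's .eml file is downloaded, the values to search on for related messages can be derived from it locally. The following is an added example, not Cloudflare's code: the function name `search_pivots`, the sample message, and the mapping of header values to the search parameters above are assumptions. ssdeep is omitted because it needs a third-party library.

```python
import hashlib
from email import message_from_bytes, policy

# Constructed sample message (not real mail); stands in for a downloaded .eml file.
SAMPLE_EML = (
    b"From: Billing <billing@example.com>\r\n"
    b"Subject: Invoice 1042\r\n"
    b"Date: Tue, 05 Mar 2024 09:15:00 +0000\r\n"
    b"Message-ID: <abc123@example.com>\r\n"
    b"X-Originating-IP: [192.0.2.10]\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"See attached.\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.txt"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"aGVsbG8=\r\n"
    b"--b1--\r\n"
)

def search_pivots(raw: bytes) -> dict:
    """Extract header values and attachment hashes usable as search parameters."""
    msg = message_from_bytes(raw, policy=policy.default)
    sent = msg["Date"].datetime if msg["Date"] else None
    pivots = {
        "Message-ID": str(msg["Message-ID"] or "").strip(),
        "Subject": str(msg["Subject"] or ""),
        # Same layout as the Sent DateTime parameter; time zone is as in the Date header.
        "Sent DateTime": sent.strftime("%Y-%m-%dT%H:%M:%S") if sent else None,
        "x_originating_ip": str(msg["X-Originating-IP"] or "").strip("[] "),
        "attachments": [],
    }
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""  # bytes after transfer decoding
        pivots["attachments"].append({
            "name": part.get_filename(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest(),
        })
    return pivots

if __name__ == "__main__":
    print(search_pivots(SAMPLE_EML))
```
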