Requesting an investigation

About requesting an investigation

An admin user can request that the FortiMail Workspace Security IR Team investigate the results of a scan. When you request an investigation of a scan, you can indicate that you think the verdict of the scan should be malicious, spam, or clean.

There are generally two scenarios for requesting an investigation:

  • You can request an investigation of a scan that has been assigned a malicious or spam verdict, but that you think may be clean. The FortiMail Workspace Security IR Team will review the scan, and release the item from quarantine if it is indeed clean. When possible, an email will be moved to the end-user's Inbox.

  • You can request an investigation of a scan that has been assigned a clean verdict, but that you think may in fact be malicious or spam. The FortiMail Workspace Security IR Team will review the scan and, if it is indeed malicious or spam, adjust the scan verdict accordingly. The IR Team may also tune the FortiMail Workspace Security detection engines so that similar emails are not assigned a clean verdict in the future.

    If the verdict is changed to malicious or spam, the email may be removed from the end-user's Inbox and quarantined, depending on your organization's quarantine policy.

You can request an investigation for any scan - irrespective of its channel or verdict - except for the cases listed under Troubleshooting below. You can request an investigation of a scan only when you display the details of the scan in the Scans-details page - not in the summary or preview views.

When you request an investigation, the FortiMail Workspace Security IR Team will respond to your request by email. The email will be sent to the email address that is associated with the admin who made the request. You can also click Scan History in the Scans-details page to monitor the investigation process.

Important: When you want a particular scan to be investigated by FortiMail Workspace Security Support, the "Request Investigation" method described on this page is the recommended method. It ensures that the maximum amount of information about the scan is made available to FortiMail Workspace Security Support, so that they can perform the most effective investigation.

  • For details on how to request assistance with an issue in FortiMail Workspace Security - not related to a specific scan - see Troubleshooting.

Any FortiMail Workspace Security admin user with the "Administrator" role can request an investigation.

How to request an IR investigation of a specific scan

To request an IR investigation of a specific scan:

  1. In FortiMail Workspace Security, in the left navigation menu, select Security Operations > Scans.

  2. Locate the scan, and then open the scan in the Scans-details page.

  3. Click Request Investigation - or, in the new Compact Scans page, click Ask IR.

  4. Select the item to investigate (the email, file, or URL), or select the verdict that you think the scan should have:

    1. Clean:

      [The check boxes below appear only for emails that currently have a spam verdict]

      1. Allowlist against spam: Adds the sender's email address to the Sender Email Address allowlist.

      2. Release similar emails: Changes the verdict of all similar emails that were received during the week before the scan - to Clean.

    2. Spam:

      [The check boxes below appear only for emails that currently have a clean verdict]

      1. Blocklist sender's address: Adds the sender's email address to the Sender Email Address blocklist.

      2. Change all similar emails to spam: Changes the verdict of all similar emails that were received during the week before the scan - to Spam.

      Note: If the request is made more than 7 days after the scan was performed, it may not be possible to change the verdicts of some of the similar emails, because they may no longer exist.

    3. Malicious:

  5. Add a comment [required].

  6. Click Send Request.

Feedback on an investigation request

After you request an investigation of a scan, the FortiMail Workspace Security IR Team will investigate the scan. There are two ways that you can see the status of the investigation request:

  • The FortiMail Workspace Security IR Team will send their findings to your organization - by email. The email will be sent to the email address of the admin who made the request.

  • You can click Scan History in the Scans-details page [of the relevant scan] to monitor progress of the scan investigation process.

Cc'ing investigation requests and responses

As described above, by default, responses to investigation requests are sent to the email address of the admin who made the request. It is possible to configure FortiMail Workspace Security so that every investigation request and every resulting response is also sent to an additional [Cc] email address. This Cc address can be an admin user's email address, or a dedicated address that is used for managing investigation requests. Adding a Cc address makes it easier to track all investigation requests made in your organization in one place. The required configuration can be performed by FortiMail Workspace Security Support only. For assistance, contact FortiMail Workspace Security Support [support@perception-point.io].

You can include the text template below in your email:

Subject: Cc'ing investigation requests and responses

Hi Perception Point Support Team,

Organization name: <Your organization name> as it appears in FortiMail Workspace Security

We would like every investigation request and every resulting response to be sent to an additional [CC] email address.

CC email address: <CC address>

Please can you perform the required configuration.

[Internal Reference: 1165]

Please let us know when this has been done.

Thank you

Troubleshooting - unable to request an investigation

If you are unable to request an investigation [the Request Investigation button doesn't appear], check the list below for possible reasons.

  • Emails quarantined by Microsoft: You can't request an investigation for an email that was quarantined by Microsoft. [See Quarantined by Microsoft]

  • Simulation emails: You can't request an investigation of an email that has been assigned a simulation tag. [See Email phishing simulation campaigns]