Incidents

About the Incidents page

The Incidents page lets you see a summary of the incidents that were detected by Perception Point X‑Ray in your organization. You can filter the display based on various dimensions, such as time, channel, and scan verdict. By default, the time filter is set to "Last Day".

In the Incidents page, you can also see additional information, such as the most attacked people, the top attacking domains and senders, and the top impersonated brands.

You can hover over or click much of the data that is shown in the Incidents page to drill down and show further details about the associated scans.

Note:

  • The Incidents page doesn't include any outbound scans - it includes only incoming scans.

  • Data retention: Data in the Incidents page is maintained by Perception Point X‑Ray for 180 days.

To show the Incidents page:

In Perception Point X‑Ray, in the left navigation menu, select Insights > Incidents.

Any admin user with the "Self Analysis" role [or higher] can access the Incidents page.

Setting the date range

Use the available controls to set the date range.

Understanding the Incidents page

Protection

Indicates the level of protection that has been provided by Perception Point X‑Ray during the specified period. The protection level is based on the number of incidents detected and the number of false negative [FN] scan verdicts that were assigned, as follows:

where:

  • Incidents detected is the number of malicious and spam verdicts that were assigned during the specified period.

  • FNs is the number of scans that were originally assigned a clean verdict, and whose verdict was thereafter changed to malicious or spam.

Note: 99.95% is the maximum protection level that is displayed - even if there are no FNs.

Incidents and items scanned

Incidents

The total number of incidents that were detected during the selected period.

  • The total includes incidents that were detected in all protected channels.

  • The total includes malicious, restricted, and spam incidents.

  • The total does not include suspicious and simulation scans.

Items scanned

The total number of items that were scanned during the selected period.

  • The total includes all scans of all items in all protected channels, irrespective of the scan verdict.

Incidents per channel

The number of incidents that were detected in each protected channel - during the selected period.

  • The total includes malicious, restricted, and spam incidents.

  • The total shown does not include suspicious and simulation scans.

For details on protected channels, see Bundles and Channels.

Actions

  • You can hover over any channel to see a breakdown of the detected incidents - by verdict.

  • You can click any channel to show the list of scans - in the Scans-summary page.

Attack Level

Attack level

An indication of the number of incidents that were detected by Perception Point X‑Ray, relative to the number of scans that were performed. Both malicious and spam verdicts are included in determining the attack level. The range is from Level 1 to Level 5, where Level 5 is the maximum attack level.

Incidents

A breakdown of the scan verdicts that were assigned.

Note: Only malicious and spam incidents are displayed.

Actions

  • You can hover over any verdict-type to see a breakdown of the detected incidents.

  • You can click any incident-type to show the list of scans in the Scans-summary page.

5 Top attack types over time

Displays the most common attack types that were detected by Perception Point X‑Ray.

Actions

  • You can hover over any date to see a breakdown of the detected incidents - by detection engine - on that date.

Top attacked...

Shows various attack vectors. You can configure the "top-attacked component". Configuration lets you specify the attack options that will appear in the "top-attacked component", and the order in which these selected options will appear. Click the Settings icon to configure the attack vectors that are displayed.

Top attacked people

The people who have received the largest quantity of malicious items. It is recommended that you provide these people with additional cyber-security training.

Top attacking domains/senders

The domains from which most malware was sent.

Top impersonated brands

The brands that were most frequently impersonated.

Top attacked organizations

The organizations that were most frequently attacked.

Top attacked domains

The domains that were most frequently attacked.

Top attacked regions

The regions that were most frequently attacked.

Top attacked countries

The countries that were most frequently attacked.

Highlighted attack types

Various attack types that have been highlighted by the Perception Point IR Team.

Attack types amount

Shows the quantity of various attack types that were detected.