Scans

About Scans

The Scans page lets you see information about the scans that were performed by Perception Point X‑Ray.

  • If you select a parent organization, then the Scans page will show all scans that were performed in all child organizations.

  • If you select a child organization, then the Scans page will show the scans that were performed in the selected child organization only.

In addition, you can set various filters to include only specific scans in the displayed list.

To show the Scans page:

  • In Perception Point X‑Ray, in the left navigation menu, select Security Operations > Scans.

Any admin user with the "Member" role [or higher] can access the Scans page.

Views of the Scans page

The Scans page can show three levels of detail for each scan:

Summary

By default, the Scans page shows a list of scans, and a summary of each scan. Use the available controls to filter the list of scans shown, as described in Setting the scan filter below.

Scans-summary page

Preview or Expanded

You can click any scan in the summary list to expand the results to show additional details about the scan. This view lets you perform a quick incident review.

Scans-preview page

Detailed

You can click the Open Scan button, on the right of any set of scan results, to see comprehensive details about the scan. The detailed view is useful when you are investigating an incident: it enables you to perform a detailed forensic review of the scan. For details on the structure of the Scans-details page, see Scan details structure.

Scans-details page

Setting the scan filter

There are various ways that you can search and filter the scans that appear in the Scans-summary page. For details, see Filtering scans.

Understanding the scan controls [Summary page]

Select one or more scans to display the available controls.

Download scans

Downloads metadata about the selected scan or the selected scans to your computer - in CSV format. You must select one or more scans before you can download them.

Note 1:

To download the actual email - and not just metadata about the email - open the scan and click the Download button. For details, see Download below.

Note 2:

The Download scans functionality and the Export scans functionality [see below] are the same except that:

  • Download scans: Downloads the scan information in a file.

  • Export scans: Exports the scan information to a file - which is then sent by email.

Note 3:

In the downloaded CSV files, all dates and times are in UTC format. This can't be changed. Times may therefore differ from the times that appear in the UI of the Scans page in Perception Point X‑Ray.

Note 4:

You can download a maximum of 5,000 scans at a time. If you try to download more than 5,000 scans, you may see a message similar to the following:

Workaround: If you need to download more than 5,000 scans, use the Date Range filter option [and/or any other filter options] to reduce the number of scans in the list to fewer than 5,000. For example, if there were 12,000 scans from January 2024 until March 2024, use the Date Range [Custom] filter option to first show the scans for January, then February, and then March - making sure to download fewer than 5,000 scans for each month.

See also: Advanced filters

Export scans

Exports metadata about the selected scan or the selected scans - in CSV format. You must select one or more scans before you can export them. The exported data will be contained in a file that is sent as an attachment to an email that is sent to your email address.

Note 1

The Export scans functionality and the Download scans functionality [see above] are the same except that:

  • Download scans: Downloads the scan information in a file.

  • Export scans: Exports the scan information to a file - which is then sent by email.

Note 2

In the exported CSV files, all dates and times are in UTC format. This can't be changed. Times may therefore differ from the times that appear in the UI of the Scans page.

Note 3

You can export a maximum of 5,000 scans at a time. If you try to export more than 5,000 scans, you may see a message similar to the following:

Workaround: If you need to export more than 5,000 scans, use the Date Range filter option [and/or any other filter options] to reduce the number of scans in the list to fewer than 5,000. For example, if there were 12,000 scans from January 2024 until March 2024, use the Date Range [Custom] filter option to first show the scans for January, then February, and then March - making sure to export fewer than 5,000 scans for each month.

See also: Advanced filters

Change verdict

Lets you change the verdict of the selected scan or of the selected scans.

  • For details on what happens to an email after the verdict is changed, see Changing Verdicts.

Resend Email

Resends the selected email or the selected emails.

Resending emails is typically performed on emails with failed deliveries.

  • The Resend Email option is available only if the Action that is associated with the scan is not Quarantined.

  • The Resend Email option is available for only 24 hours after a scan is performed. After 24 hours, an email can't be resent.

  • The Resend Email option is available for email scans only - not for scans of any other channels.

Release email

Releases the selected email or emails from quarantine.

The verdict of the email is not changed - if the verdict is Malicious, then the verdict will remain as Malicious.

Note: If you want to release the email AND change the verdict, use the Change Verdict functionality described above.

The Release email button is enabled only if all selected scans are for emails that are quarantined.

Hint: Use the Action > Quarantined advanced filter to ensure that only quarantined emails are displayed. For details, see Advanced filters.

Note:

  • The Release email bulk action is limited to 1,000 items at one time.

  • An admin role of "Email Flow Manager" or higher is required in order to have permission to release emails from quarantine.

    An "Email Flow Manager" will be able to see only those scans that are currently quarantined.

Delete Email

Deletes the selected email or the selected emails from the recipient's mailbox - without changing the scan verdict.

Details about the scans are not deleted from Perception Point X‑Ray. [You can't delete a scan from Perception Point X‑Ray.]

Note:

  • The email will be deleted from the recipient's mailbox even if the recipient has moved the email from the Inbox to a different folder in the mailbox.

  • If the recipient has already deleted the email, then the email will remain in the Deleted Items folder or the Trash folder.

  • The Action in the scan will be changed to Quarantined.

  • The Delete Email functionality is available only for Microsoft 365 [Inline and API] and Google Workspace integrations - not for Exchange and "Other" integrations.

  • The Delete Email functionality is available only if the Perception Point X‑Ray remediation app is enabled.

Filter by

Lets you customize the display filter.

Open scan

Opens the Scans-details page to show comprehensive details of the scan.

Understanding the scan controls [Details page]

When you open a scan to display details of the scan, the following controls are available:

Change verdict

Lets you change the verdict of the scan.

  • For details on what happens to an email after the verdict is changed, see Changing Verdicts.

Preview

Shows a preview of the email.

  • Previews are available for emails with malicious, spam, and restricted verdicts - not clean verdicts.

  • Previews are available for 180 days.

  • By default, previews are not available for emails with clean verdicts. However, after an admin requests an investigation of a clean email, a preview of the email will be available - for 48 hours after the scan was performed. After 48 hours, Perception Point X‑Ray will attempt to retrieve the eml file from the user's Inbox. If the email has already been deleted from the user's Inbox, then the retrieval will fail - and no preview will be available. For details about requesting an investigation, see Requesting an investigation.

    Note: There is initially no email preview available for clean emails because, without any indication of malicious activity, protecting users' privacy is prioritized - requiring the removal of the ability to view the contents or details of an email.

While you preview an email, you can click Download to download an eml file of the email.

Note: The downloaded file will have no extension - for security reasons [as the email may be malicious]. To open the file, add an eml extension to the filename.

Screenshots

Shows screenshots of the malicious URLs that are included in the email.

Scan History

Opens the Scan History pane that shows the history of all the changes that have been made to the scan verdict.

Delete Email

Deletes the email from the recipient's mailbox - without changing the scan verdict.

Details about the scan are not deleted from Perception Point X‑Ray. [You can't delete a scan from Perception Point X‑Ray.]

Note:

  • The email will be deleted from the recipient's mailbox even if the recipient has moved the email from the Inbox to a different folder in the mailbox.

  • If the recipient has already deleted the email, then the email will remain in the Deleted Items folder or the Trash folder.

  • The Action in the scan will be changed to Quarantined.

  • The Delete Email functionality is available only for Microsoft 365 [Inline and API] and Google Workspace integrations - not for Exchange and "Other" integrations.

  • The Delete Email functionality is available only if the Perception Point X‑Ray remediation app is enabled.

Similar scans

Lists similar scans.

Download

Downloads the email or file to your Downloads folder. This may be useful if you want to do further analysis of the email or file. The email or file will be downloaded with a .danger extension appended to it. You can remove the .danger extension - to be left with a .eml file [for emails] that you'll be able to open.

Note:

  • Make sure to open malicious emails in a safe environment, such as a virtual machine.

  • You can't download emails or files that have a clean verdict.

  • The downloaded file will include all attachments to the email.
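Before opening a downloaded email in a mail client, it can be summarised statically inside the analysis VM. The following Python is an added example, not Perception Point code: it parses the raw bytes of the downloaded file (no rename needed), hashes attachments in memory, and lists defanged URLs. The sample message and every name in it are constructed placeholders.

```python
import hashlib
import re
from email import policy
from email.parser import BytesParser

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message (not a real email); all names are placeholders.
SAMPLE = (
    b"From: Billing <billing@example.test>\r\n"
    b"Subject: Invoice overdue\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
    b"Pay here: http://pay.example.test/login\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.html"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"PGh0bWw+PC9odG1sPg==\r\n"
    b"--b1--\r\n"
)


def triage_eml(raw: bytes) -> dict:
    """Statically summarise a message: nothing is rendered, executed or fetched."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    attachments, urls = [], set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename():
            # Hash attachments in memory instead of writing them to disk.
            attachments.append({
                "filename": part.get_filename(),
                "size": len(payload),
                "sha256": hashlib.sha256(payload).hexdigest(),
            })
        elif part.get_content_maintype() == "text":
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            urls.update(URL_RE.findall(text))
    # Defang URLs so they cannot be clicked when pasted into a ticket.
    defanged = sorted(("hxxp" + u[4:]).replace(".", "[.]") for u in urls)
    return {"from": str(msg.get("From", "")), "subject": str(msg.get("Subject", "")),
            "attachments": attachments, "urls": defanged}


if __name__ == "__main__":
    print(triage_eml(SAMPLE))
```

For a real download, pass the result of reading the file in binary mode to `triage_eml`; the attachment hashes can then be looked up without extracting the attachments.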

Resend Email

Resends the email.

Resending emails is typically performed on emails with failed deliveries.

  • The Resend Email option is available only if the Action that is associated with the scan is not Quarantined.

  • The Resend Email option is available for only 24 hours after a scan is performed. After 24 hours, an email can't be resent.

  • The Resend Email option is available for email scans only - not for scans of any other channels.

Add to Allowlist

Allows you to add the sender's email address to an allowlist.

For details, see Allowlists.

Add to Block list

Allows you to add the sender's email address to a block list.

For details, see Blocklists.

Highlighted

Lets you add the Highlighted tag to the scan. You can add the Highlighted tag to scans with malicious verdicts only. This enables you to filter [show] only those scans that have been highlighted. The Highlighted filter control appears at the top of the Scans page - under Importance.

You can add the Highlighted tag to a scan only when you display the details of the scan in the Scans-details page.

In the Scans-summary view, the Highlighted icon [light-bulb] appears on the left of the scan entry.

There are three ways that a Highlighted tag can be added:

  • Admin users can add the Highlighted tag to any malicious scan. This is typically done to be able to easily find scans that the admin users want to discuss with additional parties.

  • The Perception Point IR Team can manually add the Highlighted tag to any malicious scan that they want to discuss with additional parties.

  • The Perception Point IR Team can add "decisions" to a scan, and some decisions automatically add the Highlighted tag to the scan.

Request Investigation

Sends a request to the Perception Point IR Team to investigate the scan. For details, see Requesting an investigation.

Release email

Releases the email from quarantine.

The verdict of the email is not changed - if the verdict is Malicious, then the verdict will remain as Malicious.

Note: If you want to release the email AND change the verdict, use the Change Verdict functionality described above.

The Release email button is enabled only if all selected scans are for emails that are quarantined.

Hint: Use the Action > Quarantined advanced filter to ensure that only quarantined emails are displayed. For details, see Advanced filters.

Note:

  • The Release email bulk action is limited to 1,000 items at one time.

  • An admin role of "Email Flow Manager" or higher is required in order to have permission to release emails from quarantine.

    An "Email Flow Manager" will be able to see only those scans that are currently quarantined.

GPThreat Hunter Summary

When you analyze a malicious scan in the Scans page, you can generate an "easy-to-read" AI-based summary of the significant factors that contributed to the scan verdict. Locate "GPThreat Hunter Summary" in the Scans page, and then click Generate Summary. GPThreat Hunter will almost-instantaneously generate an easy-to-read summary of the scan verdict.

Note: This functionality is available only for email scans that have a malicious verdict.

Performing bulk actions

In the Scans-summary page, it is possible to perform some of the available actions simultaneously on multiple scans. These actions are called bulk actions. The controls for the bulk functions are all grouped together - and appear when at least one scan is selected. The bulk actions that can be performed are shown below:

 

Controls and their limitations:

  1. Download scans

    • Limited to a maximum of 5,000 items at one time.

  2. Export scans

    • Limited to a maximum of 5,000 items at one time.

  3. Change verdicts

  4. Resend emails

    • Limited to a maximum of 1,000 items at one time.

    • Available for only 24 hours after a scan is performed.

  5. Release emails

    • Limited to a maximum of 1,000 items at one time.

    • Available only if all selected scans are for emails that are quarantined.

  6. Rescan

    This option may not be available.

  7. Delete emails

 

Note: Some bulk-action options may not be available if any of the selected scans are for emails that are:

  • quarantined

  • delivered

For details on the bulk actions, see Understanding the scan controls [Summary page] above.

To perform a bulk action:

  1. Open the Scans-summary page.

  2. Filter the scans that are shown. The Advanced Filter may be helpful. For details, see Advanced filters.

  3. Select the required scans.

  4. Click the appropriate bulk-action button to perform the required action.

Getting the URL of the scan

When you are performing troubleshooting actions with Perception Point Support, they may ask you to send the scan URL.

To get the scan URL:

  1. In Perception Point X‑Ray, open the Security Operations > Scans page.

  2. Locate the scan for which the scan URL is required.

  3. Click the Open Scan button on the right of the scan results - to show details of the scan.

    The URL that appears in the browser is the scan URL.

Exporting the scan list

You can export [or download] the list of scans that are displayed in the Scans page. The exported list will be in a .csv file, and will include metadata about the emails.

Note: In the downloaded CSV files, all dates and times are in UTC format. This can't be changed. Times may therefore differ from the times that appear in the UI of the Scans page in Perception Point X‑Ray.

To export the scans list:

  1. In Perception Point X‑Ray, open the Security Operations > Scans page.

  2. Use the available filter controls to display a list of the required scans. For filtering details, see Filtering scans.

  3. Select the Select all scans check box in the top-left of the scans list.

  4. Click either the Export button or the Download "bulk action" button. For details, see Performing bulk actions above.