Investigation Classifications
Investigations in Phishing Response are classified by both type of threat and by severity.
The threat classifications are:
Threat Classification | Description |
---|---|
Malicious | This option is selected automatically by Phishing Response when it finds one or more indicators of maliciousness in any of the messages in the investigation, or when the investigation was created from a continuous detection and response campaign (see Phishing Response Settings). You can also select this option manually when messages in the investigation contain attachment or URL payloads that you believe can threaten your systems. |
Spam | This option is selected automatically by Phishing Response when the Agari Trust Score is less than 3.0. You can also select this option manually when you determine that the messages in the investigation are unsolicited commercial email containing no threats. |
![]() | Select this option when you are unsure about the message. |
Benign | The Benign classification is selected automatically for any message that does not match the criteria for Malicious, Spam or Simulation. You can also manually select this option when you are confident that there are no issues with the message. Typically, if you are confident in selecting this option, you can also close the investigation so it no longer appears in the active list. See Close an Investigation. |
Simulation | This option is selected automatically only when one of the investigation's phish reports is associated with an IP from a known simulation sender. You can also select this option manually when you know the investigation is a result of your internal action, such as testing. |
The severity classifications are:
Severity Classification | Description |
---|---|
Critical | This option is selected automatically by Phishing Response when it determines that the threat classification of an investigation is Malicious and 20 or more similar messages are found to be part of the investigation. You can also select this option manually when you determine this investigation requires immediate attention and remediation. |
High | This option is selected automatically by Phishing Response when it determines that one of the following is true: You can also select this option manually when you determine this investigation requires attention and remediation. |
Medium | This option is selected automatically by Phishing Response when it determines that one of the following is true: You can also select this option manually if you do not see significant indicators of maliciousness and want to investigate further. |
Low | Select this option if you believe there are no threats in this investigation. This will usually mean that the investigation is a candidate to close. See Close an Investigation. |
Initial threat and severity classifications are determined automatically by Phishing Response when it creates a new investigation. You can change them at any time for open investigations to help you organize and prioritize your work in Phishing Response.
For Threat Classification, Phishing Response will assign Malicious, Spam, or Simulation automatically when an investigation is created if the investigation is determined to meet the criteria for that classification. Otherwise, the Threat Classification will be unset:
