Advanced Threat Search Tutorial & FAQs
In this article you will learn how to use Advanced Threat Search to find a reported threat, investigate the breadth of impact, and remove it from your domain.
Advanced Threat Search Overview
FAQs
Permissions & Configuration
Q: I'm on Google Workspace and I'm getting an error when I try to access the Advanced Threat Search feature. What am I doing wrong?
For schools on the Google Workspace platform, you will need to enable permissions in order to access and use the Advanced Threat Search feature. For more details, see here: https://knowledgebase.cybernut.com/cybernut-knowledge-base/advanced-threat-search-google
Q: How long does it take for permissions to sync before Advanced Threat Search deletion is available?
Permission syncs generally complete quickly (under 15 minutes), but can take up to 24 hours. If you are unable to use Advanced Threat Search immediately after setup, we suggest waiting up to 24 hours before using the feature.
Q: When an admin removes an email across domains, does that include subdomains?
No — removal uses exact domain matching. Subdomains are not included when deleting by domain.
Search
Q: What are the mandatory search fields that need to be provided?
The only mandatory search field is the timeframe. Presets of 1, 3, 7, 14 or 30 days search from today back that many days, or you can specify a custom date range that falls within the last 30 calendar days.
Q: How do I search by recipient email?
This field requires a full and complete email address. Wildcards and other partial-match syntax are not supported at the moment.
Q: How do I search by Subject?
The subject field is matched against the keywords you provide; matching is case insensitive across all searched emails.
Q: How do I search by MessageID?
MessageID is a unique identifier that is best used to identify all the recipients of one email. So if one user reported a threat, you can take the MessageID from that reported threat, identify all the other recipients of the same email, and remediate that email across multiple inboxes.
Q: How do I search by Sender email?
Currently this feature is only available for schools on the Microsoft platform. The sender email also requires the full and complete email address to be provided.
Q: How are search results returned? Why do I only see one result even though the email was sent to more than one person?
Search results are grouped by MessageID, so an email sent to more than one recipient appears in the results as a single entry. This makes it easy for an IT admin to delete that one email across multiple inboxes.
Q: What happens if I use more than one search field? I'm not getting any results, but I'm expecting to get some results back.
Using more than one field narrows the search, because every criterion must be met for an email to appear in the results.
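As an added illustration of the search semantics described in the questions above (a mandatory timeframe limited to the last 30 days, exact recipient and sender matching, case-insensitive subject keywords, AND logic across fields, results grouped by MessageID) and of the exact-domain matching used for cross-domain removal, here is a small Python model. It is constructed for this article and is not Cybernut's code; the sample deliveries, addresses and Message-IDs are made up, and the `Delivery`, `search` and `recipients_in_domain` names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

PRESET_DAYS = (1, 3, 7, 14, 30)   # timeframe presets named in the FAQ
MAX_LOOKBACK_DAYS = 30            # custom ranges must fall within this window


@dataclass(frozen=True)
class Delivery:
    """One copy of a message as delivered to one recipient mailbox (assumed shape)."""
    message_id: str
    sender: str
    recipient: str
    subject: str
    received: date


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def search(deliveries, *, today, days=None, start=None, end=None,
           recipient=None, subject=None, message_id=None, sender=None):
    """Filter deliveries with AND semantics and group the hits by Message-ID.

    Returns {message_id: sorted list of recipient addresses}.
    """
    # The timeframe is the only mandatory criterion: a preset or a custom range.
    if days is not None:
        if days not in PRESET_DAYS:
            raise ValueError(f"preset must be one of {PRESET_DAYS}")
        start, end = today - timedelta(days=days), today
    elif start is None or end is None:
        raise ValueError("a timeframe (preset days or start/end) is required")
    if start > end or end > today or start < today - timedelta(days=MAX_LOOKBACK_DAYS):
        raise ValueError("custom range must lie within the last 30 calendar days")

    # Subject search: every keyword must appear, case-insensitively.
    keywords = subject.lower().split() if subject else []
    grouped = {}
    for d in deliveries:
        if not (start <= d.received <= end):
            continue
        # Recipient and sender require the full address; no wildcards.
        if recipient and d.recipient.lower() != recipient.lower():
            continue
        if sender and d.sender.lower() != sender.lower():
            continue
        if message_id and d.message_id != message_id:
            continue
        if keywords and not all(k in d.subject.lower() for k in keywords):
            continue
        # One result per Message-ID, however many inboxes received it.
        grouped.setdefault(d.message_id, []).append(d.recipient)
    return {mid: sorted(rs) for mid, rs in grouped.items()}


def recipients_in_domain(recipients, domain):
    """Exact-domain selection for a cross-domain removal: subdomains are excluded."""
    return [r for r in recipients if _domain(r) == domain.lower()]


# Constructed sample data: one lure delivered to three inboxes (one on a
# subdomain), an unrelated newsletter, and an older copy outside the window.
TODAY = date(2024, 5, 20)
SAMPLE = [
    Delivery("<abc123@mail.example>", "payroll@example.net", "alice@school.example",
             "Urgent: Payroll Update", TODAY - timedelta(days=2)),
    Delivery("<abc123@mail.example>", "payroll@example.net", "bob@school.example",
             "Urgent: Payroll Update", TODAY - timedelta(days=2)),
    Delivery("<abc123@mail.example>", "payroll@example.net", "carol@sub.school.example",
             "Urgent: Payroll Update", TODAY - timedelta(days=2)),
    Delivery("<def456@mail.example>", "news@example.org", "alice@school.example",
             "Newsletter: payroll tips", TODAY - timedelta(days=10)),
    Delivery("<ghi789@mail.example>", "payroll@example.net", "bob@school.example",
             "Payroll update", TODAY - timedelta(days=40)),
]

if __name__ == "__main__":
    # Start from one reported message and find every other inbox that got it.
    hits = search(SAMPLE, today=TODAY, days=7, subject="payroll update")
    for mid, rcpts in hits.items():
        print(mid, "->", rcpts)
        print("  exact-domain removal for school.example:",
              recipients_in_domain(rcpts, "school.example"))
```

Running the script shows a single result for the lure even though three inboxes received it, and the exact-domain selection leaves the `sub.school.example` recipient untouched, mirroring the subdomain behaviour noted under Permissions & Configuration.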
Deletion & Remediation
Q: Can you delete a single specific email via Advanced Threat Search, or does it delete everything from a domain?
You can target and delete a specific email (soft delete) rather than bulk-deleting everything from a domain.
Q: If I bulk delete via Advanced Threat Search, will I receive a confirmation with the exact count of emails deleted?
No — bulk delete currently follows the same flow as actions taken from the Reported Threats or ATT screens, which does not include a deletion count notification.
Q: Will users be notified when an email is deleted via Advanced Threat Search?
Only if they previously reported the email. If a user reported it, they will receive a feedback email and threat acorns. If they did not report it, they will not be notified.
Q: If an email is deleted via Advanced Threat Search and a user also reported the same email, will they still receive a feedback email and threat acorns?
Yes — the reporter will still receive a feedback email and threat acorns, as the behavior mirrors deletion from the Reported Threats dashboard.