GIM Category: messaging
The Messaging category is for events generated by email and messaging systems. It focuses on activities related to the delivery, handling, and filtering of email messages, such as sending, blocking, rejecting, quarantining, or deleting messages.
These events provide critical visibility into communication flows and security controls. They are especially important for identifying potential phishing attempts, tracking message delivery issues, and investigating the handling of suspicious or malicious emails.
Email sent events represent attempts to deliver an email message from a source system or user to a destination. These events capture the act of transmission, whether successful or failed, and typically include information about the sender, recipient, and delivery system involved.
They provide visibility into normal email usage as well as potential abuse, such as bulk sending or unauthorized outbound messages.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
|
130000 |
messaging |
messaging.email |
email sent |
An attempt was made to send an email |
Email blocked events represent messages that were prevented from being delivered by a security control or filtering system. Blocking typically occurs before the receiving mail server accepts responsibility for the message.
These events are important for identifying the enforcement of spam, phishing, or malware protections, as well as for verifying that email security policies are working as intended.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
|
130500 |
messaging |
messaging.email |
email blocked |
An E-Mail message has been blocked |
Email rejected events represent messages that were refused by the receiving mail server during the delivery process. Unlike blocked messages, which are stopped by a filtering system before acceptance, rejected messages are actively refused after the sending system attempts delivery.
Common reasons for rejection include invalid recipients, blacklisting, or policy-based rules (such as rejecting messages from unauthenticated senders). These events are valuable for troubleshooting delivery issues and for detecting signs of malicious or misconfigured activity.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
|
131000 |
messaging |
messaging.email |
email rejected |
An e-mail message has been rejected |
Email quarantined events represent messages that were delivered to a secure holding area instead of reaching the intended recipient’s inbox. Quarantine is typically used by email security gateways or filtering systems to isolate messages suspected of containing spam, phishing content, or malware.
These events are important for investigations because they indicate suspicious messages that bypassed outright blocking or rejection but were still prevented from reaching end users. Analysts may review quarantined messages to confirm malicious content or release them if safe.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
|
131500 |
messaging |
messaging.email |
email quarantined |
An E-Mail message has been placed into quarantine |
Email deleted events represent messages that have been permanently removed from mail storage. Deletion may occur automatically (for example, by a security system removing confirmed malicious emails), or manually (by an administrator or end user).
Tracking deletion events is useful for understanding remediation actions, enforcing retention policies, and identifying whether suspicious or unwanted messages were successfully removed from user access.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
|
132000 |
messaging |
messaging.email |
email deleted |
An E-Mail message has been deleted |
default
The default subcategory is used for email-related events that do not fit into a more specific subcategory, such as sent, blocked, rejected, quarantined, or deleted. These may include vendor-specific log messages or generic events that cannot be reliably classified.
The default subcategory ensures that all email activity is captured within the model, even when detailed normalization is not possible.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
|
139999 |
messaging |
messaging.default |
message |
E-mail related message |
