
Is anyone aware of which timestamp presented in alerts correlates to the actual time the email was removed from the inbox if the systemActionType states "REMOVED_FROM_INBOX"?

My question is specific to the "Gmail phishing" alert source (https://developers.google.com/admin-sdk/alertcenter/reference/alert-types). I have yet to see an endTime that is after the alert's createTime for Phishing reclassification, and a review of the alert-types page and definitions makes me assume createTime is the correct time to utilize. However, that makes me confused about why there is an endTime being populated for these types.

Key/Value and Description (from the alert-types page):

Phishing reclassification: Unopened messages that are detected as phishing post-delivery are automatically reclassified and removed from the user's inbox.
createTime: Output only. The time this alert was created.
endTime: Optional. The time the event that caused this alert ceased being active. If provided, the end time must not be earlier than the start time. If not provided, it indicates an ongoing alert.

Sample Alert

{
  "customerId": "<removed>",
  "alertId": "<removed>",
  "createTime": "2021-03-11T18:25:47.538082Z",
  "startTime": "2021-03-11T13:19:50.374062Z",
  "endTime": "2021-03-11T17:53:54.482936Z",
  "type": "Phishing reclassification",
  "source": "Gmail phishing",
  "data": {
    "@type": "type.googleapis.com/google.apps.alertcenter.type.MailPhishing",
    "domainId": {
      "customerPrimaryDomain": "<removed>"
    },
    "maliciousEntity": {
      "fromHeader": "<removed>"
    },
    "messages": [
      {
        "messageId": "<removed>",
        "md5HashMessageBody": "<removed>",
        "md5HashSubject": "<removed>",
        "attachmentsSha256Hash": [
          "<removed>"
        ],
        "recipient": "<removed>",
        "date": "2021-03-11T13:19:50.374062Z"
      }
    ],
    "isInternal": true,
    "systemActionType": "REMOVED_FROM_INBOX"
  },
  "metadata": {
    "customerId": "<removed>",
    "alertId": "<removed>",
    "status": "NOT_STARTED",
    "updateTime": "2021-03-11T18:25:47.538082Z",
    "severity": "MEDIUM",
    "etag": "<removed>"
  }
}

API Link if you so desire: https://developers.google.com/admin-sdk/alertcenter/reference/rest/v1beta1/alerts

jhorne
  • Considering that the `endTime` refers to the time when the event ceases to be active, one could think that's the time when the messages are removed from inbox. About `however that makes me confused on why there is an endTime being populated for these types`, if `endTime` was not populated this would be an ongoing event. In any case, do you have a way to reproduce this behavior? – Iamblichus Apr 22 '21 at 08:16
  • I will see if I can have someone help reproduce; however, if I am not able, are you able to ask internally which of the timestamps corresponds to the time an email was removed from the inbox? – jhorne Apr 23 '21 at 15:56
  • It looks like the email is removed from the inbox when the actual alert is generated and notifies the admins. If this is not the case please let me know and I will mark as answered. – jhorne Apr 28 '21 at 15:27

1 Answer


Answer:

In Phishing reclassification alerts, the date when each message was removed from inbox (when it was reclassified) corresponds to the date field in each message:

{
 "data": {
   "messages": [
     {
       "date": "2021-03-11T13:19:50.374062Z"
     }
   ]
 }
}

You will notice that it corresponds to the date in startTime. That’s because startTime corresponds to the date when the first message in the report was reclassified (since that’s the first and only reclassified message in this alert).

Reported in Issue Tracker:

The documentation at GmailMessageInfo is not clear on this, since date corresponds to "The date the malicious email was sent" only in some alert types.

Therefore, I reported a documentation bug in Issue Tracker:

Iamblichus
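To show how an alert consumer would apply the answer above, here is an added example (not code from the question, the answer, or Google's API) that extracts the per-message removal time from a Phishing reclassification alert, takes it only when systemActionType is REMOVED_FROM_INBOX, checks that startTime equals the earliest message date, and measures how long after the first removal the alert was created. The alert is a constructed copy of the question's sample with the "<removed>" placeholders kept, a second message added to exercise the "first message" rule, and unused fields dropped.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the question's alert with placeholders kept, one extra
# message added (its date is invented), and fields not needed here removed.
SAMPLE_ALERT = json.loads("""
{
  "createTime": "2021-03-11T18:25:47.538082Z",
  "startTime": "2021-03-11T13:19:50.374062Z",
  "endTime": "2021-03-11T17:53:54.482936Z",
  "type": "Phishing reclassification",
  "source": "Gmail phishing",
  "data": {
    "messages": [
      {"messageId": "<removed>", "recipient": "<removed>",
       "date": "2021-03-11T13:19:50.374062Z"},
      {"messageId": "<removed-2>", "recipient": "<removed-2>",
       "date": "2021-03-11T15:02:11.000000Z"}
    ],
    "systemActionType": "REMOVED_FROM_INBOX"
  }
}
""")


def parse_ts(value):
    """RFC 3339 timestamp with microseconds and a trailing Z, as the API emits."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def removal_times(alert):
    """(recipient, messageId, removal time) per message for a Gmail phishing
    alert in which the system removed the mail. For any other source or action
    type the 'date' field means something else (e.g. send date), so return []."""
    data = alert.get("data", {})
    if alert.get("source") != "Gmail phishing":
        return []
    if data.get("systemActionType") != "REMOVED_FROM_INBOX":
        return []
    return [(m["recipient"], m["messageId"], parse_ts(m["date"]))
            for m in data.get("messages", [])]


def start_time_matches_first_removal(alert):
    """startTime should equal the earliest per-message removal date."""
    times = [t for _, _, t in removal_times(alert)]
    return bool(times) and min(times) == parse_ts(alert["startTime"])


def notification_lag_seconds(alert):
    """Seconds between the first removal and the alert's createTime."""
    times = [t for _, _, t in removal_times(alert)]
    return (parse_ts(alert["createTime"]) - min(times)).total_seconds()
```

For the sample, the first message was removed a little over five hours before the alert was created, which is the gap between startTime and createTime in the question.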