topic Threat Emulation policy action "Send" in Firewall and Security Management

Threat Emulation policy action "Send"

imamuzic — Mon, 23 Mar 2026 12:23:34 GMT

Hi guys,

What policy action of type "Send" means in context of Threat Emulation with ICAP? I have a TP gateway (ICAP server) with remote emulation to local TE appliance.

Please see the screenshot attached.

Best Regards,

Igor

Re: Threat Emulation policy action "Send"

PhoneBoy — Mon, 23 Mar 2026 21:44:27 GMT

It would seem to indicate this file was sent for emulation.

Re: Threat Emulation policy action "Send"

the_rock — Tue, 24 Mar 2026 01:09:10 GMT

Exactly means what Phoneboy said.

Re: Threat Emulation policy action "Send"

imamuzic — Tue, 24 Mar 2026 08:43:50 GMT

Great, thanks. That makes sense. I think that "Lggging and Monitoring Admin Guide" under "Using the Action Filter" should be updated to reflect what you wrote above as its current version is a bit misleading about "Send" action:

"User decided to continue transmission after DLP capture. An administrator with full permissions or with the View/Release/Discard DLP messages permission can also decide to continue transmission. Email notification is sent to the user."

Re: Threat Emulation policy action "Send"

PhoneBoy — Tue, 24 Mar 2026 23:41:15 GMT

Possible this is used in both situations.
In any case, tagging @Sergei_Shir

Re: Threat Emulation policy action "Send"

Ronit_Segal — Sun, 29 Mar 2026 07:07:05 GMT

According to @Ran :

Not sure why but I think ICAP generate this weird log. TE does generate these kind of logs.

This looks like a bug, not sure why this log is created like this.

Re: Threat Emulation policy action "Send"

Ronit_Segal — Sun, 29 Mar 2026 11:50:55 GMT

As per RnD:

The logs look like a bug, since “Send” is a feature reserved for DLP.

ICAP sends 'monitor', 'allow', 'prevent' logs.

Therefore, in this case. it is better to open a support ticket.