Codes of Content Filtering expression settings

If logging of audit events and modified settings is enabled in Event Log settings, when expressions of the Content Filtering module are edited, detailed information about the changes is recorded in an Audit Log event.

The following table shows how the settings of expressions of the Content Filtering module are coded in an Audit Log record.

Codes of expression settings on the Main tab in an audit event record

Expression setting in the Content Filtering module	Code in the audit event record	Examples
Status toggle switch in the Expressions table	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.enable` Possible values: `true` if the expression is enabled. `false` the expression is disabled. The toggle switch is enabled automatically when the condition is created, and a corresponding audit event is logged.	Rule created with an expression, or a new expression created in an existing rule: `scanSettings.cfScanSettings.expressions{1, Some expression name}.name[][Some expression name]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.Index[][1]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.actions.action[][Skip]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.actions.backup[][true]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.actions.mark[][MARK_FOR_EXPRESSION]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.conditionsJoiningOperation[][AllTrue]` Expression modified: `scanSettings.cfScanSettings.expressions{1, Some expression name}.name[Some expression name][New expression name]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.Index[1][2]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.actions.action[Skip][Reject]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.actions.backup[true][false]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.actions.mark[MARK_FOR_EXPRESSION][NEW_MARK_FOR_EXPRESSION]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.conditionsJoiningOperation[AllTrue][AnyTrue]` Changing the position of an expression changes it for all other expressions of the rule. Therefore, lines about the positions of the other expressions changing are also logged. `scanSettings.cfScanSettings.expressions{2, Some expression 2 name}.Index[2][3]` `scanSettings.cfScanSettings.expressions{3, Some expression 3 name}.Index[3][4] etc` Rule with expression removed or expression removed: `scanSettings.cfScanSettings.expressions{1, New expression name}.enable[false][]` `scanSettings.cfScanSettings.expressions{1, New expression name}.name[New expression name][]` `scanSettings.cfScanSettings.expressions{1, New expression name}.actions.action[Reject][]` `scanSettings.cfScanSettings.expressions{1, New expression name}.actions.backup[false][]` `scanSettings.cfScanSettings.expressions{1, New expression name}.actions.mark[NEW_MARK_FOR_EXPRESSION][]` `scanSettings.cfScanSettings.expressions{1, New expression name}.conditionsJoiningOperation[AnyTrue][]`
Expression name	`scanSettings.cfScanSettings.expressions` `{Number, Name}.name`
Place	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>, AttachmentFormat}.attachmentFormat.` `dictionaries` The record will contain the IDs of the connected or disconnected dictionaries.
Action if expression matched	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `actions.action` Possible values: `Skip` if Skip is selected. `DeleteAttachment` if Delete attachment is selected. `Reject` if Reject is selected. `DeleteMessage` if Delete message is selected.
Place original message in Backup	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `actions.backup`
Text to add to message subject	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `actions.mark`
Type of logical connection	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditionsJoiningOperation` Possible values: `AllTrue` if Only if all conditions match is selected. `AnyTrue` if If one or more conditions match is selected.

Codes of expression settings on the Actions on headers tab in an audit event record

Expression setting in the Content Filtering module	Code in the audit event record	Examples
Delete headers – Text	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `headersToChange.headersToDelete.textList`	Rule created with an expression, or a new expression created in an existing rule: `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToDelete.textList.Added[X-MS-Exchange-Abc X-MS-Exchange-Def]` Expression modified: `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToDelete.textList.Added[X-MS-Exchange-Ghi X-MS-Exchange-Xyz]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToDelete.textList.Removed[X-MS-Exchange-Def]` Rule with expression removed or expression removed: `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToDelete.textList.Removed[X-MS-Exchange-Abc X-MS-Exchange-Ghi X-MS-Exchange-Xyz]`
Delete headers – Wildcard	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `headersToChange.headersToDelete.wildcardList`	Rule created with an expression, or a new expression created in an existing rule: `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToDelete.wildcardList.Added[X-MS-Exchange-%2A]` Expression modified: `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToDelete.wildcardList.Added[X-MS-Exchange-%2Aabc]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToDelete.wildcardList.Removed[X-MS-Exchange-%2A]` Rule with expression removed or expression removed: `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToDelete.wildcardList.Removed[X-MS-Exchange-%2Aabc]`
Delete headers – Regexp	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `headersToChange.headersToDelete.regexList`	Rule created with an expression, or a new expression created in an existing rule: `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.actions.headersToChange.` `headersToDelete.regexList.Added[X-KSMG.+]` Expression modified: `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.actions.headersToChange.` `headersToDelete.regexList.Added[X-MS.+]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.actions.headersToChange.` `headersToDelete.regexList.Removed-KSMG.+]` Rule with expression removed or expression removed: `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.actions.headersToChange.` `headersToDelete.regexList.regexList.Removed[X-MS.+]`
Modify headers	`scanSettings.cfScanSettings.expressions` {`<expression number>, <expression number>}.` `headersToChange.headersToModify` Values in the list are represented as pairs of records: one record for the header name, and another for the value. If a header is added or removed, such an event is represented by two records: 1. A record with the added or removed header in the following form: `scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `headersToChange.headersToModify{N}.<header name>` 2. A record with the value of the added or removed header in the following form: `scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `headersToChange.headersToModify{N}.<header value>` If only the header is changed for a pair, the modifications of the pair are represented by a single record of the following form: `scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `headersToChange.headersToModify{N}.<header name>` If only the value of the header is changed for a pair, the modifications of the pair are represented by a single record of the following form: `scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `headersToChange.headersToModify{N}.<header value>` Where N is the serial number of the pair in the list of pairs. If the serial number of a pair changes, the modifications of the pair are represented by a single record of the following form: `scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `headersToChange.headersToModify{N}.<serial number>`	Rule created with an expression, or a new expression created in an existing rule: `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.headersToChange.` `headersToModify{1}.name[][X-MS-Exchange-Abc]` `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.headersToChange.` `headersToModify{1}.value[][123]` `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.headersToChange.` `headersToModify{2}.name[][X-MS-Exchange-Def]` `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.headersToChange.` `headersToModify{2}.value[][456]` `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.headersToChange.` `headersToModify{3}.name[][X-MS-Exchange-Ghi]` `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.headersToChange.` `headersToModify{3}.value[][789]` Expression modified: `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.headersToChange.` `headersToModify{1}.name[X-MS-Exchange-Abc][]` `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.headersToChange.` `headersToModify{1}.value[123][]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{2}.value[456][444]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{2}.Index[2][1]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{3}.name[X-MS-Exchange-Ghi][X-PT-Ghi]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{3}.Index[3][2]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{3}.name[][X-MS-Exchange-Xyz]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{3}.value[][111]` Rule with expression removed or expression removed: `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{1}.name[X-MS-Exchange-Def][]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{1}.value[444][]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{2}.name[X-PT-Ghi][]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{2}.value[789][]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{3}.name[X-MS-Exchange-Xyz][]` `scanSettings.cfScanSettings.expressions` `{1, Some expression name}.headersToChange.` `headersToModify{1}.value[111][]`

Page top