
File Inspection Reports

A file that's been inspected and blocked appears in your security logs like any other network event that passes through Umbrella. Both the activity search and the security activity report show file inspection events, but greater detail is found in the security activity report.

Files that were inspected and allowed through because they are safe appear as allowed events in the activity search report, without any information about scan results, because there is nothing to report.

In the earlier test with eicar.com, if the test worked as expected, you should have a result in your security activity report for the identity that matched when you ran the test. This result can be seen in one of two ways.


Security Activity Report for File Inspection

  1. Navigate to Reporting > Core Reports > Security Activity and using the built-in filters, search for the threat name, which in this example is "EICAR."
  2. Click Advanced Search and filter for threat, then type 'eicar':

The result will appear compressed in a card.


Click the card to expand it and review the data. Because every sample of malware is different, each result will vary based on the malware, the identity that triggered it and which engine detected it as malicious, but the majority of these fields are consistent between the various blocks of files that have been inspected.

The SHA-256 hash is especially helpful in cross-referencing between other security data platforms, or even VirusTotal.


Note: The eicar test virus is scanned by both the antivirus engine and the Cisco AMP engine and detected by both. All files are scanned by both engines and can be detected by both, one or neither. If a sample is detected by both engines, the Cisco AMP detection takes precedence in the reports.

Field: Value

Destination: which domain or IP hosted the suspicious file.
URL: the URL at which the suspicious file was found, if available. Usually the same domain as the destination.
Date & Time: when the suspicious file was downloaded by the user and scanned.
Categories: which security categories matched this event. It is possible for a file to be flagged as malicious or suspicious by the antivirus scanner and Cisco AMP but not be categorized.
Result: either blocked or allowed.
User Agent: the user agent of the browser with which the request was made (http://www.useragentstring.com/pages/useragentstring.php?typ=Browser).
Content Type: the MIME type of the data stream (https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types).
SHA-256 Hash: checksum of the file, if available. Typically for Cisco AMP; this is also included in the summary.
Status code: the HTTP code returned from the query (typically 300 or 400).
Virus: the name found by the antivirus scanner, where applicable.
Referrer: the referrer URL, where available/applicable.
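The following is an added example, not part of this guide or of any Umbrella tooling, showing how the fields above can be used programmatically: it hashes the EICAR test string, cross-references the SHA-256 against a local hash list (standing in for another security data platform or VirusTotal), and applies the precedence rule from the note (Cisco AMP wins when both engines detect). The event dictionary, its values, the "AMP Disposition" field name and the local hash list are constructed for this example; only the EICAR string and its published SHA-256 are real.

```python
import hashlib
import re
from typing import Dict, Optional

# The EICAR test string (published standard, 68 bytes, no trailing newline).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed local hash list standing in for the platform you cross-reference
# against. The key is the published SHA-256 of the EICAR string above.
KNOWN_HASHES: Dict[str, str] = {
    "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f": "EICAR test file",
}

# Constructed event using the field names from the table above. "AMP Disposition"
# is a hypothetical field name used here to carry the Cisco AMP verdict.
SAMPLE_EVENT: Dict[str, str] = {
    "Destination": "proxy.opendnstest.com",
    "URL": "http://proxy.opendnstest.com/eicar.com",
    "Date & Time": "2024-01-01 12:00:00",  # constructed
    "Categories": "",
    "Result": "blocked",
    "User Agent": "Mozilla/5.0 (constructed)",
    "Content Type": "application/octet-stream",
    "SHA-256 Hash": hashlib.sha256(EICAR.encode("ascii")).hexdigest(),
    "Status code": "403",  # constructed
    "Virus": "EICAR-Test-File",  # hypothetical antivirus engine label
    "AMP Disposition": "Malicious",
    "Referrer": "",
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string, the form shown in the report card."""
    return hashlib.sha256(data).hexdigest()


def is_valid_sha256(value: str) -> bool:
    """True if value looks like a hex SHA-256 (64 hex characters)."""
    return bool(SHA256_RE.match(value.strip().lower()))


def reported_engine(event: Dict[str, str]) -> Optional[str]:
    """Which engine the report attributes the detection to.

    Per the note above, when both engines flag a sample the Cisco AMP
    detection takes precedence; otherwise fall back to the antivirus name.
    """
    if event.get("AMP Disposition", "").strip().lower() == "malicious":
        return "Cisco AMP"
    if event.get("Virus", "").strip():
        return "Antivirus"
    return None


def cross_reference(event: Dict[str, str], known: Dict[str, str]) -> dict:
    """Look up the event's SHA-256 in a local hash list and report the outcome.

    Handles the 'if available' caveat from the table: an empty or malformed
    hash yields status 'no-hash' rather than a false 'unknown'.
    """
    digest = event.get("SHA-256 Hash", "").strip().lower()
    if not is_valid_sha256(digest):
        return {"status": "no-hash", "label": None, "sha256": None}
    label = known.get(digest)
    return {"status": "match" if label else "unknown", "label": label, "sha256": digest}


if __name__ == "__main__":
    print("computed EICAR SHA-256:", sha256_hex(EICAR.encode("ascii")))
    print("detected by:", reported_engine(SAMPLE_EVENT))
    print("cross-reference:", cross_reference(SAMPLE_EVENT, KNOWN_HASHES))
```

Hashing the downloaded eicar.com file yourself and comparing it to the SHA-256 shown in the card is a quick way to confirm the report refers to the file you actually fetched in the earlier test.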

Security Activity Report for Activity Search

The Activity Search shows files that were allowed through and files that were blocked. Any page on any website could count as a file; files like .HTML or .CSS are common. In the earlier test to download the eicar.com test file from proxy.opendnstest.com, other page elements were downloaded but allowed.


On the far right-hand side, the ellipsis icon can be expanded for more information. In this instance, the file was allowed.


Click See Full Details to view details.


The results for Cisco AMP are blank, as the file was allowed.

You can also use the column filters in the activity search to show the file name and make it more apparent. First, select "Columns" and expose the 'File Name' column, which is hidden by default.


Run the report for the last 24 hours and you'll see the results, including the file name that was proxied.
