(Draft) Review File Inspection Through Reports (March 2022)
A file that has been inspected and blocked or warned appears in your security logs like any other network event that passes through Umbrella. Both the Activity Search and the Security Activity reports show file inspection events, but greater detail is found in the Security Activity report.
Files that were inspected and allowed because they are safe appear as allowed events in the activity search report without any information about scan results. There is no information about scan results because there is nothing to report.
Table of Contents
- View Inspected Files in the Security Activity Report
- View Inspected Files in the Activity Search Report
View Inspected Files in the Security Activity Report
- Navigate to Reporting > Core Reports > Security Activity, click Advanced Search, add the Threat Name, and click Search.
The result appears compressed in a card.
- Click the card to expand it and review data.
Because every malware sample is different, each result varies according to the malware, the identity that triggered the event, and which engine detected it as malicious; however, most of the fields below are consistent across blocked file inspection events.
The SHA-256 hash is especially helpful for cross-referencing with other security data platforms, or with VirusTotal.
Note: The EICAR test virus is scanned by both the antivirus engine and the Cisco AMP engine and is detected by both. All files are scanned by both engines and can be detected by both, by one, or by neither. If a sample is detected by both engines, the Cisco AMP detection takes precedence in the reports.
| Field | Value |
|---|---|
| Destination | the domain or IP that hosted the suspicious file |
| URL | the URL at which the suspicious file was found, if available. Usually the same domain as the destination. |
| Date & Time | when the suspicious file was downloaded by the user and scanned |
| Categories | the security categories matched against this event. It is possible for a file to be malicious or suspicious according to the antivirus scanner and Cisco AMP but not be categorized. |
| Result | either blocked or allowed |
| User Agent | the user agent of the browser with which the request was made (see http://www.useragentstring.com/pages/useragentstring.php?typ=Browser) |
| Content Type | the MIME type of the data stream (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types) |
| SHA-256 Hash | checksum of the file, if available. Typically present for Cisco AMP detections. This is also included in the summary. |
| Status code | the HTTP code returned from the query (typically 300 or 400) |
| Virus | the name assigned by the antivirus scanner, where applicable |
| Referrer | the referrer URL, where available or applicable |
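The field table and the note on engine precedence above lend themselves to a small triage script once the Security Activity results have been exported. The following is an added example, not Cisco Umbrella code and not an Umbrella export format: it assumes rows keyed by the field names in the table, plus an assumed `AMP Disposition` column that the page does not document. The sample rows and their hash values are constructed placeholders. It groups blocked events by SHA-256 so each distinct file is reviewed once, credits the detection to Cisco AMP when both engines fired (the precedence rule in the note), skips allowed events because they carry no scan results, and does not rely on the Categories field, since the page warns a malicious file may be uncategorized.

```python
import csv

# Constructed sample rows. Column names follow the field table on this page;
# "AMP Disposition" is an assumed column, not one the page documents.
SAMPLE_EVENTS = [
    {"Destination": "proxy.opendnstest.com",
     "URL": "http://proxy.opendnstest.com/eicar.com",
     "Result": "blocked",
     "SHA-256 Hash": "a1" * 32,        # constructed placeholder hash
     "Virus": "EICAR-Test-File",       # both engines fired on this one
     "AMP Disposition": "Malicious",
     "Categories": "Malware"},
    {"Destination": "proxy.opendnstest.com",
     "URL": "http://proxy.opendnstest.com/index.html",
     "Result": "allowed",              # allowed: no scan results to report
     "SHA-256 Hash": "", "Virus": "", "AMP Disposition": "", "Categories": ""},
    {"Destination": "files.example.net",
     "URL": "http://files.example.net/tool.exe",
     "Result": "blocked",
     "SHA-256 Hash": "b2" * 32,        # constructed placeholder hash
     "Virus": "Trojan.Generic",        # constructed name; only the AV engine fired
     "AMP Disposition": "",
     "Categories": ""},                # malicious but uncategorized, as the page warns
    {"Destination": "cdn.example.net",
     "URL": "http://cdn.example.net/tool.exe",
     "Result": "blocked",
     "SHA-256 Hash": "b2" * 32,        # same file seen from a second host
     "Virus": "Trojan.Generic",
     "AMP Disposition": "",
     "Categories": ""},
]


def load_events_csv(path):
    """Read an exported report saved as CSV with a header row (assumed layout)."""
    with open(path, newline="", encoding="utf-8") as fh:
        return list(csv.DictReader(fh))


def detection_engine(event):
    """Name the engine credited with the detection, applying the precedence
    rule from the note above: when both engines fire, Cisco AMP is shown."""
    if event.get("AMP Disposition", "").strip().lower() == "malicious":
        return "Cisco AMP"
    if event.get("Virus", "").strip():
        return "Antivirus"
    return None


def summarize_blocked_files(events):
    """Group blocked file events by SHA-256 so each distinct file is reviewed once.

    Allowed events are skipped (they carry no scan results). Events without a
    hash are keyed by URL instead so they are not silently dropped.
    Returns: key -> {"engine", "virus", "count", "destinations"}.
    """
    summary = {}
    for ev in events:
        if ev.get("Result", "").strip().lower() != "blocked":
            continue
        key = ev.get("SHA-256 Hash", "").strip() or "(no hash) " + ev.get("URL", "")
        entry = summary.setdefault(key, {
            "engine": detection_engine(ev),
            "virus": ev.get("Virus", "").strip() or None,
            "count": 0,
            "destinations": set(),
        })
        entry["count"] += 1
        entry["destinations"].add(ev.get("Destination", ""))
    return summary


def hashes_for_crossreference(summary):
    """Return only well-formed SHA-256 values, ready to look up in other platforms."""
    hexdigits = set("0123456789abcdef")
    return sorted(k for k in summary
                  if len(k) == 64 and set(k.lower()) <= hexdigits)


if __name__ == "__main__":
    report = summarize_blocked_files(SAMPLE_EVENTS)
    for key, info in report.items():
        print(key[:16], info["engine"], info["virus"], info["count"],
              sorted(info["destinations"]))
    print("cross-reference:", hashes_for_crossreference(report))
```

Replace `SAMPLE_EVENTS` with `load_events_csv("export.csv")` to run it over a real export; the column names in the CSV header must match the keys used here.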
View Inspected Files in the Activity Search Report
The Activity Search shows blocked and unblocked files. Any page on any website can count as a file; files such as .HTML or .CSS are common. In the earlier test to download the eicar.com test file from proxy.opendnstest.com, other page elements were downloaded but allowed.
On the far right-hand side, expand the ellipsis icon for more information. In this instance, the file was allowed.
Click See Full Details to view details.
The results for Cisco AMP are blank, as the file was allowed.
You can also use the column filters in the Activity Search to show the file name and make it more apparent. First, select Columns and expose the File Name column, which is hidden by default.
Run the report for the last 24 hours and the results include the file name that was proxied.