
(Draft) Review File Inspection Through Reports (March 2022)


A file that has been inspected and then blocked or warned on appears in your reports like any other network event that passes through Umbrella. Both the Activity Search and the Security Activity reports show file inspection events, but the Security Activity report gives the greater detail.

Files that were inspected and allowed because they are clean appear as allowed events in the Activity Search report with no scan result information. A clean scan leaves nothing to report, so no result is shown.


View Inspected Files in the Security Activity Report

  1. Navigate to Reporting > Core Reports > Security Activity, click Advanced Search, add the Threat Name, and click Search.

The result appears compressed in a card.

  2. Click the card to expand it and review the data.
     Because every malware sample is different, each result varies with the malware, the identity that triggered the event and the engine that detected it as malicious, but most of the fields are consistent across the various blocks of inspected files.

The SHA-256 hash is especially useful for cross-referencing the file with other security data platforms, including VirusTotal.


Note: The EICAR test file is scanned by both the antivirus engine and the Cisco AMP engine and is detected by both. Every inspected file is scanned by both engines and may be detected by both, by one, or by neither. When both engines detect a sample, the Cisco AMP detection takes precedence in the reports.

Field: Value
Destination: the domain or IP address that hosted the suspicious file
URL: the URL at which the suspicious file was found, if available. Usually on the same domain as the destination.
Date & Time: when the user downloaded the suspicious file and it was scanned
Categories: the security categories that matched this event. A file can be flagged as malicious or suspicious by the antivirus scanner or Cisco AMP and still carry no category.
Result: either blocked or allowed
User Agent: the user agent of the browser that made the request (see http://www.useragentstring.com/pages/useragentstring.php?typ=Browser)
Content Type: the MIME type of the data stream (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types)
SHA-256 Hash: checksum of the file, if available; typically populated for Cisco AMP detections. Also shown in the card summary.
Status code: the HTTP status code returned for the request (typically in the 300 or 400 range)
Virus: the threat name reported by the antivirus scanner, where applicable
Referrer: the referrer URL, where available and applicable

View Inspected Files in the Activity Search Report

The Activity Search shows both blocked and allowed files. Any page on any website can count as a file; .HTML and .CSS files are common. In the earlier test that downloaded the eicar.com test file from proxy.opendnstest.com, the other page elements were downloaded and allowed.


On the far right-hand side, expand the ellipsis icon for more information. In this instance, the file was allowed.


Click See Full Details to view details.


The Cisco AMP fields are blank because the file was allowed.

You can also use the column settings in the Activity Search to show the file name directly. First, select Columns and enable File Name, which is hidden by default.


Run the report for the last 24 hours and the results include the name of each file that was proxied.
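The following Python script is an added example, not part of the Umbrella documentation or product code. It works an exported set of activity events the way this page describes: allowed files carry no scan result and are only counted, blocked or warned files are triaged by the engine that detected them (Cisco AMP taking precedence over the antivirus name when both fired), and each SHA-256 hash is turned into a VirusTotal pivot link. The CSV column names, the AMP and antivirus threat names and the other field values in the sample are constructed assumptions for this example; Umbrella's real export schema may use different names, so adjust the column names in the script to match your export. The SHA-256 value is the well-known hash of the EICAR test file.

```python
"""Triage Umbrella file-inspection events from a report export (added example)."""
import csv
import io

# Constructed sample export: three events from one eicar.com download test.
# Column names and threat names are assumptions for this example, not Umbrella's schema.
SAMPLE_CSV = """\
datetime,identity,destination,url,verdict,content_type,status_code,sha256,amp_disposition,amp_malware_name,av_threat_name,file_name
2022-03-01T10:15:02Z,laptop-01,proxy.opendnstest.com,http://proxy.opendnstest.com/eicar.com,blocked,application/octet-stream,403,275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f,malicious,Sample.AMP.EICAR,Sample-AV-EICAR,eicar.com
2022-03-01T10:15:01Z,laptop-01,proxy.opendnstest.com,http://proxy.opendnstest.com/,allowed,text/html,200,,,,,index.html
2022-03-01T10:15:01Z,laptop-01,proxy.opendnstest.com,http://proxy.opendnstest.com/style.css,allowed,text/css,200,,,,,style.css
"""

# Verdicts that the report treats as an inspection hit (blocked or warned).
HIT_VERDICTS = {"blocked", "warned"}


def parse_events(csv_text):
    """Parse an exported activity report into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def detection_name(event):
    """Return (engine, threat_name) using the report's precedence rule.

    Both engines scan every file; if both detect it, the Cisco AMP name wins.
    Returns (None, None) for a file neither engine flagged.
    """
    if event.get("amp_disposition") == "malicious" and event.get("amp_malware_name"):
        return "amp", event["amp_malware_name"]
    if event.get("av_threat_name"):
        return "antivirus", event["av_threat_name"]
    return None, None


def virustotal_url(sha256):
    """Pivot link for the SHA-256 shown in the Security Activity card."""
    return f"https://www.virustotal.com/gui/file/{sha256}" if sha256 else None


def triage(events):
    """Split events into detections (with engine and pivot link) and a count
    of allowed events, which carry no scan result because there is nothing to report."""
    detections = []
    allowed_without_result = 0
    for event in events:
        engine, threat = detection_name(event)
        if event.get("verdict") in HIT_VERDICTS and engine:
            detections.append({
                "file_name": event.get("file_name"),
                "destination": event.get("destination"),
                "verdict": event["verdict"],
                "engine": engine,
                "threat": threat,
                "sha256": event.get("sha256"),
                "virustotal": virustotal_url(event.get("sha256")),
            })
        elif event.get("verdict") == "allowed":
            allowed_without_result += 1
    return detections, allowed_without_result


def unique_hashes(detections):
    """Deduplicate hashes so the same sample is pivoted once, not per identity."""
    return sorted({d["sha256"] for d in detections if d["sha256"]})


if __name__ == "__main__":
    found, allowed = triage(parse_events(SAMPLE_CSV))
    for d in found:
        print(f"{d['verdict']:8} {d['engine']:10} {d['threat']:20} {d['file_name']} -> {d['virustotal']}")
    print(f"{allowed} allowed event(s) with no scan result; {len(unique_hashes(found))} unique hash(es)")
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; the only logic that depends on Umbrella is the column mapping and the precedence rule in detection_name, so a schema change is a one-place fix.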

