Cisco Content Security Management Appliance M390 User Guide
AsyncOS 9.6 for Cisco Content Security Management Appliances User Guide
Chapter 5 Using Centralized Web Reporting and Tracking
Web Tracking
Search results include:
• The time that the URL was accessed.
• The number of related transactions spawned by the user-initiated transaction, such as images loaded, javascripts run, and secondary sites accessed. The number of related transactions appears in each row below the Display All Details link in the column heading.
• The disposition (The result of the transaction. If applicable, shows the reason the transaction was blocked, monitored, or warned.)
Viewing Transaction Details for Web Tracking Search Results
About Web Tracking and Advanced Malware Protection Features
When searching for file threat information in Web Tracking, keep the following points in mind:
• To search for malicious files found by the file reputation service, select Known Malicious and High-Risk Files for the Filter by Malware Category option in the Malware Threat area in the Advanced section in Web Tracking.
• Web Tracking includes only information about file reputation processing and the original file reputation verdicts returned at the time a transaction was processed. For example, if a file was initially found to be clean, then a verdict update found the file to be malicious, only the clean verdict appears in Tracking results.
• "Block - AMP" in search results means the transaction was blocked because of the file's reputation verdict.
• In Tracking details, the "AMP Threat Score" is the best-effort score that the cloud reputation service provides when it cannot determine a clear verdict for the file. In this situation, the score is between 1 and 100. (Ignore the AMP Threat Score if an AMP Verdict is returned or if the score is zero.) The appliance compares this score to the threshold score (configured on the Security Services > Anti-Malware and Reputation page) to determine what action to take. By default, files with scores between 60 and 100 are considered malicious. Cisco does not recommend changing the default threshold score. The WBRS score is the reputation of the site from which the file was downloaded; this score is not related to the file reputation.
• Verdict updates are available only in the AMP Verdict Updates report. The original transaction details in Web Tracking are not updated with verdict changes. To see transactions involving a particular file, click a SHA-256 in the verdict updates report.
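The following added example (not from the Cisco guide or from the appliance) shows how an analyst could apply the points above offline: read the AMP Threat Score as described, then cross-reference later verdict updates against original tracking results by SHA-256. The record layout, field names, host names and all values are constructed assumptions, not an appliance export format.

```python
# Added example. Field names and every record below are constructed for
# illustration; this is not an appliance export format.
DEFAULT_THRESHOLD = 60  # guide default: scores 60-100 are considered malicious

def original_assessment(txn, threshold=DEFAULT_THRESHOLD):
    """Classify a file using only what was recorded at transaction time."""
    # The WBRS score is site reputation, unrelated to the file, so it is unused.
    if txn.get("amp_verdict"):           # clear verdict returned: ignore the score
        return txn["amp_verdict"].lower()
    score = txn.get("amp_threat_score") or 0
    if score == 0:                       # a zero score is to be ignored
        return "unknown"
    return "malicious" if score >= threshold else "below-threshold"

def retrospective_hits(transactions, verdict_updates):
    """Transactions not judged malicious when processed whose SHA-256 later
    received a malicious verdict update (tracking keeps the original verdict)."""
    later_bad = {}
    for upd in verdict_updates:
        if upd["new_verdict"].lower() == "malicious":
            later_bad[upd["sha256"]] = upd["updated_at"]
    hits = []
    for txn in transactions:
        updated_at = later_bad.get(txn["sha256"])
        # ISO 8601 strings in one format compare correctly as text.
        if (updated_at and updated_at > txn["time"]
                and original_assessment(txn) != "malicious"):
            hits.append({"user": txn["user"], "host": txn["host"],
                         "sha256": txn["sha256"], "seen": txn["time"],
                         "updated": updated_at})
    return hits

# Constructed sample data: placeholder hashes, hypothetical hosts and users.
TRANSACTIONS = [
    {"time": "2015-06-01T10:00:00", "user": "alice", "host": "wsa01", "sha256": "aa" * 32, "amp_verdict": "Clean", "amp_threat_score": 0, "wbrs": 5.2},
    {"time": "2015-06-01T10:05:00", "user": "bob", "host": "wsa01", "sha256": "bb" * 32, "amp_verdict": None, "amp_threat_score": 72, "wbrs": -3.1},
    {"time": "2015-06-01T10:09:00", "user": "carol", "host": "wsa02", "sha256": "cc" * 32, "amp_verdict": None, "amp_threat_score": 35, "wbrs": 1.0},
    {"time": "2015-06-01T10:12:00", "user": "dave", "host": "wsa02", "sha256": "dd" * 32, "amp_verdict": "Clean", "amp_threat_score": 0, "wbrs": 6.4},
]
VERDICT_UPDATES = [
    {"sha256": "aa" * 32, "new_verdict": "Malicious", "updated_at": "2015-06-03T08:00:00"},
    {"sha256": "bb" * 32, "new_verdict": "Clean", "updated_at": "2015-06-02T09:00:00"},
    {"sha256": "cc" * 32, "new_verdict": "Malicious", "updated_at": "2015-06-02T14:30:00"},
]

if __name__ == "__main__":
    for hit in retrospective_hits(TRANSACTIONS, VERDICT_UPDATES):
        print(hit["user"], hit["host"], hit["sha256"][:12], hit["seen"], "->", hit["updated"])
```

The hits are the transactions worth following up on the processing host, since their tracking entries still show the original non-malicious result.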
| To View | Do This |
|---|---|
| The full URL for a truncated URL in the list | Note which host Web Security appliance processed the transaction, then check the Accesslog on that appliance. |
| Details for an individual transaction | Click a URL in the Website column. |
| Details for all transactions | Click the Display All Details... link in the Website column heading. |
| A list of up to 500 related transactions | The number of related transactions appears in parentheses below the “Display Details” link in the column heading in the list of search results. Click the Related Transactions link in the Details view for a transaction. |