Using Email Security Monitor
This chapter contains the following sections:
• Email Security Monitor Overview, page 1
• Email Security Monitor Pages, page 2
• Reporting Overview, page 32
• Managing Reports, page 33
• Troubleshooting Email Reports, page 36
Email Security Monitor Overview
The Email Security Monitor feature collects data from every step in the email delivery process. The database
identifies and records each email sender by IP address, while interfacing with the SenderBase Reputation
Service for real-time identity information. You can instantly report on any email sender’s local mail flow
history and show a profile that includes the sender’s global record on the Internet. The Email Security Monitor
feature allows your security team to “close the loop” on who is sending mail to your users, the amount of mail
sent from and received by your users, and the effectiveness of your security policies.
This chapter explains how to:
• Access the Email Security Monitor feature to monitor inbound and outbound message flow.
• Make mail flow policy decisions (update whitelists, blacklists, and greylists) by querying for a sender’s
SenderBase Reputation Score (SBRS). You can query on network owners, domains, and even individual
IP addresses.
• Report on mail flow, system status, and mail sent to and from your network.
For any given email sender for incoming mail, the Email Security Monitor database captures critical parameters
such as:
• Message volume
• Connection history
• Accepted vs. rejected connections
• Acceptance rates and throttle limits
User Guide for AsyncOS 11.1 for Cisco Cloud Email Security
1
• Sender reputation filter matches
• Number of anti-spam messages for suspected spam and positively identified spam
• Number of virus-positive messages detected by anti-virus scanning
See Anti-Spam for more information on Anti-Spam scanning and Anti-Virus for more information on anti-virus
scanning.
The Email Security Monitor feature also captures information on which content filter a particular message
triggers, including the internal user (email recipient) to or from which the message was sent.
The Email Security Monitor feature is available in the GUI only, and provides a view into your email traffic
and the status of your appliance (including quarantines, work queues, and outbreaks). The appliance identifies
when a sender falls outside of the normal traffic profile. Senders that do are highlighted in the interface,
allowing you to take corrective action by assigning that sender to a sender group or refining the access profile
of the sender; or, you can let AsyncOS’s security services continue to react and respond. Outbound mail has
a similar monitoring capability, providing you a view into the top domains in the mail queue and the status
of receiving hosts (see Delivery Status Details Page, on page 15).
Note
Information for messages present in the work queue when the appliance is rebooted is not reported by the
Email Security Monitor feature.
Email Security Monitor and Centralized Management
To view aggregated report data, deploy a Cisco Content Security Management appliance.
You cannot aggregate Email Security Monitor reports of clustered appliances. All reports are restricted to
machine level. This means they cannot be run at the group or cluster levels — only on individual machines.
The same is true of the Archived Reports page — each machine in effect has its own archive. Thus, the
“Generate Report” feature runs on the selected machine.
The Scheduled Reports page is not restricted to machine level; therefore, settings can be shared across multiple
machines. Individual scheduled reports run at machine level just like interactive reports, so if you configure
your scheduled reports at cluster level, every machine in the cluster will send its own report.
The “Preview This Report” button always runs against the login-host.
Email Security Monitor Pages
The Email Security Monitor feature is comprised of all the pages available on the Monitor menu except the
Quarantines pages.
You use these pages in the GUI to monitor domains that are connecting to the appliance’s listeners. You can
monitor, sort, analyze, and classify the “mail flow” of your appliance and differentiate between high-volume
senders of legitimate mail and potential “spammers” (senders of high-volume, unsolicited commercial email)
or virus senders. These pages can also help you troubleshoot inbound connections to the system (including
important information such as SBRS score and most recent sender group match for domains).
These pages help you classify mail relative to the appliance, and also relative to the services that exist beyond
the scope of the gateway, such as the SenderBase Reputation Service, the Anti-Spam scanning service, the
Anti-Virus scanning security services, content filters, and Outbreak Filters.
You can generate a printer-friendly formatted .PDF version of any of the Email Security Monitor pages by
clicking on the Printable PDF link at the top-right of the page. For information about generating PDFs in
languages other than English, see the Notes on Reports, on page 33.
You can export graphs and other data to CSV (comma separated values) format via the Export link.
The exported CSV data will display all message tracking and reporting data in GMT regardless of what is set
on the Email Security appliance. The purpose of the GMT time conversion is to allow data to be used
independently from the appliance or when referencing data from appliances in multiple time zones.
Note
If you export localized CSV data, the headings may not render properly in some browsers. This occurs
because some browsers may not use the correct character set for the localized text. To work around this
problem, you can save the file to disk, and open the file using File > Open. When you open the file, select
the character set to display the localized text.
For more information about automating the export of report data, see Retrieving CSV Data, on page 30.
Searching and Email Security Monitor
Many of the Email Security Monitor pages include a search form. You can search for different types of items:
• IP Address (IPv4 and IPv6)
• domain
• network owner
• internal users
• destination domain
• internal sender domain
• internal sender IP address
• outgoing domain deliver status
For domain, network owner, and internal user searches, choose whether to exactly match the search text or
look for items starting with the entered text (for instance, starts with “ex” will match “example.com”).
For IPv4 address searches, the entered text is always interpreted as the beginning of up to four IP octets in
dotted decimal format. For instance, “17” will search in the range 17.0.0.0 through 17.255.255.255, so it will
match 17.0.0.1 but not 172.0.0.1. For an exact match search, simply enter all four octets. IP address searches
also support CIDR format (17.16.0.0/12).
For IPv6 address searches, AsyncOS supports the following formats:
• 2001:db8:2004:4202::0-2001:db8:2004:4202::ff
• 2001:db8:2004:4202::
• 2001:db8:2004:4202::23
• 2001:db8:2004:4202::/64
All searches are bounded by the time range currently selected on the page.
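The search rules above (IPv4 octet prefixes, CIDR, the four IPv6 forms, and exact versus starts-with text matching) as an added Python example; this is not code from AsyncOS or from this guide, and the sample rows, their field names, and case-insensitive text matching are assumptions of the example:

```python
import ipaddress
from typing import Callable, Optional, Union

# Added example, not code from AsyncOS: a matcher that reproduces the search
# semantics documented for the Email Security Monitor search form, so the rules
# can be checked against exported sender data offline.

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse_ip(text: str) -> Optional[Address]:
    """Return an address object, or None if the text is not an IP address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def ipv4_prefix_range(text: str):
    """Interpret partial dotted-decimal text as the first of up to four octets.

    "17" covers 17.0.0.0 through 17.255.255.255, so 17.0.0.1 matches and
    172.0.0.1 does not; entering all four octets gives an exact match.
    """
    parts = text.strip().rstrip(".").split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 octet prefix: {text!r}")
    low = ".".join(parts + ["0"] * (4 - len(parts)))
    high = ".".join(parts + ["255"] * (4 - len(parts)))
    return ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)


def build_ip_matcher(search_text: str) -> Callable[[str], bool]:
    """Build a predicate for one search string in any documented format:
    IPv4 octet prefix, IPv4 or IPv6 CIDR, an exact IPv6 address, or an
    IPv6 range written as low-high."""
    text = search_text.strip()
    if "/" in text:  # CIDR: 17.16.0.0/12 or 2001:db8:2004:4202::/64
        net = ipaddress.ip_network(text, strict=False)

        def in_network(ip: str) -> bool:
            addr = _parse_ip(ip)
            return addr is not None and addr in net  # False across IP versions
        return in_network
    if "-" in text:  # IPv6 range: 2001:db8:2004:4202::0-2001:db8:2004:4202::ff
        lo_text, hi_text = text.split("-", 1)
        lo, hi = ipaddress.IPv6Address(lo_text.strip()), ipaddress.IPv6Address(hi_text.strip())

        def in_v6_range(ip: str) -> bool:
            addr = _parse_ip(ip)
            return addr is not None and addr.version == 6 and lo <= addr <= hi
        return in_v6_range
    if ":" in text:  # a single IPv6 address: exact match only
        target = ipaddress.IPv6Address(text)
        return lambda ip: _parse_ip(ip) == target
    lo4, hi4 = ipv4_prefix_range(text)  # plain dotted-decimal prefix

    def in_v4_prefix(ip: str) -> bool:
        addr = _parse_ip(ip)
        return addr is not None and addr.version == 4 and lo4 <= addr <= hi4
    return in_v4_prefix


def build_text_matcher(search_text: str, exact: bool) -> Callable[[str], bool]:
    """Domain, network owner and internal user searches: exact match, or
    "starts with" so that "ex" matches "example.com". Case-insensitive
    comparison is an assumption of this example."""
    needle = search_text.strip().lower()
    if exact:
        return lambda value: value.lower() == needle
    return lambda value: value.lower().startswith(needle)


# Constructed sample rows in the shape of an Incoming Mail Details export.
SAMPLE_ROWS = [
    {"ip": "17.0.0.1", "domain": "example.com", "network_owner": "Example Corp"},
    {"ip": "172.0.0.1", "domain": "exchange.example.net", "network_owner": "Other Inc"},
    {"ip": "17.16.5.9", "domain": "example.org", "network_owner": "Example Corp"},
    {"ip": "2001:db8:2004:4202::23", "domain": "v6.example.com", "network_owner": "Example Corp"},
    {"ip": "2001:db8:2004:4203::1", "domain": "v6.example.net", "network_owner": "Other Inc"},
]


def search_ips(rows, search_text: str):
    """IP Address search: return the IPs of the rows the search text matches."""
    match = build_ip_matcher(search_text)
    return [row["ip"] for row in rows if match(row["ip"])]


def search_field(rows, field: str, search_text: str, exact: bool = False):
    """Domain / network owner / internal user search over one text column."""
    match = build_text_matcher(search_text, exact)
    return [row[field] for row in rows if match(row[field])]
```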
Viewing Details of Messages Included in Reports
This functionality works only if reporting and tracking are both local (not centralized on a Cisco Content
Security Management Appliance).
Step 1 Click any blue number in a table on a report page. (Not all tables have these links.) The messages
included in that number are displayed in Message Tracking.
Step 2 Scroll down to see the list.
My Dashboard Page
You can create a custom email security report page by assembling charts (graphs) and tables from existing
report pages.
To add modules to your custom report page:
1 Go to Monitor > Email or Web > Reporting > My Dashboard and delete any sample modules that you do not
need by clicking the [X] in the top right corner of the module.
2 Do one of the following:
• Click the [+] button on a module in a report page under the Monitor menu to add it to your custom report.
• Go to Monitor > Email or Web > Reporting > My Dashboard, click the [+] button in one of the sections,
then select the report module that you want to add. You may need to check the + Report Module in each
section to find the report that you are looking for.
3 Modules are added with default settings. If you add a module that you have customized (for example, by
adding, deleting, or reordering columns), customize these modules again after adding them. The time range
of the original module is not maintained.
4 If you add a chart that includes a separate legend (for example, a graph from the Overview page), add the
legend separately. If necessary, drag and drop it into position beside the data it describes.
Notes:
• Some modules on some report pages are available only using one of the above methods. If you cannot add
a module using one method, try the other method.
• You can add each module only once; if you have already added a particular module to your report, the
option to add it will not be available.
To view your custom report page:
1 Choose Monitor > Email or Web > Reporting > My Dashboard.
2 For reports in the Time Range section: The time range selected for all report pages applies to all modules
on the My Dashboard page. Select the time range to view.
Newly-added modules appear at the top of the relevant section.
To rearrange modules on your custom report page: Drag and drop modules into the desired location.
To delete modules from your custom report page: Click the [X] in the top right corner of the module.
Overview Page
The Overview page provides a synopsis of the message activity of your appliance, including an overview of
your quarantines and Outbreak Filters status (in the System Overview section of the page). The Overview
page also includes graphs and detailed message counts for incoming and outgoing messages. You can use
this page to monitor the flow of all mail into and out of your gateway.
The Overview page highlights how the appliance is integrated with the SenderBase Reputation Service for
incoming mail (messages stopped by reputation filtering, for example). On the Overview page, you can:
• View a mail trend graph of all mail “flowing” into or out of your gateway.
• View a graph showing the number of attempted messages, messages stopped by sender reputation
filtering (SBRS), messages with invalid recipients, messages marked as spam, messages marked as virus
positive, and clean messages, over time.
• View the summary of the system status and local quarantines.
• See current virus and non-virus outbreak information based on information available at the Threat
Operations Center (TOC).
The Overview page is divided into two sections: System Overview and Incoming and Outgoing Mail graphs
and summary.
System Overview
The System Overview section of the Overview page serves as a system dashboard, providing details about
the appliance including system and work queue status, quarantine status, and outbreak activity.
Status
This section provides an overview of the current state of the appliance and inbound mail processing.
System Status: One of the following states:
• Online
• Resource Conservation
• Delivery Suspended
• Receiving Suspended
• Work Queue Paused
• Offline
See the Managing and Monitoring Using the CLI for more information.
Incoming Messages: The average rate of incoming mail per hour.
Work Queue: The number of messages awaiting processing in the work queue.
Click the System Status Details link to navigate to the System Status page.
System Quarantines
This section displays information about the top three quarantines by disk usage on the appliance, including
the name of the quarantine, how full the quarantine is (disk space), and the number of messages currently in
the quarantine.
Click the Local Quarantines link to navigate to the Local Quarantines page.
Virus Threat Level
This section shows the Outbreak status as reported by the Threat Operations Center (TOC). Also shown is
the status of the Outbreak quarantine, including how full it is (disk space) and the number of messages in the
quarantine. The Outbreak quarantine is only displayed if you have enabled the Outbreak Filters feature on
your appliance.
Note
In order for the Threat Level indicator to function, you need to have port 80 open on your firewall to
“downloads.ironport.com.” Alternatively, if you have specified a local update server, the Threat Level
indicator will attempt to use that address. The Threat Level indicator will also update correctly if you have
configured a proxy for downloads via the Service Updates page. For more information, see Service Updates.
Click the Outbreak Details link to view the external Threat Operations Center web site. Note that in order for
this link to work, your appliance must be able to access the Internet. Note that the Separate Window icon
indicates that a link will open in a separate window when clicked. You may need to configure your browser’s
pop-up blocker settings to allow these windows.
Incoming and Outgoing Summary and Graph
The Incoming and Outgoing summary sections provide access to real-time activity of all mail on your system
and are comprised of the Incoming and Outgoing Mail Graphs and Mail Summaries. You can select the time
frame on which to report via the Time Range menu. The time range you select is used throughout all of the
Email Security Monitor pages. The explanations of each type or category of message are below (see
Categorizing Email, on page 7).
While the mail trend graph displays a visual representation of the mail flow, the summary table provides a
numeric breakdown of the same information. The summary table includes the percentage and actual number
of each type of message, including the total number of attempted, threat, and clean messages.
The outgoing graph and summary show similar information for outbound mail.
Notes on Counting Messages in Email Security Monitor
The method Email Security Monitor uses to count incoming mail depends on the number of recipients per
message. For example, an incoming message from example.com sent to three recipients would count as three
messages coming from that sender.
Because messages blocked by sender reputation filtering do not actually enter the work queue, the appliance
does not have access to the list of recipients for an incoming message. In this case, a multiplier is used to
estimate the number of recipients. This multiplier was determined by Cisco and based upon research of a large
sampling of existing customer data.
Categorizing Email
Messages reported in the Overview and Incoming Mail pages are categorized as follows:
• Stopped by Reputation Filtering: All connections blocked by HAT policies multiplied by a fixed
multiplier (see Notes on Counting Messages in Email Security Monitor, on page 7) plus all recipients
blocked by recipient throttling.
• Invalid Recipients: All recipients rejected by conversational LDAP rejection plus all RAT rejections.
• Spam Messages Detected: The total count of messages detected by the anti-spam scanning engine as
positive or suspect and also those that were both spam and virus positive.
• Virus Messages Detected: The total count and percentage of messages detected as virus positive and
not also spam.
Note
If you have configured your anti-virus settings to deliver unscannable or encrypted
messages, these messages will be counted as clean messages and not virus positive.
Otherwise, the messages are counted as virus positive.
• Detected by Advanced Malware Protection: A message attachment was found to be malicious by file
reputation filtering. This value does not include verdict updates or files found to be malicious by file
analysis.
• Messages with Malicious URLs: One or more URLs in the message were found to be malicious by
URL filtering.
• Stopped by Content Filter: The total count of messages that were stopped by a content filter.
• Stopped by DMARC: The total count of messages that were stopped after DMARC verification.
• S/MIME Verification/Decryption Failed: The total count of messages that failed S/MIME verification,
decryption, or both.
• S/MIME Verification/Decryption Successful: The total count of messages that were successfully
verified, decrypted, or decrypted and verified using S/MIME.
• Clean Messages: Mail that is accepted and is deemed to be virus and spam free — the most accurate
representation of clean messages accepted when taking per-recipient scanning actions (such as splintered
messages being processed by separate mail policies) into account. However, because messages that are
marked as spam or virus positive and still delivered are not counted, the actual number of messages
delivered may differ from the clean message count.
• Graymail Messages
◦ Marketing Messages: The total count of advertising messages sent by professional marketing
groups, for example Amazon.com.
◦ Social Networking Messages: The total count of notification messages from social networks,
dating websites, forums, and so on. Examples include LinkedIn and CNET forums.
◦ Bulk Messages: The total count of advertising messages sent by unrecognized marketing groups,
for example, TechTarget, a technology media company.
Click on the number corresponding to any of the above mentioned graymail categories to view a list of
messages belonging to that category using Message Tracking.
Note
Messages that match a message filter and are not dropped or bounced by the filter are
treated as clean. Messages dropped or bounced by a message filter are not counted in
the totals.
How Messages are Categorized
As messages proceed through the email pipeline, they can apply to multiple categories. For example, a message
can be marked as spam, virus, or malware positive, and it can also match a content filter. The various verdicts
follow these rules of precedence: Outbreak Filters quarantining (in this case the message is not counted until
it is released from the quarantine and again processed through the work queue), followed by spam positive,
virus positive, malware positive, and matching a content filter.
For example, if a message is marked as spam positive, and the anti-spam settings are set to drop spam positive
messages, the message is dropped and the spam counter is incremented. Further, if the anti-spam settings are
set to let the spam positive message continue on in the pipeline, and a subsequent content filter drops, bounces,
or quarantines the message, the spam count is still incremented. The content filter count is only incremented
if the message is not spam, virus, or malware positive.
Incoming Mail Page
The Incoming Mail page provides a mechanism to report on the real-time information being collected by the
Email Security Monitor feature for all remote hosts connecting to your appliance. This allows you to gather
more information about an IP address, domain, and organization (network owner) sending mail to you. You
can perform a Sender Profile search on IP addresses, domains, or organizations that have sent mail to you.
The Incoming Mail page has three views: Domain, IP Address, and Network Owner and provides a snapshot
of the remote hosts connecting to the system in the context of the selected view.
It displays a table (Incoming Mail Details) of the top domains (or IP addresses, or network owners, depending
on the view) that have sent mail to all public listeners configured on the appliance. You can monitor the flow
of all mail into your gateway. You can click on any domain/IP/network owner to drill down to access details
about this sender on a Sender Profile page (this is an Incoming Mail page, specific to the domain/IP/network
owner you clicked on).
Not all available columns are displayed by default. You can show a different set of information by clicking
the Columns link below the table. For example, you can show the "Detected by Advanced Malware Protection"
column, which is hidden by default.
The Incoming Mail page extends to include a group of pages (Incoming Mail, Sender Profiles, and the Sender
Group Report). From the Incoming Mail pages, you can:
• Perform a search on IP addresses, domains, or organizations (network owners) that have sent mail to
you.
• View the Sender Groups report to see connections via a specific sender group and mail flow policy
actions. See Sender Groups Report, on page 13 for more information.
• See detailed statistics on senders which have sent mail to you, including the number of attempted messages
broken down by security service (sender reputation filtering, anti-spam, anti-virus, graymail, and so on).
• Sort by senders who have sent you a high volume of spam or virus email, as determined by anti-spam
or anti-virus security services.
• Use the SenderBase Reputation service to drill down on and examine the relationship between specific
IP addresses, domains, and organizations to obtain more information about a sender.
• Drill down on specific senders to obtain more information about a sender from the SenderBase Reputation
Service, including a sender’s SenderBase Reputation Score and which sender group the domain matched
most recently. Add senders to sender groups.
• Drill down on a specific sender who sent a high volume of spam or virus email, as determined by the
anti-spam or anti-virus security services.
• Once you have gathered information on a domain, you can add the IP address, domain, or organization
to an existing sender group (if necessary) by clicking “Add to Sender Group” from a domain, IP address,
or network owner profile page. See Configuring the Gateway to Receive Email.
Incoming Mail
The Incoming Mail page provides access to real-time activity of all public listeners configured on your system
and is comprised of two main sections: the mail trend graphs summarizing the top sender domains received
(by total threat messages, total clean messages, and total graymail messages) and the Incoming Mail Details
listing.
See Incoming Mail Details Listing, on page 10 for an explanation of the data included in the Incoming Mail
Details listing.
Notes on Time Ranges in the Mail Trend Graph
The Email Security Monitor feature constantly records data about the mail flowing into your gateway. The
data are updated every 60 seconds, but the display shown is delayed by 120 seconds behind the current system
time. You can specify the time range to include in the results shown. Because the data is monitored in real
time, information is periodically updated and summarized in the database.
Choose from the time range options in the following table.
Table 1: Time Ranges Available in the Email Security Monitor Feature
This time range selected in the GUI ...is defined as:
Hour: the last 60 minutes + up to 5 minutes
Day: the last 24 hours + the last 60 minutes
Week: the last 7 days + the elapsed hours of the current day
30 days: the last 30 days + the elapsed hours of the current day
90 days: the last 90 days + the elapsed hours of the current day
Yesterday: 00:00 to 23:59 (midnight to 11:59 PM)
Previous Calendar Month: 00:00 of the first day of the month to 23:59 of the last day of the month
Custom Range: the range enclosed by the start date and hour and the end date and hour that you specify
The time range options that you see will differ if you have enabled Centralized Reporting. For details, see
information about Centralized Reporting Mode in Centralizing Services on a Cisco Content (M-Series) Security
Management Appliance.
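To cut scheduled report pulls or CSV exports (which are in GMT) to the same boundaries the GUI uses, the following added example, which is not code from AsyncOS or from this guide, turns a Table 1 selection into a start/end window; how the "+ ..." wording maps onto summarization boundaries, the hour truncation for Custom Range, and the sample rows are assumptions of the example:

```python
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Added example, not AsyncOS code: computes the (start, end) window for each
# Time Range menu selection in Table 1 and applies it to exported report rows.
# The reading of the "+ ..." wording is an assumption of this example: each
# fixed-length range is extended back to the boundary the data is summarized
# on (5-minute mark for Hour, top of the hour for Day, midnight for the rest).
# Timestamps are treated as GMT, which is what the CSV export uses.

FIXED_DAYS = {"Week": 7, "30 days": 30, "90 days": 90}


def time_range_window(selection: str, now: datetime,
                      start: Optional[datetime] = None,
                      end: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """Return (start, end) for a GUI time range selection relative to `now`."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if selection == "Hour":
        # the last 60 minutes + up to 5 minutes: back to the previous 5-minute mark
        mark = now.replace(minute=now.minute - now.minute % 5, second=0, microsecond=0)
        return mark - timedelta(minutes=60), now
    if selection == "Day":
        # the last 24 hours + the last 60 minutes: back to the top of the current hour
        top_of_hour = now.replace(minute=0, second=0, microsecond=0)
        return top_of_hour - timedelta(hours=24), now
    if selection in FIXED_DAYS:
        # the last N days + the elapsed hours of the current day
        return midnight - timedelta(days=FIXED_DAYS[selection]), now
    if selection == "Yesterday":
        yesterday = midnight - timedelta(days=1)
        return yesterday, yesterday.replace(hour=23, minute=59)
    if selection == "Previous Calendar Month":
        last_of_prev = midnight.replace(day=1) - timedelta(days=1)
        return last_of_prev.replace(day=1), last_of_prev.replace(hour=23, minute=59)
    if selection == "Custom Range":
        if start is None or end is None:
            raise ValueError("Custom Range needs a start and an end")
        # the range is enclosed by the start date and hour and the end date and hour
        return (start.replace(minute=0, second=0, microsecond=0),
                end.replace(minute=0, second=0, microsecond=0))
    raise ValueError(f"unknown time range: {selection!r}")


# Constructed "now" and rows in the shape of an exported CSV (timestamps in GMT).
SAMPLE_NOW = datetime(2018, 3, 15, 14, 37)
SAMPLE_ROWS = [
    {"timestamp": "2018-03-15 14:20", "domain": "example.com", "clean": 12},
    {"timestamp": "2018-03-15 13:10", "domain": "example.com", "clean": 9},
    {"timestamp": "2018-03-14 16:00", "domain": "example.net", "clean": 4},
    {"timestamp": "2018-02-27 09:00", "domain": "example.org", "clean": 1},
]


def rows_in_window(rows, selection: str, now: datetime, **custom):
    """Keep the rows whose GMT timestamp falls inside the selected time range."""
    start, end = time_range_window(selection, now, **custom)
    kept = []
    for row in rows:
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M")
        if start <= ts <= end:
            kept.append(row)
    return kept
```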
Incoming Mail Details Listing
The top senders which have connected to public listeners of the appliance are listed in the External Domains
Received listing table at the bottom of the Incoming Mail page, based on the view selected. Click the column
headings to sort the data. See Categorizing Email, on page 7 for an explanation of the various categories.
The system acquires and verifies the validity of the remote host’s IP address (that is, the domain) by performing
a double DNS lookup. For more information about double DNS lookups and sender verification, see Configuring
the Gateway to Receive Email.
The Sender Detail listing has two views, Summary and All.
The default Sender Detail view shows the total number of attempted messages for each sender, and includes
a breakdown by category (the same categories as the Incoming Mail Summary graph on the Overview page).
The value for Stopped by Reputation Filtering is calculated based on several factors:
• Number of “throttled” messages from this sender.
• Number of rejected or TCP refused connections (may be a partial count).
• A conservative multiplier for the number of messages per connection.
When the appliance is under heavy load, an exact count of rejected connections is not maintained on a per-sender
basis. Instead, rejected connections counts are maintained only for the most significant senders in each time
interval. In this situation, the value shown can be interpreted as a “floor”; in other words, at least this many
messages were stopped.
Note
The Stopped by Reputation Filtering total on the Overview page is always based on a complete count of
all rejected connections. Only the per-sender connection counts are ever limited due to load.
Additional columns that you can display are:
Connections Rejected: All connections blocked by HAT policies. When the appliance is under heavy load,
an exact count of rejected connections is not maintained on a per-sender basis. Instead, rejected connections
counts are maintained only for the most significant senders in each time interval.
Connections Accepted: All connections accepted.
Stopped by Recipient Throttling: This is a component of Stopped by Reputation Filtering. It represents the
number of recipient messages stopped because any of the following HAT limits have been exceeded: maximum
recipients per hour, maximum recipients per message, or maximum messages per connection. This is summed
with an estimate of the recipient messages associated with rejected or TCP refused connections to yield Stopped
by Reputation Filtering.
Detected by Advanced Malware Protection: Messages with attachments that were found to be malicious
by file reputation filtering. This value does not include verdict updates or files found to be malicious by file
analysis.
Total Threat: Total number of threat messages (stopped by sender reputation, stopped as invalid recipient,
spam, plus virus).
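The following added example (not AsyncOS code, and not from this guide) applies the precedence rules from "How Messages are Categorized" together with the Stopped by Reputation Filtering, Stopped by Recipient Throttling and Total Threat definitions above to constructed message and connection records; the multiplier value, the record fields, the handling of unscannable messages that are configured for delivery, and the attempted-message total are assumptions of the example:

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Added example, not AsyncOS code: the verdict precedence from "How Messages are
# Categorized" plus the per-sender column definitions, over constructed records.

# The fixed multiplier AsyncOS applies to reputation-blocked connections is not
# published on this page; this value is a placeholder for the example.
RECIPIENTS_PER_REJECTED_CONNECTION = 2


@dataclass
class Message:
    sender: str
    recipients: int = 1                          # every recipient counts as one message
    outbreak_quarantined: bool = False           # not counted until released and re-scanned
    spam: Optional[str] = None                   # None, "positive" or "suspect"
    virus_positive: bool = False
    unscannable: bool = False                    # unscannable or encrypted for anti-virus
    malware_positive: bool = False               # file reputation verdict
    content_filter_stop: bool = False            # stopped by a content filter
    message_filter_action: Optional[str] = None  # None, "drop" or "bounce"


@dataclass
class SenderConnections:
    connections_rejected: int = 0   # HAT rejections / TCP refused (a floor under heavy load)
    connections_accepted: int = 0
    throttled_recipients: int = 0   # recipients stopped by HAT limits
    invalid_recipients: int = 0     # conversational LDAP rejections plus RAT rejections


def categorize(msg: Message, deliver_unscannable: bool) -> Optional[str]:
    """Return the one category a message is counted under, or None if it is not counted."""
    if msg.message_filter_action in ("drop", "bounce"):
        return None             # dropped/bounced by a message filter: not in the totals
    if msg.outbreak_quarantined:
        return None             # counted only after release and another pass through the work queue
    if msg.spam in ("positive", "suspect"):
        return "spam"           # spam wins even if also virus positive or filter-matched
    # Assumption: with anti-virus set to deliver unscannable messages, such a
    # message falls through to the later checks (clean if none applies);
    # otherwise it counts as virus positive.
    if msg.virus_positive or (msg.unscannable and not deliver_unscannable):
        return "virus"
    if msg.malware_positive:
        return "malware"
    if msg.content_filter_stop:
        return "content_filter"  # only reached when not spam, virus or malware positive
    return "clean"               # includes message-filter matches that were not dropped/bounced


def sender_table(messages: Iterable[Message], connections: Dict[str, SenderConnections],
                 deliver_unscannable: bool = False,
                 multiplier: int = RECIPIENTS_PER_REJECTED_CONNECTION) -> Dict[str, Dict[str, int]]:
    """Build the per-sender columns of the Incoming Mail Details listing."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for msg in messages:
        category = categorize(msg, deliver_unscannable)
        if category is not None:
            counts[msg.sender][category] += msg.recipients  # per-recipient counting
    table = {}
    for sender in sorted(set(counts) | set(connections)):
        conn = connections.get(sender, SenderConnections())
        c = counts[sender]
        # throttled recipients plus an estimate for rejected / TCP refused connections
        reputation = conn.throttled_recipients + conn.connections_rejected * multiplier
        row = {
            "connections_rejected": conn.connections_rejected,
            "connections_accepted": conn.connections_accepted,
            "stopped_by_recipient_throttling": conn.throttled_recipients,
            "stopped_by_reputation_filtering": reputation,
            "invalid_recipients": conn.invalid_recipients,
            "spam_detected": c["spam"],
            "virus_detected": c["virus"],
            "detected_by_amp": c["malware"],
            "stopped_by_content_filter": c["content_filter"],
            "clean": c["clean"],
        }
        row["total_threat"] = reputation + conn.invalid_recipients + c["spam"] + c["virus"]
        # Assumption: attempted = threat + the remaining category columns (throttling
        # is already inside Stopped by Reputation Filtering and is not re-added).
        row["total_attempted"] = row["total_threat"] + c["malware"] + c["content_filter"] + c["clean"]
        table[sender] = row
    return table


# Constructed sample input (not real traffic).
SAMPLE_MESSAGES = [
    Message("example.com", recipients=3),                                     # clean x3
    Message("example.com", spam="positive", content_filter_stop=True),        # spam, not content filter
    Message("example.com", spam="suspect", virus_positive=True),              # spam outranks virus
    Message("example.com", unscannable=True),                                 # virus or clean per setting
    Message("example.com", spam="positive", message_filter_action="drop"),    # not counted
    Message("bulk.example.net", recipients=2, malware_positive=True, content_filter_stop=True),  # malware x2
    Message("bulk.example.net", outbreak_quarantined=True),                   # not counted yet
    Message("bulk.example.net", content_filter_stop=True),                    # content filter
]
SAMPLE_CONNECTIONS = {
    "example.com": SenderConnections(connections_accepted=4),
    "bulk.example.net": SenderConnections(connections_rejected=5, connections_accepted=2,
                                          throttled_recipients=7, invalid_recipients=1),
}
```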
Show or hide columns by clicking the Column link at the bottom of the table.
Sort the listing by clicking the column header links. A small triangle beside the column header indicates the
column by which the data is currently sorted.
“No Domain Information”
Domains which have connected to the appliance and could not be verified with a double-DNS lookup are
automatically grouped into the special domain “No Domain Information.” You can control how these types
of unverified hosts are managed via Sender Verification. See Configuring the Gateway to Receive Email.
You can select the number of senders to show in the listing via the Items Displayed menu.
Querying for More Information
For senders listed in the Email Security Monitor table, click the sender (or “No Domain Information” link) to
drill down for more information on the particular sender. The results are displayed on a Sender Profile page
which includes real-time information from the SenderBase Reputation Service. From the Sender Profile page,
you can drill down for more information on specific IP addresses or network owners (see Reporting Pages
Populated with Data: Sender Profile Pages, on page 11).
You can also view another report, the Sender Groups report, by clicking the Sender Groups report link at the
bottom of the Incoming Mail page. For more information about Sender Groups reports, see Sender Groups
Report, on page 13.
Reporting Pages Populated with Data: Sender Profile Pages
If you clicked a sender in the Incoming Mail Details table on an Incoming Mail page, the resulting Sender
Profile page is listed with data for the particular IP address, domain, or organization (network owner). Sender
Profile pages show detailed information for the sender. You can access a Sender Profile page for any network
owner, domain, or IP address by clicking on the specified item in the Incoming Mail or other Sender Profile
pages. Network owners are entities that contain domains; domains are entities that contain IP addresses. For
more information on this relationship and how it relates to the SenderBase Reputation Service, see Configuring
the Gateway to Receive Email.
The Sender Profile pages displayed for IP addresses, network owners, and domains vary slightly. For each,
the page contains a graph and summary table for incoming mail from this sender. Below the graph is a table
listing domains or IP addresses associated with the sender (the Sender Profile page for individual IP addresses
does not contain the detailed listing) and an information section with the current SenderBase, sender group,
and network information for the sender.
• Network Owner profile pages contain information for the network owner, as well as the domains and
IP addresses associated with that network owner.
• Domain profile pages contain information for the domains and IP addresses associated with that domain.
• IP address profile pages contain information about the IP address only.
Each sender profile page contains the following data in the Current Information table at the bottom of
the page:
• The Global information from the SenderBase Reputation Service, including:
◦ IP Address, Domain Name, and/or Network Owner
◦ Network Owner Category (Network Owner Only)
◦ CIDR Range (IP addresses only)
◦ Daily Magnitude and Monthly Magnitude for the IP address, Domain, and/or Network Owner
◦ Days since the first message was received from this sender
◦ Last sender group and whether DNS verified (IP Address sender profile page only)
Daily magnitude is a measure of how many messages a domain has sent over the last 24 hours. Similar
to the Richter scale used to measure earthquakes, SenderBase magnitude is a measure of message volume
calculated using a log scale with a base of 10. The maximum theoretical value of the scale is set to 10,
which equates to 100% of the world's email message volume (approximately 10 billion messages/day).
Using the log scale, a one-point increase in magnitude equates to a 10x increase in actual volume.
Monthly magnitude is calculated using the same approach as daily magnitude, except the percentages
are calculated based on the volume of email sent over the last 30 days.
◦ Average Magnitude (IP addresses only)
◦ Lifetime Volume / 30 Day Volume (IP address profile pages only)
◦ Bonded Sender Status (IP address profile pages only)
◦ SenderBase Reputation Score (IP address profile pages only)
◦ Days Since First Message (network owner and domain profile pages only)
◦ Number of Domains Associated with this Network Owner (network owner and domain profile
pages only)
◦ Number of IP Addresses in this Network Owner (network owner and domain profile pages only)
◦ Number of IP Addresses used to Send Email (network owner pages only)
Click the “More from SenderBase” link to see a page with all information supplied by the SenderBase
Reputation Service.
• The Mail Flow Statistics information, with Email Security Monitor information collected about the
sender over the time range that you specify.
• Details about the domains and IP addresses controlled by this network owner are displayed on network
owner profile pages. Details about the IP addresses in the domain are displayed on domain pages.
From a domain profile page, you can drill down to a specific IP address, or drill up to view an organization
profile page. You can also display the DNS Verified status, SBRS (SenderBase Reputation Score), and
Last Sender Group for each sender address in the IP Addresses table by clicking the Columns link at
the bottom of that table. You can also hide any columns in that table.
From a network owner profile page, you can display information such as Connections Rejected,
Connections Accepted, Stopped by Recipient Throttling, and Detected by Advanced Malware Protection
for each domain in the Domains table by clicking the Columns link at the bottom of that table. You can
also hide any columns in that table.
If you are an administrator of the system, on each of these pages, you can choose to add the network
owner, domain, or IP address to a sender group by clicking the check box for the entity (if necessary)
and then clicking Add to Sender Group.
You can also add a sender to a sender group by clicking the Add to Sender Group link below the Sender
Group Information in the Current Information table for the sender and clicking Add to Sender Group.
For more information about adding senders to sender groups, see Configuring the Gateway to Receive
Email. Of course, you do not have to make any changes — you can let the security services handle
incoming mail.
Sender Profile Search
Type an IP address, a domain, or an organization name in the Quick Search box to search for a specific sender.
A Sender Profile page is displayed with the information for that sender. See Reporting Pages Populated with Data:
Sender Profile Pages, on page 11.
Sender Groups Report
The Sender Groups report provides a summary of connections by sender group and mail flow policy action,
allowing you to review SMTP connection and mail flow policy trends. The Mail Flow by Sender Group listing
shows the percentage and number of connections for each sender group. The Connections by Mail Flow Policy
Action chart shows the percentage of connections for each mail flow policy action. This page provides an
overview of the effectiveness of your Host Access Table (HAT) policies. For more information about the
HAT, see Configuring the Gateway to Receive Email.
Outgoing Destinations
The Outgoing Destinations page provides information about the domains your company sends mail to. The
page consists of two sections. The top half of the page consists of graphs depicting the top destinations by
outgoing threat messages and the top destinations by outgoing clean messages. The bottom half of the page
displays a chart showing all the columns sorted by total recipients (default setting).
You can select a time range on which to report, such as an hour, a week, or a custom range. As with all reports,
you can export the data for the graphs or the details listing to CSV format via the Export link.
The Outgoing Destinations page can be used to answer the following types of questions:
• What domains is the appliance sending mail to?
• How much mail is sent to each domain?
• How much of that mail is clean, spam-positive, virus-positive, malware or stopped by a content filter?
• How many messages are delivered and how many messages are hard-bounced by the destination server?
Outgoing Senders
The Outgoing Senders page provides information about the quantity and type of mail being sent from IP
addresses and domains in your network. You can view the results by domain or IP address when you view
this page. You might want to view the results by domain if you want to see what volume of mail is being sent
by each domain, or you might want to view the results by IP address if you want to see which IP addresses are
sending the most virus messages or triggering content filters.
The page consists of two sections. The top half of the page contains two graphs: on the left, a graph depicting
the top senders by total threat messages, and on the right, a graph displaying the top senders by clean messages.
Total threat messages include messages that are spam-positive, virus-positive, malware, or that triggered a
content filter. The bottom half of the page displays a chart showing all the columns sorted by total messages
(default setting).
Note
This page does not display information about message delivery. Delivery information, such as how many
messages from a particular domain were bounced, can be tracked using the Delivery Status page.
You can select a time range on which to report, such as an hour, a week, or a custom range. As with all reports,
you can export the data for the graphs or the details listing to CSV format via the Export link.
The Outgoing Senders page can be used to answer the following types of questions:
• Which IP addresses are sending the most virus-positive, spam-positive or malware email?
• Which IP addresses trigger content filters the most frequently?
• Which domains are sending the most mail?
Geo Distribution Page
You can use the Geo Distribution report page to view:
• Top incoming mail connections based on country of origin in graphical format.
• Total incoming mail connections based on country of origin in tabular format.
You can click on the number of incoming mail connections of a specific geolocation to view the related
messages in Message Tracking.
The "Total Messages" column only displays those messages that are accepted at the SMTP connection level.
Note
During report generation:
• If one or more incoming mail connections are detected as coming from a private IP address, the incoming
mail connections are categorized as “Private IP Addresses” in the report.
• If one or more incoming mail connections are detected as not having a valid SBRS score, the incoming
mail connections are categorized as “No Country Info” in the report.
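The following Python script is an added example; it is not part of this guide or of AsyncOS. It applies the two categorization rules above to a constructed set of incoming connection records and produces the per-country counts the Geo Distribution table shows. The address ranges treated as private, and the precedence of the private-IP rule over the missing-score rule, are assumptions; the SBRS values and country codes are constructed sample data.

```python
import ipaddress
from collections import Counter

PRIVATE_BUCKET = "Private IP Addresses"
NO_COUNTRY_BUCKET = "No Country Info"

# Ranges treated as private here. Assumption: RFC 1918, loopback, link-local and
# IPv6 ULA/loopback; the guide does not spell out the exact list. An explicit list
# is used instead of ipaddress's is_private because the stdlib also flags the
# RFC 5737 documentation ranges (used below as "public" sample sources) as private.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128",
)]

# Constructed sample of incoming SMTP connections, not appliance output:
# (source IP, SBRS score or None when no valid score was returned, country code or None)
SAMPLE_CONNECTIONS = [
    ("192.0.2.10", 3.1, "US"),
    ("192.0.2.11", -4.2, "US"),
    ("198.51.100.7", 1.0, "DE"),
    ("10.0.0.5", None, None),          # internal relay, RFC 1918 source
    ("172.16.8.9", 2.0, "US"),         # private source even though a score exists
    ("fd12:3456::1", 0.5, "JP"),       # IPv6 unique local address
    ("203.0.113.4", None, None),       # public source, no SBRS score
    ("203.0.113.9", None, "FR"),       # country known, but no valid score
]


def is_private(ip):
    """True when the address falls in one of the ranges listed above (any IP version)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETWORKS)


def categorize(ip, sbrs, country):
    """Map one connection to a Geo Distribution row.

    Assumption: the private-IP rule is checked before the missing-score rule, so a
    private source is never reported under "No Country Info".
    """
    if is_private(ip):
        return PRIVATE_BUCKET
    if sbrs is None:
        return NO_COUNTRY_BUCKET
    return country


def geo_distribution(connections):
    """Count incoming connections per country or special bucket."""
    return dict(Counter(categorize(ip, sbrs, cc) for ip, sbrs, cc in connections))


if __name__ == "__main__":
    rows = geo_distribution(SAMPLE_CONNECTIONS)
    for bucket, n in sorted(rows.items(), key=lambda kv: -kv[1]):
        print(f"{bucket:<22} {n}")
```

Connections from private sources are bucketed first, so an internal relay with a valid score still lands under “Private IP Addresses”; a public source with a known country but no valid score lands under “No Country Info”, which is why that bucket can contain more entries than a pure geolocation lookup would suggest.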
Delivery Status Page
If you suspect delivery problems to a specific recipient domain or if you want to gather information on a
Virtual Gateway address, the Monitor > Delivery Status Page provides monitoring information about email
operations relating to a specific recipient domain.
The Delivery Status Page displays the same information as the tophosts command within the CLI. (For more
information, see “Determining the Make-up of the Email Queue” in Managing and Monitoring Using the CLI)
This page displays a list of the top 20, 50, or 100 recipient domains for messages delivered by the system
within the last three hours. You can sort by latest host status, active recipients (the default), connections out,
delivered recipients, soft bounced events, and hard bounced recipients by clicking the links in the column
heading for each statistic.
• To search for a specific domain, type the name of the domain in the Domain Name: field and click
Search.
• To drill down on a domain shown, click the domain name link.
The results are shown on the Delivery Status Details page.
Note
Any activity for a recipient domain results in that domain being “active” and thus present in the overview
page. For example, if mail remains in the outbound queue due to delivery problems, that recipient domain
continues to be listed in the outgoing mail overview.
Retrying Delivery
Messages that are scheduled for later delivery can be immediately retried by clicking Retry All Delivery.
Retry All Delivery allows you to reschedule messages in the queue for immediate delivery. All domains that
are marked as “down” and any scheduled or soft bounced messages are queued for immediate delivery.
To retry delivery to a specific destination domain, click the domain name link. On the Delivery Status Details
page, click Retry Delivery.
You can also use the delivernow command in the CLI to reschedule messages for immediate delivery. For
more information, see Scheduling Email for Immediate Delivery.
Delivery Status Details Page
Use the Delivery Status Details Page to look up statistics on a specific recipient domain. This page displays
the same information as the hoststatus command within the CLI: Mail Status, Counters and Gauges. (For
more information, see Managing and Monitoring Using the CLI) To search for a specific domain, type the
name of the domain in the Domain Name: field and click Search. Virtual Gateway address information appears
if you are using the altsrchost feature.
Internal Users Page
The Internal Users page provides information about the mail sent and received by your internal users, per
email address (a single user may have multiple email addresses listed — the email addresses are not combined
in the report).
The page consists of two sections:
• Graphs depicting the top users by clean incoming and outgoing messages and top users receiving graymail.
• User mail flow details
You can select a time range on which to report (hour, day, week, or month). As with all reports, you can export
the data for the graphs or the details listing to CSV format via the Export link. You can also display hidden
table columns or hide default columns by clicking the Columns link below the table.
The User Mail Flow Details listing breaks down the mail received and sent by each email address into clean,
spam (incoming only), virus, malware, content filter matches, and graymail (incoming only). You can sort
the listing by clicking on the column headers.
Using the Internal Users report, you can answer these kinds of questions:
• Who is sending the most external email?
• Who receives the most clean email?
• Who receives the most graymail messages?
• Who receives the most spam?
• Who is triggering which content filters?
• Whose email is getting caught by content filters?
Inbound Internal Users are the users for which you received email, based on the Rcpt To: address. Outbound
Internal Users are based on the Mail From: address and are useful when tracking the types of email that senders
on your internal network are sending.
Note that some outbound mail (like bounces) has a null sender. Such messages are counted under outbound and
“unknown.”
Click on an internal user to view the Internal User detail page for that user.
Click the Columns link below the table to show columns that are hidden by default, such as the Incoming
Detected by Advanced Malware Protection column or Outgoing Detected by Advanced Malware Protection
column.
Internal User Details
The Internal User detail page shows detailed information about the specified user, including a breakdown of
incoming and outgoing messages showing the number of messages in each category (spam detected, virus
detected, detected by Advanced Malware Protection, stopped by content filter, graymail detected, and clean).
Optionally, for incoming messages, you can click the Columns link below the table to show the Incoming
Detected by Advanced Malware Protection column. This value reflects the number of messages that contained
attachments that were determined by file reputation filtering to be malicious. It does not include verdict updates
or files found to be malicious by file analysis. Incoming and outgoing content filter and DLP policy matches
are also shown.
Click on a content filter name to view detailed information for that filter in the corresponding content filter
information page (see Content Filters Page, on page 18). You can use this method to get a list of users who
also sent or received mail that matched that particular content filter.
Searching for a Specific Internal User
You can search for a specific internal user (email address) via the search form at the bottom of the Internal
Users page and the Internal User detail page. Choose whether to exactly match the search text or look for
items starting with the entered text (for instance, starts with “ex” will match “example.com”).
DLP Incidents Page
The DLP Incidents page shows information on the incidents of data loss prevention (DLP) policy violations
occurring in outgoing mail. The appliance uses the DLP email policies enabled in the Outgoing Mail Policies
table to detect sensitive data sent by your users. Every occurrence of an outgoing message violating a DLP
policy is reported as an incident.
Using the DLP Incidents report, you can answer these kinds of questions:
• What type of sensitive data is being sent by your users?
• How severe are these DLP incidents?
• How many of these messages are being delivered?
• How many of these messages are being dropped?
• Who is sending these messages?
The DLP Incidents page is comprised of two main sections:
• the DLP incident trend graphs summarizing the top DLP incidents by severity (Low, Medium, High,
Critical) and policy matches, and
• the DLP Incidents Details listing.
You can select a time range on which to report, such as an hour, a week, or a custom range. As with all reports,
you can export the data for the graphs or the details listing to CSV format via the Export link or PDF format
by clicking the Printable (PDF) link. For information about generating PDFs in languages other than English,
see the Notes on Reports, on page 33.
Click on the name of a DLP policy to view detailed information on the DLP incidents detected by the policy.
You can use this method to get a list of users who sent mail that contained sensitive data detected by the
policy.
DLP Incidents Details
The DLP policies currently enabled in the appliance’s outgoing mail policies are listed in the DLP Incidents
Details table at the bottom of the DLP Incidents page. Click on the name of a DLP policy to view more detailed
information.
The DLP Incidents Details table shows the total number of DLP incidents per policy, with a breakdown by
severity level. The severity level also includes the number of bounced messages and the number of messages
delivered in the clear, delivered encrypted, or dropped. Click on the column headings to sort the data.
DLP Policy Detail Page
If you clicked the name of a DLP policy in the DLP Incidents Details table, the resulting DLP Policy Detail
page displays the DLP incidents data for the policy. The page displays graphs on the DLP incidents based on
severity.
The page also includes an Incidents by Sender listing at the bottom of the page that lists each internal user
who has sent a message that violated the DLP policy. The listing also shows the total number of DLP incidents
for this policy per user, with a breakdown by severity level, and whether any of the messages were delivered
in the clear, delivered encrypted, or dropped. You can use the Incidents by Sender listing to find out which
users may be sending your organization’s sensitive data to people outside your network.
Clicking on the sender name opens up the Internal Users page. See Internal Users Page, on page 15 for more
information.
Content Filters Page
The Content Filters page shows information about the top incoming and outgoing content filter matches (which
content filter had the most matching messages) in two forms: a bar chart and a listing. Using the Content
Filters page, you can review your corporate policies on a per-content filter or per-user basis and answer
questions like:
• Which content filter is being triggered the most by incoming or outgoing mail?
• Who are the top users sending or receiving mail that is triggering a particular content filter?
You can click the name of the content filter in the listing to view more information about that filter on the
Content Filter detail page.
Content Filter Details
The Content Filter detail page displays matches for that filter over time, as well as matches by internal user.
In the Matches by Internal User section, you can click the name of a user to view that internal user’s (email
address) Internal User details page (see Internal User Details, on page 16).
DMARC Verification Page
The DMARC Verification page shows the top domains that failed DMARC verification and the details of
actions AsyncOS performed on the messages that failed DMARC verification. You can use this report to
fine-tune your DMARC settings and answer these kinds of questions:
• Which domains sent the most messages that are not DMARC compliant?
• For each domain, what are the actions AsyncOS performed on the messages that failed DMARC
verification?
The DMARC Verification page contains:
• A bar chart showing top domains by DMARC verification failures.
• Tabular representation of the following, for each domain:
◦Number of messages that were rejected, quarantined, or accepted without taking any action. Click
on the number to view a list of messages under the selected category.
◦Number of messages that passed DMARC verification.
◦Total number of DMARC verification attempts.
You can select a time range on which to report, such as an hour, a week, or a custom range. As with all reports,
you can export the data for the graphs or the details listing to CSV format via the Export link or PDF format
by clicking the Printable (PDF) link.
Macro Detection Page
You can use the Macro Detection report page to view:
• Top Incoming Macro-Enabled Attachments by File Type in graphical and tabular format.
• Top Outgoing Macro-Enabled Attachments by File Type in graphical and tabular format.
You can click on the number of macro-enabled attachments to view the related messages in Message Tracking.
Note
During report generation:
• If one or more macros are detected within an archive file, the Archive Files file type is incremented
by one. The number of macro-enabled attachments within the archive file is not counted.
• If one or more macros are detected within an embedded file, the parent file type is incremented by
one. The number of macro-enabled attachments within the embedded file is not counted.
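The following Python script is an added example, not part of this guide or of AsyncOS. It models a message's attachments as a small tree (files inside an archive, objects embedded in a document) and applies the two counting rules above, so you can see how the report's per-file-type numbers differ from the raw number of macro-bearing files. The attachment names and file type labels are constructed; the report's own type labels are not reproduced, except for “Archive Files”.

```python
from collections import Counter

ARCHIVE_BUCKET = "Archive Files"   # the one label the guide names


class Attachment:
    """One attachment, or one file nested inside an attachment.

    File type labels here are constructed for the example; 'children' holds the
    files contained in an archive or embedded in a document.
    """

    def __init__(self, name, file_type, has_macro=False, is_archive=False, children=()):
        self.name = name
        self.file_type = file_type
        self.has_macro = has_macro
        self.is_archive = is_archive
        self.children = list(children)


def macro_files(att):
    """Every file at any depth that itself carries a macro (the raw count)."""
    found = [att] if att.has_macro else []
    for child in att.children:
        found.extend(macro_files(child))
    return found


def report_counts(attachments):
    """Per-file-type counts following the report's rules.

    A top-level attachment is counted once if it or anything inside it carries a
    macro. Archives are counted under "Archive Files"; macro files nested in an
    archive or embedded in a parent document are not counted separately.
    """
    counts = Counter()
    for att in attachments:
        if not macro_files(att):
            continue
        counts[ARCHIVE_BUCKET if att.is_archive else att.file_type] += 1
    return dict(counts)


def raw_macro_count(attachments):
    """Number of individual macro-bearing files, for comparison with the report."""
    return sum(len(macro_files(att)) for att in attachments)


# Constructed sample message, not real appliance data.
SAMPLE_MESSAGE = [
    Attachment("invoice.docm", "Word", has_macro=True),
    Attachment("bundle.zip", "Archive", is_archive=True, children=[
        Attachment("q1.xlsm", "Excel", has_macro=True),
        Attachment("q2.xlsm", "Excel", has_macro=True),
        Attachment("readme.txt", "Text"),
    ]),
    Attachment("report.docx", "Word", children=[
        Attachment("embedded.xlsm", "Excel", has_macro=True),   # OLE-embedded workbook
    ]),
    Attachment("clean.pdf", "PDF"),
]


if __name__ == "__main__":
    print("report:", report_counts(SAMPLE_MESSAGE))
    print("raw macro files:", raw_macro_count(SAMPLE_MESSAGE))
```

For the sample message the report shows two Word attachments and one archive, although four macro-bearing files arrived: the two workbooks inside the archive collapse into a single Archive Files increment, and the embedded workbook is attributed to its parent document's type rather than to Excel.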
Outbreak Filters Page
The Outbreak Filters page shows the current status and configuration of Outbreak Filters on your appliance
as well as information about recent outbreaks and messages quarantined due to Outbreak Filters. You can use
this page to monitor your defense against targeted virus, scam, and phishing attacks.
The Threats By Type section shows the different types of threat messages received by the appliance.
The Threat Summary section shows a breakdown of the threat messages by Malware, Phish, Scam, and Virus.
Click on the number to view a list of all the messages that are included in that number using Message Tracking.
The Past Year Outbreak Summary lists global as well as local outbreaks over the past year, allowing you to
compare local network trends to global trends. The listing of global outbreaks is a superset of all outbreaks,
both viral and non-viral, whereas local outbreaks are limited to virus outbreaks that have affected your
appliance. Local outbreak data does not include non-viral threats. Global outbreak data represents all outbreaks
detected by the Threat Operations Center which exceeded the currently configured threshold for the outbreak
quarantine. Local outbreak data represents all virus outbreaks detected on this appliance which exceeded the
currently configured threshold for the outbreak quarantine. The Total Local Protection Time is always based
on the difference between when each virus outbreak was detected by the Threat Operations Center and the
release of an anti-virus signature by a major vendor. Note that not every global outbreak affects your appliance.
A value of “--” indicates either a protection time does not exist, or the signature times were not available from
the anti-virus vendors (some vendors may not report signature times). This does not indicate a protection time
of zero, rather it means that the information required to calculate the protection time is not available.
The Quarantined Messages section summarizes Outbreak Filters quarantining, and is a useful gauge of how
many potential threat messages Outbreak Filters are catching. Quarantined messages are counted at time of
release. Typically, messages will be quarantined before anti-virus and anti-spam rules are available. When
released, they will be scanned by the anti-virus and anti-spam software and determined to be positive or clean.
Because of the dynamic nature of Outbreak tracking, the rule under which a message is quarantined (and even
the associated outbreak) may change while the message is in the quarantine. Counting the messages at the
time of release (rather than the time of entry into the quarantine) avoids the confusion of having counts that
increase and decrease.
The Threat Details listing displays information about specific outbreaks, including the threat category (virus,
scam, or phishing), threat name, a description of the threat, and the number of messages identified. For virus
outbreaks, the Past Year Virus Outbreaks include the Outbreak name and ID, time and date a virus outbreak
was first seen globally, the protection time provided by Outbreak filters, and the number of quarantined
messages. You can select either global or local outbreaks as well as the number of messages to display via
the menu on the left. You can sort the listing by clicking on the column headers. Click on the number to view
a list of all the messages that are included in that number using Message Tracking.
The First Seen Globally time is determined by the Threat Operations Center, based on data from SenderBase,
the world’s largest email and web traffic monitoring network. The Protection Time is based on the difference
between when each threat was detected by the Threat Operations Center and the release of an anti-virus
signature by a major vendor.
A value of “--” indicates either a protection time does not exist, or the signature times were not available from
the anti-virus vendors (some vendors may not report signature times). This does not indicate a protection time
of zero. Rather, it means that the information required to calculate the protection time is not available.
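The following Python script is an added example, not part of this guide or of AsyncOS. It computes the Protection Time described here and in the Past Year Outbreak Summary above from a constructed list of outbreak records, returns “--” whenever a timestamp is unavailable, and keeps that value out of the local total instead of treating it as zero. Outbreak names and IDs are constructed placeholders; summing per-outbreak protection times to obtain the Total Local Protection Time, and treating a signature released before detection as “no protection time”, are assumptions.

```python
from datetime import datetime

MISSING = "--"   # shown by the report when a protection time cannot be computed


def protection_time_hours(first_seen_globally, signature_released):
    """Hours between Threat Operations Center detection and the first major-vendor
    anti-virus signature.

    Returns "--" when either timestamp is unavailable. Assumption: a signature that
    predates detection means no protection window existed, which is also "--".
    """
    if first_seen_globally is None or signature_released is None:
        return MISSING
    delta = signature_released - first_seen_globally
    if delta.total_seconds() < 0:
        return MISSING
    return round(delta.total_seconds() / 3600, 1)


def parse_ts(value):
    """Parse an ISO 8601 timestamp, passing None through for 'not available'."""
    return None if value is None else datetime.fromisoformat(value)


def summarize_outbreaks(outbreaks):
    """Build the per-outbreak rows and the Total Local Protection Time.

    Assumption: the total is the sum of the available local protection times;
    rows showing "--" contribute nothing rather than zero.
    """
    rows = []
    total_local_hours = 0.0
    for ob in outbreaks:
        pt = protection_time_hours(parse_ts(ob["first_seen_globally"]),
                                   parse_ts(ob["signature_released"]))
        rows.append({"name": ob["name"], "id": ob["id"], "scope": ob["scope"],
                     "protection_time_hours": pt, "quarantined": ob["quarantined"]})
        if ob["scope"] == "local" and pt != MISSING:
            total_local_hours += pt
    return rows, total_local_hours


# Constructed outbreak records, not real Threat Operations Center data.
SAMPLE_OUTBREAKS = [
    {"name": "Sample Outbreak A", "id": "example-id-1", "scope": "local",
     "first_seen_globally": "2018-03-01T00:00:00+00:00",
     "signature_released": "2018-03-01T06:30:00+00:00", "quarantined": 42},
    {"name": "Sample Outbreak B", "id": "example-id-2", "scope": "local",
     "first_seen_globally": "2018-03-05T12:00:00+00:00",
     "signature_released": None, "quarantined": 7},        # vendor reported no time
    {"name": "Sample Outbreak C", "id": "example-id-3", "scope": "global",
     "first_seen_globally": "2018-03-09T00:00:00+00:00",
     "signature_released": "2018-03-09T03:00:00+00:00", "quarantined": 0},
    {"name": "Sample Outbreak D", "id": "example-id-4", "scope": "local",
     "first_seen_globally": "2018-03-10T10:00:00+00:00",
     "signature_released": "2018-03-10T22:30:00+00:00", "quarantined": 15},
]


if __name__ == "__main__":
    rows, total = summarize_outbreaks(SAMPLE_OUTBREAKS)
    for r in rows:
        print(f"{r['name']:<20} {r['scope']:<7} {r['protection_time_hours']!s:>6} h  "
              f"quarantined={r['quarantined']}")
    print(f"Total Local Protection Time: {total} h")
```

Outbreak B shows “--” because the vendor signature time is missing, and the global outbreak C is listed but excluded from the local total, matching the distinction the page draws between global and local data.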
The Hit Messages from Incoming Messages section shows the percentage and number of viral attachment, other
threat (non-viral), and clean incoming messages.
The Hit Messages by Threat Level section shows the percentage and number of incoming threat messages (viral
and non-viral) based on threat levels (Level 1 through 5).
The Messages resided in Outbreak Quarantine section shows the number of threat messages that resided in the
Outbreak Quarantine, broken down by duration.
Top URL's Rewritten section shows the list of top 10 URLs that were rewritten based on the number of
occurrences. Use the Items Displayed drop-down to view more rewritten URLs. Click on the number to view
a list of all the messages that contain the selected rewritten URL on the Message Tracking page.
Using the Outbreak Filters page, you can answer questions like:
• How many messages are being quarantined and what type of threats were they?
• How much lead time has the Outbreak Filter feature been providing for virus outbreaks?
• How do my local virus outbreaks compare to the global outbreaks?
Virus Types Page
The Virus Types page provides an overview of the viruses entering and being sent from your network. The
Virus Types page displays the viruses that have been detected by the virus scanning engines running on your
appliance. You might want to use this report to take a specific action against a particular virus. For example,
if you see that you are receiving a high volume of a virus known to be embedded in PDF files, you might
want to create a filter action to quarantine messages with PDF attachments.
If you run multiple virus scanning engines, the Virus Types page includes results from all enabled virus
scanning engines. The name of the virus displayed on the page is a name determined by the virus scanning
engines. If more than one scanning engine detects a virus, it is possible to have more than one entry for the
same virus.
The Virus Types page gives you an overview of the viruses entering or leaving your network.
The Top Incoming Virus Detected section shows a chart view of the viruses that have been sent to your
network in descending order. The Top Outgoing Virus Detected section shows a chart view of the viruses
that have been sent from your network in descending order.
Note
To see which hosts sent virus-infected messages to your network, you can go to the Incoming Mail page,
specify the same reporting period and sort by virus-positive. Similarly, to see which IP addresses have
sent virus-positive email within your network, you can view the Outgoing Senders page and sort by
virus-positive messages.
The Virus Types Details listing displays information about specific viruses, including the infected incoming
and outgoing messages, and the total infected messages. The details listing for infected incoming messages
displays the name of the virus and the number of incoming messages infected with this virus. Similarly, the
details listing for outgoing messages displays the name of the virus and the number of outgoing messages
infected with the virus. You can sort the Virus Types details by Incoming Messages, Outgoing Messages, or
Total Infected Messages.
URL Filtering Page
• URL Filtering report modules are populated only if URL filtering is enabled.
• URL Filtering reports are available for incoming and outgoing messages.
• Only messages that are scanned by the URL filtering engine (either as part of anti-spam/outbreak filter
scanning or through message/content filters) are included in these modules. However, not all of the
results are necessarily specifically attributable to the URL Filtering feature.
• The Top URL Categories module includes all categories found in messages that have been scanned,
whether or not they match a content or message filter.
• Each message can be associated with only one URL reputation level. For messages with multiple URLs,
the statistics reflect the lowest reputation of any URL in the message.
• URLs in the global whitelist configured at Security Services > URL Filtering are not included in reports.
URLs in whitelists used in individual filters are included in reports.
• Malicious URLs are URLs that Outbreak Filters have determined to have poor reputation. Neutral URLs
are those that Outbreak Filters have determined to require click-time protection. Neutral URLs have
therefore been rewritten to redirect them to the Cisco Web Security proxy.
• Results of URL category-based filters are reflected in content and message filter reports.
• Results of click-time URL evaluations by the Cisco Web Security proxy are not reflected in reports.
Web Interaction Tracking Page
• Web Interaction Tracking report modules are populated only if the web interaction tracking feature is
enabled.
• Web Interaction Tracking report modules are not updated in real-time; they are refreshed every 30 minutes.
After an end user clicks a cloud re-directed rewritten URL, it may take up to two hours for the Web
Interaction Tracking report to report this event.
• Web Interaction Tracking reports are available for incoming and outgoing messages.
• Only cloud re-directed rewritten URLs (either by policy or Outbreak Filter) clicked by the end users are
included in these modules.
• Web Interaction Tracking page includes the following reports:
Top Rewritten Malicious URLs clicked by End Users. Click on a URL to view a detailed report that contains
the following information:
• A list of end users who clicked on the rewritten malicious URL.
• Date and time at which the URL was clicked.
• Whether the URL was rewritten by a policy or an outbreak filter.
• Action taken (allow, block, or unknown) when the rewritten URL was clicked. Note that, if a URL was
rewritten by outbreak filter and the final verdict is unavailable, the status is shown as unknown.
Top End Users who clicked on Rewritten Malicious URLs
Web Interaction Tracking Details. Includes the following information:
• A list of all the cloud re-directed rewritten URLs (malicious and unmalicious). Click on a URL to view
a detailed report.
• Action taken (allow, block, or unknown) when a cloud re-directed rewritten URL was clicked.
For the data to show up, perform the following:
• Choose Incoming Mail Policies > Outbreak Filters to configure an outbreak filter and enable message
modification and URL rewriting.
• Configure a content filter with the "Redirect to Cisco Security Proxy" action.
Note that, if the verdict of a URL (clean or malicious) was unknown at the time when the end user clicked it,
the status is shown as unknown. This could be because the URL was under further scrutiny or the web server
was down or not reachable at the time of the user click.
• The number of times end users clicked on a rewritten URL. Click on a number to view a list of all the
messages that contain the clicked URL.
• While using Web Interaction Tracking reports, keep in mind the following limitations:
◦If you have configured a content or message filter to deliver messages after rewriting malicious
URLs and notify another user (for example, an administrator), the web interaction tracking data
of the original recipient is incremented even if the notified user clicks on the rewritten URLs.
◦If you are sending a copy of quarantined messages containing rewritten URLs to a user (for example,
an administrator) using web interface, the web interaction tracking data of the original recipient is
incremented even if the user (to whom the copy of the messages were sent) clicks on the rewritten
URLs.
◦At any point, if you plan to modify the time of your appliance, make sure that the system time is
synchronized with Coordinated Universal Time (UTC).
Forged Email Matches Report
See Monitoring Forged Email Detection Results.
File Reputation and File Analysis Reports
For the following reports, see File Reputation and File Analysis Reporting and Tracking:
• Advanced Malware Protection
• File Analysis
• AMP Verdict Updates
Mailbox Auto Remediation Report
You can view the details of the mailbox remediation results using the Mailbox Auto Remediation report page
(Monitor > Mailbox Auto Remediation). Use this report to view details such as:
• A list of recipients for whom the mailbox remediation was successful or unsuccessful
• Remedial actions taken on messages
• The filenames associated with a SHA-256 hash
Click on a SHA-256 hash to view the related messages in Message Tracking.
For more information, see Automatically Remediating Messages in Office 365 Mailboxes.
TLS Connections Page
The TLS Connections page shows the overall usage of TLS connections for sent and received mail. The
report also shows details for each domain sending mail using TLS connections.
The TLS Connections page can be used to determine the following information:
• Overall, what portion of incoming and outgoing connections use TLS?
• What partners do I have successful TLS connections with?
• What partners do I have unsuccessful TLS connections with?
• What partners have issues with their TLS certificates?
• What percent of overall mail with a partner uses TLS?
The TLS Connections page is divided into a section for incoming connections and a section for outgoing
connections. Each section includes a graph, summaries, and a table with details.
The graph displays a view of incoming or outgoing TLS-encrypted and non-encrypted connections over the
time range you specify. The graph displays the total volume of messages, the volume of encrypted and
unencrypted messages, and the volume of successful and failed TLS encrypted messages. The graphs distinguish
between connections in which TLS was required and connections in which TLS was merely preferred.
The table displays details for domains sending or receiving encrypted messages. For each domain, you can
view the number of required and preferred TLS connections that were successful and that failed, the total
number of TLS connections attempted (whether successful or failed), and the total number of unencrypted
connections. You can also view the percentage of all connections in which TLS was attempted, and the total
number of encrypted messages sent successfully, regardless of whether TLS was preferred or required. You
can show or hide columns by clicking the Columns link at the bottom of this table.
Inbound SMTP Authentication Page
The Inbound SMTP Authentication page shows the use of client certificates and the SMTP AUTH command
to authenticate SMTP sessions between the Email Security appliance and users’ mail clients. If the appliance
accepts the certificate or SMTP AUTH command, it will establish a TLS connection to the mail client, which
the client will use to send a message. Since it is not possible for the appliance to track these attempts on a
per-user basis, the report shows details on SMTP authentication based on the domain name and domain IP
address.
Use this report to determine the following information:
• Overall, how many incoming connections use SMTP authentication?
• How many connections use a client certificate?
• How many connections use SMTP AUTH?
• What domains are failing to connect when attempting to use SMTP authentication?
• How many connections are successfully using the fall-back when SMTP authentication fails?
The Inbound SMTP Authentication page includes a graph for received connections, a graph for mail recipients
who attempted an SMTP authentication connection, and a table with details on the attempts to authenticate
connections.
The Received Connections graph shows the incoming connections from mail clients that attempt to
authenticate their connections using SMTP authentication over the time range you specify. The graph
displays the total number of connections the appliance received, the number that did not attempt to authenticate
using SMTP authentication, the number that failed and succeeded to authenticate the connection using a client
certificate, and the number that failed and succeeded to authenticate using the SMTP AUTH command.
The Received Recipients graph displays the number of recipients whose mail clients attempted to authenticate
their connections to the Email Security appliance to send messages using SMTP authentication. The graph
also shows the number of recipients whose connections were authenticated and the number of recipients whose
connections were not authenticated.
The SMTP Authentication details table displays details for the domains whose users attempt to authenticate
their connections to the Email Security appliance to send messages. For each domain, you can view the number
of connection attempts using a client certificate that were successful or failed, the number of connection
attempts using the SMTP AUTH command that were successful or failed, and the number that fell back to
the SMTP AUTH after their client certificate connection attempt failed. You can use the links at the top of
the page to display this information by domain name or domain IP address.
Rate Limits Page
Rate Limiting by envelope sender allows you to limit the number of email message recipients per time interval
from an individual sender, based on the mail-from address. The Rate Limits report shows you the senders
who most egregiously exceed this limit.
Use this report to help you identify the following:
• Compromised user accounts that might be used to send spam in bulk.
• Out-of-control applications in your organization that use email for notifications, alerts, automated
statements, etc.
• Sources of heavy email activity in your organization, for internal billing or resource-management
purposes.
• Sources of large-volume inbound email traffic that might not otherwise be considered spam.
Note that other reports that include statistics for internal senders (such as Internal Users or Outgoing Senders)
measure only the number of messages sent; they do not identify senders of a few messages to a large number
of recipients.
The Top Offenders by Incident chart shows the envelope senders who most frequently attempted to send
messages to more recipients than the configured limit. Each attempt is one incident. This chart aggregates
incident counts from all listeners.
The Top Offenders by Rejected Recipients chart shows the envelope senders who sent messages to the largest
number of recipients above the configured limit. This chart aggregates recipient counts from all listeners.
To configure rate limiting by envelope sender or modify the existing rate limit, see Defining Rules for Incoming
Messages Using a Mail Flow Policy.
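The two Top Offenders charts above can be reproduced from per-message records, which is useful when you want to correlate the report with your own log data. The following Python is an added example, not AsyncOS code; it assumes a simple fixed-window model (at most LIMIT recipients per envelope sender per INTERVAL seconds, windows aligned to the epoch) and a constructed record format of (epoch seconds, mail-from, recipient count).

```python
"""Illustrative model (added example, not AsyncOS code) of how the Rate Limits
report's "Top Offenders by Incident" and "Top Offenders by Rejected Recipients"
charts can be derived from per-message records.

Assumptions (not from the guide): a record is (epoch_seconds, mail_from,
recipient_count); the limit is "at most LIMIT recipients per sender per
INTERVAL seconds"; windows are fixed and aligned to the epoch.
"""
from collections import defaultdict

LIMIT = 10       # recipients allowed per sender per interval (constructed)
INTERVAL = 100   # seconds per interval (constructed)

# Constructed sample records: (epoch seconds, envelope sender, RCPT TO count).
# alerts@app.example sends many small messages (an "out-of-control application"),
# bob@corp.example sends one message to many recipients (looks like a
# compromised account sending in bulk); carol stays under the limit.
SAMPLE_RECORDS = [
    (1000, "alerts@app.example", 4),
    (1010, "alerts@app.example", 4),
    (1020, "alerts@app.example", 4),   # only 2 fit: 2 rejected, incident 1
    (1030, "alerts@app.example", 4),   # 4 rejected, incident 2
    (1105, "alerts@app.example", 3),   # new interval, within limit
    (1005, "bob@corp.example", 30),    # 20 rejected in a single incident
    (1008, "carol@corp.example", 2),
    (1100, "bob@corp.example", 1),     # new interval, within limit
]


def analyze_rate_limits(records, limit=LIMIT, interval=INTERVAL):
    """Return {sender: {"incidents": n, "rejected": m}} for every sender that
    exceeded the limit at least once. An incident is one message attempt that
    had at least one recipient over the limit; "rejected" counts those
    recipients, mirroring the two charts in the report."""
    accepted = defaultdict(int)   # (sender, window) -> recipients accepted so far
    stats = defaultdict(lambda: {"incidents": 0, "rejected": 0})
    for ts, sender, rcpts in sorted(records):    # process in time order
        key = (sender, ts // interval)
        room = max(0, limit - accepted[key])
        taken = min(rcpts, room)
        rejected = rcpts - taken
        accepted[key] += taken
        if rejected > 0:
            stats[sender]["incidents"] += 1
            stats[sender]["rejected"] += rejected
    return dict(stats)


def top_offenders(stats, by, n=5):
    """Rank senders by "incidents" or by "rejected", highest first."""
    return sorted(stats.items(), key=lambda kv: kv[1][by], reverse=True)[:n]


if __name__ == "__main__":
    result = analyze_rate_limits(SAMPLE_RECORDS)
    print("Top offenders by incident:", top_offenders(result, "incidents"))
    print("Top offenders by rejected recipients:", top_offenders(result, "rejected"))
```

Note that the two rankings differ on the same data: the chatty application leads by incidents, while the single bulk sender leads by rejected recipients, which is exactly the case the text says volume-only reports miss.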
System Capacity Page
The System Capacity page provides a detailed representation of the system load, including messages in the
work queue, average time spent in the work queue, incoming and outgoing messages (volume, size, and
number), overall CPU usage, CPU usage by function, and memory page swapping information.
The system capacity page can be used to determine the following information:
• Identify when an appliance is exceeding recommended capacity and configuration optimization or
additional appliances are needed.
• Identify historical trends in system behavior which point to upcoming capacity issues.
• Identify which part of the system is using the most resources to assist with troubleshooting.
It is important to monitor your appliance to ensure that your capacity is appropriate to your message volumes.
Over time, volume will inevitably rise and appropriate monitoring will ensure that additional capacity or
configuration changes can be applied proactively. The most effective way to monitor system capacity is to
track overall volume, messages in the work queue and incidents of Resource Conservation Mode.
• Volume: It is important to have an understanding of the “normal” message volume and the “usual” spikes
in your environment. Track this data over time to measure volume growth. You can use the Incoming
Mail and Outgoing Mail pages to track volume over time. For more information, see System Capacity-Incoming
Mail, on page 26 and System Capacity-Outgoing Mail, on page 27.
• Work Queue: The work queue is designed to work as a “shock absorber,” absorbing and filtering spam
attacks and processing unusual increases in ham messages. However, the work queue is also the best
indicator of a system under stress; prolonged and frequent work queue backups may indicate a capacity
problem. You can use the Workqueue page to track the average time messages spend in the work queue
and the activity in your work queue. For more information, see System Capacity-Workqueue, on page
26.
• Resource Conservation Mode: When an appliance becomes overloaded, it will enter “Resource
Conservation Mode” (RCM) and send a CRITICAL system alert. This is designed to protect the device
and allow it to process any backlog of messages. Your appliance should enter RCM infrequently and
only during a very large or unusual increase in mail volume. Frequent RCM alerts may be an indication
that the system is becoming overloaded. See System Capacity-System Load, on page 27.
System Capacity-Workqueue
The Workqueue page shows the average time a message spends in the work queue, excluding any time spent
in the Spam quarantine or in a policy, virus, or outbreak quarantine. You can view time periods from an hour
up to one month. This average can help in identifying both short-term events delaying mail delivery and
long-term trends in the workload on the system.
Note
If a message is released from the quarantine into the work queue, the “average time in work queue” metric
ignores this time. This prevents double-counting and distorted statistics due to extended time spent in a
quarantine.
The report also shows the volume of messages in the work queue over a specified time period, and it shows
the maximum messages in the work queue over the same time period. The graphical representation of the
maximum messages in the work queue also shows the work queue threshold level.
Occasional spikes in the Workqueue graphs are normal and expected. If the messages in the work queue
remain higher than the configured threshold for a long duration, this may indicate a capacity issue. In this
scenario, consider tuning the threshold level or review the system configuration.
For instructions to change the work queue threshold level, see Setting Thresholds for System Health Parameters.
Tip
When reviewing the work queue page, you may want to measure the frequency of work queue backups,
and take note of work queue backups that exceed 10,000 messages.
System Capacity-Incoming Mail
The incoming mail page shows incoming connections, the total number of incoming messages, the average
message size, and the total incoming message size. You can limit the results to the time range that you specify.
It is important to have an understanding of the trends of normal message volume and spikes in your environment.
You can use the incoming mail page to help track volume growth over time and plan for system capacity.
You might also want to compare the Incoming Mail data with the Sender Profile data to view the trends in
volumes of emails that are being sent from specific domains to your network.
Note
An increased number of incoming connections may not necessarily affect system load.
System Capacity-Outgoing Mail
The outgoing mail page shows outgoing connections, the total number of outgoing messages, the average
message size, and the total outgoing message size. You can limit the results to the time range that you specify.
It is important to have an understanding of the trends of normal message volume and spikes in your environment.
You can use the outgoing mail page to help track volume growth over time and plan for system capacity. You
might also want to compare the Outgoing Mail data with the Outgoing Destinations data to view the trends
in volumes of emails that are being sent from specific domains or IP addresses.
System Capacity-System Load
The system load report shows the following:
• Overall CPU Usage
• Memory Page Swapping
• Resource Conservation Activity
Overall CPU Usage
The Email Security appliance is optimized to use idle CPU resources to improve message throughput. High CPU
usage may not indicate a system capacity problem. If the high CPU usage is coupled with consistent,
high-volume memory page swapping, you may have a capacity problem.
Note
This graph also shows the threshold level for CPU usage. If you want to change the threshold level, use
the System Administration > System Health page in the web interface or the healthconfig command in the CLI.
See Setting Thresholds for System Health Parameters.
This page also shows a graph that displays the amount of CPU used by different functions, including mail
processing, spam and virus engines, reporting, and quarantines. The CPU-by-function graph is a good indicator
of which areas of the product use the most resources on your system. If you need to optimize your appliance,
this graph can help you determine which functions may need to be tuned or disabled.
Memory Page Swapping
The memory page swapping graph shows how frequently the system must page to disk. This graph also shows
the threshold level for memory page swapping. If you want to change the threshold level, use the System
Administration > System Health page in the web interface or the healthconfig command in the CLI. See Setting
Thresholds for System Health Parameters.
Resource Conservation Activity
The resource conservation activity graph shows the number of times the appliance entered Resource
Conservation Mode (RCM). For example, if the graph shows n times, it means that the appliance has entered
RCM n times and exited at least n-1 times.
Your appliance should enter RCM infrequently and only during a very large or unusual increase in mail
volume. If the Resource Conservation Activity graph shows that your appliance is entering RCM frequently,
it may be an indication that the system is becoming overloaded.
Note about Memory Page Swapping
The system is designed to swap memory regularly, so some memory swapping is expected and is not an
indication of problems with your appliance. Unless the system consistently swaps memory in high volumes,
memory swapping is normal and expected behavior, especially on C170 and C190 appliances. To improve
performance, you may need to add appliances to your network or tune your configuration to ensure maximum
throughput.
System Capacity-All
The All page consolidates all the previous system capacity reports onto a single page so you can view the
relationship between the different reports. For example, you might see that the message queue is high at the same
time that excessive memory swapping takes place. This might be an indication that you have a capacity
problem. You may want to save this page as PDF to preserve a snapshot of system performance for later
reference (or to share with support staff). For information about generating PDFs in languages other than
English, see the Notes on Reports, on page 33.
System Status Page
The System Status page provides a detailed representation of all real-time mail and DNS activity for the
system. The information displayed is the same information that is available by using the status detail and
dnsstatus commands in the CLI. For more information, see “Monitoring Detailed Email Status” for the status
detail command and “Checking the DNS Status” for the dnsstatus command in Managing and Monitoring
Using the CLI.
The System Status page is comprised of four sections: System Status, Gauges, Rates, and Counters.
System Status
The system status section shows Mail System Status and Version Information.
Mail System Status
The Mail System Status section includes:
• System Status (for more information about system status, see Status, on page 5)
• The last time the status was reported.
• The uptime for the appliance.
• The oldest message in the system, including messages that have not yet been queued for delivery.
Version Information
The Version Information section includes:
• The appliance model name.
• The version and build date of the AsyncOS operating system installed.
• The installation date of the AsyncOS operating system.
• The serial number of the system to which you are connected.
This information is useful if you are contacting Cisco Customer Support. (See Working with Technical
Support.)
Gauges
The Gauges section shows queue and resource utilization.
• Mail Processing Queue
• Active Recipients in Queue
• Queue Space
• CPU Utilization
Mail Gateway Appliance refers to the percentage of the CPU that AsyncOS processes are consuming. CASE
refers to several items, including the Anti-Spam scanning engine and Outbreak Filters processes.
• General Resource Utilization
• Logging Disk Utilization
Rates
The Rates section shows rate handling for recipients.
• Mail Handling Rates
• Completion Rates
Counters
It is recommended that you avoid resetting counters on a Cloud Email Security appliance.
You can reset the cumulative email monitoring counters for system statistics and view the last time the counters
were reset. The reset affects system counters as well as per-domain counters. The reset does not affect the
counters on messages in the delivery queue related to retry schedules.
Note
Only user accounts that are in the administrator or operator group have access to reset the counters. User
accounts you create in the guest group will not be able to reset the counters. For more information, see
Working with User Accounts.
Click Reset Counters to reset the counters. This button offers the same functionality as the resetcounters
command in the CLI. For more information, see Resetting Email Monitoring Counters.
• Mail Handling Events
• Completion Events
• Domain Key Events
• DNS Status
High Volume Mail Page
Note
The High Volume Mail page shows data only from message filters that use the Header Repeats rule.
The High Volume Mail page contains the following reports in the form of bar charts:
• Top Subjects. You can use this chart to understand the top subjects of messages that AsyncOS received.
• Top Envelope Senders. You can use this chart to understand the top envelope senders of messages that
AsyncOS received.
• Top Message Filters by Number of Matches. You can use this chart to understand the top message
filter (that uses Header Repeats rule) matches.
The High Volume Mail page also provides a tabular representation of the top message filters and the number
of matches for the respective message filters. Click on the number to view a list of all the messages that are
included in that number using Message Tracking.
You can select a time range on which to report, such as an hour, a week, or a custom range. As with all reports,
you can export the data for the graphs or the details listing to CSV format via the Export link or PDF format
by clicking the Printable (PDF) link.
Message Filters Page
The Message Filters page shows information about the top message filter matches (which message filter had
the most matching messages) in two forms: a bar chart and a tabular representation.
Using the bar chart, you can find the message filters that are being triggered the most by incoming and outgoing
messages. The tabular representation shows the top message filters and the number of matches for the respective
message filters. Click on the number to view a list of all the messages that are included in that number using
Message Tracking.
You can select a time range on which to report, such as an hour, a week, or a custom range. As with all reports,
you can export the data for the graphs or the details listing to CSV format via the Export link or PDF format
by clicking the Printable (PDF) link.
Retrieving CSV Data
You can retrieve the data used to build the charts and graphs in the Email Security Monitor in CSV format.
The CSV data can be accessed in two ways:
• CSV reports delivered via email. You can generate a CSV report that is delivered via email or archived.
This delivery method is useful when you want separate reports for each table represented on an Email
Security Monitor page, or when you want to send CSV data to users who do not have access to internal
networks.
The comma-separated values (CSV) Report Type is an ASCII text file which contains the tabular data
of the scheduled report. Each CSV file may contain up to 100 rows. If a report contains more than one
type of table, a separate CSV file will be created for each table. Multiple CSV files for a single report
will be compressed into a single .zip file for the archived file storage option or will all be attached to
separate e-mail messages for e-mail delivery.
For information about configuring scheduled or on-demand reports, see Reporting Overview, on page
32.
• CSV files retrieved via HTTP. You can retrieve the data used to build the charts and graphs in the
Email Security Monitor feature via HTTP. This delivery method is useful if you plan to perform further
analysis on the data via other tools. You can automate the retrieval of this data, for example, by an
automatic script that will download raw data, process, and then display the results in some other system.
Retrieving CSV Data Via Automated Processes
The easiest way to get the HTTP query you will need is to configure one of the Email Security Monitor pages
to display the type of data you want. You can then copy the Export link. This is the download URL. When
automating data retrieval like this it is important to note which parameters in the download URL should be
fixed and which should change (see below).
The download URL is encoded in such a way that it can be copied to an external script that can execute the
same query (using proper HTTP authentication) and get a similar data set. The script can use Basic HTTP
Authentication or cookie authentication. Keep the following in mind when retrieving CSV data via automated
processes:
• Time range selection (past hour, day, week, etc.) in relation to when the URL is used again. If you copy
the URL to retrieve a CSV data set for “Past Day,” the next time you use that URL you will get a new
data set that covers the “Past Day” from the time you send the URL again. The date range selection is
retained, and appears in the CSV query string (e.g. date_range=current_day ).
• Filtering and grouping preferences for the data set. Filters are retained and appear in the query string.
Note that filters in reports are rare — one example is the “Global / Local” outbreaks selector in the
Outbreaks report.
• The CSV download returns all rows of data in the table for the selected time range.
• The CSV download returns the rows of data in the table ordered by timestamp and key. You can perform
further sorting in a separate step such as via a spreadsheet application.
• The first row contains column headers that match the display names shown in the report. Note that
timestamps (see Timestamps, on page 32) and keys (see Keys, on page 32) also appear.
Sample URL
http://example.com/monitor/content_filters?format=csv&sort_col_ss_0_0_0=MAIL_CONTENT_FILTER_INCOMING.RECIPIENTS_MATCHED&section=ss_0_0_0&date_range=current_day&sort_order_ss_0_0_0=desc&report_def_id=mga_content_filters
Adding Basic HTTP Authentication credentials
To specify basic HTTP Authentication credentials to the URL:
http://example.com/monitor/
becomes:
http://username:password@example.com/monitor/
File Format
The downloaded file is in CSV format and has a .csv file extension. The file header has a default filename,
which starts with the name of the report, then the section of the report.
Timestamps
Exports that stream data show begin and end timestamps for each raw “interval” of time. Two begin and two
end timestamps are provided — one in numeric format and the other in human-readable string format. The
timestamps are in GMT time, which should make log aggregation easier if you have appliances in multiple
time zones.
Note that in some rare cases where the data has been merged with data from other sources, the export file
does not include timestamps. For example, the Outbreak Details export merges report data with Threat
Operations Center (TOC) data, making timestamps irrelevant because there are no intervals.
Keys
Exports also include the report table key(s), even in cases where the keys are not visible in the report. In cases
where a key is shown, the display name shown in the report is used as the column header. Otherwise, a column
header such as “key0,” “key1,” etc. is shown.
Streaming
Most exports stream their data back to the client because the amount of data is potentially very large. However,
some exports return the entire result set rather than streaming data. This is typically the case when report data
is aggregated with non-report data (e.g. Outbreaks Detail.)
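The automated retrieval described under Retrieving CSV Data Via Automated Processes, together with the File Format, Timestamps and Keys notes above, as one added Python example (not AsyncOS code): it re-uses a copied Export link, keeps the fixed parameters, swaps the relative date range, sends Basic HTTP Authentication in a header rather than in the URL, and aggregates the exported rows by key. The query-string parameter names come from the guide's sample URL; the CSV column names in SAMPLE_CSV are constructed stand-ins for the display names a real export would carry.

```python
"""Added example (not AsyncOS code): re-use an Email Security Monitor Export
link, fetch it with Basic HTTP Authentication, and process the exported CSV.

Assumptions: parameter names are those in the guide's sample URL (format,
date_range, report_def_id, section, sort_*); the column headers in SAMPLE_CSV
are constructed, a real export uses the display names shown in the report and
"key0", "key1", ... for keys that the report does not display.
"""
import base64
import csv
import io
import urllib.parse
import urllib.request

# Sample URL from the guide (line-wrapped there, joined here).
SAMPLE_URL = ("http://example.com/monitor/content_filters?format=csv"
              "&sort_col_ss_0_0_0=MAIL_CONTENT_FILTER_INCOMING.RECIPIENTS_MATCHED"
              "&section=ss_0_0_0&date_range=current_day"
              "&sort_order_ss_0_0_0=desc&report_def_id=mga_content_filters")

# Constructed export: begin/end interval timestamps in numeric and
# human-readable GMT form, a hidden key column (key0), and one value column.
SAMPLE_CSV = """Begin Timestamp,End Timestamp,Begin Date,End Date,key0,Recipients Matched
1514764800,1514768400,2018-01-01 00:00 GMT,2018-01-01 01:00 GMT,block_exe,12
1514764800,1514768400,2018-01-01 00:00 GMT,2018-01-01 01:00 GMT,strip_urls,3
1514768400,1514772000,2018-01-01 01:00 GMT,2018-01-01 02:00 GMT,block_exe,7
"""


def query_params(url):
    """Return the query string of a URL as a dict."""
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query,
                                       keep_blank_values=True))


def rebuild_download_url(export_url, date_range=None):
    """Keep the fixed parameters (report_def_id, section, format, sort order)
    and optionally replace the relative date_range before re-using the link."""
    parts = urllib.parse.urlsplit(export_url)
    params = query_params(export_url)
    if params.get("format") != "csv":
        raise ValueError("export link is not a CSV export")
    if date_range is not None:
        params["date_range"] = date_range
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(params)))


def basic_auth_header(username, password):
    """Send credentials in an Authorization header instead of embedding them in
    the URL, so they are not copied into scripts, shell history or proxy logs."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def fetch_csv(url, username, password, timeout=60):
    """Download the export; most exports stream, so read to completion."""
    req = urllib.request.Request(url, headers=basic_auth_header(username, password))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_export(text):
    """First row is the column headers; return the data rows as dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def interval_bounds(rows):
    """Distinct (begin, end) numeric timestamps, in export order."""
    seen = []
    for row in rows:
        bounds = (int(row["Begin Timestamp"]), int(row["End Timestamp"]))
        if bounds not in seen:
            seen.append(bounds)
    return seen


def sum_by_key(rows, key_col, value_col):
    """Aggregate a numeric column across all intervals, per key value."""
    totals = {}
    for row in rows:
        totals[row[key_col]] = totals.get(row[key_col], 0) + int(row[value_col])
    return totals


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)          # offline: use the constructed data
    print(interval_bounds(rows))
    print(sum_by_key(rows, "key0", "Recipients Matched"))
```

To run against an appliance, call fetch_csv(rebuild_download_url(SAMPLE_URL), user, password) and feed the result to parse_export.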
Reporting Overview
Reporting in AsyncOS involves three basic actions:
• You can create Scheduled Reports to be run on a daily, weekly, or monthly basis.
• You can generate a report immediately (“on-demand” report).
• You can view archived versions of previously run reports (both scheduled and on-demand).
Configure scheduled and on-demand reports via the Monitor > Scheduled Reports page. View archived reports
via the Monitor > Archived Reports page.
Your appliance will retain the most recent reports it generates, up to 1000 total versions for all reports. You
can define as many recipients for reports as you want, including zero recipients. If you do not specify an email
recipient, the system will still archive the reports. If you need to send the reports to a large number of addresses,
however, it may be easier to create a mailing list rather than listing the recipients individually.
By default, the appliance archives the twelve most recent reports of each scheduled report. Reports are stored
in the /saved_reports directory of the appliance. (See FTP, SSH, and SCP Access for more information.)
Scheduled Report Types
You can choose from the following report types:
• Content Filters
• Delivery Status
• DLP Incident Summary
• Executive Summary
• Incoming Mail Summary
• Internal Users Summary
• Outgoing Destinations
• Outgoing Mail Summary
• Outgoing Senders: Domains
• Sender Groups
• System Capacity
• TLS Connections
• Outbreak Filters
• Virus Types
Each of the reports consists of a summary of the corresponding Email Security Monitor page. So, for example,
the Content Filters report provides a summary of the information displayed on the Monitor > Content Filters
page. The Executive Summary report is based on the Monitor > Overview page.
Notes on Reports
Content Filter reports in a PDF format are limited to a maximum of 40 content filters. You can obtain the full
listing via reports in a CSV format.
Note
To generate PDFs in Chinese, Japanese, or Korean on Windows computers, you must also download the
applicable Font Pack from Adobe.com and install it on your local computer.
Setting the Return Address for Reports
To set the return address for reports, see Configuring the Return Address for Appliance Generated Messages.
From the CLI, use the addressconfig command.
Managing Reports
You can create, edit, delete, and view archived scheduled reports. You can also run a report immediately
(on-demand report). The following report types are available: Content Filters, DLP Incident Summary,
Executive Summary, Incoming Mail Summary, Internal Users Summary, Outgoing Mail Summary, Sender
Groups, and Outbreak Filters. Managing and viewing these reports is discussed below.
Note
When in Cluster Mode, you are unable to view reports. You may view reports when in machine mode.
The Monitor > Scheduled Reports page shows a listing of the scheduled reports already created on the appliance.
Scheduled Reports
Scheduled reports can be scheduled to run on a daily, weekly, or monthly basis. You can select a time at which
to run the report. Regardless of when you run a report, it will only include data for the time period that you
specify, for example the past 3 days or the previous calendar month. Note that a daily report scheduled to run
at 1AM will contain data for the previous day, midnight to midnight.
Your appliance ships with a default set of scheduled reports —you can use, modify, or delete any of them.
Scheduling a Report to be Generated Automatically
Step 1 On the Monitor > Scheduled Reports page, click Add Scheduled Report.
Step 2 Select a report type. Depending on the report type you select, different options may be available.
For more information about the available types of scheduled reports, see Scheduled Report Types, on page 32.
Step 3 Enter a descriptive title for the report. AsyncOS does not verify the uniqueness of report names. To avoid confusion, do
not create multiple reports with the same name.
Step 4 Select a time range for the report data. (This option is not available for Outbreak Filters reports.)
Step 5 Select a format for the report:
• PDF. Create a formatted PDF document for delivery, archival, or both. You can view the report as a PDF file
immediately by clicking Preview PDF Report.
For information about generating PDFs in languages other than English, see the Notes on Reports, on page 33.
• CSV. Create an ASCII text file that contains the tabular data as comma-separated values. Each CSV file may contain
up to 100 rows. If a report contains more than one type of table, a separate CSV file is created for each table.
Step 6 Specify the report options, if available. Some reports do not have report options.
Step 7 Specify scheduling and delivery options. If you do not specify an email address, the report is archived but is not sent to
any recipients.
Note
If you are sending reports to an external account (such as Yahoo or Gmail, etc.), you may need to add the
reporting return address to the external account’s whitelist to prevent report emails from being incorrectly
classified as spam.
Step 8 Click Submit. Commit your changes.
Editing Scheduled Reports
Step 1 Click the report title in the listing on the Services > Centralized Reporting page.
Step 2 Make your changes.
Step 3 Submit and commit your changes.
Deleting Scheduled Reports
Step 1 On the Services > Centralized Reporting page, select the check boxes corresponding to the reports that you want to
delete.
Note
Select the All check box to remove all scheduled reports.
Step 2 Click Delete.
Step 3 Confirm the deletion and then commit your changes.
Any archived versions of deleted reports are not automatically deleted.
Archived Reports
The Monitor > Archived Reports page lists the available archived reports. You can view a report by clicking
its name in the Report Title column. You can generate a report immediately by clicking Generate Report
Now.
Use the Show menu to filter which type of reports is listed. Click the column headings to sort the listing.
Archived reports are deleted automatically — up to 30 instances of each scheduled report (up to 1000 reports)
are kept and as new reports are added, older ones are deleted to keep the number at 1000. The 30 instances
limit is applied to each individual scheduled report, not report type.
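The retention rule above, as an added illustration that is not part of the guide: a small simulation of the 30-per-report and 1000-total limits, showing that with more than 33 daily schedules the global cap, not the per-report cap, decides how much history stays available. The guide does not say which report is removed first when the 1000 cap is reached; the simulation assumes the oldest archived report overall.

```python
from typing import List, Tuple

PER_REPORT_LIMIT = 30   # instances kept per scheduled report (from the guide)
GLOBAL_LIMIT = 1000     # archived reports kept in total (from the guide)


class ReportArchive:
    """Simulates the archive retention rule described in the guide.

    Assumption (not stated in the guide): when the 1000-report limit is
    exceeded, the oldest archived report overall is deleted first.
    """

    def __init__(self, per_report: int = PER_REPORT_LIMIT, total: int = GLOBAL_LIMIT):
        self.per_report = per_report
        self.total = total
        self.entries: List[Tuple[int, str]] = []  # (sequence, title), oldest first
        self.seq = 0

    def add(self, title: str) -> None:
        """Archive a new instance of a scheduled report and apply both limits."""
        self.seq += 1
        self.entries.append((self.seq, title))
        # Per-report limit: drop the oldest instance of this report title.
        mine = [e for e in self.entries if e[1] == title]
        while len(mine) > self.per_report:
            self.entries.remove(mine.pop(0))
        # Global limit: drop the oldest archived report of any title.
        while len(self.entries) > self.total:
            self.entries.pop(0)

    def count(self, title: str) -> int:
        return sum(1 for _, t in self.entries if t == title)

    def total_count(self) -> int:
        return len(self.entries)


def retained_per_report(num_reports: int, days: int) -> int:
    """Run num_reports daily schedules for the given number of days and return
    how many instances of the first report survive (constructed scenario)."""
    archive = ReportArchive()
    for _ in range(days):
        for r in range(num_reports):
            archive.add(f"report-{r}")
    return archive.count("report-0")


if __name__ == "__main__":
    print(retained_per_report(10, 60))  # 10 daily schedules: 30 instances each
    print(retained_per_report(50, 60))  # 50 daily schedules: only 20 instances each
```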
Generating On-Demand Reports
You can generate a report without scheduling it. These on-demand reports are still based on a specified time
frame, but they are generated immediately.
Step 1
Click Generate Report Now on the Archived Reports page.
Step 2
Select a report type and edit the title if desired. AsyncOS does not verify the uniqueness of report names. To avoid
confusion, do not create multiple reports with the same name.
For more information about the available types of scheduled reports, see Scheduled Report Types, on page 32.
Step 3
Select a time range for the report data. (This option is not available for Virus Outbreak reports.)
If you create a custom range, the range will appear as a link. To modify the range, click the link.
Step 4
Select a format for the report.
• PDF. Create a formatted PDF document for delivery, archival, or both. You can view the report as a PDF file
immediately by clicking Preview PDF Report.
For information about generating PDFs in languages other than English, see the Notes on Reports, on page 33.
• CSV. Create an ASCII text file that contains the tabular data as comma-separated values. Each CSV file may contain
up to 100 rows. If a report contains more than one type of table, a separate CSV file is created for each table.
Step 5
Specify any report options.
Step 6
Select whether to archive the report (if so, the report will be shown on the Archived Reports page).
Step 7
Specify whether to email the report and to which email addresses to send the report.
Step 8
Click Deliver this Report to generate the report and deliver it to recipients or archive it.
Commit your changes.
Troubleshooting Email Reports
Link to Message Tracking Gives Unexpected Results
Problem
Drilling down from a report to view details in message tracking yields unexpected results.
Solution
This can occur if reporting and message tracking were not simultaneously enabled, functioning properly, and
storing data locally (as opposed to being stored centrally on a Security Management appliance). Data for each
feature (reporting and message tracking) is stored only while that feature is enabled and functioning on that
appliance, independently of whether the other feature (reporting or message tracking) is enabled and functioning.
Therefore, reports may include data that is not available in Message Tracking and vice versa.
File Analysis Details in the Cloud Are Incomplete
Problem
Complete file analysis results in the public cloud are not available for files uploaded from other Email Security
appliances in my organization.
Solution
Be sure to group all appliances that will share file analysis result data. See (Public Cloud File Analysis Services
Only) Configuring Appliance Groups. This configuration must be done on each appliance in the group.