To view aggregated report data, deploy a Cisco Content Security Management appliance .

You cannot aggregate Email Security Monitor reports of clustered appliances. All reports are restricted to machine level. This means they cannot be run at the group or cluster levels — only on individual machines.

The same is true of the Archived Reports page — each machine in effect has its own archive. Thus, the “Generate Report” feature runs on the selected machine.

The Scheduled Reports page is not restricted to machine level; therefore, settings can be shared across multiple machines. Individual scheduled reports run at machine level just like interactive reports, so if you configure your scheduled reports at cluster level, every machine in the cluster will send its own report.

The “Preview This Report” button always runs against the login-host.

Many of the Email Security Monitor pages include a search form. You can search for different types of items:

• IP Address (IPv4 and IPv6)
• domain
• network owner
• internal users
• destination domain
• internal sender domain
• internal sender IP address
• outgoing domain deliver status

For domain, network owner, and internal user searches, choose whether to exactly match the search text or look for items starting with the entered text (for instance, starts with “ex” will match “example.com”).

For IPv4 address searches, the entered text is always interpreted as the beginning of up to four IP octets in dotted decimal format. For instance, “17” will search in the range 17.0.0.0 through 17.255.255.255, so it will match 17.0.0.1 but not 172.0.0.1. For an exact match search, simply enter all four octets. IP address searches also support CIDR format (17.16.0.0/12).

For IPv6 address searches, AsyncOS supports the following formats:

• 2001:db8:2004:4202::0-2001:db8:2004:4202::ff
• 2001:db8:2004:4202::
• 2001:db8:2004:4202::23
• 2001:db8:2004:4202::/64

All searches are bounded by the time range currently selected on the page.

You can create a custom email securityreport page by assembling charts (graphs) and tables from existing report pages.

The Overview page provides a synopsis of the message activity of your appliance , including an overview of your quarantines and Outbreak Filters status (in the System Overview section of the page). The Overview page also includes graphs and detailed message counts for incoming and outgoing messages. You can use this page to monitor the flow of all mail into and out of your gateway.

The Overview page highlights how the appliance is integrated with the IP Reputation Service for incoming mail (messages stopped by reputation filtering, for example). On the Overview page, you can:

• View a mail trend graph of all mail “flowing” into or out of your gateway.
• View a graph showing the number of attempted messages, messages stopped by IP reputation filtering, messages with invalid reipients, messages marked as spam, messages marked as virus positive, and clean messages, over time.
• View the summary of the system status and local quarantines.
• See current virus and non-virus outbreak information based on information available at the Threat Operations Center (TOC).

The Overview page is divided into two sections: System Overview and Incoming and Outgoing Mail graphs and summary.

The Incoming Mail page provides a mechanism to report on the real-time information being collected by the Email Security Monitor feature for all remote hosts connecting to your appliance . This allows you to gather more information about an IP address, domain, and organization (network owner) sending mail to you. You can perform a Sender Profile search on IP addresses, domains, or organizations that have sent mail to you.

The Incoming Mail page has three views: Domain, IP Address, and Network Owner and provides a snapshot of the remote hosts connecting to the system in the context of the selected view.

It displays a table (Incoming Mail Details) of the top domains (or IP addresses, or network owners, depending on the view) that have sent mail to all public listeners configured on the appliance . You can monitor the flow of all mail into your gateway. You can click on any domain/IP/network owner to drill down to access details about this sender on a Sender Profile page (this is an Incoming Mail page, specific to the domain/IP/network owner you clicked on).

Not all available columns are displayed by default. You can show a different set of information by clicking the Columns link below the table. For example, you can show the "Detected by Advanced Malware Protection" column, which is hidden by default.

The Incoming Mail page extends to include a group of pages (Incoming Mail, Sender Profiles, and the Sender Group Report). From the Incoming Mail pages, you can:

• Perform a search on IP addresses, domains, or organizations (network owners) that have sent mail to you.
• View the Sender Groups report to see connections via a specific sender group and mail flow policy actions. See Sender Groups Report for more information.
• See detailed statistics on senders which have sent mail to you, including the number of attempted messages broken down by security service (sender reputation filtering, anti-spam, anti-virus, graymail, and so on).
• Sort by senders who have sent you a high volume of spam or virus email, as determined by anti-spam or anti-virus security services.
• Use the IP Reputation service to drill down on and examine the relationship between specific IP addresses, domains, and organizations to obtain more information about a sender.
• Drill down on specific senders to obtain more information about a sender from the IP Reputation Service, including a sender’s IP Reputation Score and which sender group the domain matched most recently. Add senders to sender groups.
• Drill down on a specific sender who sent a high volume of spam or virus email, as determined by the anti-spam or anti-virus security services.
• Once you have gathered information on a domain, you can add the IP address, domain, or organization to an existing sender group (if necessary) by clicking “Add to Sender Group” from a domain, IP address, or network owner profile page. See Configuring the Gateway to Receive Email.

The Sender Groups report provides a summary of connections by sender group and mail flow policy action, allowing you to review SMTP connection and mail flow policy trends. The Mail Flow by Sender Group listing shows the percentage and number of connections for each sender group. The Connections by Mail Flow Policy Action chart shows the percentage of connections for each mail flow policy action. This page provides an overview of the effectiveness of your Host Access Table (HAT) policies. For more information about the HAT, see Configuring the Gateway to Receive Email.

You can use the Sender Domain Reputation report page to view:

• Incoming messages based on the verdict received from the SDR service in graphical format.

• Summary of incoming messages based on the threat category and verdict received from the SDR service in tabular format.

• Incoming messages based on the threat category received from the SDR service in graphical format.

  Note	Only the messages whose SDR verdict is 'awful' or 'poor' are classified under the SDR threat category, such as, 'spam,' 'malicious,' etc.

• Summary of incoming messages based on the threat category received from the SDR service in tabular format.

In the Summary of Incoming Messages handled by SDR section, you can click on the number of messages corresponding to a particular verdict to view the related messages in Message Tracking.

The Outgoing Destinations page provides information about the domains your company sends mail to. The page consists of two section. The top half of the page consists of graphs depicting the top destinations by outgoing threat messages and top destinations by outgoing clean messages on the top half of the page. The bottom half of the page displays a chart showing all the columns sorted by total recipients (default setting).

You can select a time range on which to report, such as an hour, a week, or a custom range. As with all reports, you can export the data for the graphs or the details listing to CSV format via the Export link.

The Outgoing Destinations page can be used to answer the following types of questions:

• What domains is the appliance sending mail to?
• How much mail is sent to each domain?
• How much of that mail is clean, spam-positive, virus-positive, malware or stopped by a content filter?
• How many messages are delivered and how many messages are hard-bounced by the destination server?

The Outgoing Senders page provides information about the quantity and type of mail being sent from IP addresses and domains in your network. You can view the results by domain or IP address when you view this page. You might want to view the results by domain if you want to see what volume of mail is being sent by each domain, or you might want to view the results by IP address if you want see which IP addresses are sending the most virus messages or triggering content filters.

The page consists of two sections. On the left side of the page is a graph depicting the top senders by total threat messages. Total threat messages include messages that are spam-positive, virus-positive, malware or triggered a content filter. On the right side of the page is a graph displaying top senders by clean messages on the top half of the page. The bottom half of the page displays a chart showing all the columns sorted by total messages (default setting).

Note	This page does not display information about message delivery. Delivery information, such as how many messages from a particular domain were bounced can be tracked using the Delivery Status page.

You can select a time range on which to report, such as an hour, a week, or a custom range. As with all reports, you can export the data for the graphs or the details listing to CSV format via the Export link.

The Outgoing Senders page can be used to answer the following types of questions:

• Which IP addresses are sending the most virus-positive, spam-positive or malware email?
• Which IP addresses trigger content filters the most frequently?
• Which domains are sending the most mail?

You can use the Geo Distribution report page to view:

• Top incoming mail connections based on country of origin in graphical format.

• Total incoming mail connections based on country of origin in tabular format.

You can click on the number of incoming mail connections of a specific geolocation to view the related messages in Message Tracking.

The "Total Messages" column only displays those messages that are accepted at the SMTP connection level.

Note

During report generation: If one or more incoming mail connections are detected as private IP address, the incoming mail connections are categorized as “Private IP Addresses” in the report. If one or more incoming mail connections are detected as not a valid IP Reputation score, the incoming mail connections are categorized as ‘No Country Info’ in the report.

If you suspect delivery problems to a specific recipient domain or if you want to gather information on a Virtual Gateway address, the Monitor > Delivery Status Page provides monitoring information about email operations relating to a specific recipient domain.

The Delivery Status Page displays the same information as the tophosts command within the CLI. (For more information, see “Determining the Make-up of the Email Queue” in Managing and Monitoring Using the CLI)

This page displays a list of the top 20, 50, or 100 recipient domains for messages delivered by the system within the last three hours. You can sort by latest host status, active recipients (the default), connections out, delivered recipients, soft bounced events, and hard bounced recipients by clicking the links in the column heading for each statistic.

• To search for a specific domain, type the name of the domain in the Domain Name: field and click Search.
• To drill down on a domain shown, click the domain name link.

The results are shown in an Delivery Status Details Page.

Note	Any activity for a recipient domain results in that domain being “active” and thus present in the overview page. For example, if mail remains in the outbound queue due to delivery problems, that recipient domain continues to be listed in the outgoing mail overview.

The Internal Users page provides information about the mail sent and received by your internal users, per email address (a single user may have multiple email addresses listed — the email addresses are not combined in the report).

The page consists of two sections:

• Graphs depicting the top users by clean incoming and outgoing messages and top users receiving graymail.
• User mail flow details

You can select a time range on which to report (hour, day, week, or month). As with all reports, you can export the data for the graphs or the details listing to CSV format via the Export link. You can also display hidden table columns or hide default columns by clicking the Columns link below the table.

The User Mail Flow Details listing breaks down the mail received and sent by each email address into clean, spam (incoming only), virus, malware, content filter matches, and graymail (incoming only). You can sort the listing by clicking on the column headers.

Using the Internal Users report, you can answer these kinds of questions:

• Who is sending the most external email?
• Who receives the most clean email?
• Who receives the most number of graymail messages?
• Who receives the most spam?
• Who is triggering which content filters?
• Whose email is getting caught by content filters?

Inbound Internal Users are the users for which you received email, based on the Rcpt To: address. Outbound Internal Users are based on the Mail From: address and are useful when tracking the types of email that senders on your internal network are sending.

Note that some outbound mail (like bounces) have a null sender. They are counted under outbound and “unknown.”

Click on an internal user to view the Internal User detail page for that user.

Click the Columns link below the table to show columns that are hidden by default, such as the Incoming Detected by Advanced Malware Protection column or Outgoing Detected by Advanced Malware Protection column.

The DLP Incidents page shows information on the incidents of data loss prevention (DLP) policy violations occurring in outgoing mail. The appliance uses the DLP email policies enabled in the Outgoing Mail Policies table to detect sensitive data sent by your users. Every occurrence of an outgoing message violating a DLP policy is reported as an incident.

Using the DLP Incidents report, you can answer these kinds of questions:

• What type of sensitive data is being sent by your users?
• How severe are these DLP incidents?
• How many of these messages are being delivered?
• How many of these messages are being dropped?
• Who is sending these messages?

The DLP Incidents page is comprised of two main sections:

• the DLP incident trend graphs summarizing the top DLP incidents by severity (Low, Medium, High, Critical) and policy matches, and
• the DLP Incidents Details listing.

You can select a time range on which to report, such as an hour, a week, or a custom range. As with all reports, you can export the data for the graphs or the details listing to CSV format via the Export link or PDF format by clicking the Printable (PDF) link. For information about generating PDFs in languages other than English, see the Notes on Reports.

Click on the name of a DLP policy to view detailed information on the DLP incidents detected by the policy. You can use this method to get a list of users who sent mail that contained sensitive data detected by the policy.

The Content Filters page shows information about the top incoming and outgoing content filter matches (which content filter had the most matching messages) in two forms: a bar chart and a listing. Using the Content Filters page, you can review your corporate policies on a per-content filter or per-user basis and answer questions like:

• Which content filter is being triggered the most by incoming or outgoing mail?
• Who are the top users sending or receiving mail that is triggering a particular content filter?

You can click the name of the content filter in the listing to view more information about that filter on the Content Filter detail page.

The DMARC Verification page shows the top domains that failed DMARC verification and the details of actions AsyncOS performed on the messages that failed DMARC verification. You can use this report to fine-tune your DMARC settings and answer these kinds of questions:

• Which are the domains that sent maximum number of messages that are not DMARC compliant?
• For each domain, what are the actions AsyncOS performed on the messages that failed DMARC verification?

The DMARC Verification page contains:

• A bar chart showing top domains by DMARC verification failures.
• Tabular representation of the following, for each domain:
  • Number of messages that were rejected, quarantined, or accepted without taking any action. Click on the number to view a list of messages under the selected category.
  • Number messages that passed DMARC verification.
  • Total number of DMARC verification attempts.

You can select a time range on which to report, such as an hour, a week, or a custom range. As with all reports, you can export the data for the graphs or the details listing to CSV format via the Export link or PDF format by clicking the Printable (PDF) link.

You can use the Macro Detection report page to view:

• Top Incoming Macro-Enabled Attachments by File Type in graphical and tabular format.

• Top Outgoing Macro-Enabled Attachments by File Type in graphical and tabular format.

You can click on the number of macro-enabled attachments to view the related messages in Message Tracking.

Note

During report generation: If one or more macros are detected within an archive file, the Archive Files file type is incremented by one. The number of macro-enabled attachments within an archive file are not counted. If one or more macros are detected within an embedded file, the parent file type is incremented by one. The number of macro-enabled attachments within an embedded file are not counted.

You can use the External Threat Feeds report page to view:

• Top ETF sources used to detect threats in messages in graphical format

• Summary of ETF sources used to detect threats in messages in tabular format.

• Top IOCs that matched threats detected in messages in graphical format.

• Top ETF sources used to filter malicious incoming mail connections in graphical format.

• Summary of ETF sources used to filter malicious incoming mail connections in tabular format.

In the ‘Summary of External Threat Feed Sources’ section:

• You can click on the number of messages for a particular ETF source to view the related messages in Message Tracking.

• You can click on a particular threat feed source to view the distribution of the ETF source based on the IOCs.

In the ‘Summary of Indicator of Compromise (IOC) Matches’ section:

• You can click on the number of IOCs for a particular ETF source to view the related messages in Message Tracking.

• You can click on a particular IOC to view the distribution of the IOC based on the ETF sources.

The Outbreak Filters page shows the current status and configuration of Outbreak Filters on your appliance as well as information about recent outbreaks and messages quarantined due to Outbreak Filters. You can use this page to monitor your defense against targeted virus, scam, and phishing attacks.

The Threats By Type section shows the different types of threat messages received by the appliance .

The Threat Summary section shows a breakdown of the threat messages by Malware, Phish, Scam, and Virus. Click on the number to view a list of all the messages that are included in that number using Message Tracking.

The Past Year Outbreak Summary lists global as well as local outbreaks over the past year, allowing you to compare local network trends to global trends. The listing of global outbreaks is a superset of all outbreaks, both viral and non-viral, whereas local outbreaks are limited to virus outbreaks that have affected your appliance . Local outbreak data does not include non-viral threats. Global outbreak data represents all outbreaks detected by the Threat Operations Center which exceeded the currently configured threshold for the outbreak quarantine. Local outbreak data represents all virus outbreaks detected on this appliance which exceeded the currently configured threshold for the outbreak quarantine. The Total Local Protection Time is always based on the difference between when each virus outbreak was detected by the Threat Operations Center and the release of an anti-virus signature by a major vendor. Note that not every global outbreak affects your appliance . A value of “--” indicates either a protection time does not exist, or the signature times were not available from the anti-virus vendors (some vendors may not report signature times). This does not indicate a protection time of zero, rather it means that the information required to calculate the protection time is not available.

The Quarantined Messages section summarizes Outbreak Filters quarantining, and is a useful gauge of how many potential threat messages Outbreak Filters are catching. Quarantined messages are counted at time of release. Typically, messages will be quarantined before anti-virus and anti-spam rules are available. When released, they will be scanned by the anti-virus and anti-spam software and determined to be positive or clean. Because of the dynamic nature of Outbreak tracking, the rule under which a message is quarantined (and even the associated outbreak) may change while the message is in the quarantine. Counting the messages at the time of release (rather than the time of entry into the quarantine) avoids the confusion of having counts that increase and decrease.

The Threat Details listing displays information about specific outbreaks, including the threat category (virus, scam, or phishing), threat name, a description of the threat, and the number of messages identified. For virus outbreaks, the Past Year Virus Outbreaks include the Outbreak name and ID, time and date a virus outbreak was first seen globally, the protection time provided by Outbreak filters, and the number of quarantined messages. You can select either global or local outbreaks as well as the number of messages to display via the menu on the left. You can sort the listing by clicking on the column headers. Click on the number to view a list of all the messages that are included in that number using Message Tracking.

The First Seen Globally time is determined by the Threat Operations Center, based on data from SenderBase, the world’s largest email and web traffic monitoring network. The Protection Time is based on the difference between when each threat was detected by the Threat Operations Center and the release of an anti-virus signature by a major vendor.

A value of “--” indicates either a protection time does not exist, or the signature times were not available from the anti-virus vendors (some vendors may not report signature times). This does not indicate a protection time of zero. Rather, it means that the information required to calculate the protection time is not available.

Hit Messages from Incoming Messages section shows the percentage and number of viral attachment, other threats (non-viral), and clean incoming messages.

Hit Messages by Threat Level section shows the percentage and number of incoming threat messages (viral and non-viral) based on threat levels (Level 1 through 5).

Messages resided in Outbreak Quarantine section shows the number of threat messages resided in the Outbreak Quarantine based on the duration.

Top URL's Rewritten section shows the list of top 10 URLs that were rewritten based on the number of occurrences. Use the Items Displayed drop-down to view more rewritten URLs. Click on the number to view a list of all the messages that contain the selected rewritten URL on the Message Tracking page.

Using the Outbreak Filters page, you can answer questions like:

• How many messages are being quarantined and what type of threats were they?
• How much lead time has the Outbreak Filter feature been providing for virus outbreaks?
• How do my local virus outbreaks compare to the global outbreaks?

The Virus Types page provides an overview of the viruses entering and being sent from your network. The Virus Types page displays the viruses that have been detected by the virus scanning engines running on your appliance. You might want to use this report to take a specific action against a particular virus. For example, if you see that you are receiving a high volume of a viruses known to be embedded in PDF files, you might want to create a filter action to quarantine messages with PDF attachments.

If you run multiple virus scanning engines, the Virus Types page includes results from all enabled virus scanning engines. The name of the virus displayed on the page is a name determined by the virus scanning engines. If more than one scanning engine detects a virus, it is possible to have more than one entry for the same virus.

The Virus Types page gives you an overview of the viruses entering or being sent from or to your network. The Top Incoming Virus Detected section shows a chart view of the viruses that have been sent to your network in descending order. The Top Outgoing Virus Detected section shows a chart view of the viruses that have been sent from your network in descending order.

Note

To see which hosts sent virus-infected messages to your network, you can go to the Incoming Mail page, specify the same reporting period and sort by virus-positive. Similarly, to see which IP addresses have sent virus-positive email within your network, you can view the Outgoing Senders page and sort by virus-positive messages.

The VirusTypes Details listing displays information about specific viruses, including the infected incoming and outgoing messages, and the total infected messages. The details listing for infected incoming messages displays the name of the virus and the number of incoming messages infected with this virus. Similarly, the outgoing messages displays the name of the virus and the number of outgoing messages infected with the virus. You can sort the Virus Type details by Incoming Messages, Outgoing Messages, or Total Infected Messages.

• URL Filtering report modules are populated only if URL filtering is enabled.
• URL Filtering reports are available for incoming and outgoing messages.
• Only messages that are scanned by the URL filtering engine (either as part of anti-spam/outbreak filter scanning or through message/content filters) are included in these modules. However, not all of the results are necessarily specifically attributable to the URL Filtering feature.
• The Top URL Categories module includes all categories found in messages that have been scanned, whether or not they match a content or message filter.
• Each message can be associated with only one URL reputation level. For messages with multiple URLs, the statistics reflect the lowest reputation of any URL in the message.

• URLs in the global allowed list configured at Security Services > URL Filtering are not included in reports.

  URLs in allowed lists used in individual filters are included in reports.

• Malicious URLs are URLs that Outbreak Filters have determined to have poor reputation. Neutral URLs are those that Outbreak Filters have determined to require click-time protection. Neutral URLs have therefore been rewritten to redirect them to the Cisco Web Security proxy.
• Results of URL category-based filters are reflected in content and message filter reports.
• Results of click-time URL evaluations by the Cisco Web Security proxy are not reflected in reports.

• Web Interaction Tracking report modules are populated only if the web interaction tracking feature is enabled.
• Web Interaction Tracking report modules are not updated in real-time and are refreshed every 30 minutes. Also, after clicking a rewritten URL, it may take up to two hours for the Web Interaction Tracking report to report this event.
• Web Interaction Tracking report is not updated in real-time. After clicking a cloud re-directed rewritten URL, it may take up to two hours for the Web Interaction Tracking report to report this event.
• Web Interaction Tracking reports are available for incoming and outgoing messages.
• Only cloud re-directed rewritten URLs (either by policy or Outbreak Filter) clicked by the end users are included in these modules.
• Web Interaction Tracking page includes the following reports:

Top Rewritten Malicious URLs clicked by End Users. Click on a URL to view a detailed report that contains the following information:

• A list of end users who clicked on the rewritten malicious URL.
• Date and time at which the URL was clicked.
• Whether the URL was rewritten by a policy or an outbreak filter.
• Action taken (allow, block, or unknown) when the rewritten URL was clicked. Note that, if a URL was rewritten by outbreak filter and the final verdict is unavailable, the status is shown as unknown.

Top End Users who clicked on Rewritten Malicious URLs

Web Interaction Tracking Details. Includes the following information:

• A list of all the cloud re-directed rewritten URLs (malicious and unmalicious). Click on a URL to view a detailed report.
• Action taken (allow, block, or unknown) when a cloud re-directed rewritten URL was clicked.

For the data to show up, perform the following:

• Choose Incoming Mail Policies > Outbreak Filters to configure an outbreak filter and enable message modification and URL rewriting.

• Configure a content filter with the "Redirect to Cisco Security Proxy" action.

Note that, if the verdict of a URL (clean or malicious) was unknown at the time when the end user clicked it, the status is shown as unknown. This could be because the URL was under further scrutiny or the web server was down or not reachable at the time of the user click.

• The number of times end users clicked on a rewritten URL. Click on a number to view a list of all the messages that contain the clicked URL.
• While using Web Interaction Tracking reports, keep in mind the following limitations:
  • If you have configured a content or message filter to deliver messages after rewriting malicious URLs and notify another user (for example, an administrator), the web interaction tracking data of the original recipient is incremented even if the notified user clicks on the rewritten URLs.
  • If you are sending a copy of quarantined messages containing rewritten URLs to a user (for example, an administrator) using web interface, the web interaction tracking data of the original recipient is incremented even if the user (to whom the copy of the messages were sent) clicks on the rewritten URLs.
  • At any point, if you plan to modify the time of your appliance , make sure that the system time is synchronized with Coordinated Universal Time (UTC).

See Monitoring Forged Email Detection Results.

For the following reports, see File Reputation and File Analysis Reporting and Tracking:

• Advanced Malware Protection
• File Analysis
• AMP Verdict Updates

You can view the details of the mailbox remediation results using the Mailbox Auto Remediation report page (Monitor > Mailbox Auto Remediation). Use this report to view details such as:

• Remedial actions taken on messages
• The filenames associated with a SHA-256 hash
• A list of profile names defined for the recipients for whom the mailbox remediation was successful or unsuccessful
• Reason for the remediation failure
• No profile mapped to the domain

Click on a SHA-256 hash to view the related messages in Message Tracking.

For more information, see Remediating Messages in Mailboxes

The TLS Connections pages shows the overall usage of TLS connections for sent and received mail. The report also shows details for each domain sending mail using TLS connections.

The TLS Connections page can be used to determine the following information:

• Overall, what portion of incoming and outgoing connections use TLS?

• What partners do I have successful TLS connections with?

• What partners do I have unsuccessful TLS connections with?

• What partners do I have successful TLS connections with DANE support?

• What partners do I have unsuccessful TLS connections with DANE support?

• What partners have issue with their TLS certificates?

• What percent of overall mail with a partner uses TLS?

• What percent of outgoing TLS connections with DANE support are successful?

• What percent of outgoing connections with DANE support are unsuccessful?

The TLS Connections page is divided into a section for incoming connections and a section for outgoing connections. Each section includes a graph, summaries, and a table with details.

The graph displays a view of incoming or outgoing TLS-encrypted and non-encrypted connections over the time range you specify. The graph displays the total volume of messages, the volume of encrypted and unencrypted messages, the volume of successful and failed TLS encrypted messages and the volume of successful and failed DANE connections. The graphs distinguish between connections in which TLS was required and connections in which TLS was merely preferred.

The table displays details for domains sending or receiving encrypted messages. For each domain, you can view the number of required and preferred TLS connections that were successful and that failed, the total number of TLS connections attempted (whether successful or failed), the total number of unencrypted connections, and the total number of unencrypted connections, and the total number of DANE connections (depending on whether successful or failed). You can also view the percentage of all connections in which TLS was attempted, and the total number of encrypted messages sent successfully, regardless of whether TLS was preferred or required. You can show or hide columns by clicking the Columns link at the bottom of this table.

The Inbound SMTP Authentication page shows the use of client certificates and the SMTP AUTH command to authenticate SMTP sessions between the appliance and users’ mail clients. If the appliance accepts the certificate or SMTP AUTH command, it will establish a TLS connection to the mail client, which the client will use to send a message. Since it is not possible for the appliance to track these attempts on a per-user basis, the report shows details on SMTP authentication based on the domain name and domain IP address.

Use this report to determine the following information:

• Overall, how many incoming connection use SMTP authentication?
• How many connections use a client certificated?
• How many connections use SMTP AUTH?
• What domains are failing to connect when attempting to use SMTP authentication?
• How many connections are successfully using the fall-back when SMTP authentication fails?

The Inbound SMTP Authentication page includes a graph for received connections, a graph for mail recipients who attempted an SMTP authentication connection, and a table with details on the attempts to authenticate connections.

The Received Connections graph shows the incoming connections from mail clients that attempt to authentication their connections using SMTP authentication over the time range you specify. The graph displays the total number of connections the appliance received, the number that did not attempt to authenticate using SMTP authentication, the number that failed and succeeded to authenticate the connection using a client certificate, and the number that failed and succeeded to authenticate using the SMTP AUTH command.

The Received Recipients graph displays the number of recipients whose mail clients attempted to authenticate their connections to the appliances to send messages using SMTP authentication. The graph also show the number of recipients whose connections were authenticated and the number of recipients whose connections were not authenticated.

The SMTP Authentication details table displays details for the domains whose users attempt to authenticate their connections to the appliance to send messages. For each domain, you can view the number of connection attempts using a client certificate that were successful or failed, the number of connection attempts using the SMTP AUTH command that were successful or failed, and the number that fell back to the SMTP AUTH after their client certificate connection attempt failed. You can use the links at the top of the page to display this information by domain name or domain IP address.

Rate Limiting by envelope sender allows you to limit the number of email message recipients per time interval from an individual sender, based on the mail-from address. The Rate Limits report shows you the senders who most egregiously exceed this limit.

Use this report to help you identify the following:

• Compromised user accounts that might be used to send spam in bulk.
• Out-of-control applications in your organization that use email for notifications, alerts, automated statements, etc.
• Sources of heavy email activity in your organization, for internal billing or resource-management purposes.
• Sources of large-volume inbound email traffic that might not otherwise be considered spam.

Note that other reports that include statistics for internal senders (such as Internal Users or Outgoing Senders) measure only the number of messages sent; they do not identify senders of a few messages to a large number of recipients.

The Top Offenders by Incident chart shows the envelope senders who most frequently attempted to send messages to more recipients than the configured limit. Each attempt is one incident. This chart aggregates incident counts from all listeners.

The Top Offenders by Rejected Recipients chart shows the envelope senders who sent messages to the largest number of recipients above the configured limit. This chart aggregates recipient counts from all listeners.

To configure rate limiting by envelope sender or modify the existing rate limit, see Defining Rules for Incoming Messages Using a Mail Flow Policy.

The System Capacity page provides a detailed representation of the system load, including messages in the work queue, average time spent in the work queue, incoming and outgoing messages (volume, size, and number), overall CPU usage, CPU usage by function, and memory page swapping information.

The system capacity page can be used to determine the following information:

• Identify when an appliance is exceeding recommended capacity and configuration optimization or additional appliances are needed.
• Identify historical trends in system behavior which point to upcoming capacity issues.
• Identify which part of the system is using the most resources to assist with troubleshooting.

It is important to monitor your appliance to ensure that your capacity is appropriate to your message volumes. Over time, volume will inevitably rise and appropriate monitoring will ensure that additional capacity or configuration changes can be applied proactively. The most effective way to monitor system capacity is to track overall volume, messages in the work queue and incidents of Resource Conservation Mode.

• Volume: It is important to have an understanding of the “normal” message volume and the “usual” spikes in your environment. Track this data over time to measure volume growth. You can use the Incoming Mail and Outgoing Mail pages to track volume over time. For more information, see System Capacity- Incoming Mail and System Capacity-Outgoing Mail.
• Work Queue: The work queue is designed to work as a “shock absorber”-- absorbing and filtering spam attacks and processing unusual increases in ham messages. However, the work queue is also the best indicator of a system under stress, prolonged and frequent work queue backups may indicate a capacity problem. You can use the WorkQueue page to track the average time messages spend in the work queue and the activity in your work queue. For more information, see System Capacity- Workqueue.
• Resource Conservation Mode: When an appliance becomes overloaded, it will enter “Resource Conservation Mode” (RCM) and send a CRITICAL system alert. This is designed to protect the device and allow it to process any backlog of messages. Your appliance should enter RCM infrequently and only during a very large or unusual increase in mail volume. Frequent RCM alerts may be an indication that the system is becoming overloaded. See System Capacity-System Load.

The System Status page provides a detailed representation of all real-time mail and DNS activity for the system. The information displayed is the same information that is available by using the status detail and dnsstatus commands in the CLI. For more information, see “Monitoring Detailed Email Status” for the status detail command and “Checking the DNS Status” for the dnsstatus command in Managing and Monitoring Using the CLI

The System Status page is comprised of four sections: System Status, Gauges, Rates, and Counters.

Note	The High Volume Mail page shows data only from message filters that use Header Repeats rule.

The High Volume Mail page contains the following reports in the form of bar charts:

• Top Subjects. You can use this chart to understand the top subjects of messages that AsyncOS received.
• Top Envelope Senders. You can use this chart to understand the top envelope senders of messages that AsyncOS received.
• Top Message Filters by Number of Matches. You can use this chart to understand the top message filter (that uses Header Repeats rule) matches.

The High Volume Mail page also provides a tabular representation of the top message filters and the number of matches for the respective message filters. Click on the number to view a list of all the messages that are included in that number using Message Tracking.

You can select a time range on which to report, such as an hour, a week, or a custom range. As with all reports, you can export the data for the graphs or the details listing to CSV format via the Export link or PDF format by clicking the Printable (PDF) link.

The Message Filters page shows information about the top message filter matches (which message filter had the most matching messages) in two forms: a bar chart and a tabular representation.

Using the bar chart, you can find the message filters that are being triggered the most by incoming and outgoing messages. The tabular representation shows the top message filters and the number of matches for the respective message filters. Click on the number to view a list of all the messages that are included in that number using Message Tracking.

You can select a time range on which to report, such as an hour, a week, or a custom range. As with all reports, you can export the data for the graphs or the details listing to CSV format via the Export link or PDF format by clicking the Printable (PDF) link.

You can use the Safe Print report page to view:

• Number of safe-printed attachments based on the file type in graphical format.

• Summary of safe-printed attachments based on the file type in tabular format.

In the ‘Summary of Safe Print File Types’ section, click the total number of safe-printed attachments to view the message details in Message Tracking.

You can retrieve the data used to build the charts and graphs in the Email Security Monitor in CSV format. The CSV data can be accessed in two ways:

• CSV reports delivered via email. You can generate a CSV report that is delivered via email or archived. This delivery method is useful when you want separate reports for each table represented on an Reports page, or when you want to send CSV data to users who do not have access to internal networks.

  The comma-separated values (CSV) Report Type is an ASCII text file which contains the tabular data of the scheduled report. Each CSV file may contain up to 100 rows. If a report contains more than one type of table, a separate CSV file will be created for each table. Multiple CSV files for a single report will be compressed into a single .zip file for the archived file storage option or will all be attached to separate e-mail messages for e-mail delivery.

• CSV files retrieved via HTTP. You can retrieve the data used to build the charts and graphs in the Email Security Monitor feature via HTTP. This delivery method is useful if you plan to perform further analysis on the data via other tools. You can automate the retrieval of this data, for example, by an automatic script that will download raw data, process, and then display the results in some other system.

Many of the interactive email reporting pages include a ‘Search For:’ drop-down menu at the bottom of the page.

From the drop-down menu, you can search for several types of criteria, including the following:

• IP address
• Domain
• Network owner
• Internal user
• Destination domain
• Internal sender domain
• Internal sender IP address
• Incoming TLS domain
• Outgoing TLS domain

• SHA-256

For most searches, choose whether to exactly match the search text or look for items starting with the entered text (for example, starts with “ex” will match “example.com”).

For IPv4 searches, the entered text is always interpreted as the beginning of up to four IP octets in dotted decimal format. For example, ‘17.*’ will search in the range 17.0.0.0 through 17.255.255.255, so it will match 17.0.0.1 but not 172.0.0.1. For an exact match search, enter all four octets. IP address searches also support Classless Inter-Domain Routing (CIDR) format (17.16.0.0/12).

For IPv6 searches, you can enter addresses using the formats in the following examples:

• 2001:db8:2004:4202::0-2001:db8:2004:4202::ff
• 2001:db8:2004:4202::
• 2001:db8:2004:4202::23
• 2001:db8:2004:4202::/64

The Email Security Monitor feature constantly records data about the mail flowing into your gateway. The data are updated every 60 seconds, but the display shown is delayed by 120 seconds behind the current system time. You can specify the time range to include in the results shown. Because the data is monitored in real time, information is periodically updated and summarized in the database.

Choose from the time range options in the following table.

You can create a custom report page by assembling charts (graphs) and tables from all your existing email security reports, on the My Reports page.

The Mail Flow Summary report page provides a synopsis of the email message activity from your appliance . The Mail Flow Summary report page includes graphs and summary tables for the incoming and outgoing messages.

The Mail Flow Summary: Incoming report page shows the incoming mail graphs for the total number of messages that are processed and blocked by the appliance , as well as the summary of the incoming mails.

You can use the mail trend graphs on this page to monitor the flow of all the incoming mails that are processed and blocked by your appliances , based on the selected time range. For more information, see Time Range for Reports.

To search for specific information within your data, see Searching and the Interactive Email Report Pages

The following mail trend graphs provide a visual representation of the incoming mail flow:

• Threat Detection Summary

• Content Summary

You can view the mail trend of the incoming messages based on the required counters for the respective categories. For more information, see Using Counters to Filter Data on the Trend Graphs.

The Mail Flow Summary: Outgoing report page shows the outgoing mail graphs for the total number of messages that are processed and delivered by the appliance , as well as the summary of the outgoing mail.

You can use the mail trend graphs on this page to monitor the flow of all the outgoing mails that are processed and delivered by your appliances , based on the selected time range. For more information, see Time Range for Reports.

The following mail trend graphs provide a visual representation of the mail flow of the Outgoing Mails.

You can view the mail trend of the outgoing messages based on the required counters of the processed messages. For more information, see Using Counters to Filter Data on the Trend Graphs.

The following list explains the various sections on the Mail Flow Summary report page:

The System Capacity page provides a detailed representation of the system load, including messages in the work queue, average time spent in the work queue, incoming and outgoing messages (volume, size, and number), overall CPU usage, CPU usage by function, and memory page swapping information.

The system capacity page can be used to determine the following information:

• Identify when an appliance is exceeding recommended capacity and configuration optimization or additional appliances are needed.
• Identify historical trends in system behavior which point to upcoming capacity issues.
• Identify which part of the system is using the most resources to assist with troubleshooting.

It is important to monitor your appliance to ensure that your capacity is appropriate to your message volumes. Over time, volume will inevitably rise and appropriate monitoring will ensure that additional capacity or configuration changes can be applied proactively. The most effective way to monitor system capacity is to track overall volume, messages in the work queue and incidents of Resource Conservation Mode.

• Volume: It is important to have an understanding of the “normal” message volume and the “usual” spikes in your environment. Track this data over time to measure volume growth. You can use the Incoming Mail and Outgoing Mail pages to track volume over time. For more information, see System Capacity- Incoming Mail and System Capacity-Outgoing Mail.
• Work Queue: The work queue is designed to work as a “shock absorber”-- absorbing and filtering spam attacks and processing unusual increases in ham messages. However, the work queue is also the best indicator of a system under stress, prolonged and frequent work queue backups may indicate a capacity problem. You can use the WorkQueue page to track the average time messages spend in the work queue and the activity in your work queue. For more information, see System Capacity- Workqueue.
• Resource Conservation Mode: When an appliance becomes overloaded, it will enter “Resource Conservation Mode” (RCM) and send a CRITICAL system alert. This is designed to protect the device and allow it to process any backlog of messages. Your appliance should enter RCM infrequently and only during a very large or unusual increase in mail volume. Frequent RCM alerts may be an indication that the system is becoming overloaded. See System Capacity-System Load.

The Reporting Data Availability page allows you to view data to provide real-time visibility into resource utilization and email traffic trouble spots.

All data resource utilization and email traffic trouble spots are shown from this page, including the data availability for the overall appliances that are managed by the Security Management appliance .

From this report page you can also view the data availability for a specific appliance and time range.

Advanced Malware Protection protects against zero-day and targeted file-based threats in email attachments by:

• Obtaining the reputation of known files.

• Analyzing behavior of certain files that are not yet known to the reputation service.

• Evaluating emerging threats as new information becomes available, and notifying you about files that are determined to be threats after they have entered your network.

This feature is available for incoming and outgoing messages.

For more information on the file reputation filtering and file analysis, see the User Guide or Online Help for AsyncOS for Email Security Appliances .

To view the report page, select Advanced Malware Protection from the File and Malware Reports section of the Reports drop-down.

The Advanced Malware Protection report page shows the following reporting views:

• Advanced Malware Protection – Summary

• Advanced Malware Protection – AMP Reputation

• Advanced Malware Protection – File Analysis

• Advanced Malware Protection – File Retrospection

• Advanced Malware Protection – Mailbox Auto Remediation

The Advanced Malware Protection report page displays a metrics bar that provides real time data of the appliance connected to the Cisco Threat Grid appliance.

Note	You must use the trailblazerconfig > enable command on the CLI to populate data on the metrics bar. For more information, see the Cisco Email Security Command Reference Guide. You can only view the data from the Cisco Threat Grid appliance for the day, week and month.

The Virus Filtering page provides an overview of the viruses entering and being sent from your network. The Virus Filtering page displays the viruses that have been detected by the virus scanning engines running on your appliance. You might want to use this report to take a specific action against a particular virus. For example, if you see that you are receiving a high volume of a viruses known to be embedded in PDF files, you might want to create a filter action to quarantine messages with PDF attachments.

If you run multiple virus scanning engines, the Virus Filtering page includes results from all enabled virus scanning engines. The name of the virus displayed on the page is a name determined by the virus scanning engines. If more than one scanning engine detects a virus, it is possible to have more than one entry for the same virus.

The Virus Filtering page gives you an overview of the viruses entering or being sent from or to your network. The Top Incoming Virus Detected section shows a chart view of the viruses that have been sent to your network in descending order. The Top Outgoing Virus Detected section shows a chart view of the viruses that have been sent from your network in descending order.

Note

To see which hosts sent virus-infected messages to your network, you can go to the Incoming Mail page, specify the same reporting period and sort by virus-positive. Similarly, to see which IP addresses have sent virus-positive email within your network, you can view the Outgoing Senders page and sort by virus-positive messages.

The VirusTypes Details listing displays information about specific viruses, including the infected incoming and outgoing messages, and the total infected messages. The details listing for infected incoming messages displays the name of the virus and the number of incoming messages infected with this virus. Similarly, the outgoing messages displays the name of the virus and the number of outgoing messages infected with the virus. You can sort the Virus Type details by Incoming Messages, Outgoing Messages, or Total Infected Messages.

You can use the Macro Detection report page to view:

• Top and summary of Incoming Macro-Enabled Attachments by File Type in graphical and tabular format.

• Top and summary Outgoing Macro-Enabled Attachments by File Type in graphical and tabular format.

You can click on the number of macro-enabled attachments to view the related messages in Message Tracking.

To view the Macro Detection report page on the appliance , select Macro Detection from the Reports drop-down.

Note

During report generation: If one or more macros are detected within an archive file, the Archive Files file type is incremented by one. The number of macro-enabled attachments within an archive file are not counted. If one or more macros are detected within an embedded file, the parent file type is incremented by one. The number of macro-enabled attachments within an embedded file are not counted.

The DMARC Verification page shows the top domains that failed DMARC verification and the details of actions AsyncOS performed on the messages that failed DMARC verification. You can use this report to fine-tune your DMARC settings and answer these kinds of questions:

• Which are the domains that sent maximum number of messages that are not DMARC compliant?
• For each domain, what are the actions AsyncOS performed on the messages that failed DMARC verification?

The DMARC Verification page contains:

• A graphical representation showing top domains by DMARC verification failures.
• Tabular representation of the following, for each domain:
  • Number of messages that were rejected, quarantined, or accepted without taking any action. Click the number to view a list of messages under the selected category.
  • Number messages that passed DMARC verification.
  • Total number of DMARC verification attempts.

You can select a time range on which to report, such as an hour, a week, or a custom range. As with all reports, you can export the data for the graphs or the details listing to CSV format via the Export link.

• URL Filtering report modules are populated only if URL filtering is enabled.

• URL Filtering reports are available for incoming and outgoing messages.

• Only messages that are scanned by the URL filtering engine (either as part of anti-spam/outbreak filter scanning or through message/content filters) are included in these modules. However, not all of the results are necessarily specifically attributable to the URL Filtering feature.

• The Top URL Categories module includes all categories found in messages that have been scanned, whether or not they match a content or message filter.

• Each message can be associated with only one URL reputation level. For messages with multiple URLs, the statistics reflect the lowest reputation of any URL in the message.

• URLs in the global allowed list configured at Security Services > URL Filtering are not included in reports.

  URLs in allowed lists used in individual filters are included in reports.

• Malicious URLs are URLs that Outbreak Filters have determined to have poor reputation. Neutral URLs are those that Outbreak Filters have determined to require click-time protection. Neutral URLs have therefore been rewritten to redirect them to the Cisco Web Security proxy.

• Results of URL category-based filters are reflected in content and message filter reports.

• Results of click-time URL evaluations by the Cisco Web Security proxy are not reflected in reports.

The Outbreak Filtering report page shows information about recent outbreaks and messages quarantined due to Outbreak Filters. You can use this page to monitor your defense against targeted virus, scam, and phishing attacks.

Use the Outbreak Filtering report page to answer the following types of questions:

• How many messages are quarantined and by which Outbreak Filters rule?

• How long do messages stay in the Outbreak Quarantine?

• Which potentially malicious URLs are most frequently seen?

To view the Outbreak Filtering report page , select Outbreak Filtering from the Reports drop-down.

The following table explains the various sections on the Outbreak Filtering report page:

Note	In order to correctly populate the tables on the Outbreak Filtering report page, the appliance must be able to communicate with the Cisco update servers.

The Forged Email Detection page includes the following reports:

• Top Forged Email Detection. Displays the top ten users in the content dictionary that matched the forged From: header in the incoming messages.

• Forged Email Detection: Details. Displays a list of all the users in the content dictionary that matched the forged From: header in the incoming messages and for a given user, the number of messages matched.

To view the Forged Email Detection report page on the Security Management appliance, select Forged Email Detection from the Reports drop-down.

The Forged Email Detection reports are populated only if you are using the Forged Email Detection content filter or the forged-email-detection message filter.

From the Forged Email Detection report page you can export raw data to a CSV file. Click Export link on the top of a report page. Select the required report module that you want to export and click Download.

You can use the Sender Domain Reputation report page to view:

• Incoming messages based on the verdict received from the SDR service in graphical format.

• Incoming messages based on the threat category received from the SDR service in graphical format.

  Note	Only the messages whose SDR verdict is 'awful' or 'poor' are classified under the SDR threat category, such as, 'spam,' 'malicious,' etc.

• Summary of incoming messages based on the threat category received from the SDR service in tabular format.

To view the Sender Domain Reputation report page on the Security Management appliance, select Sender Domain Reputation from the Reports drop-down.

You can use the External Threat Feeds report page to view:

• Top ETF sources used to detect threats in messages in graphical format

• Summary of ETF sources used to detect threats in messages in tabular format.

• Top IOCs that matched threats detected in messages in graphical format.

• Top ETF sources used to filter malicious incoming mail connections in graphical format.

• Summary of ETF sources used to filter malicious incoming mail connections in tabular format.

In the ‘Summary of External Threat Feed Sources’ section:

• You can click on the number of messages for a particular ETF source to view the related messages in Message Tracking.

• You can click on a particular threat feed source to view the distribution of the ETF source based on the IOCs.

In the ‘Summary of Indicator of Compromise (IOC) Matches’ section:

• You can click on the number of IOCs for a particular ETF source to view the related messages in Message Tracking.

• You can click on a particular IOC to view the distribution of the IOC based on the ETF sources.

To view the External Threat Feeds report page, select External Threat Feeds from the Reports drop-down.

The Mail Flow Details report page provides interactive reporting on the real-time information for all remote hosts connecting to your managed Security Management appliances . You can gather information about the IP addresses, domains, and network owners (organizations) sending mail to your system. You can also gather information about the IP addresses and domains of the outgoing senders.

To view the Mail Flow Details report page, select Mail Flow Details from the Reports drop-down.

The Mail Flow Details report page has the following tabs:

• Incoming Mails

• Outgoing Senders

To search for specific information within your data, see Searching and the Interactive Email Report Pages.

From the Incoming Mails tab, you can:

• View the top senders by total threat messages in graphical format.

• View the top senders by clean messages in graphical format.

• View the top senders by graymail messages in graphical format.

• See the IP addresses, domains, or network owners (organizations) that have sent mail to your Security Management appliances .

• See detailed statistics on senders that have sent mail to your appliances . The statistics include the number of connections (accepted or rejected), attempted messages broken down by security service (sender reputation filtering, anti-spam, anti-virus, and so forth), total threat messages, total graymails and clean messages.

• See the Incoming Mails interactive table for the detailed information about the particular IP address, domain, or network owner (organization). For more information, see Incoming Mails Table.

  If your access privileges allow you to view Message Tracking data for the messages that populate this report, click a number hyperlink in the table.

From the Outgoing Senders tab, you can:

• View the top senders by total threat messages in graphical format.

• View the top senders by clean messages in graphical format.

• View the top senders (by IP address or domain) of outgoing threat messages (spam, antivirus, etc.) in your organization.

• See detailed statistics on senders that have sent mail from your appliances . The statistics include the total threat messages broken down by security service (sender reputation filtering, anti-spam, anti-virus, and so forth) and clean messages.

• See the Sender Details interactive table for detailed information about the particular IP address or domain. For more information, see Sender Details Table.

  If your access privileges allow you to view Message Tracking data for the messages that populate this report, click a number hyperlink in the table.

The Sender Groups report provides a summary of connections by sender group and mail flow policy action, allowing you to review SMTP connection and mail flow policy trends. The Mail Flow by Sender Group listing shows the percentage and number of connections for each sender group. The Connections by Mail Flow Policy Action chart shows the percentage of connections for each mail flow policy action. This page provides an overview of the effectiveness of your Host Access Table (HAT) policies. For more information about the HAT, see Configuring the Gateway to Receive Email.

The Outgoing Destinations page provides information about the domains your company sends mail to. The page consists of two sections. The top half of the page consists of graphs depicting the top destinations by outgoing threat messages and top destinations by outgoing clean messages on the top half of the page. The bottom half of the page displays a chart showing all the columns sorted by total recipients (default setting).

You can select a time range on which to report, such as a day, a week, or a custom range. As with all reports, you can export the data for the graphs or the details listing to CSV format via the Export link.

The Outgoing Destinations page can be used to answer the following types of questions:

• What domains is the appliance sending mail to?
• How much mail is sent to each domain?
• How much of that mail is clean, spam-positive, virus-positive, malware or stopped by a content filter?
• How many messages are delivered and how many messages are hard-bounced by the destination server?

The TLS Encryption pages shows the overall usage of TLS Encryption for sent and received mail. The report also shows details for each domain sending mail using TLS connections.

The TLS Encryption page can be used to determine the following information:

• Overall, what portion of incoming and outgoing connections use TLS?

• What partners do I have successful TLS connections with?

• What partners do I have unsuccessful TLS connections with?

• What partners do I have successful TLS connections with DANE support?

• What partners do I have unsuccessful TLS connections with DANE support?

• What partners have issue with their TLS certificates?

• What percent of overall mail with a partner uses TLS?

• What percent of outgoing TLS connections with DANE support are successful?

• What percent of outgoing connections with DANE support are unsuccessful?

The TLS Encryption page is divided into a section for incoming connections and a section for outgoing connections. Each section includes a graph, summaries, and a table with details.

The graph displays a view of incoming or outgoing TLS-encrypted and non-encrypted connections over the time range you specify. The graph displays the total volume of messages, the volume of encrypted and unencrypted messages, the volume of successful and failed TLS encrypted messages and the volume of successful and failed DANE connections. The graphs distinguish between connections in which TLS was required and connections in which TLS was merely preferred.

The table displays details for domains sending or receiving encrypted messages. For each domain, you can view the number of required and preferred TLS connections that were successful and that failed, the total number of TLS connections attempted (whether successful or failed), the total number of unencrypted connections, and the total number of unencrypted connections, and the total number of DANE connections (depending on whether successful or failed). You can also view the percentage of all connections in which TLS was attempted, and the total number of encrypted messages sent successfully, regardless of whether TLS was preferred or required. You can show or hide columns by Customize Columns icon at the top right side of the table.

The Inbound SMTP Authentication page shows the use of client certificates and the SMTP AUTH command to authenticate SMTP sessions between the appliance and users’ mail clients. If the appliance accepts the certificate or SMTP AUTH command, it will establish a TLS connection to the mail client, which the client will use to send a message. Since it is not possible for the appliance to track these attempts on a per-user basis, the report shows details on SMTP authentication based on the domain name and domain IP address.

Use this report to determine the following information:

• Overall, how many incoming connection use SMTP authentication?
• How many connections use a client certificated?
• How many connections use SMTP AUTH?
• What domains are failing to connect when attempting to use SMTP authentication?
• How many connections are successfully using the fall-back when SMTP authentication fails?

The Inbound SMTP Authentication page includes a graph for received connections, a graph for mail recipients who attempted an SMTP authentication connection, and a table with details on the attempts to authenticate connections.

The Received Connections graph shows the incoming connections from mail clients that attempt to authentication their connections using SMTP authentication over the time range you specify. The graph displays the total number of connections the appliance received, the number that did not attempt to authenticate using SMTP authentication, the number that failed and succeeded to authenticate the connection using a client certificate, and the number that failed and succeeded to authenticate using the SMTP AUTH command.

The Received Recipients graph displays the number of recipients whose mail clients attempted to authenticate their connections to the appliances to send messages using SMTP authentication. The graph also show the number of recipients whose connections were authenticated and the number of recipients whose connections were not authenticated.

The SMTP Authentication details table displays details for the domains whose users attempt to authenticate their connections to the appliance to send messages. For each domain, you can view the number of connection attempts using a client certificate that were successful or failed, the number of connection attempts using the SMTP AUTH command that were successful or failed, and the number that fell back to the SMTP AUTH after their client certificate connection attempt failed. You can use the tabs at the top of the page to display this information by domain name or domain IP address.

Rate Limiting by envelope sender allows you to limit the number of email message recipients per time interval from an individual sender, based on the mail-from address. The Rate Limits report shows you the senders who most egregiously exceed this limit.

Use this report to help you identify the following:

• Compromised user accounts that might be used to send spam in bulk.
• Out-of-control applications in your organization that use email for notifications, alerts, automated statements, etc.
• Sources of heavy email activity in your organization, for internal billing or resource-management purposes.
• Sources of large-volume inbound email traffic that might not otherwise be considered spam.

Note that other reports that include statistics for internal senders (such as Internal Users or Outgoing Senders) measure only the number of messages sent; they do not identify senders of a few messages to a large number of recipients.

The Top Offenders by Incident chart shows the envelope senders who most frequently attempted to send messages to more recipients than the configured limit. Each attempt is one incident. This chart aggregates incident counts from all listeners.

The Top Offenders by Rejected Recipients chart shows the envelope senders who sent messages to the largest number of recipients above the configured limit. This chart aggregates recipient counts from all listeners.

To configure rate limiting by envelope sender or modify the existing rate limit, see Defining Rules for Incoming Messages Using a Mail Flow Policy.

You can use the Connections by Country report page to view:

• Top incoming mail connections based on country of origin in graphical format.

• Total incoming mail connections based on country of origin in tabular format.

You can click on the number of incoming mail connections of a specific geolocation to view the related messages in Message Tracking.

The "Total Messages" column only displays those messages that are accepted at the SMTP connection level.

Note

During report generation: If one or more incoming mail connections are detected as private IP address, the incoming mail connections are categorized as “Private IP Addresses” in the report. If one or more incoming mail connections are detected as not a valid IP Reputation score, the incoming mail connections are categorized as ‘No Country Info’ in the report.

The User Mail Sumamry page provides information about the mail sent and received by your internal users, per email address (a single user may have multiple email addresses listed — the email addresses are not combined in the report).

The page consists of two sections:

• Graphs depicting the top users by clean incoming and outgoing messages and top users receiving graymail.

• User mail flow details

You can select a time range on which to report (hour, day, week, or month). As with all reports, you can export the data for the graphs or the details listing to CSV format via the Export link. You can also display hidden table columns or hide default columns by clicking the Customize Column icon on the top right side of the table.

The User Mail Flow Details listing breaks down the mail received and sent by each email address into clean, spam (incoming only), virus, malware, content filter matches, and graymail (incoming only). You can sort the listing by clicking on the column headers.

Using the Internal Users report, you can answer these kinds of questions:

• Who is sending the most external email?

• Who receives the most clean email?

• Who receives the most number of graymail messages?

• Who receives the most spam?

• Who is triggering which content filters?

• Whose email is getting caught by content filters?

Inbound Internal Users are the users for which you received email, based on the Rcpt To: address. Outbound Internal Users are based on the Mail From: address and are useful when tracking the types of email that senders on your internal network are sending.

Note that some outbound mail (like bounces) have a null sender. They are counted under outbound and “unknown.”

Click on an internal user to view the Internal User detail page for that user.

Click the Customize Columns icon on the top right side of the table to show columns that are hidden by default, such as the Incoming Spam Detected by Intelligent Multi-Scan column or Outgoing Spam Detected by Intelligent Multi-Scan column.

The DLP Incident Summary page shows information on the incidents of data loss prevention (DLP) policy violations occurring in outgoing mail. The appliance uses the DLP email policies enabled in the Outgoing Mail Policies table to detect sensitive data sent by your users. Every occurrence of an outgoing message violating a DLP policy is reported as an incident.

Using the DLP Incidents report, you can answer these kinds of questions:

• What type of sensitive data is being sent by your users?

• How severe are these DLP incidents?

• How many of these messages are being delivered?

• How many of these messages are being dropped?

• Who is sending these messages?

The DLP Incident Summary page is comprised of two main sections:

• the DLP incident trend graphs summarizing the top DLP incidents by severity (Low, Medium, High, Critical) and policy matches, and

• the DLP Incidents Details listing.

You can select a time range on which to report, such as an hour, a week, or a custom range. As with all reports, you can export the data for the graphs or the details listing to CSV format via the Export link. For information about generating PDFs in languages other than English, see the Notes on Reports.

Click the name of a DLP policy to view detailed information on the DLP incidents detected by the policy. You can use this method to get a list of users who sent mail that contained sensitive data detected by the policy.

• Web Interaction Tracking report modules are populated only if the web interaction tracking feature is enabled.

• Web Interaction Tracking report modules are not updated in real-time and are refreshed every 30 minutes. Also, after clicking a rewritten URL, it may take up to two hours for the Web Interaction Tracking report to report this event.

• Web Interaction Tracking report is not updated in real-time. After clicking a cloud re-directed rewritten URL, it may take up to two hours for the Web Interaction Tracking report to report this event.

• Web Interaction Tracking reports are available for incoming and outgoing messages.

• Only cloud re-directed rewritten URLs (either by policy or Outbreak Filter) clicked by the end users are included in these modules.

• Web Interaction Tracking page includes the following reports:

Top Malicious URLs clicked by End Users. Click on a URL to view a detailed report that contains the following information:

• A list of end users who clicked on the rewritten malicious URL.

• Date and time at which the URL was clicked.

• Whether the URL was rewritten by a policy or an outbreak filter.

• Action taken (allow, block, or unknown) when the rewritten URL was clicked. Note that, if a URL was rewritten by outbreak filter and the final verdict is unavailable, the status is shown as unknown.

Top End Users who clicked on Malicious URLs

This section displays the summary of the top end users who clicked on the Rewritten Malicious URLs, for incoming and outgoing messages.

Web Interaction Tracking Details. Includes the following information:

• A list of all the cloud re-directed rewritten URLs (malicious and unmalicious). Click on a URL to view a detailed report.

• Action taken (allow, block, or unknown) when a cloud re-directed rewritten URL was clicked.

For the data to show up, perform the following:

• Choose Incoming Mail Policies > Outbreak Filters to configure an outbreak filter and enable message modification and URL rewriting.

• Configure a content filter with the "Redirect to Cisco Security Proxy" action.

Note that, if the verdict of a URL (clean or malicious) was unknown at the time when the end user clicked it, the status is shown as unknown. This could be because the URL was under further scrutiny or the web server was down or not reachable at the time of the user click.

• The number of times end users clicked on a rewritten URL. Click on a number to view a list of all the messages that contain the clicked URL.

• While using Web Interaction Tracking reports, keep in mind the following limitations:

  • If you have configured a content or message filter to deliver messages after rewriting malicious URLs and notify another user (for example, an administrator), the web interaction tracking data of the original recipient is incremented even if the notified user clicks on the rewritten URLs.

  • If you are sending a copy of quarantined messages containing rewritten URLs to a user (for example, an administrator) using web interface, the web interaction tracking data of the original recipient is incremented even if the user (to whom the copy of the messages were sent) clicks on the rewritten URLs.

  • At any point, if you plan to modify the time of your appliance , make sure that the system time is synchronized with Coordinated Universal Time (UTC).

You can use the Remediation report to monitor the remediation results for Mailbox Auto Remediation and Mailbox Search and Remediate.

The following list explains the various sections on the Rate Limit report:

The Message Filters page shows information about the top message filter matches (which message filter had the most matching messages) in two forms: a bar chart and a tabular representation.

Using the bar chart, you can find the message filters that are being triggered the most by incoming and outgoing messages. The tabular representation shows the top message filters and the number of matches for the respective message filters. Click on the number to view a list of all the messages that are included in that number using Message Tracking.

You can select a time range on which to report, such as an hour, a week, or a custom range. As with all reports, you can export the data for the graphs or the details listing to CSV format via the Export link.

Note	The High Volume Mail page shows data only from message filters that use Header Repeats rule.

The High Volume Mail page contains the following reports in the form of bar charts:

• Top Subjects. You can use this chart to understand the top subjects of messages that AsyncOS received.
• Top Envelope Senders. You can use this chart to understand the top envelope senders of messages that AsyncOS received.
• Top Message Filters by Number of Matches. You can use this chart to understand the top message filter (that uses Header Repeats rule) matches.

The High Volume Mail page also provides a tabular representation of the top message filters and the number of matches for the respective message filters. Click the number to view a list of all the messages that are included in that number using Message Tracking.

You can select a time range on which to report, such as an hour, a week, or a custom range. As with all reports, you can export the data for the graphs or the details listing to CSV format via the Export link.

The Content Filters page shows information about the top incoming and outgoing content filter matches (which content filter had the most matching messages) in two forms: a bar chart and a listing. Using the Content Filters page, you can review your corporate policies on a per-content filter or per-user basis and answer questions like:

• Which content filter is being triggered the most by incoming or outgoing mail?

• Who are the top users sending or receiving mail that is triggering a particular content filter?

You can click the name of the content filter in the listing to view more information about that filter on the Content Filter detail page.

You can use the Safe Print report page to view:

• Number of safe-printed attachments based on the file type in graphical format.

• Summary of safe-printed attachments based on the file type in tabular format.

In the ‘Summary of Safe Print File Types’ section, click the total number of safe-printed attachments to view the message details in Message Tracking.

The Reports > Mail Flow Summary > Advanced Phishing Protection report page displays the following:

• Total number of messages successfully forwarded to the Cisco Advanced Phishing Protection cloud service.

• Total number of messages that are not forwarded to the Cisco Advanced Phishing Protection cloud service.

  Note	If the forwarding of message metadata has failed, you must validate the configurations of the Advanced Phishing Protection feature. For more information, see How to Integrate Email Gateway with the Cisco Advanced Phishing Protection Cloud Service

You can use the Advanced Phishing Protection report page to view:

• Total number of messages that are sent from all appliances at the organizational level to the Cisco Advanced Phishing Protection cloud service in a dashboard.

• Total number of messages attempted to be forwarded to the Cisco Advanced Phishing Protection cloud service, in a graphical format.

To view the detailed information on the metadata of the message that is forwarded to the Cisco Advanced Phishing Protection cloud service, click on the link and login to the Cisco Advanced Phishing Protection cloud service. For more information, see Monitoring Message Metadata on the Cisco Advanced Phishing Protection Cloud Service.

You can choose from the following report types:

• AMP Reputation
• Advanced Malware Protection File Analysis
• Advanced Malware Protection File Retrospection
• Connections by Country
• Content Filters
• DLP Incident Summary
• DMARC Verification Report
• Delivery Status
• Executive Summary
• External Threat Feeds
• Forged Email Detection
• High Volume Mail
• Inbound SMTP Authentication
• Marco Detection
• Mail Flow Summary:Incoming
• Mailbox Auto Remediation
• Mail Flow Details (Outgoing senders: domain)
• Mail Flow Summary: Outgoing
• Message Filters
• My Email Reports
• Outgoing Destinations
• Rate Limits
• Sender Domain Reputation
• Sender Groups
• System Capacity
• TLS Encryption
• User Mail Summary
• URL Filtering
• Outbreak Filters
• Virus Filtering
• Web Interaction

Each of the reports consists of a summary of the corresponding Email Security Monitor page.

To set the return address for reports, see Configuring the Return Address for Appliance Generated Messages. From the CLI, use the addressconfig command.

Scheduled reports can be scheduled to run on a daily, weekly, or monthly basis. You can select a time at which to run the report. Regardless of when you run a report, it will only include data for the time period that you specify, for example the past 3 days or the previous calendar month. Note that a daily report scheduled to run at 1AM will contain data for the previous day, midnight to midnight.

Your appliance ships with a default set of scheduled reports —you can use, modify, or delete any of them.

The Monitor > Archived Reports page lists the available archived reports. You can view a report by clicking its name in the Report Title column. You can generate a report immediately by clicking Generate Report Now

Use the Show menu to filter which type of reports is listed. Click the column headings to sort the listing.

Archived reports are deleted automatically — up to 30 instances of each scheduled report (up to 1000 reports) are kept and as new reports are added, older ones are deleted to keep the number at 1000. The 30 instances limit is applied to each individual scheduled report, not report type.

Problem

Drilling down from a report to view details in message tracking yields unexpected results.

Solution

This can occur if reporting and message tracking were not simultaneously enabled, functioning properly, and storing data locally (as opposed to being stored centrally on a Security Management appliance ). Data for each feature (reporting and message tracking) is stored only while that feature is enabled and functioning on that appliance , independently of whether the other feature (reporting or message tracking) is enabled and functioning. Therefore, reports may include data that is not available in Message Tracking and vice-versa.

Problem

Complete file analysis results in the public cloud are not available for files uploaded from other appliances in my organization.

Solution

Be sure to group all appliances that will share file analysis result data. See (Public Cloud File Analysis Services Only) Configuring Appliance Groups. This configuration must be done on each appliance in the group.