• Enabling Centralized Email Reporting on the Legacy Web Interface

• Enabling Centralized Email Reporting on the New Web Interface

You must enable centralized email reporting on each managed Email Security appliance appliance.

For instructions, see the “Configuring an Email Security Appliance to Use Centralized Reporting” section of the documentation or online help for your Email Security appliance.

The Email > Reporting > Overview page on the Security Management appliance provides a synopsis of the email message activity from your Email Security appliances. The Overview page includes graphs and summary tables for the incoming and outgoing messages.

At a high level the Overview page shows you the incoming and outgoing mail graphs, and well as incoming and outgoing mail summaries.

The mail trend graphs provide a visual representation of the mail flow. You can use the mail trend graphs on this page to monitor the flow of all mail into and out of your appliances.

Note	The Domain-Based Executive Summary Report and the Executive Summary report are based on the Email Reporting Overview Page. For more information, see the Domain-Based Executive Summary Report and Executive Summary Report

The Email > Reporting > Incoming Mailpage on the Security Management appliance provides interactive reporting on the real-time information for all remote hosts connecting to your managed Security Management appliances. You can gather information about the IP addresses, domains, and network owners (organizations) sending mail to your system. You can also perform a Sender Profile search on IP addresses, domains, or organizations that have sent mail to you.

The Incoming Mail Details interactive table displays detailed information about the particular IP address, domain, or network owner (organization). You can access a Sender Profile page for any IP address, domain, or network owner by clicking the corresponding link at the top of the Incoming Mail page, or on other Sender Profile pages.

From the Incoming Mail pages you can:

• Perform a search on IP addresses, domains, or network owners (organizations) that have sent mail to your Security Management appliances. See Searching and the Interactive Email Report Pages.
• View the Sender Groups report to monitor connections according to the specific sender group and mail flow policy actions. See the Sender Groups Report Page for more information.
• See detailed statistics on senders that have sent mail to your appliances. The statistics include the number of attempted messages broken down by security service (sender reputation filtering, anti-spam, anti-virus, and so forth).
• Sort by senders who have sent you a high volume of spam or virus email, as determined by anti-spam or anti-virus security services.
• Use the SenderBase Reputation Service to examine the relationship between specific IP addresses, domains, and organizations to obtain information about a sender.
• Obtain more information about a sender from the SenderBase Reputation Service, including a sender’s SenderBase Reputation Score (SBRS) and which sender group the domain matched most recently. Add senders to sender groups.
• Obtain more information about a specific sender who has sent a high volume of spam or virus email, as determined by the anti-spam or anti-virus security services.

The Sender Groups report page provides a summary of connections by sender group and mail flow policy action, allowing you to review SMTP connection and mail flow policy trends. The Mail Flow by Sender Group listing shows the percentage and number of connections for each sender group. The Connections by Mail Flow Policy Action chart shows the percentage of connections for each mail flow policy action. This page provides an overview of the effectiveness of your Host Access Table (HAT) policies. For more information about the HAT, see the documentation or online help for your Email Security appliance.

To view the Sender Groups report page, select Email > Reporting > Sender Groups.

From the Sender Group Report page you can also generate a PDF or export raw data to a CSV file. For information on printing or exporting a file, see the Understanding the Email Reporting Pages.

Note	You can generate a scheduled report for the Sender Group report page. See the Scheduling Email Reports.

You can use the Sender Domain Reputation report page to view:

• Incoming messages based on the verdict received from the SDR service in graphical format.

• Summary of incoming messages based on the threat category and verdict received from the SDR service in tabular format.

• Incoming messages based on the threat category received from the SDR service in graphical format.

  Note	Only the messages whose SDR verdict is 'untrusted' or 'questionable' are classified under the SDR threat category, such as, 'spam,' 'malicious,' etc.

• Summary of incoming messages based on the threat category received from the SDR service in tabular format.

In the Summary of Incoming Messages handled by SDR section, you can click on the number of messages corresponding to a particular verdict to view the related messages in Message Tracking.

The Email > Reporting > Outgoing Destinations page provides information about the domains that your organization sends mail to.

Use the Outgoing Destinations page to answer the following types of questions:

• Which domains are the Email Security appliances sending mail to?
• How much mail is sent to each domain?
• How much of that mail is clean, spam-positive, virus-positive, malware or stopped by a content filter?
• How many messages are delivered and how many messages are hard-bounced by the destination servers?

The following list explains the various sections on the Outgoing Destinations page:

From the Outgoing Destinations page you can also generate a PDF or export raw data to a CSV file. For information on printing or exporting a file, see the Understanding the Email Reporting Pages.

Note	You can generate a scheduled report for the Outgoing Destinations page. See the Scheduling Email Reports.

The Email > Reporting > Outgoing Senders page provides information about the quantity and type of mail being sent from IP addresses and domains in your network.

Use the Outgoing Senders page to answer the following types of questions:

• Which IP addresses are sending the most virus-positive, or spam-positive or malware email?
• Which IP addresses trigger content filters the most frequently?
• Which domains are sending the most mail?
• What are the total number of recipients that are being processed where a delivery was attempted.

To view the Outgoing Senders page, perform the following:

You can see the results of the Outgoing senders with two types of views:

• Domain: This view allows you to see the volume of mail that is being sent by each domain
• IP address: This view allows you to see which IP addresses are sending the most virus messages or triggering content filters.

The following list explains the various sections on the Outgoing Senders page for both views:

Note	This page does not display information about message delivery. To track delivery information, such as the number of messages from a particular domain that were bounced, log in to the appropriate Email Security appliance and choose Monitor > Delivery Status.

From the Outgoing Senders page you can also generate a PDF or export raw data to a CSV file. For information on printing or exporting a file, see the Understanding the Email Reporting Pages.

Note	You can generate a scheduled report for the Outgoing Senders page. See the Scheduling Email Reports.

The Email > Reporting > Internal Users page provides information about the mail sent and received by your internal users per email address. A single user can have multiple email addresses. The email addresses are not combined in the report.

Use the Internal Users interactive report page to answer these types of questions:

• Who is sending the most external email?
• Who receives the most clean email?
• Who receives the largest number of graymail messages?
• Who receives the most spam?
• Who is triggering which content filters?
• Whose email is getting caught by content filters?

From the Internal Users page you can also generate a PDF or export raw data to a CSV file. For information on printing or exporting a file, see the Understanding the Email Reporting Pages.

Note	You can generate a scheduled report for the Internal Users page. See the Scheduling Email Reports.

The Email > Reporting > DLP Incidents (DLP Incident Summary) page shows information on the incidents of data loss prevention (DLP) policy violations occurring in outgoing mail. The Email Security appliance uses the DLP email policies enabled in the Outgoing Mail Policies table to detect sensitive data sent by your users. Every occurrence of an outgoing message violating a DLP policy is reported as an incident.

Using the DLP Incident Summary report, you can answer these kinds of questions:

• What type of sensitive data is being sent by your users?
• How severe are these DLP incidents?
• How many of these messages are being delivered?
• How many of these messages are being dropped?
• Who is sending these messages?

The DLP Incident Summary page contains two main sections:

• the DLP incident trend graphs summarizing the top DLP incidents by severity (Low, Medium, High, Critical) and policy matches,
• the DLP Incident Details listing

Click the name of a DLP policy to view detailed information on the DLP incidents detected by the policy. You can use this method to get a list of users who sent mail that contained sensitive data detected by the policy.

The Message Filters page shows information about the top message filter matches (which message filters had the largest number of matching messages) for incoming and outgoing messages.

You can use the Geo Distribution report page to view:

• Top incoming mail connections based on country of origin in graphical format.

• Total incoming mail connections based on country of origin in tabular format.

The following are the scenarios when no country information is displayed for the top and total incoming mail connections:

• The sender IP address belongs to a private IP address

• The sender IP address does not get a valid SBRS.

Use reports on this page to:

• Identify attacks involving a large number of messages from a single sender, or with identical subjects, within a moving one-hour period.
• Monitor top domains to ensure that such attacks do not originate in your own domain. If this situation occurs, one or more accounts in your organization may be compromised.
• Help identify false positives so you can adjust your filters accordingly.

Reports on this page show data only from message filters that use the Header Repeats rule and that pass the number-of-messages threshold that you set in that rule. When combined with other rules, the Header Repeats rule is evaluated last, and is not evaluated at all if the message disposition is determined by a preceding condition. Similarly, messages caught by Rate Limiting never reach Header Repeats message filters. Therefore, some messages that might otherwise be considered high-volume mail may not be included in these reports. If you have configured your filters to include certain messages in the allowed list, those messages are also excluded from these reports.

For more information about message filters and the Header Repeats rule, see the online help or user guide for your Email Security appliance.

The Email > Reporting > Content Filters page shows information about the top incoming and outgoing content filter matches (which content filter had the most matching messages). The page displays the data as both bar charts and listings. Using the Content Filters page, you can review your corporate policies on a per-content-filter or per-user basis and answer the following types of questions:

• Which content filter is triggered the most by incoming or outgoing mail?
• Who are the top users sending or receiving mail that triggers a particular content filter?

To view more information about a specific filter, click the name of the filter. The Content Filter Details page appears. For more information on Content Filter details page, see the Content Filter Details Page.

If your access privileges allow you to view Message Tracking data: To view Message Tracking details for the messages that populate this report, click a blue number link in the table.

From the Content Filters page you can also generate a PDF or export raw data to a CSV file. For information on printing or exporting a file, see the Understanding the Email Reporting Pages.

Note	You can generate a scheduled report for the Content Filter page. See the Scheduling Email Reports.

The DMARC Verification page shows the top sender domains that failed Domain-based Message Authentication, Reporting and Conformance (DMARC) verification, and a summary of the actions taken for incoming messages from each domain. You can use this report to fine-tune your DMARC settings and answer these kinds of questions:

• Which domains sent the most messages that failed DMARC verification?
• For each domain, what actions were taken on messages that failed DMARC verification?

For more information about DMARC verification, see the Email Authentication chapter in the online help or user guide for your Email Security appliance.

You can use the Macro Detection report page to view:

• Top Incoming Macro-Enabled Attachments by File Type in graphical and tabular format.

• Top Outgoing Macro-Enabled Attachments by File Type in graphical and tabular format.

You can click on the number of macro-enabled attachments to view the related messages in Message Tracking.

Note

During report generation: If one or more macros are detected within an archive file, the Archive Files file type is incremented by one. The number of macro-enabled attachments within an archive file are not counted. If one or more macros are detected within an embedded file, the parent file type is incremented by one. The number of macro-enabled attachments within an embedded file are not counted.

You can use the External Threat Feeds report page to view:

• Top ETF sources used to detect threats in messages in graphical format

• Summary of ETF sources used to detect threats in messages in tabular format.

• Top IOCs that matched threats detected in messages in graphical format.

• Top ETF sources used to filter malicious incoming mail connections in graphical format.

• Summary of ETF sources used to filter malicious incoming mail connections in tabular format.

In the ‘Summary of External Threat Feed Sources’ section:

• You can click on the number of messages for a particular ETF source to view the related messages in Message Tracking.

• You can click on a particular threat feed source to view the distribution of the ETF source based on the IOCs.

In the ‘Summary of Indicator of Compromise (IOC) Matches’ section:

• You can click on the number of IOCs for a particular ETF source to view the related messages in Message Tracking.

• You can click on a particular IOC to view the distribution of the IOC based on the ETF sources.

The Email > Reporting > Virus Types page provides an overview of the viruses that are sent to and from your network. The Virus Types page displays the viruses that have been detected by the virus scanning engines running on the Email Security appliances and are displayed on the Security Management appliance. Use this report to take action against a particular virus. For example, if you see that you are receiving a high volume of viruses known to be embedded in PDF files, you can create a filter action to quarantine messages with PDF attachments.

Note	Outbreak Filters can quarantine these types of virus-infected messages with no user intervention.

If you run multiple virus scanning engines, the Virus Types page includes results from all enabled virus scanning engines. The name of the virus that appears on the page is determined by the virus scanning engines. If more than one scanning engine detects a virus, it is possible to have more than one entry for the same virus.

Note

To see which hosts sent virus-infected messages to your network, go to the Incoming Mail page, specify the same reporting period, and sort by virus positive. Similarly, to see which IP addresses have sent virus positive email within your network, view the Outgoing Senders page and sort by virus positive messages.

From the Virus Types page you can also generate a PDF or export raw data to a CSV file. For information on printing or exporting a file, see the Understanding the Email Reporting Pages.

Note	You can generate a scheduled report for the Virus Types page. See the Scheduling Email Reports.

• URL Filtering report modules are populated only if URL filtering is enabled.
• URL Filtering reports are available for incoming and outgoing messages.
• Only messages that are scanned by the URL filtering engine (either as part of anti-spam/outbreak filter scanning or through message/content filters) are included in these modules. However, not all of the results are necessarily specifically attributable to the URL Filtering feature.
• The Top URL Categories module includes all categories found in messages that have been scanned, whether or not they match a content or message filter.
• Each message can be associated with only one reputation level. For messages with multiple URLs, the statistics reflect the lowest reputation of any URL in the message.
• URLs in the global allowed list configured at Security Services > URL Filtering are not included in reports.

  URLs in allowed lists used in individual filters are included in reports.

• Malicious URLs are URLs that Outbreak Filters have determined to have poor reputation. Neutral URLs are those that Outbreak Filters have determined to require click-time protection. Neutral URLs have therefore been rewritten to redirect them to the Cisco Web Security proxy.
• Results of URL category-based filters are reflected in content and message filter reports.
• Results of click-time URL evaluations by the Cisco Web Security proxy are not reflected in reports.

• Web Interaction Tracking report modules are populated only if the Web Interaction Tracking feature is enabled on managed Email Security appliances.
• Web Interaction Tracking reports are available for incoming and outgoing messages.
• Only rewritten URLs (either by policy or Outbreak Filter) clicked by the end users are included in these modules.
• Web Interaction Tracking page includes the following reports:
  Top Rewritten Malicious URLs clicked by End Users. Click on a URL to view a detailed report that contains the following information:

  • A list of end users who clicked on the rewritten malicious URL.
  • Date and time at which the URL was clicked.
  • Whether the URL was rewritten by a policy or an outbreak filter.
  • Action taken (allow, block, or unknown) when the rewritten URL was clicked. Note that, if a URL was rewritten by outbreak filter and the final verdict is unavailable, the status is shown as unknown.

    Note	Due to a limitation, status of all outbreak rewritten URLs are shown as unknown.

  Top End Users who clicked on Rewritten Malicious URLs

  Tracking Web Interaction Details. Includes the following information:

  • A list of all the rewritten URLs (malicious and unmalicious). Click on a URL to view a detailed report.
  • Action taken (allow, block, or unknown) when a rewritten URL was clicked.

    If the verdict of a URL (clean or malicious) was unknown at the time when the end user clicked it, the status is shown as unknown. This could be because the URL was under further scrutiny or the web server was down or not reachable at the time of the user click.

  • The number of times end users clicked on a rewritten URL. Click a number to view a list of all messages that contain the clicked URL.
• Note the following:
  • If you have configured a content or message filter to deliver messages after rewriting malicious URLs and notify another user (for example, an administrator), the web interaction tracking data for the original recipient is incremented if the notified user clicks on the rewritten URLs.
  • If you are sending a copy of quarantined messages containing rewritten URLs to a user other than the original recipient (for example, to an administrator) using the web interface, the web interaction tracking data for the original recipient is incremented if the other user clicks on the rewritten URLs.

• The Forged Email Detection page includes the following reports:
  • Top Forged Email Detection. Displays the top ten users in the content dictionary that matched the forged From: header in the incoming messages.
  • Forged Email Detection Details. Displays a list of all the users in the content dictionary that matched the forged From: header in the incoming messages and for a given user, the number of messages matched.
• The Forged Email Detection reports are populated only if you are using the Forged Email Detection content filter or the forged-email-detection message filter.

You can use the Safe Print Action report page to view:

• Number of safe-printed attachments based on the file type in graphical format.

• Summary of safe-printed attachments based on the file type in tabular format.

In the ‘Summary of Safe Print File Types’ section, click the total number of safe-printed attachments to view the message details in Message Tracking.

You can use the Mail Policy Details report page to view:

• Top incoming messages that matched a configured mail policy in graphical and tabular format.

• Top outgoing messages that matched a configured mail policy in graphical and tabular format.

In the ‘Incoming Policies’ section, click the total number of incoming messages that matched a specific mail policy to view the message details in Message Tracking.

In the ‘Outgoing Policies’ section, click the total number of incoming messages that matched a specific mail policy to view the message details in Message Tracking.

• Advanced Phishing Protection Page on Legacy Web Interface

• Advanced Phishing Protection Page on New Web Interface

The Email > Reporting > Advanced Phishing Protection report page displays the following:

• Total number of messages successfully forwarded to the Cisco Advanced Phishing Protection cloud service.

• Total number of messages that are not forwarded to the Cisco Advanced Phishing Protection cloud service.

Note

If the forwarding of message metadata has failed, you must validate the configurations of the Advanced Phishing Protection feature. For more information, see the "Integrating Cisco Email Security Gateway with the Cisco Advanced Phishing Protection" chapter of the User Guide for AsyncOS for Cisco Email Security Appliances.

You can use the Advanced Phishing Protection report page to view:

• Total number of messages attempted to be forwarded to the Cisco Advanced Phishing Protection cloud service, in a graphical format.

• Summary of messages forwarded to the Cisco Advanced Phishing Protection cloud service in a graphical

  format.

The Monitoring > Advanced Phishing Protection report page displays the following:

• Total number of messages successfully forwarded to the Cisco Advanced Phishing Protection cloud service.

• Total number of messages that are not forwarded to the Cisco Advanced Phishing Protection cloud service.

Note

If the forwarding of message metadata has failed, you must validate the configurations of the Advanced Phishing Protection feature. For more information, see the "Integrating Cisco Email Security Gateway with the Cisco Advanced Phishing Protection" chapter of the User Guide for AsyncOS for Cisco Email Security Appliances.

You can use the Advanced Phishing Protection report page to view:

• Total number of messages attempted to be forwarded to the Cisco Advanced Phishing Protection cloud service, in a graphical format.

• Requirements for File Analysis Report Details

• Identifying Files by SHA-256 Hash

• File Reputation and File Analysis Report Pages

• Viewing File Reputation Filtering Data in Other Reports

You can view the details of the mailbox remediation results using the Mailbox Auto Remediation report page. Use this report to view details such as:

• A list of recipients for whom the mailbox remediation was successful or unsuccessful
• Remedial actions taken on messages
• The filenames associated with a SHA-256 hash

The Recipients for whom remediation was unsuccessful field is updated in the following scenarios:

• The recipient is not a valid Office 365 user or the recipient does not belong to the Office 365 domain account configured on your appliance.
• The message containing the attachment is no longer available in the mailbox, for example, the end user deleted the message.
• There was a connectivity issue between your appliance and Office 365 services when the appliance was trying to perform the configured remedial action.

Click on a SHA-256 hash to view the related messages in Message Tracking.

Note	After upgrading to AsyncOS 13.6.1, the message tracking status of the messages received before the upgrade remains as "Delivered" than "Remediated."

The Email > Reporting > TLS Connections page shows the overall usage of TLS connections for sent and received mail. The report also shows details for each domain sending mail using TLS connections.

The TLS Connections page can be used to determine the following information:

• Overall, what portion of incoming and outgoing connections uses TLS?
• Which partners do I have successful TLS connections with?
• Which partners do I have unsuccessful TLS connections with?
• Which partners have issue with their TLS certificates?
• What percentage of overall mail with a partner uses TLS?

The Inbound SMTP Authentication page shows the use of client certificates and the SMTP AUTH command to authenticate SMTP sessions between the Email Security appliance and users’ mail clients. If the appliance accepts the certificate or SMTP AUTH command, it will establish a TLS connection to the mail client, which the client will use to send a message. Since it is not possible for the appliance to track these attempts on a per-user basis, the report shows details on SMTP authentication based on the domain name and domain IP address.

Use this report to determine the following information:

• Overall, how many incoming connection use SMTP authentication?
• How many connections use a client certificated?
• How many connections use SMTP AUTH?
• What domains are failing to connect when attempting to use SMTP authentication?
• How many connections are successfully using the fall-back when SMTP authentication fails?

The Inbound SMTP Authentication page includes a graph for received connections, a graph for mail recipients who attempted an SMTP authentication connection, and a table with details on the attempts to authenticate connections.

The Received Connections graph shows the incoming connections from mail clients that attempt to authentication their connections using SMTP authentication over the time range you specify. The graph displays the total number of connections the appliance received, the number that did not attempt to authenticate using SMTP authentication, the number that failed and succeeded to authenticate the connection using a client certificate, and the number that failed and succeeded to authenticate using the SMTP AUTH command.

The Received Recipients graph displays the number of recipients whose mail clients attempted to authenticate their connections to the Email Security appliances to send messages using SMTP authentication. The graph also show the number of recipients whose connections were authenticated and the number of recipients whose connections were not authenticated.

The SMTP Authentication details table displays details for the domains whose users attempt to authenticate their connections to the Email Security appliance to send messages. For each domain, you can view the number of connection attempts using a client certificate that were successful or failed, the number of connection attempts using the SMTP AUTH command that were successful or failed, and the number that fell back to the SMTP AUTH after their client certificate connection attempt failed. You can use the links at the top of the page to display this information by domain name or domain IP address.

Rate Limiting by envelope sender allows you to limit the number of email message recipients per time interval from an individual sender, based on the mail-from address. The Rate Limits report shows you the senders who most egregiously exceed this limit.

Use this report to help you identify the following:

• Compromised user accounts that might be used to send spam in bulk.
• Out-of-control applications in your organization that use email for notifications, alerts, automated statements, etc.
• Sources of heavy email activity in your organization, for internal billing or resource-management purposes.
• Sources of large-volume inbound email traffic that might not otherwise be considered spam.

Note that other reports that include statistics for internal senders (such as Internal Users or Outgoing Senders) measure only the number of messages sent; they do not identify senders of a few messages to a large number of recipients.

The Top Offenders by Incident chart shows the envelope senders who most frequently attempted to send messages to more recipients than the configured limit. Each attempt is one incident. This chart aggregates incident counts from all listeners.

The Top Offenders by Rejected Recipients chart shows the envelope senders who sent messages to the largest number of recipients above the configured limit. This chart aggregates recipient counts from all listeners.

Rate Limiting settings, including “Rate Limit for Envelope Senders” settings, are configured on the Email Security appliance in Mail Policies > Mail Flow Policies. For more information on rate limiting, see the documentation or online help for your Email Security appliance.

The Email > Reporting > Outbreak Filters page shows information about recent outbreaks and messages quarantined due to Outbreak Filters. You can use this page to monitor your defense against targeted virus, scam, and phishing attacks.

Use the Outbreak Filters page to answer the following types of questions:

• How many messages are quarantined and by which Outbreak Filters rule?
• How much lead time has the Outbreak Filters feature been providing for virus outbreaks?
• How do the local outbreaks compare to the global outbreaks?
• How long do messages stay in the Outbreak Quarantine?
• Which potentially malicious URLs are most frequently seen?

The Threats By Type section shows the different types of threat messages received by the appliance. The Threat Summary section shows a breakdown of the messages by Virus, Phish, and Scam.

The Past Year Outbreak Summary lists global as well as local outbreaks over the past year, allowing you to compare local network trends to global trends. The listing of global outbreaks is a superset of all outbreaks, both viral and non-viral, whereas local outbreaks are limited to virus outbreaks that have affected your appliance. Local outbreak data does not include non-viral threats. Global outbreak data represents all outbreaks detected by the Threat Operations Center which exceeded the currently configured threshold for the outbreak quarantine. Local outbreak data represents all virus outbreaks detected on this appliance which exceeded the currently configured threshold for the outbreak quarantine. The Total Local Protection Time is always based on the difference between when each virus outbreak was detected by the Threat Operations Center and the release of an anti-virus signature by a major vendor. Note that not every global outbreak affects your appliance. A value of “--” indicates either a protection time does not exist, or the signature times were not available from the anti-virus vendors (some vendors may not report signature times). This does not indicate a protection time of zero, rather it means that the information required to calculate the protection time is not available.

The Quarantined Messages section summarizes Outbreak Filters quarantining, and is a useful gauge of how many potential threat messages Outbreak Filters are catching. Quarantined messages are counted at time of release. Typically, messages will be quarantined before anti-virus and anti-spam rules are available. When released, they will be scanned by the anti-virus and anti-spam software and determined to be positive or clean. Because of the dynamic nature of Outbreak tracking, the rule under which a message is quarantined (and even the associated outbreak) may change while the message is in the quarantine. Counting the messages at the time of release (rather than the time of entry into the quarantine) avoids the confusion of having counts that increase and decrease.

The Threat Details listing displays information about specific outbreaks, including the threat category (virus, scam, or phishing), threat name, a description of the threat, and the number of messages identified. For virus outbreaks, the Past Year Virus Outbreaks include the Outbreak name and ID, time and date a virus outbreak was first seen globally, the protection time provided by Outbreak filters, and the number of quarantined messages. You can choose whether to view global or local outbreaks.

The First Seen Globally time is determined by the Threat Operations Center, based on data from the SenderBase, the world’s largest email and web traffic monitoring network. The Protection Time is based on the difference between when each threat was detected by the Threat Operations Center and the release of an anti-virus signature by a major vendor.

A value of “--” indicates either a protection time does not exist, or the signature times were not available from the anti-virus vendors (some vendors may not report signature times). This does not indicate a protection time of zero. Rather, it means that the information required to calculate the protection time is not available.

Other modules on this page provide:

• The number of incoming messages processed by Outbreak Filters in the selected time period.

Non-viral threats include phishing emails, scams, and malware distribution using links to an external website.

• Severity of threats caught by Outbreak Filters.

Level 5 threats are severe in scope or impact, while Level 1 represents low threat risk. For descriptions of threat levels, see the online help or user guide for your Email Security appliance.

• Length of time messages spent in the Outbreak Quarantine.

This duration is determined by the time it takes the system to compile enough data about the potential threat to make a verdict on its safety. Messages with viral threats typically spend more time in the quarantine than those with non-viral threats, because they must wait for anti-virus program updates. The maximum retention time that you specify for each mail policy is also reflected.

• The URLs most frequently rewritten to redirect message recipients to the Cisco Web Security Proxy for click-time evaluation of the site if and when the recipient clicks a potentially malicious link in a message.

This list may include URLs that are not malicious, because if any URL in a message is deemed malicious, then all URLs in the message are rewritten.

Note	In order to correctly populate the tables on the Outbreak Filters reporting page, the appliance must be able to communicate with the Cisco update servers specified in Management Appliance > System Administration > Update Settings.

For more information, see the Outbreak Filters chapter.

Graymail statistics are reflected in the following reports:

After upgrade to AsyncOS 9.5:

• The number of marketing messages is the sum of marketing messages detected before and after the upgrade.
• The total number of graymail messages does not include the number of marketing messages detected before the upgrade.
• The total number of attempted messages also includes the number of marketing messages detected before the upgrade.
• If the graymail feature is not enabled on managed Email Security appliances, marketing messages are counted as clean messages.

The Email > Reporting > System Capacity page provides a detailed representation of the system load, including messages in the work queue, incoming and outgoing messages (volume, size, and number), overall CPU usage, CPU usage by function, and memory page swapping information.

The System Capacity page can be used to determine the following information:

• Identify when Email Security appliances are exceeding recommended capacity; this enables you to determine when configuration optimization or additional appliances are needed.
• Identify historical trends in system behavior that point to upcoming capacity issues.
• For troubleshooting, identify which parts of the system are using the most resources.

Monitor your Email Security appliances to ensure that the capacity is appropriate to your message volumes. Over time, volume inevitably rises and appropriate monitoring ensures that additional capacity or configuration changes can be applied proactively. The most effective way to monitor system capacity is to track the overall volume, the messages in the work queue, and the incidents of Resource Conservation Mode.

• Volume:It is important to understand the “normal” message volume and the “usual” spikes in your environment. Track this data over time to measure volume growth. You can use the Incoming Mail and Outgoing Mail pages to track volume over time. For more information, see System Capacity – Incoming Mail and System Capacity – Outgoing Mail.
• Work Queue: The work queue is designed to work as a “shock absorber”— absorbing and filtering spam attacks and processing unusual increases in non-spam messages. However, the work queue can also indicate a system under stress. Prolonged and frequent work queue backups may indicate a capacity problem. You can use the System Capacity – Workqueue page to track the activity in your work queue. For more information, see System Capacity – Workqueue.
• Resource Conservation Mode: When an appliance becomes overloaded, it enters Resource Conservation Mode (RCM) and sends a CRITICAL system alert. This is designed to protect the device and allow it to process any backlog of messages. Your appliance should enter RCM infrequently and only during a very large or unusual increase in mail volume. Frequent RCM alerts may be an indication that the system is becoming overloaded. See Resource Conservation Activity.

The Email > Reporting > Reporting Data Availability page allows you to view, update and sort data to provide real-time visibility into resource utilization and email traffic trouble spots.

All data resource utilization and email traffic trouble spots are shown from this page, including the data availability for the overall appliances that are managed by the Security Management appliance.

From this report page you can also view the data availability for a specific appliance and time range.

The Mail Flow Summary report page on the Security Management appliance provides a synopsis of the email message activity from your Email Security appliances. The Mail Flow Summary report page includes graphs and summary tables for the incoming and outgoing messages.

The Mail Flow Summary: Incoming report page shows the incoming mail graphs for the total number of messages that are processed and blocked by the appliance, as well as the summary of the incoming mails.

You can use the mail trend graphs on this page to monitor the flow of all the incoming mails that are processed and blocked by your appliances, based on the selected time range. For more information, see Choosing a Time Range for Reports.

To search for specific information within your data, see Searching and the Interactive Email Report Pages

The following mail trend graphs provide a visual representation of the incoming mail flow:

• Threat Detection Summary

• Content Summary

You can view the mail trend of the incoming messages based on the required counters for the respective categories. For more information, see Using Counters to Filter Data on the Trend Graphs.

The Mail Flow Summary: Outgoing report page shows the outgoing mail graphs for the total number of messages that are processed and delivered by the appliance, as well as the summary of the outgoing mail.

You can use the mail trend graphs on this page to monitor the flow of all the outgoing mails that are processed and delivered by your appliances, based on the selected time range. For more information, see Choosing a Time Range for Reports.

The following mail trend graphs provide a visual representation of the mail flow of the Outgoing Mails.

You can view the mail trend of the outgoing messages based on the required counters of the processed messages. For more information, see Using Counters to Filter Data on the Trend Graphs.

The following list explains the various sections on the Mail Flow Summary report page:

The System Capacity report page provides a detailed representation of the system load, including messages in the work queue, incoming and outgoing messages (volume, size, and number), overall CPU usage, CPU usage by function, and memory page swapping information.

The System Capacity report page can be used to determine the following information:

• Identify when Email Security appliances are exceeding recommended capacity; this enables you to determine when configuration optimization or additional appliances are needed.

• Identify historical trends in system behavior that point to upcoming capacity issues.

• For troubleshooting, identify which parts of the system are using the most resources.

To view the System Capacity report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > System Capacity from the Reports drop-down. For more information, see Using the Interactive Report Pages.

You can monitor your Email Security appliances to ensure that the capacity is appropriate to your message volumes. Over time, volume inevitably rises and appropriate monitoring ensures that additional capacity or configuration changes can be applied proactively. The most effective way to monitor system capacity is to track the overall volume, the messages in the work queue, and the incidents of Resource Conservation Mode.

• Volume: It is important to understand the “normal” message volume and the “usual” spikes in your environment. Track this data over time to measure volume growth. You can use the Incoming Mail and Outgoing Mail pages to track volume over time. For more information, see System Capacity – Incoming Mail and System Capacity – Outgoing Mail.

• Work Queue: The work queue is designed to work as a “shock absorber”— absorbing and filtering spam attacks and processing unusual increases in non-spam messages. However, the work queue can also indicate a system under stress. Prolonged and frequent work queue backups may indicate a capacity problem. You can use the System Capacity – Workqueue page to track the activity in your work queue. For more information, see System Capacity – Workqueue.

• Resource Conservation Mode: When an appliance becomes overloaded, it enters Resource Conservation Mode (RCM) and sends a CRITICAL system alert. This is designed to protect the device and allow it to process any backlog of messages. Your appliance should enter RCM infrequently and only during a very large or unusual increase in mail volume. Frequent RCM alerts may be an indication that the system is becoming overloaded. See Resource Conservation Activity.

Advanced Malware Protection protects against zero-day and targeted file-based threats in email attachments by:

• Obtaining the reputation of known files.

• Analyzing behavior of certain files that are not yet known to the reputation service.

• Evaluating emerging threats as new information becomes available, and notifying you about files that are determined to be threats after they have entered your network.

This feature is available for incoming and outgoing messages.

For more information on the file reputation filtering and file analysis, see the User Guide or Online Help for AsyncOS for Email Security Appliances.

To view the report page, select Advanced Malware Protection from the Filter and Malware Reports section of the Reports drop-down.

The Advanced Malware Protection report page shows the following reporting views:

• Advanced Malware Protection – Summary

• Advanced Malware Protection – AMP Reputation

• Advanced Malware Protection – File Analysis

• Advanced Malware Protection – File Retrospection

• Advanced Malware Protection – Mailbox Auto Remediation

To view the Advanced Malware Protection report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > Advanced Malware Protection from the Reports drop-down. For more information, see Using the Interactive Report Pages.

The Advanced Malware Protection report page displays a metrics bar that provides real time data of all the managed appliances connected to the Cisco Threat Grid appliance.

Note	You must use the trailblazerconfig > enable command on the CLI to populate data on the metrics bar. For more information, see The trailblazerconfig Command. You can only view the data from the Cisco Threat Grid appliance for the day, week and month.

The Virus Filtering report page provides an overview of the viruses that are sent to and from your network. The Virus Types page displays the viruses that have been detected by the virus scanning engines running on the Email Security appliances and are displayed on the Security Management appliance. Use this report to take action against a particular virus. For example, if you see that you are receiving a high volume of viruses known to be embedded in PDF files, you can create a filter action to quarantine messages with PDF attachments.

To view the Virus Filtering report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > Virus Filtering from the Reports drop-down. For more information, see Using the Interactive Report Pages.

If you run multiple virus scanning engines, the Virus Filtering report page includes results from all enabled virus scanning engines. The name of the virus that appears on the page is determined by the virus scanning engines. If more than one scanning engine detects a virus, it is possible to have more than one entry for the same virus.

The following list explains the various sections on the Virus Filtering report page:

Note

To see which hosts sent virus-infected messages to your network, go to the Incoming Mail page, specify the same reporting period, and sort by virus positive messages. Similarly, to see which IP addresses have sent virus positive emails within your network, go to the Outgoing Senders page and sort by virus positive messages. From the Virus Filtering report page, you can export raw data to a CSV file. For information on printing or exporting a file, see the Exporting Reporting and Tracking Data. You can generate a scheduled report for the Virus Filtering report page. See the Scheduling Email Reports.

You can use the Macro Detection report page to view:

• Top Incoming Macro-Enabled Attachments by File Type in graphical and tabular format.

• Total Incoming Macro-Enabled Attachments by File Type in tabular format.

• Top Outgoing Macro-Enabled Attachments by File Type in graphical and tabular format.

• Total Outgoing Macro-Enabled Attachments by File Type in tabular format.

To view the Macro Detection report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > Macro Detection from the Reports drop-down. For more information, see Using the Interactive Report Pages.

From the Macro Detection report page you can export raw data to a CSV file. For information on printing or exporting a file, see the Exporting Reporting and Tracking Data.

You can click on the number of macro-enabled attachments to view the related messages in Message Tracking.

Note

During report generation: If one or more macros are detected within an archive file, the Archive Files file type is incremented by one. The number of macro-enabled attachments within an archive file are not counted. If one or more macros are detected within an embedded file, the parent file type is incremented by one. The number of macro-enabled attachments within an embedded file are not counted.

The DMARC Verification report page shows the top sender domains that failed Domain-based Message Authentication, Reporting and Conformance (DMARC) verification, and a summary of the actions taken for incoming messages from each domain. You can use this report to fine-tune your DMARC settings and answer these kinds of questions:

• Which domains sent the most messages that failed DMARC verification?

• For each domain, what actions are taken on messages that failed DMARC verification?

You can use the DMARC Verification report page to view:

• Top Domains by DMARC verification failures in graphical format.

• Total domains by DMARC verification details in tabular format. For more information, see Domains by DMARC Verification Details Table.

To view the DMARC Verification report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > DMARC Verification from the Reports drop-down. For more information, see Using the Interactive Report Pages.

If your access privileges allow you to view Message Tracking data for the messages that populate this report, click a blue number link in the table.

From the DMARC Verification report page you can export raw data to a CSV file. For information on printing or exporting a file, see the Exporting Reporting and Tracking Data.

For more information about DMARC verification, see the Email Authentication chapter in the online help or user guide for your Email Security appliance.

The Outbreak Filtering report page shows information about recent outbreaks and messages quarantined due to Outbreak Filters. You can use this page to monitor your defense against targeted virus, scam, and phishing attacks.

Use the Outbreak Filtering report page to answer the following types of questions:

• How many messages are quarantined and by which Outbreak Filters rule?

• How long do messages stay in the Outbreak Quarantine?

• Which potentially malicious URLs are most frequently seen?

To view the Outbreak Filtering report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > Outbreak Filtering from the Reports drop-down. For more information, see Using the Interactive Report Pages.

The following table explains the various sections on the Outbreak Filtering report page:

Note	In order to correctly populate the tables on the Outbreak Filtering report page, the appliance must be able to communicate with the Cisco update servers.

For more information, see the Outbreak Filters chapter in the online help or user guide for your Email Security appliance.

URL Filtering reports are available for incoming and outgoing messages.

Only messages that are scanned by the URL filtering engine (either as part of anti-spam/outbreak filter scanning or through message/content filters) are included in these modules. However, not all of the results are necessarily specifically attributable to the URL Filtering feature.

Note	URL Filtering report modules are populated only if URL filtering is enabled.

From the URL Filtering report page, you can view:

• The Top URL Categories module includes all categories found in messages that have been scanned, whether or not they match a content or message filter.

  Each message can be associated with only one reputation level. For messages with multiple URLs, the statistics reflect the lowest reputation of any URL in the message.

• The Top URL spam messages

  URLs in the global allowed list configured at Security Services > URL Filtering page of the email security appliance, are not included in reports.

  URLs in allowed lists used in individual filters are included in reports.

• Malicious URLs are URLs that Outbreak Filters have determined to have poor reputation. Neutral URLs are those that Outbreak Filters have determined to require click-time protection. Neutral URLs have therefore been rewritten to redirect them to the Cisco Web Security proxy.

  Results of URL category-based filters are reflected in content and message filter reports.

  Results of click-time URL evaluations by the Cisco Web Security proxy are not reflected in reports.

To view the URL Filtering report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > URL Filtering from the Reports drop-down. For more information, see Using the Interactive Report Pages.

The following table explains the various sections on the URL Filtering report page:

From the URL Filtering report page you can export raw data to a CSV file. For information on printing or exporting a file, see the Exporting Reporting and Tracking Data.

The URL Retrospection Report page shows URLs processed by the URL Retrospective Service. It displays the following details:

• URL - The URLs sent to the URL Retrospective Service analysis by Cisco Secure Email Cloud Gateway.

• Verdict Received - Date and time when Cisco Secure Email Cloud Gateway receives a verdict from the URL Retrospective Service.

• Remediation Status of Impacted Messages - Action taken for the malicious URLs and the number of messages against each remediation status. The possible remediation statuses are: In- Progress, Success, Failed, and Skipped.

The Forged Email Detection page includes the following reports:

• Top Forged Email Detection. Displays the top ten users in the content dictionary that matched the forged From: header in the incoming messages.

• Forged Email Detection: Details. Displays a list of all the users in the content dictionary that matched the forged From: header in the incoming messages and for a given user, the number of messages matched.

To view the Forged Email Detection report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > Forged Email Detection from the Reports drop-down. For more information, see Using the Interactive Report Pages.

The Forged Email Detection reports are populated only if you are using the Forged Email Detection content filter or the forged-email-detection message filter.

From the Forged Email Detection report page you can export raw data to a CSV file. For information on printing or exporting a file, see the Exporting Reporting and Tracking Data.

You can use the Sender Domain Reputation report page to view:

• Incoming messages based on the verdict received from the SDR service in graphical format.

• Summary of incoming messages based on the threat category and verdict received from the SDR service in tabular format.

• Incoming messages based on the threat category received from the SDR service in graphical format.

  Note	Only the messages whose SDR verdict is 'untrusted' or 'questionable' are classified under the SDR threat category, such as, 'spam,' 'malicious,' etc.

• Summary of incoming messages based on the threat category received from the SDR service in tabular format.

To view the Sender Domain Reputation report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > Sender Domain Reputation from the Reports drop-down. For more information, see Using the Interactive Report Pages.

You can use the External Threat Feeds report page to view:

• Top ETF sources used to detect threats in messages in graphical format

• Summary of ETF sources used to detect threats in messages in tabular format.

• Top IOCs that matched threats detected in messages in graphical format.

• Top ETF sources used to filter malicious incoming mail connections in graphical format.

• Summary of ETF sources used to filter malicious incoming mail connections in tabular format.

In the ‘Summary of External Threat Feed Sources’ section:

• You can click on the number of messages for a particular ETF source to view the related messages in Message Tracking.

• You can click on a particular threat feed source to view the distribution of the ETF source based on the IOCs.

In the ‘Summary of Indicator of Compromise (IOC) Matches’ section:

• You can click on the number of IOCs for a particular ETF source to view the related messages in Message Tracking.

• You can click on a particular IOC to view the distribution of the IOC based on the ETF sources.

To view the External Threat Feeds report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > External Threat Feeds from the Reports drop-down. For more information, see Using the Interactive Report Pages.

You can use the Safe Print Action report page to view:

• Number of safe-printed attachments based on the file type in graphical format.

• Summary of safe-printed attachments based on the file type in tabular format.

In the ‘Summary of Safe Print File Types’ section, click the total number of safe-printed attachments to view the message details in Message Tracking.

You can view the following on the Advanced Phishing Protection report page:

• Total number of messages successfully forwarded to the Cisco Advanced Phishing Protection cloud service.

• Total number of messages that are not forwarded to the Cisco Advanced Phishing Protection cloud service.

Note

If the forwarding of message metadata has failed, you must validate the configurations of the Advanced Phishing Protection feature. For more information, see the "Integrating Cisco Email Security Gateway with the Cisco Advanced Phishing Protection" chapter of the User Guide for AsyncOS for Cisco Email Security Appliances.

To view the Advanced Phishing Protection report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > Advanced Phishing Protection from the Reports drop-down. For more information, see Using the Interactive Report Pages.

You can use the Advanced Phishing Protection report page to view:

• Total number of messages attempted to be forwarded to the Cisco Advanced Phishing Protection cloud service.

• Summary of messages forwarded to the Cisco Advanced Phishing Protection cloud service in a graphical format.

The Mail Flow Details report page on the Security Management appliance provides interactive reporting on the real-time information for all remote hosts connecting to your managed Security Management appliances. You can gather information about the IP addresses, domains, and network owners (organizations) sending mail to your system. You can also gather information about the IP addresses and domains of the outgoing senders.

To view the Mail Flow Details report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > Mail Flow Details from the Reports drop-down. For more information, see Using the Interactive Report Pages.

The Mail Flow Details report page has the following tabs:

• Incoming Mails

• Outgoing Senders

To search for specific information within your data, see Searching and the Interactive Email Report Pages.

From the Incoming Mails tab, you can:

• View the top senders by total threat messages in graphical format.

• View the top senders by clean messages in graphical format.

• View the top senders by graymail messages in graphical format.

• See the IP addresses, domains, or network owners (organizations) that have sent mail to your Security Management appliances.

• See detailed statistics on senders that have sent mail to your appliances. The statistics include the number of connections (accepted or rejected), attempted messages broken down by security service (sender reputation filtering, anti-spam, anti-virus, and so forth), total threat messages, total graymails and clean messages.

• See the Incoming Mails interactive table for the detailed information about the particular IP address, domain, or network owner (organization). For more information, see Incoming Mails Table.

  If your access privileges allow you to view Message Tracking data for the messages that populate this report, click a number hyperlink in the table.

From the Outgoing Senders tab, you can:

• View the top senders by total threat messages in graphical format.

• View the top senders by clean messages in graphical format.

• View the top senders (by IP address or domain) of outgoing threat messages (spam, antivirus, etc.) in your organization.

• See detailed statistics on senders that have sent mail from your appliances. The statistics include the total threat messages broken down by security service (sender reputation filtering, anti-spam, anti-virus, and so forth) and clean messages.

• See the Sender Details interactive table for detailed information about the particular IP address or domain. For more information, see Sender Details Table.

  If your access privileges allow you to view Message Tracking data for the messages that populate this report, click a number hyperlink in the table.

The Sender Groups report page provides a summary of connections by sender group and mail flow policy action, allowing you to review SMTP connection and mail flow policy trends. The Mail Flow by Sender Group listing shows the percentage and number of connections for each sender group. The Connections by Mail Flow Policy Action chart shows the percentage of connections for each mail flow policy action. This page provides an overview of the effectiveness of your Host Access Table (HAT) policies. For more information about the HAT, see the documentation or online help for your Email Security appliance.

To view the Sender Groups report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > Sender Groups from the Reports drop-down. For more information, see Using the Interactive Report Pages.

From the Sender Group report page you can export raw data to a CSV file. For information on printing or exporting a file, see the Exporting Reporting and Tracking Data.

Note	You can generate a scheduled report for the Sender Group report page. See the Scheduling Email Reports.

The Outgoing Destinations report page provides information about the domains that your organization sends mail to.

You can use the Outgoing Destinations page to view:

• Which domains are the Email Security appliances sending messages to?

• How much message is sent to each domain?

• How much of that message is clean, spam-positive, virus-positive, malware or stopped by a content filter?

• How many messages are delivered and how many messages are hard-bounced by the destination servers?

To view the Outgoing Destinations report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > Outgoing Destinations from the Reports drop-down. For more information, see Using the Interactive Report Pages.

To search for specific information within your data, see Searching and the Interactive Email Report Pages.

The following list explains the various sections on the Outgoing Destinations report page:

From the Outgoing Destinations report page you can export raw data to a CSV file. For information on printing or exporting a file, see the Exporting Reporting and Tracking Data.

You can generate a scheduled report for the Outgoing Destinations page. See the Scheduling Email Reports.

The TLS Encryptions page shows the overall usage of TLS connections for sent and received mail. The report also shows details for each domain sending mail using TLS connections.

The TLS Connections page can be used to determine the following information:

• Overall, what portion of incoming and outgoing connections uses TLS?

• Which partners do I have successful TLS connections with?

• Which partners do I have unsuccessful TLS connections with?

• What partners do I have successful outgoing TLS connections with DANE support?

• What partners do I have unsuccessful outgoing TLS connections with DANE support?

• Which partners have issue with their TLS certificates?

• What percentage of overall mail with a partner uses TLS?

To view the TLS Encryption report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > TLS Encryption from the Reports drop-down. For more information, see Using the Interactive Report Pages.

The TLS Encryption report page has the following tabs:

• Incoming

• Outgoing

To search for specific information within your data, see Searching and the Interactive Email Report Pages.

The following list explains the various sections on the TLS Encryption report page:

The Inbound SMTP Authentication report page shows the use of client certificates and the SMTP AUTH command to authenticate SMTP sessions between the Email Security appliance and users’ mail clients. If the appliance accepts the certificate or SMTP AUTH command, it will establish a TLS connection to the mail client, which the client will use to send a message. Since it is not possible for the appliance to track these attempts on a per-user basis, the report shows details on SMTP authentication based on the domain name and domain IP address.

Use this report to determine the following information:

• Overall, how many incoming connection use SMTP authentication?

• How many connections use a client certificated?

• How many connections use SMTP AUTH?

• What domains are failing to connect when attempting to use SMTP authentication?

• How many connections are successfully using the fall-back when SMTP authentication fails?

To view the Inbound SMTP Authentication report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > Inbound SMTP Authentication from the Reports drop-down. For more information, see Using the Interactive Report Pages.

The Inbound SMTP Authentication has two different views:

• Domains

• IP Addresses

These views provide a snapshot of the SMTP authentications in the context of the selected view.

The Inbound SMTP Authentication report page includes a graph for received connections, a graph for received recipients who attempted an SMTP authentication connection, and a table with details on the attempts to authenticate connections.

The following list explains the various sections on the Inbound SMTP Authentication report page:

Rate Limiting by envelope sender allows you to limit the number of email message recipients per time interval from an individual sender, based on the mail-from address. The Rate Limits report shows you the senders who most egregiously exceed this limit.

Use this report to help you identify the following:

• Compromised user accounts that might be used to send spam in bulk.

• Out-of-control applications in your organization that use email for notifications, alerts, automated statements, etc.

• Sources of heavy email activity in your organization, for internal billing or resource-management purposes.

• Sources of large-volume inbound email traffic that might not otherwise be considered spam.

To view the Rate Limits report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > Rate Limits from the Reports drop-down. For more information, see Using the Interactive Report Pages.

Note that other reports that include statistics for internal senders (such as Internal Users or Outgoing Senders) measure only the number of messages sent; they do not identify senders of a few messages to a large number of recipients.

The Top Offenders by Incident chart shows the envelope senders who most frequently attempted to send messages to more recipients than the configured limit. Each attempt is one incident. This chart aggregates incident counts from all listeners.

The Top Offenders by Rejected Recipients chart shows the envelope senders who sent messages to the largest number of recipients above the configured limit. This chart aggregates recipient counts from all listeners.

Rate Limiting settings, including “Rate Limit for Envelope Senders” settings, are configured on the Email Security appliance in Mail Policies > Mail Flow Policies. For more information on rate limiting, see the documentation or online help for your Email Security appliance.

Related Topics

High Volume Mail Page

You can use the Connections by Country report page to view:

• Top incoming mail connections based on country of origin in graphical format.

• Total incoming mail connections and messages based on country of origin in tabular format.

To view the Connections by Country report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > Connections by Country from the Reports drop-down. For more information, see Using the Interactive Report Pages.

The following are the scenarios when no country information is displayed for the top and total incoming mail connections:

• The sender IP address belongs to a private IP address.

• The sender IP address does not get a valid SBRS.

If your access privileges allow you to view Message Tracking data for the messages that populate this report, click a blue number link in the table.

From the Connections by Country report page you can export raw data to a CSV file. For information on printing or exporting a file, see the Exporting Reporting and Tracking Data.

The Cisco Domain Protection cloud service interface automatically identifies, monitors and manages messages sent on your behalf. This provides an easy way to identify and eliminate illegitimate email messages and block malicious ones to prevent phishing attacks impersonating your company’s domain. Domain Protection even detects the use of look-alike domains so the malicious URLs can be quickly taken down.

You can use the Monitoring > Domain Protection report page of the new web interface of your appliance to view:

• Summary of messages that are classified as legitimate or threat, in a graphical format.

• Summary of the destination domains details based on the senders, in a tabular format.

Make sure that you have a valid license to access Cisco Domain Protection cloud service interface with Administrator access privileges. To obtain a license, go to the Cisco Domain Protection registration page using the following URL: https://www.cisco.com/c/en/us/buy.html.

If you are already registered to Cisco Domain Protection, enter the following details to authenticate and view the Domain Protection reports on your appliance:

• Client ID: This is the API access UID used to import the reports from the Cisco Domain Protection cloud service.

• Client Secret: This is the API access key used to import the reports from the Cisco Domain Protection cloud service.

To generate API access UID and key, you must log in to the Cisco Domain Protection cloud service and go to Settings > API Client Secret > Generate API Credentials. For more information, see User Guide for Cisco Domain Protection.

Note	To view the Domain Protection report page on the new web interface of your appliance, make sure that trailblazerconfig is enabled on your appliance.

The User Mail Summary report page provides information about the mail sent and received by your internal users per email address. A single user can have multiple email addresses. The email addresses are not combined in the report.

You can use the User Mail Summary report page to view:

• Who is sending the most external email?

• Who receives the most clean email?

• Who receives the largest number of graymail messages?

• Who receives the most spam?

• Who is triggering which content filters?

• Whose email is getting caught by content filters?

To view the User Mail Summary report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > User Mail Summary from the Reports drop-down. For more information, see Using the Interactive Report Pages.

To search for specific information within your data, see Searching and the Interactive Email Report Pages.

The following list explains the various sections on the User Mail Summary report page:

From the User Mail Summary report page you can export raw data to a CSV file. For information on printing or exporting a file, see the Exporting Reporting and Tracking Data.

Note	You can generate a scheduled report for the User Mail Summary page. See the Scheduling Email Reports.

The DLP Incidents (DLP Incident Summary) report page shows information on the incidents of data loss prevention (DLP) policy violations occurring in outgoing mail. The Email Security appliance uses the DLP email policies enabled in the Outgoing Mail Policies table to detect sensitive data sent by your users. Every occurrence of an outgoing message violating a DLP policy is reported as an incident.

Using the DLP Incident Summary report, you can answer these kinds of questions:

• What type of sensitive data is being sent by your users?

• How severe are these DLP incidents?

• How many of these messages are being delivered?

• How many of these messages are being dropped?

• Who is sending these messages?

The DLP Incident Summary page contains two main sections:

• The DLP incident trend graphs summarizing the top DLP incidents by severity (Low, Medium, High, Critical) and policy matches.

• The DLP Incident Details listing.

To view the DLP Incident Summary report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > DLP Incident Summary from the Reports drop-down. For more information, see Using the Interactive Report Pages.

From the DLP Incidents report page you can export raw data to a CSV file. For information on printing or exporting a file, see the Exporting Reporting and Tracking Data.

To search for specific information within your data, see Searching and the Interactive Email Report Pages.

The following list explains the various sections on the DLP Incident Summary report page:

You can use the Web Interaction report page to view:

• Top Malicious URLs clicked by End Users.

• Top Users who clicked on Rewritten Malicious URLs.

• Web Interaction Tracking Details.

Note	Web Interaction report modules are populated only if the Web Interaction Tracking feature is enabled on managed Email Security appliances.

Web Interaction reports are available for incoming and outgoing messages. Only rewritten URLs (either by policy or Outbreak Filter) clicked by the end users are included in these modules.

To view the Web Interaction report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > Web Interaction from the Reports drop-down. For more information, see Using the Interactive Report Pages.

From the Web Interaction report page you can export raw data to a CSV file. For information on printing or exporting a file, see the Exporting Reporting and Tracking Data.

The following list explains the various sections on the Web Interaction report page:

The Remediation Report page displays the remediation results of messages attempted for remediation using Mailbox Auto Remediation and Mailbox Search and Remediate.

On the Security Mangament appliance, click the Monitoring tab and select Mail Flow Summary > User Reports > Remediation Report.

You can use this report to:

• View the messages attempted for remediation using Mailbox Auto Remediation and Mailbox Search and Remediate.

• Know the reason for remediation failure. For example, connections errors, authentication errors, and so on.

The following list explains the various sections on the Remediation Report page:

The Message Filters report page shows information about the top message filter matches (which message filters had the largest number of matching messages) for incoming and outgoing messages.

You can use the Message Filters report page to view:

• Top message filter by number of matches in graphical format.

• Total message filter by number of matches in tabular format.

To view the Message Filters report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > Message Filters from the Reports drop-down. For more information, see Using the Interactive Report Pages.

From the Message Filters report page you can export raw data to a CSV file. For information on printing or exporting a file, see the Exporting Reporting and Tracking Data.

You can use the High Volume Mail report page to:

• Identify attacks involving a large number of messages from a single sender, or with identical subjects, within a moving one-hour period.

• Monitor top domains to ensure that such attacks do not originate in your own domain. If this situation occurs, one or more accounts in your organization may be compromised.

• Help identify false positives so you can adjust your filters accordingly.

You can use the High Volume Mail report page to view:

• Messages with the top subjects in graphical format.

• Messages with the top envelope senders in graphical format.

• Top message filters by number of matches in graphical format.

• Total message filters by number of matches in tabular format.

To view the High Volume Mail report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > High Volume Mail from the Reports drop-down. For more information, see Using the Interactive Report Pages.

From the High Volume Mail report page you can export raw data to a CSV file. For information on printing or exporting a file, see the Exporting Reporting and Tracking Data.

Reports on this page show data only from message filters that use the Header Repeats rule and that pass the number-of-messages threshold that you set in that rule. When combined with other rules, the Header Repeats rule is evaluated last, and is not evaluated at all if the message disposition is determined by a preceding condition. Similarly, messages caught by Rate Limiting never reach Header Repeats message filters. Therefore, some messages that might otherwise be considered high-volume mail may not be included in these reports. If you have configured your filters to include certain messages in allowed list, those messages are also excluded from these reports.

For more information about message filters and the Header Repeats rule, see the online help or user guide for your Email Security appliance.

The Content Filters report page shows information about the top incoming and outgoing content filter matches (which content filter had the most matching messages). The page displays the data as both bar charts and listings. Using the Content Filters report page, you can answer the following types of questions:

• Which content filter is triggered the most by incoming or outgoing mail?

• Who are the top users sending or receiving mail that triggers a particular content filter?

You can use the Content Filter report page to view:

• Top incoming and outgoing content filter matches in graphical format.

• Top incoming and outgoing content filter matches in tabular format.

To view the Content Filters report page on the Security Management appliance, select Email from the Product drop-down and choose Monitoring > Content Filters from the Reports drop-down. For more information, see Using the Interactive Report Pages.

From the Content Filters report page you can export raw data to a CSV file. For information on printing or exporting a file, see the Exporting Reporting and Tracking Data.

Note	Note You can generate a scheduled report for the Content Filter page. See the Scheduling Email Reports.

From the Reports drop-down, select Monitoring > Reporting Data Availability on the new web interface of your appliance to view, update and sort data to provide real-time visibility into resource utilization and email traffic trouble spots.

All data resource utilization and email traffic trouble spots are shown from this page, including the data availability for the overall appliances that are managed by the Security Management appliance.

From this report page you can also view the data availability for a specific appliance and time range.

Graymail statistics are reflected in the following reports:

After upgrade to AsyncOS 9.5:

• The number of marketing messages is the sum of marketing messages detected before and after the upgrade.
• The total number of graymail messages does not include the number of marketing messages detected before the upgrade.
• The total number of attempted messages also includes the number of marketing messages detected before the upgrade.
• If the graymail feature is not enabled on managed Email Security appliances, marketing messages are counted as clean messages.

Two special reports that can be generated in the Email > Reporting section on the Security Management appliance are:

• Domain-Based Executive Summary Report
• Executive Summary Report

• Adding Scheduled Reports on the New Web Interface

• Editing Scheduled Reports on the New Web Interface

• Discontinuing Scheduled Reports on the New Web Interface

• Accessing Archived Reports on the New Web Interface

• Generating Email Reports On Demand

• Deleting Archived Reports on the New Web Interface

Problem

Outbreak Filters reports do not show threat information correctly.

Solution

Verify that the appliance can communicate with the Cisco update servers specified in Management Appliance > System Administration > Update Settings.

Problem

Message tracking results when drilling down from reports do not match expected results.

Solution

This can occur if reporting and tracking are not consistently and simultaneously enabled and functioning properly, or are not consistently and simultaneously either centralized or stored locally on each Email Security appliance. Data for each feature (reporting, tracking) is captured only while that feature is enabled.

Problem

A Web Security appliance and an Email Security appliance sent the same file for analysis, and the AMP Verdict Updates reports for Web and Email show different verdicts for that file.

Solution

This situation is temporary. Results will match once all verdict updates have been downloaded. Allow up to 30 minutes for this to occur.

• File Analysis Report Details Are Not Available
• Error When Viewing File Analysis Report Details
• Error When Viewing File Analysis Report Details with Private Cloud Cisco AMP Threat Grid Appliance
• Logging of File Analysis-Related Errors

Problem

The count of Marketing, Social and Bulk mail exceeds the total number of graymail messages.

Solution

The total number of Marketing Messages includes marketing messages received both before and after upgrade to AsyncOS 9.5, but the total number of graymail messages includes only messages received after upgrade. See Reporting of Marketing Messages after Upgrade to AsyncOS 9.5.