You must enable centralized email reporting on each managed Email Security appliance appliance.

For instructions, see the “Configuring an Email Security Appliance to Use Centralized Reporting” section of the documentation or online help for your Email Security appliance.

Many of the interactive email reporting pages include a ‘Search For:’ drop-down menu at the bottom of the page.

From the drop-down menu, you can search for several types of criteria, including the following:

• IP address
• Domain
• Network owner
• Internal user
• Destination domain
• Internal sender domain
• Internal sender IP address
• Incoming TLS domain
• Outgoing TLS domain

• SHA-256

For most searches, choose whether to exactly match the search text or look for items starting with the entered text (for example, starts with “ex” will match “example.com”).

For IPv4 searches, the entered text is always interpreted as the beginning of up to four IP octets in dotted decimal format. For example, ‘17.*’ will search in the range 17.0.0.0 through 17.255.255.255, so it will match 17.0.0.1 but not 172.0.0.1. For an exact match search, enter all four octets. IP address searches also support Classless Inter-Domain Routing (CIDR) format (17.16.0.0/12).

For IPv6 searches, you can enter addresses using the formats in the following examples:

• 2001:db8:2004:4202::0-2001:db8:2004:4202::ff
• 2001:db8:2004:4202::
• 2001:db8:2004:4202::23
• 2001:db8:2004:4202::/64

The Email > Reporting > Overview page on the Security Management appliance provides a synopsis of the email message activity from your Email Security appliances. The Overview page includes graphs and summary tables for the incoming and outgoing messages.

At a high level the Overview page shows you the incoming and outgoing mail graphs, and well as incoming and outgoing mail summaries.

The mail trend graphs provide a visual representation of the mail flow. You can use the mail trend graphs on this page to monitor the flow of all mail into and out of your appliances.

Note	The Domain-Based Executive Summary Report and the Executive Summary report are based on the Email Reporting Overview Page. For more information, see the Domain-Based Executive Summary Report and Executive Summary Report

The Email > Reporting > Incoming Mailpage on the Security Management appliance provides interactive reporting on the real-time information for all remote hosts connecting to your managed Security Management appliances. You can gather information about the IP addresses, domains, and network owners (organizations) sending mail to your system. You can also perform a Sender Profile search on IP addresses, domains, or organizations that have sent mail to you.

The Incoming Mail Details interactive table displays detailed information about the particular IP address, domain, or network owner (organization). You can access a Sender Profile page for any IP address, domain, or network owner by clicking the corresponding link at the top of the Incoming Mail page, or on other Sender Profile pages.

From the Incoming Mail pages you can:

• Perform a search on IP addresses, domains, or network owners (organizations) that have sent mail to your Security Management appliances. See Searching and the Interactive Email Report Pages.
• View the Sender Groups report to monitor connections according to the specific sender group and mail flow policy actions. See the Sender Groups Report Page for more information.
• See detailed statistics on senders that have sent mail to your appliances. The statistics include the number of attempted messages broken down by security service (sender reputation filtering, anti-spam, anti-virus, and so forth).
• Sort by senders who have sent you a high volume of spam or virus email, as determined by anti-spam or anti-virus security services.
• Use the SenderBase Reputation Service to examine the relationship between specific IP addresses, domains, and organizations to obtain information about a sender.
• Obtain more information about a sender from the SenderBase Reputation Service, including a sender’s SenderBase Reputation Score (SBRS) and which sender group the domain matched most recently. Add senders to sender groups.
• Obtain more information about a specific sender who has sent a high volume of spam or virus email, as determined by the anti-spam or anti-virus security services.

The Sender Groups report page provides a summary of connections by sender group and mail flow policy action, allowing you to review SMTP connection and mail flow policy trends. The Mail Flow by Sender Group listing shows the percentage and number of connections for each sender group. The Connections by Mail Flow Policy Action chart shows the percentage of connections for each mail flow policy action. This page provides an overview of the effectiveness of your Host Access Table (HAT) policies. For more information about the HAT, see the documentation or online help for your Email Security appliance.

To view the Sender Groups report page, select Email > Reporting > Sender Groups.

From the Sender Group Report page you can also generate a PDF or export raw data to a CSV file. For information on printing or exporting a file, see the Understanding the Email Reporting Pages.

Note	You can generate a scheduled report for the Sender Group report page. See the Scheduling Email Reports.

The Email > Reporting > Outgoing Destinations page provides information about the domains that your organization sends mail to.

Use the Outgoing Destinations page to answer the following types of questions:

• Which domains are the Email Security appliances sending mail to?
• How much mail is sent to each domain?
• How much of that mail is clean, spam-positive, virus-positive, malware or stopped by a content filter?
• How many messages are delivered and how many messages are hard-bounced by the destination servers?

The following list explains the various sections on the Outgoing Destinations page:

From the Outgoing Destinations page you can also generate a PDF or export raw data to a CSV file. For information on printing or exporting a file, see the Understanding the Email Reporting Pages.

Note	You can generate a scheduled report for the Outgoing Destinations page. See the Scheduling Email Reports.

The Email > Reporting > Outgoing Senders page provides information about the quantity and type of mail being sent from IP addresses and domains in your network.

Use the Outgoing Senders page to answer the following types of questions:

• Which IP addresses are sending the most virus-positive, or spam-positive or malware email?
• Which IP addresses trigger content filters the most frequently?
• Which domains are sending the most mail?
• What are the total number of recipients that are being processed where a delivery was attempted.

To view the Outgoing Senders page, perform the following:

You can see the results of the Outgoing senders with two types of views:

• Domain: This view allows you to see the volume of mail that is being sent by each domain
• IP address: This view allows you to see which IP addresses are sending the most virus messages or triggering content filters.

The following list explains the various sections on the Outgoing Senders page for both views:

Note	This page does not display information about message delivery. To track delivery information, such as the number of messages from a particular domain that were bounced, log in to the appropriate Email Security appliance and choose Monitor > Delivery Status.

From the Outgoing Senders page you can also generate a PDF or export raw data to a CSV file. For information on printing or exporting a file, see the Understanding the Email Reporting Pages.

Note	You can generate a scheduled report for the Outgoing Senders page. See the Scheduling Email Reports.

The Email > Reporting > Internal Users page provides information about the mail sent and received by your internal users per email address. A single user can have multiple email addresses. The email addresses are not combined in the report.

Use the Internal Users interactive report page to answer these types of questions:

• Who is sending the most external email?
• Who receives the most clean email?
• Who receives the largest number of graymail messages?
• Who receives the most spam?
• Who is triggering which content filters?
• Whose email is getting caught by content filters?

From the Internal Users page you can also generate a PDF or export raw data to a CSV file. For information on printing or exporting a file, see the Understanding the Email Reporting Pages.

Note	You can generate a scheduled report for the Internal Users page. See the Scheduling Email Reports.

The Email > Reporting > DLP Incidents (DLP Incident Summary) page shows information on the incidents of data loss prevention (DLP) policy violations occurring in outgoing mail. The Email Security appliance uses the DLP email policies enabled in the Outgoing Mail Policies table to detect sensitive data sent by your users. Every occurrence of an outgoing message violating a DLP policy is reported as an incident.

Using the DLP Incident Summary report, you can answer these kinds of questions:

• What type of sensitive data is being sent by your users?
• How severe are these DLP incidents?
• How many of these messages are being delivered?
• How many of these messages are being dropped?
• Who is sending these messages?

The DLP Incident Summary page contains two main sections:

• the DLP incident trend graphs summarizing the top DLP incidents by severity (Low, Medium, High, Critical) and policy matches,
• the DLP Incident Details listing

Click the name of a DLP policy to view detailed information on the DLP incidents detected by the policy. You can use this method to get a list of users who sent mail that contained sensitive data detected by the policy.

The Message Filters page shows information about the top message filter matches (which message filters had the largest number of matching messages) for incoming and outgoing messages.

You can use the Geo Distribution report page to view:

• Top incoming mail connections based on country of origin in graphical format.

• Total incoming mail connections based on country of origin in tabular format.

The following are the scenarios when no country information is displayed for the top and total incoming mail connections:

• The sender IP address belongs to a private IP address

• The sender IP address does not get a valid SBRS.

Use reports on this page to:

• Identify attacks involving a large number of messages from a single sender, or with identical subjects, within a moving one-hour period.
• Monitor top domains to ensure that such attacks do not originate in your own domain. If this situation occurs, one or more accounts in your organization may be compromised.
• Help identify false positives so you can adjust your filters accordingly.

Reports on this page show data only from message filters that use the Header Repeats rule and that pass the number-of-messages threshold that you set in that rule. When combined with other rules, the Header Repeats rule is evaluated last, and is not evaluated at all if the message disposition is determined by a preceding condition. Similarly, messages caught by Rate Limiting never reach Header Repeats message filters. Therefore, some messages that might otherwise be considered high-volume mail may not be included in these reports. If you have configured your filters to whitelist certain messages, those messages are also excluded from these reports.

For more information about message filters and the Header Repeats rule, see the online help or user guide for your Email Security appliance.

The Email > Reporting > Content Filters page shows information about the top incoming and outgoing content filter matches (which content filter had the most matching messages). The page displays the data as both bar charts and listings. Using the Content Filters page, you can review your corporate policies on a per-content-filter or per-user basis and answer the following types of questions:

• Which content filter is triggered the most by incoming or outgoing mail?
• Who are the top users sending or receiving mail that triggers a particular content filter?

To view more information about a specific filter, click the name of the filter. The Content Filter Details page appears. For more information on Content Filter details page, see the Content Filter Details Page.

If your access privileges allow you to view Message Tracking data: To view Message Tracking details for the messages that populate this report, click a blue number link in the table.

From the Content Filters page you can also generate a PDF or export raw data to a CSV file. For information on printing or exporting a file, see the Understanding the Email Reporting Pages.

Note	You can generate a scheduled report for the Content Filter page. See the Scheduling Email Reports.

The DMARC Verification page shows the top sender domains that failed Domain-based Message Authentication, Reporting and Conformance (DMARC) verification, and a summary of the actions taken for incoming messages from each domain. You can use this report to fine-tune your DMARC settings and answer these kinds of questions:

• Which domains sent the most messages that failed DMARC verification?
• For each domain, what actions were taken on messages that failed DMARC verification?

For more information about DMARC verification, see the Email Authentication chapter in the online help or user guide for your Email Security appliance.

You can use the Macro Detection report page to view:

• Top Incoming Macro-Enabled Attachments by File Type in graphical and tabular format.

• Top Outgoing Macro-Enabled Attachments by File Type in graphical and tabular format.

You can click on the number of macro-enabled attachments to view the related messages in Message Tracking.

Note

During report generation: If one or more macros are detected within an archive file, the Archive Files file type is incremented by one. The number of macro-enabled attachments within an archive file are not counted. If one or more macros are detected within an embedded file, the parent file type is incremented by one. The number of macro-enabled attachments within an embedded file are not counted.

The Email > Reporting > Virus Types page provides an overview of the viruses that are sent to and from your network. The Virus Types page displays the viruses that have been detected by the virus scanning engines running on the Email Security appliances and are displayed on the Security Management appliance. Use this report to take action against a particular virus. For example, if you see that you are receiving a high volume of viruses known to be embedded in PDF files, you can create a filter action to quarantine messages with PDF attachments.

Note	Outbreak Filters can quarantine these types of virus-infected messages with no user intervention.

If you run multiple virus scanning engines, the Virus Types page includes results from all enabled virus scanning engines. The name of the virus that appears on the page is determined by the virus scanning engines. If more than one scanning engine detects a virus, it is possible to have more than one entry for the same virus.

Note

To see which hosts sent virus-infected messages to your network, go to the Incoming Mail page, specify the same reporting period, and sort by virus positive. Similarly, to see which IP addresses have sent virus positive email within your network, view the Outgoing Senders page and sort by virus positive messages.

From the Virus Types page you can also generate a PDF or export raw data to a CSV file. For information on printing or exporting a file, see the Understanding the Email Reporting Pages.

Note	You can generate a scheduled report for the Virus Types page. See the Scheduling Email Reports.

• URL Filtering report modules are populated only if URL filtering is enabled.
• URL Filtering reports are available for incoming and outgoing messages.
• Only messages that are scanned by the URL filtering engine (either as part of anti-spam/outbreak filter scanning or through message/content filters) are included in these modules. However, not all of the results are necessarily specifically attributable to the URL Filtering feature.
• The Top URL Categories module includes all categories found in messages that have been scanned, whether or not they match a content or message filter.
• Each message can be associated with only one reputation level. For messages with multiple URLs, the statistics reflect the lowest reputation of any URL in the message.
• URLs in the global whitelist configured at Security Services > URL Filtering are not included in reports.

  URLs in whitelists used in individual filters are included in reports.

• Malicious URLs are URLs that Outbreak Filters have determined to have poor reputation. Neutral URLs are those that Outbreak Filters have determined to require click-time protection. Neutral URLs have therefore been rewritten to redirect them to the Cisco Web Security proxy.
• Results of URL category-based filters are reflected in content and message filter reports.
• Results of click-time URL evaluations by the Cisco Web Security proxy are not reflected in reports.

• Web Interaction Tracking report modules are populated only if the Web Interaction Tracking feature is enabled on managed Email Security appliances.
• Web Interaction Tracking reports are available for incoming and outgoing messages.
• Only rewritten URLs (either by policy or Outbreak Filter) clicked by the end users are included in these modules.
• Web Interaction Tracking page includes the following reports:
  Top Rewritten Malicious URLs clicked by End Users. Click on a URL to view a detailed report that contains the following information:

  • A list of end users who clicked on the rewritten malicious URL.
  • Date and time at which the URL was clicked.
  • Whether the URL was rewritten by a policy or an outbreak filter.
  • Action taken (allow, block, or unknown) when the rewritten URL was clicked. Note that, if a URL was rewritten by outbreak filter and the final verdict is unavailable, the status is shown as unknown.

    Note	Due to a limitation, status of all outbreak rewritten URLs are shown as unknown.

  Top End Users who clicked on Rewritten Malicious URLs

  Tracking Web Interaction Details. Includes the following information:

  • A list of all the rewritten URLs (malicious and unmalicious). Click on a URL to view a detailed report.
  • Action taken (allow, block, or unknown) when a rewritten URL was clicked.

    If the verdict of a URL (clean or malicious) was unknown at the time when the end user clicked it, the status is shown as unknown. This could be because the URL was under further scrutiny or the web server was down or not reachable at the time of the user click.

  • The number of times end users clicked on a rewritten URL. Click a number to view a list of all messages that contain the clicked URL.
• Note the following:
  • If you have configured a content or message filter to deliver messages after rewriting malicious URLs and notify another user (for example, an administrator), the web interaction tracking data for the original recipient is incremented if the notified user clicks on the rewritten URLs.
  • If you are sending a copy of quarantined messages containing rewritten URLs to a user other than the original recipient (for example, to an administrator) using the web interface, the web interaction tracking data for the original recipient is incremented if the other user clicks on the rewritten URLs.

• The Forged Email Detection page includes the following reports:
  • Top Forged Email Detection. Displays the top ten users in the content dictionary that matched the forged From: header in the incoming messages.
  • Forged Email Detection Details. Displays a list of all the users in the content dictionary that matched the forged From: header in the incoming messages and for a given user, the number of messages matched.
• The Forged Email Detection reports are populated only if you are using the Forged Email Detection content filter or the forged-email-detection message filter.

• Requirements for File Analysis Report Details
• Identifying Files by SHA-256 Hash
• File Reputation and File Analysis Report Pages
• Viewing File Reputation Filtering Data in Other Reports
• For Which Files Are Detailed File Analysis Results Visible in the Cloud?

Requirements for File Analysis Report Details

• (Cloud File Analysis) Ensure That the Management Appliance Can Reach the File Analysis Server
• (Cloud File Analysis) Configure the Management Appliance to Display Detailed File Analysis Results
• (On-Premises File Analysis) Activate the File Analysis Account
• Additional Requirements

(Cloud File Analysis) Ensure That the Management Appliance Can Reach the File Analysis Server

In order to obtain File Analysis report details, the appliance must be able to connect to the File Analysis server over port 443. See details in Firewall Information

If your Cisco Content Security Management appliance does not have a direct connection to the internet, configure a proxy server for this traffic (See Upgrade and Update Settings.) If you have already configured the appliance to use a proxy to obtain upgrades and service updates, the existing settings are used.

If you use an HTTPS proxy, the proxy must not decrypt the traffic; use a pass-through mechanism for communications with the File Analysis server. The proxy server must trust the certificate from the Fire Analysis server, but need not provide its own certificate to the File Analysis server.

(Cloud File Analysis) Configure the Management Appliance to Display Detailed File Analysis Results

In order to allow all content security appliances in your organization to display detailed results in the cloud about files sent for analysis from any Cisco Email Security appliance or Cisco Web Security appliance in your organization, you need to join all appliances to the same appliance group.

---

Step 1	[New Web Interface Only] On the Cloud Email Security Management Console, click on the gear icon to load the legacy web interface.
Step 2	Select Management Appliance > Centralized Services > Security Appliances.
Step 3	Scroll to the File Analysis section.
Step 4	If your managed appliances are pointed at different File Analysis cloud servers, select the server from which to display result details. Result details will not be available for files processed by any other cloud server.
Step 5	Enter the Analysis Group ID. If you enter the Group ID incorrectly or need to change it for any other reason, you must open a case with Cisco TAC. This change takes effect immediately; it does not require a Commit. It is suggested to use your CCOID for this value. This value is case-sensitive. This value must be identical on all appliances that will share data about files that are uploaded for analysis. An appliance can belong to only one group. You can add a machine to a group at any time, but you can add it only once.
Step 6	Click Group Now.
Step 7	Configure the same group on each Email Security appliance that will share data with this appliance.

---

What to Do Next

Related Topics

For Which Files Are Detailed File Analysis Results Visible in the Cloud?

(On-Premises File Analysis) Activate the File Analysis Account

If you have deployed an on-premises (private cloud) Cisco AMP Threat Grid Appliance, you must activate the File Analysis account for your Cisco Content Security Management appliance in order to view report details available on the Threat Grid appliance. You generally only need to do this once.

Before You Begin

Ensure that you are receiving System alerts at Critical level.

---

Step 1	The first time you attempt to access File Analysis report details from the Threat Grid appliance, wait a few minutes and you will receive an alert that includes a link. If you do not receive this alert, go to Management Appliance > System Administration > Alerts and click View Top Alerts.
Step 2	Click the link in the alert message.
Step 3	Activate your management appliance account.

---

Additional Requirements

For any additional requirements, see the Release Notes for your Security Management appliance release, available from http:/​/​www.cisco.com/​c/​en/​us/​support/​security/​content-security-management-appliance/​products-release-notes-list.html

Identifying Files by SHA-256 Hash

Because filenames can easily be changed, the appliance generates an identifier for each file using a Secure Hash Algorithm (SHA-256). If an appliance processes the same file with different names, all instances are recognized as the same SHA-256. If multiple appliances process the same file, all instances of the file have the same SHA-256 identifier.

In most reports, files are listed by their SHA-256 value (in an abbreviated format).

File Reputation and File Analysis Report Pages

Report	Description
Advanced Malware Protection	Shows file-based threats that were identified by the file reputation service. For files with changed verdicts, see the AMP Verdict updates report. Those verdicts are not reflected in the Advanced Malware Protection report. If a file extracted from a compressed or archived file is malicious, only the SHA value of the compressed or archived file is included in the Advanced Malware Protection report. Note    From AsyncOS 9.6.5 onwards, Advanced Malware Protection report has been enhanced to display additional fields, graphs, and so on. The report displayed after the upgrade does not include the reporting data prior to the upgrade. To view the Advanced Malware Protection report prior to AsyncOS 9.6.5 upgrade, click on the hyperlink at the bottom of the page. The Incoming Malware Files by Category section shows the percentage of blacklisted file SHAs received from the AMP for Endpoints console that are categorised as Custom Detection. The threat name of a blacklisted file SHA obtained from AMP for Endpoints console is displayed as Simple Custom Detection in the Incoming Malware Threat Files section of the report. You can click on the link in the More Details section of the report to view the file trajectory details of a blacklisted file SHA in the AMP for Endpoints console You can view the Low Risk verdict details in the Incoming Files Handed by AMP section of the report.
Advanced Malware Protection File Analysis	Displays the time and verdict (or interim verdict) for each file sent for analysis. The appliance checks for analysis results every 30 minutes. To view more than 1000 File Analysis results, export the data as a .csv file. For deployments with an on-premises Cisco AMP Threat Grid Appliance: Files that are whitelisted on the AMP Threat Grid appliance show as "clean." For information about whitelisting, see the AMP Threat Grid documentation or online help. Drill down to view detailed analysis results, including the threat characteristics for each file. You can also search for additional information about an SHA, or click the link at the bottom of the file analysis details page to view additional details on the server that analyzed the file. To view details on the server that analyzed a file, see Requirements for File Analysis Report Details. If a file extracted from a compressed or archived file is sent for analysis, only the SHA value of the extracted file is included in the File Analysis report. Note    From AsyncOS 9.6.5 onwards, File Analysis report has been enhanced to display additional fields, graphs, and so on. The report displayed after the upgrade does not include the reporting data prior to the upgrade. To view the File Analysis report prior to AsyncOS 9.6.5 upgrade, click on the hyperlink at the bottom of the page.
Advanced Malware Protection Verdict Updates	Because Advanced Malware Protection is focused on targeted and zero-day threats, threat verdicts can change as aggregated data provides more information. The AMP Verdict Updates report lists the files processed by this appliance for which the verdict has changed since the message was received. For more information about this situation, see the documentation for your Email Security appliance. To view more than 1000 verdict updates, export the data as a .csv file. In the case of multiple verdict changes for a single SHA-256, this report shows only the latest verdict, not the verdict history. To view all affected messages for a particular SHA-256 within the maximum available time range (regardless of the time range selected for the report) click a SHA-256 link.

Viewing File Reputation Filtering Data in Other Reports

Data for file reputation and analysis is available in other reports where relevant. A Detected by Advanced Malware Protection column may be hidden by default in applicable reports. To display additional columns, click the Columns link at the bottom of the table.

For Which Files Are Detailed File Analysis Results Visible in the Cloud?

If you have deployed public-cloud File Analysis, you can view detailed results for all files uploaded from any managed appliance that has been added to the appliance group for File Analysis.

If you have added your management appliance to the group, you can view the list of managed appliances in the group by clicking the button on the Management Appliance > Centralized Services > Security Appliances page.

Appliances in the analysis group are identified by the File Analysis Client ID. To determine this identifier for a particular appliance, look in the following location:

Appliance	Location of File Analysis Client ID
Email Security appliance	Advanced Settings for File Analysis section on the Security Services > File Reputation and Analysis page.
Web Security appliance	Advanced Settings for File Analysis section on the Security Services > Anti-Malware and Reputation page.
Cisco Content Security Management appliance	At the bottom of the Management Appliance > Centralized Services > Security Appliances page.

Related Topics

• (Cloud File Analysis) Configure the Management Appliance to Display Detailed File Analysis Results

Outbreak Filters Page

The Email > Reporting > Outbreak Filters page shows information about recent outbreaks and messages quarantined due to Outbreak Filters. You can use this page to monitor your defense against targeted virus, scam, and phishing attacks.

Use the Outbreak Filters page to answer the following types of questions:

• How many messages are quarantined and by which Outbreak Filters rule?
• How much lead time has the Outbreak Filters feature been providing for virus outbreaks?
• How do the local outbreaks compare to the global outbreaks?
• How long do messages stay in the Outbreak Quarantine?
• Which potentially malicious URLs are most frequently seen?

The Threats By Type section shows the different types of threat messages received by the appliance. The Threat Summary section shows a breakdown of the messages by Virus, Phish, and Scam.

The Past Year Outbreak Summary lists global as well as local outbreaks over the past year, allowing you to compare local network trends to global trends. The listing of global outbreaks is a superset of all outbreaks, both viral and non-viral, whereas local outbreaks are limited to virus outbreaks that have affected your appliance. Local outbreak data does not include non-viral threats. Global outbreak data represents all outbreaks detected by the Threat Operations Center which exceeded the currently configured threshold for the outbreak quarantine. Local outbreak data represents all virus outbreaks detected on this appliance which exceeded the currently configured threshold for the outbreak quarantine. The Total Local Protection Time is always based on the difference between when each virus outbreak was detected by the Threat Operations Center and the release of an anti-virus signature by a major vendor. Note that not every global outbreak affects your appliance. A value of “--” indicates either a protection time does not exist, or the signature times were not available from the anti-virus vendors (some vendors may not report signature times). This does not indicate a protection time of zero, rather it means that the information required to calculate the protection time is not available.

The Quarantined Messages section summarizes Outbreak Filters quarantining, and is a useful gauge of how many potential threat messages Outbreak Filters are catching. Quarantined messages are counted at time of release. Typically, messages will be quarantined before anti-virus and anti-spam rules are available. When released, they will be scanned by the anti-virus and anti-spam software and determined to be positive or clean. Because of the dynamic nature of Outbreak tracking, the rule under which a message is quarantined (and even the associated outbreak) may change while the message is in the quarantine. Counting the messages at the time of release (rather than the time of entry into the quarantine) avoids the confusion of having counts that increase and decrease.

The Threat Details listing displays information about specific outbreaks, including the threat category (virus, scam, or phishing), threat name, a description of the threat, and the number of messages identified. For virus outbreaks, the Past Year Virus Outbreaks include the Outbreak name and ID, time and date a virus outbreak was first seen globally, the protection time provided by Outbreak filters, and the number of quarantined messages. You can choose whether to view global or local outbreaks.

The First Seen Globally time is determined by the Threat Operations Center, based on data from the SenderBase, the world’s largest email and web traffic monitoring network. The Protection Time is based on the difference between when each threat was detected by the Threat Operations Center and the release of an anti-virus signature by a major vendor.

A value of “--” indicates either a protection time does not exist, or the signature times were not available from the anti-virus vendors (some vendors may not report signature times). This does not indicate a protection time of zero. Rather, it means that the information required to calculate the protection time is not available.

Other modules on this page provide:

• The number of incoming messages processed by Outbreak Filters in the selected time period.

Non-viral threats include phishing emails, scams, and malware distribution using links to an external website.

• Severity of threats caught by Outbreak Filters.

Level 5 threats are severe in scope or impact, while Level 1 represents low threat risk. For descriptions of threat levels, see the online help or user guide for your Email Security appliance.

• Length of time messages spent in the Outbreak Quarantine.

This duration is determined by the time it takes the system to compile enough data about the potential threat to make a verdict on its safety. Messages with viral threats typically spend more time in the quarantine than those with non-viral threats, because they must wait for anti-virus program updates. The maximum retention time that you specify for each mail policy is also reflected.

• The URLs most frequently rewritten to redirect message recipients to the Cisco Web Security Proxy for click-time evaluation of the site if and when the recipient clicks a potentially malicious link in a message.

This list may include URLs that are not malicious, because if any URL in a message is deemed malicious, then all URLs in the message are rewritten.

Note	In order to correctly populate the tables on the Outbreak Filters reporting page, the appliance must be able to communicate with the Cisco update servers specified in Management Appliance > System Administration > Update Settings.

For more information, see the Outbreak Filters chapter.

System Capacity Page

The Email > Reporting > System Capacity page provides a detailed representation of the system load, including messages in the work queue, incoming and outgoing messages (volume, size, and number), overall CPU usage, CPU usage by function, and memory page swapping information.

The System Capacity page can be used to determine the following information:

• Identify when Email Security appliances are exceeding recommended capacity; this enables you to determine when configuration optimization or additional appliances are needed.
• Identify historical trends in system behavior that point to upcoming capacity issues.
• For troubleshooting, identify which parts of the system are using the most resources.

Monitor your Email Security appliances to ensure that the capacity is appropriate to your message volumes. Over time, volume inevitably rises and appropriate monitoring ensures that additional capacity or configuration changes can be applied proactively. The most effective way to monitor system capacity is to track the overall volume, the messages in the work queue, and the incidents of Resource Conservation Mode.

• Volume:It is important to understand the “normal” message volume and the “usual” spikes in your environment. Track this data over time to measure volume growth. You can use the Incoming Mail and Outgoing Mail pages to track volume over time. For more information, see System Capacity – Incoming Mail and System Capacity – Outgoing Mail.
• Work Queue: The work queue is designed to work as a “shock absorber”— absorbing and filtering spam attacks and processing unusual increases in non-spam messages. However, the work queue can also indicate a system under stress. Prolonged and frequent work queue backups may indicate a capacity problem. You can use the System Capacity – Workqueue page to track the activity in your work queue. For more information, see System Capacity – Workqueue.
• Resource Conservation Mode: When an appliance becomes overloaded, it enters Resource Conservation Mode (RCM) and sends a CRITICAL system alert. This is designed to protect the device and allow it to process any backlog of messages. Your appliance should enter RCM infrequently and only during a very large or unusual increase in mail volume. Frequent RCM alerts may be an indication that the system is becoming overloaded. See Resource Conservation Activity.

• How to Interpret the Data You See on System Capacity Page
• System Capacity – Workqueue
• System Capacity – Incoming Mail
• System Capacity – Outgoing Mail
• System Capacity – System Load
• System Capacity – All
• Threshold Indicator in System Capacity Graphs

How to Interpret the Data You See on System Capacity Page

When choosing time ranges for viewing data on the System Capacity page, the following is important to remember:

• Day Report— The Day report queries the hour table and displays the exact number of queries that have been received by the appliance on an hourly basis over a 24 hour period. This information is gathered from the hour table. This is an exact number.
• Month Report— The Month report queries the day tables for the 30 or 31 days (dependent on the number of days in the month), giving you an exact report on the number of queries over 30 or 31 days. Again, this is an exact number.

The ‘Maximum’ value indicator on the System Capacity page is the highest value seen for the specified period. The ‘Average’ value is the average of all values for the specified period. The period of aggregation depends on the interval selected for that report. For example, you can choose to see the Average and Maximum values for each day if the chart is for a month period.

You can click the View Details link for a specific graph to view data for individual Email Security appliances and overall data for the appliances connected to the Security Management appliance.

System Capacity – Workqueue

The Workqueue page shows the average time a message spends in the work queue, excluding any time spent in the Spam quarantine or in a policy, virus, or outbreak quarantine. You can view time periods from an hour up to one month. This average can help in identifying both short term events delaying mail delivery and identify long term trends in the workload on the system.

Note	If a message is released from the quarantine into the work queue, the “average time in work queue” metric ignores this time. This prevents double-counting and distorted statistics due to extended time spent in a quarantine.

The report also shows the volume of messages in the work queue over a specified time period, and it shows the maximum messages in the work queue over the same time period. The graphical representation of the maximum messages in the work queue also shows the work queue threshold level.

Occasional spikes in the Workqueue graphs are normal and expected. If the messages in the work queue remain higher than the configured threshold for a long duration, this may indicate a capacity issue. In this scenario, consider tuning the threshold level or review the system configuration.

To change the work queue threshold level, see Adjusting the Reference Threshold in System Health Graphs for Email Security Appliances.

Tip	When reviewing the work queue page, you may want to measure the frequency of work queue backups, and take note of work queue backups that exceed 10,000 messages.

System Capacity – Incoming Mail

The System Capacity – Incoming Mail page shows incoming connections, the total number of incoming messages, the average message size, and the total incoming message size. You can view the results for a day, week, month, or year. It is important to understand the trends of normal message volume and spikes in your environment. You can use the System Capacity – Incoming Mail page to track volume growth over time and plan for system capacity. You might also want to compare the incoming mail data with the sender profile data to view the trends in volumes of email messages that are sent from specific domains to your network.

Note	An increased number of incoming connections may not necessarily affect system load.

System Capacity – Outgoing Mail

The System Capacity – Outgoing Mail page shows outgoing connections, the total number of outgoing messages, the average message size, and the total outgoing message size. You can view the results for a day, week, month, or year. It is important to understand the trends of normal message volume and spikes in your environment. You can use the System Capacity – Outgoing Mail page to track volume growth over time and plan for system capacity. You might also want to compare the outgoing mail data with the outgoing destinations data to view the trends in volumes of email messages that are sent from specific domains or IP addresses.

System Capacity – System Load

The system load report shows the following:

• Overall CPU Usage
• Memory Page Swapping
• Resource Conservation Activity

Overall CPU Usage

Email Security appliances are optimized to use idle CPU resources to improve message throughput. High CPU usage may not indicate a system capacity problem. If the high CPU usage is coupled with consistent, high-volume memory page swapping, you may have a capacity problem.

Note

This graph also indicates a threshold for CPU usage that is a visual reference only. To adjust the position of this line, see Adjusting the Reference Threshold in System Health Graphs for Email Security Appliances. You can configure your Email Security appliances to send you alerts that will suggest actions that you can take to address capacity issues.

This page also shows a graph that displays the amount of CPU used by different functions, including mail processing, spam and virus engines, reporting, and quarantines. The CPU-by-function graph is a good indicator of which areas of the product use the most resources on your system. If you need to optimize your appliance, this graph can help you determine which functions may need to be tuned or disabled.

Memory Page Swapping

The memory page swapping graph shows how frequently the system must page to disk, in kilobytes per second.

The system is designed to swap memory regularly, so some memory swapping is expected and is not an indication of problems with your appliance. Unless the system consistently swaps memory in high volumes, memory swapping is normal and expected behavior (especially on C170appliances). To improve performance, you may need to add Email Security appliances to your network or tune your configuration to ensure maximum throughput.

Note

This graph also indicates a threshold for memory page swapping that is a visual reference only. To adjust the position of this line, see Adjusting the Reference Threshold in System Health Graphs for Email Security Appliances. You can configure your Email Security appliances to send you alerts that will suggest actions that you can take to address capacity issues.

Resource Conservation Activity

The resource conservation activity graph shows the number of times the Email Security appliance entered Resource Conservation Mode (RCM). For example, if the graph shows n times, it means that the appliance has entered RCM n times and exited at least n-1 times.

Your appliances should enter RCM infrequently and only during a very large or unusual increase in mail volume. If the Resource Conservation Activity graph shows that your appliance is entering RCS frequently, it may be an indication that the system is becoming overloaded.

System Capacity – All

The All page consolidates all the previous system capacity reports onto a single page so you can view the relationship between the different reports. For example, you might see that the message queue is high at the same time that excessive memory swapping takes place. This might be an indication that you have a capacity problem. You may want to save this page as a PDF file to preserve a snapshot of system performance for later reference (or to share with support staff).

Threshold Indicator in System Capacity Graphs

In some graphs, a line indicates the default value that may indicate a possible problem if it is frequently or consistently crossed. To adjust this visual indicator, see Adjusting the Reference Threshold in System Health Graphs for Email Security Appliances.