Cloud App Security provides many options to save or view log data after performing a search.
The following illustration and table explain the options available underneath the Search bar.
Figure: Log Result Options

Log Result Option Descriptions

Option
Description
log-search-options-s.jpg
Save the log data as a report to view at a later time.
log-search-options-e.jpg
Export the log data as a CSV file to view as a spreadsheet or to import into another product.
  • Select Current View to export all log records in the current view.
  • Select All Records to export all log records of the selected type. A maximum of 10,000 records can be exported each time.
log-search-options-p.jpg
Preview the log data in the browser before saving it as a report.
log-search-options-t.jpg
View the log data in a chart or tabular format.
The following illustration explains how to sort log data.
Figure: Log Data Sorting Options
Sort log data in ascending or descending order in either of the following ways:
  • Click the title area of a column as necessary.
  • Click the down arrow at the right of the title area of a column, and then click Sort Ascending or Sort Descending as necessary.
Note
Sorting is not supported for certain columns, for example, Summary Report in the Virtual Analyzer log type, Security Risk Name in the Security Risk Scan log type, and Ransomware Name in the Ransomware log type.
To cancel the current sorting, click the title area of another column to re-sort the log data, or click the down arrow at the right of the title area and then click Remove Sort.
To hide a column, click the down arrow at the right of its title area, and then click Hide Column.
To unhide a hidden column, click the title area of another column.
The following illustration explains how to view a triggered policy or quarantined items related to an affected user.
Figure: Link to Policy and Quarantine Options
Under Affected User in the log detail area, click the account name of a log item. The Quarantine page opens and the quarantined items related to this affected user appear.
Under Triggered Policy in the log detail area, click the policy name of a log item. The policy setting page corresponding to this policy appears.
The following illustration explains how to view the BEC report if an email message is detected as a BEC attack.
Figure: BEC Report Option
  1. Select Security Risk Scan from the Type drop-down list, and select Exchange Online or Gmail in the Scan Source log facet.
  2. Under Security Risk Name in the log detail area, hover over the item that contains the BEC spam category. The BEC Report appears, showing the possible reasons why the email message is considered a BEC attack.
Note
Cloud App Security can classify an email message under more than one spam category. In this case:
  • Spam categories are listed by priority of action set for each category.
  • Spam categories at the same priority of action are listed by their impact on users according to the result from Trend Micro Antispam Engine.
The following illustration explains how to view a comprehensive report for each Predictive Machine Learning detection.
Figure: Predictive Machine Learning Log Details Option
  1. Select Security Risk Scan from the Type drop-down list, and select Predictive Machine Learning in the Detected by log facet.
  2. Under Detected by in the log detail area, click the Predictive Machine Learning link.
    The Predictive Machine Learning Log Details screen appears, consisting of two sections:
    • Top banner: Specific details related to this particular detection
    • Bottom tab controls: Details related to the Predictive Machine Learning threat, including threat probability scores, probable threat types, and file information.

Log Details - Top Banner

Section
Description
Detection name
Indicates the name of the Predictive Machine Learning detection
Detection time / Action
Indicates when this specific detection occurred and the action taken on the threat
File name
Indicates the name of the file that triggered the detection
Note
Click Add to Exception List to quickly add the SHA-1 hash value of the affected file to the global Predictive Machine Learning Exception List.
View the entire exception list from Administration > Global Settings > Predictive Machine Learning Exception List.
Affected User
For Exchange Online and Gmail: Displays the mailbox of a protected user that received or sent an email message triggering the detection
For SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Displays the user account that uploaded or modified a file triggering the detection
For Salesforce: Displays the user account that updated an object record violating a policy
For Teams Chat: Displays the user that sent a private chat message violating a policy

Log Details - Tab Information

Tab
Description
Threat Indicators
Provides the results of the Predictive Machine Learning analysis
  • Threat Probability: Indicates how closely the file matches the malware model
  • Probable Threat Type: Indicates the most likely type of threat contained in the file after Predictive Machine Learning compared the analysis to other known threats
  • Similar Known Threats: Provides a list of known threat types that exhibit similar file features to the detection
File Details
Provides general details about the file properties for this specific detection log
(Exchange Online only) The following illustration explains how to manage a quarantined email message from the Logs screen.
Figure: Quarantined Item Management Option
  1. Select Security Risk Scan from the Type drop-down list, select Exchange Online in the Scan Source log facet, select Quarantine in the Action log facet, and specify other log facets as necessary.
  2. Under Action in the log detail area, click Quarantine for an item.
  3. On the screen that appears, select the item and restore, download, or delete it as necessary.
    Note
    If there is no item shown on the screen, the quarantined item may have already been restored or deleted. Click >> Back to Logs and select the Quarantine log type to view detailed information.
  4. Click >> Back to Logs.
    The Logs screen appears, displaying the previously configured search criterion and the search result.
(Exchange Online - Inline Mode only) The following describes how to view the email tracking logs for an email that has been redirected to users other than the originally intended recipients.
  1. Select Data Loss Prevention from the Type drop-down list, select Exchange Online (Inline Mode) in the Scan Source log facet, select Change Recipient in the Action log facet, and specify other log facets as necessary.
  2. Under Action in the log details area, click Change Recipient for an item.
    On the screen that appears, you can find the email tracking logs for this email, including information about both the user that the email is redirected to and the originally intended recipients.
The following describes how to view the Virtual Analyzer report for detected malicious files or URLs.
  1. Select Virtual Analyzer from the Type drop-down list, and select Malicious files or Malicious URLs from the Threat Type log facet.
  2. Under Summary Report, click Download Report.
The following describes how to view source information about ransomware.
  1. Select Ransomware from the Type drop-down list.
  2. Under Ransomware Name, hover over a ransomware threat to view the domain, IP, and location information about the ransomware.