Complete the following tasks before you configure URL Threat Analysis. See Configure URL Threat Analysis for steps to connect the DD Analyzer device and enable URL Threat Analysis.
- SMS v4.6.0 or later
- Use devices that support HTTP metadata collection, which includes the following versions:
  - TPS (440T or 2200T) — TOS v4.2.0 or later
  - TPS (1100TX or 5500TX) — TOS v5.2.0 or later
  - TPS (8200TX or 8400TX) — TOS v5.0.0 or later
  - TPS (8600TXE) — TOS v6.0.0 or later
  - TPS (9200TXE) — TOS v6.0.0 or later
- DD Analyzer — v5.5.0 or later
- Ensure that TCP port 443 is available so that the SMS can send event URLs to the DD Analyzer. See Ports for more information about the SMS network ports.
- Configure one or more profiles to generate events with URL data using the following steps:
  - Navigate to .
  - In the Details tab, click Edit Details.
  - Select HTTP Context.
  - Click OK to configure the profile to extract HTTP metadata from filter alerts.
  - Distribute the profile. See Profile distribution for more information.
- Review the filter settings for your profile. Trend recommends including action sets with + Notify.
- Save an inspection event query in . When creating a saved inspection event query, keep the following information in mind:
  - Include any parameters that create a set of events with URLs that you want to send to the DD device to analyze.
  - Trend recommends that you include Events with suspicious URL metadata. In Filter Criteria, under Suspicious URL Metadata, select Include.
    Note
    The correct DV is required to enable the Suspicious URL Metadata field. Activate the DV after you upgrade the SMS. For more information on the correct DV version for your product, see the SMS Release Notes on the TMC at https://tmc.tippingpoint.com/.
  - When you modify the URL Threat Analysis saved query, the SMS uses the updated version to send the next set of event URLs to the DD Analyzer.

  For more information about creating an inspection query, see Search for Inspection events.