Use the URL Threat Analyzer results panel to identify potential URL threats to your network and adjust your profile filter action sets if necessary. After the SMS sends a set of inspection event URLs to the DD Analyzer device for analysis, the progress and results are displayed in this panel. For steps to set up URL Threat Analysis, see URL Threat Analysis.
The SMS can submit event URLs to the device at a faster rate than the DD Analyzer can analyze the URLs and return the results. For this reason, several entries might be in the Queued state in the results panel at the same time.
If there are more DD Analyzer devices connected in a cluster to perform analysis, the analysis rate improves.
Additionally, you can improve the analysis rate by modifying your saved inspection event query to include more search parameters. Selecting more parameters reduces the number of inspection event URLs sent to the DD Analyzer. This improves the analysis rate and creates a more fine-tuned set of results.
For more information about the DD Analyzer, see the DD Analyzer documentation on the Trend documentation site.

To update the table results

Click Refresh in the URL Threat Analyzer Configuration panel. The results panel limits the number of entries to 10,000 event URLs.

To resubmit a URL to the DD Analyzer

The SMS does not automatically resubmit event URLs to the DD Analyzer after the initial submission. However, if the DD Analyzer did not properly receive the event URL because of a NonComm status, for example, you can manually resubmit that URL.
To resubmit URLs to the DD Analyzer, right-click on one or more entries in the results table, and then select URL Forwarding > Resubmit URL.
Note
If you resubmit one or more entries when the results panel already contains 10,000 entries, go to the DD device management console to view the results.

To create a manual response

Right-click on one or more entries in the results table, and then select Create Response > Source IP Address.
You can manually respond to a targeted host by specifying the IP address of the host and the policy that you want to trigger for that host. Create policies in Responder to provide more configuration options and to fine-tune your response. Responder supports multiple action sets that can be added to a response policy.
Column: Description
Event Number: The order in which the event appeared in the SMS.
Event Time: The time on the IPS/TPS device that the traffic was first encountered.
Filter Name: The name of the filter that triggered the event.
URL: The event URL.
Risk Level:
  • NoRiskFound — The object did not exhibit suspicious characteristics.
  • Low — The object exhibited mildly suspicious characteristics that are most likely benign.
  • Medium — The object exhibited moderately suspicious characteristics.
  • High — The object exhibited highly suspicious characteristics that are commonly associated with malware.
  • Unknown — The DD Analyzer was unable to determine the risk level. When a URL is resubmitted, the risk level resets to Unknown until the SMS receives the updated results from the DD Analyzer. Details are available for the entry in the DD device management console.
Status:
Informational statuses:
  • Queued — The SMS sent the event to the DD Analyzer, but analysis has not begun.
  • InProgress — The event is currently being analyzed by the DD Analyzer.
  • Complete — The event analysis is complete.
  • Canceled — The event analysis was canceled from the DD Analyzer user interface.
  • NonComm — The SMS is not connected to the DD Analyzer. This condition may be caused by network connectivity issues.
Error statuses:
  • BadURL — The URL format is incorrect.
  • Error — The DD Analyzer encountered an error.
    Resubmit the URL by right-clicking the entry and selecting URL Forwarding > Resubmit URL.
    If resubmitting does not correct the condition, search for the corresponding URL in the Virtual Analyzer > Submissions panel in the DD device management console for more specific information about the type of error.
  • Timeout — The URL entry has been in an active state (Queued, InProgress, or NonComm) for over 24 hours. After 24 hours, you can view the entry in the DD device management console.
HTML Reports, PDF Reports:
Link to the HTML or PDF formatted report generated by the DD Analyzer that provides a comprehensive summary of the event URL. The link only appears in the SMS URL Threat Analyzer Results panel if the submission is in a Complete state.
Click the report link to download either report file. The content of the HTML and PDF reports is the same; only the format is different.
You can also download the report, in either format, in the DD device management console.
Source IP Address: Source IP address from the event. Expand this column for location details, including geography map, region, city, and named resource.
Device: Name of the IPS/TPS device that generated the event.
Segment/Rule: Segment for IPS/TPS-generated events.
Submit Time: The time that the event was submitted from the SMS to the DD Analyzer.