Log Options

Cloud App Security provides many options to save or view log data after performing a search.

The following illustration and table explain the options available underneath the Search bar.

Figure 1. Log Result Options
Table 1. Log Result Option Descriptions

Option

Description

Save the log data as a report to view at a later time.
Export the log data as a CSV file to view as a spreadsheet or to import into another product.

  • Select Current View to export all log records in the current view.

  • Select All Records to export all log records of the selected type. A maximum of 10,000 records can be exported each time.

Preview the log data in the browser before saving it as a report.

View the log data in a chart or tabular format.

The following illustration explains how to sort log data.

Figure 2. Log Data Sorting Options

Sort log data in ascending or descending order in either of the following ways:

  • Click the title area of a column as necessary.

  • Click the down arrow at the right of the title area of a column, and then click Sort Ascending or Sort Descending as necessary.

Note:

Sorting is not supported for certain columns, for example, Summary Report in the Virtual Analyzer log type, Security Risk Name in the Security Risk Scan log type, and Ransomware Name in the Ransomware log type.

To cancel the current sorting, click the title area of another column to re-sort the log data, or click the down arrow at the right of the title area and then click Remove Sort.

To hide a column, click the down arrow at the right of its title area, and then click Hide Column.

To unhide a hidden column, click the title area of another column.

The following illustration explains how to view a triggered policy or quarantined items related to an affected user.

Figure 3. Link to Policy and Quarantine Options

Under Affected User in the log detail area, click the account name of a log item. The Quarantine page opens and the quarantined items related to this affected user appear.

Under Triggered Policy in the log detail area, click the policy name of a log item. The policy setting page corresponding to this policy appears.

The following illustration explains how to view the BEC report if an email message is detected as a BEC attack.

Figure 4. BEC Report Option

  1. Select Security Risk Scan from the Type drop-down list, and select Exchange Online or Gmail in the Scan Source log facet.

  2. Under Security Risk Name in the log detail area, hover over the item that contains the BEC spam category. The BEC Report appears, showing the possible reasons that cause the email message to be a BEC attack.

Note:
An email message can be classified by Cloud App Security as more than one spam category. In this case,

  • Spam categories are listed by priority of action set for each category.

  • Spam categories at the same priority of action are listed by their impact on users according to the result from Trend Micro Antispam Engine.

The following illustration explains how to view a comprehensive report for each Predictive Machine Learning detection.

Figure 5. Predictive Machine Learning Log Details Option

  1. Select Security Risk Scan from the Type drop-down list, and select Predictive Machine Learning in the Detected by log facet.

  2. Under Detected by in the log detail area, click the Predictive Machine Learning link.

    The Predictive Machine Learning Log Details screen appears, consisting of two sections:

    • Top banner: Specific details related to this particular detection

    • Bottom tab controls: Details related to the Predictive Machine Learning threat, including threat probability scores, probable threat types, and file information.

Table 2. Log Details - Top Banner

Section

Description

Detection name

Indicates the name of the Predictive Machine Learning detection

Detection time / Action

Indicates when this specific detection occurred and the action taken on the threat

File name

Indicates the name of the file that triggered the detection

Note:

Click Add to Exception List to quickly add the SHA-1 hash value of the affected file to the global Predictive Machine Learning Exception List.

View the entire exception list from Administration > Global Settings > Predictive Machine Learning Exception List.

Affected User

For Exchange Online and Gmail: Displays the mailbox of a protected user that received or sent an email message triggering the detection

For SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Displays the user account that uploaded or modified a file triggering the detection

For Salesforce: Displays the user account that updated an object record violating a policy

For Teams Chat: Displays the user that sent a private chat message violating a policy
Table 3. Log Details - Tab Information

Tab

Description

Threat Indicators

Provides the results of the Predictive Machine Learning analysis

  • Threat Probability: Indicates how closely the file matches the malware model

  • Probable Threat Type: Indicates the most likely type of threat contained in the file after Predictive Machine Learning compared the analysis to other known threats

  • Similar Known Threats: Provides a list of known threat types that exhibit similar file features to the detection

File Details

Provides general details about the file properties for this specific detection log

(Exchange Online only) The following illustration explains how to manage a quarantined email message from the Logs screen.

Figure 6. Quarantined Item Management Option

  1. Select Security Risk Scan from the Type drop-down list, select Exchange Online in the Scan Source log facet, select Quarantine in the Action log facet, and specify other log facets as necessary.

  2. Under Action in the log detail area, click Quarantine of an item.

  3. On the screen that appears, select the item and restore, download, or delete it as necessary.

    Note:

    If there is no item shown on the screen, the quarantined item may have already been restored or deleted. Click >> Back to Logs and select the Quarantine log type to view detailed information.

  4. Click >> Back to Logs.

    The Logs screen appears, displaying the previously configured search criterion and the search result.

(Exchange Online - Inline Mode only) The following describes how to view the email tracking logs for an email that has been redirected to other users than the originally intended recipients.

  1. Select Data Loss Prevention from the Type drop-down list, select Exchange Online (Inline Mode) in the Scan Source log facet, select Change Recipient in the Action log facet, and specify other log facets as necessary.

  2. Under Action in the log details area, click Change Recipient of an item.

    On the screen that appears, you can find the email tracking logs for this email, including information about both the user that the email is redirected to and the originally intended recipients.

The following describes how to view the Virtual Analyzer report for malicious files or URLs detected.

  1. Select Virtual Analyzer from the Type drop-down list, and select Malicious files or Malicious URLs from the Threat Type log facet.

  2. Under Summary Report, click Download Report.

The following describes how to view source information about ransomware.

  1. Select Ransomware from the Type drop-down list.

  2. Under Ransomware Name, hover over a ransomware threat and view the domain, IP, and location about the ransomware.

Parent topic: Logs and Reports