Targeted Threat Protection - URL Protect - Logs

This article contains information on using Mimecast's Targeted Threat Protection URL Protect Dashboard to monitor, filter, and manage URL logs, block or allow URLs, export data, and analyze advanced phishing and security scan results.

Targeted Threat Protection builds on Mimecast's security services to protect organizations against the growing threat of advanced phishing and spear-phishing attacks in inbound emails. This extends to all end-user devices and applications where the link is accessed, and full logging provides administrative visibility, real-time alerts, and auditing of user clicks.

The URL Protection Dashboard allows you to view the log file details for each link clicked on by end-users protected by URL Protect. Additionally, you can:

  • Block or allow the URL.
  • Filter the logs displayed.
  • Export the log data.

URL Protect Logs have a maximum retention of 30 days. This retention period cannot be changed.

Viewing Logs

To view URL Protection Logs:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to the Email Security | URL Protect menu item.
  3. Click the Logs button. The list of log files is displayed.
  4. Click on a Log to display the full URL and a consolidated view of its associated details, including the:
    • Definition applied.
    • Result of the security scan.

Searching / Filtering the Log Files

To search for log files:

  1. Enter one of the following into the Search box:
      • From address.
      • To address.
      • URL.
  2. Select the Date Range over which you want to search.
  3. Press the Enter key.

To filter the log files:

  1. Click on the View button.
  2. Select an Action from the list.

The Logs Queue

Above the search bar, the following features are available:

  • Export Data: Allows administrators to export various log information in CSV or XLSX format.
  • View: Displays a drop-down menu of options for filtering the log data displayed.
  • URL Decoder: Allows administrators to see the real URL without clicking on it. View the Check & Decode URL's page for further information on decoding the Targeted Threat Protection URLs.
  • Check URL: Allows administrators to check whether a URL is safe using various scanning options. For further information, view the Check & Decode URL's page.

The various columns displayed are:

  • From / To: The From/To email address associated with the email/link.
  • Subject: The subject of the email/link.
  • Definition: Displays the Targeted Threat Protection definition applied.
  • URL: The URL of the link the user clicked on.
  • Scan Result: Displays the results from the scan engine, malicious or clean.
  • Action: Displays the action taken, allowing administrators to decode the Targeted Threat Protection URLs.
  • Admin Override: Displays whether the administrator overrode the policy.
  • User Awareness: Displays whether user awareness is enabled in the definition and applied to the URL.
  • Date Time: Displays the date and time of the incident.
  • Route: Displays the route of the URL, inbound or outbound.

Viewing Log Details

To access detailed information about an individual log (see The Logs Queue section above), click on an entry from the list to view it in a pop-out panel.

Scan Details

Where applicable, this section shows detailed scan information, including:

  • Advanced Similarity Checks: Similarity checks are performed against the customer's internal, monitored, and Mimecast-monitored domains. The scanned domain and the similar internal/monitored/Mimecast domain are shown in the scan details.
  • Anti-Virus Scanning: Remote content is scanned using anti-virus (AV) signatures. If the content is malicious, the relevant AV signature name, file extension, and category trigger are displayed.
  • Sandbox Results: Downloaded files can be sent for AV scanning, static code analysis, and sandboxing. The results of the analysis are displayed here.
  • Managed URLs: If a URL is blocked because of an entry on the customer-managed block list, the triggering URL (including redirected or extracted URLs) and the corresponding entry are displayed here.
  • Dangerous File Extension: Shown when a dangerous file extension is detected; displays the MIME type and extension of the downloaded file.
  • HTML Content Checks: Displayed if malicious executables are detected within a web page.
  • URL Reputation Scan: Indicates the blocked URL and the detection category if a URL is blocked due to a reputation scan.
  • Advanced Phishing: If Credential Theft Protection detects a credential harvesting page, credential theft evidence is provided, including the name of any spoofed brands detected.
    • Credential Theft Evidence: This establishes the reason for the block and the context in which it occurred. There are six possible evidence results, and only one will be displayed:
      • The URL impersonates the (brand's name) login page and uses a fraudulent certificate.
      • The URL impersonates the (brand's name) login page and uses an invalid certificate.
      • The URL impersonates the (brand's name) login page and uses an unencrypted connection.
      • The URL impersonates (brand's name), requests payment details, and uses a fraudulent certificate.
      • The URL impersonates (brand's name), requests payment details, and uses an invalid certificate.
      • The URL impersonates (brand's name), requests payment details, and uses an unencrypted connection.
  • Machine Learning Detection: Indicates that the URL was detected and blocked by machine learning.

The additional scan details are only displayed if a URL has been scanned and blocked.

Blocking / Allowing a URL

Click on any individual log entry to display the full URL and a consolidated view of its associated log detail. You can auto-create URL entries in the allow and block override list with the detail displayed.

To allow/block a URL:

  1. Select either the Add to Allow or Add to Block button. A confirmation message is displayed confirming the action.
  2. Select OK to return to the log record.
  3. Select Go Back to return to the list of log records.

Reporting a URL for Recategorization

Customers can report false positive/false negative URLs via the Mimecast Administration Console by selecting the relevant log entry line and clicking the Report button. 

Exporting Data

Administrators can export the various columns of the Targeted Threat Protection Logs. To export log data:

  1. Click on the Export Data button.
  2. Select the Columns you wish to include in the export.
  3. From the File Format drop-down menu, select either:
      • .CSV
      • .XLSX
  4. From the Export Option drop-down menu, select either:
      • Download
      • Send Mail
  5. Click on the Export button.

There is a 10,000 limit when exporting URL logs.
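The exported log is most useful once it is post-processed outside the console, for example to find users who clicked the same malicious link or clicks that were allowed only because of an admin override. The following Python script is an added example and not part of the Mimecast article or product: it reads a CSV export using the column names listed in The Logs Queue section, summarises scan results, lists overridden malicious clicks, and warns when the row count reaches the 10,000 export limit, since such an export may be truncated. The header names, the value spellings ("Malicious", "Allowed", "Yes") and the sample rows are all constructed assumptions; check them against a real export before relying on the script.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Header names follow the Logs Queue columns on the
# page, but the exact labels and value spellings in a real export are an
# assumption and should be verified.
SAMPLE_EXPORT = """\
From,To,Subject,Definition,URL,Scan Result,Action,Admin Override,User Awareness,Date Time,Route
sender@example.net,alice@example.com,Invoice attached,Default Inbound,https://example-invoice.test/login,Malicious,Blocked,No,Yes,2024-05-01 09:12:44,Inbound
news@example.org,bob@example.com,Weekly digest,Default Inbound,https://news.example.org/digest,Clean,Allowed,No,No,2024-05-01 09:15:02,Inbound
sender@example.net,carol@example.com,Re: invoice,Default Inbound,https://example-invoice.test/login,Malicious,Allowed,Yes,Yes,2024-05-01 10:01:13,Inbound
alice@example.com,partner@example.net,Report,Default Outbound,http://files.example.test/report.exe,Malicious,Blocked,No,No,2024-05-01 11:30:00,Outbound
"""

# Limit stated in the article; an export with this many rows may be truncated.
EXPORT_ROW_LIMIT = 10000


def load_export(text):
    """Parse the CSV export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def may_be_truncated(rows):
    """True when the export hit the row limit, so older clicks may be missing."""
    return len(rows) >= EXPORT_ROW_LIMIT


def summarize(rows):
    """Return (counts per Scan Result, malicious clicks per recipient)."""
    by_result = Counter(r["Scan Result"] for r in rows)
    malicious_by_recipient = Counter(
        r["To"] for r in rows if r["Scan Result"] == "Malicious"
    )
    return by_result, malicious_by_recipient


def overridden_malicious(rows):
    """Clicks the scan engine marked malicious but that were allowed via admin override.

    These are the entries a reviewer should re-examine first, because the
    override, not the scan result, decided the outcome.
    """
    return [
        r for r in rows
        if r["Scan Result"] == "Malicious"
        and r["Action"] == "Allowed"
        and r["Admin Override"] == "Yes"
    ]


def repeat_malicious_urls(rows, min_clicks=2):
    """Malicious URLs clicked at least min_clicks times (same lure hitting several users)."""
    counts = Counter(r["URL"] for r in rows if r["Scan Result"] == "Malicious")
    return {url: n for url, n in counts.items() if n >= min_clicks}


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    if may_be_truncated(rows):
        print(f"warning: {len(rows)} rows, export may be truncated at {EXPORT_ROW_LIMIT}")
    by_result, by_recipient = summarize(rows)
    print("scan results:", dict(by_result))
    print("malicious clicks per recipient:", dict(by_recipient))
    for r in overridden_malicious(rows):
        print("overridden malicious click:", r["To"], r["URL"], r["Date Time"])
    print("repeated malicious URLs:", repeat_malicious_urls(rows))
```

Run it against a downloaded export by replacing SAMPLE_EXPORT with the file contents (open the file with newline="" as the csv module expects). If the export was sent by e-mail or exceeds the limit, split the date range in the console and export each part separately so that no clicks are lost.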
