Monitor Advanced Threat Defense
Several methods are available for monitoring the scanning activities that are performed by Advanced Threat Defense when it is used to support Web Gateway.
The monitoring can be done on Web Gateway and on Skyhigh Security Content Security Reporter.
Monitor Advanced Threat Defense on Web Gateway
On Web Gateway, you can implement rule sets with rules for logging information about the scanning jobs that Advanced Threat Defense performs and for handling errors that occur during these jobs.
You can also review Advanced Threat Defense activities on the dashboard of the user interface.
- Log Handler — The ATD Scanning Log rule set can be imported from the Logging group of rule sets in the rule set library.
The rule set contains a logging rule that records information about each scanning job Advanced Threat Defense performs on a web object that was passed on to it by Web Gateway.
This information includes:
- Severity grade that is the result of scanning
- Server that Advanced Threat Defense runs on
- Task ID for a scanning job
- Hash value for a scanning job
To create the log entries that provide this information, the rule uses suitable properties.
- Error Handler — The Block on ATD Errors rule set can be imported from the Error Handling group of rule sets in the rule set library.
It contains blocking rules for handling errors that occur when Advanced Threat Defense performs a scanning job.
The rules use the appropriate error IDs in their criteria. The error IDs range from 14010 to 14012.
A rule in the Block on Anti-Malware Engine Errors rule set covers the range from 14002 to 14050. The Block on ATD Errors rule set should, therefore, be placed before this anti-malware rule set.
Otherwise, the blocking rules in the Block on ATD Errors rule set would never be processed and only block messages with text that is related to anti-malware errors in general would be sent to users.
- Anti-Malware properties — Several properties are available for monitoring the activities of Advanced Threat Defense. Their names begin with Antimalware.MATD, for example, Antimalware.MATD.Server or Antimalware.MATD.Report.
These properties are used in the logging rules of the ATD Scanning Log rule set.
When a scanning job has been performed by Advanced Threat Defense, the value of the Antimalware.MATD.Report property is a report on this job. The report is provided as a string that represents the data structure of a JavaScript Object Notation (JSON) object.
Using JSON properties together with the Antimalware.MATD.Report property, you can extract report information.
- Dashboard — The dashboard charts and tables show how the following data evolved during a particular time interval.
- Under Executive Summary: Number of requests for web objects that were blocked due to the scanning results found by Advanced Threat Defense.
- Under Malware Statistics: Number of requests for web objects that were passed on to Advanced Threat Defense for scanning, number of requests that were blocked due to the scanning results, and the time consumed for the scanning.
Monitor Advanced Threat Defense on Content Security Reporter
With Skyhigh Security Content Security Reporter, you can collect data about the scanning activities that Advanced Threat Defense performs when it is used to support Web Gateway.
- To collect the data, configure both Web Gatewayand Advanced Threat Defense as log sources.
- To view the data, register the server that Advanced Threat Defense runs on. You can then view the data on the dashboard monitor.
For more information, see the Skyhigh Security Content Security Reporter Product Guide.