URLs page

The URLs page consists of a number of widgets. The tabs let you select between Unique and All URLs. The widgets provide an overview of the detected URLs.

At the top of the page is the portal settings widget.

Unique tab

The Unique tab displays the distinct URLs that were found in email messages and have been analyzed.

URLs over time

The Mail URLs over time widget provides an overview of the number of URLs that were received in email messages and were analyzed by the system. The graph is a daily column chart of received URLs, grouped by maliciousness.

There are three different types of threats:

  • Malicious mail messages contain attachments or URLs that have been determined to be critical. These mail messages are displayed in red.

  • Suspicious mail messages have been determined to be of medium risk. The threats they contain, while indicating a potential risk, do not need immediate attention. These mail messages are displayed in orange.

  • Benign mail messages are considered low or no risk. These mail messages are displayed in blue.

Filters

An easy-to-use filtering mechanism is provided that allows you to focus on the information that you are interested in. Click the plus icon to expand the Filters widget.

Note:

The use of filters is optional.

Click Filter by and select an item from the pull-down menu. Select from Analysis tags, Analyst UUID, Blocked, MD5, Message ID, or Minimum score.

You can combine multiple filters to narrow the focus. You can also deploy multiple instances of some filters.

Delete an individual filter by clicking the Remove (minus) button next to its entry. Delete all the selected filters by clicking the cancel/close icon. This also collapses the Filters widget.

Click Apply (reload icon) to apply the selected filters.

Analysis tags

Restrict displayed attachments/URLs by their analysis tags. These are labels assigned to a file or URL by the system analysis. They can identify a threat or threat class, or refer to specific malicious behavior that was detected.

Analyst UUID

Restrict displayed files to the system analysis UUID for the downloaded file. This is an internal unique identifier for the analysis of a file.

Blocked

Filter messages/attachments/URLs by their Blocked status, Yes or No.

MD5

Restrict displayed files to the MD5 hash of the downloaded file.

Message ID

Restrict displayed files to those matching the defined message ID.

Minimum score

Restrict displayed files to those assigned a score greater than your chosen value (from 1 to 100) by the system analysis.

Unique URLs

The Unique URLs list displays the URLs found in email messages and processed by the VMware backend.

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

The columns to be displayed in the list can be customized by clicking the additional content icon.

Customize the number of rows to be displayed. The default is 20 entries. Use the left arrow (back) and right arrow (forward) icons to navigate through multiple pages.

Each row is a summary of a URL. Click the plus icon (or anywhere on an entry row) to access a detailed view of the URL.

The list is sorted by score and includes the following fields:

URL

The URL found in the email messages.

Mail

Lists the number of messages with this URL. Click the search icon to view the details of the message and URL.

Senders

Lists the number of senders of messages with the URL.

Recipients

Lists the number of recipients of messages with the URL.

First seen

Timestamp from when a message with the URL was first seen.

Last seen

Timestamp from when a message with the URL was last seen.

AV Class

A label defining the antivirus class of the URL. If the label has a tag icon, you can click that for a pop-up description.

Malware

A label defining the malware type of the URL. If the label has a tag icon, you can click that for a pop-up description.

Score

The score assigned to the URL by the system analysis indicates the critical level of the detected threat and ranges from 0 to 100:

  • Threats that are 70 or above are considered to be critical.

  • Threats that are between 30 and 69 are considered to be medium-risk.

  • Threats that are between 1 and 30 are considered to be benign.

For details, see Maliciousness score.

All tab

The All tab displays all URLs that were found in email messages and have been analyzed.

URLs over time

The Mail URLs over time widget provides an overview of the number of URLs that were received in email messages and were analyzed by the system. The graph is a daily column chart of received URLs, grouped by maliciousness.

There are three different types of threats:

  • Malicious mail messages contain attachments or URLs that have been determined to be critical. These mail messages are displayed in red.

  • Suspicious mail messages have been determined to be of medium risk. The threats they contain, while indicating a potential risk, do not need immediate attention. These mail messages are displayed in orange.

  • Benign mail messages are considered low or no risk. These mail messages are displayed in blue.

Filters

An easy-to-use filtering mechanism is provided that allows you to focus on the information that you are interested in. Click the plus icon to expand the Filters widget.

Note:

The use of filters is optional.

Click Filter by and select an item from the pull-down menu. Select from Analysis tags, Analyst UUID, Blocked, MD5, Message ID, Minimum score, Recipient, Sender, or Subject.

You can combine multiple filters to narrow the focus. You can also deploy multiple instances of some filters.

Delete an individual filter by clicking the Remove (minus) button next to its entry. Delete all the selected filters by clicking the cancel/close icon. This also collapses the Filters widget.

Click Apply (reload icon) to apply the selected filters.

Analysis tags

Restrict displayed attachments/URLs by their analysis tags. These are labels assigned to a file or URL by the system analysis. They can identify a threat or threat class, or refer to specific malicious behavior that was detected.

Analyst UUID

Restrict displayed files to the system analysis UUID for the downloaded file. This is an internal unique identifier for the analysis of a file.

Blocked

Filter messages/attachments/URLs by their Blocked status, Yes or No.

MD5

Restrict displayed files to the MD5 hash of the downloaded file.

Message ID

Restrict displayed files to those matching the defined message ID.

Minimum score

Restrict displayed files to those assigned a score greater than your chosen value (from 1 to 100) by the system analysis.

Recipient

Restrict to messages with a specific recipient.

Sender

Restrict to messages sent by a specific address.

Subject

Filter messages/attachments/URLs by the subject line.

Mail URLs

The Mail URLs list displays the URLs found in email messages and processed by the VMware backend.

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

The columns to be displayed in the list can be customized by clicking the additional content icon.

Customize the number of rows to be displayed. The default is 20 entries. Use the left arrow (back) and right arrow (forward) icons to navigate through multiple pages.

Each row is a summary of a URL. Click the plus icon (or anywhere on an entry row) to access a detailed view of the URL.

The list is sorted by timestamp and includes the following fields:

Timestamp

Indicates when the message was received. The time is shown in the currently selected timezone.

The list is sorted by timestamp, by default in decreasing order (latest entry at the top). Click the angle up icon to sort the list in increasing order (oldest entry at the top). Click the angle down icon to return to the default.

Sensor

Name of the sensor that detected the message.

URL

The URL found in the email messages.

Sender

The email address of the sender of the message. This email address may be spoofed.

Click the sort icon to sort the list alphabetically by the sender.

Recipient

The email address of the recipient of the message.

Click the sort icon to sort the list alphabetically by the recipient.

Subject

The provided subject of the message.

Click the sort icon to sort the list alphabetically by the subject.

AV Class

A label defining the antivirus class of the URL. If the label has a tag icon, you can click that for a pop-up description.

Malware

A label defining the malware type of the URL. If the label has a tag icon, you can click that for a pop-up description.

Score

The score assigned to the URL by the system analysis indicates the critical level of the detected threat and ranges from 0 to 100:

  • Threats that are 70 or above are considered to be critical.

  • Threats that are between 30 and 69 are considered to be medium-risk.

  • Threats that are between 1 and 30 are considered to be benign.

For details, see Maliciousness score.