
ATP UI does not receive all Anti-Malware service events from Email Security.cloud for a given date


Article ID: 163671


Products

Endpoint Detection and Response

Issue/Introduction

The Dashboard of Advanced Threat Protection (ATP) Platform does not show as many Malicious events for Email as the Email Track and Trace tool within Email Security.cloud shows messages for Anti-Malware service for the same date.

Environment

Within ATP Platform UI, Synapse is activated.

Within ATP Platform UI, Email Security.cloud correlation is enabled.


 

Resolution

To confirm whether ATP UI receives all Anti-Malware service events for a given date

  • Enumerate the Malicious email events from the graph on the Dashboard of ATP UI
  • Enumerate events for Anti-Malware service within Email Track and Trace
  • Compare the two counts
  • If these numbers do not appear to match, upload log evidence at the ATP CLI by typing "gather_logs", then contact support for further assistance.

 

To enumerate events for Anti-Malware service with Email Track and Trace in the Email Security.cloud portal

  1. Click Tools > Email Track and Trace
  2. In the Recipient: line, type *@domain.tld
    ...where domain is your actual recipient domain and tld is your actual Top Level Domain.
         
  3. Click Select Specific Dates and Times
  4. On the from: line, click the Calendar button, then select the date that matches the date you examined on the Dashboard.
  5. On the from: line, select 12:00 AM
  6. On the to: date, click the Calendar button, then select the same date as entered on the from: line
  7. On the to: line, select 11:59 PM
  8. Click "Select more search options".
  9. From the options that appear, click Service
  10. When the Service dropdown box appears, click "Any", then click "Anti-Malware"
  11. At the bottom, click the Search button.