Sandboxing, Predictive Analysis, File reputation threat alerts etc are configured on CAS to notify events promptly over email or syslog, however the client ip address or server ip addresses are missing in the alert. A sample alert for Predictive Analysis is given below:
File determined to be unsafe through Predictive Analysis
File has been dropped.
2018-07-10 02:54:40 (UTC)
Hardware serial number: XXXXXXXXXX
CAS (Version 188.8.131.52(217803)) - http://www.symantec.com Predictive Analysis Vendor: Cylance
Machine name: CASUnknown
Machine IP address: 10.1.1.1
Threat Score: 9
This is due to ProxySG not configured to send Client IP Address and Server (OCS) Address to ICAP server along with the scan request The below configuration needs to be modified on ProxySG to address this issue.