Access control event details

The Access Control report allows you to review specific access control events and event details.

Access control events appear in a table. After you select a filter and dimension, you can select the type of data that you want to show in the table. In addition to data listed in the Event dimensions topic, you can show this data in the events table:

Event Table Column / Attribute

Description

Detected Time

The time when the event was detected in your local time.

Action

Action taken on the event based on a policy configuration.

Confidence

Indicates whether an event is a known or suspected threat.

Detection

Shows Inline or Lookback as a value. Inline indicates that the event was detected at the time of access, while Lookback indicates that the event was discovered in log data based on behavior.

Request Time

Date and time the user made the request.

Response Time

Date and time when a response to a request was provided.

This attribute is available only when ETP Proxy is enabled.

URI

Uniform Resource Identifier. A string of characters that identifies a resource. For example, a URL is a URI.

This attribute is available only when ETP Proxy is enabled.

Source Port

The TCP/UDP port of the user’s machine.

HTTP Request Method

The action that's performed during a request.

This attribute is available only when ETP Proxy is enabled.

Request Query String(s)

Part of the URL that defines parameters in a request, such as language or country code.

Request Header(s)

Header fields in an HTTP request.

Response Header(s)

Header fields in an HTTP response.

Source IP

IP address of traffic. This is likely the IP address that is assigned to a location as a result of NAT.

Destination IP

IP address of the destination (origin) website.

This attribute is available only when ETP Proxy is enabled.

Destination Port

Destination port of web traffic. This attribute is available only when ETP Proxy is enabled.

Reason

Indicates how an event was identified. Any of these reasons may appear:

  • **<> Intelligence**. Indicates the event was identified by <> or a threat category.
  • **Customer Domain Intelligence**. Indicates the event was found for a domain based on a list configuration.
  • **Customer URL Intelligence**. Indicates the event was found for a URL based on a list configuration.
  • **Sandbox-Dynamic Analysis**. Indicates the event was found with dynamic malware analysis.
  • **AV scan**. Indicates the event was found with inline payload analysis.
  • **Data Leakage Prevention**. Indicates the event was found as a result of a DLP configuration.

Additionally, if the event was detected as a result of AVC, these reasons may also be listed depending on the policy action assigned to these areas:

  • **Application Risk Level**. Indicates the event was detected based on the risk levels associated with the policy.
  • **Category**. Indicates the event was detected based on the category or categories associated with the policy.
  • **Application category operation**. Indicates the event was detected based on the category operations associated with the policy.
  • **Application**. Indicates the event was detected based on applications associated with the policy.
  • **Application Operation**. Indicates the event was detected based on application operations associated with the policy.

Machine Name

If ETP Client is deployed in an organization, this criterion identifies the client host or machine.

Autonomous System

A unique identifier for a network.

Query Type

IP address that is resolved from a domain name.

Resolved IP

IP address that is resolved from a domain name.

Client Agents

String for HTTP-based traffic that includes details about the end user's browser and system, such as the browser, browser version, operating system, command line tools, version of ETP Client, and more.

Observed AUP Category

The AUP category or AVC category that was violated.

File Name

The name of the file that was scanned by DLP.

Dictionaries

The specific dictionary that’s used to scan uploaded content for DLP.

Patterns

The pattern in a dictionary that’s used to scan uploaded content for DLP.

File Size

The size of the file that was scanned by DLP.

File Type

MIME file type that is downloaded or uploaded. An administrator may assign the block or monitor action to this file type in a policy.

DLP Scan Status

Shows the status of the DLP scan. For example, this status may indicate that the scan is complete and show the action that was taken on the document or text.

Upload

A true value indicates that the recorded activity occurred when the user attempted to upload data.
