DNS activity

The DNS Activity report provides data on all DNS activity that's directed to ​SIA​ or ​SIA​ Proxy. While the Summary of DNS Activity report shows the top DNS requests based on dimensions like domain, location, and more, the DNS Activity report shows more detailed data on traffic, such as the applied policy action or the internal client IP address associated with traffic.

📘

You need to be an ​SIA​ administrator or a user with a specific permission to perform the procedures in this section and view the DNS Activity report. For more information, see Roles.

Report viewers or administrators can:

  • Investigate suspicious activity

  • Review requests made to a specific domain

  • Check activity from a specific client internal IP address or machine name

  • Troubleshoot a failed request based on connection ID or client request ID

The organization of activity data is similar to event data. When navigating this tab:

  • Any applied date or data filter defines the data that is shown. You can filter data based on the selected date or date range, the time of day you enter, the area you select in the Time graph, and the actual filters applied to data on the page. You can create a filter where you include or exclude data from the view.

  • Data that appears on the DNS Activity report is defined by the selected dimension.

    • The Top 6 area lists the top 6 data values for the selected dimension. For example, if you select the Location dimension, the Top 6 Locations are listed.

    • Activity data is grouped by the selected dimension. For example, if you select the Location dimension, this data is organized by specific locations. You can expand a specific location to view the associated activity.

  • You can perform the following actions on this page:

    • View activity details. If you select the information icon beside the activity data, more details appear in a separate window.

    • Add data to the filter. You can decide to exclude or include data in the filter.

    • View the IOC details for a requested domain. When viewing events based on domain, you can click the information icon and the IOC Details appear in a separate window.

Filter DNS activity data

To filter DNS activity data:

  1. In the Threat Protection menu of Enterprise Center, select Reports > DNS Activity.

  2. To filter data based on date and time, see Filter data based on date and time.

  3. To configure and apply a filter, see Configure and apply a filter.

  4. To further narrow the date and time that you want to report on, move the slider handles of the provided graph to select the desired area or the date and time you want to focus on. For example, you may want to focus on the time when the most activity occurred.

  5. Select a dimension or criteria to define what data is shown.

  6. To hide data shown in the top 6 area, click one of the top 6 items. This data is hidden from the Top 6 graph. Likewise, you can click it again to show this data in the graph.

  7. To search for DNS traffic that's grouped by the selected dimension, see Search for DNS traffic.

Search for DNS traffic

In the DNS Activity report, you can search for DNS traffic that's directed to ​SIA​. Data appears based on applied filters and the dimension or criteria you select. Search functionality is available to locate specific data in the list of activity.

To search for DNS traffic:

  1. In the Threat Protection menu of Enterprise Center, select Reports > DNS Activity.

  2. To filter data based on date and time, see Filter data based on date and time.

  3. To configure and apply a filter, see Configure and apply a filter.

  4. Select a dimension or criteria to define what data is shown.

  5. In the search field provided for grouped values, enter the dimension or criteria value. For example, if you select to show data based on domain, this means that events are grouped by domain. In this case, you would enter a domain.

  6. To search all connections associated with the dimension you selected, click the arrow icon for all filtered connections. For example, if you selected Source IP as a dimension, the All Source IPs group is available and includes all source IP addresses for all connections. All connection information appears in a table format. Go to step 8.

  7. To search for a specific event that is part of a dimension group, click the arrow icon associated with the dimension value. For example, if events are grouped by source IP address, this action shows connections that are associated with a specific IP address. A list of connections appear in a table format.

  8. In the provided search field, enter a data value that is associated with the connection. For example, you can enter the location, connection start time, end time, and more. The value you search for should match a value in one of the table columns.

Add event or activity data to a filter

Before you begin

Configure and apply a filter.

You can add specific data from an event or activity report to a filter. This includes data for threat and access control events, Security Connector events, network traffic activity, DNS activity, and more.

To add event or activity data to a filter:

  1. Go to the report where you want to apply a filter:

    • For threat or access control events, in the Threat Protection menu, select Reports > Threat Events or Reports > Access Control.

    • For an activity report, in the Threat Protection menu, select Reports and then select an activity report.

  2. Select a dimension or criteria to define what data is shown.

  3. To add data from the Top 6 area to the filter, hover over a value, and click the menu icon that appears.

    1. If you want the data to be part of the In filter, select Add to Include Filter. A value cannot be added to the Include Filter if it's already in the Exclude Filter.

    2. If you want the data to be part of the Not In filter, select Add to Exclude Filter. A value cannot be added to the Exclude Filter if it's already in the Include Filter.

  4. To add specific data to the filter:

    1. Click the grouped dimension value or expand a grouped dimension value to view the events or traffic associated with the dimension. Click the data value that you want to add to the filter.

      For example, if you want to add a domain, click the domain. If you want to add a list associated with an event, click the list value.

    2. Select one of these options:

      • Add to Include Filter if you want the data to be part of the In filter. A value cannot be added to the Include Filter if it's already in the Exclude Filter.

      • Add to Exclude Filter if you want the data to be part of the Not In filter. A value cannot be added to the Exclude Filter if it's already in the Include Filter.

  5. To add data from the details window to the filter:

    1. Click the grouped dimension value or expand a grouped dimension value to view the events or traffic associated with the dimension.

    2. To view event or connection details, click the information icon. Click the Event Details or Connection Details tab.

    3. Click the data on the details widow and select one of the following:

      • If you want the data to be part of the In filter, select Add to Include Filter. A value cannot be added to the Include Filter if it's already in the Exclude Filter.

      • If you want the data to be part of the Not In filter, select Add to Exclude Filter. A value cannot be added to the Exclude Filter if it's already in the Include Filter.

  6. Click Apply to apply the filter.

View DNS activity details

In the DNS Activity report, you can view detailed information about DNS traffic that was directed to ​SIA​.

To view DNS activity details:

  1. In the in the Threat Protection menu of Enterprise Center, select Reports > DNS Activity.

  2. Filter events as needed. For more information, see Filter data based on date and time and Filter DNS activity data.

  3. If you haven't done so already, select a dimension.

  4. In the list of grouped events, click the arrow icon that is associated with a dimension value. For example, if you selected Domain, click the arrow icon to see the associated traffic. Logged activity appears in a table format.

  5. Click the information button. Activity details appear in a separate window. You can use the arrow keys on your keyboard to navigate to other activity in the table and show details.

Add or remove data columns to connection or activity data tables

On the DNS Activity, Proxy Activity, and the Network Traffic tabs of the Activity page, you can add or remove data that appears in the connections or activity data tables. The modifications you make to an individual table apply to all connection and activity tables you view.

To add or remove data columns to connection or activity data tables:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Activity.

  2. Select one of these:

    • For data on DNS traffic directed to ​SIA​, select DNS Activity.
    • For data on traffic directed to ​SIA​ Proxy, select Proxy Activity.
    • For data on traffic directed to ​SIA​, select Network Traffic.
  3. Filter events as needed. For more information see Filter data based on date and time.

    Depending on the data you're filtering, do one of these:

  4. If you haven't done so already, select a dimension or criteria.

  5. To add a data column to the connections or activity data table:

    1. In the grouped connections area on the page, click the table icon. A list of additional attributes appear.

    2. Select the data type that you want to add to the table. A column for this data appears.

  6. To remove a data column from the connections or activity data table:

    1. In the grouped connections or activity area on the page, click the table icon. A list of data types appear.

    2. Deselect any data type that you want to remove from the table. After a data type is deselected, the column is removed from the table.

Download a CSV file with connection or activity information

From the DNS Activity, Proxy Activity and Network Traffic reports, you can download a CSV that contains a complete list of connections or activity. Each table shows the latest 500 connections. However, you can download a CSV file to see up to 5,000 of the most recent connections or activity based on the dimension and filters you selected.

To download a CSV file with connection or activity information:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Activity.

  2. Click one of these:

    • For data on DNS traffic directed to ​SIA​, select DNS Activity.

    • For data on traffic directed to ​SIA​ Proxy, select Proxy Activity.

    • For data on traffic directed to ​SIA​, select Network Traffic.

  3. Filter data as needed. For more information see Filter data based on date and time. Depending on the data you are filtering, do one of these steps:

  4. If you haven't done so already, select a dimension or criteria.

  5. In the grouped connections or activity area, click the arrow icon to show the connections or activity associated with the selected dimension.

  6. Click Download CSV (All Events) to download the connections or activity that are associated with the dimension you selected.

DNS activity dimensions

You can organize data based on these dimensions available on the DNS Activity report:

DimensionDescription
Location​SIA​ location where the traffic originated from.
DomainDomain or IP address requested by the user.
Source IPIP address of traffic. This is likely the IP address that's assigned to a location as a result of NAT.
ActionPolicy action that was applied to traffic.
PolicyPolicy that was applied to the activity.
Autonomous System NameA unique identifier for a network.
Query TypeDNS resource record type associated with the request.
Resolved IPIP address that's resolved from a domain name.
Transport TypeIndicates how DNS traffic was transported to ​SIA​. This field may show one of these values:


  • dou. Indicates that DNS traffic was transported over UDP.

  • dot. Indicates that DNS traffic was transported with DNS over TLS.

  • doh. Indicates that DNS traffic was transported with DNS over HTTPS.
On Ramp TypeIf traffic is directed to ​SIA​ Proxy, this dimension indicates the type of proxy that applies.

This field may show these values:
  • If traffic is directed to the selective proxy, DNS appears.

  • If traffic is directed to the full web proxy, web appears.
  • If traffic is directed to the proxy as a result of the ​ETP Client​, etp_client appears.
Internal Client IPInternal IP address of the user's device.
Internal Client NameInternal client name of the device that's detected by DNS Forwarder or HTTP Forwarder.
Client Request IDUUID of ​ETP Client​ that's installed on the machine.
Device NameIf activity is detected off the corporate network or ​ETP Client​ directs traffic to ​SIA​ Proxy, this dimension identifies the ​ETP Client​ host or device name.
Device OwnerOwner of the device. This is the username or email address of the user who activates ​ETP Client​ on their device. This username or email address is associated with the device in ​SIA​ reports.
DoH AttributionID of the device where DNS over HTTPS (DoH) is enabled. An administrator can provide this ID for a user device when setting up DoH. For more information, see Encrypt DNS queries with DoT or DoH.
ApplicationFor AVC, shows the application name related to the DNS activity. For more information, see Application visibility and control.
RiskFor AVC, shows the risk associated with the DNS activity. For more information, see Application visibility and control.
Security ConnectorName of Security Connector that's directing DNS traffic to ​SIA​.
Sub-LocationIndicates the sub-location where the event originated from.

DNS activity details

The DNS Activity report allows you to review DNS activity that's directed to ​SIA​ and ​SIA​ Proxy.

DNS activity appears in a table. After you select a filter and dimension, you can select the type of data that you want to show in the table. In addition to data listed in the DNS activity dimensions topic, you can show this data in the activity table:

DetailDescription
Query TimeDate and time the query was detected.
Observed AUP categoriesThe AUP category or AVC category that’s associated with the activity.
On RampIndicates whether traffic was forwarded to ​SIA​ Proxy. This field shows Yes or No.
Hit CountNumber of requests to the associated domain.
AkaRankIndicates the specific list where the domain or website is ranked. These lists include the top 10, 100, 1K, 10K, 100K, or one million websites that ​Akamai​ determines are most popular on the Internet.
ASNAutonomous System Number. A unique number that identifies a network.
ListCustom lists or threat categories associated with the activity.
Client AgentsString for HTTP-based traffic that includes details about the end user's browser and system, such as the browser, browser version, operating system, command line tools, version of ​ETP Client​, and more.
Resolved IP TypeDNS resource record type associated with the resolved IP address.
Security CategoryIndicates how DNS activity is tracked by ​SIA​. This field may show a specific threat category or one of these values:
  • No Proxy. Indicates that traffic bypasses the proxy. For example, it may be part of the Bypass List.
  • Unknown. Indicates that traffic is unclassified.
  • Other. Indicates that traffic matches a custom list configuration.

If the traffic is considered a threat, one of these values may appear:
  • Malware
  • Phishing
  • C&C
  • Risk Domains
  • DNS Exfiltration

For more information about threat categories, see Threat categories.
CIDRCIDR block that’s associated with the requested domain or IP address.