Event dimensions
These tables define the event dimensions for events in SIA.
For threat events in the Threat Events report, you can choose to show data based on these criteria:
Dimensions for Threat Events
Dimension | Definition |
---|---|
Category | The overall category of the event. For a threat event, categories can be Malware, Phishing, C&C, DNS Exfiltration, Deny List, or Other (if assigned to a custom list). |
Reason | Informs how an event was identified. Any of these reasons may appear: |
Severity | Indicates the severity level. For more information, see Severity levels. This criterion or dimension appears for threat events only. |
Location | A location is a public IP address or a named collection of public IP addresses that belong to a region or geographic area in your network, such as a CIDR block for an office branch or company headquarters. The location indicates where the event originated from. |
Policy | Security policy or set of rules that is associated with a location. |
Domain | Domain or IP address requested by the user. |
Resolved IP | IP address that is resolved from a domain name. |
Detected Time | The time when the event was detected, in your local time. |
List | The list that identified the threat as an event. This can be a custom list or a threat category. |
Action | Action taken on known or suspected threats, based on the policy configuration. |
Confidence | Indicates whether an event is a known or a suspected threat. |
Device Risk Level | Device posture risk level of the user's device. To show a value for this dimension, your organization must be set up for device posture in Enterprise Application Access. You must also select device risk levels as part of your AVC configuration for accessing web applications or completing an application operation. For more information, see Use device posture for application access. |
DoH Attribution | ID of the device where DNS over HTTPS (DoH) is enabled. An administrator can provide this ID for a user device when setting up DoH. For more information, see Encrypt DNS queries with DoT or DoH. |
Source IP | IP address of the traffic. This is likely the IP address that is assigned to a location as a result of NAT. |
Sub-Location | Indicates the sub-location where the event originated from. |
Client Request ID | Universally unique identifier (UUID) of the ETP Client that's installed on the machine. |
Autonomous System | A unique identifier for a network. |
Detection Method | Indicates how the event was detected. This field may show any of these values: |
Device Name | Name of the device where ETP Client is hosted or installed. |
Transport Type | Indicates how DNS traffic was transported to SIA. This field may show one of these values: |
Onramp Type | Indicates how a request was directed to SIA Proxy. One of these values may appear: |
Internal Client IP | Internal IP address of the user's machine. |
Internal Client Name | Internal client name of the machine, as detected by DNS Forwarder. |
User Name | If authentication is enabled in a policy, this dimension shows the username of the user who made the request. |
Device Owner | Owner of the device where ETP Client is installed. This is the username or email address of the user who activates ETP Client on their device. This username or email address is associated with the device in SIA reports. |
Dictionaries | The specific dictionary that's used to scan uploaded content for DLP. |
Patterns | The pattern in a dictionary that's used to scan uploaded content for DLP. |
File Hash | The hash of the uploaded file that was scanned by DLP and found to contain sensitive information. |
File Type | MIME type of the file that is downloaded or uploaded. An administrator may assign the block or monitor action to this file type in a policy. |
Threat Name | Name of the threat. If a specific name for a threat does not appear, SIA shows a name that classifies the threat. These classifications include: This criterion or dimension appears for threat events only. |
HTTP Request Method | The action (HTTP method) that's performed during the request. This attribute is available only when SIA Proxy is enabled. |
URI | Uniform Resource Identifier: a string of characters that identifies a resource. For example, a URL is a URI. This attribute is available only when SIA Proxy is enabled. |
Web Destination Port | Destination port of the web traffic. This attribute is available only when SIA Proxy is enabled. |
Layer 7 Protocol | Application layer protocol, such as HTTP or HTTPS. This attribute is available only when SIA Proxy is enabled. |
For events in the Access Control Events report, you can choose to show data based on these dimensions:
Dimensions for Access Control Events
Dimension | Definition |
---|---|
Category | Categories of AUP violations. Violations are reported at the subcategory level. If a category does not have a subcategory, then the category name is provided. |
Domain | Domain or IP address requested by the user. |
Policy | Security policy or set of rules that is associated with a location. |
Location | Indicates where a threat originated from. |
Layer 7 Protocol | Indicates whether the HTTP or HTTPS application layer protocol was used. This attribute is available only when SIA Proxy is enabled. |
Sub-Location | Indicates the sub-location where the event originated from. |
Internal Client Name | Internal client name of the machine, as detected by DNS Forwarder. |
Application | Web application that violated the SIA policy for access control. For more information, see Application visibility and control. |
Operation | Application operation that violated the SIA policy for access control. For more information, see Application visibility and control. |
Risk | Risk level associated with a web application that violated the SIA policy for access control. For more information, see Application visibility and control. |
Reason | Indicates how the event was detected. If the event was detected by AVC, the following reasons may appear, depending on the configuration of the policy: If the event was detected by DLP, "Data Leakage Prevention" is shown in the report. |
Device Owner | Owner of the device where ETP Client is installed. This is the username or email address of the user who activates ETP Client on their device. This username or email address is associated with the device in SIA reports. |
Device Risk Level | Device posture risk level of the user's device. To show a value for this dimension, your organization must be set up for device posture in Enterprise Application Access. You must also select device risk levels as part of your AVC configuration for accessing web applications or completing an application operation. For more information, see Use device posture for application access. |
Dictionaries | Indicates whether the event was found as a result of a dictionary configuration. The specific dictionary that found the event is provided. |
Patterns | Shows the patterns in a dictionary that detected the event. |
File Hash | The hash of the file that was scanned by DLP and found to contain sensitive information. |
File Type | MIME type of the file that is downloaded or uploaded. An administrator may assign the block or monitor action to this file type in a policy. |
Matched Groups | Indicates that a user appears in multiple groups. |
Groups | If authentication is required, this dimension shows the user group that's assigned to the user who made the request and violated the AUP. |
User Name | If authentication is enabled in a policy and configured for an acceptable use policy, this is the username of the user who made the request. |
User ID | If authentication is required, this dimension shows the user ID associated with the user who made the request and violated the AUP. |
Internal Client IP | Internal IP address of the user's machine. |
Onramp Type | Indicates how a request was directed to SIA Proxy. One of these values may appear: |
Device Name | Name of the device where ETP Client is hosted or installed. |
Client Request ID | UUID of the ETP Client that's installed on the machine. |
For information on Security Connector events, see Dimensions for Security Connector events.