Event dimensions
These tables define the event dimensions for events in ETP.
For threat events in the Threat Events report, you can choose to show data based on these criteria:
Dimensions for Threat Events
Dimension | Definition |
---|---|
Category | The overall category of the event. For a threat event, categories can be Malware, Phishing, C&C, DNS Exfiltration, Deny List, or Other (if assigned to a custom list). |
Reason | Informs how an event was identified. Any of these reasons may appear: |
Severity | Indicates the severity level. For more information, see Severity levels. This criterion or dimension appears for threat events only. |
Location | A location is a public IP address or a named collection of public IP addresses that belong to a region or geographic area in your network, such as a CIDR block for an office branch or company headquarters. The location indicates where the event originated from. |
Policy | Security policy or set of rules that are associated with a location. |
Domain | Name or resolvable identifier for an IP address. This is the domain that is requested by the user. In a threat event, the domain is known or suspected to be malicious. |
Resolved IP | IP address that is resolved from a domain name. |
Detected Time | The time when the event was detected in your local time. |
List | List that identified the threat as an event. This list can be a custom list or a threat category. |
Action | Action taken on known or suspected threats based on a policy configuration. |
Confidence | Indicates whether an event is a known or suspected threat. |
Source IP | IP address of traffic. This is likely the IP address that is assigned to a location as a result of NAT. |
Sub-Location | Indicates the sub-location where the event originated from. |
Client Request ID | Universally unique identifier (UUID) of ETP Client that’s installed on the machine. |
Autonomous System | A unique identifier for a network. |
Detection Method | Indicates how the event was detected. This field may show any of these values: |
Device Name | Name of the device where ETP Client is hosted or installed. |
Transport Type | Indicates how DNS traffic was transported to ETP. This field may show one of these values: |
Onramp Type | Indicates how a request was directed to ETP Proxy. One of these values may appear: |
Internal Client IP | Internal IP address of the user’s machine. |
Internal Client Name | Internal client name of the machine that’s detected by DNS Forwarder. |
User Name | If authentication is enabled in a policy, this dimension shows the username of the user who made the request. |
Device Owner | Owner of the device where ETP Client is installed. This is the username or email address of the user who activates ETP Client on their device. This username or email address is associated with the device in ETP reports. |
Dictionaries | The specific dictionary that’s used to scan uploaded content for DLP. |
Patterns | The pattern in a dictionary that’s used to scan uploaded content for DLP. |
File Hash | The hash of the uploaded file that’s scanned by DLP and detected to include sensitive information. |
File Type | MIME file type that is downloaded or uploaded. An administrator may assign the block or monitor action to this file type in a policy. |
Threat Name | Name of the threat. If a specific name for a threat does not appear, ETP shows a name that classifies the threat. These classifications include: |
HTTP Request Method | The action that’s performed during the request. This attribute is available only when ETP Proxy is enabled. |
URI | Uniform Resource Identifier. Characters or string that identify a resource. For example, a URL is a URI. This attribute is available only when ETP Proxy is enabled. |
Web Destination Port | Destination port of web traffic. This attribute is available only when ETP Proxy is enabled. |
Layer 7 Protocol | Application layer protocols such as HTTP and HTTPS. This attribute is available only when ETP Proxy is enabled. |
For events in the access control events report, you can choose to show data based on these dimensions:
Dimensions for Access Control Events
Dimension | Definition |
---|---|
Category | Categories of AUP violations. Violations are reported at the subcategory level. If a category does not have a subcategory, then the category name is provided. |
Domain | Name or resolvable identifier for an IP address. In an AUP event, the domain is blocked based on the setting assigned to the domain's AUP category in the policy configuration. The user receives an error or warning message when attempting to request this domain. |
Policy | Security policy or set of rules that are associated with a location. |
Location | Indicates where a threat originated. |
Layer 7 Protocol | Indicates whether the HTTP or HTTPS application layer protocols were used. This attribute is available only when ETP Proxy is enabled. |
Sub-Location | Indicates the sub-location where the event originated from. |
Internal Client Name | Internal client name of the machine that’s detected by DNS Forwarder. |
Application | Web application that violated the ETP policy for access control. For more information, see Application visibility and control. |
Operation | Application operation that violates ETP policy for access control. For more information, see Application visibility and control. |
Risk | Risk level associated with a web application that violated ETP policy for access control. For more information, see Application visibility and control. |
Reason | Indicates how the event was detected. If the event was detected by AVC, the following reasons may appear depending on the configuration of the policy: |
Device Owner | Owner of the device where ETP Client is installed. This is the username or email address of the user who activates ETP Client on their device. This username or email address is associated with the device in ETP reports. |
Dictionaries | Indicates if the event was found as a result of a dictionary configuration. The specific dictionary that found the event is provided. |
Patterns | Shows the patterns in a dictionary that detected the event. |
File Hash | The hash of the file that was scanned by DLP and detected to include sensitive information. |
File Type | MIME file type that is downloaded or uploaded. An administrator may assign the block or monitor action to this file type in a policy. |
Matched Groups | Indicates that the user who made the request appears in multiple groups. |
Groups | If authentication is required, this dimension shows the user group that’s assigned to the user who made the request and violated the AUP. |
User Name | If authentication is enabled in a policy and configured for an acceptable use policy, this is the username of the user who made the request. |
User ID | If authentication is required, this dimension shows the User ID associated with the user who made the request and violated the AUP. |
Internal Client IP | Internal IP address of the user’s machine. |
Onramp Type | Indicates how a request was directed to ETP Proxy. One of these values may appear: |
Device Name | Name of the device where ETP Client is hosted or installed. |
Client Request ID | UUID of ETP Client that’s installed on the machine. |
For information on Security Connector events, see Dimensions for Security Connector events.