Event dimensions

These tables define the event dimensions for events in ‚ÄčSIA‚Äč.

For threat events in the Threat Events report, you can choose to show data based on this criteria:

Dimensions for Threat Events

DimensionDefinition
CategoryThe overall category of the event.

For a threat event, categories can be Malware, Phishing, C&C, DNS Exfiltration, Deny List, or Other (if assigned to a custom list).
ReasonInforms how an event was identified.

Any of these reasons may appear:

  • ‚ÄčAkamai‚Äč Intelligence. Indicates the event was identified by ‚ÄčAkamai‚Äč or a threat category.
  • Customer Domain Intelligence. Indicates the event was found for a domain based on a list configuration.
  • Customer URL Intelligence. Indicates the event was found for a URL based on a list configuration.
  • Sandbox-Dynamic Analysis. Indicates the event was found with dynamic malware analysis.
  • AV scan. Indicates the event was found with inline payload analysis.
  • Data Leakage Prevention. Indicates the event was found as a result of a DLP configuration.
Additionally, if the event was detected as a result of AVC, these reasons may also be listed depending on the policy action assigned to these areas:

  • Application Risk Level. Indicates the event was detected based on the risk levels associated with the policy.
  • Category. Indicates the event was detected based on the category or categories associated with the policy.
  • Application category operation. Indicates the event was detected based on the category operations associated with the policy.
  • Application. Indicates the event was detected based on applications associated with the policy.
  • Application Operation. Indicates the event was detected based on application operations associated with the policy.
SeverityIndicates the severity level. For more information, see Severity levels.

This criteria or dimension appears for threat events only.
LocationA location is a public IP address or a named collection of public IP addresses that belong to a region or geographic area in your network, such as a CIDR block for an office branch or company headquarters.

The location indicates where the event originated from.
PolicySecurity policy or set of rules that are associated with a location.
DomainDomain or IP address requested by the user.
Resolved IPIP address that is resolved from a domain name.
Detected TimeThe time when the event was detected in your local time.
ListList that identified the threat as an event. This list can be a custom list or a threat category.
ActionAction taken on known or suspected threats based on a policy configuration.
ConfidenceIndicates whether an event is a known or suspected threat.
Device Risk LevelDevice posture risk level of the user’s device. To show a value for this dimension, your organization must be set up for device posture in Enterprise Application Access. You must also select device risk levels as part of your AVC configuration for accessing web applications or completing an application operation. For more information, see Use device posture for application access.
DoH AttributionID of the device where DNS over HTTPS (DoH) is enabled. An administrator can provide this ID for a user device when setting up DoH. For more information, see Encrypt DNS queries with DoT or DoH.
Source IPIP address of traffic. This is likely the IP address that is assigned to a location as a result of NAT.
Sub-LocationIndicates the sub-location where the event originated from.
Client Request IDUniversally unique identifier (UUID) of ‚ÄčETP Client‚Äč that‚Äôs installed on the machine.
Autonomous SystemA unique identifier for a network.
Detection MethodIndicates how the event was detected.

This field may show any of these values:

  • Inline. Indicates the event was detected at the time of access.
  • Lookback. Indicates the event was discovered in log data based on behavior.
  • Offline Static. Indicates the event was discovered offline or after content was downloaded as a result of static malware analysis.
  • Offline Dynamic. Indicates the event was discovered in a sandbox environment as a result of dynamic malware analysis.
Device NameName of the device where ‚ÄčETP Client‚Äč is hosted or installed.
Transport TypeIndicates how DNS traffic was transported to ‚ÄčSIA‚Äč. This field may show one of these values:


  • dou. Indicates that DNS traffic was transported over UDP.

  • dot. Indicates that DNS traffic was transported with DNS over TLS.

  • doh.Indicates that DNS traffic was transported with DNS over HTTPS.

Onramp TypeIndicates how a request was directed to ‚ÄčSIA‚Äč Proxy.

One of these values may appear:

  • dns. Indicates DNS event was forwarded to ‚ÄčSIA‚Äč Proxy.
  • web. Indicates web (HTTP and HTTPS) request was forwarded to the full web proxy.
  • onramp_dns. Indicates that risky HTTP and HTTPS traffic was forwarded to the selective proxy.
  • etp_client. Indicates the request was directed to ‚ÄčSIA‚Äč Proxy as a result of ‚ÄčETP Client‚Äč.
  • etp_offnet_client. Indicates the request was directed to ‚ÄčSIA‚Äč Proxy as a result ‚ÄčETP Client‚Äč. In this case, ‚ÄčETP Client‚Äč was off the corporate network.
  • explicit_proxy_tls. Indicates the request was directed to ‚ÄčSIA‚Äč Proxy as a result of an on-premises proxy configuration.
Internal Client IPInternal IP address of the user’s machine.
Internal Client NameInternal client name of machine that’s detected by DNS Forwarder.
User NameIf authentication is enabled in a policy, this dimension shows the username of the user who made the request.
Device OwnerOwner of the device where ‚ÄčETP Client‚Äč is installed. This is the username or email address of the user who activates ‚ÄčETP Client‚Äč on their device. This username or email address is associated with the device in ‚ÄčSIA‚Äč reports.
DictionariesThe specific dictionary that’s used to scan uploaded content for DLP.
PatternsThe pattern in a dictionary that’s used to scan uploaded content for DLP.
File HashThe hash of the uploaded file that’s scanned by DLP and detected to include sensitive information.
File TypeMIME file type that is downloaded or uploaded. An administrator may assign the block or monitor action to this file type in a policy.
Threat NameName of the threat. If a specific name for a threat does not appear, ‚ÄčSIA‚Äč shows a name that classifies the threat.

These classifications include:

  • Customer Lists. Domains or IP addresses in a custom list. The domains or IP addresses in these lists are defined by your organization.
  • Known Phishing. Domains or URLs that are used in a social engineering attack to fraudulently obtain personal or classified information. A phishing scam deceives victims to performing an activity that compromises their machine or reveals sensitive information.
  • Known Malware. Domains or URLs that direct victims to malicious websites or are used by applications to harm a network. Malware steals confidential data, compromises data integrity, and disrupts data availability.
  • Known CNC. Domains or URLs that are used for C&C communication. A C&C threat is used to steal data, distribute malware, and disrupt services.
  • File Sharing. Domains or URLs of file sharing services.
  • Aged Out. Indicates the domain was tracked as a threat for some time and it may still be a threat. If the proxy is enabled, the proxy determines whether the domain is still a threat.
  • Generic Risky. Indicates there's risk that the domain may be malicious. If the proxy is enabled, the proxy determines whether it is malicious.
  • Unclassified Indicates a threat is not yet classified by ‚ÄčSIA‚Äč.

This criteria or dimension appears for threat events only.
HTTP Request MethodThe action that’s performed during the request.

This attribute is available only when ‚ÄčSIA‚Äč Proxy is enabled.
URIUniform Resource Identifier. Characters or string that identify a resource. For example, a URL is a URI.

This attribute is available only when ‚ÄčSIA‚Äč Proxy is enabled.
Web Destination PortDestination port of web traffic.

This attribute is available only when ‚ÄčSIA‚Äč Proxy is enabled.
Layer 7 ProtocolApplication layer protocols such as HTTP and HTTPS.

This attribute is available only when ‚ÄčSIA‚Äč Proxy is enabled.

For events in the access control events report, you can choose to show data based on these dimensions:

Dimensions for Access Control Events

DimensionDefinition
CategoryCategories of AUP violations. Violations are reported at the subcategory level. If a category does not have a subcategory, then the category name is provided.
DomainDomain or IP address requested by the user.
PolicySecurity policy or set of rules that are associated with a location.
LocationIndicates where a threat originated from.
Layer 7 ProtocolIndicates whether the HTTP or HTTPS application layer protocols were used.

This attribute is available only when ‚ÄčSIA‚Äč Proxy is enabled.
Sub-LocationIndicates the sub-location where the event originated from.
Internal Client NameInternal client name of machine that’s detected by DNS Forwarder.
ApplicationWeb application that violated the ‚ÄčSIA‚Äč policy for access control. For more information, see Application visibility and control.
OperationApplication operation that violates ‚ÄčSIA‚Äč policy for access control. For more information, see Application visibility and control.
RiskRisk level associated with a web application that violated ‚ÄčSIA‚Äč policy for access control. For more information, see Application visibility and control.
ReasonIndicates how the event was detected. If the event was detected by AVC, the following reasons may appear depending on the configuration of the policy:

  • Application Risk Level
  • Category
  • Application Category Operation
  • Application
  • Application Operation

If the event was detected with DLP, ‚ÄúData Leakage Prevention‚ÄĚ is shown in the report.
Device OwnerOwner of the device where ‚ÄčETP Client‚Äč is installed. This is the username or email address of the user who activates ‚ÄčETP Client‚Äč on their device. This username or email address is associated with the device in ‚ÄčSIA‚Äč reports.
Device Risk LevelDevice posture risk level of the user’s device. To show a value for this dimension, your organization must be set up for device posture in Enterprise Application Access. You must also select device risk levels as part of your AVC configuration for accessing web applications or completing an application operation. For more information, see Use device posture for application access.
DictionariesIndicates if the event was found as a result of a dictionary configuration. The specific dictionary that found the event is provided.
PatternsShows the patterns in a dictionary that detected the event.
File HashThe hash of the file that was scanned by DLP and detected to include sensitive information.
File TypeMIME file type that is downloaded or uploaded. An administrator may assign the block or monitor action to this file type in a policy.
Matched GroupsIndicates that users in groups appear in multiple groups.
GroupsIf authentication is required, this dimension shows the user group that’s assigned to the user who made the request and violated the AUP.
User NameIf authentication is enabled in a policy and configured for an acceptable use policy, this is the username of the user who made the request.
User IDIf authentication is required, this dimension shows the User ID associated with the user who made the request and violated the AUP.
Internal Client IPInternal IP address of the user’s machine.
Onramp TypeIndicates how a request was directed to ‚ÄčSIA‚Äč Proxy.

One of these values may appear:

  • dns. Indicates DNS event was forwarded to ‚ÄčSIA‚Äč Proxy.
  • web. Indicates web (HTTP and HTTPS) request was forwarded to the full web proxy.
  • onramp_dns. Indicates that risky HTTP and HTTPS traffic was forwarded to the selective proxy.
  • etp_client. Indicates the request was directed to ‚ÄčSIA‚Äč Proxy as a result of ‚ÄčETP Client‚Äč.
  • etp_offnet_client. Indicates the request was directed to ‚ÄčSIA‚Äč Proxy as a result of ‚ÄčETP Client‚Äč. In this case, ‚ÄčETP Client‚Äč was off the corporate network.
  • explicit_proxy_tls. Indicates the request was directed to ‚ÄčSIA‚Äč Proxy as a result of an on-premises proxy configuration.
Device NameName of the device where ‚ÄčETP Client‚Äč is hosted or installed.
Client Request IDUUID of ‚ÄčETP Client‚Äč that‚Äôs installed on the machine.

For information on Security Connector events, see Dimensions for Security Connector events.