Events
When accessing event information in SIA, you can view and analyze detailed event data. SIA reports on these types of events:
- Threat Events: Events that are reported when a user attempts to access domains and IP addresses that are known or suspected threats to a network. If the SIA Proxy is enabled, you can also report on HTTP and HTTPS threat events.
- Access Control Events: Events that are reported when a user violates access control settings in a policy. This includes settings for an AUP, AVC, DLP, and access by file type. For more information on these settings, see Application visibility and control, Data loss prevention, and Access by file type.
- Firewall as a Service (FWaaS) Events: Events that are reported when outbound communication is attempted to IP addresses, services, or applications that are blocked in the firewall settings of a policy. In addition to any filter you apply to the report, the FWaaS report calculates the number of events that occur within each five-minute period. You can see this in the Start and End Time values of the report. For more information about event dimensions and details, see FWaaS event dimensions and FWaaS event details.
Event data is organized by dimensions (event criteria) and various filters. The following applies:
- Any applied date or data filter defines the data that is shown.
- In addition to selecting the date or time range that you want to report on, you can also filter the data that appears with the Time graph. The Time graph is a line graph that shows when events occurred during the selected date or date range. To focus on a specific time, you can narrow the selected area of the graph. When this is done, the corresponding events appear on the page.
- You can easily view and filter data based on dimensions or criteria. Creating a filter allows you to specify the criteria, and ultimately, the data that you want to report on. The event reports include an interactive user interface where you can select the dimension or criteria to view corresponding event information.
- Event data is organized by the selected dimension. For example, if you select Resolved IP as a dimension, event data is shown based on the resolved IP address. This includes the Top 6 area of the page and the grouped list of events.
- In addition to grouping events by the selected dimensions, the events data area of the page also includes a group for all events based on the applied filters. No matter what dimension is selected, this group shows all event data and provides a convenient way for report viewers to see the latest events.
- You can download a CSV with aggregate data that shows the total number of events based on the dimension you selected for the report. For example, if you are showing and grouping data based on category, the CSV shows the total number of events based on category.
- If you are a delegated administrator or strict delegated administrator, the data that appears in a threat or an AUP event report is based on the locations you created or are allowed to manage. Data that applies to locations that you are not allowed to access is not shown in the report results.
- If you are a strict delegated administrator, you cannot view HTTP(S) threat events.
An event report shows the Top 6 dimension items that produced the most events. For example, if you choose the Resolved IP dimension, the Top 6 Resolved IP addresses are listed and the total number of events produced by these top 6 resolved IP addresses is also listed. A bar graph is shown to visualize this data. In the list of the Top 6, a report viewer can also select the data they want to show or hide in the graph. For example, you can click one of the top resolved IP addresses to hide it from the graph, and you can click it again to have that data reappear in the graph.
The selected dimension also determines how events are organized. For example, selecting the resolved IP address means that events are grouped by the resolved IP address. You can view the events that are associated with the selected dimension. Event tables are customizable and you can select the data that is represented in table columns.
You can also perform a variety of actions for events. You can:
- View event details. If you select the information icon beside an event, event details appear in a separate window.
- View domain details. You can click a domain and select to view more details. For a domain or hostname dimension value, you can also click the information icon beside the domain or hostname to view more details. You are directed to the Indicator Search page or to a separate window with the domain details.
- View threat details. If you filter or group threat event data by the Threat Name dimension, you can click the threat name and select to view more details. Information about the threat appears in a separate window, including a graph with events that occurred in the date range you specified.
- Add data to the filter. You can decide to exclude or include data in the filter.
- Report a domain that you believe is misclassified.
- If a Security Connector is configured for your organization, you can select to view Security Connector events that correlate to threat events. For more information on Security Connector events, see Security Connector event details.
Each event table shows the latest 500 events. However, you can download a CSV file to see up to 5,000 of the most recent events based on the dimension and filters you selected.
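The grouping the report applies (events grouped by a chosen dimension, a Top 6 list with the total those items produced, and FWaaS-style five-minute periods with Start and End Time values) can be reproduced offline over a downloaded event CSV. The following is an added example, not SIA product code; the column names and the sample rows are constructed for illustration, and the real export's headers may differ.

```python
"""Offline analysis of an SIA-style event CSV export (added example, not Akamai code)."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample export. Column names are assumptions, not the product's real headers.
SAMPLE_CSV = """timestamp,resolved_ip,domain,threat_name,action
2024-05-01T10:00:12Z,203.0.113.5,bad.example,MalwareA,block
2024-05-01T10:01:40Z,203.0.113.5,bad.example,MalwareA,block
2024-05-01T10:03:05Z,198.51.100.7,evil.example,PhishB,block
2024-05-01T10:06:30Z,203.0.113.5,bad.example,MalwareA,block
2024-05-01T10:07:00Z,192.0.2.9,c2.example,C2C,block
2024-05-01T10:12:45Z,198.51.100.7,evil.example,PhishB,block
2024-05-01T10:13:10Z,192.0.2.10,d.example,C2C,block
"""

TOP_N = 6                      # the report's Top 6 area
WINDOW = timedelta(minutes=5)  # FWaaS report aggregation period
CSV_EVENT_CAP = 5000           # most recent events a CSV download can contain


def load_events(text):
    """Parse the export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def export_is_capped(events, cap=CSV_EVENT_CAP):
    """True when the export hit the download cap, so older events may be missing."""
    return len(events) >= cap


def top_dimension(events, dimension, n=TOP_N):
    """Group by a dimension column (e.g. resolved_ip or threat_name) and return
    the Top n (value, count) pairs plus the total events those top items produced."""
    counts = Counter(e[dimension] for e in events)
    top = counts.most_common(n)
    return top, sum(c for _, c in top)


def five_minute_windows(events):
    """Count events per five-minute period and return (start, end, count) tuples,
    mirroring the Start and End Time values shown in the FWaaS report."""
    buckets = Counter()
    for e in events:
        ts = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        # Align to the start of the enclosing five-minute period.
        start = ts - timedelta(minutes=ts.minute % 5, seconds=ts.second)
        buckets[start] += 1
    return [(s, s + WINDOW, c) for s, c in sorted(buckets.items())]
```

Run `top_dimension(load_events(SAMPLE_CSV), "threat_name")` to see the same grouping the report shows when the Threat Name dimension is selected.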