Proxy activity

If ETP Proxy is enabled for your enterprise, you can report on the network traffic that's directed to the proxy. The Proxy Activity report logs all traffic that's directed to ETP Proxy. Information such as internal client IP, username, group name, and more are logged in this report. The Proxy Activity report also shows what action was applied to traffic.

You need to be an ETP administrator or a user with a specific permission to perform the procedures in this section and view the Proxy Summary report. For more information, see Roles.

Note: If you do not enable authentication or the user skips authentication, ETP Proxy cannot report username and group information. This information is only recorded in the report when the user authenticates. For more information on authentication, see Authentication policy.

The organization of activity data is similar to event data. When navigating this tab:

  • Any applied date or data filter defines the data that is shown. You can filter data based on the selected date or date range, the time of day you enter, the area you select in the Time graph, and the actual filters applied to data on the page. You can create a filter where you include or exclude data from the view.

  • Data that appears on the Proxy Activity report is defined by the selected dimension.

    • The Top 6 area lists the top 6 data values for the selected dimension. For example, if you select the Location dimension, the Top 6 Locations are listed.

    • Activity data is grouped by the selected dimension. For example, if you select the Location dimension, this data is organized by specific locations. You can expand a specific location to view the associated activity.

  • You can perform the following actions on this page:

    • View activity details. If you select the information icon beside the activity data, more details appear in a separate window.

    • Add data to the filter. You can decide to exclude or include data in the filter.

    • View the IOC details for a requested domain. When viewing events based on domain, you can click the information icon and the IOC Details appear in a separate window.

If the proxy activity produced an event, the activity details indicate whether the activity is also an event.

If you are a delegated administrator, the data that appears on this page is based on the locations you created and are allowed to access. A strict delegated administrator cannot view the Proxy Activity report.

Filter proxy activity data

To filter proxy activity data:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Proxy Activity.

  2. To filter data based on date and time, see Filter data based on date and time.

  3. To configure and apply a filter, see Configure and apply a filter. To show web traffic, you can apply a filter with the Layer 7 Protocol.

  4. To further narrow the date and time that you want to report on, move the slider handles of the provided graph to select the desired area or the date and time you want to focus on. For example, you may want to focus on the time when the most activity occurred.

  5. Select a dimension or criteria to define what data is shown.

  6. To hide data shown in the top 6 area, click one of the top 6 items. This data is hidden from the Top 6 graph. Likewise, you can click it again to show this data in the graph.

  7. To search for proxy connections that are grouped by the selected dimension, see Search for proxy connections.

Search for proxy connections

You can search for connections established with ETP Proxy in the Proxy Activity report. Data appears based on applied filters and the dimension or criteria you select. Search functionality is available to locate specific data in the list of activity.

To search for proxy connections:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Proxy Activity.

  2. To filter data based on date and time, see Filter data based on date and time.

  3. To configure and apply a filter, see Configure and apply a filter.

  4. Select a dimension or criteria to define what data is shown.

  5. In the search field provided for grouped values, enter the dimension or criteria value. For example, if you select to show data based on domain, this means that events are grouped by domain. In this case, you would enter a domain.

  6. To search all connections associated with the dimension you selected, click the arrow icon for all filtered connections. For example, if you selected Destination Ports as a dimension, the All Destination Ports group is available and includes all destination ports for all connections. All connection information appears in a table format. Go to step 8.

  7. To search for a specific event that is part of a dimension group, click the arrow icon associated with the dimension value. For example, if events are grouped by destination port, this action shows connections that are associated with a specific destination port. A list of connections appears in a table format.

  8. In the provided search field, enter a data value that is associated with the connection. For example, you can enter the location, connection start time, end time, and more. The value you search for should match a value in one of the table columns.

View proxy activity details

On the Proxy Activity report, you can view detailed information about traffic that was allowed or dropped by ETP Proxy.

To view proxy activity details:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Proxy Activity.

  2. Filter events as needed. For more information, see Filter data based on date and time and Filter proxy activity data.

  3. If you haven't done so already, select a dimension.

  4. In the list of grouped events, click the arrow icon that is associated with a dimension value. For example, if you selected Domain, click the arrow icon to see the associated traffic. Logged activity appears in a table format.

  5. Click the information button. Activity details appear in a separate window. You can use the arrow keys on your keyboard to navigate to other activity in the table and show details.

Add or remove data columns to connection or activity data tables

On the DNS Activity, Proxy Activity, and the Network Traffic tabs of the Activity page, you can add or remove data that appears in the connections or activity data tables. The modifications you make to an individual table apply to all connection and activity tables you view.

To add or remove data columns to connection or activity data tables:

  1. In the Threat Protection menu of Enterprise Center, select Reports.

  2. Select one of these:

    • For data on DNS traffic directed to ETP, select DNS Activity.

    • For data on traffic directed to ETP Proxy, select Proxy Activity.

    • For data on traffic directed to ETP, select Network Traffic.

  3. Filter events as needed. For more information, see Filter data based on date and time. Depending on the data you are filtering, do one of these steps:

  4. If you haven't done so already, select a dimension or criteria.

  5. To add a data column to the connections or activity data table:

    1. In the grouped connections area on the page, click the table icon. A list of additional attributes appears.

    2. Select the data type that you want to add to the table. A column for this data appears.

  6. To remove a data column from the connections or activity data table:

    1. In the grouped connections or activity area on the page, click the table icon. A list of data types appears.

    2. Deselect any data type that you want to remove from the table. After a data type is deselected, the column is removed from the table.

Download a CSV file with connection or activity information

From the DNS Activity, Proxy Activity and Network Traffic reports, you can download a CSV that contains a complete list of connections or activity. Each table shows the latest 500 connections. However, you can download a CSV file to see up to 5,000 of the most recent connections or activity based on the dimension and filters you selected.

To download a CSV file with connection or activity information:

  1. In the Threat Protection menu of Enterprise Center, select Reports.

  2. Do one of these steps:

    • For data on DNS traffic directed to ETP, select DNS Activity.

    • For data on traffic directed to ETP Proxy, select Proxy Activity.

    • For data on traffic directed to ETP, select Network Traffic.

  3. Filter data as needed. For more information, see Filter data based on date and time. Depending on the data you are filtering, do one of these steps:

  4. If you haven't done so already, select a dimension or criteria.

  5. In the grouped connections or activity area, click the arrow icon to show the connections or activity associated with the selected dimension.

  6. Click Download CSV (All Events) to download the connections or activity that are associated with the dimension you selected.
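Once the CSV is downloaded, an analyst usually wants a quick triage pass over it rather than scrolling 5,000 rows. The following is an added example (not Akamai's code) that assumes the export carries one header per column, named after the dimension and detail labels on this page ("Detected Time", "Action", "Is Event", and so on); the sample rows are constructed. It counts activity by Action, isolates rows flagged as events, and separately lists events with no User Name, which the authentication note above explains cannot be attributed to a user or group from this report alone.

```python
"""Summarize a Proxy Activity CSV export (added example, not Akamai's code).

Assumptions: the export uses one header per column, named after the dimension
and detail labels on this page ("Detected Time", "Action", "Is Event", ...);
the sample rows below are constructed, not real export data.
"""
import csv
import io
from collections import Counter

# Constructed sample export: column names follow the report's labels.
SAMPLE_CSV = """Detected Time,Domain,Location,Action,Internal Client IP,User Name,Groups,Destination Port,Reason,Onramp Type,Detection Method,Is Event
2024-01-10T09:01:12Z,example-allowed.test,HQ,Allow,10.0.0.21,jdoe,Finance,443,,web,Inline,False
2024-01-10T09:02:45Z,example-blocked.test,HQ,Block,10.0.0.22,,,443,Customer Domain Intelligence,etp_client,Inline,True
2024-01-10T09:03:07Z,example-dlp.test,Branch,Block,10.0.0.40,asmith,HR,443,Data Leakage Prevention,explicit_proxy_tls,Inline,True
2024-01-10T09:05:30Z,example-sandbox.test,Branch,Monitor,10.0.0.41,,,80,Sandbox-Dynamic Analysis,onramp_dns,Offline Dynamic,True
"""


def summarize(csv_text):
    """Return counts by Action, rows flagged as events, and unauthenticated rows.

    Rows with an empty User Name are reported separately because, per the
    report's own note, username and group are recorded only when the user
    authenticated to ETP Proxy.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_action = Counter(r["Action"] for r in rows)
    events = [r for r in rows if r["Is Event"].strip().lower() == "true"]
    unauthenticated = [r for r in rows if not r["User Name"].strip()]
    # Events with no user cannot be tied to a person or group from this
    # report alone; the Internal Client IP is what is left for follow-up.
    unattributed_events = [
        (r["Detected Time"], r["Domain"], r["Internal Client IP"], r["Reason"])
        for r in events if not r["User Name"].strip()
    ]
    return {
        "rows": len(rows),
        "by_action": dict(by_action),
        "events": len(events),
        "unauthenticated": len(unauthenticated),
        "unattributed_events": unattributed_events,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

Point the function at the text of a real Download CSV (All Events) file to run the same pass over your own export; the header names must match the columns you enabled in the table.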

Proxy activity dimensions

You can organize data based on these dimensions available on the Proxy Activity report:

  • **Domain**. Domain or IP address requested by the user.
  • **Location**. Indicates the ETP location where the transaction originated.
  • **Action**. Policy action that was applied.
  • **Internal Client IP**. Internal IP address of the user's machine.
  • **User Name**. Username of the user who made the request.
  • **Destination IP**. IP address of the destination (origin) website.
  • **Destination Port**. TCP or UDP port number of traffic, such as port 80 for HTTP traffic and port 443 for HTTPS traffic.
  • **Source IP**. IP address of traffic. This is likely the IP address that is assigned to a location as a result of NAT.
  • **Client Port**. Port of ETP Client.
  • **Geo**. Geographical location where responses originate.
  • **Autonomous System**. A unique identifier for a network.
  • **HTTP Request Method**. The action that's performed during a request.
  • **Reason**. Informs how traffic was identified. Any of these reasons may appear:
    • **<> Intelligence**. Indicates traffic was identified by <> or a threat category.
    • **Customer Domain Intelligence**. Indicates traffic was found for a domain based on a list configuration.
    • **Customer URL Intelligence**. Indicates traffic was found for a URL based on a list configuration.
    • **Sandbox-Dynamic Analysis**. Indicates traffic was found with dynamic malware analysis.
    • **AV scan**. Indicates traffic was found with inline payload analysis.
    • **Data Leakage Prevention**. Indicates traffic was found as a result of a DLP configuration.

    Additionally, if traffic was detected as a result of AVC, these reasons may also be listed, depending on the policy action assigned to these areas:
    • **Application Risk Level**. Indicates traffic was detected based on the risk levels associated with the policy.
    • **Category**. Indicates traffic was detected based on the category or categories associated with the policy.
    • **Application category operation**. Indicates traffic was detected based on the category operations associated with the policy.
    • **Application**. Indicates traffic was detected based on applications associated with the policy.
    • **Application Operation**. Indicates traffic was detected based on application operations associated with the policy.
  • **Onramp Type**. Indicates how activity was directed to ETP Proxy. One of these values may appear:
    • **dns**. Indicates DNS activity was forwarded to <> Proxy.
    • **web**. Indicates a web (HTTP and HTTPS) request was forwarded to the full web proxy.
    • **onramp_dns**. Indicates that risky HTTP and HTTPS traffic was forwarded to the selective proxy.
    • **etp_client**. Indicates the request was directed to <> Proxy as a result of <> Client.
    • **etp_offnet_client**. Indicates the request was directed to <> Proxy as a result of <> Client. In this case, <> Client was off the corporate network.
    • **explicit_proxy_tls**. Indicates the request was directed to <> Proxy as a result of an on-premises proxy configuration.
  • **Client Request ID**. UUID of ETP Client that's installed on the device.
  • **Device Name**. Name of the user's device where ETP Client is installed.
  • **Device Owner**. Owner of the device where ETP Client is installed. This is the username or email address of the user who activates ETP Client on their device. This username or email address is associated with the device in ETP reports.
  • **Groups**. User group that's assigned to the user who made the request.
  • **Matched Groups**. Indicates users who appear in multiple groups.
  • **User ID**. ID of the user who made the request.
  • **Internal Client Name**. Internal client name of the device that's detected by DNS Forwarder or HTTP Forwarder.
  • **Dictionaries**. The specific dictionary that's used to scan uploaded content for DLP.
  • **Patterns**. The pattern in a dictionary that's used to scan uploaded content for DLP.
  • **File Hash**. The hash of the file that was scanned by DLP and detected to include sensitive information.
  • **File Type**. MIME file type that is downloaded or uploaded. An administrator may assign the block or monitor action to this file type in a policy.
  • **Application**. For AVC, this dimension shows the specific web application that is associated with the activity.
  • **Operation**. For AVC, this dimension shows the specific application operation that is associated with the activity.
  • **Risk**. For AVC, this dimension shows the risk level that is associated with the activity.
  • **Sub-Location**. Indicates the sub-location where the event originated.

Proxy activity details

The Proxy Activity report allows you to review activity that's directed to ETP Proxy.

Proxy activity appears in a table. After you select a filter and dimension, you can select the type of data you want to show in the table. In addition to data listed in the Proxy activity dimensions topic, you can show this data in the activity table:

  • **Detected Time**. Date and time the activity was detected.
  • **Policy**. Policy that applies or was applied.
  • **List**. Custom lists or threat categories associated with the activity.
  • **Detection Method**. Indicates how activity was detected. This field may show any of these values:
    • **Inline**. Indicates the activity was detected at the time of access.
    • **Lookback**. Indicates the activity was discovered in log data based on behavior.
    • **Offline Static**. Indicates the activity was discovered offline or after content was downloaded as a result of static malware analysis.
    • **Offline Dynamic**. Indicates the activity was discovered in a sandbox environment as a result of dynamic malware analysis.
  • **Resolved IP**. IP address that is resolved from the domain.
  • **Is Event**. Indicates whether the activity produced an event. This dimension shows a value of True or False.
  • **Category**. The overall category of the event. This may be the AUP category or the threat event category such as malware, phishing, C&C, and DNS exfiltration. If the domain does not appear in any lists, including threat, custom, or exception lists, the Unclassified category is shown.
  • **Confidence**. Indicates whether activity is a known threat. If this information is not known, it shows as Unknown.
  • **Connection ID**. ID associated with the activity.
  • **On-Ramp**. Indicates whether traffic was forwarded to ETP Proxy. This field shows Yes or No.
  • **Client Agents**. String for HTTP-based traffic that includes details about the end user's browser and system, such as the browser, browser version, operating system, command line tools, version of ETP Client, and more.
  • **Layer 7 Protocol**. Application layer protocols such as HTTP and HTTPS.
  • **Request Time**. Date and time the user made the request.
  • **Response Time**. Date and time when a response to a request was provided.
  • **URI**. Uniform Resource Identifier. Characters or string that identify a resource. For example, a URL is a URI.
  • **Source Port**. The TCP/UDP port of the user's machine.
  • **Request Header**. Header fields in an HTTP request.
  • **Request Strings**. The query string in an HTTP request.
  • **File Name**. The name of the file that's scanned by ETP.
  • **Dictionaries**. The specific dictionary that's used to scan uploaded content for DLP.
  • **Patterns**. The pattern in a dictionary that's used to scan uploaded content for DLP.
  • **File Type**. MIME file type that is downloaded or uploaded. An administrator may assign the block or monitor action to this file type in a policy.
  • **File Size**. Size of the file that's scanned by ETP.
  • **DLP Scan Status**. Shows the status of the DLP scan. For example, this status may indicate that the scan is complete and show the action that was taken on the document or text.
  • **Upload**. A true value indicates that the recorded activity occurred when the user attempted to upload data.
  • **Hash**. Hash of the HTTP response.
  • **CIDR**. CIDR block that's associated with the requested domain or IP address.

