Proxy activity

If SIA Proxy is enabled for your enterprise, you can report on the network traffic that's directed to the proxy. The Proxy Activity report logs all traffic that's directed to SIA Proxy, including the internal client IP, username, group name, and more, and shows the policy action that was applied to the traffic.

You must be an SIA administrator or a user with the required permission to perform the procedures in this section and view the Proxy Activity report. For more information, see Roles.

Note: If you do not enable authentication, or the user skips authentication, SIA Proxy cannot report username and group information. This information is recorded in the report only when the user authenticates. For more information on authentication, see Authentication policy.

The organization of activity data is similar to event data. When navigating this tab:

  • Any applied date or data filter defines the data that is shown. You can filter data based on the selected date or date range, the time of day you enter, the area you select in the Time graph, and the filters applied to data on the page. A filter can include or exclude data from the view.

  • Data that appears on the Proxy Activity report is defined by the selected dimension.

    • The Top 6 area lists the top 6 data values for the selected dimension. For example, if you select the Location dimension, the Top 6 Locations are listed.

    • Activity data is grouped by the selected dimension. For example, if you select the Location dimension, this data is organized by specific locations. You can expand a specific location to view the associated activity.

  • You can perform the following actions on this page:

    • View activity details. If you select the information icon beside the activity data, more details appear in a separate window.

    • Add data to the filter. You can decide to exclude or include data in the filter.

    • View the IOC details for a requested domain. When viewing events based on domain, you can click the information icon and the IOC Details appear in a separate window.

If the proxy activity produced an event, the activity details indicate whether the activity is also an event.

If you are a delegated administrator, the data that appears on this page is based on the locations you created and are allowed to access. A strict delegated administrator cannot view the Proxy Activity report.

Filter proxy activity data

To filter proxy activity data:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Proxy Activity.

  2. To filter data based on date and time, see Filter data based on date and time.

  3. To configure and apply a filter, see Configure and apply a filter. To show only web traffic, apply a filter on the Layer 7 Protocol (for example, HTTP and HTTPS).

  4. To further narrow the date and time that you want to report on, move the slider handles of the provided graph to select the desired area or the date and time you want to focus on. For example, you may want to focus on the time when the most activity occurred.

  5. Select a dimension or criteria to define what data is shown.

  6. To hide data shown in the Top 6 area, click one of the top 6 items. This data is hidden from the Top 6 graph. Click the item again to show this data in the graph.

  7. To search for proxy connections that are grouped by the selected dimension, see Search for proxy connections.

Search for proxy connections

You can search for connections established with SIA Proxy in the Proxy Activity report. Data appears based on the applied filters and the dimension or criteria you select. Search functionality is available to locate specific data in the list of activity.

To search for proxy connections:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Proxy Activity.

  2. To filter data based on date and time, see Filter data based on date and time.

  3. To configure and apply a filter, see Configure and apply a filter.

  4. Select a dimension or criteria to define what data is shown.

  5. In the search field provided for grouped values, enter the dimension or criteria value. For example, if you selected Domain as the dimension, events are grouped by domain, so you enter a domain.

  6. To search all connections associated with the dimension you selected, click the arrow icon for all filtered connections. For example, if you selected Destination Ports as a dimension, the All Destination Ports group is available and includes all destination ports for all connections. All connection information appears in a table format. Go to step 8.

  7. To search for a specific event that is part of a dimension group, click the arrow icon associated with the dimension value. For example, if events are grouped by destination port, this action shows connections that are associated with a specific destination port. A list of connections appears in a table format.

  8. In the provided search field, enter a data value that is associated with the connection. For example, you can enter the location, connection start time, end time, and more. The value you search for should match a value in one of the table columns.

View proxy activity details

On the Proxy Activity report, you can view detailed information about traffic that was allowed or dropped by SIA Proxy.

To view proxy activity details:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Proxy Activity.

  2. Filter events as needed. For more information, see Filter data based on date and time and Filter proxy activity data.

  3. If you haven't done so already, select a dimension.

  4. In the list of grouped events, click the arrow icon that is associated with a dimension value. For example, if you selected Domain, click the arrow icon to see the associated traffic. Logged activity appears in a table format.

  5. Click the information button. Activity details appear in a separate window. You can use the arrow keys on your keyboard to navigate to other activity in the table and show details.

Add or remove data columns in connection or activity data tables

On the DNS Activity, Proxy Activity, and Network Traffic reports, you can add or remove the data columns that appear in the connections or activity data tables. The modifications you make to an individual table apply to all connection and activity tables you view.

To add or remove data columns in connection or activity data tables:

  1. In the Threat Protection menu of Enterprise Center, select Reports.

  2. Select one of these:

    • For data on DNS traffic directed to SIA, select DNS Activity.

    • For data on traffic directed to SIA Proxy, select Proxy Activity.

    • For data on traffic directed to SIA, select Network Traffic.

  3. Filter events as needed. For more information, see Filter data based on date and time.

  4. If you haven't done so already, select a dimension or criteria.

  5. To add a data column to the connections or activity data table:

    1. In the grouped connections area on the page, click the table icon. A list of additional attributes appears.

    2. Select the data type that you want to add to the table. A column for this data appears.

  6. To remove a data column from the connections or activity data table:

    1. In the grouped connections or activity area on the page, click the table icon. A list of data types appears.

    2. Deselect any data type that you want to remove from the table. After a data type is deselected, the column is removed from the table.

Download a CSV file with connection or activity information

From the DNS Activity, Proxy Activity and Network Traffic reports, you can download a CSV that contains a complete list of connections or activity. Each table shows the latest 500 connections. However, you can download a CSV file to see up to 5,000 of the most recent connections or activity based on the dimension and filters you selected.

To download a CSV file with connection or activity information:

  1. In the Threat Protection menu of Enterprise Center, select Reports.

  2. Do one of these steps:

    • For data on DNS traffic directed to SIA, select DNS Activity.

    • For data on traffic directed to SIA Proxy, select Proxy Activity.

    • For data on traffic directed to SIA, select Network Traffic.

  3. Filter data as needed. For more information, see Filter data based on date and time.

  4. If you haven't done so already, select a dimension or criteria.

  5. In the grouped connections or activity area, click the arrow icon to show the connections or activity associated with the selected dimension.

  6. Click Download CSV (All Events) to download the connections or activity that are associated with the dimension you selected.
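Once an export is downloaded, the same operations the report applies in the browser (the date and time window, include/exclude filters, grouping by a dimension, and the Top 6 area) can be reproduced offline, which is useful for exports larger than the on-screen table or for feeding a SIEM. The following Python script is an added example and is not Akamai's code. It assumes a CSV whose header uses the dimension and detail names listed on this page (Detected Time, Domain, Action, User Name, Groups, Internal Client IP, Destination Port, Layer 7 Protocol, Onramp Type, Reason, Is Event); the real export header may differ, so check it before running the script against a downloaded file. The sample rows are constructed for illustration only.

```python
"""Offline triage of a Proxy Activity CSV export (added example, not Akamai code).

The column names below are assumed from the dimension and detail names on
this page; adjust them if the real export header differs.
"""
import csv
import io
from collections import Counter

# Constructed sample rows; not real SIA data. The Onramp Type and Reason
# values are taken from the dimension descriptions on this page.
SAMPLE_CSV = """\
Detected Time,Domain,Action,User Name,Groups,Internal Client IP,Destination Port,Layer 7 Protocol,Onramp Type,Reason,Is Event
2024-05-01T09:00:01Z,example.com,Allow,alice,Engineering,10.0.0.5,443,HTTPS,etp_client,,False
2024-05-01T09:00:07Z,updates.example.net,Allow,,,10.0.0.9,80,HTTP,onramp_dns,,False
2024-05-01T09:01:15Z,bad.example.org,Block,bob,Finance,10.0.0.7,443,HTTPS,web,Akamai Intelligence,True
2024-05-01T09:02:30Z,share.example.com,Block,alice,Engineering,10.0.0.5,443,HTTPS,etp_offnet_client,Data Leakage Prevention,True
2024-05-01T09:03:00Z,example.com,Allow,carol,Engineering,10.0.0.11,443,HTTPS,explicit_proxy_tls,,False
2024-05-01T09:03:45Z,ftp.example.com,Allow,,,10.0.0.9,21,FTP,dns,,False
"""


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def in_window(rows, start, end):
    """Date and time filter: keep rows whose Detected Time lies in [start, end].
    Relies on the assumption that timestamps are ISO 8601 in UTC, which
    compare correctly as plain strings."""
    return [r for r in rows if start <= r["Detected Time"] <= end]


def apply_filter(rows, include=None, exclude=None):
    """Include/exclude filter like the report's. Both arguments map a column
    name to a set of values; a row must match every include set and no
    exclude set."""
    include, exclude = include or {}, exclude or {}
    kept = []
    for r in rows:
        if any(r.get(col, "") not in vals for col, vals in include.items()):
            continue
        if any(r.get(col, "") in vals for col, vals in exclude.items()):
            continue
        kept.append(r)
    return kept


def group_by(rows, dimension):
    """Group rows by a dimension value, as the report does below the Top 6 area."""
    groups = {}
    for r in rows:
        groups.setdefault(r.get(dimension, ""), []).append(r)
    return groups


def top_n(rows, dimension, n=6):
    """The Top 6 area: the most frequent values of the selected dimension."""
    return Counter(r.get(dimension, "") for r in rows).most_common(n)


def unauthenticated(rows):
    """Connections with no username. Per the note on this page, SIA Proxy
    cannot report user or group information unless the user authenticated,
    so these rows cannot be attributed to a user or group."""
    return [r for r in rows if not r.get("User Name")]


def events_only(rows):
    """Rows the report also classifies as events (Is Event is True)."""
    return [r for r in rows if r.get("Is Event", "").lower() == "true"]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    web = apply_filter(rows, include={"Layer 7 Protocol": {"HTTP", "HTTPS"}})
    print("Top domains (web traffic only):", top_n(web, "Domain"))
    for port, conns in group_by(web, "Destination Port").items():
        print(f"destination port {port}: {len(conns)} connection(s)")
    blocked = apply_filter(rows, exclude={"Action": {"Allow"}})
    print("Blocked events:", [r["Domain"] for r in events_only(blocked)])
    print("Unattributed connections:", [r["Internal Client IP"] for r in unauthenticated(rows)])
```

The unauthenticated() check is worth running on every export: any row with an empty User Name is a connection the report cannot tie to a user or group, so user- and group-based filters silently miss it.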

Proxy activity dimensions

You can organize data based on these dimensions available on the Proxy Activity report:

  • Domain. Domain or IP address requested by the user.

  • Location. The SIA location where the transaction originated.

  • Action. Policy action that was applied.

  • Internal Client IP. Internal IP address of the user's machine.

  • User Name. Username of the user who made the request.

  • Destination IP. IP address of the destination (origin) website.

  • Destination Port. TCP or UDP port number of the traffic, such as port 80 for HTTP traffic and port 443 for HTTPS traffic.

  • Source IP. Source IP address of the traffic as seen by SIA Proxy. This is typically the public IP address assigned to a location as a result of NAT.

  • Client Port. Port used by ETP Client.

  • Geo. Geographical location where responses originate from.

  • Autonomous System. Autonomous system number, a unique identifier for a network.

  • HTTP Request Method. The HTTP method of the request, such as GET or POST.

  • Reason. Indicates how the traffic was identified. Any of these reasons may appear:

    • Akamai Intelligence. Traffic was identified by Akamai threat intelligence or a threat category.
    • Customer Domain Intelligence. Traffic matched a domain in a list configuration.
    • Customer URL Intelligence. Traffic matched a URL in a list configuration.
    • Sandbox-Dynamic Analysis. Traffic was identified by dynamic malware analysis.
    • AV scan. Traffic was identified by inline payload analysis.
    • Data Leakage Prevention. Traffic was identified as a result of a DLP configuration.

    Additionally, if traffic was detected as a result of AVC, these reasons may also be listed, depending on the policy action assigned to these areas:

    • Application Risk Level. Traffic was detected based on the risk levels associated with the policy.
    • Category. Traffic was detected based on the category or categories associated with the policy.
    • Application category operation. Traffic was detected based on the category operations associated with the policy.
    • Application. Traffic was detected based on the applications associated with the policy.
    • Application Operation. Traffic was detected based on the application operations associated with the policy.

  • Onramp Type. Indicates how activity was directed to SIA Proxy. One of these values may appear:

    • dns. DNS activity was forwarded to SIA Proxy.
    • web. A web (HTTP or HTTPS) request was forwarded to the full web proxy.
    • onramp_dns. Risky HTTP or HTTPS traffic was forwarded to the selective proxy.
    • etp_client. The request was directed to SIA Proxy by ETP Client.
    • etp_offnet_client. The request was directed to SIA Proxy by ETP Client while the device was off the corporate network.
    • explicit_proxy_tls. The request was directed to SIA Proxy as a result of an on-premises proxy configuration.

  • Client Request ID. UUID of the ETP Client that's installed on the device.

  • Device Name. Name of the user's device where ETP Client is installed.

  • Device Owner. Owner of the device where ETP Client is installed. This is the username or email address of the user who activated ETP Client on the device, and it is associated with the device in SIA reports.

  • Device Risk Level. Device posture risk level of the user's device. To show a value for this dimension, your organization must be set up for device posture in Enterprise Application Access, and you must select device risk levels as part of your AVC configuration for accessing web applications or completing an application operation. For more information, see Use device posture for application access.

  • Groups. User group assigned to the user who made the request.

  • Matched Groups. When the user belongs to more than one group, the groups that matched.

  • User ID. ID of the user who made the request.

  • Internal Client Name. Internal client name of the device as detected by DNS Forwarder or HTTP Forwarder.

  • Dictionaries. The specific dictionary used to scan uploaded content for DLP.

  • Patterns. The pattern in a dictionary used to scan uploaded content for DLP.

  • File Hash. Hash of the file that was scanned by DLP and found to include sensitive information.

  • File Type. MIME type of the file that was downloaded or uploaded. An administrator may assign the block or monitor action to this file type in a policy.

  • Application. For AVC, the specific web application associated with the activity.

  • Operation. For AVC, the specific application operation associated with the activity.

  • Risk. For AVC, the risk level associated with the activity.

  • Sub-Location. The sub-location where the event originated.

Proxy activity details

The Proxy Activity report allows you to review activity that's directed to SIA Proxy.

Proxy activity appears in a table. After you select a filter and dimension, you can select the type of data you want to show in the table. In addition to data listed in the Proxy activity dimensions topic, you can show this data in the activity table:

  • Detected Time. Date and time the activity was detected.

  • Policy. Policy that applies or was applied.

  • List. Custom lists or threat categories associated with the activity.

  • Detection Method. Indicates how the activity was detected. This field may show any of these values:

    • Inline. The activity was detected at the time of access.
    • Lookback. The activity was discovered in log data based on behavior.
    • Offline Static. The activity was discovered offline, after the content was downloaded, as a result of static malware analysis.
    • Offline Dynamic. The activity was discovered in a sandbox environment as a result of dynamic malware analysis.

  • Resolved IP. IP address resolved from the domain.

  • Is Event. Indicates whether the activity produced an event. Shows True or False.

  • Category. The overall category of the event. This may be the AUP category or the threat event category, such as malware, phishing, C&C, or DNS exfiltration. If the domain does not appear in any list, including threat, custom, or exception lists, the Unclassified category is shown.

  • Confidence. Indicates whether the activity is a known threat. If this is not known, it shows Unknown.

  • Connection ID. ID associated with the activity.

  • On-Ramp. Indicates whether the traffic was forwarded to SIA Proxy. Shows Yes or No.

  • Client Agents. User-Agent string of HTTP-based traffic, which includes details about the end user's browser and system, such as the browser and its version, the operating system, command line tools, the version of ETP Client, and more.

  • Layer 7 Protocol. Application layer protocol, such as HTTP or HTTPS.

  • Request Time. Date and time the user made the request.

  • Response Time. Date and time the response to the request was provided.

  • URI. Uniform Resource Identifier: a string that identifies a resource. For example, a URL is a URI.

  • Source Port. TCP/UDP port of the user's machine.

  • Request Header. Header fields in the HTTP request.

  • Request Strings. The query string in the HTTP request.

  • File Name. Name of the file that's scanned by SIA.

  • Dictionaries. The specific dictionary used to scan uploaded content for DLP.

  • Patterns. The pattern in a dictionary used to scan uploaded content for DLP.

  • File Type. MIME type of the file that was downloaded or uploaded. An administrator may assign the block or monitor action to this file type in a policy.

  • File Size. Size of the file that's scanned by SIA.

  • DLP Scan Status. Status of the DLP scan. For example, the status may indicate that the scan is complete and show the action that was taken on the document or text.

  • Upload. True indicates that the recorded activity occurred when the user attempted to upload data.

  • Hash. Hash of the HTTP response.

  • CIDR. CIDR block associated with the requested domain or IP address.