Security Connector activity

When Enterprise Security Connector is deployed in your organization, Security Connector events are reported on the Security Connector activity report. The organization of events is similar to threat and access control events:

  • Any applied date or data filter ultimately defines the data that is shown. You can filter data based on the selected date or date range, the time of day you enter, the area you select in the Time graph, and the actual filters applied to security connector events. You can create a filter where you include or exclude data from the view.

  • Event data that appears on the Security Connector activity report is also defined by the selected dimension. The selected dimension defines how events are organized. This includes the Top 6 area of the page and the grouped events area.

    The Top 6 area of the page lists the top 6 items for the selected dimension. For example, if you select Affected Internal IP as the dimension, the Top 6 Affected Internal IP addresses are listed.

    The events area of the page also groups events based on the selected dimension. For example, if you selected Affected Internal IP, events are grouped by the affected internal IP address. You expand the provided IP address to view the associated events.

You can perform these actions on this page:

  • View event details. If you select the information icon beside an event, event details appear in a separate window.

  • Add data to the filter. You can decide to exclude or include data in the filter.

  • View the corresponding threat event. A Threat Events option is available when you click event data.

  • View the IoC details for a requested hostname. When viewing events based on hostname, you can click the information icon and the IoC Details appear in a separate window.

📘

A delegated administrator can view data based on the locations they are allowed to access. A strict delegated administrator cannot view the Security Connector activity report.

Security Connector event correlation

When traffic and events are recorded by Enterprise Security Connector, this data is available in ETP for further analysis. ETP allows you to easily compare and correlate Security Connector events to threat event data that is reported and tracked in the application. Administrators can also trace threat events to Security Connector events. Correlating this information makes it easier for you to identify compromised machines in your network and take action against threats or malicious activity in your network.

From the Security Connector activity report, you can examine and filter this data based on criteria and specific event information. To learn more about the Security Connector event data that is shown in ETP, see Dimensions for Security Connector events and Security Connector event details.

This applies when there is a correlation between threat event and security connector event data:

  • In the Security Connector activity report, a View link is associated with a specific security connector event in an events table. For example, when you expand a grouped event and view specific events, this link appears in the Correlated Threat Event column of the table. Clicking this link opens the Correlated Threat Event for Security Connector Event dialog where event details are provided. You can also open the event in the Threat Event report by clicking the Show in Threat Events link in the dialog. For more information on the data that is shown, see Threat event details.

  • In the Threat Events report, a View Link is associated with a specific threat event in an events table. Clicking this link opens the Correlated Security Connector Events(s) for Threat Event dialog where event details are provided. You can also show Security Connector events on the Security Connector activity report by clicking the Show in Security Connectors Activity link in the dialog. For more information on the data that is shown for a security connector event, see Security Connector event details.

  • In the Security Connector activity report, when you view data based on a dimension or event criteria (for example, a Connector IP, destination port, hostname, and more), you can click event data and select Threat Events from the menu that appears. If there is a correlated event, this option opens the correlated threat event in a dialog where detailed information is provided based on the dimension you selected. For example, if you select to view Threat Events based on a specific affected internal IP address, the Correlated Threat Events by Filtered Dimension(s) dialog shows all the threat events that apply to the specific affected internal IP address you selected. In this dialog, you can search for events, view detailed event data, and download event data to a CSV file. You can also show this data on the Threat Events report where you can do more data analysis.

  • Likewise, in the Threat Events report, you can also view data based on specific criteria such as a domain, hostname, or resolved IP address, click event data and select the option for Security Connector Events. This option opens a dialog where correlated security connector events are shown for the dimension you selected. In this dialog, you can search for events, view detailed event data, and download event data to a CSV file. You can also show this data in the Security Connector report.

  • To help you analyze correlated data, the Threat Events and Security Connector activity reports include filter criteria for each event type. For example, in the Threat Events report, in addition to filtering data by criteria or dimensions specific to threat events, you can filter data based on Security Connector criteria such as the affected internal IP address, source port, and more. Similarly, in addition to filtering data based on Security Connector events, on the Security Connector activity report, you can filter data based on threat event criteria, such as domain, list, action, policy, and more.

    You can also configure and apply a filter to show correlated events. For example, on the Security Connector activity report, you can create and apply a filter to show events that correlate to threat events. Similarly, on the Threat Events report, you can create and apply a filter to show events that correlate to security connector events.

View correlated Security Connector events

On the Threat Events tab, you can identify whether a threat event correlates to any security connector event. Perform the following procedure to view correlated security connector events.

📘

This procedure only applies if Enterprise Security Connector is deployed in your enterprise.

To view correlated Security Connector events:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Threat Events.

  2. Filter events as needed. For more information, see Filter data based on date and time and Filter event data.

  3. If you haven't done so already, select a dimension or event criteria.

  4. In the grouped events area, click the arrow icon to show the events associated with a dimension value.

  5. Locate an event that shows View in the Correlation column, then do one of these:

    • In the Correlation column, click View. You are directed to the Correlated Security Connector Event(s) for Threat Event dialog where correlated security connector events appear.

    • Click a data value in the events table and in the menu, select Security Connector Events. You are directed to the Correlated Security Connector Event(s) by Filtered Dimension dialog where correlated security connector events appear.

Download correlated Security Connector events to a CSV file

When viewing correlated security connector events from the Threat Events report, you can download security connector event data to a CSV file.

To download correlated Security Connector events to a CSV file:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Threat Events.

  2. Filter events as needed. For more information, see Filter data based on date and time and Filter event data.

  3. If you haven't done so already, select a dimension or event criteria.

  4. In the grouped events area, click the arrow icon to show the events associated with a dimension value.

  5. Locate an event that shows View in the Correlation column, then do one of these:

    • In the Correlation column, click View. The events appears in the Correlated Security Connector Event(s) for Threat Event dialog.

    • Click a data value in the events table and in the menu, select Security Connector Events. You are directed to the Correlated Security Connector Event(s) by Filtered Dimension dialog where correlated security connector events appear.

  6. Click the download icon. The event or events data downloads to a CSV file.

View correlated threat events

In the Security Connector activity report, you can identify whether a security connector event correlates to a threat event. Perform the following procedure to view correlated threat events.

📘

This procedure only applies if Enterprise Security Connector is deployed in your enterprise.

To view correlated threat events:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Security Connector.

  2. Filter events as needed. For more information, see Filter data based on date and time and Filter event data.

  3. If you haven't done so already, select a dimension or event criteria.

  4. In the grouped events area, click the arrow icon to show the events associated with a dimension value.

  5. Locate an event that shows View in the Correlated Threat Event column, then do one of these:

    • In the Correlated Threat Event column, click View. You are directed to the Correlated Threat Event for Security Connector Event dialog where event information appears. To show the event in the Threat Events report, click Show in Threat Events.

    • Click a data value in the events table and in the menu, select Threat Events. You are directed to the Correlated Threat Event(s) by Filtered Dimensions dialog where associated events appears. To show these events in the Threat Events report, click Show in Threat Events.

Download correlated threat events to a CSV file

When viewing correlated threat events from the Security Connector events tab, you can download threat event data to a CSV file.

To download correlated threat events to a CSV file:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Security Connector.

  2. Filter events as needed. For more information, see Filter data based on date and time and Filter event data.

  3. If you haven't done so already, select a dimension or event criteria.

  4. In the grouped events area, click the arrow icon to show the events associated with a dimension value.

  5. Locate an event that shows View in the Correlated Threat Event column, then do one of these:

    • In the Correlated Threat Event column, click View. The events appears in the Correlated Threat Events for Security Connector Event dialog.

    • Select the data that you want to report and click Threat Events. The events appears in the Correlated Threat Event(s) by Filtered Dimensions dialog.

  6. Click the download icon. The event or events data downloads to a CSV file.

View details associated with a hostname

In the Security Connector report, you can view additional information about a requested hostname. This information appears in a separate window.

To view details associated with a hostname:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Security Connector.

  2. Filter events as needed. For more information, see Filter data based on date and time and Filter event data.

  3. Select the Hostname dimension.

  4. In the grouped events area, click the information icon that is associated with a hostname. The IoC Details appear in a separate window.

Dimensions for Security Connector Events

The Security Connector report allows you to review specific events and details associated with the information collected by the security connector. These dimensions are available.

Additional information is available in the event details. For more information, see Security Connector event details.

Dimension

Definition

Internal Client IP

Internal IP address of the user’s device

Internal Client Name

Internal client name of the device that's detected by DNS Forwarder or HTTP Forwarder.

Hostname

Hostname in the host header or SNI.

Source Port

The TCP/UDP port of the user’s machine.

Connector Name

Name of the security connector.

Connector IP

The IP address of the security connector.

Status

Indicates why traffic was dropped by HTTP Forwarder and an error occurred. These status may include:

  • Unsupported HTTP version
  • Host lookup failed
  • Connection to resolved IP addresses failed
  • HTTP processing error
  • Connection failure
  • Invalid proxy authorization credentials

Request ID

The unique identifier of a request that’s received by Security Connector as an HTTP Forwarder.

Security Connector event details

Security Connector events are organized in the events table based on this information. You can select to show or hide some of this information in the report.

Columns in the Security Connector Events Table

Event Table Column

Description

Event Time

The time that the event was detected by the security connector.

Hostname

Hostname in the host header or SNI.

Destination Port

Destination TCP/UDP port of packets.

URL

If the full URL is not available from the security connector, then the provided URL is based only on the hostname of the request.

Hit Count

Number of connections that were captured and logged by the security connector as a result of the internal IP address, destination port, layer 4 protocol, hostname, user-agent string, and URL.

Correlated Threat Event

Indicates if there is a correlating threat event. If there is a correlation, the column includes a View link for an ETP administrator or report viewer to see the corresponding threat event in a separate dialog. The dialog also contains a link to the Threat Events report where a filter is applied to show the corresponding event information based on the domain and event ID.

Redirect Type

Indicates how a request was sent to the Security Connector as a sinkhole.

Source Port

The TCP/UDP port of the user’s machine.

Connector IP

The IP address of the security connector.

Layer 4 Protocol

Transport layer protocol that applies to the event. In this case, whether TCP or the UDP was used. If these protocols are not used, no information is shown in this field.

User Agent

User-agent string for HTTP-based traffic that includes details about the end user's browser and system, such as the browser, browser version, operating system, command line tools, and more.

Layer 7 Protocol

Application layer protocol that was used to communicate with the security connector. For example, HTTP or TLS.

Status Code

Response code for requests. This field only applies to requests that are directed to HTTP Forwarder.

Drop

Indicates if traffic was dropped by HTTP Forwarder. If the transaction is successful, the value false appears.

Description

Provides more detailed information on errors. This information can include an IP address or port number.

Proxy Mode

Indicates the proxy type for HTTP Forwarder. Possible values include HTTP-Explicit and HTTP-Transparent.

Redirect To

Indicates how HTTP Forwarder directs traffic from a client (browser). Possible values in this field include:

  • **Direct to Origin**: Redirects requests to the origin as a failover method.
  • **Internal**. Request bypasses the proxy and it is directed to the origin because it is an internal domain configured in the ETP Network Configuration.
  • **ETP Proxy**. Request is directed to ETP Proxy
  • **Unknown**. Request is malformed and as a result, Security Connector drops the connection.

Did this page help you?