Threat event details

The Threat Events report allows you to review specific events and event details.

Threat events appear in a table. After you select a filter and dimension, you can select the type of data that you want to show in the table. In addition to data listed in the Event dimensions help topic, you can show this data in the events table:

Event Table Column / AttributeDescription
Detected TimeThe time when the event was detected in your local time.
CorrelationIf your organization uses a security connector, this column indicates whether there is a security connector event that correlates to the threat event. If there is a correlation, the column includes a View link that you can click in the Correlation table column. This link directs you to Correlation Security Connector Event(s) for Threat Event dialog where event information is provided.

Additionally, this column may show the values None or N/A. None indicates that while a sinkhole action was taken on the event, there is no correlation to a Security Connector event yet. N/A indicates that a Security Connector event correlation is not applicable because a sinkhole action was not taken on the event.

This attribute or data column does not apply to access control events.
Query TypeDNS resource record type associated with the request.
HashHash of the HTTP response for threats.
Response TimeTime when a response to a request was provided.

This attribute is available only when ‚ÄčSIA‚Äč Proxy is enabled.
ReasonInforms how an event was identified. Any of these reasons may appear:

  • ‚ÄčAkamai‚Äč Intelligence. Indicates the event was identified by ‚ÄčAkamai‚Äč or a threat category.
  • Customer Domain Intelligence. Indicates the event was found for a domain based on a list configuration.
  • Customer URL Intelligence. Indicates the event was found for a URL based on a list configuration.
  • Sandbox-Dynamic Analysis. Indicates the event was found with dynamic malware analysis.
  • AV scan. Indicates the event was found with inline payload analysis.
  • Data Leakage Prevention. Indicates the event was found as a result of a DLP configuration.
Additionally, if the event was detected as a result of AVC, these reasons may also be listed depending on the policy action assigned to these areas:

  • Application Risk Level. Indicates the event was detected based on the risk levels associated with the policy.
  • Category. Indicates the event was detected based on the category or categories associated with the policy.
  • Application category operation. Indicates the event was detected based on the category operations associated with the policy.
  • Application. Indicates the event was detected based on applications associated with the policy.
  • Application Operation. Indicates the event was detected based on application operations associated with the policy.
Destination IPIP address of the destination (origin) website.

This attribute is available only when ‚ÄčSIA‚Äč Proxy is enabled.
Connection IDUniquely identifies a connection in a network.

This attribute is available only when ‚ÄčSIA‚Äč Proxy is enabled.
Deep Scan ReportIf static or dynamic malware analysis is enabled and a threat was detected, a deep scan report is available for download here. For more information on a deep scan report, see Deep scan report.
On RampIndicates whether traffic was forwarded to ‚ÄčSIA‚Äč Proxy. This field shows Yes or No.
ApplicationWeb application that violated access control settings in a policy. For more information, see Application visibility and control.
OperationApplication operation that violated access control settings in a policy. For more information, see Application visibility and control.
RiskFor AVC, shows the risk associated with the DNS activity.
Client AgentsString for HTTP-based traffic that includes details about the end user's browser and system, such as the browser, browser version, operating system, command line tools, version of ‚ÄčETP Client‚Äč, and more.
Observed AUP CategoryThe AUP category or AVC category that was violated.
Request TimeDate and time when the request was made.
Request Header(s)Header fields in an HTTP request.
Response Header(s)Header fields in an HTTP response.
File NameThe name of the file that‚Äôs scanned by ‚ÄčSIA‚Äč.
DictionariesThe specific dictionary that’s used to scan uploaded content for DLP.
PatternsThe pattern in a dictionary that’s used to scan uploaded content for DLP.
File SizeSize of the file that's scanned by ‚ÄčSIA‚Äč.
File TypeMIME file type that is downloaded or uploaded. An administrator may assign the block or monitor action to this file type in a policy.
DLP Scan StatusShows the status of the DLP scan. For example, this status may indicate that the scan is complete and show the action that was taken on the document or text.
UploadA true value indicates that the recorded activity occurred when the user attempted to upload data.
File HashThe hash of the file that was scanned by DLP and detected to include sensitive information.
CIDRCIDR block that’s associated with the requested domain or IP address.