Event dimensions
These tables define the event dimensions for events in Enterprise Threat Protector (ETP).
For threat events in the Threat Events report, you can choose to show data based on these criteria.
Dimension | Definition |
---|---|
Category | The overall category of the event. For a threat event, categories can be Malware, Phishing, Command and Control (C&C), DNS Exfiltration, Deny List, or Other (if assigned to a custom list). |
Reason | Informs how a threat event was identified. Any of the following reasons may appear: |
Severity | Indicates the severity level. For more information, see Severity levels. This dimension appears for threat events only. |
Location | A location is a public IP address or a named collection of public IP addresses that belong to a region or geographic area in your network, such as a CIDR block for an office branch or company headquarters. The location indicates where the event originated from. |
Policy | Security policy or set of rules that are associated with a location. |
Domain | Name or resolvable identifier for an IP address. This is the domain that is requested by the user. In a threat event, the domain is known or suspected to be malicious. |
Resolved IP | IP address that is resolved from a domain name. |
Detected Time | The time when the event was detected in your local time. |
List | List that identified the threat as an event. This list can be a custom list or a threat category. |
Action | Action taken on known or suspected threats based on a policy configuration. |
Confidence | Indicates whether an event is a known or suspected threat. |
Source IP | IP address of traffic. This is likely the IP address that is assigned to a location as a result of Network Address Translation (NAT). |
Client Request ID | Universally unique identifier (UUID) of ETP Client that’s installed on the machine. |
Autonomous System | A unique identifier for a network. |
Detection Method | Indicates how the event was detected. This field may show any of these values: |
Machine Name | Identifies the client host or machine. |
Onramp Type | Indicates how a request was directed to ETP Proxy. One of these values may appear: |
Internal Client IP | Internal IP address of the user’s machine. |
User Name | If authentication is enabled in a policy, this dimension shows the username of the user who made the request. |
Threat Name | Name of the threat. If a specific name for a threat does not appear, ETP shows a name that classifies the threat. These classifications include: This dimension appears for threat events only. |
HTTP Request Method | The action that’s performed during the request. This attribute is available only when ETP Proxy is enabled. |
URI | Uniform Resource Identifier. Characters or string that identify a resource. For example, a URL is a URI. This attribute is available only when ETP Proxy is enabled. |
Web Destination Port | Destination port of web traffic. This attribute is available only when ETP Proxy is enabled. |
Layer 7 Protocol | Application layer protocols such as HTTP and HTTPS. This attribute is available only when ETP Proxy is enabled. |
For events in the access control events report, you can choose to show data based on these dimensions.
Dimension | Definition |
---|---|
Category | Categories of AUP violations. Violations are reported at the subcategory level. If a category does not have a subcategory, then the category name is provided. |
Domain | Name or resolvable identifier for an IP address. In an AUP event, the domain is blocked based on the setting assigned to the domain's AUP category in the policy configuration. The user receives an error or warning message when attempting to request this domain. |
Policy | Security policy or set of rules that are associated with a location. |
Location | Indicates where a threat originated from. |
Layer 7 Protocol | Indicates whether the HTTP or HTTPS application layer protocols were used. This attribute is available only when ETP Proxy is enabled. |
Internal Client Name | Internal client name of machine that’s detected by DNS Forwarder. |
Application | Web application that violated the ETP policy for access control. This dimension is available in the report if your organization is participating in the application visibility and control (AVC) beta. For more information, see Application visibility and control categories. |
Operation | Application operation that violates ETP policy for access control. This dimension is available in the report if your organization is participating in the application visibility and control (AVC) beta. For more information, see Application visibility and control categories. |
Risk | Risk level associated with a web application that violated ETP policy for access control. This dimension is available in the report if your organization is participating in the application visibility and control (AVC) beta. For more information, see Application visibility and control categories. |
Reason | Indicates how the event was detected. If the event was detected by AVC, the following reasons may appear depending on the configuration of the policy: If the event was detected with data loss prevention, “Data Leakage Prevention” is shown in the report. |
Dictionaries | Indicates if the event was found as a result of a dictionary configuration. The specific dictionary that found the event is provided. |
Patterns | Shows the patterns in a dictionary that detected the event. |
File Hash | The hash of the file that was scanned by DLP and detected to include sensitive information. |
Matched Groups | Indicates that users in groups appear in multiple groups. |
Groups | If authentication is required, this dimension shows the user group that’s assigned to the user who made the request and violated the AUP. |
User Name | If authentication is enabled in a policy and configured for an acceptable use policy, this is the username of the user who made the request. |
User ID | If authentication is required, this dimension shows the User ID associated with the user who made the request and violated the AUP. |
Internal Client IP | Internal IP address of the user’s machine. |
Onramp Type | Indicates how a request was directed to ETP Proxy. One of these values may appear: |
Client Request ID | Universally unique identifier (UUID) of ETP Client that’s installed on the machine. |
For Security Connector events in the Security Connector report, you can choose to show data based on these dimensions:
Dimension | Definition |
---|---|
Affected Internal IP | The private or internal IP address of a machine in your network that communicates with Security Connector and is known to be compromised. |
Affected Machine | Name of the compromised machine in your network. The machine name appears if your organization has configured DNS Pointer (PTR) records on the DNS name server that communicates with the security connector. Enterprise Threat Protector performs a reverse IP address lookup to show this information. |
Destination Port | TCP or UDP port number of traffic such as port 80 for HTTP traffic and port 443 for HTTPS traffic. |
Hostname | Hostname in the Host header or Server Name Indication (SNI). |
Source Port | The TCP/UDP port of the user’s machine. |
Connector Name | Name of the security connector. |
Connector IP | The IP address of the security connector. |