Event dimensions

These tables define the event dimensions for events in Enterprise Threat Protector (ETP).

For threat events in the Threat Events report, you can choose to show data based on this criteria.

Criteria for Threat Events
Dimension	Definition
Category	The overall category of the event. For a threat event, categories can be Malware, Phishing, Command and Control (C&C), DNS Exfiltration, Deny List, or Other (if assigned to a custom list).
Reason	Informs how a threat event was identified. Any of the following reasons may appear: Akamai Intelligence. Indicates threat event was identified by Akamai or a threat category. Customer Intelligence. Indicates threat event was found based on an administrator's custom list configuration. Document Static Analysis. Indicates threat event was found based on inline payload analysis of a document. Executable Static Analysis. Indicates threat event was found based on inline payload analysis of a document. AV scan. Indicates threat event was found by an antivirus scan.
Severity	Indicates the severity level. For more information, see Severity levels. This criteria or dimension appears for threat events only.
Location	A location is a public IP address or a named collection of public IP addresses that belong to a region or geographic area in your network, such as a CIDR block for an office branch or company headquarters. The location indicates where the event originated from.
Policy	Security policy or set of rules that are associated with a location.
Domain	Name or resolvable identifier for an IP address. This is the domain that is requested by the user. In a threat event, the domain is known or suspected to be malicious.
Resolved IP	IP address that is resolved from a domain name.
Detected Time	The time when the event was detected in your local time.
List	List that identified the threat as an event. This list can be a custom list or a threat category.
Action	Action taken on known or suspected threats based on a policy configuration.
Confidence	Indicates whether an event is a known or suspected threat.
Source IP	IP address of traffic. This is likely the IP address that is assigned to a location as a result of Network Address Translation (NAT).
Client Request ID	Universally unique identifier (UUID) of ETP Client that’s installed on the machine.
Autonomous System	A unique identifier for a network.
Detection Method	Indicates how the event was detected. This field may show any of these values: Inline. Indicates the event was detected at the time of access. Lookback. Indicates the event was discovered in log data based on behavior. Offline Static. Indicates the event was discovered offline or after content was downloaded as a result of static malware analysis. Offline Dynamic. Indicates the event was discovered in a sandbox environment as a result of dynamic malware analysis.
Machine Name	Identifies the client host or machine.
Onramp Type	Indicates how a request was directed to ETP Proxy. One of these values may appear: dns. Indicates DNS event was forwarded to ETP Proxy. web. Indicates web (HTTP and HTTPS) request was forwarded to the full web proxy. onramp_dns. Indicates that risky HTTP and HTTPS traffic was forwarded to the selective proxy. etp_client. Indicates the request was directed to ETP Proxy as a result of ETP Client. etp_offnet_client. Indicates the request was directed to ETP Proxy as a result ETP Client. In this case, ETP Client was off the corporate network. explicit_proxy_tls. Indicates the request was directed to ETP Proxy as a result of an on-premises proxy configuration.
Internal Client IP	Internal IP address of the user’s machine.
User Name	If authentication is enabled in a policy, this dimension shows the username of the user who made the request.
Threat Name	Name of the threat. If a specific name for a threat does not appear, ETP shows a name that classifies the threat. These classifications include: Customer Lists. Domains or IP addresses in a custom list. The domains or IP addresses in these lists are defined by your organization. Known Phishing. Domains or URLs that are used in a social engineering attack to fraudulently obtain personal or classified information. A phishing scam deceives victims to performing an activity that compromises their machine or reveals sensitive information. Known Malware. Domains or URLs that direct victims to malicious websites or are used by applications to harm a network. Malware steals confidential data, compromises data integrity, and disrupts data availability. Known CNC. Domains or URLs that are used for command and control communication. A command and control threat is used to steal data, distribute malware, and disrupt services. File Sharing. Domains or URLs of file sharing services. Aged Out. Indicates the domain was tracked as a threat for some time and it may still be a threat. If the proxy is enabled, the proxy determines whether the domain is still a threat. Generic Risky. Indicates there’s risk that the domain may be malicious. If the proxy is enabled, the proxy determines whether it is malicious. Unclassified. Indicates a threat is not yet classified by ETP. This criteria or dimension appears for threat events only.
HTTP Request Method	The action that’s performed during the request. This attribute is available only when ETP Proxy is enabled.
URI	Uniform Resource Identifier. Characters or string that identify a resource. For example, a URL is a URI. This attribute is available only when ETP Proxy is enabled.
Web Destination Port	Destination port of web traffic. This attribute is available only when ETP Proxy is enabled.
Layer 7 Protocol	Application layer protocols such as HTTP and HTTPS. This attribute is available only when ETP Proxy is enabled.

For events in the access control events report, you can choose to show data based on these dimensions.

Criteria for Access Control Events
Dimension	Definition
Category	Categories of AUP violations. Violations are reported at the subcategory level. If a category does not have a subcategory, than the category name is provided.
Domain	Name or resolvable identifier for an IP address. In an AUP event, the domain is blocked based on the setting assigned to the domain's AUP category in the policy configuration. The user receives an error or warning message when attempting to request this domain.
Policy	Security policy or set of rules that are associated with a location.
Location	Indicates where a threat originated from.
Layer 7 Protocol	Indicates whether the HTTP or HTTPS application layer protocols were used. This attribute is available only when ETP Proxy is enabled.
Internal Client Name	Internal client name of machine that’s detected by DNS Forwarder.
Application	Web application that violated the ETP policy for access control. For more information, see Application visibility and control categories.
Operation	Application operation that violates ETP policy for access control. For more information, see Application visibility and control categories.
Risk	Risk level associated with a web application that violated ETP policy for access control. For more information, see Application visibility and control categories.
Reason	Indicates how the event was detected. If the event was detected by AVC, the following reasons may appear depending on the configuration of the policy: Application Risk Level Category Application Category Operation Application Application Operation If the event was detected with data loss prevention, “Data Leakage Prevention” is shown in the report.
Dictionaries	Indicates if the event was found as a result of a dictionary configuration. The specific dictionary that found the event is provided.
Patterns	Shows the patterns in a dictionary that detected the event.
File Hash	The hash of the file that was scanned by DLP and detected to include sensitive information.
Matched Groups	Indicates that users in groups appear in multiple groups.
Groups	If authentication is required, this dimension shows the user group that’s assigned to the user who made the request and violated the AUP.
User Name	If authentication is enabled in a policy and configured for an acceptable use policy, this is the username of the user who made the request.
User ID	If authentication is required, this dimension shows the User ID associated with the user who made the request and violated the AUP.
Internal Client IP	Internal IP address of the user’s machine.
Onramp Type	Indicates how a request was directed to ETP Proxy. One of these values may appear: dns. Indicates DNS event was forwarded to ETP Proxy. web. Indicates web (HTTP and HTTPS) request was forwarded to the full web proxy. onramp_dns. Indicates that risky HTTP and HTTPS traffic was forwarded to the selective proxy. etp_client. Indicates the request was directed to ETP Proxy as a result of ETP Client. etp_offnet_client. Indicates the request was directed to ETP Proxy as a result of ETP Client. In this case, ETP Client was off the corporate network. explicit_proxy_tls. Indicates the request was directed to ETP Proxy as a result of an on-premises proxy configuration.
Client Request ID	Universally unique identifier (UUID) of ETP Client that’s installed on the machine.

For Security Connector events in the Security Connector report, you can choose to show data based on these dimensions:

Criteria for Security Connector Events
Dimension	Definition
Affected Internal IP	The private or internal IP address of a machine in your network that communicates with Security Connector and is known to be compromised.
Affected Machine	Name of the compromised machine in your network. The machine name appears if your organization has configured DNS Pointer (PTR) records on the DNS name server that communicates with the security connector. Enterprise Threat Protector performs a reverse IP address lookup to show this information.
Destination Port	TCP or UDP port number of traffic such as port 80 for HTTP traffic and port 443 for HTTPS traffic.
Hostname	Hostname in the host header or Server Name Identification (SNI).
Source Port	The TCP/UDP port of the user’s machine
Connector Name	Name of the security connector
Connector IP	The IP address of the security connector

Event dimensions

Search Results