Proxy activity dimensions

These dimensions are available on the Proxy Activity report. You can organize data based on these dimensions.
Note: You must be an ETP administrator or a user with a specific permission to view the Proxy Activity report. For more information, see Enterprise Threat Protector roles.
Dimension Description
Domain Domain requested by the user.
Location Indicates the ETP location where the transaction originated from.
Action Policy action that was applied.
Internal Client IP Internal IP address of the user’s machine.
User Name Username of the user who made the request.
Destination IP IP address of the destination (origin) website.
Destination Port TCP or UDP port number of traffic such as port 80 for HTTP traffic and port 443 for HTTPS traffic.
Source IP IP address of traffic. This is likely the IP address that is assigned to a location as a result of Network Address Translation (NAT).
Client Port Port of ETP Client.
Geo Geographical location where responses originate from.
Autonomous System A unique identifier for a network.
HTTP Request Method The action that’s performed during a request.
Reason Informs how traffic was identified. Any of the following reasons may appear:
  • Akamai Intelligence. Indicates traffic was identified by Akamai or a threat category.
  • Customer Domain Intelligence. Indicates traffic was found for a domain based on a list configuration.
  • Customer URL Intelligence. Indicates traffic was found for a URL based on a list configuration.
  • Sandbox-Dynamic Analysis. Indicates traffic was found with dynamic malware analysis.
  • AV scan. Indicates traffic was found by scanning a file with inline payload analysis.
  • Data Leakage Prevention. Indicates traffic was found as a result of a data loss prevention (DLP) configuration.
Additionally, if traffic was detected as a result of application visibility and control (AVC), the following reasons may also be listed depending on the policy action assigned to these areas:
  • Application Risk Level. Indicates traffic was detected based on the risk levels associated with the policy.
  • Category. Indicates traffic was detected based on the category or categories associated with the policy.
  • Application category operation. Indicates traffic was detected based on the category operations associated with the policy.
  • Application. Indicates traffic was detected based on applications associated with the policy.
  • Application Operation. Indicates traffic was detected based on application operations associated with the policy.
Onramp Type Indicates how activity was directed to ETP Proxy.
One of these values may appear:
  • dns. Indicates DNS activity was forwarded to ETP Proxy.
  • web. Indicates web (HTTP and HTTPS) request was forwarded to the full web proxy.
  • onramp_dns. Indicates that risky HTTP and HTTPS traffic was forwarded to the selective proxy.
  • etp_client. Indicates the request was directed to ETP Proxy as a result of ETP Client.
  • etp_offnet_client. Indicates the request was directed to ETP Proxy as a result of ETP Client. In this case, ETP Client was off the corporate network.
  • explicit_proxy_tls. Indicates the request was directed to ETP Proxy as a result of an on-premises proxy configuration.
Client Request ID Universally unique identifier (UUID) of ETP Client that’s installed on the device.
Device Name Name of the user’s device where ETP Client is installed.
Device Owner Owner of the device where ETP Client is installed. This is the username or email address of the user who activates ETP Client on their device. This username or email address is associated with the device in ETP reports.
Groups User group that’s assigned to the user who made the request.
Matched Groups Indicates the users in groups appear in multiple groups.
User ID ID of the user who made the request.
Internal Client Name Internal client name of machine that’s detected by DNS Forwarder.
Dictionaries The specific dictionary that’s used to scan uploaded content for data loss prevention (DLP).
Patterns The pattern in a dictionary that’s used to scan uploaded content for DLP.
File Hash The hash of the file that was scanned by DLP and detected to include sensitive information.
File Type MIME file type that is downloaded or uploaded. An administrator may assign the block or monitor action to this file type in a policy.
Application For application visibility and control (AVC), this dimension shows the specific web application that is associated with the activity.
Operation For application visibility and control (AVC), this dimension shows the specific application operation that is associated with the activity.
Risk For application visibility and control (AVC), this dimension shows the risk level that is associated with the activity.
Sub-Location Indicates the sub-location where the event originated from.