Data in alert notifications and scheduled reports

The following table describes the data that is included in an alert notification email or scheduled report.
Note: If you select Text format for the report, columns and values in the report are shown in a pipe-delimited format.
Data Description
Details Includes the following information about the event or alert:
  • The requested domain. Domains appear as links to the Indicator Search page where additional information about the event is provided.
  • Whether the event was detected while the end user was on or off the corporate network.
  • The action taken to mitigate the threat as a result of the associated policy configuration.
  • The confidence level that Enterprise Threat Protector (ETP) has in classifying the domain as a threat. The report indicates whether the domain is a confirmed or suspected threat.
Note: If the report is in text format, domain, detection, action taken, and confidence data appear as separate pipe-delimited values.
Location The location of the user who made the request. The provided location is also a link to the Locations page in ETP.
Policy The policy that is associated with the location. The provided policy name is also a link to the Policies page in ETP.
List The list where this domain is a confirmed or suspected threat. The provided list name is also a link to the Custom Lists page.
Affected Internal IP The private or internal IP address of a machine in your network that communicates with the security connector and is known to be compromised. This value appears in a scheduled report when an Affected Internal IP is detected in a DNS security connector event. This data does not appear in alert notifications.
Count or DNS Count The total number of alerts or events that are associated with the domain. The count for a domain is also a link to the Threat Events report.
URI(s) Uniform Resource Identifier. A string of characters that identifies a resource, for example, a URL. As a result of grouping data by domain and locations, more than one URI may be listed in alert notifications and scheduled report results.
Reason(s) Indicates how a threat event was identified. Any of these reasons may appear:
  • Akamai Intelligence: Indicates threat event was identified by Akamai or a threat category.
  • Customer Intelligence: Indicates threat event was found based on an administrator's custom list configuration.
  • Document Static Analysis: Indicates threat event was found based on inline payload analysis of a document.
  • Executable Static Analysis: Indicates threat event was found based on inline payload analysis of a document.
  • AV scan: Indicates threat event was found by an antivirus scan.

As a result of grouping data by domain and locations, more than one reason may be provided in alert notifications and scheduled report results.

HTTP Count The total number of alerts or events that are associated with HTTP traffic.
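
The following is an added example, not part of the original page or of the product: it parses a text-format (pipe-delimited) scheduled report and groups rows by Affected Internal IP so that hosts flagged as compromised can be triaged first. The header row, the column order, the ";" separator inside URI(s) and Reason(s) cells, and all sample values are assumptions; compare them with a real export before relying on the parser.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a text-format scheduled report. Header names follow the
# table above; column order, the ";" inside multi-value cells and all values
# are assumptions for this example.
SAMPLE_REPORT = """\
Domain|Detection|Action|Confidence|Location|Policy|List|Affected Internal IP|DNS Count|URI(s)|Reason(s)|HTTP Count
bad.example|On network|Blocked|Confirmed|HQ|Default|Malware|10.0.4.17|12|http://bad.example/a;http://bad.example/b|Akamai Intelligence|3
odd.example|Off network|Monitored|Suspected|Remote|Roaming|Custom||2||Customer Intelligence;AV scan|0
bad.example|On network|Blocked|Confirmed|Branch|Default|Malware|10.0.9.3|4|http://bad.example/a|Akamai Intelligence|1
"""

MULTI_VALUE = ("URI(s)", "Reason(s)")  # grouping can put several values in one cell
COUNTS = ("DNS Count", "HTTP Count")


def parse_report(text):
    """Return one dict per report row, keyed by the header names."""
    reader = csv.DictReader(io.StringIO(text), delimiter="|", quoting=csv.QUOTE_NONE)
    rows = []
    for row in reader:
        # A stray "|" inside a value shifts columns; refuse to guess.
        if None in row or None in row.values():
            raise ValueError(f"line {reader.line_num}: field count differs from header")
        for col in MULTI_VALUE:
            row[col] = [v for v in row[col].split(";") if v]
        for col in COUNTS:
            row[col] = int(row[col] or 0)
        rows.append(row)
    return rows


def affected_hosts(rows):
    """Group rows that carry an Affected Internal IP by that address."""
    hosts = defaultdict(lambda: {"domains": set(), "reasons": set(), "dns": 0, "http": 0})
    for row in rows:
        ip = row["Affected Internal IP"]
        if not ip:
            continue  # the field is only filled for DNS security connector events
        hosts[ip]["domains"].add(row["Domain"])
        hosts[ip]["reasons"].update(row["Reason(s)"])
        hosts[ip]["dns"] += row["DNS Count"]
        hosts[ip]["http"] += row["HTTP Count"]
    return dict(hosts)


if __name__ == "__main__":
    for ip, info in sorted(affected_hosts(parse_report(SAMPLE_REPORT)).items()):
        print(ip, sorted(info["domains"]), sorted(info["reasons"]), info["dns"], info["http"])
```

Rows whose field count does not match the header raise an error instead of being silently misaligned, which is what happens if a URI itself contains a pipe character.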