When accessing event information in Enterprise Threat Protector, you can view and analyze detailed event data. ETP reports on these types of events:
- Threat Events: Events that are reported when a user attempts to access domains and IP addresses that are known or suspected threats to a network. If the ETP Proxy is enabled, you can also report on HTTP(s) threat events.
- Access Control Events: Events that are reported when a user violates access control settings in a policy. This includes settings for an acceptable use policy (AUP), application visibility and control (AVC), data loss prevention, and access by file type. For more information on AVC, see Application visibility and control, Data loss prevention, and Access by file type.
- Any applied date or data filter defines the data that is shown.
- In addition to selecting the date or time range that you want to report on, you can also filter the data that appears with the Time graph. The Time graph is a line graph that shows when events occurred during the selected date or date range. To focus on a specific time, you can narrow the selected area of the graph. When this is done, the corresponding events appear on the page.
- You can easily view and filter data based on dimensions or criteria. Creating a filter allows you to specify the criteria, and ultimately, the data that you want to report on. The event reports include an interactive user interface where you can select the dimension or criteria to view corresponding event information.
- Event data is organized by the selected dimension. For example, if you select Resolved IP as a dimension, event data is shown based on the resolved IP address. This includes the Top 6 area of the page and the grouped list of events.
- In addition to grouping events by the selected dimensions, the events data area of the page also includes a group for all events based on the applied filters. No matter what dimension is selected, this group shows all event data and provides a convenient way for report viewers to see the latest events.
- If you are a delegated administrator or tenant administrator, the data that appears in an threat or AUP event report is based on the locations you created or are allowed to manage. Data that applies to locations that you are not allowed to access is not shown in the report results.
- If you are a tenant administrator, you cannot view HTTP(S) threat events.
A threat or access control event report shows the Top 6 dimension items that produced the most events. For example, if you choose the Resolved IP dimension, the Top 6 Resolved IP addresses are listed and the total number of events produced by these top 6 resolved IP addresses is also listed. A bar graph is shown to visualize this data. In the list of the Top 6, a report viewer can also select the data they want to show or hide in the graph. For example, you can click one of the top resolved IP addresses to hide it from the graph, and you can click it again to have that data reappear in the graph.
The selected dimension also determines how events are organized. For example, selecting the resolved IP address means that events are grouped by the resolved IP address. You can view the events that are associated with the selected dimension. Event tables are customizable and you can select the data that is represented in table columns.
You can also perform a variety of actions for threat and access control events. You can:
- View event details. If you select the information icon beside an event, event details appear in a separate window.
- View domain details. You can click a domain and select to view more details. For a domain or hostname dimension value, you can also click the information icon beside the domain or hostname to view more details. You are directed to the Indicator Search page or to a separate window with the domain details.
- View threat details. If you filter or group threat event data by the Threat Name dimension, you can click the threat name and select to view more details. Information about the threat appears in a separate window, including a graph with events that occurred in the date range you specified.
- Add data to the filter. You can decide to exclude or include data in the filter.
- Report a domain that you believe is misclassified.
- If a Security Connector is configured for your organization, you can select to view Security Connector events that correlate to threat events. For more information on Security Connector events, see Security Connector events.
Each event table shows the latest 500 events. However, you can download a CSV file to see up to 5,000 of the most recent events based on the dimension and filters you selected.