Activity Reports

The Activity reports provide the deepest level of insight into activity by product and also allows you to save and download report data.

Running Activity Reports

Open your USS Dashboard and select Analytics. Select or search for the report name in the Reports & Charts tab.

Only reports and charts for licensed products will be shown

The Activity report type is identified with the icon. This means these reports return detailed results and support filtering.

After selecting a report, the report will open in a new tab in the right-hand panel.

All Activity reports have the following options:

Filters

Close or open the filters that are available for this specific report.

The Filters dialog will be displayed by default when selecting a new report.
Run Report

Run the report with the current timespan and filter selection.

Download

Download the report.

Save

Save the report for use as a favourite or in report schedules.

Manage Products

Switch to product management for the product this report belongs to.

Running Reports and Limitations

All dashboard based reports are limited to a maximum 2 minute run time. In most cases, this should be sufficient to return more than 1,000,000 results which is the maximum size of a file that can be opened in Excel.

If you are getting a timeout message when running a report interactively then this is most likely because it is returning a significant amount of data. Consider whether this amount of data is actually required and try either reducing the time span of the report or add more filters to narrow down on the data you are looking for.

If your report uses a relative time span e.g. Last Month but when you run it, it exceeds the 2 minute timeout, you can Save the report and then attach it to a schedule. A scheduled report will run in the background for up to 2 hours.

If your use case requires a large export of the data with a specific time frame please contact your Service Provider for assistance.

Web Activity by Hits

The Web Activity by Hits report is available as part of the Web Security product and is concerned with hits to websites, domains and IPs collected by agents or gateways deployed on your network.

The Web Activity reports support filters that allow you to query the data with custom search criteria. To set a filter, click the Filters button before running the report.

The Web Activity reports normally generate a lot of data. It is best practice to be as specific as possible with the search criteria.
Domain

Part of the domain that you are searching for e.g. gaming.com, www.bbc.co.uk, .net, etc - path or query string are not supported

Username

Part of the username (Active Directory) that made the web requests. This may only be available if agents are deployed with user identification or authentication.

You can specify multiple values in the Username field. Separate each user name with a semicolon, e.g. admin; sysadmin.
MAC address

The physical or machine address of the device that made the web requests, e.g. AE:B1:7F:12:A0:B7 (not available when using the Chromebook agent).

IP address

The IP address of the device that made the web requests e.g. 10.0.0.5, 172.16.1.1 (not available when using the Chromebook agent)

Hostname

Part of the hostname of the device that made the web requests. (not available when using the Chromebook agent)

Final Action

Select the final action applied by a rule to the web request, e.g. Allow, Block, Redirect.

Limit By Web Category

Check this box to open the category picker. This allows you to select multiple Web Categories that the web request must have matched.

AD Group

Check this box to open the AD Group picker. This allows you to select a group that the user who made the request must be a direct member of in Active Directory. After the picker opens, select the AD Domain and then select the desired group. Only one group can be selected.

The AD Group filter will only match users who are direct members of the selected group
Limit By URL Category

Check this box to open the category picker. This allows you to select multiple custom URL Categories that the web request must have matched.

Filter Rule

The name of the Filter Rule that the web requests must have matched. This can also be used to detect sites blocked because they are "Unclassified" if this option is enabled.

Limit By Keyword Category

Check this box to open the category picker. This allows you to select multiple custom Keyword Lists that the web request must have matched.

Keyword

Enter in a Keyword List pattern that the web request must have matched, if you want to search on a specific keyword.

Tag

Select the tag that must have been applied to the web request.

Device Type

The type of device that made the web request. This technique uses the User Agent of the request to determine the type of device used e.g. Tablet, PC, Laptop, Smartphone

Log Level

The logging level set by the rule Log Level action

Exclude AJAX (XHR) requests

Remove any web requests that were generated by scripts. This is a best effort attempt and looks for the presences of the XMLHttpRequest header.

Click the icon to generate the report results. It may take several seconds to generate the report depending on the size of the result set.

Very large reports may return too many results. Try to narrow the search criteria further using time or additional filters.

The report results will appear in the Results panel and will be ordered by timestamp.

The results are grouped by Visit. Click the + icon to expand the visit to see the individual hits belonging to the visit, including the full URL of each hit. Use the Details pane to view all of the collected meta data for a specific hit.

The default columns are displayed but additional columns can be included in the report. Hover over a column header, and expand the menu to view the available columns. You can add additional columns to the report which will be saved so that the same view appears each time the report is run.

The following columns are available (columns with a * are only available for the expanded hit view by clicking the + next to a result):

Column Name

Description

Username

The Active Directory username captured by the agent

OS

Operating system used to generate the hit*

Device (Host)

The hostname of the device that generated the hit (the hostname should be registered in the Devices section)

Device (MAC)

The MAC address of the device that generated the hit

Device (IP)

The internal IP address of the device that generated the hit

Start (UTC)

The UTC timestamps of the first hit in the visit, or the UTC time of the hit

Start (Local)

The local time of the first hit in the visit, or the local time of the hit. This is calculated by the Time Zone detected by the agent.

AD Domain

The Active Directory NetBIOS domain that the username is a direct member of

A

The number of Allowed hits in the visit or whether the hit matched the Allow final action

B

The number of Blocked hits in the visit or whether the hit matched the Block final action

R

The number of Redirect hits in the visit or whether the hit matched the Redirect final action

W

The number of Warn hits in the visit or whether the hit matched the Warn final action

Web Categories

The Web Categories that the URL matched

URL Categories

The custom URL Categories that the URL matched

Keyword Categories

The Keyword Lists that the URL matched*

Keyword Pattern

The patterns from the Keyword Lists that the URL matched

Filter Rule

The name of the standard Filter Rule that triggered on the request, if any*

Feature Control Name

The name of the Feature Control that triggered on the request, if any*

Agent

The version of the agent in use e.g. Gateway, Windows, Mac OS X

Tag

The tag that the agent was using when the hit was captured*

Country

The country code that is determined by the IP address of the destination web server*

It is possible to sort the results on a particular column by clicking the column header to toggle between ascending and descending sort.

Not all columns are sortable. If a column is not sortable, the menu will be disabled.

Cloud Activity (Inline)

The App Activity (Inline) report is available as part of the Cloud Application Security product and is concerned with providing a detailed analysis of user activity within Cloud Applications (app's). The App Activity (Inline) report is able to identify Shadow IT, by displaying the Cloud Applications in use in real time, the actions carried out within those applications (uploading, sharing, posting, etc) and even meta-data around the action carried out (file name, message, username, etc). This level of detail, combined with attributes from the App Catalog such as risk, provide a powerful insight into end-user behaviour and their use of Cloud Applications. Information from this report can be used to identify threats and sanction applications.

The App Activity (Inline) report allows searching based on the following criteria:

Username

Part of the username (Active Directory) that used the App.

This may only be available if agents are deployed with user identification or authentication.
MAC address

The physical or machine address of the device that made the requests, e.g. AE:B1:7F:12:A0:B7

IP address

The IP address of the device that made the requests e.g. 10.0.0.5, 172.16.1.1

Hostname

Part of the hostname of the device that used the App.

Service IP

The IP address of the destination cloud service

Limit by Keyword Category

Check this box to open the category picker. This allows you to select multiple Keyword Lists that the request must have matched.

Limit by Specific Match

Check this box to open the Cloud Application selector and select a Class, Name or Action to search for.

Filter Rule

The name of the Filter Rule that the web requests must have matched. This can also be used to detect sites blocked because they are "Unclassified" if this option is enabled.

Final Action

Select the final action applied by a rule to the request, e.g. Allow, Block, Redirect.

Device Type

The type of device that made the request. This technique uses the User Agent of the request to determine the type of device used e.g. Tablet, PC, Laptop, Smartphone

Keyword(s)

One or more keywords (separated by semicolons) that appear in the captured Action Value meta-data. Useful for searching for filenames or Social Media activity.

Log Level

The logging level set by the rule Log Level action

Tag

Select the tag that must have been applied to the request.

Risk Level

The baseline or custom risk level that the App Action must have (coming soon)

Click the icon to generate the report results. It may take several seconds to generate the report depending on the size of the result set.

The report results will appear in the Results panel and will be ordered by timestamp.

The results are grouped by App Action. Click the + icon to expand the activity to see the meta data captured for the action.

The default columns are displayed but additional columns can be included in the report. Hover over a column header, and expand the menu to view the available columns. You can add additional columns to the report which will be saved so that the same view appears each time the report is run.

The following columns are available:

Column Name

Description

Timestamp (UTC)

The UTC timestamps of the first hit in the visit, or the UTC time of the hit

Timestamp (Local)

The local time of the first hit in the visit, or the local time of the hit. This is calculated by the Time Zone detected by the agent.

Username

The Active Directory username captured by the agent

Device (Host)

The hostname of the device that generated the hit (the hostname should be registered in the Devices section)

Device (MAC)

The MAC address of the device that generated the hit

Device (IP)

The internal IP address of the device that generated the hit

OS

Operating system used to generate the hit

Device Type

The type of device that made the request, identified via User Agent header

AD Domain

The Active Directory NetBIOS domain that the username is a member of

App Class

The classification of the Cloud Application e.g. CRM, Storage, Social Networking from the App Catalog

App Name

The name of the Cloud Application from the App Catalog

App Action

The name of the action from the App Catalog that was carried out within the Cloud Application e.g. Uploaded a File, Attempted to Login

Keyword Categories

The Keyword Lists that the URL matched

Keywords

The patterns from the Keyword Lists that the URL matched

Tag

The tag that the agent was using when the hit was captured 

Action Value

The captured meta-data from the App Action

Baseline Risk

The risk level for the App Action set in the App Catalog

Custom Risk

The risk level set by the administrator by overriding the baseline value in the App Catalog

Final Action

The final action applied by a rule to the request, e.g. Allow, Block, Redirect

Browser

The name of the Web browser in use e.g. Chrome, IE

ICAP Agent

The version of the USS agent in use when the request was captured

Country

The GeoIP country determined from the destination IP address of the web request

Filter Rule

The name of the Filter Rule that matched when the request was captured

It is possible to sort the results on a particular column by clicking the column header to toggle between ascending and descending sort.

Not all columns are sortable. If a column is not sortable, the menu will be disabled.

Cloud Activity (API)

The App Activity (API) report is available as part of the Cloud Application Security product and is concerned with providing a detailed analysis of user activity within sanctioned Cloud Storage applications.

The App Activity (API) report allows searching based on the following criteria:

Action Value

A pattern that was captured as part of the file event, such as the filename or folder name

Event Type

The storage event action that took place e.g. Added, Deleted

User (E-mail)

The email address for the user that carried out the file event

User (Name)

The real name for the user that carried out the file event

Type

Whether the file event relates to a file or folder

Cloud Service

A specific sanctioned app e.g. Onedrive for Business

Path

The path that was involved in the file event

Parent name

The folder name that the file belongs to

MIME Type

The MIME type of the file event

Click the icon to generate the report results. It may take several seconds to generate the report depending on the size of the result set.

The report results will appear in the Results panel and will be ordered by timestamp.

Email Activity

A valid Email Security license is required to use this report. Please contact your Service Provider for further information.

The Email Activity report is available as part of the Email Security product and is concerned with auditing inbound and outbound e-mail processed by the Email Security product. It is the ideal report to track and trace e-mail delivery and to understand what e-mail rules have been applied to the message during processing.

The Email Activity report allows searching based on the following criteria:

Sender IP

The IP address of the sender.

Direction

The direction of the email e.g. inbound, outbound or both.

GUID

A globally unique ID to identify the message (generated by the Email Security system).

Message Rule

A Message Rule that must have matched during processing of the email.

Rule Action

A rule action that must have triggered during processing of the email.

Delivery State

The final delivery state of the message, which may include whether the message was Delayed, Dropped, Delivered, Blocked or experienced a Delivery Error.

Sender

Part of the sender email address.

Recipient

Part of the recipient email address.

Exclude CC/BCC

By default, when searching for a Sender or Recipient, the CC and BCC headers will also be searched. This adds extra overhead to the query and can be disabled, in which case only the TO header will be searched.

Subject

Part of the message subject you are searching for.

Verdict

The status of the message after processing e.g. Delivered, Rejected, Quarantined, Spam, Virus.

Rejected: Email was rejected by a connection rule before being processed. This is usually caused by sender being in the deny list, email being sent to a non-existent mailbox or the exceeding maximum file size

Delayed: Delivery of the email was delayed and most likely timed out. Leading cause being a service outage on the remote host, missing MX record, or DNS issue. More info will be available in the "Server Log" in Details View

Dropped: A remote sending server closed the The TCP session during the payload of the email, this is before a confirmation of the full payload has been received by our services. In these situations the remote server will try again based on their retry settings.

Delivery Error: Refers to the "Delivered" Column. This filter will show emails where the final action was "Deliver", however, the email delivery experienced an error resulting in a fail. Please consult the "Server Log" in the Details View to find find a detailed report of the failure

Blocked: The email was blocked from being delivered by the remote host, most likely caused by tls connection breakdown or firewall. This is a rare and very broad error, more info will be available in the "Server Log" in Details View.

Delivered: Final Action of the email is to "Deliver" and the email received a delivery confirmation from the recipient.

Advanced DLP add-on

If you have licensed the Advanced DLP for Email Security add-on, an additional set of report filters will be available:

A Message Rule that must have matched during processing of the email.

Policy Name

The DLP Policy name, can be a partial string search e.g. "pci".

Grammar Name

A shortened version of the grammar name, can be a partial string search e.g. "account". For a list of grammar names see Grammar Entity Short Names article.

Severity Level

The Severity Level that must have been triggered by the DLP Policy on the email message.

Pattern

A pattern or term that has been found by the DLP Scanner i.e. a passport number, credit card, persons name. This can be a partial string search.

Min. Score

The minimum score that the DLP Policy resulted in (0-100)

Min. Matches

The number of matches found in the content that triggered the DLP Policy.

Filename

The filename of an attachment that triggered the DLP Policy. Can be a partial string.

Mime Type

The MIME Type of the attachment that triggered the DLP Policy. Can be a partial string.

Running the Report

Click the Run Report button to generate the report results. It may take several seconds to generate the report depending on the size of the result set.

The report results will appear in the Results panel and will be ordered by Timestamp (Local) by default.

The default columns are displayed but additional columns can be included in the report. Hover over a column header, and expand the menu to view the available columns. You can add additional columns to the report which will be saved so that the same view appears each time the report is run.

To make more room to view the results, you can collapse the Criteria panel using the collapse < icon

The following columns are available:

Column Name

Description

Direction

The direction of the email message, e.g. inbound or outbound

Timestamp (UTC)

The UTC timestamp that the Email Security service MTA processed the email, taking into account the product region in use e.g. EU, US.

Timestamp (Local)

The local time of the user running the report. This is calculated using the browser offset and converting Timestamp (UTC)

SMTP Timestamp

The timestamp recorded from the SMTP conversation "EOD" status. Only if Delivery State is "Delivered".

Sender

The senders email address

Sender IP

The IP address of the sender

Subject

The subject of the message

Recipient(s)

The recipients of the message. The message may be addressed to multiple recipients on the TO header. These will appear as the first recipient plus a counter e.g. recipient1@domain.com +2 indicating the first recipient and two additional recipients. To view CC and BCC header recipients, double click the message or click the details icon.

Size

The size in KB/MB of the message, including attachments

Verdict

The status of the message after processing e.g. Delivered, Rejected, Quarantined, Spam, Virus

Delivery State

The final delivery state of the message, which may include whether the message was Delayed, Dropped or Delivered

Final Rule

The rule name that triggered the Final Action during processing.

Final Action

The Final Action applied to the rule before processing was stopped

Delivered

Whether or not the customer email server/service accepted the email for delivery. For full delivery logs, double click the message or click the details icon and then open the Server Log tab.

Score

If Advanced DLP add-on is active, the score determined by the DLP Scanner for the given message.

Verdict Details

Additional meta data that was set during rule processing.

It is possible to sort the results on a particular column by clicking the column header to toggle between ascending and descending sort.

Not all columns are sortable. If a column is not sortable, the menu will be disabled.

The Email Activity report also captures additional data for every message which is available in the Details View. Double click the message line or click the magnifying glass icon to view the detail on a particular message, which is split up into several tabs.

The General tab shows a summary of the message, with additional CC and BCC recipients

The Actions tab shows the rules that the message triggered as it was processed. This may help to identify why a message ended up with a final status of Deliver, Reject or Quarantine.

The Attachments tab lists the names of any attachments in the message.

The URLs tab lists the full URLs that were captured from the message.

The Headers tab lists the full message headers which can be copied to the clipboard or exported.

The Server Log tab shows the real SMTP conversation between the Email Security service and the SMTP server that has been configured to receive processed e-mail:

The SMTP Log is only available if the message status was Deliver

Authentication Activity

A valid MFA powered by IntelliTrust license is required to use this report. Please contact your Service Provider for further information.

The Authentication Activity report is available as part of the MFA powered by IntelliTrust product and is concerned with providing protection for user account compromise through the use of multi-factor authentication.

The Authentication Activity report allows searching based on the following criteria:

Username (UPN)

Part of the users Active Directory username in UPN format e.g. user@domain.local.

End User IP

The end user device IP that made the authentication request. This may be an RFC1918 address.

Auth Client

The type of Authentication Protection Client in use for the authentication attempt, e.g. RADIUS, AD FS.

Login Type

Whether or not the login was successful or failed.

Token

Part of the token number that was entered by the end user.

Click the Run Report button to generate the report results. It may take several seconds to generate the report depending on the size of the result set.

The report results will appear in the Results panel and will be ordered by timestamp.

The default columns are displayed but additional columns can be included in the report. Hover over a column header, and expand the menu to view the available columns. You can add additional columns to the report which will be saved so that the same view appears each time the report is run.

To make more room to view the results, you can collapse the Criteria panel using collapse < icon.

The following columns are available:

Column Name

Description

Timestamp (UTC)

The UTC timestamps of the authentication attempt

Timestamp (Local)

The local time of the user running the report. This is calculated using the browser offset and converting Timestamp (UTC)

Login Type

The result of the authentication attempt; success or failure

Note

Additional information about the Login Type

Username (UPN)

The username from Active Directory in UPN format (User Principal Name) e.g. user@domain.com

Token

The token number that was entered by the end user, if available

Auth Client

The name of the Authentication Client that was used to process the authentication attempt e.g. RADIUS, AD FS

End User IP

The IP of the user making the authentication request (internal or external)

Country

If the End User IP is external, the country associated with the external IP

City

If the End User IP is external, the city associated with the external IP

ISP

If the End User IP is external, the organization that owns the public IP address

SessionID

Used for troubleshooting only e.g. to compare with the Event Viewer on the server running an Authentication Client

Latitude

If the End User IP is external, the latitude of the external IP

Longitude

If the End User IP is external, the longitude of the external IP

Subject

Used for troubleshooting only. An internal ID.

It is possible to sort the results on a particular column by clicking the column header to toggle between ascending and descending sort.

Not all columns are sortable. If a column is not sortable, the menu will be disabled.

Saving and running Saved reports

Once a report has been generated by completing the search criteria, it can be saved so that it can be easily run again in the future or attached to a Schedule.

It is best practice to run the report and ensure you have the expected results before saving it

To save a report, expand the hamburger menu button which can be found to the right of the Run Report button and click Save:

When prompted, enter a name for the report. If you would like the report to be available in the Favourites panel within the Analytics section, tick the Make Favourite checkbox. Click Save again.

The report is now saved. The report is now available from the Saved reports list or within the Schedules section.

Select a saved report. The saved criteria will be loaded into the form ready to be run. To run the report, click the Run Report button.

Deleting reports

To delete a saved report, navigate to the Saved tab within the Analytics section. Locate the report you wish to delete and click the trash icon.

Download Reports

To download a report, first Run the report and generate results. From the hamburger menu, select the Download option.

Activity reports can be exported as Excel or CSV (Comma Separated Values).

PDF reports are available for chart based reports.

Select the report format and enter a recipient of the report. An email will be sent to the recipient once the report has been generated.

If the recipient has never received a report before, they will be required to verify their email address. If they do not complete the verification, they will not receive the report.
Large reports can take several minutes to generate. A further notice will be provided once the report is ready.

You can view the progress or the result of the download in the Active Downloads section. Once the report is ready, a red flag will indicate it can be downloaded.

The Downloads list will show the status of all current and previous download attempts. If the browser cache is cleared or a different browser is used, the list will no longer be available.


How did we do?