Activity Reports

Updated 3 months ago by admin

The Activity reports provide the deepest level of insight into activity by product and also allow you to save and download report data.

Running Activity Reports

Open your USS Dashboard and select Analytics. Select or search for the report name in the Reports & Charts tab.

Only reports and charts for licensed products will be shown

The Activity report type is identified with the icon. This means these reports return detailed results and support filtering.

After selecting a report, the report will open in a new tab in the right-hand panel.

All Activity reports have the following options:

Filters

Close or open the filters that are available for this specific report.

The Filters dialog will be displayed by default when selecting a new report.

Run Report

Run the report with the current timespan and filter selection.

Download

Download the report.

Save

Save the report for use as a favourite or in report schedules.

Manage Products

Switch to product management for the product this report belongs to.

Web Activity

The Web Activity by Visits report and the Web Activity by Hits report are available as part of the Web Security product and are concerned with hits to websites, domains and IPs collected by agents or gateways deployed on your network. Web browsing generates a vast amount of data, and as such the hits are grouped into what are known as visits, to make the report more consumable.

Terminology
  • A hit is a request for a web page (URL) by a web browser
  • A visit, unlike a hit, has a start and end time. A visit is essentially a group of hits. When a new hit is received, the system will try to place the hit into an existing visit: if the time of the hit falls between the start and end of a visit to the same domain by the same user or device, the hit becomes part of that visit. Visits have a threshold, meaning that if a user continually hits a website without leaving a gap of more than a minute between hits, all the hits (even if they span hours or days) will be grouped into the same visit. For a visit to count as a distinct "Visit to a particular domain by a particular user", there has to be a time gap of a minute between two hits. USS does this because hits on their own are not very meaningful in terms of browsing habits, and it also helps to reduce the amount of data stored.
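The grouping rule above is simple enough to reproduce, which is useful when you want to sanity-check a report or apply the same sessionisation to agent logs outside the dashboard. The following is an added example, not code from USS or this page: it takes constructed hits (timestamp, AD username, device, domain, URL, final action), groups them into visits using the one-minute gap the page describes, and derives the Duration and A/B/R/W columns of the Web Activity by Visits report. The field layout of the sample hits and the column names in the output are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Consecutive hits to the same domain by the same user and device that are more
# than this far apart start a new visit (the page states a one-minute threshold).
VISIT_GAP = timedelta(minutes=1)

# Mapping from a hit's final action to the report's A/B/R/W count columns.
ACTION_COLUMN = {"Allow": "A", "Block": "B", "Redirect": "R", "Warn": "W"}

# Constructed sample hits (not real USS data): UTC timestamp, AD username,
# device hostname, domain, full URL, final action. Deliberately out of order.
SAMPLE_HITS = [
    ("2024-01-15T09:00:50", "alice", "PC-01", "www.example.com", "https://www.example.com/ads.js", "Block"),
    ("2024-01-15T09:00:00", "alice", "PC-01", "www.example.com", "https://www.example.com/", "Allow"),
    ("2024-01-15T09:00:20", "alice", "PC-01", "www.example.com", "https://www.example.com/news", "Allow"),
    ("2024-01-15T09:00:30", "alice", "PC-01", "cdn.example.net", "https://cdn.example.net/a.png", "Allow"),
    ("2024-01-15T09:03:00", "alice", "PC-01", "www.example.com", "https://www.example.com/late", "Allow"),
    ("2024-01-15T09:00:10", "bob", "PC-02", "www.example.com", "https://www.example.com/", "Redirect"),
    ("2024-01-15T09:00:40", "bob", "PC-02", "www.example.com", "https://www.example.com/x", "Warn"),
]


@dataclass
class Hit:
    ts: datetime
    user: str
    device: str
    domain: str
    url: str
    action: str


@dataclass
class Visit:
    user: str
    device: str
    domain: str
    hits: List[Hit] = field(default_factory=list)

    @property
    def start(self) -> datetime:
        return self.hits[0].ts

    @property
    def end(self) -> datetime:
        return self.hits[-1].ts

    @property
    def duration_seconds(self) -> int:
        # "Duration" in the report: first hit to last hit, an approximation only.
        return int((self.end - self.start).total_seconds())

    def action_counts(self) -> Dict[str, int]:
        counts = {col: 0 for col in ACTION_COLUMN.values()}
        for h in self.hits:
            counts[ACTION_COLUMN[h.action]] += 1
        return counts


def parse_hits(rows) -> List[Hit]:
    return [Hit(datetime.fromisoformat(r[0]), *r[1:]) for r in rows]


def group_into_visits(hits: List[Hit], gap: timedelta = VISIT_GAP) -> List[Visit]:
    """Assign every hit to a visit keyed by (user, device, domain).

    Hits are processed in timestamp order, so each hit either extends the most
    recent visit for its key (gap to the previous hit <= threshold) or opens a
    new one. A visit never contains two consecutive hits more than `gap` apart,
    however long the visit lasts overall.
    """
    latest: Dict[Tuple[str, str, str], Visit] = {}
    visits: List[Visit] = []
    for hit in sorted(hits, key=lambda h: h.ts):
        key = (hit.user, hit.device, hit.domain)
        visit = latest.get(key)
        if visit is None or hit.ts - visit.end > gap:
            visit = Visit(hit.user, hit.device, hit.domain)
            visits.append(visit)
            latest[key] = visit
        visit.hits.append(hit)
    return visits


def report_rows(visits: List[Visit]) -> List[dict]:
    """One row per visit, using report-style column names (assumed layout)."""
    return [{
        "Username": v.user,
        "Device (Host)": v.device,
        "Domain": v.domain,
        "Start (UTC)": v.start.isoformat(),
        "Duration": v.duration_seconds,
        "Hits": len(v.hits),
        **v.action_counts(),
    } for v in visits]


if __name__ == "__main__":
    for row in report_rows(group_into_visits(parse_hits(SAMPLE_HITS))):
        print(row)
```

Note the third hit from alice to www.example.com at 09:03:00 starts a second visit, because more than a minute passed since her previous hit to that domain, while her hit to cdn.example.net in between is a separate visit of its own: the key includes the domain, not just the user.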

The Web Activity reports support filters that allow you to query the data with custom search criteria. To set a filter, click the Filters button before running the report.

The Web Activity reports normally generate a lot of data. It is best practice to be as specific as possible with the search criteria.

Domain

Part of the domain that you are searching for, e.g. gaming.com, www.bbc.co.uk, .net, etc. Paths and query strings are not supported.

Username

Part of the username (Active Directory) that made the web requests. This may only be available if agents are deployed with user identification or authentication.

You can specify multiple values in the Username field. Separate each user name with a semicolon, e.g. admin; sysadmin.

MAC address

The physical or machine address of the device that made the web requests, e.g. AE:B1:7F:12:A0:B7

IP address

The IP address of the device that made the web requests e.g. 10.0.0.5, 172.16.1.1

Hostname

Part of the hostname of the device that made the web requests.

Final Action

Select the final action applied by a rule to the web request, e.g. Allow, Block, Redirect.

Limit By Web Category

Check this box to open the category picker. This allows you to select multiple Web Categories that the web request must have matched.

AD Group

Check this box to open the AD Group picker. This allows you to select a group that the user who made the request must be a direct member of in Active Directory. After the picker opens, select the AD Domain and then select the desired group. Only one group can be selected.

The AD Group filter will only match users who are direct members of the selected group

Limit By URL Category

Check this box to open the category picker. This allows you to select multiple custom URL Categories that the web request must have matched.

Filter Rule

The name of the Filter Rule that the web requests must have matched. This can also be used to detect sites blocked because they are "Unclassified" if this option is enabled.

Limit By Keyword Category

Check this box to open the category picker. This allows you to select multiple custom Keyword Lists that the web request must have matched.

Keyword

Enter in a Keyword List pattern that the web request must have matched, if you want to search on a specific keyword.

Tag

Select the tag that must have been applied to the web request.

Device Type

The type of device that made the web request. The device type is derived from the User Agent of the request, e.g. Tablet, PC, Laptop, Smartphone.

Log Level

The logging level set by the rule Log Level action

Exclude AJAX (XHR) requests

Remove any web requests that were generated by scripts. This is a best-effort attempt that looks for the presence of the XMLHttpRequest header.

Click the icon to generate the report results. It may take several seconds to generate the report depending on the size of the result set.

Very large reports may return too many results. Try to narrow the search criteria further using time or additional filters.

The report results will appear in the Results panel and will be ordered by timestamp.

The results are grouped by Visit. Click the + icon to expand the visit to see the individual hits belonging to the visit, including the full URL of each hit. Use the Details pane to view all of the collected meta data for a specific hit.

The default columns are displayed but additional columns can be included in the report. Hover over a column header, and expand the menu to view the available columns. You can add additional columns to the report which will be saved so that the same view appears each time the report is run.

The following columns are available (columns with a * are only available for the expanded hit view by clicking the + next to a result):

Column Name

Description

Username

The Active Directory username captured by the agent

OS

Operating system used to generate the hit*

Device (Host)

The hostname of the device that generated the hit (the hostname should be registered in the Devices section)

Device (MAC)

The MAC address of the device that generated the hit

Device (IP)

The internal IP address of the device that generated the hit

Start (UTC)

The UTC timestamp of the first hit in the visit, or the UTC time of the hit

Start (Local)

The local time of the first hit in the visit, or the local time of the hit. This is calculated by the Time Zone detected by the agent.

AD Domain

The Active Directory NetBIOS domain that the username is a direct member of

Duration

The approximate time spent browsing the site, calculated by the timestamp of the first and last hit in the visit. This is an approximation only and may not reflect human behaviour.

A

The number of Allowed hits in the visit or whether the hit matched the Allow final action

B

The number of Blocked hits in the visit or whether the hit matched the Block final action

R

The number of Redirect hits in the visit or whether the hit matched the Redirect final action

W

The number of Warn hits in the visit or whether the hit matched the Warn final action

Web Categories

The Web Categories that the URL matched

URL Categories

The custom URL Categories that the URL matched

Keyword Categories

The Keyword Lists that the URL matched*

Keyword Pattern

The patterns from the Keyword Lists that the URL matched

Filter Rule

The name of the standard Filter Rule that triggered on the request, if any*

Feature Control Name

The name of the Feature Control that triggered on the request, if any*

Agent

The version of the agent in use e.g. Gateway, Windows, Mac OS X

Tag

The tag that the agent was using when the hit was captured*

Country

The country code that is determined by the IP address of the destination web server*

It is possible to sort the results on a particular column by clicking the column header to toggle between ascending and descending sort.

Not all columns are sortable. If a column is not sortable, the menu will be disabled.

Web Activity by Category

The Web Activity by Category report makes it easy to obtain a list of unique objects based on category. For example, all users who have web hits classified as Malware. From this report you can drill down for further detail.

App Activity (Inline)

The App Activity (Inline) report is available as part of the Cloud Application Security product and is concerned with providing a detailed analysis of user activity within Cloud Applications (apps). The App Activity (Inline) report is able to identify Shadow IT by displaying the Cloud Applications in use in real time, the actions carried out within those applications (uploading, sharing, posting, etc.) and even meta-data around the action carried out (file name, message, username, etc.). This level of detail, combined with attributes from the App Catalog such as risk, provides a powerful insight into end-user behaviour and their use of Cloud Applications. Information from this report can be used to identify threats and sanction applications.

The App Activity (Inline) report allows searching based on the following criteria:

Username

Part of the username (Active Directory) that used the App.

This may only be available if agents are deployed with user identification or authentication.

MAC address

The physical or machine address of the device that made the requests, e.g. AE:B1:7F:12:A0:B7

IP address

The IP address of the device that made the requests e.g. 10.0.0.5, 172.16.1.1

Hostname

Part of the hostname of the device that used the App.

Service IP

The IP address of the destination cloud service

Limit by Keyword Category

Check this box to open the category picker. This allows you to select multiple Keyword Lists that the request must have matched.

Limit by Specific Match

Check this box to open the Cloud Application selector and select a Class, Name or Action to search for.

Filter Rule

The name of the Filter Rule that the web requests must have matched. This can also be used to detect sites blocked because they are "Unclassified" if this option is enabled.

Final Action

Select the final action applied by a rule to the request, e.g. Allow, Block, Redirect.

Device Type

The type of device that made the request. The device type is derived from the User Agent of the request, e.g. Tablet, PC, Laptop, Smartphone.

Keyword(s)

One or more keywords (separated by semicolons) that appear in the captured Action Value meta-data. Useful for searching for filenames or Social Media activity.

Log Level

The logging level set by the rule Log Level action

Tag

Select the tag that must have been applied to the request.

Risk Level

The baseline or custom risk level that the App Action must have (coming soon)

Click the icon to generate the report results. It may take several seconds to generate the report depending on the size of the result set.

The report results will appear in the Results panel and will be ordered by timestamp.

The results are grouped by App Action. Click the + icon to expand the activity to see the meta data captured for the action.

The default columns are displayed but additional columns can be included in the report. Hover over a column header, and expand the menu to view the available columns. You can add additional columns to the report which will be saved so that the same view appears each time the report is run.

The following columns are available:

Column Name

Description

Timestamp (UTC)

The UTC timestamp of the first hit in the visit, or the UTC time of the hit

Timestamp (Local)

The local time of the first hit in the visit, or the local time of the hit. This is calculated by the Time Zone detected by the agent.

Username

The Active Directory username captured by the agent

Device (Host)

The hostname of the device that generated the hit (the hostname should be registered in the Devices section)

Device (MAC)

The MAC address of the device that generated the hit

Device (IP)

The internal IP address of the device that generated the hit

OS

Operating system used to generate the hit

Device Type

The type of device that made the request, identified via User Agent header

AD Domain

The Active Directory NetBIOS domain that the username is a member of

App Class

The classification of the Cloud Application e.g. CRM, Storage, Social Networking from the App Catalog

App Name

The name of the Cloud Application from the App Catalog

App Action

The name of the action from the App Catalog that was carried out within the Cloud Application e.g. Uploaded a File, Attempted to Login

Keyword Categories

The Keyword Lists that the URL matched

Keywords

The patterns from the Keyword Lists that the URL matched

Tag

The tag that the agent was using when the hit was captured

Action Value

The captured meta-data from the App Action

Baseline Risk

The risk level for the App Action set in the App Catalog

Custom Risk

The risk level set by the administrator by overriding the baseline value in the App Catalog

Final Action

The final action applied by a rule to the request, e.g. Allow, Block, Redirect

Browser

The name of the Web browser in use e.g. Chrome, IE

ICAP Agent

The version of the USS agent in use when the request was captured

Country

The GeoIP country determined from the destination IP address of the web request

Filter Rule

The name of the Filter Rule that matched when the request was captured

It is possible to sort the results on a particular column by clicking the column header to toggle between ascending and descending sort.

Not all columns are sortable. If a column is not sortable, the menu will be disabled.

App Activity (API)

The App Activity (API) report is available as part of the Cloud Application Security product and is concerned with providing a detailed analysis of user activity within sanctioned Cloud Storage applications. The App Activity (API) report is able to scan files uploaded or created within Cloud Storage apps for malware, data leakage and inappropriate image content.

The App Activity (API) report allows searching based on the following criteria:

Action Value

A pattern that was captured as part of the file event, such as the filename or folder name

Action

The storage event action that took place e.g. Download, Add, Delete

Threat Type

The type of threat that was detected e.g. dictionary, malware, credit card

Detail

A pattern to search within the scan results / excerpt that was matched

User (E-mail)

The email address for the user that carried out the file event

User (Name)

The real name for the user that carried out the file event

Type

Whether the file event relates to a file or folder

App (API)

A specific sanctioned app e.g. Dropbox, Onedrive

Path

The path that was involved in the file event

Parent name

The folder name that the file belongs to

IP address

The device IP that made the file event

MIME Type

The MIME type of the file event

Threats (min)

The number of threats that must have been detected for the result to match

Click the icon to generate the report results. It may take several seconds to generate the report depending on the size of the result set.

The report results will appear in the Results panel and will be ordered by timestamp.

The results are grouped by Event. Click the + icon to expand the activity to see the scan results for each event.

The default columns are displayed but additional columns can be included in the report. Hover over a column header, and expand the menu to view the available columns. You can add additional columns to the report which will be saved so that the same view appears each time the report is run.

E-mail Analyse

A valid E-mail Security license is required to use this report. Please contact your Service Provider for further information.

The E-mail Analyse report is available as part of the E-mail Security product and is concerned with auditing inbound and outbound e-mail processed by the E-mail Security product. It is the ideal report to track and trace e-mail delivery and to understand what e-mail rules have been applied to the message during processing.

The E-mail Analyse report allows searching based on the following criteria:

Reports

Select a previously saved report to load - see Saving and running Saved reports, below.

Timespan

Select a pre-determined time interval, such as Last Day, Last Week or Custom to enter in a specific start and end time. See Data Retention Periods for information on how much data is retained per product.

From

Available if Custom timespan is selected, the start date for the search.

To

Available if Custom timespan is selected, the end date for the search.

Subject

Part of the message subject you are searching for.

Recipient

Part of the e-mail address of the recipient.

Sender

Part of the e-mail address of the sender.

GUID

The message GUID generated by the E-mail Security product (generally used for Technical Support)

Direction

Whether the message was inbound, outbound or either.

Status

The status of the message after processing e.g. Delivered, Rejected, Quarantined.

Click the icon to generate the report results. It may take several seconds to generate the report depending on the size of the result set.

The report results will appear in the Results panel and will be ordered by timestamp.

The default columns are displayed but additional columns can be included in the report. Hover over a column header, and expand the menu to view the available columns. You can add additional columns to the report which will be saved so that the same view appears each time the report is run.

To make more room to view the results, you can collapse the Criteria panel using the icon.

The following columns are available:

Column Name

Description

Sender

The e-mail address of the sender of the message

Sender IP

The IP address of the sender

Country

The Geo-IP location of the sender IP

Subject

The message subject

Recipient

The e-mail address of the message recipient(s)

E-mail GUID

The unique GUID of the message in the E-mail Security system

Received

The timestamp that the e-mail was processed

Status

The final status of the message after processing

Size

The size in KB/MB of the message

It is possible to sort the results on a particular column by clicking the column header to toggle between ascending and descending sort.

Not all columns are sortable. If a column is not sortable, the menu will be disabled.

The E-mail Analyse report also captures additional data for every message which is available in the Detail View. Click the icon to view the detail on a particular message, which is split up into General, Actions and SMTP Trace tabs.

The General tab shows a summary of the message:

The Actions tab shows the rules that the message triggered as it was processed. This may help to identify why a message ended up with a final status of Deliver, Reject or Quarantine.

The SMTP Trace tab shows the real SMTP conversation between the E-mail Security service and the SMTP server that has been configured to receive processed e-mail:

The SMTP Trace is only available if the message status was Deliver

Authentication Analyse

A valid Authentication license is required to use this report. Please contact your Service Provider for further information.

The Authentication Analyse report is available as part of the Authentication product and is concerned with providing protection for user account compromise through the use of weak or stolen passwords.

The Authentication Analyse report allows searching based on the following criteria:

Reports

Select a previously saved report to load - see Saving and running Saved reports, below

Timespan

Select a pre-determined time interval, such as Last Day, Last Week or Custom to enter in a specific start and end time. See Data Retention Periods for information on how much data is retained per product.

From

Available if Custom timespan is selected, the start date for the search.

To

Available if Custom timespan is selected, the end date for the search.

Display Name

Part of the user's Display Name from Active Directory.

Username

Part of the user's Active Directory username.

End User IP

Part of the device IP that made the authentication request.

Login Type

Whether the authentication attempt resulted in a success or a failure.

Auth Host

Part of the hostname of the server running the Authentication Protection Client software.

Dispatch Policy

The dispatch policy that was used to issue the passcode for the authentication attempt.

Auth Client

The type of Authentication Protection Client in use for the authentication attempt.

Click the icon to generate the report results. It may take several seconds to generate the report depending on the size of the result set.

The report results will appear in the Results panel and will be ordered by timestamp.

The default columns are displayed but additional columns can be included in the report. Hover over a column header, and expand the menu to view the available columns. You can add additional columns to the report which will be saved so that the same view appears each time the report is run.

To make more room to view the results, you can collapse the Criteria panel using the icon.

The following columns are available:

Column Name

Description

Timestamp (UTC)

The UTC timestamp of the first hit in the visit, or the UTC time of the hit

Timestamp (Local)

The local time of the first hit in the visit, or the local time of the hit. This is calculated by the Time Zone detected by the agent

Login Type

The result of the authentication attempt; success or failure

Reason

If the Login Type resulted in a failure, the reason for the failure

Display Name

The user's display name from Active Directory

User (UPN)

The username from Active Directory in UPN format (User Principal Name) e.g. user@domain.com

User (SAM)

The username from Active Directory in SAM format (Security Account Manager) e.g. username

Dispatch Policy

The name of the Dispatch Policy that was used to send the One-Time Passcode (OTP) to the user

Auth Client

The name of the Authentication Client that was used to process the authentication attempt e.g. RADIUS, AD FS

Auth Client (IP)

The IP address of the server running the Authentication Client

Auth Client (Host)

The hostname of the server running the Authentication Client

End User IP

The IP of the user making the authentication request (internal or external)

Country

If the End User IP is external, the country associated with the external IP

Organization

If the End User IP is external, the organization that owns the public IP address

SessionID

Used for troubleshooting only e.g. to compare with the Event Viewer on the server running an Authentication Client

It is possible to sort the results on a particular column by clicking the column header to toggle between ascending and descending sort.

Not all columns are sortable. If a column is not sortable, the menu will be disabled.
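The Authentication Analyse report exists to surface account compromise attempts, and the columns above (Login Type, Reason, User (UPN), End User IP, Country) are enough to triage a CSV export of it offline. The following is an added example, not code from USS or this page: it reads a constructed export whose header row uses the column names from the table, finds users whose failed passcode attempts reach a threshold, and flags the case most worth looking at first, a success from an IP that had just been failing against the same account. The threshold, the time window and the ISO timestamp format of the export are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CSV export, not real data. Header names follow the report columns;
# the ISO timestamp format is an assumption about the export.
SAMPLE_CSV = """\
Timestamp (UTC),Login Type,Reason,User (UPN),End User IP,Country
2024-01-15T08:00:01,Failure,Invalid passcode,alice@example.com,203.0.113.10,NL
2024-01-15T08:00:15,Failure,Invalid passcode,alice@example.com,203.0.113.10,NL
2024-01-15T08:00:40,Failure,Invalid passcode,alice@example.com,203.0.113.10,NL
2024-01-15T08:01:05,Failure,Invalid passcode,alice@example.com,203.0.113.10,NL
2024-01-15T08:01:30,Success,,alice@example.com,203.0.113.10,NL
2024-01-15T08:05:00,Success,,bob@example.com,10.0.0.5,
2024-01-15T09:00:00,Failure,Invalid passcode,carol@example.com,10.0.0.7,
"""

FAILURE_THRESHOLD = 3            # assumed: failures per user that warrant a finding
SUCCESS_WINDOW = timedelta(minutes=10)  # assumed: how soon after the last failure a success is suspicious


def parse_export(text):
    """Parse the CSV export into dicts keyed by column name, adding a parsed 'ts'."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({**r, "ts": datetime.fromisoformat(r["Timestamp (UTC)"])})
    return rows


def find_failure_bursts(rows, threshold=FAILURE_THRESHOLD, window=SUCCESS_WINDOW):
    """Return one finding per user with at least `threshold` failures.

    Each finding records the failure reasons, the End User IPs and countries
    the failures came from, and whether a Success from one of those IPs
    followed within `window` of the last failure.
    """
    by_user = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        by_user[r["User (UPN)"]].append(r)

    findings = []
    for user, events in by_user.items():
        failures = [e for e in events if e["Login Type"] == "Failure"]
        if len(failures) < threshold:
            continue
        last_fail_ts = failures[-1]["ts"]
        failing_ips = {f["End User IP"] for f in failures}
        success_after = any(
            e["Login Type"] == "Success"
            and e["End User IP"] in failing_ips
            and timedelta(0) <= e["ts"] - last_fail_ts <= window
            for e in events
        )
        findings.append({
            "user": user,
            "failures": len(failures),
            "reasons": sorted({f["Reason"] for f in failures}),
            "ips": sorted(failing_ips),
            # Country is blank for internal IPs in the report, so skip empties.
            "countries": sorted({f["Country"] for f in failures if f["Country"]}),
            "success_after_failures": success_after,
        })
    return findings


if __name__ == "__main__":
    for finding in find_failure_bursts(parse_export(SAMPLE_CSV)):
        print(finding)
```

On the sample data only alice is reported: four failures from one external IP followed by a success from that IP within the window. carol's single failure stays below the threshold, and bob's success has no preceding failures, so neither produces a finding.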

Saving and running Saved reports

Once a report has been generated by completing the search criteria, it can be saved so that it can be easily run again in the future or attached to a Schedule.

It is best practice to run the report and ensure you have the expected results before saving it

To save a report, click the Save button at the bottom of the Criteria section:

When prompted, enter a name for the report. Click Save again.

The report is now saved. The report is now available from the Saved Reports drop-down or within the Schedules section.

Select a saved report. The saved criteria will be loaded into the form ready to be run. To run the report, click the button.

Deleting reports

To delete a saved report, click the icon. This will open the Saved Reports dialog.

Click the icon to delete the Saved Report.

Exporting Reports

To export a report, first Run the report and generate results. This will display the Export menu option in the top right hand corner of the results.

Reports can be exported as PDF or CSV (Comma Separated Values).

PDF reports are limited to a maximum of 10 columns and 5,000 pages of data. If you require a larger report, use the CSV option.

Clicking an option will trigger the report to be exported and a notice will appear.

Large reports can take several minutes to generate. A further notice will be provided once the report is ready.

If the report to export has more than 100,000 results then you will be prompted to convert to a one-time schedule and CSV format. Alternatively, reduce the size of the report by adjusting the search criteria and try again.

Once the exported report is ready, you can view it in the Archived Exports list. Click the Archived Exports button.

The available reports are displayed:

Click to download the report.

Click to permanently delete the report.

The report will also be available in the Analytics Archives section.

Malware Analyse

A valid Gateway Anti-malware license is required to use this report. If you do not have a license, you can still use the Web Analyse report to identify malware hits using the Web Category search criteria.

The Malware Analyse report is available as part of the Web Security product and is concerned with identifying web content that was blocked by the Gateway agent anti-malware scanner. Once enabled, the gateway anti-malware module scans all downloaded content (up to the maximum file size configuration setting) for malware and any positive detections are contained in this report.

The Malware Analyse report allows searching based on the following criteria:

Reports

Select a previously saved report to load - see Saving and running Saved reports, above.

Timespan

Select a pre-determined time interval, such as Last Day, Last Week or Custom to enter in a specific start and end time. See Data Retention Periods for information on how much data is retained per product.

Start

Available if Custom timespan is selected, the start date for the search.

End

Available if Custom timespan is selected, the end date for the search.

Domain

Part of the domain that you are searching for, e.g. gaming.com, www.bbc.co.uk, .net, etc. Paths and query strings are not supported.

Username

Part of the username (Active Directory) that made the web requests. This may only be available if agents are deployed with user identification or authentication.

Hostname

Part of the hostname of the device that made the web requests.

MAC address

The physical or machine address of the device that made the web requests, e.g. AE:B1:7F:12:A0:B7

IP address

The IP address of the device that made the web requests e.g. 10.0.0.5, 172.16.1.1

Tag

Select the tag that must have been applied to the web request.

Click the icon to generate the report results. It may take several seconds to generate the report depending on the size of the result set.

The report results will appear in the Results panel and will be ordered by timestamp.

The default columns are displayed but additional columns can be included in the report. Hover over a column header, and expand the menu to view the available columns. You can add additional columns to the report which will be saved so that the same view appears each time the report is run.

To make more room to view the results, you can collapse the Criteria panel using the icon.

The following columns are available:

Column Name

Description

Timestamp (UTC)

The UTC timestamp of the first hit in the visit, or the UTC time of the hit

Timestamp (Local)

The local time of the first hit in the visit, or the local time of the hit. This is calculated by the Time Zone detected by the agent.

URL Domain

The requested URL

Username

The Active Directory username captured by the agent

Device (Host)

The hostname of the device that generated the hit (the hostname should be registered in the Devices section)

Device (MAC)

The MAC address of the device that generated the hit

Device (IP)

The internal IP address of the device that generated the hit

Malware Category

The category of malware as reported by the scanning engine

Malware Name

The name of the malware identified

AD Domain

The Active Directory NetBIOS domain that the username is a member of

Tag

The tag that the agent was using when the hit was captured

It is possible to sort the results on a particular column by clicking the column header to toggle between ascending and descending sort.

Not all columns are sortable. If a column is not sortable, the menu will be disabled.

The Malware Analyse report also provides a link to the BitDefender virus database for further information on a particular Malware Name. Click the icon to view the detail on the BitDefender web site.
