Reviewing SWG Web Browsing dashboard with Webroot URL Categories

Forcepoint ONE SSE's SmartEdge agent and Cloud SWG can also generate ShadowIT logs for web browsing.

Note: To review the SWG Web Browsing dashboard with ThreatSeeker URL Categories, refer to Reviewing SWG Web Browsing dashboard with ThreatSeeker URL Categories.

You can access the SWG Web Browsing dashboard by navigating to Analyze > Dashboard > SWG Web Browsing.

The SWG Web Browsing dashboard provides an overview of your users' web browsing usage, segmented by web destination and each destination's web reputation, for the selected time range. The dashboard maintains a record of log information for the past 60 days. This dashboard is configured to provide a high-level overview of the top items admins will want to review. Clicking into the sections will provide the full investigative list with additional details for each website discovered.

Note:

URLs, sites or cloud services that have been configured on the policy page to be sent direct for web proxy policies will not appear on this SWG Web Browsing page since they have already been accounted for by the policy stating direct access is allowed and approved.

For example, the SWG Web Browsing dashboard will not generate logs for all social networking sites as they have been configured for Direct App Access.



The dashboards display information for the last 7 days, by default. You can select the Start Time and End Time and then click Apply to filter the information based on the selected time range. The End Time can be any date prior to today’s date.



Filtering

You can further filter the information by selecting the appropriate filter from the Search drop-down list above the date range.

Follow these steps to filter the information:

  1. Click into the Search box and select the Field option you are filtering by.


    Available options are Username, Web Browsing Category and Web Reputation Tier.

    On selecting the field option, the Operator drop-down list appears.

  2. Select the appropriate operator from the drop-down list.

    Available options vary depending on the field option selected. Available options are equals, does not equal, Contains and Does not contain.



  3. Enter the text or select the option from the drop-down list to filter the information.
    • If you have selected Username or Web Browsing Category from the Field drop-down list, then you should enter text.
    • If you have selected Web Reputation Tier in the Field drop-down list, then select the applicable value. Available options are Trustworthy, Low Risk, Moderate Risk, Suspicious and High Risk.

    On entering the text or selecting the option from the drop-down list, the AND and OR functions appear.

  4. Select the AND or OR function to continue your exact match filter.


    You can then continue to add refined filters as desired. Once you are ready, click into the space with the magnifying glass to search.

Total Domains

The Total Domains widget indicates the total number of domains accessed by the users during the selected period.



You can click on the number to open the Total Domains page where you can view the domains visited, data uploaded and downloaded by various users.



You can further drill-down the details based on distinct users by clicking on the ellipsis icon next to the Distinct User Count number for that domain and then clicking the Drilldown into user count option. The Top Domains: <Domain Name> page opens displaying the User Email, Sum Uploaded Bytes, Sum Downloaded Bytes and Event Count details of the users who accessed the domain.



You can click the close icon to close the Top Domains: <Domain Name> page and to go back to the SWG Web Browsing.

Risky Destinations Discovered

The Risky Destinations Discovered widget indicates the number of risky destinations, that is, domains with Web Reputation Tier equal to Suspicious (21-40%) or High Risk (0-20%), accessed by the users.



You can click the number to open the Risky Destinations Discovered page where you can view the risky domains visited, data uploaded and downloaded by various users.



You can further drill-down the details based on distinct users by clicking on the ellipsis icon next to the Distinct User Count number for that destination and then clicking the Drilldown into user count option. The Risky Destinations Discovered: <Domain Name> page opens displaying the User Email, Event Count, Sum Uploaded Bytes, and Sum Downloaded Bytes details of the users who accessed the destination.



Click the close icon to close the Risky Destinations Discovered: <Domain Name> page and to go back to the SWG Web Browsing.

Data Downloaded From Risky Destinations

The Data Downloaded From Risky Destinations widget indicates the volume of downloads from risky destinations, that is, domains with Web Reputation Tier equal to Suspicious (21-40%) or High Risk (0-20%).



You can click the number to open the Data Downloaded From Risky Destinations page where you can view every unique risky destination and username combination and the amount of data downloaded in bytes.



Click the close icon to close the Data Downloaded From Risky Destinations page and to go back to the SWG Web Browsing.

Data Uploaded to Risky Destinations

The Data Uploaded to Risky Destinations widget indicates the volume of uploads to risky destinations, that is, domains with Web Reputation Tier equal to Suspicious (21-40%) or High Risk (0-20%).



You can click the number to open the Data Uploaded To Risky Destinations page where you can view every unique risky destination and username combination and the amount of data uploaded in bytes.



Click the close icon to close the Data Uploaded to Risky Destinations page and to go back to the SWG Web Browsing.

Event Count By Web Reputation, Destination Count By Web Reputation and User Count By Web Reputation

The Event Count by Web Reputation widget displays the event count across all Web Reputation Tiers, the Destination Count by Web Reputation widget displays the domain count across all Web Reputation Tiers and the User Count by Web Reputation widget displays the user count across all Web Reputation Tiers. The Event Count by Web Reputation widget is explained here as an example. You can follow the same process for the Destination Count By Web Reputation and the User Count By Web Reputation widgets.



When you place the mouse pointer on a Web Reputation Tier in the donut chart, it displays the name of that tier and its total count.



You can click into the donut chart on a specific ranking color and click Drill into <Web Reputation> to pull up a new window with the list of details for that particular web reputation. For example, clicking the trustworthy piece of the Event Count by Web Reputation chart opens the detail window containing trustworthy destinations that were accessed.



You can further drill-down the details based on distinct users by clicking on the ellipsis icon next to the Distinct User Count number for that destination and then clicking the Drilldown into user count option. The Event Count By Web Reputation : <Destination> page opens displaying the User Email, Sum Uploaded Bytes, Sum Downloaded Bytes and Event Count details of the users who accessed the destination.



Click the close icon to close the Event Count By Web Reputation : <Destination> page and to go back to the SWG Web Browsing.

You can also turn off pieces of the donut chart by clicking the bulleted web reputation on the side to hide the data related to the selected web reputation.



Top Risky Destinations Accessed

The Top Risky Destinations Accessed widget indicates the top 10 risky destinations based on the distinct user count. Risky destinations are those with a Web Reputation Tier equal to Suspicious (21-40%) or High Risk (0-20%).



You can click the graph bar that you want to investigate and select the Drill into <Destination Name> option to view the unique users who accessed the destination and the volume of data each user uploaded to and downloaded from the destination.



Click the close icon to close the Top Risky Destinations Accessed: <Destination Name> page and to go back to the SWG Web Browsing.

Risky Web Browsing Categories

The Risky Web Browsing Categories widget displays various risky web reputation categories visited by users.



Top Uploaders To Risky Destinations and Top Downloaders From Risky Destinations

The Top Uploaders To Risky Destinations and Top Downloaders From Risky Destinations widgets display top uploaders and downloaders to and from risky destinations. These widgets display only destinations whose Web Reputation Tier is Suspicious or High Risk.



You can drill-down into the top uploaders or downloaders by clicking the User Email.

On clicking the User Email, the Top Uploaders To Risky Destinations : <User Email> page opens displaying Destination, Source IP, Web Reputation and Sum Upload Bytes details for that user.



On clicking the User Email, the Top Downloaders from Risky Destinations : <User Email> page opens displaying Destination, Source IP, Web Reputation and Sum Downloaded Bytes details for that user.



Click the close icon to close the Top Uploaders To Risky Destinations : <User Email> or Top Downloaders from Risky Destinations : <User Email> page and to go back to the SWG Web Browsing.
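
The aggregation behind the Risky Destinations Discovered, Top Risky Destinations Accessed and Top Uploaders To Risky Destinations widgets can be reproduced offline to cross-check the dashboard figures. This is an added example, not Forcepoint code: the event field names and sample records are constructed, and only the two risky tier ranges stated on this page are used.

```python
from collections import defaultdict

def risky_tier(score):
    """Tier for a reputation score, or None when the page does not class it as risky."""
    if 0 <= score <= 20:
        return "High Risk"      # 0-20%, as stated on this page
    if 21 <= score <= 40:
        return "Suspicious"     # 21-40%, as stated on this page
    return None

# Constructed sample events; the field names are assumptions, not a product schema.
EVENTS = [
    {"user": "ann@example.com", "domain": "files.example.net", "score": 12, "up": 5000, "down": 200},
    {"user": "bob@example.com", "domain": "files.example.net", "score": 12, "up": 100, "down": 9000},
    {"user": "ann@example.com", "domain": "files.example.net", "score": 12, "up": 2500, "down": 0},
    {"user": "ann@example.com", "domain": "ads.example.org", "score": 35, "up": 0, "down": 700},
    {"user": "cat@example.com", "domain": "news.example.com", "score": 88, "up": 10, "down": 40000},
    {"user": "bob@example.com", "domain": "wiki.example.com", "score": 41, "up": 300, "down": 1200},
]

def risky_destinations(events):
    """Per risky domain: tier, distinct users, event count and byte sums."""
    out = {}
    for e in events:
        tier = risky_tier(e["score"])
        if tier is None:
            continue  # scores above 40 are not counted as risky
        d = out.setdefault(e["domain"],
                           {"tier": tier, "users": set(), "events": 0, "up": 0, "down": 0})
        d["users"].add(e["user"])
        d["events"] += 1
        d["up"] += e["up"]
        d["down"] += e["down"]
    return out

def top_risky_destinations(events, n=10):
    """Top n risky domains ranked by distinct user count (ties broken by name)."""
    ranked = sorted(risky_destinations(events).items(),
                    key=lambda kv: (-len(kv[1]["users"]), kv[0]))
    return [(domain, len(d["users"])) for domain, d in ranked[:n]]

def top_uploaders(events, n=10):
    """Users ranked by bytes uploaded to risky destinations only (n is an assumption)."""
    totals = defaultdict(int)
    for e in events:
        if risky_tier(e["score"]) is not None:
            totals[e["user"]] += e["up"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

if __name__ == "__main__":
    print(len(risky_destinations(EVENTS)), top_risky_destinations(EVENTS), top_uploaders(EVENTS))
```

The score of 41 in the sample sits just above the Suspicious range, so that destination is excluded from every risky-destination figure even though a user uploaded data to it.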

Top Web Browsing Categories

The Top Web Browsing Categories widget displays the top 10 web browsing categories by user count. You can click See All to view all the web browsing categories.



You can investigate any web browsing category by clicking the particular Web Browsing Category name. On clicking the category name, the Web Browsing Categories: <Web Browsing Category Name> page opens displaying the destinations that fall under that browsing category, the number of distinct users who accessed each destination, the total volume of data uploaded to and downloaded from the destination, the web reputation score of the destination and the event count for that category.



You can further drill-down the details based on distinct users by clicking on the ellipsis icon next to the Distinct User Count number for that destination and then clicking the Drilldown into user count option. The Web Browsing Categories : <Destination> page opens displaying the email of each user who accessed the destination, the total volume of data that user uploaded to and downloaded from the destination, and the user's event count.



Click the close icon to close the Web Browsing Categories : <Destination> page and to go back to the SWG Web Browsing.

Top Policies By Hit Count

The Top Policies By Hit Count widget displays the top 10 policies by hit count.



Top Web Browsing Domains Denied

The Top Web Browsing Domains Denied widget displays the top 10 web browsing domains for which access was denied and the number of times access was denied for each domain.



Top Users Denied

The Top Users Denied widget displays the top user emails for whom access was denied and the number of times access was denied for each user.

Top Sensitive File Uploaders, Top Domains Receiving Sensitive Data and Top Uploaded Patterns

The Top Sensitive File Uploaders, Top Domains Receiving Sensitive Data and Top Uploaded Patterns widgets display the top offenders who uploaded sensitive data, top domains where sensitive data was uploaded and which data patterns were identified the most during upload.



You can drill down into the Top Domains Receiving Sensitive Data widget at a more granular level by clicking the respective bar and then selecting Drill into <Domain Name>. This opens the Top Domains Receiving Sensitive Data : <Domain Name> page with a modal table containing Pattern and Pattern Count fields.