Understanding Activity and Action descriptions in Proxy logs

This topic describes activities and actions supported in the Proxy logs.

The Activity column shows the user activity that triggered the event.

| Activity Name | Description |
|---|---|
| MFA | A user completes an action related to Multi-Factor Authentication. |
| Access | General web traffic. |
| Cloudstorage | High-level tag for when a user has uploaded or downloaded a file from a cloud storage application (example: OneDrive, GDrive, Dropbox, etc.). |
| Downloaded | A user downloads a file from an application. |
| Edit | |
| Email | High-level category for any email-related event. |
| IMAP | Email received via IMAP. |
| Login | User logged in. |
| Logout | User logged out. |
| Print | User printed an online file to PDF. |
| ProvidedJustification | User provided justification for file upload (or download). |
| Receive | A user receives an email. |
| Reauth | User had to reauthenticate due to session policy match. |
| Search | |
| Send | A user sends an email. |
| SMTP | Email sent via SMTP. |
| Uploaded | A user uploads a file to an application. |
| Viewed | A user views a file watermarked with a callback on it. |
| Web | When access is through a web browser. |
| Salesforce: Accounts | Viewing or editing content on the Accounts tab. |
| Salesforce: Campaigns | Viewing or editing content on the Campaigns tab. |
| Salesforce: Contacts | Viewing or editing content on the Contacts tab. |
| Salesforce: Contracts | Viewing or editing content on the Contracts tab. |
| Salesforce: Dashboards | Viewing or editing content on the Dashboards tab. |
| Salesforce: Documents | Viewing or editing content on the Documents tab. |
| Salesforce: Files | Viewing or editing content on the Files tab. |
| Salesforce: Groups | Viewing or editing content on the Groups tab. |
| Salesforce: Forecasts | Viewing or editing content on the Forecasts tab. |
| Salesforce: Leads | Viewing or editing content on the Leads tab. |
| Salesforce: Opportunities | Viewing or editing content on the Opportunities tab. |
| Salesforce: Pricebooks | Viewing or editing content on the Pricebooks tab. |
| Salesforce: Products | Viewing or editing content on the Products tab. |
| Salesforce: Reports | Viewing or editing content on the Reports tab. |
| Salesforce: Solutions | Viewing or editing content on the Solutions tab. |
| Salesforce: Users | Viewing or editing content on the Users tab. |
| Salesforce: Other | Viewing or editing content on the general Salesforce tab. |

The Action column shows the action that Forcepoint ONE SSE takes based on policy configuration.

| Action Name | Description |
|---|---|
| Alert | Event identified and logged in the alerts tab. |
| Allow | File was allowed during upload or download. |
| AllowedOnJustification | User was allowed to upload (or download) after justification was provided. |
| Apitokenalert | Alert relating to an issue with the API token. |
| App_Teams | Activity applied to actions within the Teams chat app. |
| App_Yammer | Activity applied to actions within the Yammer chat app. |
| Blocked | File was blocked during an upload or download event. |
| DelayLogin | User login delayed. |
| Denied | User action denied. |
| DLP | Any DLP event identified based on policy match. The file matched a data pattern in policy configuration. |
| DRM | File downloaded was made read only (DRM'd). |
| Encrypted | File was encrypted during download or upload. |
| Formtext | Action taken on formtext (such as text within a chat app). |
| Mail | |
| Masked | Text in chat app was masked so the sensitive content cannot be seen. |
| Notify | Notification on policy sent out to configured users/admins. |
| PendingJustification | File upload (or download) denied pending justification from user. |
| Suspicoiususerlocations | User logged into application(s) from distant locations in a short period of time. |
| SuspiciousUserLogins | Too many failed user login attempts. |
| SuspiciousDataSharing | Email forwarded to consumer account containing an attachment or sensitive keyword. |
| SuspiciousDataLocations | Watermarked file with callback was viewed from geographically distant locations. |
| SuspiciousUserTFALogins | Too many (2) failed user TFA login attempts. |
| Threat | Associated with identified malware. |
| Watermarked | File had one of the watermark options applied (visible, invisible, callback). |
| Webdlp | Forcepoint ONE SSE applied a DLP policy to a web traffic event. |