Understanding Activity and Action descriptions in Proxy logs

This topic describes activities and actions supported in the Proxy logs.

The Activity column is the activity the user is doing that triggered the event.

Activity Name	Description
MFA	A user completes an action related to Multi-Factor Authentication
Access	General web traffic
Cloudstorage	High level tag for when a user has uploaded or downloaded a file from a cloud storage application (example: OneDrive, GDrive, Dropbox, etc).
Downloaded	A user downloads a file from an application.
Edit
Email	High level category for any email related event.
IMAP	Email received via IMAP
Login	User logged in.
Logout	User logged out.
Print	User printed an online file to PDF.
ProvidedJustification	User provided justification for file upload (or download)
Receive	A user receives an email
Reauth	User had to reauthenticate due to session policy match
Search
Send	A user sends an email
SMTP	Email sent via SMTP
Uploaded	A user uploads a file to an application
Viewed	A user views a file watermarked with a callback on it.
Web	When access is through a web browser.
Salesforce: Accounts	Viewing or editing content on the Accounts tab
Salesforce: Campaigns	Viewing or editing content on the Campaigns tab
Salesforce: Contacts	Viewing or editing content on the Contacts tab
Salesforce: Contracts	Viewing or editing content on the Contracts tab
Salesforce: Dashboards	Viewing or editing content on the Dashboards tab
Salesforce: Documents	Viewing or editing content on the Documents tab
Salesforce: Files	Viewing or editing content on the Files tab
Salesforce: Groups	Viewing or editing content on the Groups tab
Salesforce: Forecasts	Viewing or editing content on the Forecasts tab
Salesforce: Leads	Viewing or editing content on the Leads tab
Salesforce: Opportunities	Viewing or editing content on the Opportunities tab
Salesforce: Pricebooks	Viewing or editing content on the Pricebooks tab
Salesforce: Products	Viewing or editing content on the Products tab
Salesforce: Reports	Viewing or editing content on the Reports tab
Salesforce: Solutions	Viewing or editing content on the Solutions tab
Salesforce: Users	Viewing or editing content on the Users tab
Salesforce: Other	Viewing or editing content on the general Salesforce tab

The Action column is the action that Forcepoint ONE SSE takes based on policy configuration.

Action Name	Description
Alert	Event identified and logged in the alerts tab.
Allow	File was allowed during upload or download.
AllowedOnJustification	User was allowed to upload (or download) after justification was provided
Apitokenalert	Alert relating to an issue with the API token.
App_Teams	Activity applied to actions within the Teams chat app
App_Yammer	Activity applied to actions within the Yammer chat app
Blocked	File was blocked during an upload or download event
DelayLogin	User login delayed
Denied	User action denied
DLP	Any DLP event identified based on policy match. The file matched a data pattern in policy configuration.
DRM	File downloaded was made read only (DRM'd).
Encrypted	File was encrypted during download or upload.
Formtext	Action taken on formtext (such as text within a chat app).
Mail
Masked	Text in chat app was masked so the sensitive content cannot be seen.
Notify	Notification on policy sent out to configured users/admins
PendingJustification	File upload (or download) denied pending justification from user
Suspicoiususerlocations	User logged into application(s) from distant locations in short period of time
SuspiciousUserLogins	Too many failed user login attempts.
SuspiciousDataSharing	Email forwarded to consumer account containing an attachment or sensitive keyword.
SuspiciousDataLocations	Watermarked file with callback was viewed from geographically distant locations.
SuspiciousUserTFALogins	Too many (2) failed user TFA login attempts.
Threat	Associated with identified malware
Watermarked	File applied one of the watermark options (visible, invisible, callback)
Webdlp	Forcepoint ONE SSE applied a DLP policy to a web traffic event.