Reviewing SWG Web Browsing dashboard with ThreatSeeker URL Categories
Forcepoint ONE SSE's SmartEdge agent and Cloud SWG can also generate ShadowIT logs for web browsing.
You can access the SWG Web Browsing dashboard by navigating to the dashboard.
The SWG Web Browsing dashboard provides an overview of your user's Web Browsing usage segmented by different URL destinations and their individual URL reputations, for the selected time range. The dashboard maintains a record of log information for the past 60 days. This dashboard is configured to provide a high-level overview of the top items' admins will want to review. Clicking into the sections will provide the full investigative list with additional details for each website discovered.
URLs, sites or cloud services that have been configured on the policy page to be sent direct for web proxy policies will not appear on this SWG Web Browsing page since they have already been accounted for by the policy stating direct access is allowed and approved.
For example, the SWG Web Browsing dashboard will not generate logs for all social networking sites as they have been configured for Direct App Access.
The dashboards display information for last 7 days, by default. You can select the Start Time and End Time and then click Apply to filter the information based on the selected time range. The End Time can be any date prior to today’s date.
Filtering
You can further filter the information by selecting the appropriate filter from the Search drop-down list on top of date range.
Follow the below steps to filter the information:
- Click into the Search box and select the Field option you are filtering by.
Available options are Username, URL Category and URL Reputation Tier.
On selecting the field option, Operator drop-down list appears.
- Select the appropriate operator from the drop-down list.
Available options vary as per the field option selected. Available options are equals, does not equal, Contains and Does not contain.
- Enter the text or select the option from the drop-down list to filter the information.
- If you have selected Username or URL Category from the Field drop-down list, then you should enter text.
- If you have selected URL Reputation Tier in the Field drop-down list, then select the applicable value. Available options are Harmful, Suspicious, Marginally Safe, Fairly Safe and Very Safe.
On entering the text or on selecting the option from the drop-down list, AND and OR functions appear.
- Select the AND or OR function to continue your exact match filter.
You can then continue to add refined filters as desired. Once ready to search click into the space with the magnifying glass to search.
Total Domains
The Total Domains widget indicates the total number of domains accessed by the users during the selected period.
You can click on the number to open the Total Domains page where you can view the domains visited, data uploaded and downloaded by various users.
You can further drill-down the details based on distinct users by clicking on the ellipsis icon next to the Distinct User Count number for that domain and then clicking the Drilldown into user count option. The Top Domains: <Domain Name> page opens displaying the User Email, Sum Uploaded Bytes, Sum Downloaded Bytes and Event Count details of the users who accessed the domain.
You can click the close icon to close the Top Domains: <Domain Name> page and to go back to the SWG Web Browsing.
Risky Destinations Discovered
The Risky Destinations Discovered widget indicates the number of risky destinations, that is domains with URL Reputation Tier equal to Suspicious (60-69%) or High Risk (0-59%), accessed by the users.
You can click the number to open the Risky Destinations Discovered page where you can view the risky domains visited, data uploaded and downloaded by various users.
You can further drill-down the details based on distinct users by clicking on the ellipsis icon next to the Distinct User Count number for that destination and then clicking the Drilldown into user count option. The Risky Destinations Discovered: <Domain Name> page opens displaying the User Email, Event Count, Sum Uploaded Bytes, and Sum Downloaded Bytes details of the users who accessed the destination.
Click the close icon to close the Risky Destinations Discovered: <Domain Name> page and to go back to the SWG Web Browsing.
Data Downloaded From Risky Destinations
The Data Downloaded From Risky Destinations widget indicates the volume of downloads from risky destinations, that is domain with URL Reputation Tier equal to Suspicious (60-69%) or High Risk (0-59%).
You can click the number to open the Data Downloaded From Risky Destinations page where you can view every unique risky destination and username combination and amount of data downloaded in bytes.
Click the close icon to close the Data Downloaded From Risky Destinations page and to go back to the SWG Web Browsing.
Data Uploaded to Risky Destinations
The Data Uploaded to Risky Destinations widget indicates the volume of uploads to risky destinations, that is domains with URL Reputation Tier equal to Suspicious (60-69%) or High Risk (0-59%).
You can click the number to open the Data Uploaded To Risky Destinations page where you can view every unique risky destination and username combination and amount of data uploaded in bytes.
Click the close icon to close the Data Uploaded to Risky Destinations page and to go back to the SWG Web Browsing.
Event Count By URL Reputation, Destination Count By URL Reputation and User Count By URL Reputation
The Event Count by URL Reputation widget displays the event count across all URL Reputation Tiers, the Destination Count by URL Reputation widget displays the domain count across all URL Reputation Tiers and the User Count by URL Reputation widget displays the user count across all URL Reputation Tiers. For example, the Event Count by URL Reputation widget is explained. You can follow the same process for the Destination Count By URL Reputation and the User Count By URL Reputation widgets.
When you place the mouse pointer on URL Reputation tier of the donut chart, it displays the total count for the pointed URL reputation tier and name of the URL reputation tier.
You can click into the donut chart on a specific ranking color and click Drill into <URL Reputation> to pull up a new window with the list of details for that particular URL reputation. For example, clicking the trustworthy piece of the Event Count by URL Reputation chart opens the detail window containing trustworthy destinations that were accessed.
You can further drill-down the details based on distinct users by clicking on the ellipsis icon next to the Distinct User Count number for that destination and then clicking the Drilldown into user count option. The Event Count By URL Reputation : <Destination> page opens displaying the User Email, Sum Uploaded Bytes, Sum Downloaded Bytes and Event Count details of the users who accessed the destination.
Click the close icon to close the Event Count By URL Reputation : <Destination> page and to go back to the SWG Web Browsing.
You can also turn off pieces of the donut chart by clicking the bulleted URL reputation on the side to hide the data related to selected URL reputation.
Top Risky Destinations Accessed
The Top Risky Destinations Accessed widget indicates the top 10 risky destinations based on the distinct user count. Risky destinations are those URL Reputation Tier equal to Suspicious (60-69%) or Harmful (0-59%).
You can click on the respective graph bar that you like to investigate and select Drill into < Destination Name> option to view the unique users who accessed the destination and volume of data uploaded and downloaded by each user from/to the destination.
Click the close icon to close the Top Risky Destinations Accessed: < Destination Name> page and to go back to the SWG Web Browsing.
Risky URL Categories
The Risky URL Categories widget displays various risky URL reputation categories visited by users.
Top Uploaders To Risky Destinations and Top Downloaders From Risky Destinations
The Top Uploaders To Risky Destinations and Top Downloaders From Risky Destinations widgets display top uploaders and downloaders to and from risky destinations. These widgets display only destinations whose URL Reputation Tier is Suspicious (60-69%) or Harmful (0-59%).
You can drill-down into the top uploaders or downloaders by clicking the User Email.
On clicking the User Email, the Top Uploaders To Risky Destinations : <User Email> page opens displaying Destination, Source IP, URL Reputation and Sum Upload Bytes details for that user.
On clicking the User Email, the Top Downloaders from Risky Destinations : <User Email> page opens displaying Destination, Source IP, URL Reputation and Sum Downloaded Bytes details for that user.
Click the close icon to close the Top Uploaders To Risky Destinations : <User Email> or Top Downloaders from Risky Destinations : <User Email> page and to go back to the SWG Web Browsing.
Top URL Categories
The Top URL Categories widget displays top 10 all the URL categories by user count. You can click See All to view all the URL categories.
You can investigate any of the URL category by clicking the particular URL Category name. On clicking the category name, the URL Categories: <URL Category Name> page opens displaying various destinations that fall under browsing category, no of distinct users accessed the destination, total volume of data uploaded and downloaded to/from the destination, web reputation score of the destination and event count for that category.
You can further drill-down the details based on distinct users by clicking on the ellipsis icon next to the Distinct User Count number for that destination and then clicking the Drilldown into user count option. The URL Categories : <Destination> page opens displaying the user email who accessed the destination, total volume of data uploaded and downloaded to/from the destination by the user and event count details of the users.
Click the close icon to close the URL Categories : <Destination> page and to go back to the SWG Web Browsing.
Top Policies By Hit Count
The Top Policies By Hit Count widget displays the top 10 policies by hit count.
Top Web Browsing Domains Denied
The Top Web Browsing Domains Denied widget displays top 10 web browsing domains for which access was denied and number of times access was denied for each domain.
Top Users Denied
Top Sensitive File Uploaders, Top Domains Receiving Sensitive Data and Top Uploaded Patterns
The Top Sensitive File Uploaders, Top Domains Receiving Sensitive Data and Top Uploaded Patterns widgets display the top offenders who uploaded sensitive data, top domains where sensitive data was uploaded and which data patterns were identified the most during upload.
You can drill-down the Top Domains Receiving Sensitive Data widget to more granular level to analyze the data by clicking the respective bar and then selecting Drill into <Domain Name>. This opens Top Domains Receiving Sensitive Data : <Domain Name> page with a modal table containing Pattern and Pattern Count fields.