Understanding Investigate page in Discovery Report

The Investigate page lists all of the applications and domains that were discovered.

Each entry is shown with high-level information such as the number of unique events (connections) made to the application or domain, the data uploaded to each application, and its cloud score. Clicking an application opens a more detailed view of it and allows you to manage the application as an unlicensed app. You can filter the applications on the Investigate page by selecting the appropriate filter from the Search drop-down list. By default, Policy=Empty is selected; that is, only applications whose policy is empty are displayed. You can also sort the details by clicking the appropriate column name.



There are three primary views for this page. You can view the page sorted by the application, by the sources (or users), or by new domains that were discovered. This can be changed by clicking the dropdown in the top left corner above the search bar.



Note: New Domains are domains that were discovered and do not currently exist in the Forcepoint ONE SSE database. Once a new domain has been discovered, it will be crawled and added to the database and will appear in the next Forcepoint ONE SSE release.

Apps

Viewing by Apps will show you an overview of the users and activity within those applications.



  • App: Shows the name of the application that is being reported on.
  • Policy: Displays an icon indicating whether the application has been sanctioned or protected by Zscaler.
  • Sources: Number of unique users or sources that have connected to the application.
  • Events: Total number of events across all sources that have occurred within that application.
  • Upload: Total upload (in bytes) of data to the application across all sources/users.
  • Cloud Score: A cloud score calculated by an adjustable weighted formula (see the section Adjusting Cloud Risk Scores below) that takes into account the application's attributes as well as Forcepoint ONE SSE's automated trust rating.
When you select a single application or multiple applications, the following buttons appear:
  • Sanction Apps: Select this button to sanction the selected applications. Once sanctioned, an icon appears in the Policy column for those applications. When you select this button, applications which are already secured by Zscaler will not change their state.
  • Unsanction Apps: Select this button to unsanction the selected applications. Once unsanctioned, the icon disappears from the Policy column for those applications.

Sources

Viewing by sources shows a breakdown of activity by the individual source or user.



  • Source: The source or the user connecting to the cloud applications. This will display the IP address unless your log data included the user's username and it was specified when uploading the log file.
  • Apps: Number of applications the source/user has connected to.
  • Events: Total number of events across all the applications the source/user has performed.
  • Upload: Total amount of data (in bytes) that the user has uploaded across all of the applications they have connected to.

New Domains

As mentioned above, new domains are discovered domains that are not currently recognized by, or part of, Forcepoint ONE SSE's cloud app database.

All new domains discovered will be crawled and added to the cloud app database and will be viewable after the next Forcepoint ONE SSE update release.



  • New Domain: The listed IP address of the newly discovered domain.
  • Sources: The number of unique sources/users who have connected to that domain.
  • Events: Total number of events by all sources/users in that new domain.
  • Upload: Total amount of uploaded data (in bytes) to that new domain across all sources/users.
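
The three views above are rollups of the same connection events, so their Sources, Apps, Events and Upload columns can be cross-checked against your own proxy logs. The following Python is an added example, not Forcepoint code: the event fields, the `KNOWN_APPS` table and the `.test` domains are constructed, and counting only recognized applications in the Sources view is an assumption.

```python
from collections import defaultdict

# Hypothetical stand-in for the cloud app database: domain -> application name.
KNOWN_APPS = {"files.example-share.test": "ExampleShare",
              "chat.example-talk.test": "ExampleTalk"}

# Constructed sample events; the field names are assumptions, not a product log format.
EVENTS = [
    {"ip": "10.0.0.5", "user": "alice", "domain": "files.example-share.test", "bytes_up": 1200},
    {"ip": "10.0.0.5", "user": "alice", "domain": "chat.example-talk.test", "bytes_up": 300},
    {"ip": "10.0.0.9", "user": None, "domain": "files.example-share.test", "bytes_up": 5000},
    {"ip": "10.0.0.9", "user": None, "domain": "files.example-share.test", "bytes_up": 700},
    {"ip": "10.0.0.5", "user": "alice", "domain": "unknown-upload.test", "bytes_up": 90000},
    {"ip": "10.0.0.12", "user": "bob", "domain": "unknown-upload.test", "bytes_up": 10},
]

def source_of(event):
    """Username when the log supplied one, otherwise the IP address."""
    return event.get("user") or event["ip"]

def rollup(events, group_by, count_unique):
    """Per group: distinct count_unique values, event count, uploaded bytes."""
    rows = defaultdict(lambda: {"unique": set(), "events": 0, "upload": 0})
    for e in events:
        row = rows[group_by(e)]
        row["unique"].add(count_unique(e))
        row["events"] += 1
        row["upload"] += e["bytes_up"]
    return {k: {**v, "unique": len(v["unique"])} for k, v in rows.items()}

def app_of(event):
    return KNOWN_APPS[event["domain"]]

def apps_view(events):          # "unique" is the Sources column
    known = [e for e in events if e["domain"] in KNOWN_APPS]
    return rollup(known, app_of, source_of)

def sources_view(events):       # "unique" is the Apps column
    known = [e for e in events if e["domain"] in KNOWN_APPS]
    return rollup(known, source_of, app_of)

def new_domains_view(events):   # domains missing from the app database
    unknown = [e for e in events if e["domain"] not in KNOWN_APPS]
    return rollup(unknown, lambda e: e["domain"], source_of)

if __name__ == "__main__":
    for name, view in (("Apps", apps_view), ("Sources", sources_view),
                       ("New Domains", new_domains_view)):
        print(name, view(EVENTS))
```

In the sample data, the source at 10.0.0.9 is keyed by IP address because its events carry no username, and the single unrecognized domain accounts for most of the uploaded bytes even though it has only two events.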