Understanding Dashboard Views in API logs
The API logs contain two different views to separate the information presented to make the dashboard easier to read and understand.
Summary View
The Summary view displays the current status of the files in the applications. It is the state of the account at a given point in time. The state of files in the Summary view are updated if the particular file has changed between scans. The Summary view is the default view when you first go to the API logs.
Selecting the file name will bring up the details of the file. Details displayed:
- Name: Name of the File.
- Time: Time of the Event.
- Type: Type of the file.
- Size: Size of the file.
- Owner: The owner of the file's account name.
- User Groups: The user groups that owner belongs.
- App: Application to which the file belongs.
- Creation Time: Time at which the file was created.
- Modification Time: Last modification time of the file.
- Team: Slack team the owner belongs to
- Status: One or more tags indicating specific user behavior associated with the file. An example would be a file shared externally and matching a DLP pattern would be
tagged as Shared, External and DLP. Tags could be Shared, Public, External, Internal, DLP, Renamed, Deleted and Moved.
- Private: Files that are not shared with anyone.
- Internal: Files shared with people internal to the organization.
- External: Files shared with specific people outside the corporate domain but within the application vendor domain (example, sharing from your corporate Gmail account to personal Gmail account).
- Public: Files shared by creating shareable links which do not require any user authentication. Files shared with users outside the application vendor domain is also considered as public. (example, sharing from your corporate Gmail account to personal OneDrive account)
- ID: ID number of the file.
- Path: Location of the file.
- Link: Link to the file to view the item.
- Shared With: Who the file is shared with if it's shared.
- DLP Match Locations: Where the file was located when it matched a DLP Pattern.
- Attachments: If the file is an email, if it contained any attachments.
- Data Pattern: DLP pattern matched.
- Labels: Labels defined for the document.
- Threat: Malware threat indicators.
- Hash: Hash info of the file if applicable
- Organization: Name of the organization that file belongs.
Charts
There are charts on the Summary View of API logs that provide a visual representation of the files and most exposed patterns.
- Summary chart:
- Total number of files in the account
- Number of files that match DLP patterns
- Number of files that are quarantined
- Shared Files by App chart:
- Shows you a breakdown of all the shared files in your corporate account across different apps
- Top Exposed Patterns chart:
- Shows the top DLP patterns that are matched against the files in your corporate account.
- Provides a breakdown of Public, External, Internal and Private files in your account matching DLP patterns. Note: From any bar chart, you can click on the legend to change the view to a single app or cmd/ctrl click multiple apps to compare activity. The Y axis will auto-adjust based on your clicks so you get a better view of interesting data. You can also Mouse over data points to see a pop-up showing exact values for a particular point in time.
Audit View
The Audit view displays the User Activity performed on the file and/or DLP Action taken on the file. The Audit view displays result of every scan.
Selecting the Timestamp will open up the Details for the event. Details Displayed:
- Time: Timestamp of the event.
- Owner: The file owner's user account name.
- User Groups: Groups with access to the file.
- App: Application to which the file belongs.
- Actor: Performer who downloaded, modified, deleted, sharingchanged, moved, or renamed the file.
- Actor IP Address: IP address of the performer who downloaded, modified, deleted, sharingchanged, moved, or renamed the file. Sometimes, this field will be empty even
if Actor field is filled as Google does not report it to Forcepoint ONE SSE.Note:
Actor and Actor IP Address fields are supported for Google Drive as well as Shared Drive.
Also, when a file is shared publicly and when a user performs an action without logging to Google account, then logs will not be generated.
- Enterprise Name: Slack enterprise name.
- Activity: User Activity that was taken, tags can include: SharingChanged, Renamed, Moved, Modified, Deleted.
- Team: Slack team the file owner belongs to.
- Action: DLP action that was taken, tags can include: PendingDLPScan, DLPScan, Encrypt, Quarantine, Whitelist, CreateCopy, RemoveExternalShare, RemovePublicShare, RemoveInternalShare, Notify, Alert, ICAP, DownloadFailure, ScanTimeout.
- Name: Name of the file.
- Path: Path location of the file.
- Size: Size of the file if applicable
- Link: Link that will take you to the item in the application if the admin account has access to it.
- ID: ID number of the file.
- Shared With: Users the file is shared with.
- ICAP: ICAP transaction if sent to another DLP system.
- Hash: Hash info of the file if applicable
These pieces of info about the file at scan time before action was taken (for example who the file was shared with before the remove share action).
- Groups Included: Groups included in the scan
- Groups Excluded: If the scan/policy excluded groups from the action.
- Data Patterns: All of the data patterns the file matches
- Policy ID: The ID number of the policy line that was triggered. This will help identify which policy line triggered the action/event log for troubleshooting.
Note: The Policy ID field will only appear when viewing the Audit View of the logs. Policy ID only shows when the event triggered an actual policy actual and will not display any ID number if the API scans just identifies DLP patterns for visibility.