Investigate threat event details

Use the Dashboard > Threats > Event Details page to research suspicious activity incidents. The page can show incidents related to:

  • A specific user name, IP address, or device, selected from the Suspicious Event Summary table on the Threats dashboard. (Device names are provided by Content Gateway, and are not available in Forcepoint URL Filtering deployments.)
  • A specific severity level, selected by clicking the link in a suspicious activity alert email notification (see Configuring suspicious activity alerts).

At the top of the page, a table lists each incident associated with the selected user, IP address, hostname, or severity level. The table shows 10 rows of data per page.

  • Use the Search field to narrow results to a specific incident or group of related incidents. Click Clear to remove the search filter.
  • Refer to the information in the top right portion of the page to see the time period covered by the table and when the table was last updated.
  • Click Customize in the toolbar at the top of the content pane to change the columns shown in the table. The detail table has the same column options as the summary table on the Threats dashboard.
  • Click a row in the table to update the bottom portion of the page with additional details about the selected incident, its associated threats, and the detection methods used (see Reviewing threat incident details).

    The incident details section includes a link to ACEInsight. Use this link to view current information about the URL and threats associated with the incident.

  • If there are more than 10 incidents, use the paging controls at the bottom of the table to navigate through the data.

With Forcepoint Web Security, files associated with attempts to either infect your network or send sensitive data out of your network may be captured. File-related data is referred to collectively as forensic data, and it is stored in a special database, called the forensics repository.

  • Forensics capture and storage is enabled by default.
  • Configure forensics capture and storage on the Settings > Reporting > Dashboard page (see Configuring Dashboard reporting data).

When forensics capture is enabled and there are files (like spreadsheets, documents, or compressed files) associated with an incident, an icon appears in the Forensics column of the Event Details table. When you select an incident that includes forensics data, information about any files associated with the incident is displayed in the Forensic Data section of the page (see Reviewing threat-related forensic data).

Warning:

Use caution when opening a file associated with a threat incident. If the file is infected with malware, it could infect the machine you use to investigate the incident.

Captured files may also contain sensitive data.

If a user agent header was captured for the incident, the User Agent String field includes a link that you can use to search for other instances of the user agent. Click the link to see results on the Search tab of the Reporting > Applications page. See Application reporting for more information about application reports and user agents.

To export event information to a CSV file, click Export in the toolbar at the top of the content pane. All threat-related events logged in the selected time period are exported, not just those for the user, IP address, hostname, or severity level currently displayed on the page.