Reviewing threat incident details
When an administrator selects an incident in the table at the top of the page, the area below the table is populated with all available details about the incident. The available details may vary based on:
- What type of incident occurred. For example:
- An outbound request for a URL that is blocked by its Forcepoint URL Database category is unlikely to include a threat name, intent, or type, because the request is blocked before Content Gateway analysis occurs.
- A request that does not include a file transfer does not include forensic data.
- Your subscription level. For example:
- Only Content Gateway (a component of Forcepoint Web Security) passes hostname, threat name, threat intent, threat type, and scanning category information.
- Not all Forcepoint URL Filtering integrations pass protocol, method, or content type information.
- Whether any file transfer attempts were associated with the incident. (Only Content Gateway provides this type of forensic data.) See Reviewing threat-related forensic data.
The following incident details may be displayed on the page:
| Field | Description |
|---|---|
| Severity |
Critical, High, Medium, or Low. See How severity is assigned to suspicious activity. |
| Category | The Forcepoint URL Database or custom category assigned to the destination URL. |
| Threat Name | The name associated with the malicious software, bot traffic, or other threat activity (if applicable). |
| Threat Intent | What the threat would attempt to do (log keystrokes, open a back door into the network, and so on). |
| Platform | The operating system targeted by the threat (Windows, Android, and so on). |
| Threat Type | The classification of the malicious software (Trojan, worm, advanced persistent threat, and so on). |
| Action | The action assigned to the request (Permit or Block). |
| Reason | The reason the permit or block action was applied (for example, the category assigned to the URL). |
| Incident Time | The date and time the incident occurred. |
| ACEInsight Link | A link to ACEInsight.com to enable further research on the URL or threat. |
| User | The user requesting the URL (if a user is identified). |
| Source IP Address | The IP address from which the request originated. |
| Device | (Forcepoint Web Security only) The name of the machine from which the request originated. (When a hostname is not available, the source IP address is repeated). |
| Destination IP Address | The IP address of the requested URL. |
| Port | The port used to communicate with the requested URL. |
| Protocol | The protocol used to request the URL. |
| Direction | Whether the incident involved an inbound or outbound connection. |
| Method | Whether the request was a GET or a POST. |
| Content Type | The value reported in the “Content-Type” field of the HTTP header associated with the request (for example, text/html, image/gif, or application/javascript). |
| Bytes Sent | The number of bytes sent out from the source machine. |
| Bytes Received |
The number of bytes returned by the target (destination) URL. If the request was blocked, this is 0. |
| Country | The country hosting the destination URL. |
| Full URL | The full URL (domain, path, CGI string, and file) of the target site. |
| Active Policy | The policy used to manage the request. |
| Database Category | The category assigned to the request by the Forcepoint URL Database. |
| Scanning Category | The category assigned to the request by Content Gateway analysis (may match the Forcepoint URL Database category). |
| Role | The delegated administration role responsible for the policy used to manage the request. |