Threats dashboard

Use the Threats tab of the Status > Dashboard page to monitor and investigate suspicious activity in your network.

  • Forcepoint Web Security is required to display information about outbound threats and to provide detailed forensic data about the threats.
  • You cannot add elements to, nor remove elements from, the Threats dashboard.

The initial view of the Threats dashboard shows:

  • Top Security Destinations shows the top countries to which suspicious traffic is being sent, or in which sites associated with suspicious activity are hosted.
  • Security Events by Type shows the number of blocked requests, permitted requests, or both for sites (destinations) in the top security categories associated with malware threats.
  • Suspicious Event Summary lists information about threat-related events in your network.

A Status control in the top right corner of the tab indicates whether Threats data is being updated automatically.

  • If the status is Running, click Pause to prevent data from being updated while you examine current results.
  • If the status is Paused, click Start to update the dashboard with any new data collected while updates were halted.

Additional controls at the top of the tab let you restrict the information in the charts and summary table to the specified:

  • Time period (Today, 7 days, 30 days, and so on)
    • Date details under the drop-down list show the start date and time used to calculate the selected period.
    • Configure the maximum time period available on the Settings > Reporting > Dashboard page (see Configuring Dashboard reporting data).

      With Microsoft SQL Server Express, the maximum time period is 30 days, and cannot be changed.

  • Severities (Critical, High, Medium, or Low)

    Click the Severity Mapping link for more information about the categories associated with each severity level.

  • Action (All, Permitted, or Blocked)
  • Direction (All, Inbound, or Outbound)

For Super Administrators, the number of Advanced File Analysis requests made in the selected time period is also listed (see Advanced File Analysis report). Click the link to open the Reporting > Advanced File Analysis page and view the details.

Administrators can also use the Top Event Destinations map and Security Events by Type chart to further refine the information that appears in the summary table at the bottom of the page.

  • Click a dot on the map to display only traffic associated with that country in the Suspicious Event Summary table.

    The size of the dot reflects the number of incidents associated with that country. Hover over a dot to see a tooltip showing the country name. (Hovering over a blue area without a dot displays the name of the continent.)

  • Click a category in the chart to display only traffic associated with that category in the table.

    Each category is represented by a different color in the chart; hover over a bar or segment in the chart to see a tooltip showing the category name.

By default:

  • The Top Event Destinations map shows the top 20 countries from which suspicious activity originates, or to which suspicious traffic is being sent.
  • The Security Events By Type chart shows the top 5 categories associated with suspicious activity in the network, displayed in stacked column format.

To modify the information in the map or the chart:

  • Click the Options icon, then select Edit.
  • Use the Top list (both elements) or Chart type list (Security Events by Category chart) to update the display.

    Changing the “top” value or chart type does not affect the information displayed in the summary table.

The Suspicious Event Summary table offers a variety of options to help you identify specific events to investigate.

  • Use the Search box to find events for a user name, IP address, or hostname (if available; requires Content Gateway).

    To stop filtering the table based on the term in the Search box, click Clear.

  • Each of the filters (time, severity, action, direction, country, category) currently applied to the summary table is listed. Clear the check box next to a filter to remove it and expand the information shown in the table.
  • Click a user name, IP address or hostname (if available) to see a detailed report. See Investigate threat event details.

The Suspicious Event Summary can be customized to show or hide any of the following columns. The columns displayed by default are marked with an asterisk (*).

  • Severity*: Indicated by an “S” icon with a blue background. Shows the severity (Critical, High, Medium, or Low) assigned to the event.
  • Forensics* (Forcepoint Web Security only): Indicated by a magnifying glass icon. Indicates whether the event included an attempt to send files.
  • User*: The user name (if any) associated with the activity.
  • IP address: The IP address of the machine on which the activity occurred.
  • Device* (Forcepoint Web Security only): The name of the machine on which the activity occurred.
  • Category*: The Forcepoint URL Database category assigned to the activity.
  • Last Attempt*: The timestamp of the most recent event sharing all of the characteristics displayed in the row.
  • Country*: Indicated by the abbreviation “CC” (for country code). Shows the 2-letter country code for the event destination (target). If more than one destination is associated with an event, “Multiple” is displayed.
  • Direction: Whether the suspicious activity involved inbound or outbound traffic. Outbound threat detection requires Forcepoint Web Security.
  • Incidents*: The number of incidents sharing all of the characteristics displayed in the row except for “Last Attempt.”

To add columns to the table, or to remove columns, click the Customize link above the table. Mark or clear the check box next to a column name to add or remove the column from the table.

To export the contents of the table to a CSV file, click Export to CSV. Select the time period for which to export event data, then click Export.
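As an added example (not part of the Forcepoint documentation), the following Python applies the dashboard's severity, direction, country and category filters and its top-N ranking to an exported CSV, so the same triage can be repeated offline or scripted. The header names and field formats of the export are assumed from the column list above, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of a Threats dashboard CSV export.
# Column names follow the Suspicious Event Summary; the exact header
# text and field formats of a real export are assumed.
SAMPLE_EXPORT = """\
Severity,User,IP address,Device,Category,Last Attempt,Country,Direction,Incidents
Critical,jdoe,10.0.0.12,WS-012,Bot Networks,2024-05-01 09:14:02,RU,Outbound,14
High,,10.0.0.40,WS-040,Malicious Web Sites,2024-05-01 08:50:11,Multiple,Outbound,3
Medium,asmith,10.0.0.7,WS-007,Suspicious Content,2024-04-30 17:02:45,US,Inbound,9
Critical,jdoe,10.0.0.12,WS-012,Malicious Web Sites,2024-05-01 07:31:09,RU,Outbound,2
Low,bchan,10.0.0.21,WS-021,Suspicious Content,2024-04-29 12:00:00,DE,Outbound,1
"""


def parse_export(text):
    """Read the export into dict rows; Incidents is summed later, so cast it."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Incidents"] = int(row["Incidents"])
    return rows


def filter_events(rows, severities=None, direction=None, country=None, category=None):
    """Narrow rows the way the dashboard filters do; None means "All".

    Country holds a 2-letter code or the literal "Multiple" (more than one
    destination), so filtering by a code drops multi-destination events.
    """
    kept = []
    for row in rows:
        if severities and row["Severity"] not in severities:
            continue
        if direction and row["Direction"] != direction:
            continue
        if country and row["Country"] != country:
            continue
        if category and row["Category"] != category:
            continue
        kept.append(row)
    return kept


def top_by(rows, column, n):
    """Rank a column's values by total incidents, as the map does for
    Country (top 20) and the Security Events by Type chart for Category (top 5)."""
    totals = Counter()
    for row in rows:
        totals[row[column]] += row["Incidents"]
    return totals.most_common(n)
```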