Mimecast Web Security: Activity Report

Document created by user.oxriBaJeN4 Employee on Aug 6, 2018. Last modified by user.oxriBaJeN4 Employee on May 2, 2019.
Version 13

This guide describes the Mimecast Web Security Activity Report that displays a log of all DNS and URL requests in real-time, allowing administrators to easily track user activity within the organization.

 

Accessing the Activity Report 

 

To access the Activity Report:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Web Security | Activity Report menu item.

 

Customizing the Activity Report 

 

You can customize the data displayed in the activity report by:

  • Searching for data.
  • Changing the columns displayed.
  • Filtering the search results.

 

Searching for Data

 

To search for a particular activity:

  1. Enter known details in the Search field.
  2. To optionally filter the results of your entered search text, click on the All pull down menu and select one of the following:
    • User: Searches for users.
    • Source IP: Searches the source IP where the request came from.
    • Request: Searches the URL or domain request.
  3. Press the Enter key, or click on the magnifying glass icon. Your results display.

 

Changing the Activity Report Columns

 

The activity report displays a set of default columns, but you can change these as required. To change the columns:

  1. Click on the Settings icon to the right of the column headings.
  2. Select or deselect the required columns. The available columns are:
    • User: Displays the user who the request came from.

      If you don't require users to log on to the Mimecast Security Agent (MSA), and they have not logged in or are using a cloud-only setup, they are considered unknown and the "User" column is left blank. Log entries with a blank "Category" column are often reverse DNS lookups and are expected. Reverse lookups almost always have a "Request" value that contains "in-addr.arpa".

    • Discovery Method: Displays the method used by the Mimecast Security Agent to find the user.
    • Source IP: Displays the source IP the request came from.
    • Request: Displays the URL or domain of the site the user attempted to access.
    • Category: Displays the category of the request. View the "Category Filtering Policies" section of the Mimecast Web Security: Configuring Policies page for the full list of categories.
    • Action: Displays the action taken on the request. See the "Action Values" section below for a list of the possible values.
    • Created: Displays the time of the request.
    • Event: Displays the request's protocol (e.g. DNS, HTTP, HTTPS).
    • Type: Displays the type of DNS record or HTTP(S) request.
    • Reason: Displays the reason why the request was allowed or blocked. See the "Reason Values" section below for a list of the possible values.
    • Policy: Displays the type of policy that took action on the request.
  3. Click on the Apply button.

 

Action Values

 

The following values can be displayed in the Action column of the activity report:

  • Allow: The request was allowed.
  • Block: The request was blocked.
  • Accepted: The user accessed the site by clicking on the "Accept Risk and Continue" link in the warning.
  • Inspect: The request is being inspected further which may result in it being allowed or blocked.
  • No Response: The request did not return an IP so no action was taken.
  • Unfiltered: The record type requested is not processed by Mimecast.
  • Warning: The request presented a warning page.

 

Reason Values

 

The following values can be displayed in the Reason column of the activity report. The reasons are displayed in the following groups:

  • Security Risk
  • User Configured
  • General

Security Risk

  • Advanced Similarity Check: We've detected the use of special characters to look like other characters in the requested domain.
  • Anti-Virus Unscannable: The download attempt of the web content or files was unscannable by our antivirus engine. This could be due to a variety of reasons.
  • Risk Accepted: The user continued to access the site by clicking on the "Accept Risk and Continue" link in the warning.
  • Certificate Revoked: The certificate has been revoked by its issuer.
  • Suspicious: The request was deemed suspicious.
  • Newly Observed Domains: The request was for a site that was recently observed; such sites are often considered malicious.
  • Protocol Protection: The server's response contained invalid content or content which could be considered a threat.

User Configured

  • Block or Allow List: The request was blocked or allowed based on the entries in a block or allow list policy. See the Mimecast Web Security: Managing a Policy page for further details.
  • Category Filtering: The request was blocked or allowed based on the entries in a category filtering policy. See the Mimecast Web Security: Managing a Policy page for further details.
  • Exception: The request was allowed based on the entries in your exception list. See the Mimecast Web Security: Managing Exceptions page for further details.
  • SafeSearch: The request was modified in accordance with the SafeSearch settings.
  • Managed URLs: The request was blocked or allowed based on your Targeted Threat Protection Managed URLs list. See the Targeted Threat Protection: Managed URLs page for further details.
  • Default Allow: The request was allowed. No policy was triggered.

General

  • Failed to Connect: The web proxy was unable to connect to the web server.
  • No Answers: No DNS records of the requested type were found.
  • No Such Domain: The requested domain name does not exist.
  • Server Failure: A DNS server failed to respond to the query.
  • Operational: The request was blocked by Mimecast.
  • None: No additional information.
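
An added example (not Mimecast code and not part of the original page): a triage pass over activity report rows, using the column names and the Action and Reason values listed above. The CSV layout, the sample rows and the category names are constructed assumptions; this page does not document an export format.

```python
import csv
import io
from collections import Counter

# Reason values this page groups under "Security Risk".
SECURITY_RISK_REASONS = {
    "Advanced Similarity Check", "Anti-Virus Unscannable", "Risk Accepted",
    "Certificate Revoked", "Suspicious", "Newly Observed Domains",
    "Protocol Protection",
}

# Constructed sample rows. The CSV layout and category names are assumptions;
# only the column names and the Action/Reason values come from the page.
SAMPLE_CSV = """User,Source IP,Request,Category,Action,Reason
alice@example.com,203.0.113.10,news.example.org,News,Allow,Default Allow
,203.0.113.10,10.113.0.203.in-addr.arpa,,Allow,None
bob@example.com,203.0.113.11,new-site.example.net,Uncategorized,Warning,Newly Observed Domains
bob@example.com,203.0.113.11,new-site.example.net,Uncategorized,Accepted,Risk Accepted
,203.0.113.12,login.example.com,Business,Block,Advanced Similarity Check
"""

def is_reverse_lookup(row):
    """Blank Category plus an in-addr.arpa Request: expected noise per the page."""
    return not row["Category"].strip() and "in-addr.arpa" in row["Request"].lower()

def triage(csv_text):
    """Return (findings, skipped_reverse_lookups, unknown_user_sources)."""
    findings, skipped, unknown_sources = [], 0, Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_reverse_lookup(row):
            skipped += 1
            continue
        if not row["User"].strip():
            # Blank User: agent logon not required or not done, or cloud-only setup.
            unknown_sources[row["Source IP"]] += 1
        if row["Action"] == "Accepted" or row["Reason"] in SECURITY_RISK_REASONS:
            findings.append((row["User"] or "(unknown)", row["Source IP"],
                             row["Request"], row["Action"], row["Reason"]))
    return findings, skipped, dict(unknown_sources)

if __name__ == "__main__":
    findings, skipped, unknown = triage(SAMPLE_CSV)
    for finding in findings:
        print(*finding, sep=" | ")
    print(f"reverse lookups skipped: {skipped}; unknown-user sources: {unknown}")
```

Rows with a blank User are counted per Source IP so that unattributed traffic can be followed up by address rather than dropped.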

 

Filtering the Search Results

 

Once records are displayed in the activity report, you can filter the results to focus on specific actions, discovery ids, and categories. To filter the search results:

  1. Click on the Filters dropdown menu.
  2. Select or deselect the required filters.
    If there are only a few options you wish to exclude, click on the Select all link and then deselect the unwanted options.
  3. Scroll down and click on the Apply button.

 

Changing the Report's Date Range

 

To show activity within a certain date range:

  1. Click on the Date Range dropdown menu.
  2. Select the required Date Range (from the past 24 hours to the past 90 days).

 
