This guide describes the Mimecast Web Security Activity Report that displays a log of all DNS and URL requests in real-time, allowing administrators to easily track user activity within the organization.
Accessing the Activity Report
To access the Activity Report:
- Log on to the Administration Console.
- Click on the Administration menu item.
- Click on the Web Security | Activity Report menu item.
Customizing the Activity Report
You can customize the data displayed in the activity report by:
- Searching for data.
- Change the columns displayed.
- Filtering the search results.
Searching for Data
- Enter known details in the Search field.
- To optionally filter the results of your entered search text, click on the All pull down menu and select one of the following:
- User: Searches for users.
- Source IP: Searches the source IP where the request came from.
- Request: Searches the URL or domain request.
- Press the Enter key, or click on the magnifying glass icon. Your results display.
Changing the Activity Report Columns
- Click on the icon to the right of the column headings.
- Select or deselect the required columns. The available columns are:
- User: Displays the user who the request came from.
If you don't require users to logon to the Mimecast Security Agent (MSA), and they have not logged in or they are using a cloud only setup, they are considered unknown and left blank in the "User" column. Log entries left blank under the "Category" column are often reverse DNS lookups and are expected. Reverse lookups almost always contain a "Request" which contains "in-addr.arpa".
- Discovery Method: Displays the method used by the Mimecast Security Agent to find the user.
- Source IP: Displays the source IP the request came from.
- Request: Displays the URL or domain of the site the user attempted to access.
- Category: Displays the category of the request. View the "Category Filtering Policies" section of the Mimecast Web Security: Configuring Policies page for the full list of categories.
- Action: Displays the action taken on the request. See the "Action Values" section below for a list of the possible values.
- Created: Displays the time of the request.
- Event: Displays the request's protocol (e.g. DNS, HTTP, HTTPS).
- Type: Displays the type of DNS record or HTTP(S) request.
- Reason: Displays the reason why the request was allowed or blocked. See the "Reason Values" section below for a list of the possible values.
- Policy: Displays the type of policy that took action on the request.
- User: Displays the user who the request came from.
- Click on the Apply button.
The following values can be displayed in the Action column of the activity report:
|Allow||The request was allowed.|
|Block||The request was blocked.|
The user accessed the site by clicking on the "Accept Risk and Continue" link in the warning.
The request is being inspected further which may result in it being allowed or blocked.
|No Response||The request did not return an IP so no action was taken.|
The record type requested is not processed by Mimecast.
|Warning||The request presented a warning page.|
The following values can be displayed in the Reason column of the activity report. The reasons are displayed in the following groups:
- Security Risk
- User Configured
|Advanced Similarity Check|
We've detected the use of special characters to look like other characters in the requested domain.
The download attempt of the web content or files was unscannable by our antivirus engine. This could be due to a variety of reasons.
The user continued to access the site by clicking on the "Accept Risk and Continue" link in the warning.
The certificate has been revoked by it's issuer.
The request was deemed suspicious.
|Newly Observed Domains|
The request was for a site that is recently observed and are often considered malicious.
The server's response contained invalid content or content which could be considered a threat.
|Block or Allow List|
The request was blocked or allowed based on the entries in a block or allow list policy. See the Mimecast Web Security: Managing a Policy page for further details.
The request was blocked or allowed based on the entries in a category filtering policy. See the Mimecast Web Security: Managing a Policy page for further details.
The request was allowed based on the entries in your exception list. See the Mimecast Web Security: Managing Exceptions page for further details.
The request was modified in accordance with the SafeSearch settings.
The request was blocked or allowed based on your Targeted Threat Protection Managed URLs list. See the Targeted Threat Protection: Managed URLs page for further details.
The request was allowed. No policy was triggered.
|Failed to Connect|
The web proxy was unable to connect to the web server.
No DNS records of the requested type were found.
|No Such Domain|
The requested domain name does not exist.
A DNS server failed to respond to the query.
The request was blocked by Mimecast.
No additional information.
Once records are displayed in the activity report, you can filter the results to focus on specific actions, discovery ids, and categories. To filter the search results:
- Click on the Filters dropdown menu.
- Select or deselect the required filters. If there are only a few options you wish to exclude, click on the Select all link and then deselect the unwanted options.
- Scroll down and click on the Apply button.
Changing the Report's Data Range
To show activity within a certain date range:
- Click on the Date Range dropdown menu.
- Select the required Date Range (from the past 24 hours to the past 90 days).