Web Security - Activity Report

Updated
This article explains how to use the Activity Report to view logs of DNS and URL requests, and is intended for use by Administrators.

Viewing the Activity Report

You can view the Activity Report by using the following steps:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to Web Security | Activity ReportActivity Report

Changing the Date Range

You can change the Date Range within the Activity Report screen by using the following steps:

  1. Click on the Date Range drop-down.
  2. Select the required Date Range (from the past 24 hours to the past 90 days, or select a Custom Range).

    Activity Report Date Range

Searching for Activity Report Data

You can search for data within the Activity Report screen by using the following steps:

  1. Enter known details in the Search field.
  2. You can optionally click on the All drop-down field to filter the results by:
      • All: No filter is applied, and all records are displayed.
      • User: Searches for the specified user.
      • Device Name: Searches for the specified device.
      • Public IP/Private IP: Searches the specified public/private IP where the request came from.
      • Request: Searches the URL or domain request.
      • Policy: Searches for the specified policy.
  1. Press the Enter key, or click on the Search icon.

Filtering Activity Report Data

The Activity Report data can be filtered to focus on the details of specific activity.

You can filter within the Activity Report screen by using the following steps:

  1. Click on the Filters drop-down menu.
  2. You can:
      • Select one or more Action:
        • Allow: The request was allowed.
        • Block: The request was blocked.
        • Accepted: The user accessed the site by clicking on the Accept Risk and Continue link in the warning.
        • Inspect: The request is being inspected further which may result in it being allowed or blocked.
        • Isolate: The requests that were redirected to a browser isolation container.
        • No Response: The request did not return an IP, so no action was taken.
        • Unfiltered: The record type requested is not processed by Mimecast.
        • Warning: The request presented a warning page.

          Some Operating Systems may query a DNS record type 65 along with the A (IPv4) and AAAA (IPv6). To avoid circumvention of your Web Security policies, Mimecast provides an empty response for type 65 without impacting the protection. If a policy is configured to block a URL, the URL will still be blocked. For reporting purposes, Mimecast logs the query in the Activity Report.

      • Select one or more Discovery Method.
      • Select one or more Category.
      • Select one or more Event.
      • Select one or more Reason.
      • Select one or more Application Name.
      • Select one or more Application Category.
  1. Click on the Apply button.

    Use the Select All/Deselect All links to toggle all selections and make small adjustments.

Customizing Data

All data associated with the Activity Report is displayed in columns, which you can add/remove to enable you to focus on just the data you require.

You can customize the columns shown in the Activity Report by using the following steps:

  1. Click on the gear icon.
  2. Select/deselect the Columns you want displayed:
      • User: Displays the user who the request came from when using the Mimecast Security Agent.

        If you're using the Windows Server OS, the system requests are recognized as NT AUTHORITY.

        If you've turned off Mimecast Security Agent authentication and Transparent User ID or are using network protection only, this column is blank.

      • Device Name: Displays the name of devices using the Mimecast Security Agent.
      • Private IP: Displays the private IP address that the request came from.
      • Category: Displays the category that was allowed or blocked by a category filtering policy. See Configuring a Category Filtering Policy and Policy Categories in Managing Policies.
      • Application Category: Displays the application's category (e.g., Fileshare).
      • Event: Displays the request's protocol. The following values can be displayed:
        • DNS
        • HTTP
        • HTTPS
        • Risk
      • Reason: Displays the reason why the request was allowed or blocked. See list of reasons values.
      • Date/Time: Displays the date and time of the request.
      • Discovery Method: Displays the method used by the Mimecast Security Agent to find the user.

        For a full list of values, see the Identification Process section of Transparent User ID. This functionality forms part of the Mimecast Security Agent and removes the need for users to log into or interact with the Mimecast Security Agent by automatically identifying the domain user's primary email address.

      • Public IP: Displays the source IP the request came from.
      • Request: Displays the URL or domain of the site the user attempted to access.
      • Application Name: Displays the application name (e.g. Dropbox).
      • Action: Displays the action taken on the request. 
      • Type: Displays the type of DNS record or HTTP(S) request.
      • Policy: Displays the type of policy that took action on the request.
  1. Click on the Apply button.

Activity Report columns 

Reason Values

The following values can be displayed in the Reason column of the Activity Report:

Application Name Description
Application Control The request was logged or allowed based on an Application Control Policy in Managing Policies.
AV Infected The download attempt of the web content or files found infected content.
AV Unscannable The download attempt of the web content or files was unscannable by our antivirus engine. This could be due to a variety of reasons.
Block or Allow List The request was blocked by a Block or Allow policy. See Configuring a Block or Allow List Policy in Managing Policies.
Category Filtering The request was blocked or allowed based on the entries in a category filtering policy. See Amending a Policy in Managing Policies.
Certificate Revoked The certificate has been revoked by its issuer.
Connection Failed The web proxy was unable to connect to the web server.
Default Allow The request was allowed. No policy was triggered.
Exception The request was allowed based on the entries in your exception list. See Managing Exceptions.
Extended Proxy The request was blocked or allowed by an extended proxy. See Configuring an Advanced Security Policy in Managing Policies.
Managed URLs The request was blocked or allowed based on your Targeted Threat Protection Managed URLs list. See Targeted Threat Protection URL Protection - Managed URLs.
Newly Observed Domains The request was for a site that is recently observed and is often considered malicious.
No Answers No DNS records of the requested type were found.
No Such Domain The requested domain name does not exist.
None No additional information.
Operational The request was blocked by Mimecast.
Protocol Protection The server's response contained invalid content or content which could be considered a threat.
Risk Accepted The user continued to access the site by clicking on the Accept Risk and Continue link in the warning.
Safe Search The request was modified in accordance with the SafeSearch settings.
Server Failure A DNS server failed to respond to the query.
Similarity Check We've detected the use of special characters to look like other characters in the requested domain.
Suspicious The request was deemed suspicious.

Exporting Data

You can Export Data from the Activity Report, by using the following steps:

  1. Click on the Export Data button.
  2. Select the data Columns to Include in the export.
  3. Select a File Format for the export file.
  4. Click on the Download buttonExport Data from Activity Report

Up to 10,000 items can be exported at a time.

Related to

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.