Web Content

The Web Content tab provides information on DNS activity hitting the web filters for devices assigned to a policy on your network. You can View events based on domain categorization policies. To export the Web Content Request table data in csv format, click Export. The default file name is security-activity_web-content.csv. Exported data is limited to 50,000 records.

Performing Search Queries

The search feature supports using queries to perform searches using the integrated search query language.  Using the search query language, you can search all records in the Security Events report with customized queries. Using the search query options available in the Web Content report, you can:

• Run a search on any of the following fields:
• ACTION
• CATEGORY
• DEVICE IP
• DEVICE NAME
• QUERY
• POLICY
• USER
• The = and the NOT (!=) operators
• Use AND and OR operators.
• Use single and double quoted to enter values with spaces.
• Use parentheses to group search parts. 
• Use the wildcard symbol (*) as the last character of the search value for a partial match.
• Use the ENTER key to apply search.
• Use the TAB key to autocomplete search with the first available suggestion.

Sample Search Queries

The following are search query examples:

• query=domain.*AND device=52.123*

device=office1.domain OR device=office2.domain.com

Search by the query fields matches values by subdomains. E.g. query = domain.com
matches
'domain.com', 'office.domain.com', 'space.office.domain.com

Filtering the Web Content Tab

To filter Web Content events by specific criteria, select the applicable objects from the following drop-down menus located below the top action menu:

• Action: The configured action for the security rule. This can be Allow, Redirect, Block, or Log.
• Category: The content category against which the device triggered.
• Policy: Active security policies.
• Source: The location of the device within the network infrastructure. For example, the device can be an on-prem appliance or an endpoint device. You can select which records to view by selecting or deselecting from among the options available. 

• Show: Security and activity events can be filtered by choosing an option from the Show drop-down menu. 

  Note

  Depending on the availability of data records, not all filter options may be displayed.

The Web Content table displays the following information by specific criteria. Select the applicable objects from the following column drop-down menus:

• DETECTED: The date the indicator was first detected. 
• QUERY: Displays the domain that sent the DNS queries. You can view the Dossier record of a threat class or property by clickingthe view on Dossier icon associated with a record allows you to view the Dossier threat look-up record of a threat class or property for the selected record. On the Dossier threat look-up page, you can view the Dossier report details for additional information on the selected record.
• CATEGORY: The content category against which the device triggered.
• POLICY: The security policy against which the malicious hit triggered.
• ACTION: The configured action for the security rule. This can be Allow, Redirect, Block, or Log.
• DEVICE NAME: The name of the device.  
• USER: The user that triggered the hit. For remote offices, the portal displays Unknown for these users.

• DEVICE IP: The IP address of the device responsible for the hit.

  Note

  You can enable and disable custom fields by clicking on the icon located in the top, right-hand corner of the table, and selecting or deselecting which custom fields you want to view. All fields can be selected or deselected, or they can be returned to the default configuration by clicking Restore to default GRID setting.

  Export Records

  Click Export to download a CSV file of report records. The maximum number of exported Web Content report records is 50,000.