Activity Search Report

The Activity Search report helps you find the result of every DNS, URL, and IP request from your various identities, ordered by date and time, descending. It lists all security-related and non-security-related activity for the identities reporting to Umbrella during the selected time period, and lets you refine your search with filters so that you see only what you need. This can help you determine whether there are security issues within your organization that require your attention.

By clicking an identity or destination, you can quickly pivot from this report to the Top Identities and the Top Destinations reports. Each report can also lead you to the Identity Details and Destination Details reports for further information on individual identities and destinations.

Prerequisites

View the Activity Search Report

  1. Navigate to Reporting > Core Reports > Activity Search.
    This takes you to the default view of the Activity Search report, which lists all of your identities and the internet requests, or traffic events, for your organization tracked over time. The default is 24 hours.
  2. Choose a time frame to view the report. You can view the results for the last 24 hours (default), Yesterday, Last 7 Days, Last 30 Days, or a Custom range.
  3. Filter results by the response type.
    Select Allowed or Blocked. By default, nothing is selected, so all responses are shown.
  4. Filter by event type. By default, none is selected, so responses for all event types are shown.
  5. Filter by identity types.
  6. Filter by security categories.
    For more information about security categories, see Security Categories.
  7. Filter by content categories.
    For a full list of content categories, see Content Category Definitions.
  8. Optionally, filter results by search options.
  • Include All Traffic—Includes data from all domains, including high-traffic domains that are filtered out by default.

Configure Columns to Display

To change the layout of the data presented in the Activity Search Report, select Customize Columns and then check or clear the information you want to see displayed and click Apply. You can also drag and drop items in the list to reorder their position on the page.

  • Action—The activity is either Blocked or Allowed.
  • Categories—Content and Security Categories flagged with the activity.
  • Date & Time—The date and time stamp of the activity.
  • Destination—The destination of the activity.
  • DNS Type—The record type for the DNS request.
  • External IP—The external IP address for the activity.
  • Identity—The identity which performed the activity.
  • Internal IP—The internal IP address for the activity.
  • Policy or Ruleset Identity—The identity used to determine which policy applied to this activity.
  • Public Applications—The application involved in the activity, when applicable. The Public Application field only populates for traffic matching policies with Application Controls enabled. If no policies have Application Control enabled, the field remains blank.

From your search results, you can click an identity or destination and go to their respective Identity Details or Destination Details reports.

View Actions

To learn more about the results of your activity search, click the View Actions icon (the blue ellipsis at the right of each item in the search results) for a result and choose an item from the menu.

See Full Details

With View Actions, you can view the full details of each activity result.

The detail fields available depend on the type of event.

Filter Views

Where applicable, certain results can be filtered by the following:

  • Filter by Application
  • Filter by Destination
  • Filter by URL
  • Filter by Identity
  • Filter by External IP