Browse: Traffic Logs

Examine DNS traffic and effortlessly export limited datasets for further analysis

Traffic Logs

Analyze DNS traffic with precision by narrowing down your search to specific date and time intervals, conveniently adjustable in 15-minute segments.

Easily export selected datasets in CSV format for seamless integration with other tools or for further in-depth analysis.

Enhance traffic logs with Full URL information using the CyberSight Browser Extension, bolstering incident response capabilities for superior troubleshooting and security forensics.

Date/Time Filters

By default, traffic logs are set to display data for the current day between 8:00 AM and 6:00 PM local time for the logged-in user.

There is a checkbox option to quickly expand the time range to All Day

Tools

• CyberSight Logs (Full URL Context)
  • Utilize the CyberSight Browser Extension to gain precise visibility into the websites accessed by users, enhancing troubleshooting and security forensics in incident response
    • CyberSight Logs Toggle: Enable or disable Full URLs in your Traffic Logs, including Quick Filter searches. (Requires CyberSight Browser Extension installation)
    • Export to CSV: Full URL records from CyberSight are seamlessly integrated into your Traffic Logs export, labeled as Event: CyberSight; Allow/Block: URL Event
  • Use Cases:
    • Troubleshooting: Identify and address issues like broken links or slow-loading pages swiftly by pinpointing the exact paths users took, facilitating the determination of root causes
    • Context: Enhance incident response forensics by tracing user paths through websites, aiding in the identification of malicious domains or resources. Gain a clearer understanding of the incident's scope, attack vectors, and implement effective countermeasures to mitigate future risks

• Quick Filters
  • All - All captured DNS requests based on current filter
  • Allowed - DNS requests allowed based on current filtering
  • Blocked - DNS requests blocked based on current filtering
    • Content Blocked - Total number of DNS records blocked by Policy configuration
      • Categories: Web Content Filtering, Application Filtering
      • Websites: Block List
      • Geolocation: Block List
      • Settings: Unclassified Domains, URL Allow List Only

• • • Threat Blocked - Total number of high risk DNS records blocked:
      • Categories: Security Filtering
      • Settings: Risk Level Access (high-risk URLs)
      • Malicious Domain List
  • Unclassified - DNS requests with no categorization by Threat Intel providers

• Export to CSV - export the records to CSV for further analysis

• Refresh - get latest DNS requests based on current filtering
• Toggle Live View - view new incoming traffic every 10 seconds to assist in live diagnostics

Grid Columns

• Endpoint - Name of Endpoint
• Logged in User - User logged on when the DNS record was sent
• Policy - Name of Policy Endpoint is using for Filtering decisions
• Event - Whether DNS was Allowed / Blocked
  • Hover state displays Filtering reason
• Website - The fully qualified domain name (FQDN) of the the DNS request
• Categories - The category the Website is classified as by our Threat Intel
• Date/Time - The relative time the DNS request occurred 
  • Hover state displays complete date/time
• Actions
  • Add to Policy - add the Website to Customer or Global Policy
  • Report Miscategorization - report incorrect categorization of Website to our Threat Intel
    • See: Threat Intel Miscategorizations
  • Ellipsis
    • View Log Entry - view deeper details about the individual DNS request
    • View Policy - view / edit applied Endpoint Policy