Web Activity Report

by David Schwalenberg
May 21, 2014

This report presents web activity detected in the last 72 hours, with some 7-day trending. Use it to monitor web accesses and look for suspicious or potentially unauthorized activity.

The report components use the Domain_Summary, Domain_Failure_Summary, and SSL_Cert_Summary events, which all provide lists of domains accessed; searches are performed within these events to find specific domains of interest. Each summary event for a given IP address provides the domains accessed by that IP since the last such event for that IP (which may be as often as hourly). The report components can be altered to add or remove domains of interest as needed. If failed attempts to access domains do not need to be tracked, remove the Domain_Failure_Summary event from the filters in the components.

The report is available in the SecurityCenter Report app feed, an app store of dashboards, reports, and assets. The report requirements are:

  • SecurityCenter 4.8
  • PVS 4.0.1
  • LCE 4.2.2

Note that this report relies on PVS detections being forwarded to the LCE. Make sure that the PVS is configured to send syslog messages to the LCE: in Configuration > PVS Settings > Syslog, include the LCE host (with port 514) in the Realtime Syslog Server List. The LCE listens for syslog messages by default.

For related SecurityCenter dashboards, see the Web Activity Dashboard and the Passive Network Forensics Dashboard.

For a procedure to get sorted lists of websites accessed, see Use SecurityCenter to Obtain a List of Websites Accessed.