Web Security Service: Reporting Guide

Web Security Service
Reporting Guide
Revision: NOV.07.2020
Symantec Web Security Service/Page 2
Page 3
Copyrights
Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term “Broadcom”
refers to Broadcom Inc. and/or its subsidiaries.
Copyright © 2020 Broadcom. All Rights Reserved.
The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.
Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function,
or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any
liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein,
neither does it convey any license under its patent rights nor the rights of others.
Page 5
WSS Reporting Guide

The Symantec Web Security Service solutions provide real-time protection against web-borne threats. As a cloud-based product,
the Web Security Service leverages Symantec's proven security technology, including the WebPulse™ cloud community.
With extensive web application controls and detailed reporting features, IT administrators can use the Web Security Service to
create and enforce granular policies that are applied to all covered users, including fixed locations and roaming users.
From the WSS portal, generate reports and analyze the results. The reports help you asses the browsing habits of employees
and the integrity of your network environment. Reports are not static; from them you can launch the policy editor and immediately
address issues.
This document provides policy concepts and describes how to use the WSS portal to define policies. It includes high-level and
use case examples.
Table Of Contents
Copyrights 3
WSS Reporting Guide 5

Table Of Contents 6
Learn About Reporting 8

About Web Security Service Reporting 9
What Can I Do From A Report Dashboard? 11
What Can I Do With Reports? 16
Executive Reports 21
Executive Report Attributes 21
Procedure 23
Modify Data 25
Apply a Filter to Report Data 25
Use Case 25
Review Web Use for a Specific User 27
Modify Report Data Views 28
Generate a Report for a Single Element 28
View Detailed Report Information 31
Examine Detailed User or Client Activity 32
Use Cases 32
Change the Graphic Within a Report 35
Use Case 35
Change Visible Report Data 38
Add a Report to a Portal Dashboard 41
Change How Costs are Calculated in Reports 42
Use Case 42
Manage Reports 43
Schedule Report Generation 44
Download a Report to Your System 47
Archive Report Results 48
E-mail a Report 50
Create a Custom Report 52
Use Case 52
Admin Tasks 58
Integrate With CloudSOC 59
Technical Requirements 59
Reporting Guide/Page 7
Procedure 59
CASB Gatelets Solution Only 60
Delete the CloudSOC Integration 62
Create Policy From a Reported User 64
Download Access Logs 68
Web Security Logs 68
CFS Traffic Logs 68
Related Content 69
Reference: Access Log Formats 70
Suppress Personal Information From Access Logs 75
Use Cases 75
Procedure 75
Verify 78
Specify Access Log Retention Duration 79
Reset 80
Receive Alerts from Report Thresholds 81
Triggered Alerts 82
About Portal Retention 82
Request a Website Categorization Review 83
Page 8
Learn About Reporting

The following topics provide information about reporting.
n "About Web Security Service Reporting" on page 9
n "What Can I Do From A Report Dashboard?" on page 11
n "What Can I Do With Reports?" on page 16

About Web Security Service Reporting

Reviewing Web Security Service reports allows you to gain insight as to the types of traffic flowing through the network and to
validate that the current policies are enforcing acceptable web-use and are protecting your network from malicious code. For
example, you might determine that some blocking policy is too restrictive or that one user is spending too much time browsing
non-productive websites. Use the data to adjust policies or remind users of acceptable Web use.
As users browse web content from within the corporate firewall or as a remote user, WSS performs policy checks and allows or
blocks content per the verdict.
Your service account saves access logs and reporting data based on the WSS product.
n Web Security License
o Access log data: 100 days
o Reporting data: 100 days
n Hosted Reporting License
o Access log data: 1 year
o Reporting data: 1 year

What Can I Do From A Report Dashboard?

Each Web Security Service Dashboard displays high-level summaries of web browsing activities as they apply to the selected
module. Additionally, the Overview dashboard provides commonly monitored summaries from all modules.
Expand the following sections to learn about Dashboard features.
Summary Wide Widget

Each Dashboard displays a summary wide report widget.
This series of applicable reports provide instant data summaries of the activity related to the selected Dashboard.
n Dashboard > Overview—A mix of web requests, blocked content, and malware detection.
n Dashboard > Content Filtering—Summaries specific to web browsing, web applications, and bandwidth.
n Dashboard > Threat Protection—Summaries specific to malware detection.
n Dashboard > Product—Some add-on products yield their own Dashboards. For example, the Cloud Firewall Service.
By default, the date range is data collected over the previous seven days. You can change that value to one day or thirty days.
Furthermore, each summary report has a variance label; that is, how much activity has increased or decreased during the
previous selected day intervals. If you, for example, see that Web Apps Used has jumped 200% over the previous week, click
the summary to gain further data for analysis.
Clicking a summary report displays the full data array.
Analyze Data
Dashboards present data in graphs and/or tables. You can change the date range (for the entire dashboard view), change the
graphic style for each report widget, and rollover or click report elements to view more details.
More information:
n "Change the Graphic Within a Report" on page 35.
n "View Detailed Report Information" on page 31.
Customize Dashboard View

To display the data most important to your monitoring goals, add, move, or delete summary reports.
More information: "Add a Report to a Portal Dashboard" on page 41.
Create a Policy Rule

The upper-right corner of Dashboards contains a drop-down called Common Tasks. From this list, select Add Content Filtering
Rule, which takes you directly to the policy editor.
Access Other Reports

The upper-right corner of Dashboards contains a drop-down called Common Tasks. From this list, navigate to other reporting
features. Create a custom report, investigate with a forensic report, and quickly access targeted summaries.
More information:
n "Create a Custom Report" on page 52.
n "Examine Detailed User or Client Activity" on page 32.
Configure the Portal

If you do not see this option, you do not have Admin User privileges. The upper-right corner of each Dashboard contains a drop-
down called Common Tasks. From this list, navigate to pages that provide configuration options regarding the operation of the
WSS portal.
What Can I Do With Reports?

The Web Security Service reports display information based on either pre-defined criteria or custom criteria. Each report
contains several features that allow you to manage how reports are analyzed and distributed.
Expand the following sections to learn more about report features.
Change Report
Most predefined reports display results that include a wide scope of data. When reviewing report results, you can apply filters
to limit the scope of the results. Also, when you change the scope of the reports, the default graphic might not best represent
the new data set.
More information:
n "Apply a Filter to Report Data" on page 25.
n "Change the Graphic Within a Report" on page 35.
View More Details

There are two ways to view more details.
n Hover over a graph element to view details. Click a graph element to segment it or select a data row in the table below
the graph and select Drill. From the Drill drop-down, select an element to isolate the data view. For example, in the
Risk Groups report, you want to more information regarding detected Non-Productive requests.
n Click any blue link to see more details related to the item, such as who performed requests, site names, applications
used, and more.
Change Inclusive Date Span

By default, each report displays data for all dates contained in your reporting database (up to the limits of your purchased
product). Each report provides the inclusive dates just below the report title. Click this link to select a commonly used time
frame, such as Current Month or Previous Week.
To change criteria other than just dates, select Custom.
Zoom In/Out On Date-Driven Reports

In date-driven reports, you can right-click a data row and select Drill > Zoom ....
Manage Reports
Each reports contains options that enable you to schedule automatic generation times, save as a file, and send to others.
More information:
n "Download Access Logs" on page 68.
n "Archive Report Results" on page 48.
n "Schedule Report Generation" on page 44.
n "E-mail a Report" on page 50.
Perform an Action Based on Reporter Data

Some reports have an Action drop-down, which allows you to select an action based on specific report data. You can see if a
selected element already exists in a policy rule. You can also select report data and create instant policy.
The Web Browsing Per Site report provides two additional options: view a selected site in a new browser tab and request a
categorization review categorization of a site.
More information:
n "Create Policy From a Reported User" on page 64.
n "Request a Website Categorization Review" on page 83.
Run Large Reports in the Background

Some reports, might require a considerable amount of time to generate. Examples of these reports are ones that must scan
non-numerical counter data, such as verdicts. Before generating these types of reports, the portal prompts to you Run Report
or Archive in Background as a PDF, spreadsheet compatible file (CSV), or XML editor compatible file.
The Archive in Background option allows you to begin the report generation and perform other tasks while waiting for the
report to complete. Furthermore, you can log out of your account and return later. When it is complete, the portal provides the
report on the Reports page in the Recent Archive Reports area.
Executive Reports
The myriad of Web Security Service reports provide data that is consumable by IT security professionals who are tasked with
analyzing, diagnosing, and remedying security hotspots and web use policies. The WSS Executive Report is designed for CIO
or other executives who request to see high-level security activities and trends in a format that is more presentable, professional,
and shareable.
Executive Reports capture data on a calendar-month basis. The ideal time to generate a report is at the beginning of new month
to obtain the previous month's data. You have the option to Archive the report or Email to recipients.
Executive Report Attributes

n Executive Reports uses telemetry from Google Analytics on frequently executed reports to prioritize presented data. The
report indicates the total transactions processed and promotes the protection from potential threats.
n The report is pre-defined and cannot be modified. The report provides an overview of all subscribed services within your
WSS account. For example, Cloud Firewall Service and Malware Analysis. The report also contains sections for
products currently not licensed, but with verbiage indicating the product is not active.
If your WSS account is not provisioned with an available add-on, the report contains a paragraph that explains the
product. For example—
Web Isolation—Your business has not activated Web Isolation. This service is required to
protect your organization from advanced threats targeting your end user’s web browsers and
email applications. Without Isolation, your business is exposed to these types of attacks.
n High-value reports, such as sandbox detonations and web isolations (if licensed), are differentiated and depicted clearly.
Procedure
1. Navigate to Report Center.
2. Select New Report > New Executive Report.
3. Complete the fields in on the Run Executive Report page.
a. Name the report; this name will be the report link in the portal.
b. Enter the Cover Title; this name will be on the first page of the generated report.
c. Select the Report Period. WSS retains past months for re-generation.
d. Select the Delivery method(s).
o Archive Report—WSS places the report link the Recent Archived Reports applet, which is available on
the Report Center page.
o Email Report—Enter recipient email addresses (separated by commas). Upon report complete, WSS
emails the report.
e. Click Run Report. The portal displays a message in the upper-right corner that the report generation has begun.
Tip: The Executive Report requires a longer generation time than standard reports.
Page 25
Modify Data
The following sections describe how to change how the WSS displays reported data within reports.
n "Apply a Filter to Report Data" below
n "Review Web Use for a Specific User" on page 27
n "Modify Report Data Views" on page 28
n "Generate a Report for a Single Element" on page 28
n "View Detailed Report Information" on page 31
n "Examine Detailed User or Client Activity" on page 32
n "Change the Graphic Within a Report" on page 35
n "Change Visible Report Data" on page 38
n "Add a Report to a Portal Dashboard" on page 41
Apply a Filter to Report Data

Most predefined Web Security Service reports display results that include a wide scope of data. When reviewing reports results,
you can apply filters to limit the scope of the results.
Use Case
You run the Blocked Requests by Category report, which by default displays all categories that were blocked by policy (verdict
= denied). You are curious to see the top ten users who were denied because they attempted to browse mature content websites.
Procedure
1. From any report, select Options (icon) > Report.
The portal displays the Report Options dialog.
2. In the Summarize By area, determine by what criteria the report summarizes.
a. For the above use case, keep Category as the primary summary datapoint. Define how many rows (per selection)
per page display.
b. (Optional) You can add one additional summary level by clicking Add Level. In this example, you want to see the
top ten users per category.
3. In the Filter area, specify the date range and additional criteria.
a. For the Date is criteria, specify what date range the report covers (if WSS did not process data for the specified
date range, the report is blank).
b. The filter automatically contains the default intent of the original report. In the above example, the Blocked
Requests per Category report applies the Verdict contains denied (policy denied) filter. Click Add Criteriato
add a new line. You can add multiple lines; the more you add, the more targeted the report becomes.
c. Select the filter category. To continue with the example, select Category, is, and Adult/Mature Content. Click
the + icon to add more Category filters. This examples searches for all denied verdicts because of four specific
mature content categories.
4. Click Save. The filtered report generates and displays. If the filter did not result in useful data, repeat and adjust the
filter.
5. Click links within the report, such as user names, to view even more detailed information.
6. To change the report graphic, select Options > Chart.
7. If the report is useful and you want to retain it or disseminate it, see "What Can I Do With Reports?" on page 16
Review Web Use for a Specific User

Web Security Service reporting allows you to isolate the browsing activity of a single user.
1. Navigate to any Dashboard.
2. Select Common Tasks > Report Tasks > User Overview. The service displays the User Overview dialog.
3. From the drop-down list, select a user and click Run Report.
Modify Report Data Views

The Web Security Service provides dozens of pre-defined reports. You can modify each report according to your reporting goals,
such as filter results, alter the data graph, or change the cost calculations. To learn more, select a topic link.
n "Apply a Filter to Report Data" on page 25
n "Change the Graphic Within a Report" on page 35
n "Change Visible Report Data" on page 38
n "View Detailed Report Information" on page 31
n "Change How Costs are Calculated in Reports" on page 42
Generate a Report for a Single Element

Most of the base Web Security Service reports provide multiple data elements per report. You might find a need a isolate a single
element for a one-time report or recurring scheduled report. For example, you want to run a report that lists activity per location.
2. Click Run Simple Report and select an option.
The portal generates and displays the selected report.
Optional Actions
You might decide the data in this report is worth seeing on a continuing basis.
1. Apply a weekly filter option.
For more details about report filters, see "Apply a Filter to Report Data" on page 25.
2. Configure the portal to send you the report on a weekly basis.

Tip: For Simple Reports, the portal prompts you to save the report before you can set a
schedule.
For more details about scheduling, see "Schedule Report Generation" on page 44.
View Detailed Report Information

Every generated Web Security Service report contains dynamic elements that allow you see more details for a given
component. These elements include Links and Drill Downs.
Links
Click any blue-colored link.
Drill Down to a Specific Element in a Report

Select a data row and click the Drill drop-down list.
Select an element to view (not all elements are available for all reports). For example, in the Web Browsing per Category
report, you see there were several requests for Shopping category sites and you want to see which users requested them.
Select Drill > User.
Examine Detailed User or Client Activity

The Web Security Service provides a forensic report option that displays information about a specific user, client, category, or
website.
Use Cases
n Someone at your company observed a visiting vendor, who was logged into your guest network, browsing offensive Web
locations. You want to run a report for that day so you can forward it to the vendor and ask that future visitors refrain from
such activity.
n You suspect a particular client is infected with malware and you want to see a detailed report for all activity as it relates to
that client.
n You want a browsing behavior breakdown for one specific user.
Procedure
1. Two locations provide access to the Forensic Report:
n Any Dashboard link, select Common Tasks > Report Tasks > Forensic Report.
n The Report Center page, select New Report > New Forensic Report.
2. In the New Forensic Report dialog, enter the generation criteria. You can select any or all of the options.
a. Select a User; if you know the username, begin typing to use auto-fill. This examples looks for unauthenticated
users.
b. To restrict the report to a single client, select or enter a Client IP.
c. To restrict the report to single Category, select or enter one. This example displays results for unauthenticated
users who browsed Adult/Mature Content sites.
d. To restrict the report to a known destination Site, select or enter one.
e. To specify a time frame of user activity, select a Date is option. This example uses the Custom option and
isolates the day when the visitor was on campus.
f. Click Run Report.
Using the specified criteria, WSS generates and displays The Full Log Detail report.
n If the report does not display the desired data set, select Reports > Close <report> and repeat the procedure with other
search criteria.
n If the report satisfies your needs, save and disperse as required. See "What Can I Do With Reports?" on page 16.
Change the Graphic Within a Report

Each generated Web Security Service report displays a graph that Symantec selected as the most effective for the data. You
have the option to change not only the graphic, but the data that WSS uses to generate the graphic.
Use Case
The Search Engines > Reports > Web Applications report by default generates a pie chart based on total requests for each
application; however, you want to change the report to view the data in terms of costs.
Procedure
1. Generate any report.
2. Next to the report name, select Options > Chart (gear icon). The portal displays the Options dialog.
3. In the Options dialog, select the components of the new graph.

a. From the Chart Type drop-down, select a graph style.
b. The Chart the currently-sorted column option means the graphic compiles using the default data point. For
example, a ...Per User reports yields a graph based on user names but the report also contains other data
columns. To change the graph source data, select Chart the following column and select an option or options.
c. Click Save.
Some graph types, such as Pie, cannot contain more than one data element. WSS displays an error dialog if it
cannot comply with your selections.
The service displays the new graph.
4. (Optional) WSS does not retain the changed graph (when you exit the session) unless you manually save the report as a
new report or archive the results. To save the report, click Save icon and specify where to save it.
a. Name the new report.
b. Select which Group to save it in. If you save it in My Groups, only you can generate the report. If you save it in
Shared Groups, anyone with access to this WSS account sees the link and is able to run the report.
c. Click Save.
Change Visible Report Data

Each Web Security Service report displays data according to defaults set by Symantec. You can set how data is represented in
each report.
Change the Columns

Each report displays default data columns based on the Access Log data for that specific report. For example, User Names for
user-based reports. To remove columns from view or add (valid) additional columns, click a drop-down arrow in any column
header, select Columns, and select which column to hide/show.
Tip: The graph does not change. To change the graph to show the same data, click Options
> Chart. See "Change the Graphic Within a Report" on page 35.
Change the Sort Order

By default, each report displays data according to the key report data point in descending order (highest value first). To alter the
sorting, click any column header bar. The column you select becomes the key data point for the report and the blue arrow next
to the column name indicates the sorting order: ascending or descending.
(Optional) Save the Altered Report

WSS does not retain the changed graph (when you exit the session) unless you manually save the report as a new report or
archive the results. To save the report, click Save As and specify where to save it.
1. Name the new report.
2. Select which Group to save it in. If you save it in My Groups, only you can generate the report. If you save it in Shared
Groups, anyone with access to this WSS account sees the link and is able to run the report.
3. Click Save.
Add a Report to a Portal Dashboard

The Web Security Service provides multiple report Dashboards. The Overview dashboard provides commonly monitored
summaries from all modules. Other Dashboards provide solution-centric information. For example, Content Filtering and
Threat Protection (malware) each have Dashboards. Some WSS add-on products, such as Cloud Firewall Service, have a
Dashboard when provisioned.
Each Dashboard displays its own set of default reports, which are high-level summaries. To customize your Dashboard view,
add other reports.
1. Access any Dashboard.
Tip: The Overview > Add Report menu contains more high-level choices.
2. Click Add Report and select the report to add.
3. If necessary, move reports or delete other reports, as described in "What Can I Do From A Report Dashboard?" on
page 11.
Change How Costs are Calculated in Reports

By default, the Web Security Service uses the United States currency value of $0.10 to calculate the estimated costs
associated with user Web browsing. The Bandwidth Costs Per... reports calculate the data based on this value (also available in
other reports as an option).
Change this value if:
n You want to increase the estimated cost of Web browsing.
n You want to change the currency to one used by another country.
Note: This requires the Admin User role.
Use Case
In an IT role, you are responsible for determining how much to back-bill Internet use costs to various departments.
Procedure
1. Navigate to Account Configuration.
2. In the Reporting Settings area, click Cost Calculation for Reports.
3. Change the cost calculation, as required.
a. Select a different Currency.
b. Change the Cost per GB. Set the rate that your company uses to charge for bandwidth.
c. Some reports have columns for data based on Costs per hour. Set that bulk rate here.
4. Click Save.
Page 43
Manage Reports
Configure when reports run and what actions are available for reports.
n "Schedule Report Generation" on page 44
n "Download a Report to Your System" on page 47
n "Archive Report Results" on page 48
n "E-mail a Report" on page 50
n "Create a Custom Report" on page 52

Schedule Report Generation

If personnel in your company are required to see the same Web Security Service report on a periodic basis, schedule when the
reports generate and configure the service to save the file or e-mail it.
You can generate the report in one of three formats:
n PDF—Opens with Adobe Acrobat/Reader.
n CSV—Comma-delineated file that opens with a compatible spreadsheet application (such as Excel).
Tip: If the generated report begins with incorrect characters—for example: ï»¿Category—

switch to the CSV (Raw) format.
n XML—Exports report data in standard XML format to be opened by external applications.
Procedure
2. Two locations provide access to the scheduler:
n Individual report pages—click the Schedule icon.
n The Report Center and Reports links—select Schedule from the Actions drop-down lists.
3. Specify the schedule.
a. Select the Format that the report saves as PDF, CSV or CSV (Raw), or XML.
b. Select the Action to take when the report generates:
n Archive report to server—WSS saves the generated report and displays it in the Recent Archived
Reports area on all Reports link tabs.
n Send report by email—WSS generates the report and sends it to the specified recipient(s). This is an
effective way to send targeted information to different personnel who are responsible for managing or
monitoring specific information.
c. Select the number of Rows. If using the E-mail action, consider size limitations of the recipient's inbox.
d. Specify when and how often the report generates.
n Select the Frequency: Daily, Weekly, or Monthly.
n Select the Run Time, which is the hour of the day.

n Select a Run Day option to specify on which day, in conjunction with the Frequency, the report runs (this
option does not display if the Frequency is Daily).
n If you set the Frequency to Weekly, select a day of the week.
n If you set the Frequency to Monthly, select the First Day or Last Day of the month or a Custom
day. Important: If you select the Last Day option, the report runs on the final day of month
regardless of the number of days. For example, February 28th or July 31st. If you require a strict 30-
day interval for the data, see the next option.
e. Select a Date Filter. The Previous option changes to match the Frequency selection. The All dates option
generates the report using the date filter that is applied to that report.
f. Accept the default Description or enter a custom one.
g. Click Schedule.
Download a Report to Your System

The Web Security Service allows you to download a copy of any report to your local system. For example, you want the report
in a file format that you can merge into other documents. You can combine multiple PDFs or copy results from a spreadsheet
into another project spreadsheet.
You can download the report in one of three formats:

Procedure
2. In the upper-right corner, click the Download icon. The portal displays a Download dialog.
a. Select the report Format.
b. Specify how many Rows display in the report. For example, you are only concerned with the top 20 results.
c. Click Download. WSS displays a dialog prompting you to select which application opens the file.
3. Open the file with the appropriate application and save the file to your system.
Archive Report Results

As you generate and review Web Security Service reports, you might decide to save the report results on the system and return
to the file at a later time. For example, you are generating several reports types and will determine which one is the more relative
to forward at the conclusion of your analysis.
You can save the archived report in one of three formats:

Archive Procedure
2. In the upper-right corner, click Archive. The portal displays the Archive dialog.
b. Specify how many Rows the report displays. For example, you are only concerned with the top 20 results.
c. Click Archive. WSS generates the report in the selected file format.
The portal displays the report in the Recent Archived Reports area on the Report Centner page. Click the View All Archived
Reports Link to display a dialog in which you can navigate these reports.
From here, you have the option sort by process, to Delete the report, Download the report for yourself or to send to others, or
View the report in the saved format (requires Adobe Acrobat/Reader, a spreadsheet application, or an application that reads
XML).
E-mail a Report
The Web Security Service allows you to e-mail a copy of any report to one or more recipients. For example, you notice an
unusual spike in a particular traffic type and you want to inform others in your organization.
You can e-mail the report in one of three formats:

Procedure
2. In the upper-right corner, click Email. The Email dialog displays.
b. Specify how many Rows the report displays. For example, you only want to send the top 10 results.
c. Enter To whom receives the e-mail. Enter commas to separate multiple recipients.
d. The default Subject is the title of the report. Accept the default or add/replace text. For example, Requires
immediate attention: social media traffic spike.
e. Click Email.
Create a Custom Report

Although the Web Security Service provides dozens of pre-defined reports, you might have the need to create a new report that
focuses on exact parameters. The WSS portal provides a wizard that creates custom reports. For each new report, you define:
n What type of data the report summarizes (for example, a specific user).
n Specific dates or other refining filters.
n The look of the report (for example, the graphic type or number of columns).
Use Case
For example, to analyze suspected acceptable web use abuses, you want to generate a report that lists, by location, the verdicts
denied by policy that occurred over a time frame for four specific users.
Procedure
The following procedure illustrates all aspects of the New Report wizard and provides examples according to the above
Use Case.
1. There are two methods to begin the New Report wizard.
n From any Dashboard, select Common Tasks > Report Tasks > New Report.
n From any Reports page (not individual reports), click New Report.
2. The first page of the wizard, Report Information, prompts you to define up to two summary fields (how the new report
sorts) and specify how many entries display for each field.
a. Name the report. For example, User Investigation.
b. Select the first Summarize By sorting criteria. To add a second level sort criteria, click Add Level. To continue
with the Use Case stated in the introduction above, this report summarizes by Location.
c. Click Next.
3. The second report construct is Set Report Filter. Specify the time span of data from which to generate the report and
select the data points that display in the report.
a. (Optional) The default Date range is All Dates. This means the report generates up to 90 days, which is the
current WSS maximum storage capacity. To narrow the time span, select a Date is option and use the calendars
to specify the range. Show option descriptions...
n Since—Generate the report for all dates since the specified date.
n Before—Generate the report for all dates after the specified date.
n Current—Generate the report for the same hour(s), day(s), week(s), or month as when the report runs.
n Previous—Generate the report for the previous specified hour(s), day(s), week(s), or month.
n Current and Previous—Generate the report that includes the current hour(s), day(s), week(s), or month
plus the previous specified same unit .
n Custom—Generate the report for a specified date range.
This example specifies a Custom date range.
b. (Optional) Add filter criteria. This is what limits the scope of the custom report.
n The first field is the data point. For example, User, Client IP, or Protocol.
n The second field is the matching condition. Show condition descriptions...
n Is—The report includes data for the matching value(s).
n Is not—The report includes data for all values except the specified value.
n Contains—Only display data that matches the specified string. For example, User Agent >
Contains > Firefox.
n Does not contain—Display all data that does not contain the specified string.
n Starts with—Display all data that begins with the specified string.
n Does not start with—Exclude all data that begins with the specified string.
n Ends with—Display all data that ends with the specified string.
n Does not end with—Exclude all data that ends with the specified string.
n The third field is a specific matching value that either you enter or you select. This depends on the
combination of the selected data point and filter criteria. For example, if you select User and Is and have
authenticated users, select a matching value from the populated list. If you select User and Contains,
you must enter the matching value.
c. Click the + icon to add more than one matching entry per data point
d. (Optional) Click Add Criteria to add more conditions.
This Use Case specifies four User names and adds Verdict is policy_denied criteria.
e. Click Next.
4. The third report construct is how many data columns display.

a. Select which columns display in the report.
b. Select which column is used to sort and selecting Ascending (highest value first) or Descending (lowest value
first).
c. Click Next.
5. The fourth report construct is the type of graph displayed in the report. Select the graph type that you believe best serves
the report data. From within the generated report, you have the option to turn off the graph display or change its type.
The default option is for the graphic to display data according the what was selected as the Sort By option in Step 5.b. To
change this default, click Chart the following columns and select options.
Click Next.
6. The report is ready to run. You have two options.

n To run this report one time, clear the Save report to report list for running later option and click Run Report.
n To run this report again in the future, select a visibility option:
n Select a group from My Groups. The report displays in the selected group, but only you are able to run it.
n Select a group from Shared Groups. The report displays in the selected group and is visible to anyone
with WSS portal access credentials.
7. Click Run Report.
If the generated report does present expected results, select Options > Report (next to the report name) and alter the criteria.
See the Related Topic link for more information.
Page 58
Admin Tasks
The following tasks are available to WSS administrators.
n "Integrate With CloudSOC" on page 59
n "Create Policy From a Reported User" on page 64
n "Download Access Logs" on page 68
n Suppress Personal Information From Access Logs
n "Specify Access Log Retention Duration" on page 79
n "Receive Alerts from Report Thresholds" on page 81
n "Request a Website Categorization Review" on page 83

Integrate With CloudSOC

Symantec provides two CASB integration solutions with the Web Security Service:
n CASB Gatelets—Full WSS web security solution with enhanced web application from the CloudSOC service.
n CASB Gateway—CASB-only solution where CloudSOC receives user identity and traffic from WSS.
After you obtain the CASB license, you must perform the task to integrate WSS with the CloudSOC portal.
Technical Requirements
n When you purchase the CASB license, the admin on record receives an e-mail from Symantec that contains the
Integration ID. You must have this ID to register. The Integration ID is not the same number as your WSS Subscription
ID.
n This procedure describes how to integrate with an existing CloudSOC portal account. If you have not onboarded
CloudSOC, do so before continuing with this procedure.
Procedure
1. Navigate to Account Configuration > Products & Licensing.
2. In the Linked Products area, click CloudSOC CASB.
3. Define the integration information.

a. Enter your Company Domain.
b. Enter the Integration ID sent you by Symantec.
c. IMPORTANT—Select the appropriate Data Storage Location for your location. You cannot change this value
after setup.
d. Select how many Months of Data to Track. The current maximum is 3, which means you can view reports that
contain data from no more than the three previous months.
e. Click Save.
CASB Gatelets Solution Only

The following sub-sections apply only to the CASB Gatelets solution only. If you have the CASB Gateway solution, continue
with the CloudSOC documentation topics.
Web Application Policy
As web traffic flows through your network, you now have the ability to define granular block/allow and other actions on the tens
of thousands of detected web applications.
View CASB-Related Reports
As WSS processes traffic, you can view specific reports that provide insight into web application traffic traversing your
network.
Navigate to Report Center. The following reports contain reports enhanced by the CASB Audit Service.
n Applications by User
n Applications by Client IP
n Blocked Web Applications
n Web Application Actions
Add Reporting Users

WSS Administrators can add other users and designate them as Reporting Users. These users can only view reports—they
cannot change configuration settings. When a Reporting User accesses the CloudSOC Service from the WSS portal, the audit
service uses the credentials to create a Reporting User role.
Add new users on the Account Configuration > Administrators page.
For more information, search for roles in the help.
Access the CASB Audit App

The top of the WSS portal has a drop-down arrow next to your Admin name. Select Cloud App Audit.
When you click Cloud App Audit link, the CloudSOC opens in a new browser tab.
The Dashboard displays high-level data. Click Store.

The store is where you enable web applications and define domains and policies that are then sent to the WSS portal and made
available in policies.
To learn more about implementing web application configurations and monitoring user activities, consult the CloudSOC Help
system and other relevant Symantec documentation.
Delete the CloudSOC Integration

You can delete the WSS/CloudSOC integration. Be advised that this might cause adverse issues with other WSS
components. Symantec will provide best practices as they are developed.
Click CASB CloudSOC in the Linked Products area.

Click Delete Integration.

Create Policy From a Reported User

As you generate and view Web Security Service reports, you might observe suspicious activity from a client or user and want
to instantly create a policy directly from the report.
This feature is only supported in reports that represent singular users, clients, and so on. Reports that display trends, for
example, do not have this feature. Consider the following two use cases.
Use Case—Infected Client

You are reviewing the Potential Malware Infected Clients report and notice a large amount of suspicious activity from a
specific client. You can instantly apply policy to block that client until you investigate and resolve.
1. Navigate to Report Center and generate the Potential Malware Infected Clients report (from the Security area).
a. Select graphic element or table row. This is the user or client that requires a policy change.
b. In the table header, select Actions > New Policy Rule. The service displays the New Policy Rule dialog.
2. Define the policy.
The policy editor automatically adds the suspect IP address to the Sources construct. Set the Verdict to Block and click
Add Rule.
3. The policy creation switches the view to the Content Filtering page. Your new rule is viewable in the order added. If
necessary, move it to another spot in the list (click the number link). For example, you want a rule for an individual to be
evaluated before a group rule.
You must click Activate to enable the policy.
4. When you resolve this issue and want to restore the client back into production, return to this page, select the rule, and
click Delete (or you can click Disable to temporarily halt the enforcement of a rule).
Use Case—User Misconduct

When browsing a user report, you notice that a particular user is abusing Web privileges and you want to create a policy that
coaches this person.
1. In Solutions Mode, select Content Filtering > Reports and generate the Web Browsing per User and Category
report.
a. Scroll and scan the report to identify which users require coaching.
b. Select a row that requires coaching.
c. In the table header, select Actions > New Policy Rule. The service displays the New Policy Rule dialog.
2. Define the policy.

a. For this example, set the Verdict as Allow With Coach.
b. Click Add Rule.
3. The policy creation switches the view to the Content Filtering page. Your new policy is viewable in its proper place in the
order of policy.
You must click Apply to enforce the policy. Also, to see the current coaching message that is sent to users who trigger
the policy, click the Edit icon in the Verdict column.
Download Access Logs

As Web Security Service processes web traffic requests and transactions, it stores the hourly access logs in the service. The
service allows you to download these raw log files as zip files. The files contain selected one-hour log files or daily log files that
contain all 24 one-hour log files.
Web Security Logs

You can download access logs that provide data for web security. The web proxy in WSS datacenters generates these logs.
The log files are aggregates of all configured locations that feed into WSS.
Consider the following use cases:
n For WSS, the logs are retained for 100 days in the reporting database. When this milestone is reached, WSS begins
deleting log file data on a daily basis, beginning with the oldest day. Download the logs for your own archiving purposes
before WSS deletes them.
n You have the Symantec Reporter product and you want to use it to reprocess specific logs. You must use Symantec
Reporter 9.x Enterprise Edition or Symantec Reporter 10.1.5.
Tip: If you have access to the Hosted Reporting product, you can re-upload the logs back to
WSS. Be advised that the service cannot recognize data it has previous processed. If you
upload logs that contain previously processed data, the result is bloated data—that is, the
reports display double the previous values. Take care to manage your download log files.
CFS Traffic Logs

If your account is provisioned with the Cloud Firewall Service (CFS), you can also download the access logs derived from
CFS traffic. Save the logs for records, compliance, and to use with other reporting applications.
Download Raw Access Log Files

1. Navigate to Account Configuration > Log Export.
2. Expand the Log Download area.
3. The default Data Source is SG (the proxy logs for web filtering). If your account has the CFS license provisioned, you
can select CFS Traffic.
4. Specify the download format that your external log reader requires. You also have the option to add or remove log fields
from the downloaded access log files:
a. Click View/Edit. The portal displays the Log Download Settings dialog.
b. Select the Export Type: CSV or ELFF.
c. (Optional) Use the field controls to add or remove log fields from the download file(s).
d. Click Save.
5. Use the date filters to isolate the data collection period.
6. Click Download.
Be advised that the amount of time required to create the download can vary. The selected number of days and log fields
influence generation time.
7. Upon completion, the portal adds the file to the viewable list. You can save a file to your local system or other location.
Process Logs With Symantec Reporter 9.x or 10.1.5+

The zip file contains *.log.gz files. Each file represents an hour (received time stamp) of data and can be directly imported into
Reporter. To use Reporter to process raw WSS log files, perform the following steps:
1. Save or FTP the raw access logs to the server from which Reporter is configured to process. Consider creating folder
names that identify the files; for example, Cloud_Archive.
2. In Reporter, create a new database (Administration: General Settings > Reporter Settings > Data Settings

> Databases).
3. Set the Log Source as the folder you created for the WSS logs.
Related Content
n About the Cloud Firewall Service
Reference: Access Log Formats

As internet traffic occurs, the WSS records every transaction in Access Logs, which are stored on assets in the datacenters.
The WSS takes the data from various, relevant Access Log fields to render reports.
If you are downloading the Access Logs to use with Splunk or a third-party reporting application, you might need to know the
Access Log fields for mapping references.
Note: In the following table, proxy refers to a proxy appliance in the WSS datacenter.
Extended Log
Description
Format
x-bluecoat- Tenant ID for the request.

request-
tenant-id
x-bluecoat- Configured name of the appliance

appliance-
name
date GMT Date in YYYY-MM-DD format.
time GMT time in HH:MM:SS format
time-taken Time taken (in milliseconds) to process the request (from the first byte of client request data received by the
proxy, to the last byte sent by the proxy to the client, including all of the delays by ICAP, and so on)
c-ip Client IP address.
cs-userdn Full username of a client authenticated to the proxy (fully distinguished).
cs-auth- List of groups that an authenticated user belongs to. Only groups referenced by policy are included.
groups
x-exception- Identifier of the exception resolved (empty if the transaction has not been terminated).
id
sc-filter- Deprecated content filtering result: Denied, Proxied or Observed.

result
cs-categories All content categories of the request URL.
cs(Referer) Request header: Referer
sc-status Protocol status code from appliance to client.
s-action What type of action did the Appliance take to process this request; possible values include ALLOWED, DENIED,
FAILED, SERVER_ERROR.
cs-method Request method used from client to appliance.
rs(Content- Response header: Content-Type.

Type)
cs-uri-scheme Scheme from the 'log' URL.

Extended Log
Description
Format
cs-host Hostname from the client's request URL. If URL rewrite policies are used, this field's value is derived from the
'log' URL.
cs-uri-port Port from the 'log' URL.
cs-uri-path Path from the 'log' URL. Does not include query.
cs-uri-query Query from the 'log' URL.
cs-uri- Document extension from the original requested URL.

extension
cs(User- Request header: User-Agent.

Agent)
s-ip IP address of the appliance on which the client established its connection.
sc-bytes Number of bytes the appliance sent to the client during the playspurt.
cs-bytes Number of bytes sent from client to appliance.
x-data-leak- Whether a data leak has occurred, according to the ICAP response.
detected
x-virus-id Identifier of a virus if one was detected.
x-bluecoat- ID of the cloud service customer site.

location-id
x-bluecoat- Cloud service location name of the ProxySG appliance.

location-name
x-bluecoat- Method used to access the cloud service.

access-type
x-bluecoat- Reports the application name.

application-
name
x-bluecoat- Reports the operation of an application.

application-
operation
r-ip IP address from the outbound server URL.
r-supplier- n Reports the country of the IP address to which the WSS connected.
country
n If the WSS connection did not occur—for example, the transaction was denied based on an earlier
condition such as URL category, the field indicates the country that the service would have tried to
connect to first. That is, the country of the first IP address returned from a DNS resolution of the server
URL's host.
x-rs- Result of validating server SSL certificate.

certificate-
validate-
status
Extended Log
Description
Format
x-rs- Errors observed in the server certificate.

certificate-
observed-
errors
x-cs-ocsp- An error was observed during the OCSP check for a client certificate.
error
x-rs- Version of the SSL protocol negotiated for the server connection.
connection-
negotiated-
ssl-version
x-rs- OpenSSL cipher suite negotiated for the server connection.

connection-
negotiated-
cipher
x-rs- Ciphersize of the OpenSSL cipher suite negotiated for the server connection.
connection-
negotiated-
cipher-size
x-rs- Hostname from the server's SSL certificate.

certificate-
hostname
x-rs- All content categories of the server's SSL certificate's hostname.

certificate-
hostname-
categories
x-cs- Version of the SSL protocol negotiated for the client connection.
connection-
negotiated-
ssl-version
x-cs- OpenSSL cipher suite negotiated for the client connection.

connection-
negotiated-
cipher
x-cs- Ciphersize of the OpenSSL cipher suite negotiated for the client connection.
connection-
negotiated-
cipher-size
x-cs- Subject of the certificate presented by the client.

certificate-
subject
cs-icap- ICAP REQMOD status.

status
cs-icap- REQMOD ICAP error details.

error-details
Extended Log
Description
Format
rs-icap- ICAP RESPMOD status.

status
rs-icap- RESPMOD ICAP error details.

error-details
s-supplier-ip IP address used to contact the upstream host. This is not set if a connection is not made or if an exception
occurs.
s-supplier- The geolocation (country) associated with the IP address of the connection, identified by s-supplier-ip . This
country is not set if a connection is not made or if an exception occurs.
s-supplier- A list of entries where the IP address resolved but did not result in a successful connection. Each entry
failures comprises the IP address, country, and whether the connection was denied or timed out. This field is designed
for use with Symantec Reporter.
x-cs-client- The country associated with the client IP address.

ip-country
cs-threat- Threat risk level of the request URL.

risk
x-rs- Threat risk level of the server's SSL certificate's hostname.

certificate-
hostname-
threat-risk
x-client- The agent type of the authenticated client.

agent-type
x-client-os Client operating system.
x-client- Client agent software.

agent-sw
x-client- A unique identifier for the client device.

device-id
x-client- The name of the device.

device-name
x-client- Type of device.

device-type
x-client- Information related to how secure the client environment is per the compliance policy.
security-
posture-
details
x-client- The risk score that indicates the security posture of the client,
security-
posture-risk-
score
x-bluecoat- Reference ID specified in the reference_id(Rule_ID) action in a policy rule.

reference-id
Extended Log
Description
Format
x-sc- Issuer for forged certificates.

connection-
issuer-
keyring
x-sc- Key alias name in HSM issuer for forged certificates.

connection-
issuer-
keyring-alias
x-cloud-rs Summary of RS server processing in the form (<rs-ratings>:<rating-source>:<rating-label>).
x-bluecoat- A placeholder represented by a dash (-).

placeholder
cs(X-
Requested-
With)
x-bluecoat- Globally unique per-request identifier generated by the appliance. Default exception pages include the
transaction- transaction ID; thus, you can look for the ID in the access log to learn more about the transaction.
uuid
Suppress Personal Information From Access Logs

You can configure the Web Security Service to suppress some or all user identification information from the Access Logs, which
reside on the WSS asset devices. Currently, WSS allows you to suppress the following data types from the logs.
n User and Group Names
n User and Group Names and IP Addresses
n All Data (Do not log any information)
To suppress these data types from the access logs, the portal provides two control types.
n Default—Applies to all traffic.
n Granular—Suppress any of the above data types for specific users, groups, and locations.
Granular controls override the default settings.
Use Cases
n You want to suppress guest user names from your guests who access your WiFi network while they wait in the lobby.
The Default setting is Log all traffic normally (no suppression) and the Granular setting is Do not log user/group
name and client IP for the HQLobbyGuestWiFi (example name) location.
n You need to suppress some user and group names from the logs for you employees; additionally, you want to prevent the
recording of all PII data from the Executive Staff. The Default setting is Do not log user/group name and the Granular
setting is Do not log any data for the EStaff group list (this is an Object Library group list created for this example).
n You might have a set of employees that require identity suppression because of their geolocation or particular job duties.
You can suppress user identities based on access method locations that you have added to the WSS portal.
n
Note: Geolocation can only suppressed when your portal account has the Advanced Web
Security with Risk Controls and Web Applications add-on license. If the license is not
present, Geolocation is not collected.
n In the case of multiple privacy level matches, WSS applies the most strict level. For example, if you have a user that
exists in WestCoast and Legal. The policy for WestCoast is Log all traffic normally and the policy for Legal is Do not
log any data. The user identity information is not logged, thus not visible in reporting.
Procedure
1. Verify and/complete the following prerequisites.
n Verify that your WSS connects to your Active Directory through the Auth Connector and integrates with your
SAML implementation and provides the user and group names. Navigate to Identity > Users & Groups.
n If necessary and allows for more efficient policy, use the Policy > Object Library to create custom user, group,
and locations lists.
2. Navigate to Account Configuration > Data Retention and Privacy.

3. Expand the End User Privacy area.
4. Select the Default Privacy Setting.
The default value is Log all traffic normally, which means no data suppression. From the For all traffic drop-down list,
select a suppression option that applies to all users whose traffic routes throughWSS.
5. If necessary, apply more Granular Log Controls. Click Add. The service displays the Add Granular Privacy Controls
dialog.
a. Select a suppression option that applies to specific user, group, or location.
b. Select Available Items (users, groups, and locations; Shift+Left-mouse-click to select multiple objects).
c. Click Add.
d. Click Save.
The portal places the object in its correct table.

If you Change the Privacy Level for any object, the Web Security Service moves the object to the correct policy
table/column. If the same object already exists in that policy, the WSS merges the objects; no name duplication occurs.
Verify
After you know that some relevant traffic has passed, generate the Reports > Report Center > Full Log Details report.
Specify Access Log Retention Duration

Depending on the product, the Web Security Service retains accumulated access log and report database data that spans a
finite number of days or years.
n Web Security: 100 days.
n Hosted Reporting: 1 year.
You might have a personal concern or a corporate edict on how long user data should remain in the cloud. WSS allows you set a
limit for how long stored data remains in the reporting database. Before setting the limit, consider the following warning and best
practice.
n Reducing a current limit forces the web to purge all older-than-the limit data (chunked in days). You cannot generate
reports from the expired data nor can you restore data following a delete action.
n Because of this limitation, download the current access logs and archive them before you limit retention and expire older
data. If you have a need to generate more reports from that data, you can re-upload the data; however, consider how the
service processes the data.
n WSS considers the hardened data as new content; the data remains until the expiration time has passed.
n The reporter database looks at the log dates. At midnight GMT, WSS expires that content out again.
Generate the new reports against the uploaded data as soon as possible.
To download the access log files, navigate to Account Configuration > Log Export. See "Download Access Logs" on
page 68.
n Review any scheduled reports. If you limit the retention to 15 days and you have a report that generates every 30 days,
the report will not contain 50% of the user-generated data because WSS deleted the logs.
Procedure
1. Navigate to Account Configuration > Data Retention and Privacy.
2. Expand the Lot Retention Time area.

a. Move the slider to adjust the retention limit.
Tip: The initial value varies—100 days to 1 year—depends on the WSS product).
As you move the slider, the Log Retention Time fields (the Log Retention Time field and the field hovering over
the slider) display the limits.
b. When you are satisfied with the limit, click Save.
3. For a verification mechanism, the portal displays the Delete Access Logs dialog.
The dialog reminds you of the log download best practice mentioned above. The dialog also indicates how many days of
data the service will delete if you enact the limit. To enact the limit, you must enter the word DELETE in the field and
click OK. If you enter any other characters and click OK, the service does not enact the limit.
As stated on the screen, the service might require up to 24 hours to adjust to the new limit.
Reset
The Reset link on the page moves the limit to the previously set limit before you click Save. To restore the service
default, move the slider fully to the right.
Receive Alerts from Report Thresholds

The Web Security Service allows you to configure e-mailed alerts triggered when reporting value thresholds are breached. When
this occurs, the service sends an e-mail to a specified recipient. For example, you want to receive an e-mail alert when your
when WSS detects that policy denied access to users 25 times. The e-mail informs the recipient how many times the specified
threshold was exceeded. These alerts provide a custom way to monitor targeted areas of concern without having to log into the
portal.
1. Navigate to Account Configuration.
2. In the Reporting Settings area, click Reporting Alerts.
3. Click Add Alert The service displays the Add Alert dialog.
a. Name the alert. The service inserts this name into the Subject line of the e-mail sent to the recipient of the alert.
b. Select the Field that provides the basis for this alert.
c. From the other Field drop-downs, select criteria that triggers alert. For example, you want to be alerted when the
service detects excessive denied by policy actions. Another use case is setting an alert for Malware detection.
d. From the Threshold Field drop-down, select the action triggers the alert.
e. From the Threshold Value drop-down, select the value of d that triggers the alert. For example, if the service
triggers the alert based on a denied policy verdict for all users, the threshold values allow you to set at what
iteration you receive the alert.
f. In the Email field, enter the e-mail address of the recipient who receives this alert.
g. Click Add.
Triggered Alerts
When an alert triggers, WSS sends an e-mail to the recipient. The e-mail body contains a brief description of the alert trigger.
The e-mail also contains an .CSV file attachment that is compatible spreadsheet applications (or preview in the e-mail body if
the recipients application supports that function).
About Portal Retention

WSS automatically clears the alerts from the reporting database page every 24 hours. For example, if the alert triggers at 1:00
PM, it remains until 1:00 PM the following day.
However, you can return to the Report Alerts page, select a report, and click the Run button to immediately generate an alert
report/email. The service indicates whether or not new alert information is available (e-mails are only sent if a new alert is
found).
Request a Website Categorization Review

Symantec's industry-leading web filtering technology rates and categorizes thousands of new sites a day. When rated
websites become a part of the content filtering database, they become available for policy checks. As you are reviewing reports,
you might question the categorization and want to ask Symantec to review that rating and suggest an alternate
category. Symantec cannot guarantee a rating switch but will perform an analysis. If you request is rejected, you can add the
site to the WSS always allow or always block lists.
If you know the site in question, you can proceed directly to http://sitereview.bluecoat.com/#/ and enter the URL in question.
In the portal, the Web Browsing Per Site and Blocked Requests By Site reports also provide that mechanism. When scanning
report data, you can select the site and proceed directly to the rating review site.
2. Generate the Web Browsing Per Site or Blocked Requests By Site report.
3. Request a site review.

a. Select a site from the report graph or table data.
b. In the data table header, select Action > Submit Site Review.
4. Your browser opens the site review page in a new tab. The selected site data is already filled out.
5. Complete the site review form.
a. Select the category or categories you believe the site should be rated.
b. To be notified of the analysis conclusion, click Send results of the review via email and enter your contact
address.
c. Provide a detailed description that states why you believe the current categorization is in error.
d. Click Submit for Review.

Web Security Service: Reporting Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Web Security Service: Reporting Guide

Uploaded by

Copyright:

Available Formats

Web Security Service

Copyright © 2020 Broadcom. All Rights Reserved.

WSS Reporting Guide

WSS Reporting Guide 5

Learn About Reporting 8

Learn About Reporting

n "About Web Security Service Reporting" on page 9

n "What Can I Do From A Report Dashboard?" on page 11

n "What Can I Do With Reports?" on page 16

About Web Security Service Reporting

n Web Security License

o Access log data: 100 days

o Reporting data: 100 days

n Hosted Reporting License

o Access log data: 1 year

o Reporting data: 1 year

What Can I Do From A Report Dashboard?

Expand the following sections to learn about Dashboard features.

Summary Wide Widget

n Dashboard > Threat Protection—Summaries specific to malware detection.

Clicking a summary report displays the full data array.

n "Change the Graphic Within a Report" on page 35.

n "View Detailed Report Information" on page 31.

Customize Dashboard View

More information: "Add a Report to a Portal Dashboard" on page 41.

Create a Policy Rule

Access Other Reports

n "Create a Custom Report" on page 52.

n "Examine Detailed User or Client Activity" on page 32.

Configure the Portal

What Can I Do With Reports?

Expand the following sections to learn more about report features.

n "Apply a Filter to Report Data" on page 25.

n "Change the Graphic Within a Report" on page 35.

View More Details

Change Inclusive Date Span

To change criteria other than just dates, select Custom.

Zoom In/Out On Date-Driven Reports

n "Download Access Logs" on page 68.

n "Archive Report Results" on page 48.

n "Schedule Report Generation" on page 44.

n "E-mail a Report" on page 50.

Perform an Action Based on Reporter Data

n "Create Policy From a Reported User" on page 64.

n "Request a Website Categorization Review" on page 83.

Run Large Reports in the Background

Executive Report Attributes

2. Select New Report > New Executive Report.

3. Complete the fields in on the Run Executive Report page.

d. Select the Delivery method(s).

n "Apply a Filter to Report Data" below

n "Review Web Use for a Specific User" on page 27

n "Modify Report Data Views" on page 28

n "Generate a Report for a Single Element" on page 28

n "View Detailed Report Information" on page 31

n "Examine Detailed User or Client Activity" on page 32

n "Change the Graphic Within a Report" on page 35

n "Change Visible Report Data" on page 38

n "Add a Report to a Portal Dashboard" on page 41

Apply a Filter to Report Data

1. From any report, select Options (icon) > Report.

The portal displays the Report Options dialog.

2. In the Summarize By area, determine by what criteria the report summarizes.