Reporting Guide
Revision: NOV.07.2020
Symantec Web Security Service/Page 2
Copyrights
Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term “Broadcom”
refers to Broadcom Inc. and/or its subsidiaries.
For more information, please visit www.broadcom.com.
Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function,
or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any
liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein,
neither does it convey any license under its patent rights nor the rights of others.
With extensive web application controls and detailed reporting features, IT administrators can use the Web Security Service to
create and enforce granular policies that are applied to all covered users, including fixed locations and roaming users.
From the WSS portal, generate reports and analyze the results. The reports help you assess the browsing habits of employees
and the integrity of your network environment. Reports are not static; from them you can launch the policy editor and immediately
address issues.
This document provides policy concepts and describes how to use the WSS portal to define policies. It includes high-level and
use case examples.
Table Of Contents
Copyrights 3
Modify Data 25
Apply a Filter to Report Data 25
Use Case 25
Review Web Use for a Specific User 27
Modify Report Data Views 28
Generate a Report for a Single Element 28
View Detailed Report Information 31
Examine Detailed User or Client Activity 32
Use Cases 32
Change the Graphic Within a Report 35
Use Case 35
Change Visible Report Data 38
Add a Report to a Portal Dashboard 41
Change How Costs are Calculated in Reports 42
Use Case 42
Manage Reports 43
Schedule Report Generation 44
Download a Report to Your System 47
Archive Report Results 48
E-mail a Report 50
Create a Custom Report 52
Use Case 52
Admin Tasks 58
Integrate With CloudSOC 59
Technical Requirements 59
Procedure 59
CASB Gatelets Solution Only 60
Delete the CloudSOC Integration 62
Create Policy From a Reported User 64
Download Access Logs 68
Web Security Logs 68
CFS Traffic Logs 68
Related Content 69
Reference: Access Log Formats 70
Suppress Personal Information From Access Logs 75
Use Cases 75
Procedure 75
Verify 78
Specify Access Log Retention Duration 79
Reset 80
Receive Alerts from Report Thresholds 81
Triggered Alerts 82
About Portal Retention 82
Request a Website Categorization Review 83
As users browse web content from within the corporate firewall or as a remote user, WSS performs policy checks and allows or
blocks content per the verdict.
Your service account saves access logs and reporting data based on the WSS product.
This series of applicable reports provides instant data summaries of the activity related to the selected Dashboard.
• Dashboard > Overview—A mix of web requests, blocked content, and malware detection.
• Dashboard > Content Filtering—Summaries specific to web browsing, web applications, and bandwidth.
• Dashboard > Product—Some add-on products yield their own Dashboards. For example, the Cloud Firewall Service.
By default, the date range is data collected over the previous seven days. You can change that value to one day or thirty days.
Furthermore, each summary report has a variance label; that is, how much activity has increased or decreased during the
previous selected day intervals. If you, for example, see that Web Apps Used has jumped 200% over the previous week, click
the summary to gain further data for analysis.
Analyze Data
Dashboards present data in graphs and/or tables. You can change the date range (for the entire dashboard view), change the
graphic style for each report widget, and roll over or click report elements to view more details.
Change Report
Most predefined reports display results that include a wide scope of data. When reviewing report results, you can apply filters
to limit the scope of the results. Also, when you change the scope of the reports, the default graphic might not best represent
the new data set.
• Hover over a graph element to view details. Click a graph element to segment it or select a data row in the table below
the graph and select Drill. From the Drill drop-down, select an element to isolate the data view. For example, in the
Risk Groups report, you want more information regarding detected Non-Productive requests.
• Click any blue link to see more details related to the item, such as who performed requests, site names, applications
used, and more.
Manage Reports
Each report contains options that enable you to schedule automatic generation times, save as a file, and send to others.
The Web Browsing Per Site report provides two additional options: view a selected site in a new browser tab and request a
categorization review of a site.
The Archive in Background option allows you to begin the report generation and perform other tasks while waiting for the
report to complete. Furthermore, you can log out of your account and return later. When it is complete, the portal provides the
report on the Reports page in the Recent Archive Reports area.
Executive Reports
The myriad of Web Security Service reports provide data that is consumable by IT security professionals who are tasked with
analyzing, diagnosing, and remedying security hotspots and web use policies. The WSS Executive Report is designed for CIOs
or other executives who request to see high-level security activities and trends in a format that is more presentable, professional,
and shareable.
Executive Reports capture data on a calendar-month basis. The ideal time to generate a report is at the beginning of a new month
to obtain the previous month's data. You have the option to Archive the report or Email to recipients.
• The report is pre-defined and cannot be modified. The report provides an overview of all subscribed services within your
WSS account. For example, Cloud Firewall Service and Malware Analysis. The report also contains sections for
products currently not licensed, but with verbiage indicating the product is not active.
If your WSS account is not provisioned with an available add-on, the report contains a paragraph that explains the
product. For example—
Web Isolation—Your business has not activated Web Isolation. This service is required to
protect your organization from advanced threats targeting your end user’s web browsers and
email applications. Without Isolation, your business is exposed to these types of attacks.
• High-value reports, such as sandbox detonations and web isolations (if licensed), are differentiated and depicted clearly.
Procedure
1. Navigate to Report Center.
a. Name the report; this name will be the report link in the portal.
b. Enter the Cover Title; this name will be on the first page of the generated report.
c. Select the Report Period. WSS retains past months for re-generation.
◦ Archive Report—WSS places the report link in the Recent Archived Reports applet, which is available on
the Report Center page.
◦ Email Report—Enter recipient email addresses (separated by commas). Upon report completion, WSS
emails the report.
e. Click Run Report. The portal displays a message in the upper-right corner that the report generation has begun.
Tip: The Executive Report requires a longer generation time than standard reports.
Modify Data
The following sections describe how to change how the WSS displays reported data within reports.
Use Case
You run the Blocked Requests by Category report, which by default displays all categories that were blocked by policy (verdict
= denied). You are curious to see the top ten users who were denied because they attempted to browse mature content websites.
Procedure
a. For the above use case, keep Category as the primary summary datapoint. Define how many rows (per selection)
per page display.
b. (Optional) You can add one additional summary level by clicking Add Level. In this example, you want to see the
top ten users per category.
3. In the Filter area, specify the date range and additional criteria.
a. For the Date is criteria, specify what date range the report covers (if WSS did not process data for the specified
date range, the report is blank).
b. The filter automatically contains the default intent of the original report. In the above example, the Blocked
Requests per Category report applies the Verdict contains denied (policy denied) filter. Click Add Criteria to
add a new line. You can add multiple lines; the more you add, the more targeted the report becomes.
c. Select the filter category. To continue with the example, select Category, is, and Adult/Mature Content. Click
the + icon to add more Category filters. This example searches for all denied verdicts because of four specific
mature content categories.
4. Click Save. The filtered report generates and displays. If the filter did not result in useful data, repeat and adjust the
filter.
5. Click links within the report, such as user names, to view even more detailed information.
7. If the report is useful and you want to retain it or disseminate it, see "What Can I Do With Reports?" on page 16.
2. Select Common Tasks > Report Tasks > User Overview. The service displays the User Overview dialog.
3. From the drop-down list, select a user and click Run Report.
Optional Actions
You might decide the data in this report is worth seeing on a continuing basis.
For more details about report filters, see "Apply a Filter to Report Data" on page 25.
Tip: For Simple Reports, the portal prompts you to save the report before you can set a
schedule.
For more details about scheduling, see "Schedule Report Generation" on page 44.
Links
Click any blue-colored link.
Select an element to view (not all elements are available for all reports). For example, in the Web Browsing per Category
report, you see there were several requests for Shopping category sites and you want to see which users requested them.
Select Drill > User.
Use Cases
• Someone at your company observed a visiting vendor, who was logged into your guest network, browsing offensive Web
locations. You want to run a report for that day so you can forward it to the vendor and ask that future visitors refrain from
such activity.
• You suspect a particular client is infected with malware and you want to see a detailed report for all activity as it relates to
that client.
Procedure
• Any Dashboard link, select Common Tasks > Report Tasks > Forensic Report.
• The Report Center page, select New Report > New Forensic Report.
2. In the New Forensic Report dialog, enter the generation criteria. You can select any or all of the options.
a. Select a User; if you know the username, begin typing to use auto-fill. This example looks for unauthenticated
users.
c. To restrict the report to a single Category, select or enter one. This example displays results for unauthenticated
users who browsed Adult/Mature Content sites.
e. To specify a time frame of user activity, select a Date is option. This example uses the Custom option and
isolates the day when the visitor was on campus.
f. Click Run Report.
Using the specified criteria, WSS generates and displays the Full Log Detail report.
• If the report does not display the desired data set, select Reports > Close <report> and repeat the procedure with other
search criteria.
• If the report satisfies your needs, save and disperse as required. See "What Can I Do With Reports?" on page 16.
Use Case
The Search Engines > Reports > Web Applications report by default generates a pie chart based on total requests for each
application; however, you want to change the report to view the data in terms of costs.
Procedure
1. Generate any report.
2. Next to the report name, select Options > Chart (gear icon). The portal displays the Options dialog.
b. The Chart the currently-sorted column option means the graphic compiles using the default data point. For
example, a ...Per User report yields a graph based on user names but the report also contains other data
columns. To change the graph source data, select Chart the following column and select an option or options.
c. Click Save.
Some graph types, such as Pie, cannot contain more than one data element. WSS displays an error dialog if it
cannot comply with your selections.
4. (Optional) WSS does not retain the changed graph (when you exit the session) unless you manually save the report as a
new report or archive the results. To save the report, click the Save icon and specify where to save it.
b. Select which Group to save it in. If you save it in My Groups, only you can generate the report. If you save it in
Shared Groups, anyone with access to this WSS account sees the link and is able to run the report.
c. Click Save.
Tip: The graph does not change. To change the graph to show the same data, click Options
> Chart. See "Change the Graphic Within a Report" on page 35.
2. Select which Group to save it in. If you save it in My Groups, only you can generate the report. If you save it in Shared
Groups, anyone with access to this WSS account sees the link and is able to run the report.
3. Click Save.
Each Dashboard displays its own set of default reports, which are high-level summaries. To customize your Dashboard view,
add other reports.
3. If necessary, move reports or delete other reports, as described in "What Can I Do From A Report Dashboard?" on
page 11.
Use Case
In an IT role, you are responsible for determining how much to back-bill Internet use costs to various departments.
Procedure
1. Navigate to Account Configuration.
b. Change the Cost per GB. Set the rate that your company uses to charge for bandwidth.
c. Some reports have columns for data based on Costs per hour. Set that bulk rate here.
4. Click Save.
Manage Reports
Configure when reports run and what actions are available for reports.
• CSV—Comma-delimited file that opens with a compatible spreadsheet application (such as Excel).
Procedure
1. Navigate to Report Center.
• The Report Center and Reports links—select Schedule from the Actions drop-down lists.
a. Select the Format that the report saves as: PDF, CSV or CSV (Raw), or XML.
• Archive report to server—WSS saves the generated report and displays it in the Recent Archived
Reports area on all Reports link tabs.
• Send report by email—WSS generates the report and sends it to the specified recipient(s). This is an
effective way to send targeted information to different personnel who are responsible for managing or
monitoring specific information.
c. Select the number of Rows. If using the E-mail action, consider size limitations of the recipient's inbox.
• Select a Run Day option to specify on which day, in conjunction with the Frequency, the report runs (this
option does not display if the Frequency is Daily).
• If you set the Frequency to Monthly, select the First Day or Last Day of the month or a Custom
day. Important: If you select the Last Day option, the report runs on the final day of the month
regardless of the number of days. For example, February 28th or July 31st. If you require a strict
30-day interval for the data, see the next option.
e. Select a Date Filter. The Previous option changes to match the Frequency selection. The All dates option
generates the report using the date filter that is applied to that report.
g. Click Schedule.
• CSV—Comma-delimited file that opens with a compatible spreadsheet application (such as Excel).
Procedure
1. Generate any report.
2. In the upper-right corner, click the Download icon. The portal displays a Download dialog.
b. Specify how many Rows display in the report. For example, you are only concerned with the top 20 results.
c. Click Download. WSS displays a dialog prompting you to select which application opens the file.
3. Open the file with the appropriate application and save the file to your system.
• CSV—Comma-delimited file that opens with a compatible spreadsheet application (such as Excel).
Archive Procedure
1. Generate any report.
2. In the upper-right corner, click Archive. The portal displays the Archive dialog.
b. Specify how many Rows the report displays. For example, you are only concerned with the top 20 results.
The portal displays the report in the Recent Archived Reports area on the Report Center page. Click the View All Archived
Reports link to display a dialog in which you can navigate these reports.
From here, you have the option to sort by process, to Delete the report, Download the report for yourself or to send to others, or
View the report in the saved format (requires Adobe Acrobat/Reader, a spreadsheet application, or an application that reads
XML).
E-mail a Report
The Web Security Service allows you to e-mail a copy of any report to one or more recipients. For example, you notice an
unusual spike in a particular traffic type and you want to inform others in your organization.
• CSV—Comma-delimited file that opens with a compatible spreadsheet application (such as Excel).
Procedure
1. Generate any report.
b. Specify how many Rows the report displays. For example, you only want to send the top 10 results.
c. In the To field, enter who receives the e-mail. Enter commas to separate multiple recipients.
d. The default Subject is the title of the report. Accept the default or add/replace text. For example, Requires
immediate attention: social media traffic spike.
e. Click Email.
• What type of data the report summarizes (for example, a specific user).
• The look of the report (for example, the graphic type or number of columns).
Use Case
For example, to analyze suspected acceptable web use abuses, you want to generate a report that lists, by location, the verdicts
denied by policy that occurred over a time frame for four specific users.
Procedure
The following procedure illustrates all aspects of the New Report wizard and provides examples according to the above
Use Case.
• From any Dashboard, select Common Tasks > Report Tasks > New Report.
• From any Reports page (not individual reports), click New Report.
2. The first page of the wizard, Report Information, prompts you to define up to two summary fields (how the new report
sorts) and specify how many entries display for each field.
b. Select the first Summarize By sorting criteria. To add a second level sort criteria, click Add Level. To continue
with the Use Case stated in the introduction above, this report summarizes by Location.
c. Click Next.
3. The second report construct is Set Report Filter. Specify the time span of data from which to generate the report and
select the data points that display in the report.
a. (Optional) The default Date range is All Dates. This means the report generates up to 90 days, which is the
current WSS maximum storage capacity. To narrow the time span, select a Date is option and use the calendars
to specify the range.
• Since—Generate the report for all dates since the specified date.
• Before—Generate the report for all dates after the specified date.
• Current—Generate the report for the same hour(s), day(s), week(s), or month as when the report runs.
• Previous—Generate the report for the previous specified hour(s), day(s), week(s), or month.
• Current and Previous—Generate the report that includes the current hour(s), day(s), week(s), or month
plus the previous specified same unit.
b. (Optional) Add filter criteria. This is what limits the scope of the custom report.
• The first field is the data point. For example, User, Client IP, or Protocol.
• Is not—The report includes data for all values except the specified value.
• Contains—Only display data that matches the specified string. For example, User Agent >
Contains > Firefox.
• Does not contain—Display all data that does not contain the specified string.
• Starts with—Display all data that begins with the specified string.
• Does not start with—Exclude all data that begins with the specified string.
• Ends with—Display all data that ends with the specified string.
• Does not end with—Exclude all data that ends with the specified string.
• The third field is a specific matching value that either you enter or you select. This depends on the
combination of the selected data point and filter criteria. For example, if you select User and Is and have
authenticated users, select a matching value from the populated list. If you select User and Contains,
you must enter the matching value.
c. Click the + icon to add more than one matching entry per data point.
This Use Case specifies four User names and adds Verdict is policy_denied criteria.
e. Click Next.
b. Select which column is used to sort and select Ascending (highest value first) or Descending (lowest value
first).
c. Click Next.
5. The fourth report construct is the type of graph displayed in the report. Select the graph type that you believe best serves
the report data. From within the generated report, you have the option to turn off the graph display or change its type.
The default option is for the graphic to display data according to what was selected as the Sort By option in Step 5.b. To
change this default, click Chart the following columns and select options.
Click Next.
• To run this report one time, clear the Save report to report list for running later option and click Run Report.
• Select a group from My Groups. The report displays in the selected group, but only you are able to run it.
• Select a group from Shared Groups. The report displays in the selected group and is visible to anyone
with WSS portal access credentials.
If the generated report does not present expected results, select Options > Report (next to the report name) and alter the criteria.
See the Related Topic link for more information.
Admin Tasks
The following tasks are available to WSS administrators.
• CASB Gatelets—Full WSS web security solution with enhanced web application from the CloudSOC service.
• CASB Gateway—CASB-only solution where CloudSOC receives user identity and traffic from WSS.
After you obtain the CASB license, you must perform the task to integrate WSS with the CloudSOC portal.
Technical Requirements
• When you purchase the CASB license, the admin on record receives an e-mail from Symantec that contains the
Integration ID. You must have this ID to register. The Integration ID is not the same number as your WSS Subscription
ID.
• This procedure describes how to integrate with an existing CloudSOC portal account. If you have not onboarded
CloudSOC, do so before continuing with this procedure.
Procedure
1. Navigate to Account Configuration > Products & Licensing.
c. IMPORTANT—Select the appropriate Data Storage Location for your location. You cannot change this value
after setup.
d. Select how many Months of Data to Track. The current maximum is 3, which means you can view reports that
contain data from no more than the three previous months.
e. Click Save.
Web Application Policy
As web traffic flows through your network, you now have the ability to define granular block/allow and other actions on the tens
of thousands of detected web applications.
View CASB-Related Reports
As WSS processes traffic, you can view specific reports that provide insight into web application traffic traversing your
network.
Navigate to Report Center. The following reports contain reports enhanced by the CASB Audit Service.
• Applications by User
• Applications by Client IP
When you click the Cloud App Audit link, CloudSOC opens in a new browser tab.
The store is where you enable web applications and define domains and policies that are then sent to the WSS portal and made
available in policies.
To learn more about implementing web application configurations and monitoring user activities, consult the CloudSOC Help
system and other relevant Symantec documentation.
This feature is only supported in reports that represent singular users, clients, and so on. Reports that display trends, for
example, do not have this feature. Consider the following two use cases.
1. Navigate to Report Center and generate the Potential Malware Infected Clients report (from the Security area).
a. Select a graphic element or table row. This is the user or client that requires a policy change.
b. In the table header, select Actions > New Policy Rule. The service displays the New Policy Rule dialog.
The policy editor automatically adds the suspect IP address to the Sources construct. Set the Verdict to Block and click
Add Rule.
3. The policy creation switches the view to the Content Filtering page. Your new rule is viewable in the order added. If
necessary, move it to another spot in the list (click the number link). For example, you want a rule for an individual to be
evaluated before a group rule.
4. When you resolve this issue and want to restore the client back into production, return to this page, select the rule, and
click Delete (or you can click Disable to temporarily halt the enforcement of a rule).
1. In Solutions Mode, select Content Filtering > Reports and generate the Web Browsing per User and Category
report.
a. Scroll and scan the report to identify which users require coaching.
c. In the table header, select Actions > New Policy Rule. The service displays the New Policy Rule dialog.
3. The policy creation switches the view to the Content Filtering page. Your new policy is viewable in its proper place in the
order of policy.
You must click Apply to enforce the policy. Also, to see the current coaching message that is sent to users who trigger
the policy, click the Edit icon in the Verdict column.
• For WSS, the logs are retained for 100 days in the reporting database. When this milestone is reached, WSS begins
deleting log file data on a daily basis, beginning with the oldest day. Download the logs for your own archiving purposes
before WSS deletes them.
• You have the Symantec Reporter product and you want to use it to reprocess specific logs. You must use Symantec
Reporter 9.x Enterprise Edition or Symantec Reporter 10.1.5.
Tip: If you have access to the Hosted Reporting product, you can re-upload the logs back to
WSS. Be advised that the service cannot recognize data it has previously processed. If you
upload logs that contain previously processed data, the result is bloated data—that is, the
reports display double the previous values. Take care to manage your download log files.
3. The default Data Source is SG (the proxy logs for web filtering). If your account has the CFS license provisioned, you
can select CFS Traffic.
4. Specify the download format that your external log reader requires. You also have the option to add or remove log fields
from the downloaded access log files:
a. Click View/Edit. The portal displays the Log Download Settings dialog.
c. (Optional) Use the field controls to add or remove log fields from the download file(s).
d. Click Save.
6. Click Download.
Be advised that the amount of time required to create the download can vary. The selected number of days and log fields
influence generation time.
7. Upon completion, the portal adds the file to the viewable list. You can save a file to your local system or other location.
1. Save or FTP the raw access logs to the server from which Reporter is configured to process. Consider creating folder
names that identify the files; for example, Cloud_Archive.
3. Set the Log Source as the folder you created for the WSS logs.
Related Content
• About the Cloud Firewall Service
If you are downloading the Access Logs to use with Splunk or a third-party reporting application, you might need to know the
Access Log fields for mapping references.
Note: In the following table, proxy refers to a proxy appliance in the WSS datacenter.
Extended Log
Description
Format
time-taken Time taken (in milliseconds) to process the request (from the first byte of client request data received by the
proxy, to the last byte sent by the proxy to the client, including all of the delays by ICAP, and so on)
cs-auth- List of groups that an authenticated user belongs to. Only groups referenced by policy are included.
groups
x-exception- Identifier of the exception resolved (empty if the transaction has not been terminated).
id
s-action What type of action did the Appliance take to process this request; possible values include ALLOWED, DENIED,
FAILED, SERVER_ERROR.
Extended Log
Description
Format
cs-host Hostname from the client's request URL. If URL rewrite policies are used, this field's value is derived from the
'log' URL.
cs-uri-path Path from the 'log' URL. Does not include query.
s-ip IP address of the appliance on which the client established its connection.
sc-bytes Number of bytes the appliance sent to the client during the playspurt.
x-data-leak- Whether a data leak has occurred, according to the ICAP response.
detected
r-supplier- n Reports the country of the IP address to which the WSS connected.
country
n If the WSS connection did not occur—for example, the transaction was denied based on an earlier
condition such as URL category, the field indicates the country that the service would have tried to
connect to first. That is, the country of the first IP address returned from a DNS resolution of the server
URL's host.
Extended Log
Description
Format
x-cs-ocsp- An error was observed during the OCSP check for a client certificate.
error
x-rs- Version of the SSL protocol negotiated for the server connection.
connection-
negotiated-
ssl-version
x-rs- Ciphersize of the OpenSSL cipher suite negotiated for the server connection.
connection-
negotiated-
cipher-size
x-cs- Version of the SSL protocol negotiated for the client connection.
connection-
negotiated-
ssl-version
x-cs- Ciphersize of the OpenSSL cipher suite negotiated for the client connection.
connection-
negotiated-
cipher-size
Extended Log
Description
Format
s-supplier-ip IP address used to contact the upstream host. This is not set if a connection is not made or if an exception
occurs.
s-supplier-country The geolocation (country) associated with the IP address of the connection, identified by s-supplier-ip. This
is not set if a connection is not made or if an exception occurs.
s-supplier-failures A list of entries where the IP address resolved but did not result in a successful connection. Each entry
comprises the IP address, country, and whether the connection was denied or timed out. This field is designed
for use with Symantec Reporter.
x-client-security-posture-details Information related to how secure the client environment is per the compliance policy.
x-client-security-posture-risk-score The risk score that indicates the security posture of the client,
cs(X-Requested-With)
x-bluecoat-transaction-uuid Globally unique per-request identifier generated by the appliance. Default exception pages include the
transaction ID; thus, you can look for the ID in the access log to learn more about the transaction.
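The following Python example is added here and is not part of the Symantec guide. It parses access log lines that carry the TLS fields described above and lists transactions whose client or server leg negotiated a weak protocol version or cipher size, keyed by x-bluecoat-transaction-uuid. The "#Fields:" header line, the "-" placeholder for unset fields, the value spellings (TLSv1.2, SSLv3), the thresholds, and the function names are assumptions.

```python
import shlex

# Constructed sample. The "#Fields:" header, the "-" placeholder for unset
# fields, and every value below are assumptions made for this example.
SAMPLE_LOG = """\
#Fields: x-bluecoat-transaction-uuid s-supplier-ip s-supplier-country x-cs-connection-negotiated-ssl-version x-cs-connection-negotiated-cipher-size x-rs-connection-negotiated-ssl-version x-rs-connection-negotiated-cipher-size
aaaa-0001 203.0.113.10 "United States" TLSv1.2 256 TLSv1.2 256
aaaa-0002 198.51.100.7 Germany TLSv1.2 256 TLSv1 128
aaaa-0003 - - TLSv1.2 256 - -
aaaa-0004 192.0.2.44 France SSLv3 40 TLSv1.2 256
aaaa-0005 192.0.2.9
"""

WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # example policy
MIN_CIPHER_BITS = 128                                    # example policy

def parse_elff(text):
    """Return one dict per data line, keyed by the names in '#Fields:'."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.strip() and not line.startswith("#"):
            try:
                values = shlex.split(line)  # keeps "United States" as one value
            except ValueError:
                continue                    # unbalanced quote
            if len(values) == len(fields):  # skip truncated lines
                rows.append(dict(zip(fields, values)))
    return rows

def weak_tls_findings(rows):
    """List (transaction uuid, leg, reasons) for weak client or server TLS."""
    findings = []
    for row in rows:
        for prefix, leg in (("x-cs", "client"), ("x-rs", "server")):
            version = row.get(f"{prefix}-connection-negotiated-ssl-version", "-")
            size = row.get(f"{prefix}-connection-negotiated-cipher-size", "-")
            if version == "-":
                continue  # no TLS negotiated on this leg
            reasons = []
            if version in WEAK_VERSIONS:
                reasons.append(f"protocol {version}")
            if size.isdigit() and int(size) < MIN_CIPHER_BITS:
                reasons.append(f"{size}-bit cipher")
            if reasons:
                findings.append((row["x-bluecoat-transaction-uuid"], leg, reasons))
    return findings

if __name__ == "__main__":
    for uuid, leg, reasons in weak_tls_findings(parse_elff(SAMPLE_LOG)):
        print(uuid, leg, ", ".join(reasons))
```

Because the server leg is evaluated separately from the client leg, a transaction that was denied before any upstream connection (unset s-supplier-ip) is not reported as a server-side finding.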
To suppress these data types from the access logs, the portal provides two control types.
• Granular: Suppress any of the above data types for specific users, groups, and locations.
Use Cases
• You want to suppress guest user names from your guests who access your WiFi network while they wait in the lobby.
The Default setting is Log all traffic normally (no suppression) and the Granular setting is Do not log user/group
name and client IP for the HQLobbyGuestWiFi (example name) location.
• You need to suppress some user and group names from the logs for your employees; additionally, you want to prevent the
recording of all PII data from the Executive Staff. The Default setting is Do not log user/group name and the Granular
setting is Do not log any data for the EStaff group list (this is an Object Library group list created for this example).
• You might have a set of employees that require identity suppression because of their geolocation or particular job duties.
You can suppress user identities based on access method locations that you have added to the WSS portal.
Note: Geolocation can only be suppressed when your portal account has the Advanced Web
Security with Risk Controls and Web Applications add-on license. If the license is not
present, Geolocation is not collected.
• In the case of multiple privacy level matches, WSS applies the most strict level. For example, suppose a user
exists in both WestCoast and Legal. The policy for WestCoast is Log all traffic normally and the policy for Legal is Do not
log any data. The user identity information is not logged, and thus is not visible in reporting.
Procedure
1. Verify and/or complete the following prerequisites.
• Verify that your WSS connects to your Active Directory through the Auth Connector and integrates with your
SAML implementation and provides the user and group names. Navigate to Identity > Users & Groups.
• If necessary, and if it allows for more efficient policy, use the Policy > Object Library to create custom user, group,
and location lists.
The default value is Log all traffic normally, which means no data suppression. From the For all traffic drop-down list,
select a suppression option that applies to all users whose traffic routes through WSS.
5. If necessary, apply more Granular Log Controls. Click Add. The service displays the Add Granular Privacy Controls
dialog.
b. Select Available Items (users, groups, and locations; Shift+Left-mouse-click to select multiple objects).
c. Click Add.
d. Click Save.
If you Change the Privacy Level for any object, the Web Security Service moves the object to the correct policy
table/column. If the same object already exists in that policy, the WSS merges the objects; no name duplication occurs.
Verify
After you know that some relevant traffic has passed, generate the Reports > Report Center > Full Log Details report.
You might have a personal concern or a corporate edict on how long user data should remain in the cloud. WSS allows you to set a
limit for how long stored data remains in the reporting database. Before setting the limit, consider the following warning and best
practice.
• Reducing a current limit forces WSS to purge all data older than the limit (chunked in days). You cannot generate
reports from the expired data nor can you restore data following a delete action.
• Because of this limitation, download the current access logs and archive them before you limit retention and expire older
data. If you have a need to generate more reports from that data, you can re-upload the data; however, consider how the
service processes the data.
  • WSS considers the hardened data as new content; the data remains until the expiration time has passed.
  • The reporter database looks at the log dates. At midnight GMT, WSS expires that content out again.
  Generate the new reports against the uploaded data as soon as possible.
  To download the access log files, navigate to Account Configuration > Log Export. See "Download Access Logs" on
  page 68.
• Review any scheduled reports. If you limit the retention to 15 days and you have a report that generates every 30 days,
the report will not contain 50% of the user-generated data because WSS deleted the logs.
Procedure
1. Navigate to Account Configuration > Data Retention and Privacy.
As you move the slider, the Log Retention Time fields (the Log Retention Time field and the field hovering over
the slider) display the limits.
3. For a verification mechanism, the portal displays the Delete Access Logs dialog.
The dialog reminds you of the log download best practice mentioned above. The dialog also indicates how many days of
data the service will delete if you enact the limit. To enact the limit, you must enter the word DELETE in the field and
click OK. If you enter any other characters and click OK, the service does not enact the limit.
As stated on the screen, the service might require up to 24 hours to adjust to the new limit.
Reset
The Reset link on the page moves the limit to the previously set limit before you click Save. To restore the service
default, move the slider fully to the right.
3. Click Add Alert. The service displays the Add Alert dialog.
a. Name the alert. The service inserts this name into the Subject line of the e-mail sent to the recipient of the alert.
b. Select the Field that provides the basis for this alert.
c. From the other Field drop-downs, select the criteria that trigger the alert. For example, you want to be alerted when the
service detects excessive denied by policy actions. Another use case is setting an alert for Malware detection.
d. From the Threshold Field drop-down, select the action that triggers the alert.
e. From the Threshold Value drop-down, select the value of d that triggers the alert. For example, if the service
triggers the alert based on a denied policy verdict for all users, the threshold values allow you to set at what
iteration you receive the alert.
f. In the Email field, enter the e-mail address of the recipient who receives this alert.
g. Click Add.
Triggered Alerts
When an alert triggers, WSS sends an e-mail to the recipient. The e-mail body contains a brief description of the alert trigger.
The e-mail also contains a .CSV file attachment that is compatible with spreadsheet applications (or a preview in the e-mail body if
the recipient's application supports that function).
However, you can return to the Report Alerts page, select a report, and click the Run button to immediately generate an alert
report/email. The service indicates whether or not new alert information is available (e-mails are only sent if a new alert is
found).
If you know the site in question, you can proceed directly to http://sitereview.bluecoat.com/#/ and enter the URL in question.
In the portal, the Web Browsing Per Site and Blocked Requests By Site reports also provide that mechanism. When scanning
report data, you can select the site and proceed directly to the rating review site.
1. Navigate to Report Center.
4. Your browser opens the site review page in a new tab. The selected site data is already filled out.
a. Select the category or categories under which you believe the site should be rated.
b. To be notified of the analysis conclusion, click Send results of the review via email and enter your contact
address.
c. Provide a detailed description that states why you believe the current categorization is in error.