Explorations

Explorations let you explore data and further filter it to display what you want to follow. Using data explorations, you can search for risky behaviors and activities.

An exploration is a filtered dataset. You can add and remove filters on the fly. Explorations are useful for investigations, looking for indicators, and monitoring specific events and specific users based on the collected data.

You can create explorations for user activities and system events. You can filter the data by rules and conditions, and you can use the items in the Threat Library. In addition, the agent detects exfiltration attempts that were blocked by a prevention rule and can display this as an activity category.

Explorations are available for both ITM and CASB customers.

You can create your own custom explorations or use the available templates.

Some examples of explorations include:

  • USB copy activity: View all users who have copied files to their USB device
  • Suspicious users: View all activities in all channels (endpoint, email, cloud) for a group of users, for example those planning to leave the company
  • Upload files to Web: View all users who have uploaded files to their personal webmail
  • Download files from the Web: View all users who have downloaded a file from share/cloud drives
  • Exfiltration attempts: View file exfiltration attempts that were blocked by a prevention rule

You can categorize the explorations using tags. Tags are labels used to categorize explorations, for example, high-risk and data exfiltration. An exploration can have more than one tag.

After you set up your exploration, the results will be displayed and you can define what you want to see.

You can export activities to CSV, JSON or PDF files.

Accessing Explorations

To access explorations so you can view, create and modify them, from the Proofpoint Information and Cloud Security Platform, select the Analytics app. From the left side-menu, select ActivityExplorations. Select Explorations.

