Monitored User Activity on Windows and Mac

The table lists User Activity by Category and Primary Category fields, which can be monitored and collected by Proofpoint DLP and ITM solutions on Windows and Mac systems.

A monitored activity is assigned one Primary Category and one or more other categories in the Category names. Typically, the Primary Category is the most useful information to indicate what the user did. Together the Primary Category and the Category field form a sequence where the Primary Category is followed by multiple Categories that are related to the activity. For example, when a user uploads a file via the Web Browser, the Primary Category is Web File Upload, usually with Category fields Web Browsing and Application Use .

Some triggers are available on request only. Contact your Proofpoint representative.

Activity Category Name	Win	Mac	Activity Trigger
Application Use Application Open Application Still-In-Use	√	√	These categories are assigned when a mouse click or keystroke is detected on a Desktop application. Application Open is assigned when the first mouse click or keystroke is detected in a Desktop application. (Supported since Win Agent 1.5 and Mac Agent 1.4. ) Application Still-In-Use indicates that the application that triggered Application Open is still in use. It is triggered when a mouse click or keystroke is detected in a Desktop application at least 1 hour after Application Open was triggered on an endpoint with Endpoint DLP license. (Supported since Win Agent 1.5 and Mac Agent 1.4. )
Web Browsing Website Open Website Still-In-Use	√	√	These categories are assigned when a mouse click or keystroke is detected on a Website that is viewed in a Browser, Website Open is assigned when the first mouse click or keystroke is detected in a Website application. (Supported since Win Agent 1.5 and Mac Agent 1.4. ) Website Still-In-Use indicates that the application that triggered Website Open is still in use. It is triggered when a mouse click or keystroke is detected in a Website application at least 1 hour after Website Open was triggered on an endpoint with Endpoint DLP license. (Supported since Win Agent 1.5 and Mac Agent 1.4. )
Document Open	√	√	Triggered upon opening a document (in one of the supported applications). (Supported since Win Agent 1.5.)
Volume Mount USB Connect	√	√	Triggered upon plugging in a USB storage device or when detecting a mounted USB storage device.
Copy from USB	√		Triggered upon copying/moving files or folders originated from a USB storage device to any folder via keyboard shortcuts, menu items, buttons, or drag and drop.
Copy to USB	√	√	Triggered upon copying/moving files or folders to a USB storage device via keyboard shortcuts, menu items, buttons, or drag and drop. Since USB device can be an exit point for data exfiltration, this activity can be blocked (or prompt for user justification) by the Prevention mechanism.
Web File Sync	√	√	Triggered upon copying/moving files or folders to a local sync folder used by one of the supported sync services (Dropbox, OneDrive, Google Drive, etc) via keyboard shortcuts, menu items, buttons, or drag and drop. Since local sync folder can be an exit point for data exfiltration, this activity can be blocked (or prompt for user justification) by the Prevention mechanism.
Web File Upload	√	√	Triggered upon uploading files or folders to a website via File Open dialog, copy/paste or drag and drop within a browser. Since websites can be an exit point for data exfiltration, this activity can be blocked (or prompt for user justification) by the Prevention mechanism.
Print	√	√	Triggered upon sending a document to a printer. Since printers can be an exit point for data exfiltration, this activity can be blocked (or prompt for user justification) by the Prevention mechanism.
Web File Download	√	√	Triggered upon downloading files from a Website via Browser. Since websites can be entry point, and downloaded file starts to be tracked (and assigned with the File Tracking category as well).
File Tracking	√	√	This category is assigned for any file that is downloaded from a Website via Browser.
File Copy	√	√	This category is assigned to any copy of file or folder via keyboard shortcuts, menu items, buttons, or drag and drop.
File Move	√	√	This category is assigned to any move operation of file or folder via keyboard shortcuts, menu items, buttons, or drag and drop.
File Soft-delete	√	√	Triggered upon deleting a file (or folder that contains files) by moving it to the Recycle Bin (on Win) or Trash/Bin (on Mac).
File Delete	√	√	Triggered upon permanently deleting a file (or folder that contains files).
File Rename	√	√	Triggered upon renaming a file.
IM Message File Attach		√	Triggered upon attaching a file to IM (Instant Messaging) client. For now, supported only for Apple’s Messages app on Mac. Available on request. Contact your Proofpoint representative.
Copy File to Clipboard		√	Triggered upon inserting a file (of folder with files) to the clipboard (and before pasting it).
File Drag and Drop		√	This category is assigned to any drag and drop of a file (or folder with files).
Session Login	√		Triggered upon user log in.
Session Logout	√		Triggered upon user log out.
Session Lock	√		Triggered upon locking the endpoint by the user.
Session Unlock	√		Triggered upon unlocking the endpoint by the user.
Paste Text from Clipboard	√		Triggered upon capturing text pasted from the clipboard for all commonly used paste methods.
Copy to Network Drive	√		Triggered upon exfiltrating to a network drive.
Send File using AirDrop		√	Triggered upon sending a file via AirDrop

Agent Activity Signals

Signal	Windows	Mac	Supported in Endpoint DLP
Agent	x
Agent Data-loss	x	x	x
Agent Deregistration		x	x
Agent Functionality	x	x	x
Agent Heartbeat	x	x	x
Agent Informational	x		x
Agent Lifecycle		x	x
Agent Metrics	x		x
Agent Offline	x		x
Agent Registration	x	x	x
Agent Start	x	x	x
Agent Stop	x
Agent Tampering	x		x