Events

The Events page displays activity logged by Browser Security capabilities. Events appear only when logging is enabled for the relevant ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session..

Event Filtering

Event filtering enables users to narrow the Events view and focus on activity relevant to your investigation or review. Event data can be filtered based on available attributes, such as:

  • Capability (Access Control, Secure Browsing, DLP)

  • Event type

  • Action

  • User

  • Resource

  • Description

  • Rule Name

  • Data types

  • Time

Note - Filtering affects only the data displayed in the Events view and does not change how policies are evaluated or enforced.

Event Logging Behavior

Event Logging Behavior displays the following information for each logged event.

Field

Description

Time

Date and time when the event was logged.

User

User associated with the event.

Capability

The browser security capability that generated the event.

Event Type

Type of event generated by the capability.

Action

Action enforced by the policy rule.

Resource

Website or resource associated with the event.

Description

Description of the event, based on the applied rule and action.
Rule Name

Name of the policy rule that matched the event.
Data Types

Detected data types for Data Loss PreventionClosed Check Point Software Blade on a Security Gateway that detects and prevents the unauthorized transmission of confidential information outside the organization. Acronym: DLP. (DLP) events only.

Event Types

Event Types describe the types of events generated by each Browser Security capability and the supported actions.

Action

Event Type(s)

Actions

Data Types

Access Control

Access Event

Allow, Block, Ask

Not applicable

Data Loss Prevention

File Upload, File Download

Allow, Prevent, Detect, Ask

Displayed only if a match occurs

Threat Emulation

File Upload, File Download, TEX Event

Prevent, Inform User

 Not applicable

Zero Phishing

Phishing Event

Prevent

 Not applicable

Detailed Event View

The Detailed Event View displays the following information for a selected event.

Field

Description

Time

Date and time when the event was logged.

User

User associated with the event.

Capability

The browser security capability that generated the event.

Event Type

Type of event generated by the capability.

Action

Action enforced by the policy rule.

Resource

Website, application, or resource associated with the event.
Description

Description of the event’s outcome.
Rule Name

Name of the policy rule that matched the event.
Data Types

Detected data types for Data Loss Prevention (DLP) events only.
Application

Application associated with the event, if applicable.
Browser

The browser where the event occurred.
OS Version

Operating system version of the endpoint.
Client Version

Browser Security client version.

IP Address

IP address associated with the event.

Ask Action Behavior

Ask Action Behavior describes how events are logged when a rule requires user justification.

Scenario

Result

Justification provided

Action is logged as Allow. The justification text appears in quotation marks in the Description.

Prompt closed without justification

Action remains Ask.

Event Description Behavior

Event Description Behavior describes how event descriptions are generated based on rule action and detection results.

Condition

Description

No data type matched

The file was allowed because it did not match any configured data types.

Rule action is Allow

Access or file transfer was allowed.

Ask with justification

Justification text is included in the Description.

Scenarios

Access Control

  1. Scenario 1: Ask Before Access (Controlled Exception)

    Use Case:

    An organization restricts access to external file-sharing websites but allows temporary access with justification.

  2. Scenario 2: Block High-Risk Categories (Strict Enforcement)

    Specific Event

    Since the URL belongs to a high risk category (gambling/unknown), the rule matching Source + Destination selects the Block action.

Secure Browsing

  1. Scenario 1: Ask about Password Reuse (User Decision Control)

    Specific Event

    Since the password is entered on a non-approved website, the Password Reuse capability triggers an Ask action.

  2. Scenario 2: Prevent Phishing Site Access (Real-Time Protection)

    Specific Event

    Since the URL is identified as a phishing/ malicious site, the Zero PhishingClosed Check Point Software Blade on a Security Gateway (R81.20 and higher) that provides real-time phishing prevention based on URLs. Acronym: ZPH. capability matches the rule and selects the Prevent action.

Data Loss Prevention (DLP)

  1. Scenario 1: Ask about Sensitive Data Upload (Guided User Decision)

    Specific Event

    Since the uploaded file contains sensitive data and the rule is configured with Action = Ask, the user is prompted before the upload is allowed.

  2. Scenario 2: Prevent Upload of Confidential Data (Strict Data Protection)

    Specific Event

    Since the uploaded file contains sensitive data and the rule is configured with Action = Prevent, the upload is blocked immediately.