Most browser based IPS detections comes from iframes within legit sites. SEP only logs the url of the iframe.
SEP should also log the root website.
Eg. If a user visites forbes.com that host adware through an iframe, SEP will log the source as infectedadsite.com and never leave any trace that the malicious site to be checked is actually forbes.com.
SEP should log both sites. E.g "infectedadsite.com blocked while visiting forbes.com"
Torb