This section provides information regarding the fields exported for Web Security and DLP logs using the Log Export feature for Cloud Web Security.
It is divided into two parts: a table of Web Security log fields and a table of DLP log fields, as exported by Log Export.
Web Security Log Fields
This table includes the log fields when Log Export is configured to export Web Security logs.
Parameter | Description | Example |
---|---|---|
browser_and_version | The client browser and its version. Non-browser clients return undefined_undefined. | Chrome_65 |
cached | Indicates whether the resource was obtained from the isolated browser’s cache (True) or by downloading from the origin server (False). | True |
casb_app_name | Cloud application name (for CASB events). | DropBox |
casb_cat_name | Application category name (for CASB events). | Cloud File Sharing |
casb_fun_name | Application function name (the operation the user performed). | upload |
casb_org_name | Name of the organization that publishes the application. | Dropbox Inc. |
casb_profile_id | Cloud Web Security CASB profile ID. | e47cecae-721f… |
casb_profile_name | Cloud Web Security CASB profile name attached to application or exception rule. | upload block |
casb_profile_type | Cloud Web Security CASB profile type (sanctioned/unsanctioned/unclassified). | unclassified |
casb_risk_score | Cloud Web Security risk score for application (0-10). | 3 |
categories | Category type classification used by Category Rules (e.g., General, Education, Download Sites, etc.). | Education |
content-type | Page type. | text/html; charset=iso-8859-1 |
domain | Domain part of the URL. | example.com |
dst | Destination IP that proxy DNS lookup resolved to (may sometimes be a list of IP addresses). | 130.65.255.101 |
egress_country | Egress IP country (isolation instance). | US |
egress_ip | IP address for outbound flow (typically from a private network to the Internet). | 54.111.221.123 |
event_time | The access initiate date and time. | 2018-04-10T21:00:40.548000 |
filename | The filename of the file being uploaded or downloaded. | NA |
file_size | The size (in bytes) of a file in a file upload/download event. | NA |
full_session_id | Unique ID for a page load (used as a correlation ID for other events: uploads/downloads/etc.). | KbJQIDPS-1 |
hashes | Hashes of the pagingIdentifier object, used to detect and drop records returned twice by overlapping log fetch API calls. | |
has_password | Presence of password in form POST request. | false |
is_iframe | Is inline frame (iframe) element (true/false). | true |
name | Request type. | page request |
next_time | Log pagination uses this field as the start time for the next query. If no time is present, the original start and end times are used. | |
origin_country | Country of actual IP address of the destination server (origin_ip). | FR |
origin_ip | Actual IP address of the destination server. | 130.65.255.101 |
pagingIdentifiers | Identifier used for log pagination if needed to download all log entries (i.e., the request returned more than 1000 records). | |
pe_action | The Cloud Web Security action taken for the session (Isolate, Allow, Block, or Direct). Direct actions are external application links that a user may click to launch through their web browser (e.g., anchor links, javascript navigations and mailto links). | isolate |
pe_reason | Web policy rule ID responsible for the Cloud Web Security action. This can be empty for some cases. | 6c6ea27d-5350 |
product | The Cloud Web Security product. | CWS |
protocol | The protocol used for the session (http or https). | http |
referer | Page request referer address. | https://www.adobe.com |
region | AWS region and availability zone. | us-west-1b |
request_type | The method type for the request (GET, PUT, POST, etc.). | GET |
response_code | HTTP response status code. | 200 |
risk_score | Risk calculated for URL. | low |
risk_tally | Count of risks encountered. | 4 |
sbox | Sandbox inspection result. | Infected |
sbox_mal_act | List of malicious activities found in the sandbox. | |
severity | The severity level for the session. This is currently fixed at 5. | 5 |
sha256 | SHA256 hash of the file, document or text. This is a collision-resistant identifier for the content and can be used to correlate the same file across events. | fd1aee67... |
soph | Full file scan result. | Clean (Sandbox Required) |
soph_dlp_ref | DLP log link. | NA |
tab_id | Tab creation number within a surrogate (used to track how an individual tab is navigated by a user). | 1 |
threats | Threat type identified by Cloud Web Security internal data (what the Risks field is set to). | cats_Phishing&Fraud |
threat_types | Top level risk. | Phishing |
timestamp | Start time of the requesting log. This is internal to the log database. | 2023-04-10T21:00:02.599Z |
top_url | Top level URL (in case of iframe). | https://example.com |
ua_type | The type of user agent (supported/unsupported/non browser). | supported_browser |
url | The Destination URL | https://example.com |
user-agent | The software (software agent) acting on behalf of a user (commonly a web browser). | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 |
userid | The User ID for the log (in Anonymous mode, this is anon-xxx). | [email protected] |
vendor | The product vendor name (Cloud Web Security). | Cloud Web Security |
version | The Cloud Web Security product version. | 1.16.0 |
virus_details | Virus detail. | EICAR-NOT-A-VIRUS |
x-client-country | Country for IP request from user. | US |
x-client-ip | Source IP. | 12.206.221.226 |
DLP Log Fields
This table includes the log fields when Log Export is configured to export DLP logs.
Parameter | Description | Example |
---|---|---|
action | Action taken for session (block or log). | block |
alerted | Whether or not an email alert was sent to a DLP Auditor profile. | false |
categories | Category type classification used by Category Rules (e.g., General, Education, Download Sites, etc.). | Download Sites |
ccl_ids | Name of DLP dictionary that was violated. If there are multiple violations, this will be an array of strings. | Credit... |
ccl_match_counts | Number of matches of the string that caused the violation. If there are multiple violations, this will be an array of match counts in the same order as the list of dictionaries from ccl_ids field. | 1 |
ccl_scores | DLP score from the dictionary that caused the violation. If there are multiple violations, this will be an array of DLP scores in the same order as the list of dictionaries from ccl_ids field. | 1 |
domain | Domain part of the URL. | tinyupload.com |
dst_url | Destination URL. | http://tinyupload.com |
event_id | Unique identifier for the DLP request (corresponds to the file_id in web log if this is a file upload). | a4c216… |
event_time | The access initiate date and time. | 2023-03-09T17:16:22.227000 |
filename | The name of the file that triggered the DLP violation (for file uploads). | credit_cards.csv |
file_type | Type of file that triggered the DLP violation. | CSV |
hashes | Hashes of the pagingIdentifier object, used to detect and drop records returned twice by overlapping log fetch API calls. | |
name | Request type. | file_upload |
next_time | Log pagination uses this field as the start time for the next query. If no time is present, the original start and end times are used. | |
pagingIdentifiers | Identifier used for log pagination if needed to download all log entries (i.e., the request returned more than 1000 records). | |
product | The Cloud Web Security Product. | CWS |
protocol | The protocol used for the session (http or https). | http |
request_type | The method type for the request (GET, PUT, POST, etc.). | POST |
rule_id | DLP policy rule identifier responsible for the action taken. | 1f3ef32… |
rule_name | Name of the DLP policy rule that was violated. | Credit card block rule |
severity | The severity level for the session. This is currently fixed at 5. | 5 |
sha256 | SHA256 hash of the file, document or text. This is a collision-resistant identifier for the content and can be used to correlate the same file across events. | fd1aee67… |
src_url | Source URL. | http://tinyupload.com/ |
status | Result from the DLP engine (currently fixed at dirty). | dirty |
stream_name | Internal name used for the file (usually working_file) or text stream (uid). | 1a856c756fea |
timestamp | Start time of the requesting log. This is internal to the log database. | 2023-03-09T17:16:22.227Z |
userid | User ID for the log (in Anonymous mode, this is anon-xxx). | [email protected] |
user_input | Whether or not this event was generated as a result of user form input. | false |
vendor | The product vendor name (Cloud Web Security). | Cloud Web Security |
version | The Cloud Web Security product version. | 1.16.0 |
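The two tables above describe fields that a SIEM pipeline has to handle with care: some values are a scalar for one item and an array for several (dst, and the ccl_ids/ccl_match_counts/ccl_scores triple, which must stay index-aligned), event_time is a naive ISO timestamp while timestamp carries a trailing Z, overlapping fetches can return the same record twice, and DLP events carry no full_session_id of their own. The following is an added example, not code from the Log Export product or its documentation: it normalises constructed Web and DLP records, de-duplicates them, unpacks the ccl_* triple, and joins DLP events to Web sessions. The join key (same userid and domain within a short time window) and the composite de-duplication key are assumptions made for this example; the page itself only documents the pagingIdentifier hashes and the event_id/file_id link for uploads.

```python
"""Normalise and correlate Cloud Web Security Log Export records (Web and DLP).

Added example; not part of Log Export. Field names follow the tables above.
Sample records are constructed. The userid+domain join and the composite
de-duplication key are assumptions, not documented product behaviour.
"""
import json
from datetime import datetime, timedelta, timezone

SHA = "fd1aee67" + "ab" * 28  # constructed 64-hex SHA256 value

# Constructed Web export page. The second record repeats the first to mimic a
# record returned twice by overlapping fetch windows.
WEB_PAGE = [
    {"event_time": "2023-03-09T17:16:20.100000", "userid": "alice@example.com",
     "name": "page request", "url": "http://tinyupload.com/", "domain": "tinyupload.com",
     "dst": "130.65.255.101", "full_session_id": "KbJQIDPS-1", "pe_action": "Isolate",
     "request_type": "GET", "response_code": 200, "sha256": "", "filename": "NA"},
    {"event_time": "2023-03-09T17:16:20.100000", "userid": "alice@example.com",
     "name": "page request", "url": "http://tinyupload.com/", "domain": "tinyupload.com",
     "dst": "130.65.255.101", "full_session_id": "KbJQIDPS-1", "pe_action": "Isolate",
     "request_type": "GET", "response_code": 200, "sha256": "", "filename": "NA"},
    {"event_time": "2023-03-09T17:16:22.000000", "userid": "alice@example.com",
     "name": "file upload", "url": "http://tinyupload.com/upload", "domain": "tinyupload.com",
     "dst": ["130.65.255.101", "130.65.255.102"], "full_session_id": "KbJQIDPS-1",
     "pe_action": "Block", "request_type": "POST", "response_code": 403,
     "sha256": SHA, "filename": "credit_cards.csv"},
]

# Constructed DLP export page: one multi-dictionary hit (arrays) and one single hit (scalars).
DLP_PAGE = [
    {"event_id": "a4c216aa", "event_time": "2023-03-09T17:16:22.227000",
     "userid": "alice@example.com", "domain": "tinyupload.com", "name": "file_upload",
     "action": "block", "ccl_ids": ["Credit Card Numbers", "US SSN"],
     "ccl_match_counts": [3, 1], "ccl_scores": [7, 2],
     "filename": "credit_cards.csv", "sha256": SHA},
    {"event_id": "b7e3f901", "event_time": "2023-03-09T17:20:00.000000",
     "userid": "bob@example.com", "domain": "tinyupload.com", "name": "text_post",
     "action": "log", "ccl_ids": "Credit Card Numbers", "ccl_match_counts": 1,
     "ccl_scores": 1, "filename": "NA", "sha256": ""},
]


def as_list(value):
    """dst and the ccl_* fields are a scalar for one value and an array for many."""
    if value is None or value == "":
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def parse_time(ts):
    """event_time is naive ISO with microseconds; timestamp ends in Z. Naive values are taken as UTC (assumption)."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def dedupe(records, key_fields):
    """Drop records repeated across overlapping fetches, keyed on a field tuple (client-side fallback)."""
    seen, out = set(), []
    for rec in records:
        key = json.dumps([rec.get(f) for f in key_fields], sort_keys=True)
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out


def dlp_violations(rec):
    """Unpack ccl_ids/ccl_match_counts/ccl_scores into one dict per dictionary, rejecting misaligned arrays."""
    ids, counts, scores = (as_list(rec.get(k)) for k in ("ccl_ids", "ccl_match_counts", "ccl_scores"))
    if not (len(ids) == len(counts) == len(scores)):
        raise ValueError(f"ccl_* arrays misaligned in DLP event {rec.get('event_id')}")
    return [{"dictionary": i, "matches": int(c), "score": int(s)} for i, c, s in zip(ids, counts, scores)]


def correlate(web_records, dlp_records, window=timedelta(seconds=5)):
    """Map each DLP event_id to the full_session_id values of Web records for the same
    user and domain that started within `window` before it (join key is an assumption)."""
    hits = {}
    for d in dlp_records:
        t = parse_time(d["event_time"])
        sessions = set()
        for w in web_records:
            if w["userid"] != d["userid"] or w["domain"] != d["domain"]:
                continue
            if timedelta(0) <= t - parse_time(w["event_time"]) <= window:
                sessions.add(w["full_session_id"])
        hits[d["event_id"]] = sorted(sessions)
    return hits


def next_window(page_meta, start, end):
    """Pagination: with pagingIdentifiers present the next query starts at next_time,
    otherwise the original start/end are reused, as the next_time field describes."""
    if page_meta.get("pagingIdentifiers") and page_meta.get("next_time"):
        return page_meta["next_time"], end
    return start, end


if __name__ == "__main__":
    web = dedupe(WEB_PAGE, ("event_time", "userid", "url", "full_session_id", "sha256"))
    for d in DLP_PAGE:
        print(d["event_id"], d["action"], dlp_violations(d), correlate(web, DLP_PAGE)[d["event_id"]])
```

In practice the pagingIdentifier hashes from the export itself should drive de-duplication; the composite key here is only a fallback for records that arrive without them. The correlation window is deliberately short because a DLP event for a file upload is emitted at the same moment as the corresponding Web upload record.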