Collect Netskope web proxy logs

Supported in:

Google secops SIEM

This document explains how to ingest Netskope web proxy logs to Google Security Operations using Google Cloud Storage V2.

Netskope provides a cloud-native secure web gateway that inspects and controls web traffic in real time. Web transaction (WebTx) logs capture detailed records of every HTTP and HTTPS session processed by the Netskope proxy, including user identity, application, URL category, threat and DLP verdicts, and network metadata.

Before you begin

Ensure that you have the following prerequisites:

A Google SecOps instance
A GCP project with Cloud Storage API enabled
Permissions to create and manage GCS buckets
Permissions to manage IAM policies on GCS buckets
Privileged access to the Netskope tenant with administrator credentials

Option - Netskope Log Streaming to Google Cloud Storage

Use this option if you have a Netskope Log Streaming subscription enabled on your tenant. Netskope Log Streaming pushes WebTx log files directly to your GCS bucket as compressed .gzip files at a fixed interval of 240 seconds.

Create Google Cloud Storage bucket

Go to the Google Cloud Console.
Select your project or create a new one.
In the navigation menu, go to Cloud Storage > Buckets.
Click Create bucket.

Provide the following configuration details:

Setting	Value
Name your bucket	Enter a globally unique name (for example, `netskope-webtx-logs`)
Location type	Choose based on your needs (Region, Dual-region, Multi-region)
Location	Select the location closest to your organization (for example, `us-central1`)
Storage class	Standard (recommended for frequently accessed logs)
Access control	Uniform (recommended)
Protection tools	Optional: Enable object versioning or retention policy

Click Create.

Create a GCP service account

Netskope Log Streaming requires a GCP service account with write permissions to your GCS bucket. The private key from this service account is used by Netskope to authenticate when pushing log files.

In the GCP Console, go to IAM & Admin > Service Accounts.
Click Create Service Account.
Provide the following configuration details:
- Service account name: Enter netskope-log-streaming
- Service account description: Enter Service account for Netskope Log Streaming to push WebTx logs to GCS
Click Create and Continue.
In the Grant this service account access to project section:
1. Click Select a role.
2. Search for and select Storage Object Creator.
Click Continue.
Click Done.

Generate JSON key

In IAM & Admin > Service Accounts, click the service account netskope-log-streaming.
Select the Keys tab.
Click Add Key > Create new key.
Select JSON as the key type.
Click Create.
A JSON key file downloads automatically. Save this file securely.
Open the JSON key file in a text editor and locate the private_key field. You will need this value in the next section.

Grant write permissions on GCS bucket

Go to Cloud Storage > Buckets.
Click your bucket name (for example, netskope-webtx-logs).
Go to the Permissions tab.
Click Grant access.
Provide the following configuration details:
- Add principals: Enter the service account email (for example, netskope-log-streaming@YOUR_PROJECT_ID.iam.gserviceaccount.com)
- Assign roles: Select Storage Object Creator
Click Save.

Create log stream

Sign in to the Netskope tenant with administrator credentials.
Go to Settings > Tools > Log Streaming.
Click Create Stream.
In the Name field, enter a human-readable name for the stream (for example, Chronicle WebTx GCS).
Select GCP Cloud Storage as the destination type.
Provide the following configuration details:
- Bucket: Enter the name of the GCS bucket (for example, netskope-webtx-logs).
  
  Note: Follow bucket naming conventions for Google Cloud Storage.
- Path (optional): Enter a folder path within the bucket where logs will be stored (for example, netskope/webtx/{%Y}).
  
  Note: In Google Cloud Storage, paths work as object names. When you enter a path such as netskope/webtx/{%Y}, Google Cloud Storage does not create separate folders in the bucket. Instead, the objects are stored in one bucket and named with the path as a prefix (for example, netskope/webtx/2026/filename). See object naming guidelines for details.
- Private Key: Enter the private_key value from the JSON key file generated in the previous section. Enter the key in PEM format with line break (\n) symbols:
```
-----BEGIN PRIVATE KEY-----\nprivate_key_content\n-----END PRIVATE KEY-----\n
```
  Note: Copy the entire private_key value from the JSON key file, including the \n characters.
Review the Delivery Options: Push frequency is an ongoing 240 seconds.
Click Save (or Create) to activate the stream.

Note: Stream activation can take up to 60 minutes from creation. After activation, Netskope pushes WebTx log files as compressed .gzip files to your GCS bucket every 240 seconds. These files contain the original web transaction data without modification.

Configure a feed in Google SecOps to ingest Netskope WebTx logs from GCS

Retrieve the Google SecOps service account

Google SecOps uses a unique service account to read data from your GCS bucket. You must grant this service account access to your bucket.

Go to SIEM Settings > Feeds.
Click Add New Feed.
Click Configure a single feed.
In the Feed name field, enter a name for the feed (for example, Netskope WebTx Logs).
Select Google Cloud Storage V2 as the Source type.
Select Netskope web proxy as the Log type.
Click Get Service Account. A unique service account email will be displayed, for example:
```
chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com
```
Copy this email address for use in the next step.

Note: Each Google SecOps instance has a unique service account. Don't use service accounts from other documentation or examples.
Click Next.
Specify values for the following input parameters:
- Storage bucket URL: Enter the GCS bucket URI with the prefix path:
```
gs://netskope-webtx-logs/netskope/webtx/
```
  - Replace:
    - netskope-webtx-logs: Your GCS bucket name.
    - netskope/webtx/: The path prefix configured in Netskope Log Streaming (leave empty for root).
Note: Always include the trailing slash (/) at the end of the URI.
- Source deletion option: Select the deletion option according to your preference:
  - Never: Never deletes any files after transfers (recommended for testing).
  - Delete transferred files: Deletes files after successful transfer.
  - Delete transferred files and empty directories: Deletes files and empty directories after successful transfer.
    
    Note: If you select a deletion option, the Google SecOps service account must have Storage Object Admin role instead of Storage Object Viewer. Update IAM permissions accordingly.
- Maximum File Age: Include files modified in the last number of days (default is 180 days)
- Asset namespace: The asset namespace
- Ingestion labels: The label to be applied to the events from this feed
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.

Grant IAM permissions to the Google SecOps service account

The Google SecOps service account needs Storage Object Viewer role on your GCS bucket.

Go to Cloud Storage > Buckets.
Click your bucket name (for example, netskope-webtx-logs).
Go to the Permissions tab.
Click Grant access.
Provide the following configuration details:
- Add principals: Paste the Google SecOps service account email (for example, chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com)
- Assign roles: Select Storage Object Viewer
Click Save.

Option - Cloud Exchange Log Shipper to Google Cloud Storage

Use this option if you have the Netskope Cloud Exchange platform deployed with the Log Shipper module configured. The Log Shipper pulls WebTx logs from your Netskope tenant and pushes them as compressed .gzip files to a GCS bucket, which Google SecOps then reads through a Google Cloud Storage V2 feed.

Before you begin (Cloud Exchange)

Ensure that you have the following additional prerequisites for this option:

A Netskope Cloud Exchange tenant with the Tenant plugin and Log Shipper module already configured.
The Netskope CLS source plugin configured in Log Shipper (this pulls data from the Netskope tenant).
A GCS bucket created for storing WebTx logs. If you haven't created one, follow the steps in Create Google Cloud Storage bucket.
A GCP service account with write access to the GCS bucket. If you haven't created one, follow the steps in Create a GCP service account, Generate JSON key, and Grant write permissions on GCS bucket.

Configure the GCS destination plugin

In Cloud Exchange, go to Settings > Plugin Store.
Search for and select the Google Cloud SCC (Google GCS) plugin box.
Click Configure New Plugin (or add a new plugin configuration).
Provide the following configuration details:
- Configuration Name: Enter a descriptive name (for example, GCS WebTx Destination).
- Mapping: Select a mapping file. For WebTx logs that are pushed as original .gzip files, no mapping transformation is applied.
- Bucket: Enter the name of the GCS bucket (for example, netskope-webtx-logs).
- Path (optional): Enter a folder path (for example, netskope/webtx/).
- Private Key: Enter the private_key value from the JSON key file of the service account.
Click Save.
The new plugin configuration will appear on the Log Shipper > Plugins page.

Configure a business rule (optional)

By default, the All business rule filters all alerts and events. If you want to filter WebTx logs specifically, create a new business rule:

In Log Shipper, go to Business Rules.
Click Create New Rule.
Enter a Rule Name (for example, WebTx Only).
Configure the desired filter(s) to include only WebTx data.
Click Save.

Configure Log Delivery

In Log Shipper, go to Log Delivery.
Click Add Log Delivery Configuration.
Provide the following configuration details:
- Source Configuration: Select the Netskope CLS source plugin (for example, WebTxCLS or Netskope CLS).
- Destination Configuration: Select the GCS destination plugin you configured (for example, GCS WebTx Destination).
- Business Rule: Select a business rule (for example, All or WebTx Only).
Click Save.

Note: As soon as the Log Delivery is saved, Cloud Exchange will do a historical pull for events (default period: 1 hour) and alerts (default period: 7 days).
To get additional historical data, click the Pull Historical Data icon from the Log Delivery actions.
Select a Historical From and To date range and click Pull.

Configure a feed in Google SecOps to ingest Netskope WebTx logs from GCS

Follow the same steps as in the Netskope Log Streaming option to create a Google SecOps feed and grant IAM permissions:

Retrieve the Google SecOps service account — create a feed with Google Cloud Storage V2 as the source type and Netskope web proxy as the log type.
Grant IAM permissions to the Google SecOps service account — grant the Storage Object Viewer role (or Storage Object Admin if using a deletion option) on the GCS bucket to the Google SecOps service account.

Verify log delivery

To verify that WebTx logs are being delivered to the GCS bucket:

In Cloud Exchange, go to Log Shipper > Log Delivery.
Check the Total Logs/WebTx Sent to External Receiver and Total WebTx Sent to Storage Bucket columns to confirm that data is being pushed to the destination.
In the GCS bucket, confirm that .gzip files are being written by the Log Shipper.

Configure Log Shipper Global Settings (optional)

Only Admins can change Log Shipper Global Settings. Go to Settings > Log Shipper. There are two tabs: General and Mappings.

On the General tab, you can configure the retry strategy for log delivery:

Default (3 Retries): In the event of a failed log delivery, Log Shipper will initiate 3 attempts to push the logs to the destination. If all 3 retry attempts fail, the corresponding batch of logs will be discarded.
Retry till Successful Delivery: Unlimited retries till successful delivery of logs.

Note: The "Retry till Successful Delivery" option may impact overall Cloud Exchange performance, including other Cloud Exchange modules.

You can also enable UTF-8 encoding for Alerts, Events, and WebTx to ensure seamless handling of UTF-8 encoded data. By default, this feature is disabled.

UDM mapping table

Transaction events

Column number	Log field	UDM mapping
1	`bytes`	`additional.fields`
2	`c-ip`	`principal.ip` `principal.asset.ip`
3	`cs-bytes`	`network.sent_bytes`
4	`cs-content-type`	`additional.fields`
5	`cs-dns`	`target.hostname` `target.asset.hostname`
6	`cs-host`	`target.hostname` `target.asset.hostname` (if cs-dns is empty)
7	`cs-method`	`network.http.method`
8	`cs-referer`	`network.http.referral_url`
9	`cs-uri`	`additional.fields`
10	`cs-uri-port`	`additional.fields` `target.port` (if x-cs-dst-port is empty)
11	`cs-uri-query`	`additional.fields`
12	`cs-uri-scheme`	`network.application_protocol`
13	`cs-user-agent`	`network.http.user_agent`
14	`cs-username`	`principal.user.email_addresses` (when it is a valid email) `principal.user.userid` (when not a valid email)
15	`date`	`metadata.event_timestamp`
16	`rs-status`	`additional.fields`
17	`s-ip`	`target.ip` `target.asset.ip`
18	`sc-bytes`	`network.received_bytes`
19	`sc-content-type`	`additional.fields`
20	`sc-status`	`network.http.response_code`
21	`time`	`metadata.event_timestamp`
22	`time-taken`	`network.session_duration`
23	`x-c-browser`	`principal.browser.browser_type`
24	`x-c-browser-version`	`principal.browser.browser_version`
25	`x-c-country`	`principal.location.country_or_region`
26	`x-c-device`	`additional.fields`
27	`x-c-latitude`	`principal.location.region_coordinates.latitude`
28	`x-c-local-time`	`security_result.detection_fields`
29	`x-c-location`	`principal.location.city`
30	`x-c-longitude`	`principal.location.region_coordinates.longitude`
31	`x-c-os`	`principal.platform`
32	`x-c-region`	`principal.location.state`
33	`x-c-zipcode`	`additional.fields`
34	`x-category`	`additional.fields`
35	`x-category-id`	`additional.fields`
36	`x-client-ssl-err`	`additional.fields`
37	`x-cs-access-method`	`additional.fields`
38	`x-cs-app`	`principal.application`
39	`x-cs-app-activity`	`additional.fields`
40	`x-cs-app-category`	`additional.fields`
41	`x-cs-app-cci`	`additional.fields`
42	`x-cs-app-ccl`	`additional.fields`
43	`x-cs-app-from-user`	`principal.user.email_address` (when it is a valid email) `principal.user.userid` (when not a valid email)
44	`x-cs-app-instance-id`	`principal.resource.product_object_id`
45	`x-cs-app-instance-name`	`principal.resource.name`
46	`x-cs-app-instance-tag`	`additional.fields`
47	`x-cs-app-object-id`	`additional.fields`
48	`x-cs-app-object-name`	`additional.fields`
49	`x-cs-app-object-type`	`additional.fields`
50	`x-cs-app-suite`	`additional.fields`
51	`x-cs-app-tags`	`additional.fields`
52	`x-cs-app-to-user`	`additional.fields`
53	`x-cs-connect-host`	`additional.fields`
54	`x-cs-connect-port`	`additional.fields`
55	`x-cs-connect-user-agent`	`network.http.user_agent` `network.http.parsed_user_agent`
56	`x-cs-domain-fronted-sni`	`additional.fields`
57	`x-cs-dst-ip`	`target.ip`
58	`x-cs-dst-port`	`target.port`
59	`x-cs-http-version`	`network.application_protocol_version`
60	`x-cs-ip-connect-xff`	`principal.ip` `principal.asset.ip`
61	`x-cs-ip-xff`	`principal.ip` `principal.asset.ip`
62	`x-cs-page-id`	`additional.fields`
63	`x-cs-session-id`	`network.session_id`
64	`x-cs-site`	`additional.fields`
65	`x-cs-sni`	`network.tls.client.server_name`
66	`x-cs-src-ip`	`principal.ip` `principal.asset.ip`
67	`x-cs-src-ip-egress`	`principal.ip` `principal.asset.ip`
68	`x-cs-src-port`	`principal.port`
69	`x-cs-ssl-cipher`	`network.tls.cipher`
70	`x-cs-ssl-engine-action`	`additional.fields`
71	`x-cs-ssl-engine-action-reason`	`additional.fields`
72	`x-cs-ssl-fronting-error`	`security_result.detection_fields`
73	`x-cs-ssl-handshake-error`	`security_result.detection_fields`
74	`x-cs-ssl-ja3`	`network.tls.client.ja3`
75	`x-cs-ssl-version`	`network.tls.version`
76	`x-cs-timestamp`	`metadata.event_timestamp`
77	`x-cs-traffic-type`	`additional.fields`
78	`x-cs-tunnel-id`	`additional.fields`
79	`x-cs-uri-path`	`additional.fields`
80	`x-cs-url`	`target.url`
81	`x-cs-userip`	`principal.ip` `principal.asset.ip`
82	`x-error`	`additional.fields`
83	`x-other-category`	`security_result.category_details`
84	`x-other-category-id`	`security_result.detection_fields`
85	`x-policy-action`	`security_result.action` `security_result.action_details`
86	`x-policy-dst-host`	`security_result.detection_fields`
87	`x-policy-dst-host-source`	`security_result.detection_fields`
88	`x-policy-dst-ip`	`security_result.detection_fields`
89	`x-policy-justification-reason`	`additional.fields`
90	`x-policy-justification-type`	`additional.fields`
91	`x-policy-name`	`security_result.rule_name`
92	`x-policy-src-ip`	`security_result.detection_fields`
93	`x-r-cert-enddate`	`network.tls.server.certificate.not_after`
94	`x-r-cert-expired`	`additional.fields`
95	`x-r-cert-incomplete-chain`	`additional.fields`
96	`x-r-cert-issuer-cn`	`network.tls.server.certificate.issuer`
97	`x-r-cert-mismatch`	`additional.fields`
98	`x-r-cert-revocation-check`	`additional.fields`
99	`x-r-cert-revoked`	`additional.fields`
100	`x-r-cert-self-signed`	`additional.fields`
101	`x-r-cert-startdate`	`network.tls.server.certificate.not_before`
102	`x-r-cert-subject-cn`	`network.tls.server.certificate.subject`
103	`x-r-cert-untrusted-root`	`additional.fields`
104	`x-r-cert-valid`	`additional.fields`
105	`x-request-id`	`additional.fields`
106	`x-rs-file-category`	`additional.fields`
107	`x-rs-file-language`	`additional.fields`
108	`x-rs-file-md5`	`principal.file.md5`
109	`x-rs-file-sha256`	`principal.file.sha256`
110	`x-rs-file-size`	`principal.file.size`
111	`x-rs-file-type`	`additional.fields`
112	`x-s-country`	`target.location.country_or_region`
113	`x-s-custom-signing-ca-error`	`security_result.detection_fields`
114	`x-s-dp-name`	`additional.fields`
115	`x-s-latitude`	`target.location.region_coordinates.latitude`
116	`x-s-location`	`target.location.city`
117	`x-s-longitude`	`target.location.region_coordinates.longitude`
118	`x-s-region`	`target.location.state`
119	`x-s-zipcode`	`additional.fields`
120	`x-sc-notification-name`	`additional.fields`
121	`x-server-ssl-err`	`additional.fields`
122	`x-sr-dst-ip`	`security_result.detection_fields`
123	`x-sr-dst-port`	`security_result.detection_fields`
124	`x-sr-headers-name`	`additional.fields`
125	`x-sr-headers-value`	`additional.fields`
126	`x-sr-src-ip`	`intermediary.ip`
127	`x-sr-src-port`	`intermediary.port`
128	`x-sr-ssl-cipher`	`security_result.detection_fields`
129	`x-sr-ssl-client-certificate-error`	`security_result.detection_fields`
130	`x-sr-ssl-engine-action`	`security_result.detection_fields`
131	`x-sr-ssl-engine-action-reason`	`security_result.detection_fields`
132	`x-sr-ssl-handshake-error`	`security_result.detection_fields`
133	`x-sr-ssl-ja3s`	`network.tls.server.ja3s`
134	`x-sr-ssl-malformed-ssl`	`security_result.detection_fields`
135	`x-sr-ssl-version`	`security_result.detection_fields`
136	`x-ssl-bypass`	`security_result.detection_fields`
137	`x-ssl-bypass-reason`	`security_result.summary`
138	`x-ssl-policy-action`	`security_result.detection_fields`
139	`x-ssl-policy-categories`	`security_result.category_details`
140	`x-ssl-policy-dst-host`	`security_result.detection_fields`
141	`x-ssl-policy-dst-host-source`	`security_result.detection_fields`
142	`x-ssl-policy-dst-ip`	`security_result.detection_fields`
143	`x-ssl-policy-name`	`security_result.detection_fields`
144	`x-ssl-policy-src-ip`	`security_result.detection_fields`
145	`x-transaction-id`	`additional.fields`
146	`x-type`	`metadata.product_event_type`

Alert events

Column number	Log field	UDM mapping
1	`_id`	`metadata.product_log_id`
2	`access_method`	`additional.fields`
3	`act_user`	`principal.user.email_addresses` `userid`
4	`action`	`security_result.action` `action_details`
5	`activity`	`additional.fields`
6	`alert`	`additional.fields`
7	`alert_name`	`security_result.detection_fields`
8	`alert_type`	`security_result.detection_fields`
9	`app`	`principal.application`
10	`app-gdpr-level`	`additional.fields`
11	`app_session_id`	`additional.fields`
12	`appact`	`additional.fields`
13	`appcategory`	`additional.fields`
14	`appsuite`	`additional.fields`
15	`audit_type`	`additional.fields`
16	`bcc`	`network.email.bcc` `additional.fields`
17	`browser`	`principal.browser.browser_type`
18	`browser_session_id`	`additional.fields`
19	`cc`	`network.email.cc` `additional.fields`
20	`cci`	`additional.fields`
21	`ccl`	`additional.fields`
22	`client_bytes`	`network.sent_bytes`
23	`client_packets`	`network.sent_packets`
24	`cloud_provider`	`additional.fields`
25	`computer_name`	`principal.hostname`
26	`conn_duration`	`additional.fields`
27	`conn_endtime`	`additional.fields`
28	`conn_starttime`	`additional.fields`
29	`connection_id`	`network.session_id`
30	`connection_type`	`additional.fields`
31	`custom_attr`	`additional.fields`
32	`destination_file_directory`	`additional.fields`
33	`destination_file_name`	`target.file.names`
34	`destination_file_path`	`target.file.full_path`
35	`device`	`principal.platform` `additional.fields`
36	`device_classification`	`additional.fields`
37	`dinsid`	`additional.fields`
38	`dlp_file`	`target.file.full_path`
39	`dlp_fingerprint_classification`	`additional.fields`
40	`dlp_fingerprint_score`	`additional.fields`
41	`dlp_incident_id`	`additional.fields`
42	`dlp_is_unique_count`	`additional.fields`
43	`dlp_parent_id`	`additional.fields`
44	`dlp_profile`	`additional.fields`
45	`dlp_rule`	`additional.fields`
46	`dlp_rule_count`	`additional.fields`
47	`dlp_rule_severity`	`additional.fields`
48	`dlp_unique_count`	`additional.fields`
49	`dns_profile`	`additional.fields`
50	`domain`	`network.tls.client.server_name`
51	`domain_ip`	`principal.ip`
52	`driver`	`additional.fields`
53	`dst_country`	`target.location.country_or_region`
54	`dst_geoip_src`	`additional.fields`
55	`dst_latitude`	`target.location.region_coordinates.latitude`
56	`dst_location`	`target.location.city`
57	`dst_longitude`	`target.location.region_coordinates.longitude`
58	`dst_region`	`target.location.name`
59	`dst_timezone`	`additional.fields`
60	`dst_zipcode`	`target.resource.attribute.labels`
61	`dsthost`	`target.hostname`
62	`dstip`	`target.ip`
63	`dstport`	`target.port`
64	`eeml`	`additional.fields`
65	`email_from_user`	`additional.fields`
66	`email_modified`	`additional.fields`
67	`email_user`	`additional.fields`
68	`encryption_status`	`additional.fields`
69	`end_time`	`additional.fields`
70	`file_md5`	`principal.file.md5`
71	`file_owner`	`additional.fields`
72	`file_path`	`principal.file.full_path`
73	`file_pdl`	`additional.fields`
74	`file_size`	`principal.file.size`
75	`file_type`	`principal.file.mime_type`
76	`filepath`	`additional.fields`
77	`fllg`	`additional.fields`
78	`flpp`	`additional.fields`
79	`from_user`	`principal.user.email_addresses` `additional.fields`
80	`hostname`	`principal.hostname`
81	`incident_id`	`additional.fields`
82	`instance`	`additional.fields`
83	`instance_id`	`additional.fields`
84	`ip_protocol`	`network.ip_protocol`
85	`local_source_time`	`additional.fields`
86	`location`	`additional.fields`
87	`mal_sev`	`additional.fields`
88	`managed_app`	`additional.fields`
89	`managementID`	`additional.fields`
90	`md5`	`additional.fields`
91	`mime_type`	`additional.fields`
92	`netskope_pop`	`additional.fields`
93	`network_session_id`	`network.session_id`
94	`nsdeviceuid`	`principal.asset.asset_id`
95	`num_users`	`additional.fields`
96	`numbytes`	`additional.fields`
97	`object`	`additional.fields`
98	`object_id`	`additional.fields`
99	`object_type`	`additional.fields`
100	`org`	`additional.fields`
101	`organization_unit`	`principal.administrative_domain`
102	`os`	`principal.platform`
103	`os_details`	`additional.fields`
104	`os_family`	`additional.fields`
105	`os_user_name`	`additional.fields`
106	`os_version`	`principal.platform_version`
107	`owner`	`additional.fields`
108	`owner_pdl`	`additional.fields`
109	`page`	`additional.fields`
110	`parent_id`	`additional.fields`
111	`pid`	`principal.process.pid`
112	`policy`	`security_result.rule_name`
113	`policy_action`	`additional.fields`
114	`policy_name`	`security_result.rule_name`
115	`policy_name_enforced`	`additional.fields`
116	`process_cert_subject`	`additional.fields`
117	`process_name`	`principal.process.file.names`
118	`process_path`	`principal.process.file.full_path`
119	`publisher_cn`	`additional.fields`
120	`record_type`	`additional.fields`
121	`referer`	`network.http.referral_url`
122	`req`	`additional.fields`
123	`req_cnt`	`additional.fields`
124	`request_id`	`additional.fields`
125	`resp`	`additional.fields`
126	`resp_cnt`	`additional.fields`
127	`risk_score`	`additional.fields`
128	`sa_rule_compliance`	`additional.fields`
129	`sanctioned_instance`	`additional.fields`
130	`server_bytes`	`network.received_bytes`
131	`server_packets`	`network.received_packets`
132	`severity`	`security_result.severity`
133	`session_duration`	`network.session_duration`
134	`session_number_unique`	`additional.fields`
135	`severity`	`security_result.severity`
136	`sha256`	`principal.file.sha256`
137	`shared_with`	`additional.fields`
138	`site`	`additional.fields`
139	`smtp_to`	`additional.fields`
140	`spet`	`additional.fields`
141	`spst`	`additional.fields`
142	`src_country`	`principal.location.country_or_region`
143	`src_geoip_src`	`principal.resource.attribute.labels`
144	`src_latitude`	`principal.location.region_coordinates.latitude`
145	`src_location`	`principal.location.city`
146	`src_longitude`	`principal.location.region_coordinates.longitude`
147	`src_network`	`additional.fields`
148	`src_region`	`principal.location.state`
149	`src_timezone`	`additional.fields`
150	`src_zipcode`	`principal.resource.attribute.labels`
151	`srcip`	`principal.ip`
152	`srcport`	`principal.port`
153	`start_time`	`additional.fields`
154	`subtype`	`additional.fields`
155	`tags`	`additional.fields`
156	`telemetry_app`	`additional.fields`
157	`thr`	`additional.fields`
158	`threat_type`	`additional.fields`
159	`timestamp`	`additional.fields`
160	`to_user`	`additional.fields`
161	`total_packets`	`additional.fields`
162	`traffic_type`	`additional.fields`
163	`transaction_id`	`additional.fields`
164	`tss_mode`	`additional.fields`
165	`tunnel_id`	`additional.fields`
166	`tur`	`additional.fields`
167	`type`	`additional.fields`
168	`ur_normalized`	`additional.fields`
169	`url`	`target.url`
170	`user`	`additional.fields`
171	`user_confidence_index`	`additional.fields`
172	`user_confidence_level`	`additional.fields`
173	`user_id`	`additional.fields`
174	`useragent`	`network.http.user_agent` `network.http.parsed_user_agent`
175	`userip`	`additional.fields`
176	`userkey`	`principal.user.email_addresses`
177	`oauth`	`additional.fields`
178	`response_time`	`additional.fields`
179	`device_sn`	`principal.resource.product_object_id`
180	`device_type`	`additional.fields`
181	`dlp_profile_name`	`security_result.rule_type`
182	`executable_hash`	`additional.fields`
183	`executable_signed`	`additional.fields`
184	`file_origin`	`additional.fields`
185	`policy_version`	`additional.fields`
186	`port`	`additional.fields`
187	`product_id`	`metadata.product_log_id`
188	`unc_path`	`additional.fields`
189	`vendor_id`	`additional.fields`
190	`acting_user`	`additional.fields`
191	`assignee`	`target.user.userid`
192	`dlp_match_info`	`additional.fields`
193	`inline_dlp_match_info`	`additional.fields`
194	`latest_incident_id`	`additional.fields`
195	`status`	`additional.fields`
196	`violation`	`additional.fields`
197	`account_id`	`additional.fields`
198	`account_name`	`additional.fields`
199	`acked`	`additional.fields`
200	`alert_id`	`additional.fields`
201	`alert_source`	`additional.fields`
202	`breach_date`	`additional.fields`
203	`breach_id`	`additional.fields`
204	`breach_score`	`additional.fields`
205	`detection_engine`	`additional.fields`
206	`dlp_fingerprint_match`	`additional.fields`
207	`dlp_rule_score`	`additional.fields`
208	`email_title`	`additional.fields`
209	`event_uuid`	`additional.fields`
210	`file_category`	`additional.fields`
211	`file_cls_encrypted`	`additional.fields`
212	`file_exposure`	`additional.fields`
213	`file_id`	`additional.fields`
214	`filename`	`additional.fields`
215	`iaas_remediated`	`additional.fields`
216	`iaas_remediated_by`	`additional.fields`
217	`iaas_remediated_on`	`additional.fields`
218	`iaas_remediation_action`	`additional.fields`
219	`instance_name`	`additional.fields`
220	`loc`	`additional.fields`
221	`local_md5`	`additional.fields`
222	`local_sha1`	`additional.fields`
223	`local_sha256`	`additional.fields`
224	`mal_id`	`additional.fields`
225	`mal_type`	`additional.fields`
226	`malware_id`	`additional.fields`
227	`malware_severity`	`additional.fields`
228	`malware_type`	`additional.fields`
229	`message_id`	`additional.fields`
230	`modified_date`	`additional.fields`
231	`pop_id`	`additional.fields`
232	`redirect_url`	`additional.fields`
233	`region_id`	`additional.fields`
234	`region_name`	`additional.fields`
235	`resource_category`	`additional.fields`
236	`resource_group`	`additional.fields`
237	`risk_level_id`	`additional.fields`
238	`sa_profile_name`	`additional.fields`
239	`sa_rule_name`	`additional.fields`
240	`sa_rule_severity`	`additional.fields`
241	`sender`	`additional.fields`
242	`severity_id`	`additional.fields`
243	`severity_level`	`additional.fields`
244	`shared_credential_user`	`additional.fields`
245	`shared_domains`	`additional.fields`
246	`sharedType`	`additional.fields`
247	`smtp_status`	`additional.fields`
248	`subject`	`additional.fields`
249	`suppression_count`	`additional.fields`
250	`tss_license`	`additional.fields`
251	`two_factor_auth`	`additional.fields`
252	`usergroup`	`additional.fields`
253	`watchlist_name`	`additional.fields`
254	`web_url`	`additional.fields`

Web transaction

Columns 1-146 can also be used as another schema.

Column number	Log field	UDM mapping
1	`date`	`metadata.timestamp`
2	`time`	`metadata.timestamp`
3	`time-taken`	`additional.fields`
4	`cs-bytes`	`network.sent_bytes`
5	`sc-bytes`	`network.received_bytes`
6	`bytes`	`additional.fields`
7	`c-ip`	`principal.ip` `principal.asset.ip`
8	`s-ip`	`target.ip` `target.asset.ip`
9	`cs-username`	`principal.user.userid`
10	`cs-method`	`network.http.method`
11	`cs-uri-scheme`	`network.application_protocol`
12	`cs-uri-query`	`additional.fields`
13	`cs-user-agent`	`network.http.user_agent`
14	`cs-content-type`	`additional.fields`
15	`sc-status`	`network.http.response_code`
16	`sc-content-type`	`additional.fields`
17	`cs-dns`	`target.hostname`
18	`cs-host`	`target.hostname`
19	`cs-uri`	`additional.fields`
20	`cs-uri-port`	`additional.fields`
21	`cs-referer`	`network.http.referral_url`
22	`x-cs-session-id`	`network.session_id`
23	`x-cs-access-method`	`additional.fields`
24	`x-cs-app`	`principal.application`
25	`x-s-country`	`target.location.country_or_region`
26	`x-s-latitude`	`target.location.region_coordinates.latitude`
27	`x-s-longitude`	`target.location.region_coordinates.longitude`
28	`x-s-location`	`target.location.name`
29	`x-s-region`	`target.location.state`
30	`x-s-zipcode`	`additional.fields`
31	`x-c-country`	`principal.location.country_or_region`
32	`x-c-latitude`	`principal.location.region_coordinates.latitude`
33	`x-c-longitude`	`principal.location.region_coordinates.longitude`
34	`x-c-location`	`principal.location.name`
35	`x-c-region`	`principal.location.state`
36	`x-c-zipcode`	`additional.fields`
37	`x-c-os`	`principal.platform`
38	`x-c-browser`	`additional.fields`
39	`x-c-browser-version`	`additional.fields`
40	`x-c-device`	`additional.fields`
41	`x-cs-site`	`additional.fields`
42	`x-cs-timestamp`	`metadata.event_timestamp`
43	`x-cs-page-id`	`additional.fields`
44	`x-cs-userip`	`security_result.detection_fields`
45	`x-cs-traffic-type`	`additional.fields`
46	`x-cs-tunnel-id`	`additional.fields`
47	`x-category`	`additional.fields`
48	`x-other-category`	`security_resul.category_details`
49	`x-type`	`additional.fields`
50	`x-server-ssl-err`	`additional.fields`
51	`x-client-ssl-err`	`additional.fields`
52	`x-transaction-id`	`additional.fields`
53	`x-request-id`	`additional.fields`
54	`x-cs-sni`	`network.tls.client.server_name`
55	`x-cs-domain-fronted-sni`	`additional.fields`
56	`x-category-id`	`additional.fields`
57	`x-other-category-id`	`security_result.detection_fields`
58	`x-sr-headers-name`	`additional.fields`
59	`x-sr-headers-value`	`additional.fields`
60	`x-cs-ssl-ja3`	`network.tls.client.ja3`
61	`x-sr-ssl-ja3s`	`network.tls.server.ja3s`
62	`x-ssl-bypass`	`additional.fields`
63	`x-ssl-bypass-reason`	`additional.fields`
64	`x-r-cert-subject-cn`	`network.tls.server.certificate.subject`
65	`x-r-cert-issuer-cn`	`network.tls.server.certificate.issuer`
66	`x-r-cert-startdate`	`network.tls.server.certificate.not_before`
67	`x-r-cert-enddate`	`network.tls.server.certificate.not_after`
68	`x-r-cert-valid`	`additional.fields`
69	`x-r-cert-expired`	`additional.fields`
70	`x-r-cert-untrusted-root`	`additional.fields`
71	`x-r-cert-incomplete-chain`	`additional.fields`
72	`x-r-cert-self-signed`	`additional.fields`
73	`x-r-cert-revoked`	`additional.fields`
74	`x-r-cert-revocation-check`	`additional.fields`
75	`x-r-cert-mismatch`	`additional.fields`
76	`x-cs-ssl-fronting-error`	`security_result.detection_fields`
77	`x-cs-ssl-handshake-error`	`security_result.detection_fields`
78	`x-sr-ssl-handshake-error`	`security_result.detection_fields`
79	`x-sr-ssl-client-certificate-error`	`security_result.detection_fields`
80	`x-sr-ssl-malformed-ssl`	`security_result.detection_fields`
81	`x-s-custom-signing-ca-error`	`security_result.detection_fields`
82	`x-cs-ssl-engine-action`	`security_result.detection_fields`
83	`x-cs-ssl-engine-action-reason`	`security_result.detection_fields`
84	`x-sr-ssl-engine-action`	`security_result.detection_fields`
85	`x-sr-ssl-engine-action-reason`	`security_result.detection_fields`
86	`x-ssl-policy-src-ip`	`security_result.detection_fields`
87	`x-ssl-policy-dst-ip`	`security_result.detection_fields`
88	`x-ssl-policy-dst-host`	`security_result.detection_fields`
89	`x-ssl-policy-dst-host-source`	`security_result.detection_fields`
90	`x-ssl-policy-categories`	`security_result.category_details`
91	`x-ssl-policy-action`	`security_result.detection_fields`
92	`x-ssl-policy-name`	`security_result.rule_name`
93	`x-cs-ssl-version`	`network.tls.version`
94	`x-cs-ssl-cipher`	`network.tls.cipher`
95	`x-sr-ssl-version`	`security_result.detection_fields`
96	`x-sr-ssl-cipher`	`security_result.detection_fields`
97	`x-cs-src-ip-egress`	`security_result.detection_fields`
98	`x-s-dp-name`	`additional.fields`
99	`x-cs-src-ip`	`principal.ip` `principal.asset.ip`
100	`x-cs-src-port`	`principal.port`
101	`x-cs-dst-ip`	`target.ip`
102	`x-cs-dst-port`	`target.port`
103	`x-sr-src-ip`	`security_result.detection_fields`
104	`x-sr-src-port`	`additional.fields`
105	`x-sr-dst-ip`	`security_result.detection_fields`
106	`x-sr-dst-port`	`security_result.detection_fields`
107	`x-cs-ip-connect-xff`	`additional.fields`
108	`x-cs-ip-xff`	`additional.fields`
109	`x-cs-connect-host`	`additional.fields`
110	`x-cs-connect-port`	`additional.fields`
111	`x-cs-connect-user-agent`	`additional.fields`
112	`x-cs-url`	`target.url`
113	`x-cs-uri-path`	`additional.fields`
114	`x-cs-http-version`	`security_result.detection_fields`
115	`rs-status`	`additional.fields`
116	`x-cs-app-category`	`additional.fields`
117	`x-cs-app-cci`	`additional.fields`
118	`x-cs-app-ccl`	`additional.fields`
119	`x-cs-app-tags`	`additional.fields`
120	`x-cs-app-suite`	`additional.fields`
121	`x-cs-app-instance-id`	`additional.fields`
122	`x-cs-app-instance-name`	`additional.fields`
123	`x-cs-app-instance-tag`	`additional.fields`
124	`x-cs-app-activity`	`additional.fields`
125	`x-cs-app-from-user`	`additional.fields`
126	`x-cs-app-to-user`	`additional.fields`
127	`x-cs-app-object-type`	`additional.fields`
128	`x-cs-app-object-name`	`additional.fields`
129	`x-cs-app-object-id`	`additional.fields`
130	`x-rs-file-type`	`principal.process.file.mime_type`
131	`x-rs-file-category`	`additional.fields`
132	`x-rs-file-language`	`additional.fields`
133	`x-rs-file-size`	`principal.process.size`
134	`x-rs-file-md5`	`principal.process.file.md5`
135	`x-rs-file-sha256`	`principal.process.file.sha256`
136	`x-error`	`additional.fields`
137	`x-c-local-time`	`additional.fields`
138	`x-policy-action`	`security_result.action` `action_details`
139	`x-policy-name`	`additional.fields`
140	`x-policy-src-ip`	`security_result.detection_fields`
141	`x-policy-dst-ip`	`security_result.detection_fields`
142	`x-policy-dst-host`	`security_result.detection_fields`
143	`x-policy-dst-host-source`	`security_result.detection_fields`
144	`x-policy-justification-type`	`security_result.detection_fields`
145	`x-policy-justification-reason`	`security_result.detection_fields`
146	`x-sc-notification-name`	`security_result.detection_fields`
147	`sr-bytes`	`additional.fields`
148	`rs-bytes`	`additional.fields`
149	`x-action`	`additional.fields`
150	`x-action-reason`	`additional.fields`
151	`x-c-authn-user`	`additional.fields`
152	`x-c-authn-source`	`additional.fields`
153	`x-c-authn-surrogate`	`additional.fields`
154	`x-c-authn-surrogate-status`	`additional.fields`
155	`x-c-authz-groups`	`additional.fields`
156	`x-c-authz-ou`	`additional.fields`
157	`x-cs-xau`	`additional.fields`
158	`x-cs-connect-xau`	`additional.fields`
159	`x-c-user-confidence-index`	`additional.fields`
160	`x-c-hostname`	`additional.fields`
161	`x-c-device-uid`	`principal.asset.asset_id`
162	`x-c-os-family`	`additional.fields`
163	`x-c-os-version`	`principal.platform_version`
164	`x-c-nsclient-version`	`metadata.product_version`
165	`x-c-nsclient-client-profile`	`additional.fields`
166	`x-c-nsclient-steering-profile`	`additional.fields`
167	`x-c-device-classification`	`additional.fields`
168	`x-cs-nsclient-tunnel-type`	`additional.fields`
169	`x-cs-process`	`principal.process.file.full_path`
170	`x-cs-pid`	`principal.process.pid`
171	`x-cs-parent-process`	`principal.process.parent_process.file.full_path`
172	`x-cs-ppid`	`principal.process.parent_process.pid`
173	`x-tp-result`	`additional.fields`
174	`x-tp-engine`	`additional.fields`
175	`x-tp-malware-name`	`additional.fields`
176	`x-tp-severity`	`additional.fields`
177	`x-sr-forward-dest`	`additional.fields`
178	`x-ssl-policy-issuer`	`additional.fields`
179	`x-eip-policy-name`	`additional.fields`
180	`x-eip-policy-footprint`	`additional.fields`
181	`x-policy-categories`	`additional.fields`
182	`x-c-timezone`	`additional.fields`
183	`x-support`	`additional.fields`
184	`x-r-country`	`additional.fields`
185	`x-r-latitude`	`additional.fields`
186	`x-r-longitude`	`additional.fields`
187	`x-r-location`	`additional.fields`
188	`x-r-region`	`additional.fields`
189	`x-r-zipcode`	`additional.fields`
190	`x-c-authz-source`	`additional.fields`
191	`x-cs-app-instance-tags`	`additional.fields`
192	`x-cs-ssl-malformed-ssl`	`additional.fields`
193	`x-cs-access-proxy`	`additional.fields`
194	`x-c-local-timestamp`	`additional.fields`
195	`x-r-cert-start`	`network.tls.server.certificate.not_before`
196	`x-r-cert-end`	`network.tls.server.certificate.not_after`
197	`x-tenant-id`	`additional.fields`

Need more help? Get answers from Community members and Google SecOps professionals.