Collect Netskope web proxy logs

Supported in:

This document explains how to ingest Netskope web proxy logs to Google Security Operations using Google Cloud Storage V2.

Netskope provides a cloud-native secure web gateway that inspects and controls web traffic in real time. Web transaction (WebTx) logs capture detailed records of every HTTP and HTTPS session processed by the Netskope proxy, including user identity, application, URL category, threat and DLP verdicts, and network metadata.

Before you begin

Ensure that you have the following prerequisites:

  • A Google SecOps instance
  • A GCP project with Cloud Storage API enabled
  • Permissions to create and manage GCS buckets
  • Permissions to manage IAM policies on GCS buckets
  • Privileged access to the Netskope tenant with administrator credentials

Option - Netskope Log Streaming to Google Cloud Storage

Use this option if you have a Netskope Log Streaming subscription enabled on your tenant. Netskope Log Streaming pushes WebTx log files directly to your GCS bucket as compressed .gzip files at a fixed interval of 240 seconds.

Create Google Cloud Storage bucket

  1. Go to the Google Cloud Console.
  2. Select your project or create a new one.
  3. In the navigation menu, go to Cloud Storage > Buckets.
  4. Click Create bucket.
  5. Provide the following configuration details:

    Setting Value
    Name your bucket Enter a globally unique name (for example, netskope-webtx-logs)
    Location type Choose based on your needs (Region, Dual-region, Multi-region)
    Location Select the location closest to your organization (for example, us-central1)
    Storage class Standard (recommended for frequently accessed logs)
    Access control Uniform (recommended)
    Protection tools Optional: Enable object versioning or retention policy
  6. Click Create.

Create a GCP service account

Netskope Log Streaming requires a GCP service account with write permissions to your GCS bucket. The private key from this service account is used by Netskope to authenticate when pushing log files.

  1. In the GCP Console, go to IAM & Admin > Service Accounts.
  2. Click Create Service Account.
  3. Provide the following configuration details:
    • Service account name: Enter netskope-log-streaming
    • Service account description: Enter Service account for Netskope Log Streaming to push WebTx logs to GCS
  4. Click Create and Continue.
  5. In the Grant this service account access to project section:
    1. Click Select a role.
    2. Search for and select Storage Object Creator.
  6. Click Continue.
  7. Click Done.

Generate JSON key

  1. In IAM & Admin > Service Accounts, click the service account netskope-log-streaming.
  2. Select the Keys tab.
  3. Click Add Key > Create new key.
  4. Select JSON as the key type.
  5. Click Create.
  6. A JSON key file downloads automatically. Save this file securely.
  7. Open the JSON key file in a text editor and locate the private_key field. You will need this value in the next section.

Grant write permissions on GCS bucket

  1. Go to Cloud Storage > Buckets.
  2. Click your bucket name (for example, netskope-webtx-logs).
  3. Go to the Permissions tab.
  4. Click Grant access.
  5. Provide the following configuration details:
    • Add principals: Enter the service account email (for example, netskope-log-streaming@YOUR_PROJECT_ID.iam.gserviceaccount.com)
    • Assign roles: Select Storage Object Creator
  6. Click Save.

Create log stream

  1. Sign in to the Netskope tenant with administrator credentials.
  2. Go to Settings > Tools > Log Streaming.
  3. Click Create Stream.
  4. In the Name field, enter a human-readable name for the stream (for example, Chronicle WebTx GCS).
  5. Select GCP Cloud Storage as the destination type.
  6. Provide the following configuration details:

    • Bucket: Enter the name of the GCS bucket (for example, netskope-webtx-logs).

    • Path (optional): Enter a folder path within the bucket where logs will be stored (for example, netskope/webtx/{%Y}).

    • Private Key: Enter the private_key value from the JSON key file generated in the previous section. Enter the key in PEM format with line break (\n) symbols:

      -----BEGIN PRIVATE KEY-----\nprivate_key_content\n-----END PRIVATE KEY-----\n
      
  7. Review the Delivery Options: Push frequency is an ongoing 240 seconds.

  8. Click Save (or Create) to activate the stream.

Configure a feed in Google SecOps to ingest Netskope WebTx logs from GCS

Retrieve the Google SecOps service account

Google SecOps uses a unique service account to read data from your GCS bucket. You must grant this service account access to your bucket.

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. Click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, Netskope WebTx Logs).
  5. Select Google Cloud Storage V2 as the Source type.
  6. Select Netskope web proxy as the Log type.
  7. Click Get Service Account. A unique service account email will be displayed, for example:

    chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com
    
  8. Copy this email address for use in the next step.

  9. Click Next.

  10. Specify values for the following input parameters:

    • Storage bucket URL: Enter the GCS bucket URI with the prefix path:

      gs://netskope-webtx-logs/netskope/webtx/
      
      • Replace:
        • netskope-webtx-logs: Your GCS bucket name.
        • netskope/webtx/: The path prefix configured in Netskope Log Streaming (leave empty for root).
    • Source deletion option: Select the deletion option according to your preference:

      • Never: Never deletes any files after transfers (recommended for testing).
      • Delete transferred files: Deletes files after successful transfer.
      • Delete transferred files and empty directories: Deletes files and empty directories after successful transfer.

    • Maximum File Age: Include files modified in the last number of days (default is 180 days)

    • Asset namespace: The asset namespace

    • Ingestion labels: The label to be applied to the events from this feed

  11. Click Next.

  12. Review your new feed configuration in the Finalize screen, and then click Submit.

Grant IAM permissions to the Google SecOps service account

The Google SecOps service account needs Storage Object Viewer role on your GCS bucket.

  1. Go to Cloud Storage > Buckets.
  2. Click your bucket name (for example, netskope-webtx-logs).
  3. Go to the Permissions tab.
  4. Click Grant access.
  5. Provide the following configuration details:
    • Add principals: Paste the Google SecOps service account email (for example, chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com)
    • Assign roles: Select Storage Object Viewer
  6. Click Save.

Option - Cloud Exchange Log Shipper to Google Cloud Storage

Use this option if you have the Netskope Cloud Exchange platform deployed with the Log Shipper module configured. The Log Shipper pulls WebTx logs from your Netskope tenant and pushes them as compressed .gzip files to a GCS bucket, which Google SecOps then reads through a Google Cloud Storage V2 feed.

Before you begin (Cloud Exchange)

Ensure that you have the following additional prerequisites for this option:

Configure the GCS destination plugin

  1. In Cloud Exchange, go to Settings > Plugin Store.
  2. Search for and select the Google Cloud SCC (Google GCS) plugin box.
  3. Click Configure New Plugin (or add a new plugin configuration).
  4. Provide the following configuration details:
    • Configuration Name: Enter a descriptive name (for example, GCS WebTx Destination).
    • Mapping: Select a mapping file. For WebTx logs that are pushed as original .gzip files, no mapping transformation is applied.
    • Bucket: Enter the name of the GCS bucket (for example, netskope-webtx-logs).
    • Path (optional): Enter a folder path (for example, netskope/webtx/).
    • Private Key: Enter the private_key value from the JSON key file of the service account.
  5. Click Save.
  6. The new plugin configuration will appear on the Log Shipper > Plugins page.

Configure a business rule (optional)

By default, the All business rule filters all alerts and events. If you want to filter WebTx logs specifically, create a new business rule:

  1. In Log Shipper, go to Business Rules.
  2. Click Create New Rule.
  3. Enter a Rule Name (for example, WebTx Only).
  4. Configure the desired filter(s) to include only WebTx data.
  5. Click Save.

Configure Log Delivery

  1. In Log Shipper, go to Log Delivery.
  2. Click Add Log Delivery Configuration.
  3. Provide the following configuration details:
    • Source Configuration: Select the Netskope CLS source plugin (for example, WebTxCLS or Netskope CLS).
    • Destination Configuration: Select the GCS destination plugin you configured (for example, GCS WebTx Destination).
    • Business Rule: Select a business rule (for example, All or WebTx Only).
  4. Click Save.

  5. To get additional historical data, click the Pull Historical Data icon from the Log Delivery actions.

  6. Select a Historical From and To date range and click Pull.

Configure a feed in Google SecOps to ingest Netskope WebTx logs from GCS

Follow the same steps as in the Netskope Log Streaming option to create a Google SecOps feed and grant IAM permissions:

  1. Retrieve the Google SecOps service account — create a feed with Google Cloud Storage V2 as the source type and Netskope web proxy as the log type.
  2. Grant IAM permissions to the Google SecOps service account — grant the Storage Object Viewer role (or Storage Object Admin if using a deletion option) on the GCS bucket to the Google SecOps service account.

Verify log delivery

To verify that WebTx logs are being delivered to the GCS bucket:

  1. In Cloud Exchange, go to Log Shipper > Log Delivery.
  2. Check the Total Logs/WebTx Sent to External Receiver and Total WebTx Sent to Storage Bucket columns to confirm that data is being pushed to the destination.
  3. In the GCS bucket, confirm that .gzip files are being written by the Log Shipper.

Configure Log Shipper Global Settings (optional)

Only Admins can change Log Shipper Global Settings. Go to Settings > Log Shipper. There are two tabs: General and Mappings.

On the General tab, you can configure the retry strategy for log delivery:

  • Default (3 Retries): In the event of a failed log delivery, Log Shipper will initiate 3 attempts to push the logs to the destination. If all 3 retry attempts fail, the corresponding batch of logs will be discarded.
  • Retry till Successful Delivery: Unlimited retries till successful delivery of logs.

You can also enable UTF-8 encoding for Alerts, Events, and WebTx to ensure seamless handling of UTF-8 encoded data. By default, this feature is disabled.

UDM mapping table

Transaction events

Column number Log field UDM mapping
1 bytes additional.fields
2 c-ip principal.ip
principal.asset.ip
3 cs-bytes network.sent_bytes
4 cs-content-type additional.fields
5 cs-dns target.hostname
target.asset.hostname
6 cs-host target.hostname
target.asset.hostname (if cs-dns is empty)
7 cs-method network.http.method
8 cs-referer network.http.referral_url
9 cs-uri additional.fields
10 cs-uri-port additional.fields
target.port (if x-cs-dst-port is empty)
11 cs-uri-query additional.fields
12 cs-uri-scheme network.application_protocol
13 cs-user-agent network.http.user_agent
14 cs-username principal.user.email_addresses (when it is a valid email)
principal.user.userid (when not a valid email)
15 date metadata.event_timestamp
16 rs-status additional.fields
17 s-ip target.ip
target.asset.ip
18 sc-bytes network.received_bytes
19 sc-content-type additional.fields
20 sc-status network.http.response_code
21 time metadata.event_timestamp
22 time-taken network.session_duration
23 x-c-browser principal.browser.browser_type
24 x-c-browser-version principal.browser.browser_version
25 x-c-country principal.location.country_or_region
26 x-c-device additional.fields
27 x-c-latitude principal.location.region_coordinates.latitude
28 x-c-local-time security_result.detection_fields
29 x-c-location principal.location.city
30 x-c-longitude principal.location.region_coordinates.longitude
31 x-c-os principal.platform
32 x-c-region principal.location.state
33 x-c-zipcode additional.fields
34 x-category additional.fields
35 x-category-id additional.fields
36 x-client-ssl-err additional.fields
37 x-cs-access-method additional.fields
38 x-cs-app principal.application
39 x-cs-app-activity additional.fields
40 x-cs-app-category additional.fields
41 x-cs-app-cci additional.fields
42 x-cs-app-ccl additional.fields
43 x-cs-app-from-user principal.user.email_address (when it is a valid email)
principal.user.userid (when not a valid email)
44 x-cs-app-instance-id principal.resource.product_object_id
45 x-cs-app-instance-name principal.resource.name
46 x-cs-app-instance-tag additional.fields
47 x-cs-app-object-id additional.fields
48 x-cs-app-object-name additional.fields
49 x-cs-app-object-type additional.fields
50 x-cs-app-suite additional.fields
51 x-cs-app-tags additional.fields
52 x-cs-app-to-user additional.fields
53 x-cs-connect-host additional.fields
54 x-cs-connect-port additional.fields
55 x-cs-connect-user-agent network.http.user_agent
network.http.parsed_user_agent
56 x-cs-domain-fronted-sni additional.fields
57 x-cs-dst-ip target.ip
58 x-cs-dst-port target.port
59 x-cs-http-version network.application_protocol_version
60 x-cs-ip-connect-xff principal.ip
principal.asset.ip
61 x-cs-ip-xff principal.ip
principal.asset.ip
62 x-cs-page-id additional.fields
63 x-cs-session-id network.session_id
64 x-cs-site additional.fields
65 x-cs-sni network.tls.client.server_name
66 x-cs-src-ip principal.ip
principal.asset.ip
67 x-cs-src-ip-egress principal.ip
principal.asset.ip
68 x-cs-src-port principal.port
69 x-cs-ssl-cipher network.tls.cipher
70 x-cs-ssl-engine-action additional.fields
71 x-cs-ssl-engine-action-reason additional.fields
72 x-cs-ssl-fronting-error security_result.detection_fields
73 x-cs-ssl-handshake-error security_result.detection_fields
74 x-cs-ssl-ja3 network.tls.client.ja3
75 x-cs-ssl-version network.tls.version
76 x-cs-timestamp metadata.event_timestamp
77 x-cs-traffic-type additional.fields
78 x-cs-tunnel-id additional.fields
79 x-cs-uri-path additional.fields
80 x-cs-url target.url
81 x-cs-userip principal.ip
principal.asset.ip
82 x-error additional.fields
83 x-other-category security_result.category_details
84 x-other-category-id security_result.detection_fields
85 x-policy-action security_result.action
security_result.action_details
86 x-policy-dst-host security_result.detection_fields
87 x-policy-dst-host-source security_result.detection_fields
88 x-policy-dst-ip security_result.detection_fields
89 x-policy-justification-reason additional.fields
90 x-policy-justification-type additional.fields
91 x-policy-name security_result.rule_name
92 x-policy-src-ip security_result.detection_fields
93 x-r-cert-enddate network.tls.server.certificate.not_after
94 x-r-cert-expired additional.fields
95 x-r-cert-incomplete-chain additional.fields
96 x-r-cert-issuer-cn network.tls.server.certificate.issuer
97 x-r-cert-mismatch additional.fields
98 x-r-cert-revocation-check additional.fields
99 x-r-cert-revoked additional.fields
100 x-r-cert-self-signed additional.fields
101 x-r-cert-startdate network.tls.server.certificate.not_before
102 x-r-cert-subject-cn network.tls.server.certificate.subject
103 x-r-cert-untrusted-root additional.fields
104 x-r-cert-valid additional.fields
105 x-request-id additional.fields
106 x-rs-file-category additional.fields
107 x-rs-file-language additional.fields
108 x-rs-file-md5 principal.file.md5
109 x-rs-file-sha256 principal.file.sha256
110 x-rs-file-size principal.file.size
111 x-rs-file-type additional.fields
112 x-s-country target.location.country_or_region
113 x-s-custom-signing-ca-error security_result.detection_fields
114 x-s-dp-name additional.fields
115 x-s-latitude target.location.region_coordinates.latitude
116 x-s-location target.location.city
117 x-s-longitude target.location.region_coordinates.longitude
118 x-s-region target.location.state
119 x-s-zipcode additional.fields
120 x-sc-notification-name additional.fields
121 x-server-ssl-err additional.fields
122 x-sr-dst-ip security_result.detection_fields
123 x-sr-dst-port security_result.detection_fields
124 x-sr-headers-name additional.fields
125 x-sr-headers-value additional.fields
126 x-sr-src-ip intermediary.ip
127 x-sr-src-port intermediary.port
128 x-sr-ssl-cipher security_result.detection_fields
129 x-sr-ssl-client-certificate-error security_result.detection_fields
130 x-sr-ssl-engine-action security_result.detection_fields
131 x-sr-ssl-engine-action-reason security_result.detection_fields
132 x-sr-ssl-handshake-error security_result.detection_fields
133 x-sr-ssl-ja3s network.tls.server.ja3s
134 x-sr-ssl-malformed-ssl security_result.detection_fields
135 x-sr-ssl-version security_result.detection_fields
136 x-ssl-bypass security_result.detection_fields
137 x-ssl-bypass-reason security_result.summary
138 x-ssl-policy-action security_result.detection_fields
139 x-ssl-policy-categories security_result.category_details
140 x-ssl-policy-dst-host security_result.detection_fields
141 x-ssl-policy-dst-host-source security_result.detection_fields
142 x-ssl-policy-dst-ip security_result.detection_fields
143 x-ssl-policy-name security_result.detection_fields
144 x-ssl-policy-src-ip security_result.detection_fields
145 x-transaction-id additional.fields
146 x-type metadata.product_event_type
x_rs_file_size event.idm.read_only_udm.principal.process.file.size Mapped from changelog
x_rs_file_type event.idm.read_only_udm.principal.process.file.mime_type Mapped from changelog
x_r_cert_start event.idm.read_only_udm.network.tls.server.certificate.not_before Mapped from changelog
x_r_cert_end event.idm.read_only_udm.network.tls.server.certificate.not_after Mapped from changelog
x_tenant_id event.idm.read_only_udm.additional Mapped from changelog
x_r_country event.idm.read_only_udm.additional Mapped from changelog
x_r_latitude event.idm.read_only_udm.additional Mapped from changelog
x_r_longitude event.idm.read_only_udm.additional Mapped from changelog
x_r_location event.idm.read_only_udm.additional Mapped from changelog
x_r_region event.idm.read_only_udm.additional Mapped from changelog
x_r_zipcode event.idm.read_only_udm.additional Mapped from changelog
x_c_authz_source event.idm.read_only_udm.additional Mapped from changelog
x_cs_app_instance_tags event.idm.read_only_udm.additional Mapped from changelog
x_cs_ssl_malformed_ssl event.idm.read_only_udm.additional Mapped from changelog
x_cs_access_proxy event.idm.read_only_udm.additional Mapped from changelog
x_c_local_timestamp event.idm.read_only_udm.additional Mapped from changelog
s_ip event.idm.read_only_udm.target.ip Mapped from changelog
file_md5 event.idm.read_only_udm.principal.file.md5 Mapped from changelog
device_sn event.idm.read_only_udm.principal.resource.product_object_id Mapped from changelog
act_user event.idm.read_only_udm.principal.user.email_addresses Mapped from changelog
from_user event.idm.read_only_udm.principal.user.email_addresses Mapped from changelog
userkey event.idm.read_only_udm.principal.user.email_addresses Mapped from changelog
act_user event.idm.read_only_udm.principal.user.userid Mapped from changelog
cs_app event.idm.read_only_udm.principal.application Mapped from changelog
bcc event.idm.read_only_udm.network.email.bcc Mapped from changelog
cc event.idm.read_only_udm.network.email.cc Mapped from changelog
source_ip event.idm.read_only_udm.principal.ip Mapped from changelog
hostname event.idm.read_only_udm.principal.hostname Mapped from changelog
pid event.idm.read_only_udm.principal.process.pid Mapped from changelog
process_path event.idm.read_only_udm.principal.process.file.full_path Mapped from changelog
process_name event.idm.read_only_udm.principal.process.file.names Mapped from changelog
file_path event.idm.read_only_udm.principal.file.full_path Mapped from changelog
src_file_type event.idm.read_only_udm.principal.file.mime_type Mapped from changelog
src_sha256 event.idm.read_only_udm.principal.file.sha256 Mapped from changelog
x_rs_file_sha256 event.idm.read_only_udm.principal.process.file.sha256 Mapped from changelog
destination_file_name event.idm.read_only_udm.target.file.names Mapped from changelog
x_cs_timestamp event.idm.read_only_udm.metadata.event_timestamp Mapped from changelog
dst_location event.idm.read_only_udm.target.location.city Mapped from changelog
assignee event.idm.read_only_udm.target.user.userid Mapped from changelog
connection_id event.idm.read_only_udm.network.session_id Mapped from changelog
network_session_id event.idm.read_only_udm.network.session_id Mapped from changelog
policy event.idm.read_only_udm.security_result.rule_name Mapped from changelog
policy_name event.idm.read_only_udm.security_result.rule_name Mapped from changelog
action_data event.idm.read_only_udm.security_result.action_details Mapped from changelog
column2 event.idm.read_only_udm.additional.fields Mapped from changelog
access_method event.idm.read_only_udm.additional.fields Mapped from changelog
column5 event.idm.read_only_udm.additional.fields Mapped from changelog
activity event.idm.read_only_udm.additional.fields Mapped from changelog
column6 event.idm.read_only_udm.additional.fields Mapped from changelog
alert event.idm.read_only_udm.additional.fields Mapped from changelog
column7 event.idm.read_only_udm.additional.fields Mapped from changelog
alert_name event.idm.read_only_udm.additional.fields Mapped from changelog
column8 event.idm.read_only_udm.additional.fields Mapped from changelog
alert_type event.idm.read_only_udm.additional.fields Mapped from changelog
column10 event.idm.read_only_udm.additional.fields Mapped from changelog
app-gdpr-level event.idm.read_only_udm.additional.fields Mapped from changelog
column11 event.idm.read_only_udm.additional.fields Mapped from changelog
app_session_id event.idm.read_only_udm.additional.fields Mapped from changelog
column12 event.idm.read_only_udm.additional.fields Mapped from changelog
appact event.idm.read_only_udm.additional.fields Mapped from changelog
column14 event.idm.read_only_udm.additional.fields Mapped from changelog
appsuite event.idm.read_only_udm.additional.fields Mapped from changelog
column15 event.idm.read_only_udm.additional.fields Mapped from changelog
audit_type event.idm.read_only_udm.additional.fields Mapped from changelog
column18 event.idm.read_only_udm.additional.fields Mapped from changelog
browser_session_id event.idm.read_only_udm.additional.fields Mapped from changelog
column24 event.idm.read_only_udm.additional.fields Mapped from changelog
cloud_provider event.idm.read_only_udm.additional.fields Mapped from changelog
column26 event.idm.read_only_udm.additional.fields Mapped from changelog
conn_duration event.idm.read_only_udm.additional.fields Mapped from changelog
column27 event.idm.read_only_udm.additional.fields Mapped from changelog
conn_endtime event.idm.read_only_udm.additional.fields Mapped from changelog
column28 event.idm.read_only_udm.additional.fields Mapped from changelog
conn_starttime event.idm.read_only_udm.additional.fields Mapped from changelog
column30 event.idm.read_only_udm.additional.fields Mapped from changelog
connection_type event.idm.read_only_udm.additional.fields Mapped from changelog
column32 event.idm.read_only_udm.additional.fields Mapped from changelog
destination_file_directory event.idm.read_only_udm.additional.fields Mapped from changelog
column35 event.idm.read_only_udm.additional.fields Mapped from changelog
device event.idm.read_only_udm.additional.fields Mapped from changelog
column36 event.idm.read_only_udm.additional.fields Mapped from changelog
device_classification event.idm.read_only_udm.additional.fields Mapped from changelog
column37 event.idm.read_only_udm.additional.fields Mapped from changelog
dinsid event.idm.read_only_udm.additional.fields Mapped from changelog
column76 event.idm.read_only_udm.additional.fields Mapped from changelog
filepath event.idm.read_only_udm.additional.fields Mapped from changelog
column82 event.idm.read_only_udm.additional.fields Mapped from changelog
instance event.idm.read_only_udm.additional.fields Mapped from changelog
column83 event.idm.read_only_udm.additional.fields Mapped from changelog
instance_id event.idm.read_only_udm.additional.fields Mapped from changelog
column137 event.idm.read_only_udm.additional.fields Mapped from changelog
shared_with event.idm.read_only_udm.additional.fields Mapped from changelog
column138 event.idm.read_only_udm.additional.fields Mapped from changelog
site event.idm.read_only_udm.additional.fields Mapped from changelog
column139 event.idm.read_only_udm.additional.fields Mapped from changelog
smtp_to event.idm.read_only_udm.additional.fields Mapped from changelog
column140 event.idm.read_only_udm.additional.fields Mapped from changelog
spet event.idm.read_only_udm.additional.fields Mapped from changelog
column141 event.idm.read_only_udm.additional.fields Mapped from changelog
spst event.idm.read_only_udm.additional.fields Mapped from changelog
column109 event.idm.read_only_udm.additional.fields Mapped from changelog
page event.idm.read_only_udm.additional.fields Mapped from changelog
column196 event.idm.read_only_udm.additional.fields Mapped from changelog
violation event.idm.read_only_udm.additional.fields Mapped from changelog
column197 event.idm.read_only_udm.additional.fields Mapped from changelog
account_id event.idm.read_only_udm.additional.fields Mapped from changelog
column198 event.idm.read_only_udm.additional.fields Mapped from changelog
account_name event.idm.read_only_udm.additional.fields Mapped from changelog
column199 event.idm.read_only_udm.additional.fields Mapped from changelog
acked event.idm.read_only_udm.additional.fields Mapped from changelog
column200 event.idm.read_only_udm.additional.fields Mapped from changelog
alert_id event.idm.read_only_udm.additional.fields Mapped from changelog
column201 event.idm.read_only_udm.additional.fields Mapped from changelog
alert_source event.idm.read_only_udm.additional.fields Mapped from changelog
column202 event.idm.read_only_udm.additional.fields Mapped from changelog
breach_date event.idm.read_only_udm.additional.fields Mapped from changelog
column203 event.idm.read_only_udm.additional.fields Mapped from changelog
breach_id event.idm.read_only_udm.additional.fields Mapped from changelog
column204 event.idm.read_only_udm.additional.fields Mapped from changelog
breach_score event.idm.read_only_udm.additional.fields Mapped from changelog
column205 event.idm.read_only_udm.additional.fields Mapped from changelog
detection_engine event.idm.read_only_udm.additional.fields Mapped from changelog
column206 event.idm.read_only_udm.additional.fields Mapped from changelog
dlp_fingerprint_match event.idm.read_only_udm.additional.fields Mapped from changelog
column207 event.idm.read_only_udm.additional.fields Mapped from changelog
dlp_rule_score event.idm.read_only_udm.additional.fields Mapped from changelog
column208 event.idm.read_only_udm.additional.fields Mapped from changelog
email_title event.idm.read_only_udm.additional.fields Mapped from changelog
column209 event.idm.read_only_udm.additional.fields Mapped from changelog
event_uuid event.idm.read_only_udm.additional.fields Mapped from changelog
column210 event.idm.read_only_udm.additional.fields Mapped from changelog
file_category event.idm.read_only_udm.additional.fields Mapped from changelog
column211 event.idm.read_only_udm.additional.fields Mapped from changelog
file_cls_encrypted event.idm.read_only_udm.additional.fields Mapped from changelog
column212 event.idm.read_only_udm.additional.fields Mapped from changelog
file_exposure event.idm.read_only_udm.additional.fields Mapped from changelog
column213 event.idm.read_only_udm.additional.fields Mapped from changelog
file_id event.idm.read_only_udm.additional.fields Mapped from changelog
column214 event.idm.read_only_udm.additional.fields Mapped from changelog
filename event.idm.read_only_udm.additional.fields Mapped from changelog
column215 event.idm.read_only_udm.additional.fields Mapped from changelog
iaas_remediated event.idm.read_only_udm.additional.fields Mapped from changelog
column216 event.idm.read_only_udm.additional.fields Mapped from changelog
iaas_remediated_by event.idm.read_only_udm.additional.fields Mapped from changelog
column217 event.idm.read_only_udm.additional.fields Mapped from changelog
iaas_remediated_on event.idm.read_only_udm.additional.fields Mapped from changelog
column218 event.idm.read_only_udm.additional.fields Mapped from changelog
iaas_remediation_action event.idm.read_only_udm.additional.fields Mapped from changelog
column219 event.idm.read_only_udm.additional.fields Mapped from changelog
instance_name event.idm.read_only_udm.additional.fields Mapped from changelog
column220 event.idm.read_only_udm.additional.fields Mapped from changelog
loc event.idm.read_only_udm.additional.fields Mapped from changelog
column221 event.idm.read_only_udm.additional.fields Mapped from changelog
local_md5 event.idm.read_only_udm.additional.fields Mapped from changelog
column222 event.idm.read_only_udm.additional.fields Mapped from changelog
local_sha1 event.idm.read_only_udm.additional.fields Mapped from changelog
column223 event.idm.read_only_udm.additional.fields Mapped from changelog
local_sha256 event.idm.read_only_udm.additional.fields Mapped from changelog
column224 event.idm.read_only_udm.additional.fields Mapped from changelog
mal_id event.idm.read_only_udm.additional.fields Mapped from changelog
column225 event.idm.read_only_udm.additional.fields Mapped from changelog
mal_type event.idm.read_only_udm.additional.fields Mapped from changelog
column226 event.idm.read_only_udm.additional.fields Mapped from changelog
malware_id event.idm.read_only_udm.additional.fields Mapped from changelog
column227 event.idm.read_only_udm.additional.fields Mapped from changelog
malware_severity event.idm.read_only_udm.additional.fields Mapped from changelog
column228 event.idm.read_only_udm.additional.fields Mapped from changelog
malware_type event.idm.read_only_udm.additional.fields Mapped from changelog
column229 event.idm.read_only_udm.additional.fields Mapped from changelog
message_id event.idm.read_only_udm.additional.fields Mapped from changelog
column230 event.idm.read_only_udm.additional.fields Mapped from changelog
modified_date event.idm.read_only_udm.additional.fields Mapped from changelog
column231 event.idm.read_only_udm.additional.fields Mapped from changelog
pop_id event.idm.read_only_udm.additional.fields Mapped from changelog
column232 event.idm.read_only_udm.additional.fields Mapped from changelog
redirect_url event.idm.read_only_udm.additional.fields Mapped from changelog
column233 event.idm.read_only_udm.additional.fields Mapped from changelog
region_id event.idm.read_only_udm.additional.fields Mapped from changelog
column234 event.idm.read_only_udm.additional.fields Mapped from changelog
region_name event.idm.read_only_udm.additional.fields Mapped from changelog
column235 event.idm.read_only_udm.additional.fields Mapped from changelog
resource_category event.idm.read_only_udm.additional.fields Mapped from changelog
column236 event.idm.read_only_udm.additional.fields Mapped from changelog
resource_group event.idm.read_only_udm.additional.fields Mapped from changelog
column237 event.idm.read_only_udm.additional.fields Mapped from changelog
risk_level_id event.idm.read_only_udm.additional.fields Mapped from changelog
column238 event.idm.read_only_udm.additional.fields Mapped from changelog
sa_profile_name event.idm.read_only_udm.additional.fields Mapped from changelog
column239 event.idm.read_only_udm.additional.fields Mapped from changelog
sa_rule_name event.idm.read_only_udm.additional.fields Mapped from changelog
column240 event.idm.read_only_udm.additional.fields Mapped from changelog
sa_rule_severity event.idm.read_only_udm.additional.fields Mapped from changelog
column241 event.idm.read_only_udm.additional.fields Mapped from changelog
sender event.idm.read_only_udm.additional.fields Mapped from changelog
column242 event.idm.read_only_udm.additional.fields Mapped from changelog
severity_id event.idm.read_only_udm.additional.fields Mapped from changelog
column243 event.idm.read_only_udm.additional.fields Mapped from changelog
severity_level event.idm.read_only_udm.additional.fields Mapped from changelog
column244 event.idm.read_only_udm.additional.fields Mapped from changelog
shared_credential_user event.idm.read_only_udm.additional.fields Mapped from changelog
column245 event.idm.read_only_udm.additional.fields Mapped from changelog
shared_domains event.idm.read_only_udm.additional.fields Mapped from changelog
column246 event.idm.read_only_udm.additional.fields Mapped from changelog
sharedType event.idm.read_only_udm.additional.fields Mapped from changelog
column247 event.idm.read_only_udm.additional.fields Mapped from changelog
smtp_status event.idm.read_only_udm.additional.fields Mapped from changelog
column248 event.idm.read_only_udm.additional.fields Mapped from changelog
subject event.idm.read_only_udm.additional.fields Mapped from changelog
column249 event.idm.read_only_udm.additional.fields Mapped from changelog
suppression_count event.idm.read_only_udm.additional.fields Mapped from changelog
column250 event.idm.read_only_udm.additional.fields Mapped from changelog
tss_license event.idm.read_only_udm.additional.fields Mapped from changelog
column251 event.idm.read_only_udm.additional.fields Mapped from changelog
two_factor_auth event.idm.read_only_udm.additional.fields Mapped from changelog
column252 event.idm.read_only_udm.additional.fields Mapped from changelog
usergroup event.idm.read_only_udm.additional.fields Mapped from changelog
column253 event.idm.read_only_udm.additional.fields Mapped from changelog
watchlist_name event.idm.read_only_udm.additional.fields Mapped from changelog
column254 event.idm.read_only_udm.additional.fields Mapped from changelog
web_url event.idm.read_only_udm.additional.fields Mapped from changelog
column13 event.idm.read_only_udm.additional.fields Mapped from changelog
appcategory event.idm.read_only_udm.additional.fields Mapped from changelog
column31 event.idm.read_only_udm.additional.fields Mapped from changelog
custom_attr event.idm.read_only_udm.additional.fields Mapped from changelog
column86 event.idm.read_only_udm.additional.fields Mapped from changelog
location event.idm.read_only_udm.additional.fields Mapped from changelog
column90 event.idm.read_only_udm.additional.fields Mapped from changelog
md5 event.idm.read_only_udm.additional.fields Mapped from changelog
column91 event.idm.read_only_udm.additional.fields Mapped from changelog
mime_type event.idm.read_only_udm.additional.fields Mapped from changelog
column113 event.idm.read_only_udm.additional.fields Mapped from changelog
policy_action event.idm.read_only_udm.additional.fields Mapped from changelog
column57 (x-cs-dst-ip) event.idm.read_only_udm.target.ip and event.idm.read_only_udm.target.asset.ip Mapped from changelog
column58 (x-cs-dst-port) event.idm.read_only_udm.target.port Mapped from changelog
column66 (x-cs-src-ip) event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip Mapped from changelog
column68 (x-cs-src-port) event.idm.read_only_udm.principal.port Mapped from changelog
column108 (x-rs-file-md5) event.idm.read_only_udm.principal.file.md5 Mapped from changelog
column6 (cs-host) event.idm.read_only_udm.target.hostname and event.idm.read_only_udm.target.asset.hostname Mapped from changelog
column11 (cs-uri-query) event.idm.read_only_udm.additional.fields Mapped from changelog
column34 (x-category) event.idm.read_only_udm.additional.fields Mapped from changelog
column35 (x-category-id) event.idm.read_only_udm.additional.fields Mapped from changelog
column36 (x-client-ssl-err) event.idm.read_only_udm.additional.fields Mapped from changelog
column37 (x-cs-access-method) event.idm.read_only_udm.additional.fields Mapped from changelog
column40 (x-cs-app-category) event.idm.read_only_udm.additional.fields Mapped from changelog
column46 (x-cs-app-instance-tag) event.idm.read_only_udm.additional.fields Mapped from changelog
column47 (x-cs-app-object-id) event.idm.read_only_udm.additional.fields Mapped from changelog
column50 (x-cs-app-suite) event.idm.read_only_udm.additional.fields Mapped from changelog
column52 (x-cs-app-to-user) event.idm.read_only_udm.additional.fields Mapped from changelog
column53 (x-cs-connect-host) event.idm.read_only_udm.additional.fields Mapped from changelog
column54 (x-cs-connect-port) event.idm.read_only_udm.additional.fields Mapped from changelog
column56 (x-cs-domain-fronted-sni) event.idm.read_only_udm.additional.fields Mapped from changelog
column71 (x-cs-ssl-engine-action-reason) event.idm.read_only_udm.additional.fields Mapped from changelog
column78 (x-cs-tunnel-id) event.idm.read_only_udm.additional.fields Mapped from changelog
column79 (x-cs-uri-path) event.idm.read_only_udm.additional.fields Mapped from changelog
column89 (x-policy-justification-reason) event.idm.read_only_udm.additional.fields Mapped from changelog
column90 (x-policy-justification-type) event.idm.read_only_udm.additional.fields Mapped from changelog
column107 (x-rs-file-language) event.idm.read_only_udm.additional.fields Mapped from changelog
column119 (x-s-zipcode) event.idm.read_only_udm.additional.fields Mapped from changelog
column120 (x-sc-notification-name) event.idm.read_only_udm.additional.fields Mapped from changelog
column121 (x-server-ssl-err) event.idm.read_only_udm.additional.fields Mapped from changelog
column124 (x-sr-headers-name) event.idm.read_only_udm.additional.fields Mapped from changelog
column125 (x-sr-headers-value) event.idm.read_only_udm.additional.fields Mapped from changelog
column14 (cs-username) event.idm.read_only_udm.principal.user.userid Mapped from changelog
column23 (x-c-browser) event.idm.read_only_udm.principal.browser.browser_type Mapped from changelog
column24 (x-c-browser-version) event.idm.read_only_udm.principal.browser.browser_version Mapped from changelog
column28 (x-c-local-time) event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
column84 (x-other-category-id) event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
column88 (x-policy-dst-ip) event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
column92 (x-policy-src-ip) event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
column123 (x-sr-dst-port) event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
column144 (x-ssl-policy-src-ip) event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
column31 (x-c-os) event.idm.read_only_udm.principal.platform Mapped from changelog
column38 (x-cs-app) event.idm.read_only_udm.principal.application Mapped from changelog
column43 (x-cs-app-from-user) event.idm.read_only_udm.principal.user.email_address Mapped from changelog
column43 (x-cs-app-from-user) event.idm.read_only_udm.principal.user.userid Mapped from changelog
column44 (x-cs-app-instance-id) event.idm.read_only_udm.principal.resource.product_object_id Mapped from changelog
column45 (x-cs-app-instance-name) event.idm.read_only_udm.principal.resource.name Mapped from changelog
column55 (x-cs-connect-user-agent) event.idm.read_only_udm.network.http.user_agent and event.idm.read_only_udm.network.http.parsed_user_agent Mapped from changelog
column60 (x-cs-ip-connect-xff) event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip Mapped from changelog
column61 (x-cs-ip-xff) event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip Mapped from changelog
column81 (x-cs-userip) event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip Mapped from changelog
column63 (x-cs-session-id) event.idm.read_only_udm.network.session_id Mapped from changelog
column69 (x-cs-ssl-cipher) event.idm.read_only_udm.network.tls.cipher Mapped from changelog
column75 (x-cs-ssl-version) event.idm.read_only_udm.network.tls.version Mapped from changelog
column109 (x-rs-file-sha256) event.idm.read_only_udm.principal.file.sha256 Mapped from changelog
column126 (x-sr-src-ip) event.idm.read_only_udm.intermediary.ip Mapped from changelog
column127 (x-sr-src-port) event.idm.read_only_udm.intermediary.port Mapped from changelog
column70 (x-cs-ssl-engine-action) event.idm.read_only_udm.additional.fields Mapped from changelog
column19 (sc-content-type) event.idm.read_only_udm.additional.fields Mapped from changelog
column26 (x-c-device) event.idm.read_only_udm.additional.fields Mapped from changelog
column39 (x-cs-app-activity) event.idm.read_only_udm.additional.fields Mapped from changelog
column41 (x-cs-app-cci) event.idm.read_only_udm.additional.fields Mapped from changelog
column42 (x-cs-app-ccl) event.idm.read_only_udm.additional.fields Mapped from changelog
column51 (x-cs-app-tags) event.idm.read_only_udm.additional.fields Mapped from changelog
column64 (x-cs-site) event.idm.read_only_udm.additional.fields Mapped from changelog
column48 (x-cs-app-object-name) event.idm.read_only_udm.additional.fields Mapped from changelog
column49 (x-cs-app-object-type) event.idm.read_only_udm.additional.fields Mapped from changelog
column106 (x-rs-file-category) event.idm.read_only_udm.additional.fields Mapped from changelog
column111 (x-rs-file-type) event.idm.read_only_udm.additional.fields Mapped from changelog
column9 (cs-uri) event.idm.read_only_udm.additional.fields Mapped from changelog
column4 (cs-content-type) event.idm.read_only_udm.additional.fields Mapped from changelog
column108 (x-rs-file-md5) event.idm.read_only_udm.principal.process.file.md5 Mapped from changelog
column110 (x-rs-file-size) event.idm.read_only_udm.principal.file.size Mapped from changelog
column85 (x-policy-action) event.idm.read_only_udm.security_result.action_details Mapped from changelog
column20 (http_response_code) event.idm.read_only_udm.network.http.response_code Mapped from changelog
column1 (bytes) event.idm.read_only_udm.additional.fields Mapped from changelog
column3 (cs-bytes) event.idm.read_only_udm.network.sent_bytes Mapped from changelog
column18 (sc-bytes) event.idm.read_only_udm.network.received_bytes Mapped from changelog
column22 (time-taken) event.idm.read_only_udm.network.session_duration Mapped from changelog
column27 (x-c-latitude) event.idm.read_only_udm.principal.location.region_coordinates.latitude Mapped from changelog
column30 (x-c-longitude) event.idm.read_only_udm.principal.location.region_coordinates.longitude Mapped from changelog
column32 (x-c-region) event.idm.read_only_udm.principal.location.state Mapped from changelog
column57 (x-cs-dst-ip) event.idm.read_only_udm.intermediary.ip and event.idm.read_only_udm.intermediary.asset.ip Mapped from changelog
column74 (x-cs-ssl-ja3) event.idm.read_only_udm.network.tls.client.ja3 Mapped from changelog
column115 (x-s-latitude) event.idm.read_only_udm.target.location.region_coordinates.latitude Mapped from changelog
column117 (x-s-longitude) event.idm.read_only_udm.target.location.region_coordinates.longitude Mapped from changelog
column118 (x-s-region) event.idm.read_only_udm.target.location.state Mapped from changelog
column7 (method) event.idm.read_only_udm.network.http.method Mapped from changelog
column12 (app_protocol) event.idm.read_only_udm.network.application_protocol Mapped from changelog
column13 (network_http_user_agent) event.idm.read_only_udm.network.http.user_agent Mapped from changelog
column17 (server_ip) event.idm.read_only_udm.target.ip and event.idm.read_only_udm.target.asset.ip Mapped from changelog
column58 (intermediary_port) event.idm.read_only_udm.intermediary.port Mapped from changelog
column65 (x-cs-sni) event.idm.read_only_udm.network.tls.client.server_name Mapped from changelog
column70 (engine_action) event.idm.read_only_udm.security_result.action_details Mapped from changelog
column70 (engine_action) event.idm.read_only_udm.security_result.action Mapped from changelog
column76 (generated_timestamp) event.idm.read_only_udm.metadata.event_timestamp Mapped from changelog
column80 (x-cs-url) event.idm.read_only_udm.target.url Mapped from changelog
column83 (other_categories) event.idm.read_only_udm.security_result.category_details Mapped from changelog
column139 (x-ssl-policy-categories) event.idm.read_only_udm.security_result.category_details Mapped from changelog
column85 (x-policy-action) event.idm.read_only_udm.security_result.action Mapped from changelog
column91 (x-policy-name) event.idm.read_only_udm.security_result.rule_name Mapped from changelog
column96 (x-r-cert-issuer-cn) event.idm.read_only_udm.network.tls.server.certificate.issuer Mapped from changelog
column102 (x-r-cert-subject-cn) event.idm.read_only_udm.network.tls.server.certificate.subject Mapped from changelog
column112 (x-s-country) event.idm.read_only_udm.target.location.country_or_region Mapped from changelog
column133 (x-sr-ssl-ja3s) event.idm.read_only_udm.network.tls.server.ja3s Mapped from changelog
column136 (x-ssl-bypass) event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
column143 (x-ssl-policy-name) event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
column137 (x-ssl-bypass-reason) event.idm.read_only_udm.security_result.summary Mapped from changelog
column146 (x-type) event.idm.read_only_udm.metadata.product_event_type Mapped from changelog
column62 (x-cs-page-id) event.idm.read_only_udm.additional.fields Mapped from changelog
column63 (x-cs-session-id) event.idm.read_only_udm.additional.fields Mapped from changelog
column66 (x-cs-src-ip) event.idm.read_only_udm.additional.fields Mapped from changelog
column72 (x-cs-ssl-fronting-error) event.idm.read_only_udm.additional.fields Mapped from changelog
column73 (x-cs-ssl-handshake-error) event.idm.read_only_udm.additional.fields Mapped from changelog
column77 (x-cs-traffic-type) event.idm.read_only_udm.additional.fields Mapped from changelog
column82 (x-error) event.idm.read_only_udm.additional.fields Mapped from changelog
column86 (x-policy-dst-host) event.idm.read_only_udm.additional.fields Mapped from changelog
column87 (x-policy-dst-host-source) event.idm.read_only_udm.additional.fields Mapped from changelog
column94 (x-r-cert-expired) event.idm.read_only_udm.additional.fields Mapped from changelog
column95 (x-r-cert-incomplete-chain) event.idm.read_only_udm.additional.fields Mapped from changelog
column97 (x-r-cert-mismatch) event.idm.read_only_udm.additional.fields Mapped from changelog
column98 (x-r-cert-revocation-check) event.idm.read_only_udm.additional.fields Mapped from changelog
column99 (x-r-cert-revoked) event.idm.read_only_udm.additional.fields Mapped from changelog
column100 (x-r-cert-self-signed) event.idm.read_only_udm.additional.fields Mapped from changelog
column103 (x-r-cert-untrusted-root) event.idm.read_only_udm.additional.fields Mapped from changelog
column104 (x-r-cert-valid) event.idm.read_only_udm.additional.fields Mapped from changelog
column105 (x-request-id) event.idm.read_only_udm.additional.fields Mapped from changelog
column113 (x-s-custom-signing-ca-error) event.idm.read_only_udm.additional.fields Mapped from changelog
column114 (x-s-dp-name) event.idm.read_only_udm.additional.fields Mapped from changelog
column122 (x-sr-dst-ip) event.idm.read_only_udm.additional.fields Mapped from changelog
column128 (x-sr-ssl-cipher) event.idm.read_only_udm.additional.fields Mapped from changelog
column129 (x-sr-ssl-client-certificate-error) event.idm.read_only_udm.additional.fields Mapped from changelog
column130 (x-sr-ssl-engine-action) event.idm.read_only_udm.additional.fields Mapped from changelog
column131 (x-sr-ssl-engine-action-reason) event.idm.read_only_udm.additional.fields Mapped from changelog
column132 (x-sr-ssl-handshake-error) event.idm.read_only_udm.additional.fields Mapped from changelog
column134 (x-sr-ssl-malformed-ssl) event.idm.read_only_udm.additional.fields Mapped from changelog
column135 (x-sr-ssl-version) event.idm.read_only_udm.additional.fields Mapped from changelog
column138 (x-ssl-policy-action) event.idm.read_only_udm.additional.fields Mapped from changelog
column140 (x-ssl-policy-dst-host) event.idm.read_only_udm.additional.fields Mapped from changelog
column141 (x-ssl-policy-dst-host-source) event.idm.read_only_udm.additional.fields Mapped from changelog
column142 (x-ssl-policy-dst-ip) event.idm.read_only_udm.additional.fields Mapped from changelog
column8 (cs-referer) event.idm.read_only_udm.network.http.referral_url Mapped from changelog
column16 (http_response_code) event.idm.read_only_udm.network.http.response_code Mapped from changelog
column101 (x-r-cert-startdate) event.idm.read_only_udm.network.tls.server.certificate.not_before Mapped from changelog
column93 (x-r-cert-enddate) event.idm.read_only_udm.network.tls.server.certificate.not_after Mapped from changelog
column2 event.idm.read_only_udm.network.sent_bytes Mapped from changelog
cs_dns event.idm.read_only_udm.target.hostname and event.idm.read_only_udm.target.asset.hostname Mapped from changelog
cs_host event.idm.read_only_udm.target.hostname and event.idm.read_only_udm.target.asset.hostname Mapped from changelog
cs_method event.idm.read_only_udm.network.http.method Mapped from changelog
cs_referer event.idm.read_only_udm.network.http.referral_url Mapped from changelog
cs_uri_scheme event.idm.read_only_udm.network.application_protocol Mapped from changelog
cs-username event.idm.read_only_udm.principal.user.userid Mapped from changelog
timestamp event.idm.read_only_udm.metadata.event_timestamp Mapped from changelog
sc-status event.idm.read_only_udm.network.http.response_code Mapped from changelog
rs-status event.idm.read_only_udm.network.http.response_code Mapped from changelog
s-ip event.idm.read_only_udm.target.ip and event.idm.read_only_udm.target.asset.ip Mapped from changelog
sc-bytes event.idm.read_only_udm.network.received_bytes Mapped from changelog
x-c-country event.idm.read_only_udm.principal.location.country_or_region Mapped from changelog
x-c-location event.idm.read_only_udm.principal.location.name Mapped from changelog
x-c-region event.idm.read_only_udm.principal.location.state Mapped from changelog
column49 event.idm.read_only_udm.target.ip and event.idm.read_only_udm.target.asset.ip Mapped from changelog
x_cs_dst_port event.idm.read_only_udm.target.port Mapped from changelog
x-cs-session-id event.idm.read_only_udm.network.session_id Mapped from changelog
column56 event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip Mapped from changelog
column57 event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip Mapped from changelog
x-cs-src-port event.idm.read_only_udm.principal.port Mapped from changelog
x-cs-ssl-ja3 event.idm.read_only_udm.network.tls.client.ja3 Mapped from changelog
x-cs-ssl-version event.idm.read_only_udm.network.tls.version Mapped from changelog
column71 event.idm.read_only_udm.security_result.category_details Mapped from changelog
x-policy-action event.idm.read_only_udm.security_result.action_details Mapped from changelog
x-policy-name event.idm.read_only_udm.security_result.rule_name Mapped from changelog
x-ssl-policy-name event.idm.read_only_udm.security_result.rule_name Mapped from changelog
x-r-cert-subject-cn event.idm.read_only_udm.network.tls.server.certificate.subject Mapped from changelog
x-rs-file-sha256 event.idm.read_only_udm.principal.process.file.sha256 Mapped from changelog
x-rs-file-size event.idm.read_only_udm.principal.file.size Mapped from changelog
x-s-country event.idm.read_only_udm.target.location.country_or_region Mapped from changelog
x-s-location event.idm.read_only_udm.target.location.name Mapped from changelog
x-sr-ssl-ja3s event.idm.read_only_udm.network.tls.server.ja3s Mapped from changelog
x_cs_connect_host event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_connect_port event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_connect_user_agent event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_ip_xff event.idm.read_only_udm.additional.fields Mapped from changelog
x-policy-justification-type event.idm.read_only_udm.additional.fields Mapped from changelog
x-sr-src-port event.idm.read_only_udm.additional.fields Mapped from changelog
cs-uri-port event.idm.read_only_udm.additional.fields Mapped from changelog
cs_uri event.idm.read_only_udm.additional.fields Mapped from changelog
cs_uri_query event.idm.read_only_udm.additional.fields Mapped from changelog
time_taken event.idm.read_only_udm.additional.fields Mapped from changelog
x-category event.idm.read_only_udm.additional.fields Mapped from changelog
x-cs-access-method event.idm.read_only_udm.additional.fields Mapped from changelog
x-cs-app event.idm.read_only_udm.additional.fields Mapped from changelog
x-cs-app-activity event.idm.read_only_udm.additional.fields Mapped from changelog
x-cs-app-category event.idm.read_only_udm.additional.fields Mapped from changelog
x-cs-app-cci event.idm.read_only_udm.additional.fields Mapped from changelog
x-cs-app-ccl event.idm.read_only_udm.additional.fields Mapped from changelog
x-cs-page-id event.idm.read_only_udm.additional.fields Mapped from changelog
x-cs-site event.idm.read_only_udm.additional.fields Mapped from changelog
x-cs-traffic-type event.idm.read_only_udm.additional.fields Mapped from changelog
x-cs-uri-path event.idm.read_only_udm.additional.fields Mapped from changelog
x-error event.idm.read_only_udm.additional.fields Mapped from changelog
x-request-id event.idm.read_only_udm.additional.fields Mapped from changelog
x-s-dp-name event.idm.read_only_udm.additional.fields Mapped from changelog
x-sc-notification-name event.idm.read_only_udm.additional.fields Mapped from changelog
x-transaction-id event.idm.read_only_udm.additional.fields Mapped from changelog
x-type event.idm.read_only_udm.additional.fields Mapped from changelog
x-cs-http-version event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
x-cs-ssl-engine-action event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
x-cs-ssl-engine-action-reason event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
x-cs-ssl-fronting-error event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
x-cs-ssl-handshake-error event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
x-cs-userip event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
x-policy-dst-host event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
x-policy-dst-host-source event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
x-policy-dst-ip event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
x-policy-src-ip event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
x-sr-ssl-engine-action event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
x-sr-ssl-engine-action-reason event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
x-ssl-policy-action event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
x-ssl-policy-dst-host event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
x-ssl-policy-dst-host-source event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
x-ssl-policy-dst-ip event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
x-ssl-policy-src-ip event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
x-ssl-bypass-reason event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
SSL BYPASS REASON event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
x_policy_name event.idm.read_only_udm.additional.fields Mapped from changelog
bytes event.idm.read_only_udm.additional.fields Mapped from changelog
x_s_dp_name event.idm.read_only_udm.additional.fields Mapped from changelog
rs_status event.idm.read_only_udm.additional.fields Mapped from changelog
postal_code event.idm.read_only_udm.additional.fields Mapped from changelog
internal_category event.idm.read_only_udm.additional.fields Mapped from changelog
accessMethod event.idm.read_only_udm.additional.fields Mapped from changelog
postal_code_num event.idm.read_only_udm.additional.fields Mapped from changelog
log_id event.idm.read_only_udm.metadata.product_log_id Mapped from changelog
http_version event.idm.read_only_udm.network.application_protocol_version Mapped from changelog
method event.idm.read_only_udm.network.http.method Mapped from changelog
int2 event.idm.read_only_udm.network.received_bytes Mapped from changelog
server_bytes event.idm.read_only_udm.network.received_bytes Mapped from changelog
bytes_received event.idm.read_only_udm.network.received_bytes Mapped from changelog
sent_bytes event.idm.read_only_udm.network.sent_bytes Mapped from changelog
int3 event.idm.read_only_udm.network.sent_bytes Mapped from changelog
cs-bytes event.idm.read_only_udm.network.sent_bytes Mapped from changelog
client_bytes event.idm.read_only_udm.network.sent_bytes Mapped from changelog
int1 event.idm.read_only_udm.network.session_duration.seconds Mapped from changelog
prin_ip event.idm.read_only_udm.principal.asset.ip Mapped from changelog
prin_ip event.idm.read_only_udm.principal.ip Mapped from changelog
city event.idm.read_only_udm.principal.location.city Mapped from changelog
location event.idm.read_only_udm.principal.location.country_or_region Mapped from changelog
src_latitude event.idm.read_only_udm.principal.location.region_coordinates.latitude Mapped from changelog
src_longitude event.idm.read_only_udm.principal.location.region_coordinates.longitude Mapped from changelog
latitude_region event.idm.read_only_udm.principal.location.region_coordinates.latitude Mapped from changelog
longitude_region event.idm.read_only_udm.principal.location.region_coordinates.longitude Mapped from changelog
p_application event.idm.read_only_udm.principal.application Mapped from changelog
state event.idm.read_only_udm.principal.location.state Mapped from changelog
state_location event.idm.read_only_udm.target.location.state Mapped from changelog
t_ip event.idm.read_only_udm.principal.nat_ip Mapped from changelog
p_port event.idm.read_only_udm.principal.nat_port Mapped from changelog
prin_port event.idm.read_only_udm.principal.port Mapped from changelog
target_host event.idm.read_only_udm.target.asset.hostname Mapped from changelog
target_ip event.idm.read_only_udm.target.asset.ip Mapped from changelog
tar_ip event.idm.read_only_udm.target.asset.ip Mapped from changelog
target_ip event.idm.read_only_udm.target.ip Mapped from changelog
tar_ip event.idm.read_only_udm.target.ip Mapped from changelog
target_host event.idm.read_only_udm.target.hostname Mapped from changelog
location_name event.idm.read_only_udm.target.location.city Mapped from changelog
dst_latitude event.idm.read_only_udm.target.location.region_coordinates.latitude Mapped from changelog
dst_longitude event.idm.read_only_udm.target.location.region_coordinates.longitude Mapped from changelog
latitude event.idm.read_only_udm.target.location.region_latitude Mapped from changelog
longitude event.idm.read_only_udm.target.location.region_longitude Mapped from changelog
name event.idm.read_only_udm.security_result.rule_name Mapped from changelog
summary_res event.idm.read_only_udm.security_result.summary Mapped from changelog
target_port event.idm.read_only_udm.target.port Mapped from changelog
dstport event.idm.read_only_udm.target.port Mapped from changelog
_id event.idm.read_only_udm.metadata.product_log_id Mapped from changelog
product_id event.idm.read_only_udm.metadata.product_log_id Mapped from changelog
url event.idm.read_only_udm.target.url Mapped from changelog
referer event.idm.read_only_udm.network.http.referral_url Mapped from changelog
organization_unit event.idm.read_only_udm.principal.administrative_domain Mapped from changelog
user_id event.idm.read_only_udm.principal.user.userid Mapped from changelog
cs_username event.idm.read_only_udm.principal.user.userid Mapped from changelog
useragent event.idm.read_only_udm.network.http.user_agent Mapped from changelog
cs_user_agent event.idm.read_only_udm.network.http.user_agent Mapped from changelog
useragent event.idm.read_only_udm.network.http.parsed_user_agent Mapped from changelog
cs_user_agent event.idm.read_only_udm.network.http.parsed_user_agent Mapped from changelog
session_duration event.idm.read_only_udm.network.session_duration.seconds Mapped from changelog
os_version event.idm.read_only_udm.principal.platform_version Mapped from changelog
os event.idm.read_only_udm.principal.platform Mapped from changelog
x_c_os event.idm.read_only_udm.principal.platform Mapped from changelog
ur_normalized event.idm.read_only_udm.target.user.email_addresses Mapped from changelog
browser_session_id event.idm.read_only_udm.network.session_id Mapped from changelog
x_cs_session_id event.idm.read_only_udm.network.session_id Mapped from changelog
malware_id event.idm.read_only_udm..threat_id Mapped from changelog
src_location event.idm.read_only_udm.principal.resource.attribute.labels Mapped from changelog
src_zipcode event.idm.read_only_udm.principal.resource.attribute.labels Mapped from changelog
src_geoip_src event.idm.read_only_udm.principal.resource.attribute.labels Mapped from changelog
ip_protocol event.idm.read_only_udm.network.ip_protocol Mapped from changelog
file_size event.idm.read_only_udm.principal.file.size Mapped from changelog
x_rs_file_size event.idm.read_only_udm.principal.file.size Mapped from changelog
file_type event.idm.read_only_udm.target.file.mime_type Mapped from changelog
srcip event.idm.read_only_udm.principal.ip Mapped from changelog
s_ip event.idm.read_only_udm.principal.ip Mapped from changelog
c_ip event.idm.read_only_udm.principal.ip Mapped from changelog
x_cs_src_ip event.idm.read_only_udm.principal.ip Mapped from changelog
srcip event.idm.read_only_udm.principal.asset.ip Mapped from changelog
s_ip event.idm.read_only_udm.principal.asset.ip Mapped from changelog
c_ip event.idm.read_only_udm.principal.asset.ip Mapped from changelog
x_cs_src_ip event.idm.read_only_udm.principal.asset.ip Mapped from changelog
srcport event.idm.read_only_udm.principal.port Mapped from changelog
x_cs_src_port event.idm.read_only_udm.principal.port Mapped from changelog
file_md5 event.idm.read_only_udm.principal.process.file.md5 Mapped from changelog
x_rs_file_md5 event.idm.read_only_udm.principal.process.file.md5 Mapped from changelog
computer_name event.idm.read_only_udm.principal.hostname Mapped from changelog
computer_name event.idm.read_only_udm.principal.asset.hostname Mapped from changelog
cs_dns event.idm.read_only_udm.principal.asset.hostname Mapped from changelog
cs_host event.idm.read_only_udm.principal.asset.hostname Mapped from changelog
device event.idm.read_only_udm.principal.resource.type Mapped from changelog
device event.idm.read_only_udm.principal.resource.resource_subtype Mapped from changelog
device_sn event.idm.read_only_udm.principal.resource.id Mapped from changelog
src_region event.idm.read_only_udm.principal.location.name Mapped from changelog
x_c_location event.idm.read_only_udm.principal.location.name Mapped from changelog
src_country event.idm.read_only_udm.principal.location.country_or_region Mapped from changelog
x_c_country event.idm.read_only_udm.principal.location.country_or_region Mapped from changelog
x_c_latitude event.idm.read_only_udm.principal.location.region_coordinates.latitude Mapped from changelog
x_c_longitude event.idm.read_only_udm.principal.location.region_coordinates.longitude Mapped from changelog
x_s_latitude event.idm.read_only_udm.target.location.region_coordinates.latitude Mapped from changelog
x_s_longitude event.idm.read_only_udm.target.location.region_coordinates.longitude Mapped from changelog
destination_file_path event.idm.read_only_udm.target.file.full_path Mapped from changelog
dlp_file event.idm.read_only_udm.target.file.full_path Mapped from changelog
sha256 event.idm.read_only_udm.target.file.sha256 Mapped from changelog
md5 event.idm.read_only_udm.target.file.md5 Mapped from changelog
dst_country event.idm.read_only_udm.target.location.country_or_region Mapped from changelog
x_s_country event.idm.read_only_udm.target.location.country_or_region Mapped from changelog
x_s_region event.idm.read_only_udm.target.location.state Mapped from changelog
dst_region event.idm.read_only_udm.target.location.name Mapped from changelog
x_s_location event.idm.read_only_udm.target.location.name Mapped from changelog
dst_zipcode event.idm.read_only_udm.target.resource.attribute.labels Mapped from changelog
dsthost event.idm.read_only_udm.target.ip Mapped from changelog
dstip event.idm.read_only_udm.target.ip Mapped from changelog
x_cs_dst_ip event.idm.read_only_udm.target.ip Mapped from changelog
dsthost event.idm.read_only_udm.target.asset.ip Mapped from changelog
dstip event.idm.read_only_udm.target.asset.ip Mapped from changelog
x_cs_dst_ip event.idm.read_only_udm.target.asset.ip Mapped from changelog
cci event.idm.read_only_udm..detection_fields Mapped from changelog
alert_type event.idm.read_only_udm..detection_fields Mapped from changelog
x_other_category_id event.idm.read_only_udm..detection_fields Mapped from changelog
x_cs_userip event.idm.read_only_udm..detection_fields Mapped from changelog
x_ssl_bypass event.idm.read_only_udm..detection_fields Mapped from changelog
x_cs_ssl_fronting_error event.idm.read_only_udm..detection_fields Mapped from changelog
x_cs_ssl_handshake_error event.idm.read_only_udm..detection_fields Mapped from changelog
x_sr_ssl_handshake_error event.idm.read_only_udm..detection_fields Mapped from changelog
x_sr_ssl_client_certificate_error event.idm.read_only_udm..detection_fields Mapped from changelog
x_sr_ssl_malformed_ssl event.idm.read_only_udm..detection_fields Mapped from changelog
x_s_custom_signing_ca_error event.idm.read_only_udm..detection_fields Mapped from changelog
x_cs_ssl_engine_action event.idm.read_only_udm..detection_fields Mapped from changelog
x_cs_ssl_engine_action_reason event.idm.read_only_udm..detection_fields Mapped from changelog
x_sr_ssl_engine_action event.idm.read_only_udm..detection_fields Mapped from changelog
x_sr_ssl_engine_action_reason event.idm.read_only_udm..detection_fields Mapped from changelog
x_ssl_policy_src_ip event.idm.read_only_udm..detection_fields Mapped from changelog
x_ssl_policy_dst_ip event.idm.read_only_udm..detection_fields Mapped from changelog
x_ssl_policy_dst_host event.idm.read_only_udm..detection_fields Mapped from changelog
x_ssl_policy_dst_host_source event.idm.read_only_udm..detection_fields Mapped from changelog
x_ssl_policy_action event.idm.read_only_udm..detection_fields Mapped from changelog
x_sr_ssl_version event.idm.read_only_udm..detection_fields Mapped from changelog
x_sr_ssl_cipher event.idm.read_only_udm..detection_fields Mapped from changelog
x_cs_src_ip_egress event.idm.read_only_udm..detection_fields Mapped from changelog
x_policy_src_ip event.idm.read_only_udm..detection_fields Mapped from changelog
x_policy_dst_ip event.idm.read_only_udm..detection_fields Mapped from changelog
x_policy_dst_host event.idm.read_only_udm..detection_fields Mapped from changelog
x_policy_dst_host_source event.idm.read_only_udm..detection_fields Mapped from changelog
x_policy_justification_type event.idm.read_only_udm..detection_fields Mapped from changelog
x_policy_justification_reason event.idm.read_only_udm..detection_fields Mapped from changelog
x_sc_notification_name event.idm.read_only_udm..detection_fields Mapped from changelog
x_cs_http_version event.idm.read_only_udm..detection_fields Mapped from changelog
x_sr_dst_ip event.idm.read_only_udm..detection_fields Mapped from changelog
x_sr_dst_port event.idm.read_only_udm..detection_fields Mapped from changelog
ccl event.idm.read_only_udm..confidence_details Mapped from changelog
ccl event.idm.read_only_udm..confidence Mapped from changelog
dlp_profile_name event.idm.read_only_udm..rule_type Mapped from changelog
policy_name event.idm.read_only_udm.additional.fields Mapped from changelog
dlp_fingerprint_classification event.idm.read_only_udm.additional.fields Mapped from changelog
dlp_fingerprint_score event.idm.read_only_udm.additional.fields Mapped from changelog
dlp_unique_count event.idm.read_only_udm.additional.fields Mapped from changelog
x_type event.idm.read_only_udm.additional.fields Mapped from changelog
x_transaction_id event.idm.read_only_udm.additional.fields Mapped from changelog
x_client_ssl_err event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_domain_fronted_sni event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_tunnel_id event.idm.read_only_udm.additional.fields Mapped from changelog
x_request_id event.idm.read_only_udm.additional.fields Mapped from changelog
x_s_zipcode event.idm.read_only_udm.additional.fields Mapped from changelog
x_c_zipcode event.idm.read_only_udm.additional.fields Mapped from changelog
x_c_browser event.idm.read_only_udm.additional.fields Mapped from changelog
x_c_browser_version event.idm.read_only_udm.additional.fields Mapped from changelog
x_c_device event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_site event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_page_id event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_traffic_type event.idm.read_only_udm.additional.fields Mapped from changelog
x_category_id event.idm.read_only_udm.additional.fields Mapped from changelog
x_category event.idm.read_only_udm.additional.fields Mapped from changelog
x_r_cert_valid event.idm.read_only_udm.additional.fields Mapped from changelog
x_r_cert_expired event.idm.read_only_udm.additional.fields Mapped from changelog
x_r_cert_untrusted_root event.idm.read_only_udm.additional.fields Mapped from changelog
x_r_cert_incomplete_chain event.idm.read_only_udm.additional.fields Mapped from changelog
x_r_cert_self_signed event.idm.read_only_udm.additional.fields Mapped from changelog
x_r_cert_revoked event.idm.read_only_udm.additional.fields Mapped from changelog
x_rs_file_type event.idm.read_only_udm.additional.fields Mapped from changelog
x_rs_file_category event.idm.read_only_udm.additional.fields Mapped from changelog
x_rs_file_language event.idm.read_only_udm.additional.fields Mapped from changelog
x_r_cert_revocation_check event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_app_category event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_app_cci event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_app_ccl event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_app_tags event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_app_suite event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_app_instance_id event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_app_instance_name event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_app_instance_tag event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_app_activity event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_app_from_user event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_app_to_user event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_app_object_type event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_app_object_name event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_app_object_id event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_uri_path event.idm.read_only_udm.additional.fields Mapped from changelog
x_r_cert_mismatch event.idm.read_only_udm.additional.fields Mapped from changelog
x_cs_access_method event.idm.read_only_udm.additional.fields Mapped from changelog
cs_uri_port event.idm.read_only_udm.additional.fields Mapped from changelog
cs_content_type event.idm.read_only_udm.additional.fields Mapped from changelog
sc_content_type event.idm.read_only_udm.additional.fields Mapped from changelog
app event.idm.read_only_udm.target.application Mapped from changelog
access_method event.idm.read_only_udm.extensions.auth.auth_details Mapped from changelog
action event.idm.read_only_udm..action Mapped from changelog
x_policy_action event.idm.read_only_udm..action Mapped from changelog
alert_name event.idm.read_only_udm..rule_name Mapped from changelog
x_ssl_policy_name event.idm.read_only_udm..rule_name Mapped from changelog
severity event.idm.read_only_udm..severity Mapped from changelog
activity event.idm.read_only_udm..description Mapped from changelog
appcategory event.idm.read_only_udm..category_details Mapped from changelog
x_ssl_policy_categories event.idm.read_only_udm..category_details Mapped from changelog
x_other_category event.idm.read_only_udm..category_details Mapped from changelog
sc_bytes event.idm.read_only_udm.network.received_bytes Mapped from changelog
cs_bytes event.idm.read_only_udm.network.sent_bytes Mapped from changelog
client_packets event.idm.read_only_udm.network.sent_packets Mapped from changelog
server_packets event.idm.read_only_udm.network.received_packets Mapped from changelog
appSessionId network.session_id Mapped from changelog
clientBytes network.sent_bytes Mapped from changelog
serverBytes network.received_bytes Mapped from changelog
ccl security_result.confidence_details Mapped from changelog
IncidentID", "applicationType", "browser", and "cci security_result.detection_fields Mapped from changelog
x-cs-app-ccl","x-cs-app-instance-id","x-cs-app-tags" ,"x-cs-app-instance-name" ,"x-cs-app-instance-tag", "x-cs-app-to-user","x-cs-app-object-id" and "x-cs-app-from-user additional.fields Mapped from changelog
dvchost target.hostname Mapped from changelog
duser target.user.email_addresses Mapped from changelog
requestClientApplication network.http.parsed_user_agent Mapped from changelog
Domain principal.administrative_domain Mapped from changelog

Alert events

Column number Log field UDM mapping
1 _id metadata.product_log_id
2 access_method additional.fields
3 act_user principal.user.email_addresses
userid
4 action security_result.action
action_details
5 activity additional.fields
6 alert additional.fields
7 alert_name security_result.detection_fields
8 alert_type security_result.detection_fields
9 app principal.application
10 app-gdpr-level additional.fields
11 app_session_id additional.fields
12 appact additional.fields
13 appcategory additional.fields
14 appsuite additional.fields
15 audit_type additional.fields
16 bcc network.email.bcc
additional.fields
17 browser principal.browser.browser_type
18 browser_session_id additional.fields
19 cc network.email.cc
additional.fields
20 cci additional.fields
21 ccl additional.fields
22 client_bytes network.sent_bytes
23 client_packets network.sent_packets
24 cloud_provider additional.fields
25 computer_name principal.hostname
26 conn_duration additional.fields
27 conn_endtime additional.fields
28 conn_starttime additional.fields
29 connection_id network.session_id
30 connection_type additional.fields
31 custom_attr additional.fields
32 destination_file_directory additional.fields
33 destination_file_name target.file.names
34 destination_file_path target.file.full_path
35 device principal.platform
additional.fields
36 device_classification additional.fields
37 dinsid additional.fields
38 dlp_file target.file.full_path
39 dlp_fingerprint_classification additional.fields
40 dlp_fingerprint_score additional.fields
41 dlp_incident_id additional.fields
42 dlp_is_unique_count additional.fields
43 dlp_parent_id additional.fields
44 dlp_profile additional.fields
45 dlp_rule additional.fields
46 dlp_rule_count additional.fields
47 dlp_rule_severity additional.fields
48 dlp_unique_count additional.fields
49 dns_profile additional.fields
50 domain network.tls.client.server_name
51 domain_ip principal.ip
52 driver additional.fields
53 dst_country target.location.country_or_region
54 dst_geoip_src additional.fields
55 dst_latitude target.location.region_coordinates.latitude
56 dst_location target.location.city
57 dst_longitude target.location.region_coordinates.longitude
58 dst_region target.location.name
59 dst_timezone additional.fields
60 dst_zipcode target.resource.attribute.labels
61 dsthost target.hostname
62 dstip target.ip
63 dstport target.port
64 eeml additional.fields
65 email_from_user additional.fields
66 email_modified additional.fields
67 email_user additional.fields
68 encryption_status additional.fields
69 end_time additional.fields
70 file_md5 principal.file.md5
71 file_owner additional.fields
72 file_path principal.file.full_path
73 file_pdl additional.fields
74 file_size principal.file.size
75 file_type principal.file.mime_type
76 filepath additional.fields
77 fllg additional.fields
78 flpp additional.fields
79 from_user principal.user.email_addresses
additional.fields
80 hostname principal.hostname
81 incident_id additional.fields
82 instance additional.fields
83 instance_id additional.fields
84 ip_protocol network.ip_protocol
85 local_source_time additional.fields
86 location additional.fields
87 mal_sev additional.fields
88 managed_app additional.fields
89 managementID additional.fields
90 md5 additional.fields
91 mime_type additional.fields
92 netskope_pop additional.fields
93 network_session_id network.session_id
94 nsdeviceuid principal.asset.asset_id
95 num_users additional.fields
96 numbytes additional.fields
97 object additional.fields
98 object_id additional.fields
99 object_type additional.fields
100 org additional.fields
101 organization_unit principal.administrative_domain
102 os principal.platform
103 os_details additional.fields
104 os_family additional.fields
105 os_user_name additional.fields
106 os_version principal.platform_version
107 owner additional.fields
108 owner_pdl additional.fields
109 page additional.fields
110 parent_id additional.fields
111 pid principal.process.pid
112 policy security_result.rule_name
113 policy_action additional.fields
114 policy_name security_result.rule_name
115 policy_name_enforced additional.fields
116 process_cert_subject additional.fields
117 process_name principal.process.file.names
118 process_path principal.process.file.full_path
119 publisher_cn additional.fields
120 record_type additional.fields
121 referer network.http.referral_url
122 req additional.fields
123 req_cnt additional.fields
124 request_id additional.fields
125 resp additional.fields
126 resp_cnt additional.fields
127 risk_score additional.fields
128 sa_rule_compliance additional.fields
129 sanctioned_instance additional.fields
130 server_bytes network.received_bytes
131 server_packets network.received_packets
132 severity security_result.severity
133 session_duration network.session_duration
134 session_number_unique additional.fields
135 severity security_result.severity
136 sha256 principal.file.sha256
137 shared_with additional.fields
138 site additional.fields
139 smtp_to additional.fields
140 spet additional.fields
141 spst additional.fields
142 src_country principal.location.country_or_region
143 src_geoip_src principal.resource.attribute.labels
144 src_latitude principal.location.region_coordinates.latitude
145 src_location principal.location.city
146 src_longitude principal.location.region_coordinates.longitude
147 src_network additional.fields
148 src_region principal.location.state
149 src_timezone additional.fields
150 src_zipcode principal.resource.attribute.labels
151 srcip principal.ip
152 srcport principal.port
153 start_time additional.fields
154 subtype additional.fields
155 tags additional.fields
156 telemetry_app additional.fields
157 thr additional.fields
158 threat_type additional.fields
159 timestamp additional.fields
160 to_user additional.fields
161 total_packets additional.fields
162 traffic_type additional.fields
163 transaction_id additional.fields
164 tss_mode additional.fields
165 tunnel_id additional.fields
166 tur additional.fields
167 type additional.fields
168 ur_normalized additional.fields
169 url target.url
170 user additional.fields
171 user_confidence_index additional.fields
172 user_confidence_level additional.fields
173 user_id additional.fields
174 useragent network.http.user_agent
network.http.parsed_user_agent
175 userip additional.fields
176 userkey principal.user.email_addresses
177 oauth additional.fields
178 response_time additional.fields
179 device_sn principal.resource.product_object_id
180 device_type additional.fields
181 dlp_profile_name security_result.rule_type
182 executable_hash additional.fields
183 executable_signed additional.fields
184 file_origin additional.fields
185 policy_version additional.fields
186 port additional.fields
187 product_id metadata.product_log_id
188 unc_path additional.fields
189 vendor_id additional.fields
190 acting_user additional.fields
191 assignee target.user.userid
192 dlp_match_info additional.fields
193 inline_dlp_match_info additional.fields
194 latest_incident_id additional.fields
195 status additional.fields
196 violation additional.fields
197 account_id additional.fields
198 account_name additional.fields
199 acked additional.fields
200 alert_id additional.fields
201 alert_source additional.fields
202 breach_date additional.fields
203 breach_id additional.fields
204 breach_score additional.fields
205 detection_engine additional.fields
206 dlp_fingerprint_match additional.fields
207 dlp_rule_score additional.fields
208 email_title additional.fields
209 event_uuid additional.fields
210 file_category additional.fields
211 file_cls_encrypted additional.fields
212 file_exposure additional.fields
213 file_id additional.fields
214 filename additional.fields
215 iaas_remediated additional.fields
216 iaas_remediated_by additional.fields
217 iaas_remediated_on additional.fields
218 iaas_remediation_action additional.fields
219 instance_name additional.fields
220 loc additional.fields
221 local_md5 additional.fields
222 local_sha1 additional.fields
223 local_sha256 additional.fields
224 mal_id additional.fields
225 mal_type additional.fields
226 malware_id additional.fields
227 malware_severity additional.fields
228 malware_type additional.fields
229 message_id additional.fields
230 modified_date additional.fields
231 pop_id additional.fields
232 redirect_url additional.fields
233 region_id additional.fields
234 region_name additional.fields
235 resource_category additional.fields
236 resource_group additional.fields
237 risk_level_id additional.fields
238 sa_profile_name additional.fields
239 sa_rule_name additional.fields
240 sa_rule_severity additional.fields
241 sender additional.fields
242 severity_id additional.fields
243 severity_level additional.fields
244 shared_credential_user additional.fields
245 shared_domains additional.fields
246 sharedType additional.fields
247 smtp_status additional.fields
248 subject additional.fields
249 suppression_count additional.fields
250 tss_license additional.fields
251 two_factor_auth additional.fields
252 usergroup additional.fields
253 watchlist_name additional.fields
254 web_url additional.fields

Web transaction

Columns 1-146 can also be used as another schema.

Column number Log field UDM mapping
1 date metadata.timestamp
2 time metadata.timestamp
3 time-taken additional.fields
4 cs-bytes network.sent_bytes
5 sc-bytes network.received_bytes
6 bytes additional.fields
7 c-ip principal.ip
principal.asset.ip
8 s-ip target.ip
target.asset.ip
9 cs-username principal.user.userid
10 cs-method network.http.method
11 cs-uri-scheme network.application_protocol
12 cs-uri-query additional.fields
13 cs-user-agent network.http.user_agent
14 cs-content-type additional.fields
15 sc-status network.http.response_code
16 sc-content-type additional.fields
17 cs-dns target.hostname
18 cs-host target.hostname
19 cs-uri additional.fields
20 cs-uri-port additional.fields
21 cs-referer network.http.referral_url
22 x-cs-session-id network.session_id
23 x-cs-access-method additional.fields
24 x-cs-app principal.application
25 x-s-country target.location.country_or_region
26 x-s-latitude target.location.region_coordinates.latitude
27 x-s-longitude target.location.region_coordinates.longitude
28 x-s-location target.location.name
29 x-s-region target.location.state
30 x-s-zipcode additional.fields
31 x-c-country principal.location.country_or_region
32 x-c-latitude principal.location.region_coordinates.latitude
33 x-c-longitude principal.location.region_coordinates.longitude
34 x-c-location principal.location.name
35 x-c-region principal.location.state
36 x-c-zipcode additional.fields
37 x-c-os principal.platform
38 x-c-browser additional.fields
39 x-c-browser-version additional.fields
40 x-c-device additional.fields
41 x-cs-site additional.fields
42 x-cs-timestamp metadata.event_timestamp
43 x-cs-page-id additional.fields
44 x-cs-userip security_result.detection_fields
45 x-cs-traffic-type additional.fields
46 x-cs-tunnel-id additional.fields
47 x-category additional.fields
48 x-other-category security_resul.category_details
49 x-type additional.fields
50 x-server-ssl-err additional.fields
51 x-client-ssl-err additional.fields
52 x-transaction-id additional.fields
53 x-request-id additional.fields
54 x-cs-sni network.tls.client.server_name
55 x-cs-domain-fronted-sni additional.fields
56 x-category-id additional.fields
57 x-other-category-id security_result.detection_fields
58 x-sr-headers-name additional.fields
59 x-sr-headers-value additional.fields
60 x-cs-ssl-ja3 network.tls.client.ja3
61 x-sr-ssl-ja3s network.tls.server.ja3s
62 x-ssl-bypass additional.fields
63 x-ssl-bypass-reason additional.fields
64 x-r-cert-subject-cn network.tls.server.certificate.subject
65 x-r-cert-issuer-cn network.tls.server.certificate.issuer
66 x-r-cert-startdate network.tls.server.certificate.not_before
67 x-r-cert-enddate network.tls.server.certificate.not_after
68 x-r-cert-valid additional.fields
69 x-r-cert-expired additional.fields
70 x-r-cert-untrusted-root additional.fields
71 x-r-cert-incomplete-chain additional.fields
72 x-r-cert-self-signed additional.fields
73 x-r-cert-revoked additional.fields
74 x-r-cert-revocation-check additional.fields
75 x-r-cert-mismatch additional.fields
76 x-cs-ssl-fronting-error security_result.detection_fields
77 x-cs-ssl-handshake-error security_result.detection_fields
78 x-sr-ssl-handshake-error security_result.detection_fields
79 x-sr-ssl-client-certificate-error security_result.detection_fields
80 x-sr-ssl-malformed-ssl security_result.detection_fields
81 x-s-custom-signing-ca-error security_result.detection_fields
82 x-cs-ssl-engine-action security_result.detection_fields
83 x-cs-ssl-engine-action-reason security_result.detection_fields
84 x-sr-ssl-engine-action security_result.detection_fields
85 x-sr-ssl-engine-action-reason security_result.detection_fields
86 x-ssl-policy-src-ip security_result.detection_fields
87 x-ssl-policy-dst-ip security_result.detection_fields
88 x-ssl-policy-dst-host security_result.detection_fields
89 x-ssl-policy-dst-host-source security_result.detection_fields
90 x-ssl-policy-categories security_result.category_details
91 x-ssl-policy-action security_result.detection_fields
92 x-ssl-policy-name security_result.rule_name
93 x-cs-ssl-version network.tls.version
94 x-cs-ssl-cipher network.tls.cipher
95 x-sr-ssl-version security_result.detection_fields
96 x-sr-ssl-cipher security_result.detection_fields
97 x-cs-src-ip-egress security_result.detection_fields
98 x-s-dp-name additional.fields
99 x-cs-src-ip principal.ip
principal.asset.ip
100 x-cs-src-port principal.port
101 x-cs-dst-ip target.ip
102 x-cs-dst-port target.port
103 x-sr-src-ip security_result.detection_fields
104 x-sr-src-port additional.fields
105 x-sr-dst-ip security_result.detection_fields
106 x-sr-dst-port security_result.detection_fields
107 x-cs-ip-connect-xff additional.fields
108 x-cs-ip-xff additional.fields
109 x-cs-connect-host additional.fields
110 x-cs-connect-port additional.fields
111 x-cs-connect-user-agent additional.fields
112 x-cs-url target.url
113 x-cs-uri-path additional.fields
114 x-cs-http-version security_result.detection_fields
115 rs-status additional.fields
116 x-cs-app-category additional.fields
117 x-cs-app-cci additional.fields
118 x-cs-app-ccl additional.fields
119 x-cs-app-tags additional.fields
120 x-cs-app-suite additional.fields
121 x-cs-app-instance-id additional.fields
122 x-cs-app-instance-name additional.fields
123 x-cs-app-instance-tag additional.fields
124 x-cs-app-activity additional.fields
125 x-cs-app-from-user additional.fields
126 x-cs-app-to-user additional.fields
127 x-cs-app-object-type additional.fields
128 x-cs-app-object-name additional.fields
129 x-cs-app-object-id additional.fields
130 x-rs-file-type principal.process.file.mime_type
131 x-rs-file-category additional.fields
132 x-rs-file-language additional.fields
133 x-rs-file-size principal.process.size
134 x-rs-file-md5 principal.process.file.md5
135 x-rs-file-sha256 principal.process.file.sha256
136 x-error additional.fields
137 x-c-local-time additional.fields
138 x-policy-action security_result.action
action_details
139 x-policy-name additional.fields
140 x-policy-src-ip security_result.detection_fields
141 x-policy-dst-ip security_result.detection_fields
142 x-policy-dst-host security_result.detection_fields
143 x-policy-dst-host-source security_result.detection_fields
144 x-policy-justification-type security_result.detection_fields
145 x-policy-justification-reason security_result.detection_fields
146 x-sc-notification-name security_result.detection_fields
147 sr-bytes additional.fields
148 rs-bytes additional.fields
149 x-action additional.fields
150 x-action-reason additional.fields
151 x-c-authn-user additional.fields
152 x-c-authn-source additional.fields
153 x-c-authn-surrogate additional.fields
154 x-c-authn-surrogate-status additional.fields
155 x-c-authz-groups additional.fields
156 x-c-authz-ou additional.fields
157 x-cs-xau additional.fields
158 x-cs-connect-xau additional.fields
159 x-c-user-confidence-index additional.fields
160 x-c-hostname additional.fields
161 x-c-device-uid principal.asset.asset_id
162 x-c-os-family additional.fields
163 x-c-os-version principal.platform_version
164 x-c-nsclient-version metadata.product_version
165 x-c-nsclient-client-profile additional.fields
166 x-c-nsclient-steering-profile additional.fields
167 x-c-device-classification additional.fields
168 x-cs-nsclient-tunnel-type additional.fields
169 x-cs-process principal.process.file.full_path
170 x-cs-pid principal.process.pid
171 x-cs-parent-process principal.process.parent_process.file.full_path
172 x-cs-ppid principal.process.parent_process.pid
173 x-tp-result additional.fields
174 x-tp-engine additional.fields
175 x-tp-malware-name additional.fields
176 x-tp-severity additional.fields
177 x-sr-forward-dest additional.fields
178 x-ssl-policy-issuer additional.fields
179 x-eip-policy-name additional.fields
180 x-eip-policy-footprint additional.fields
181 x-policy-categories additional.fields
182 x-c-timezone additional.fields
183 x-support additional.fields
184 x-r-country additional.fields
185 x-r-latitude additional.fields
186 x-r-longitude additional.fields
187 x-r-location additional.fields
188 x-r-region additional.fields
189 x-r-zipcode additional.fields
190 x-c-authz-source additional.fields
191 x-cs-app-instance-tags additional.fields
192 x-cs-ssl-malformed-ssl additional.fields
193 x-cs-access-proxy additional.fields
194 x-c-local-timestamp additional.fields
195 x-r-cert-start network.tls.server.certificate.not_before
196 x-r-cert-end network.tls.server.certificate.not_after
197 x-tenant-id additional.fields

Change Log

View the Change Log for this parser

Need more help? Get answers from Community members and Google SecOps professionals.