SaaS Security
Incidents Log Fields
The names and descriptions of the log fields available in a Data Security incident log.
An incident log is generated whenever an incident is detected. It contains the fields listed below, which are available for ingestion by your security information and event management (SIEM) system. The fields are listed in the order in which they are sent in push mode.
Field Name | Description |
---|---|
timestamp | Time the incident was discovered, in YYYY-MM-DD HH:MM:SS format with Augmented Backus-Naur Form (ABNF) notation to indicate the timezone. |
serial | Serial number of the organization using the service (tenant). |
log_type | Type of log. In this case, incident. |
cloud_app_instance | Instance name of the cloud application (not the type of cloud application). |
severity | Severity of the incident, valued between 0 and 5. |
incident_id | Unique ID number for the policy rule that created the incident. |
asset_id | Unique ID number for the asset associated with the incident. |
item_name | Name of the file, folder, email subject, or user associated with the incident. |
item_type | Values are File, Folder, or User. |
item_owner | User who owns the asset identified in the incident. |
container_name | Value of bucketname for AWS S3, Google Cloud Platform, and Microsoft Azure assets. The value is null for the remaining apps. |
item_creator | User who created the asset identified in the incident. |
policy_rule_name | Names of one or more policy rules (not policy type) that were matched. |
exposure | The type of exposure associated with the incident. Values are Public, External, Company, or Internal. |
occurrences_by_rule | Value is null. |
future_use | Not currently implemented. |
future_use2 | Not currently implemented. |
additional_notes | Any notes added by the administrator (first 20 bytes). |
collaborators | Any external or internal collaborators with access to view, edit, or download an asset. |
datetime_edited | Last time the asset associated with the incident was updated on the cloud app. |
incident_category | Category of the incident. For example, Personal or Business Justified. |
incident_owner | Administrator assigned to the incident. |
item_creator_email | Email address of the item creator. |
item_owner_email | Email address of the item owner or sender of the email. |
item_cloud_url | File URL associated with the incident, used to download or view the asset. |
item_owner_group | AD groups to which the asset owner belongs. |
item_sha256 | SHA256 hash as reported by the WildFire cloud service. |
item_size | Size of the file as reported by the WildFire cloud service. |
item_verdict | |
asset_create_time | Time the asset associated with the incident was created on the cloud app or initially uploaded from a local drive to the cloud app. |
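As an added example (not part of the product documentation), the following Python maps a push-mode record onto the field names above, in the documented order, and enforces the documented value constraints (severity 0 to 5, the exposure and item_type enumerations, null container_name) before a simple escalation rule is applied. It assumes the record arrives as one comma-separated line; the sample record and the hypothetical `needs_escalation` rule are constructed for illustration.

```python
import csv

# Field names in the push-mode order given in the incident log field table.
INCIDENT_FIELDS = [
    "timestamp", "serial", "log_type", "cloud_app_instance", "severity",
    "incident_id", "asset_id", "item_name", "item_type", "item_owner",
    "container_name", "item_creator", "policy_rule_name", "exposure",
    "occurrences_by_rule", "future_use", "future_use2", "additional_notes",
    "collaborators", "datetime_edited", "incident_category", "incident_owner",
    "item_creator_email", "item_owner_email", "item_cloud_url",
    "item_owner_group", "item_sha256", "item_size", "item_verdict",
    "asset_create_time",
]
EXPOSURES = {"Public", "External", "Company", "Internal"}
ITEM_TYPES = {"File", "Folder", "User"}


def parse_incident(line):
    """Parse one comma-separated record (assumed transport format) into a
    dict keyed by the documented field names, validating documented values."""
    values = next(csv.reader([line]))  # csv handles quoted rule names
    if len(values) != len(INCIDENT_FIELDS):
        raise ValueError(f"expected {len(INCIDENT_FIELDS)} fields, got {len(values)}")
    rec = dict(zip(INCIDENT_FIELDS, values))
    if rec["log_type"] != "incident":
        raise ValueError("log_type is not 'incident'")
    rec["severity"] = int(rec["severity"])
    if not 0 <= rec["severity"] <= 5:
        raise ValueError("severity outside documented range 0-5")
    if rec["exposure"] not in EXPOSURES:
        raise ValueError(f"undocumented exposure value {rec['exposure']!r}")
    if rec["item_type"] not in ITEM_TYPES:
        raise ValueError(f"undocumented item_type value {rec['item_type']!r}")
    # container_name is documented as null for apps other than S3/GCP/Azure.
    if rec["container_name"] in ("", "null"):
        rec["container_name"] = None
    return rec


def needs_escalation(rec, min_severity=4):
    """Hypothetical SIEM rule: asset exposed outside the company at high severity."""
    return rec["exposure"] in ("Public", "External") and rec["severity"] >= min_severity


# Constructed sample record (not real data), values in documented field order.
SAMPLE = (
    "2024-01-15 10:22:31+00:00,0123456789,incident,corp-box,5,1001,55001,"
    "payroll.xlsx,File,alice@example.com,,alice@example.com,"
    '"PII - SSN;Credit Card",Public,null,,,,bob@partner.example,'
    "2024-01-14 18:03:10,Business Justified,secops@example.com,"
    "alice@example.com,alice@example.com,https://example.invalid/file/55001,"
    "Finance,PLACEHOLDER_SHA256,20480,benign,2023-12-01 09:00:00"
)
```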