Detection

Learn about the Detection log type, its schema fields, and their descriptions under the SaaS Security log type.
Detection logging records the results of running security detectors on agents, typically during scheduled security scans of SaaS applications and low-code agents. The purpose is to capture and store the specific security detections identified in each scan.
| Detection Field | Display Name | Description |
| --- | --- | --- |
| agent_id | (AGENT ID) | Unique identifier for the agent at the endpoint. |
| detection_details | (DETECTION DETAILS) | Detector-specific details encoded as JSON string. Content varies based on the detector_type. |
| detection_id | (DETECTION ID) | Unique identifier for this detection instance (used for correlation). |
| detection_risk_score | (DETECTION RISK SCORE) | Risk score associated with the detection. |
| detector_type | (DETECTOR TYPE) | Identifier for the specific detector that was triggered. |
| first_seen_at | (FIRST SEEN AT) | First time this detection instance was observed (ISO 8601 / RFC 3339 timestamp format). |
| last_seen_at | (LAST SEEN AT) | Most recent time this detection instance was observed (ISO 8601 / RFC 3339 timestamp format). |
| log_source | (LOG SOURCE) | Identifies the system that produced the data. |
| log_source_id | (DEVICE SN) | Source of the record, represented as a platform and region combination (e.g., agentic-platform-us-west-2). |
| log_type | (LOG TYPE) | Identifies the log type. |
| saas_app_id | (SAAS APP ID) | Unique identifier of the specific connected application. |
| scan_id | (SCAN ID) | Scan ID that produced the detection. |
| sub_type | (SUB TYPE) | Category of detection (e.g., Posture, Identity, Onboarding). |
| time_generated | (TIME GENERATED) | Time the log was generated on the data plane in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. |
| tsg_id | (TSG ID) | The Tenant Service Group that uniquely identifies the Strata Logging Service instance which received this log record. |
| vendor_name | (VENDOR NAME) | Identifies the vendor that produced the data. |
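
The following is an added example, not part of the product documentation: one way to correlate Detection records across scans by detection_id, widening the first_seen_at / last_seen_at window and decoding the JSON string in detection_details. It assumes records are already available as Python dictionaries keyed by the field names above; all sample values, the detector_type, and the keys inside detection_details are constructed placeholders.

```python
import json
from datetime import datetime

# Constructed sample records (not real log output). Field names come from the
# schema table; every value, including detector_type and the keys inside
# detection_details, is a placeholder.
SAMPLE_LOGS = [
    {"detection_id": "det-001", "scan_id": "scan-1", "sub_type": "Posture",
     "detector_type": "example-detector",
     "detection_details": '{"setting": "example", "enabled": false}',
     "first_seen_at": "2024-05-01T10:00:00Z", "last_seen_at": "2024-05-01T10:00:00Z"},
    {"detection_id": "det-001", "scan_id": "scan-2", "sub_type": "Posture",
     "detector_type": "example-detector",
     "detection_details": '{"setting": "example", "enabled": false}',
     "first_seen_at": "2024-05-01T10:00:00Z", "last_seen_at": "2024-05-08T10:00:00Z"},
    {"detection_id": "det-002", "scan_id": "scan-2", "sub_type": "Identity",
     "detector_type": "other-example-detector",
     "detection_details": '{"truncated": ',  # malformed on purpose
     "first_seen_at": "2024-05-08T10:00:00Z", "last_seen_at": "2024-05-08T10:00:00Z"},
]

def parse_ts(value):
    """Parse an RFC 3339 timestamp; 'Z' is rewritten for older Python versions."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def decode_details(raw):
    """detection_details is a JSON string, so it needs its own decode step."""
    try:
        details = json.loads(raw)
    except (TypeError, ValueError):
        return {"_raw": raw, "_decode_error": True}  # keep the record, flag the field
    return details if isinstance(details, dict) else {"_value": details}

def correlate(records):
    """Merge records that share a detection_id into one entry per detection."""
    merged = {}
    for rec in records:
        first, last = parse_ts(rec["first_seen_at"]), parse_ts(rec["last_seen_at"])
        if last < first:
            continue  # inconsistent window; skip rather than trust either value
        entry = merged.setdefault(rec["detection_id"], {
            "detector_type": rec["detector_type"], "first_seen": first,
            "last_seen": last, "scan_ids": set(), "details": None})
        if last >= entry["last_seen"]:  # keep details from the newest sighting
            entry["details"] = decode_details(rec["detection_details"])
        entry["first_seen"] = min(entry["first_seen"], first)
        entry["last_seen"] = max(entry["last_seen"], last)
        entry["scan_ids"].add(rec["scan_id"])
    return merged
```

A detection whose detection_details fails to decode is kept and flagged rather than dropped, so a malformed field in one record does not hide the detection from review.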