Incidents Log Fields

The descriptions and names of available log fields in a Prisma SaaS incident log.
The incident log is generated when an incident is detected.
| Field Name | Description |
| --- | --- |
| detected_timestamp | The time the incident was discovered, in YYYY-MM-DD HH:MM:SS format, with Augmented Backus-Naur Form (ABNF) to indicate the timezone. |
| serial | Serial number of the organization using the service (tenant). |
| cloud_app_instance | The instance name of the cloud application (not the type of cloud application). |
| severity | The severity of the incident valued between 0 and 5. |
| incident_id | Unique ID number for the incident. |
| asset-id | Unique ID number for the asset associated with the incident. |
| item_name | Name of the file, folder, email Subject, or user associated with the incident. |
| item_type | File, Folder, or User |
| item_owner | The user who owns the asset identified in the incident. |
| container_name | The value is the bucketname for AWS S3, Google Cloud Platform, and Microsoft Azure assets. The value is null for the remaining apps. |
| item_creator | The user who created the asset identified in the incident. |
| policy_rule_name | The names of one or more policy rules (not policy type) that were matched. |
| exposure | The type of exposure associated with the incident. Values are Public, External, Company, or Internal. |
| occurrences_by_rule | Where applicable, the number of occurrences matched for the corresponding rule. |
| state | One of the following states: Active; Remediated in cloud; Remediated by Prisma_SaaS; Remediated by <Admin_name>; Closed Business Justified; Closed Personal Content; Closed Risks mis-identified; Closed No reason given |
| collaborators | Any external or internal collaborators with access to view, edit, or download an asset. |
| datetime_edited | Last time the asset was updated. |
| incident_category | The category of the incident. For example, Personal or BusinessJustified. |
| incident_owner | The administrator assigned to the incident. |
| additional_notes | Any notes added by the administrator (first 20 bytes). |
| item_owner_email | Email address of the item owner or sender of email. |
| item_creator_email | Email address of the item creator. |
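
The field values listed above can be checked before incidents are queued for review. The following is an added example, not part of the product documentation: it assumes each incident has already been parsed into a dictionary keyed by the field names above, that severity arrives as an integer or integer string, and that a higher severity is more urgent; the function names and sample records are constructed for illustration.

```python
# Added example: field names and allowed values are from the table above.
EXPOSURES = {"Public", "External", "Company", "Internal"}
FIXED_STATES = {
    "Active", "Remediated in cloud", "Remediated by Prisma_SaaS",
    "Closed Business Justified", "Closed Personal Content",
    "Closed Risks mis-identified", "Closed No reason given",
}
ADMIN_PREFIX = "Remediated by "

def normalize_state(state):
    """Map 'Remediated by <Admin_name>' to one bucket; None if unknown."""
    s = state if isinstance(state, str) else ""
    if s in FIXED_STATES:
        return s
    if s.startswith(ADMIN_PREFIX) and s[len(ADMIN_PREFIX):].strip():
        return "Remediated by admin"
    return None

def check(rec):
    problems = []  # reasons this record does not match the field table
    try:
        if not 0 <= int(rec["severity"]) <= 5:
            problems.append("severity out of range")
    except (KeyError, TypeError, ValueError):
        problems.append("severity missing or not an integer")
    if rec.get("exposure") not in EXPOSURES:
        problems.append("unknown exposure")
    if normalize_state(rec.get("state")) is None:
        problems.append("unknown state")
    return problems

def triage(records):
    """Return (incident_ids still Active and Public/External, rejected)."""
    queue, rejected = [], []
    for rec in records:
        problems = check(rec)
        if problems:
            rejected.append((rec.get("incident_id"), problems))
        elif rec["state"] == "Active" and rec["exposure"] in ("Public", "External"):
            queue.append(rec)
    # Assumption: a higher severity value is more urgent.
    queue.sort(key=lambda r: int(r["severity"]), reverse=True)
    return [r["incident_id"] for r in queue], rejected

SAMPLE = [  # constructed records, not real incident data
    {"incident_id": "1001", "severity": "3", "exposure": "External", "state": "Active"},
    {"incident_id": "1002", "severity": "5", "exposure": "Public", "state": "Active"},
    {"incident_id": "1003", "severity": "4", "exposure": "Public", "state": "Remediated by jdoe"},
    {"incident_id": "1004", "severity": "9", "exposure": "Public", "state": "Active"},
]
```

Records that fail validation are returned separately with their reasons rather than dropped, so a format change in the log source shows up as rejects instead of as missing incidents.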
