Policy Violation Log Fields

The descriptions and names of available log fields in a Prisma SaaS policy violation log.
The policy violation log is generated when an asset matches a policy rule.
| Field Name | Description |
|---|---|
| violation_timestamp | Time the policy violation occurred. Values are in YYYY-MM-DD HH:MM:SS format. |
| serial | Serial number of the organization using the service (tenant). |
| cloud_app_instance | The instance name of the cloud application (not the type of cloud application) associated with the policy violation. |
| severity | The policy violation severity valued between 0 and 5. |
| incident_id | The unique ID number for the incident. Can be null (no value). |
| asset_id | The unique ID number for the asset associated with the policy violation. |
| item_name | The name of the file, folder, or user associated with the policy violation. |
| item_type | File, Folder, or User. |
| item_owner | The user who owns the asset associated with the policy violation. |
| item_creator | The user who created the asset identified in the policy violation. |
| policy_rule_name | The name of the policy rule that triggered the violation. |
| FUTURE_USE | Not currently implemented. |
| action_taken | Action taken to remedy the policy violation. For example, Log only, or Send Administrator Alert. |
| action_taken_by | The cloud app user who took action to remediate the policy violation. For automated remediation, the value is Aperture. |
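The following is an added example, not Prisma SaaS code: a parser that checks an ingested record against the field definitions above before it reaches a SIEM. It assumes each record arrives as one comma-separated line with fields in the order listed and that a null incident_id appears as an empty field; the function name `parse_violation`, the derived `automated` flag, and the sample records are constructed for illustration.

```python
import csv
from datetime import datetime

# Field order follows the table above; treating a record as one CSV line
# in this order is an assumption of this example, not stated by the page.
FIELDS = ["violation_timestamp", "serial", "cloud_app_instance", "severity",
          "incident_id", "asset_id", "item_name", "item_type", "item_owner",
          "item_creator", "policy_rule_name", "FUTURE_USE", "action_taken",
          "action_taken_by"]
ITEM_TYPES = {"File", "Folder", "User"}


def parse_violation(line):
    """Parse one record into a dict and validate it against the field table."""
    values = next(csv.reader([line]))
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    rec = dict(zip(FIELDS, values))
    # violation_timestamp: YYYY-MM-DD HH:MM:SS
    rec["violation_timestamp"] = datetime.strptime(
        rec["violation_timestamp"], "%Y-%m-%d %H:%M:%S")
    # severity: integer between 0 and 5
    rec["severity"] = int(rec["severity"])
    if not 0 <= rec["severity"] <= 5:
        raise ValueError(f"severity out of range: {rec['severity']}")
    if rec["item_type"] not in ITEM_TYPES:
        raise ValueError(f"unknown item_type: {rec['item_type']!r}")
    # incident_id can be null; an empty field is mapped to None (assumption)
    rec["incident_id"] = rec["incident_id"] or None
    # Automated remediation is recorded with action_taken_by = Aperture
    rec["automated"] = rec["action_taken_by"] == "Aperture"
    del rec["FUTURE_USE"]  # not currently implemented
    return rec


# Constructed sample records (not real tenant data)
SAMPLE = [
    '2019-03-04 10:15:42,0000000001,Box-Corp,4,,a-1001,"plan, Q3.xlsx",File,'
    'owner@example.com,creator@example.com,PII Exposure,,Log only,Aperture',
    '2019-03-04 10:20:00,0000000001,Box-Corp,9,i-77,a-1002,notes.txt,File,'
    'owner@example.com,creator@example.com,PII Exposure,,Log only,admin@example.com',
]

if __name__ == "__main__":
    for line in SAMPLE:
        try:
            print(parse_violation(line))
        except ValueError as err:
            print("rejected:", err)
```

Rejecting records that fall outside the documented ranges keeps malformed or shifted fields out of severity-based alerting rules.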
