Incidents Log Fields

This page lists the names and descriptions of the fields available in a SaaS Security API incident log.
An incident log is generated when an incident is detected. The log contains the fields below, which are available for ingestion by your security information and event management (SIEM) system.
Fields are listed in the order in which they appear in push mode.
| Field Name | Description |
| --- | --- |
| timestamp | Time the incident was discovered, in YYYY-MM-DD HH:MM:SS format, with Augmented Backus-Naur Form (ABNF) notation to indicate the timezone. |
| serial | Serial number of the organization using the service (tenant). |
| log_type | Type of log. In this case, incident. |
| cloud_app_instance | Instance name of the cloud application (not the type of cloud application). |
| severity | Severity of the incident, valued between 0 and 5. |
| incident_id | Unique ID number for the policy rule that created the incident. |
| asset_id | Unique ID number for the asset associated with the incident. |
| item_name | Name of the file, folder, email subject, or user associated with the incident. |
| item_type | Values are File, Folder, or User. |
| item_owner | User who owns the asset identified in the incident. |
| container_name | Value of bucketname for AWS S3, Google Cloud Platform, and Microsoft Azure assets. The value is null for the remaining apps. |
| item_creator | User who created the asset identified in the incident. |
| policy_rule_name | Names of one or more policy rules (not policy type) that were matched. |
| exposure | The type of exposure associated with the incident. Values are Public, External, Company, or Internal. |
| occurrences_by_rule | Where applicable, the number of occurrences matched for the corresponding rule. |
| future_use | Not currently implemented. |
| future_use2 | Not currently implemented. |
| additional_notes | Any notes added by the administrator (first 20 bytes). |
| collaborators | Any external or internal collaborators with access to view, edit, or download the asset. |
| datetime_edited | Last time the asset associated with the incident was updated on the cloud app. |
| incident_category | Category of the incident. For example, Personal or Business Justified. |
| incident_owner | Administrator assigned to the incident. |
| item_creator_email | Email address of the item creator. |
| item_owner_email | Email address of the item owner or sender of the email. |
| item_cloud_url | File URL associated with the incident, used to download or view the asset. |
| item_owner_group | AD groups to which the asset owner belongs. |
| item_sha256 | SHA-256 hash as reported by the WildFire cloud service. |
| item_size | Size of the file as reported by the WildFire cloud service. |
| item_verdict | Verdict as reported by the WildFire cloud service: either malware, benign, or not available. |
| asset_create_time | Time the asset associated with the incident was created on the cloud app or initially uploaded from a local drive to the cloud app. |
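The following is an added example, not code from the original page or from the SaaS Security product, showing how a SIEM-side collector might map a push-mode incident record onto the field names in the order listed above and apply a few normalization and triage rules (null container names, the 0 to 5 severity range, the WildFire verdict and the exposure value). It assumes that a push-mode record is one comma-separated line with the fields in the documented order; the delimiter, the sample record, and every name, address, hash and URL in it are constructed for illustration.

```python
import csv
import io
from typing import List, Optional

# Field order for push mode, as documented on this page.
INCIDENT_FIELDS = [
    "timestamp", "serial", "log_type", "cloud_app_instance", "severity",
    "incident_id", "asset_id", "item_name", "item_type", "item_owner",
    "container_name", "item_creator", "policy_rule_name", "exposure",
    "occurrences_by_rule", "future_use", "future_use2", "additional_notes",
    "collaborators", "datetime_edited", "incident_category", "incident_owner",
    "item_creator_email", "item_owner_email", "item_cloud_url",
    "item_owner_group", "item_sha256", "item_size", "item_verdict",
    "asset_create_time",
]

# Fields that carry numbers and are converted to int after parsing.
_INT_FIELDS = ("severity", "occurrences_by_rule", "item_size")

# Constructed sample record (not real tenant data). The comma delimiter is an
# assumption; the SHA-256 value is an obvious all-zero placeholder.
SAMPLE_LINE = (
    "2024-01-15 10:23:45+00:00,012345678901,incident,Acme-Box-Prod,4,"
    "INC-0001,ASSET-42,quarterly_plan.xlsx,File,alice@example.com,null,"
    "bob@example.com,Sensitive Financial Data,Public,3,,,Reviewed by SOC,"
    '"carol@example.com; dave@partner.example",2024-01-14 18:02:11+00:00,'
    "Business Justified,soc-admin@example.com,bob@example.com,"
    "alice@example.com,https://app.example.com/files/42,Finance;Staff,"
    + "0" * 64 + ",20480,malware,2023-11-30 09:00:00+00:00"
)


def parse_incident_line(line: str) -> dict:
    """Parse one push-mode incident record into a dict keyed by field name."""
    row = next(csv.reader(io.StringIO(line)))
    if len(row) != len(INCIDENT_FIELDS):
        raise ValueError(
            f"expected {len(INCIDENT_FIELDS)} fields, got {len(row)}")
    rec = dict(zip(INCIDENT_FIELDS, row))
    if rec["log_type"] != "incident":
        raise ValueError(f"not an incident record: log_type={rec['log_type']!r}")
    # Empty values and the literal "null" (as documented for container_name)
    # become None so downstream logic can test for absence uniformly.
    for name in INCIDENT_FIELDS:
        if rec[name] in ("", "null"):
            rec[name] = None
    for name in _INT_FIELDS:
        if rec[name] is not None:
            rec[name] = int(rec[name])
    sev: Optional[int] = rec["severity"]
    if sev is None or not 0 <= sev <= 5:
        raise ValueError(f"severity out of documented range 0..5: {sev!r}")
    if rec["item_type"] not in ("File", "Folder", "User"):
        raise ValueError(f"unexpected item_type {rec['item_type']!r}")
    return rec


def triage_reasons(rec: dict) -> List[str]:
    """Return the reasons a parsed incident deserves analyst attention."""
    reasons = []
    if rec["item_verdict"] == "malware":
        reasons.append("WildFire verdict is malware")
    if rec["exposure"] in ("Public", "External"):
        reasons.append(f"asset exposure is {rec['exposure']}")
    if rec["severity"] >= 4:
        reasons.append(f"severity {rec['severity']} of 5")
    return reasons


if __name__ == "__main__":
    incident = parse_incident_line(SAMPLE_LINE)
    print(incident["incident_id"], incident["item_name"], incident["container_name"])
    for reason in triage_reasons(incident):
        print(" -", reason)
```

Because the record is positional, a collector that silently accepts the wrong field count will shift every later value by one column (for example, reading a verdict where the size should be), so the parser rejects such lines instead of guessing; the two future_use placeholders are kept in the field list for the same reason.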
