Policy Violation Log Fields

The descriptions and names of available log fields in a SaaS Security API policy violation log.
The policy violation log is generated when an asset matches a policy rule. The log includes the following fields, which are available for ingestion by your Security information and event management (SIEM) system.
Fields are listed in the order that they are needed for push mode.
| Field Name | Description |
|---|---|
| `timestamp` | Time the policy violation occurred. Values are in `YYYY-MM-DD HH:MM:SS` format. |
| `serial` | Serial number of the organization using the service (tenant). |
| `log_type` | Type of log. In this case, `policy_violation`. |
| `cloud_app_instance` | Instance name of the cloud application (not the type of cloud application) associated with the policy violation. |
| `severity` | Policy violation severity, valued between `0` and `5`. |
| `incident_id` | Unique ID number for the incident. Can be null (no value). |
| `asset_id` | Unique ID number for the asset associated with the policy violation. |
| `item_name` | Name of the file, folder, or user associated with the policy violation. |
| `item_type` | Values are `File`, `Folder`, or `User`. |
| `item_owner` | User who owns the asset associated with the policy violation. |
| `item_creator` | User who created the asset identified in the policy violation. |
| `policy_rule_name` | Name of the policy rule that triggered the violation. |
| `future_use` | Not currently implemented. |
| `action_taken` | Action taken to remedy the policy violation. For example, `Log only` or `Send Administrator Alert`. |
| `action_taken_by` | Cloud app user who took action to remediate the policy violation. For automated remediation, the value is `Aperture`. |
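As an added example (not code from this reference page or from the SaaS Security API), here is a Python parser for one pushed policy violation record, assuming the push format delivers the fields as a single CSV line in the order listed above; the sample record and its values (serial, `Box-Corp`, user names, rule name) are constructed.

```python
import csv
from datetime import datetime
from typing import Optional

# Push-mode field order as documented above (assumption: one CSV record per line).
FIELDS = [
    "timestamp", "serial", "log_type", "cloud_app_instance", "severity",
    "incident_id", "asset_id", "item_name", "item_type", "item_owner",
    "item_creator", "policy_rule_name", "future_use", "action_taken",
    "action_taken_by",
]
ITEM_TYPES = {"File", "Folder", "User"}

def parse_policy_violation(line: str) -> dict:
    """Parse one pushed record into a dict, enforcing the documented field constraints."""
    values = next(csv.reader([line]))
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    rec = dict(zip(FIELDS, values))
    if rec["log_type"] != "policy_violation":
        raise ValueError(f"not a policy_violation log: {rec['log_type']!r}")
    # timestamp is documented as YYYY-MM-DD HH:MM:SS; anything else is rejected here
    rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")
    severity = int(rec["severity"])
    if not 0 <= severity <= 5:
        raise ValueError(f"severity out of documented range 0-5: {severity}")
    rec["severity"] = severity
    # incident_id may be null: normalise an empty value to None so SIEM joins never match ""
    rec["incident_id"] = rec["incident_id"] or None
    if rec["item_type"] not in ITEM_TYPES:
        raise ValueError(f"unexpected item_type: {rec['item_type']!r}")
    # flag automated remediation, which the service reports as action_taken_by == "Aperture"
    rec["automated_remediation"] = rec["action_taken_by"] == "Aperture"
    return rec

def validation_error(line: str) -> Optional[str]:
    """Return the validation failure message for a record, or None if it parses cleanly."""
    try:
        parse_policy_violation(line)
    except ValueError as exc:
        return str(exc)
    return None

# Constructed sample record (not real data): incident_id and future_use are empty.
SAMPLE = (
    "2023-05-04 13:22:10,012345678901234,policy_violation,Box-Corp,4,,A-1001,"
    "q2-forecast.xlsx,File,alice@example.com,bob@example.com,"
    "Block public sharing of spreadsheets,,Send Administrator Alert,Aperture"
)
```

Records that fail a documented constraint are rejected rather than silently ingested, so a malformed or truncated push shows up as a parser error in the SIEM pipeline instead of as a misattributed event.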