Remediation Activity Log Fields

The descriptions and names of available log fields in a SaaS Security API remediation log.
A remediation log is generated when an incident is manually remediated or if automatic remediation has been applied. The log includes the following fields, which are available for ingestion by your Security information and event management (SIEM) system.
Fields are listed in the order that they are needed for push mode.
Field Name
Description
timestamp
Time the remediation action occurred. Values are in
YYYY-MM-DD HH:MM:SS
format.
serial
Serial number of the organization using the service (tenant).
log_type
Type of log. In this case,
remediation
.
cloud_app_instance
Instance name of the cloud application (not the type of cloud application) associated with the remediation of the incident.
severity
Policy violation or incident severity valued between
0
and
5
.
incident_id
Unique ID number for the incident. Can be null (no value).
asset_id
Unique ID number for the asset associated with the remediation of the incident.
item_name
Name of the file, folder, or user associated with the remediation of the incident.
item_type
Values are
File
,
Folder
, or
User
.
item_owner
User who owns the asset associated with the remediation.
container_name
Value is the
bucketname
for AWS S3, Google Cloud Platform, and Microsoft Azure assets. The value is
null
for the remaining applications.
item_creator
User who created the asset associated with the remediation.
policy_rule_name
Names of one or more policy rules (not policy type) that were matched.
future_use
Not currently implemented.
action_taken
Remediation action taken on SaaS Security API. (
Admin Quarantine
,
User Quarantine
, or
Remove Public Links
).
action_taken_by
User who performed the remediation. For automated remediation, the value is
Aperture
.
item_creator_email
Email address of the item creator.
item_owner_email
Email address of the item owner.

Recommended For You