SSPM Syslog Field Descriptions

Learn about the different fields of each log type that SSPM can forward to an external server.
Where Can I Use This?
  • Strata Cloud Manager
What Do I Need?
  • SaaS Security Posture Management license
Or any of the following licenses that include the Data Security license:
  • CASB-X
  • CASB-PA
The following tables list the standard fields of each log type that SSPM can forward to an external server. To simplify parsing, the delimiter is a comma, and each field is a comma-separated value (CSV) string.

Config Scan Event Fields

SSPM generates a config scan event when a config scan detects that the status of an application setting has changed. For example, if the previous scan determined that the setting status was Passed, but the current scan determines the setting status is Failed, SSPM generates a config scan event.
Field Name
Description
type
The type of event. In this case, sspm_config_scan.
tenant_name
The name of the tenant where the SSPM instance is deployed.
event_date
The date and time that the event occurred. SSPM logs this information as a high-precision (6-digit milliseconds) timestamp, ending with the UTC offset. The timestamp format is YYYY-MM-DDTHH.MM.SS.ssssss+|-HH:MM. For example: 2024-01-11T11:19:46.360053-08:00.
policy_name
The name of the SSPM rule that maps to the application setting. For example, the Salesforce application setting "Block Redirect to Unknown URL" maps to the SSPM rule "Apps are configured to block redirects to unknown URLs to prevent phishing attacks".
policy_status
The status of the SSPM rule that maps to the application setting. For example, Passed or Failed.
category
The category of the SSPM rule that maps to the application setting. For example, Identity Access Management or Data Security.
setting_name
The name of the application setting. For example, Salesforce settings include "Email Domain Allowlist", "Make data protection details available in records", and "Referrer URL protection".
current_value
The current value of the application setting.
suggested_value
The value that Palo Alto Networks recommends for the application setting.
status
The status of the application setting, which SSPM determines during the config scan. For example, the status of an application setting might be Passed, Violation, or, if you turned monitoring off for the setting, Waived.
remediation_type
The remediation type, which indicates whether automated remediation is available for the setting. This field contains one of the following values:
  • SYSTEM — Indicates that automated remediation is available. When automated remediation is available, the user can resolve a misconfiguration with one click of a button. SSPM uses the application's API to change the setting to the recommended value.
  • MANUAL — Automated remediation is not available.
cloud_app_instance
The name of the application instance in SSPM.
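
The following parser is an added example, not Palo Alto Networks code. It maps a config scan payload to the field names above, normalizes event_date to UTC, and picks out violations that have no automated remediation. It assumes that fields arrive in the order the table lists them, that values containing commas are quoted as in standard CSV, and that the syslog header has already been stripped; the sample lines, tenant name, and instance name are constructed, and the timestamp follows the form of the example shown above.

```python
import csv
from datetime import datetime, timezone

# Assumption: fields arrive in the order the table lists them.
CONFIG_SCAN_FIELDS = [
    "type", "tenant_name", "event_date", "policy_name", "policy_status",
    "category", "setting_name", "current_value", "suggested_value",
    "status", "remediation_type", "cloud_app_instance",
]

# Constructed sample payloads (syslog header already stripped).
SAMPLE = [
    "sspm_config_scan,example-tenant,2024-01-11T11:19:46.360053-08:00,"
    "Apps are configured to block redirects to unknown URLs to prevent "
    "phishing attacks,Failed,Constructed Category,"
    "Block Redirect to Unknown URL,Disabled,Enabled,Violation,SYSTEM,sfdc-prod",
    "sspm_config_scan,example-tenant,2024-01-11T11:19:46.360053-08:00,"
    "Constructed rule,Failed,Data Security,Email Domain Allowlist,"
    '"example.com,example.org",example.com,Violation,MANUAL,sfdc-prod',
    "sspm_config_scan,example-tenant,not-a-timestamp,truncated record",
]

def parse_config_scan(line):
    """Return the record as a dict, or None if it is malformed."""
    row = next(csv.reader([line]), [])  # csv handles quoted commas
    if len(row) != len(CONFIG_SCAN_FIELDS) or row[0] != "sspm_config_scan":
        return None
    event = dict(zip(CONFIG_SCAN_FIELDS, row))
    try:
        ts = datetime.fromisoformat(event["event_date"])
    except ValueError:
        return None
    if ts.tzinfo is None:  # the documented form always carries a UTC offset
        return None
    event["event_date_utc"] = ts.astimezone(timezone.utc)
    return event

def triage(lines):
    """Return (violations needing manual remediation, rejected line count)."""
    manual, rejected = [], 0
    for line in lines:
        event = parse_config_scan(line)
        if event is None:
            rejected += 1
        elif event["status"] == "Violation" and event["remediation_type"] == "MANUAL":
            manual.append(event)
    return manual, rejected

if __name__ == "__main__":
    manual, rejected = triage(SAMPLE)
    for e in manual:
        print(e["event_date_utc"].isoformat(), e["cloud_app_instance"], e["setting_name"])
    print("rejected:", rejected)
```

Counting rejected lines separately keeps truncated or reordered records visible instead of silently dropping them from posture reporting.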

Third-Party Plugin Scan Event Fields

SSPM generates a third-party plugin scan event when a third-party plugin scan of an application completes.
Field Name
Description
type
The type of event. In this case, sspm_supplychain_scan.
tenant_name
The name of the tenant where the SSPM instance is deployed.
event_date
The date and time that the event occurred. SSPM logs this information as a high-precision (6-digit milliseconds) timestamp, ending with the UTC offset. The timestamp format is YYYY-MM-DDTHH.MM.SS.ssssss+|-HH:MM. For example: 2024-01-11T11:19:46.360053-08:00.
app_name
The name of the application instance in SSPM. This is the instance of the hosting application that SSPM scanned for connected third-party plugins.
app_type
The type of hosting application that SSPM scanned for connected third-party plugins. For example, Google Workspace, Salesforce, or ServiceNow.
third_party_app_scan_events
A list of third_party_app_scan_event structures, which describe the third-party plugins. See the following table, which describes the fields of a third_party_app_scan_event structure. The maximum size of this list is 200.
third_party_app_scan_event Structure Fields
Field Name
Description
third_party_app_id
The ID of the third-party plugin.
third_party_app_name
The name of the third-party application that was installed as a plugin to the hosting application.
type
The level at which the third-party plugin was installed. Possible values include PRODUCT, ORGANIZATION, WORKSPACE, and USER.
status
The review status of the third-party plugin. Possible values include Not Reviewed, Reviewed, Revoked, and Revoke In-Progress.
active_users
The number of active users of the third-party plugin.
users_revoked
The number of users who previously had access to the third-party plugin, but who had their access revoked by an administrator.
scopes
The number of application scopes to which the connected third-party plugin has permission.
scope_names
A list of the application scopes to which the connected third-party plugin has permission.
risk
The risk severity of the third-party plugin, which is based on the application scopes to which the plugin has permission. Possible values include High, Medium, and Low.
status_updated_timestamp
The date and time that the third-party plugin's status was updated. SSPM logs this information as a high-precision (6-digit milliseconds) timestamp, ending with the UTC offset. The timestamp format is YYYY-MM-DDTHH.MM.SS.ssssss+|-HH:MM. For example: 2024-01-11T11:19:46.360053-08:00.