Remote Browser Isolation

See the following for information related to supported log formats:
REMOTE BROWSER ISOLATION Field
(Display Name)
Description
action.value
(ACTION)
Action taken by Remote Browser Isolation. Possible values:
  • Allow
  • Deny
CEF field name: Action
EMAIL field name: Action
HTTPS field name: Action
LEEF field name: Action
bh_name
(BH NAME)
The name of the browser host.
CEF field name: BHName
EMAIL field name: BHName
HTTPS field name: BHName
LEEF field name: BHName
browser_type
(BROWSER TYPE)
Browser details.
CEF field name: BrowserType
EMAIL field name: BrowserType
HTTPS field name: BrowserType
LEEF field name: BrowserType
client_id
(CLIENT ID)
The session or client ID. Uniquely identifies the user and browser.
CEF field name: ClientId
EMAIL field name: ClientId
HTTPS field name: ClientId
LEEF field name: ClientId
client_ip.value
(CLIENT IP)
Public IP address of the session.
CEF field name: ClientIP
EMAIL field name: ClientIP
HTTPS field name: ClientIP
LEEF field name: ClientIP
connected_duration
(SESSION DURATION)
Session duration in seconds.
CEF field name: SessionDuration
EMAIL field name: SessionDuration
HTTPS field name: SessionDuration
LEEF field name: SessionDuration
customer_id
(CORTEX DATA LAKE TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
CEF field name: CortexDataLakeTenantID
EMAIL field name: CortexDataLakeTenantID
HTTPS field name: CortexDataLakeTenantID
LEEF field name: CortexDataLakeTenantID
data_size
(DATA SIZE)
Value depends on the event_sub_type:
  • If event_sub_type is UPLOAD or DOWNLOAD, then data_size is the size of the file being uploaded or downloaded.
  • If event_sub_type is COPY or PASTE, then data_size is the size of the data being copied or pasted.
CEF field name: DataSize
EMAIL field name: DataSize
HTTPS field name: DataSize
LEEF field name: DataSize
disconnect_reason.value
(DISCONNECT REASON)
Disconnect reason upon the end of a session. Possible values:
  • USER_INIT - The user ended the session.
  • SYS_INIT - The system ended the session.
  • IDLE - The session timed out.
  • OTHER - Other reason.
CEF field name: DisconnectReason
EMAIL field name: DisconnectReason
HTTPS field name: DisconnectReason
LEEF field name: DisconnectReason
edge_location
(EDGE LOCATION)
Name of the edge location region.
CEF field name: EdgeLocation
EMAIL field name: EdgeLocation
HTTPS field name: EdgeLocation
LEEF field name: EdgeLocation
event_severity.value
(EVENT SEVERITY)
Severity of the event. Possible values are INFO or WARN.
CEF field name: EventSeverity
EMAIL field name: EventSeverity
HTTPS field name: EventSeverity
LEEF field name: EventSeverity
event_sub_type.value
(EVENT SUBTYPE)
Subtype of the event. The possible values depend on the event_type.
event_type = POLICY:
  • COPY
  • PASTE
  • PRINT
  • UPLOAD
  • DOWNLOAD
  • KEYB (Keyboard)
  • VII (View in Isolation)
event_type = SESSION:
  • START
  • STOP
event_type = AUTH:
  • SUCCESS
  • FAIL
event_type = ISSUE:
  • OTHER
  • ACCESS
  • PERFORM
  • AV
These event subtypes correspond to the security controls in the isolation profiles.
CEF field name: EventSubType
EMAIL field name: EventSubType
HTTPS field name: EventSubType
LEEF field name: EventSubType
event_type.value
(EVENT TYPE)
Event type. Possible values:
  • SESSION - A browser event. For example, a user started or ended an isolated browsing session.
  • POLICY - A policy event.
  • AUTH - An authentication event.
  • ISSUE
CEF field name: EventType
EMAIL field name: EventType
HTTPS field name: EventType
LEEF field name: EventType
file_name
(FILE NAME)
The names of files being uploaded or downloaded.
CEF field name: FileName
EMAIL field name: FileName
HTTPS field name: FileName
LEEF field name: FileName
issue_details
(ISSUE DETAILS)
User-reported issue details.
CEF field name: IssueDetails
EMAIL field name: IssueDetails
HTTPS field name: IssueDetails
LEEF field name: IssueDetails
log_source
(LOG SOURCE)
Identifies the origin of the data. That is, the system that produced the data.
CEF field name: LogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource
log_source_group_id
(LOG SOURCE GROUP ID)
ID that uniquely identifies the logSourceGroupId of the log. That is, the log_source_id of the group.
CEF field name: LogSourceGroupID
EMAIL field name: LogSourceGroupID
HTTPS field name: LogSourceGroupID
LEEF field name: LogSourceGroupID
log_source_id
(DEVICE SN)
ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
If the log is generated by Prisma Access, the serial number is not displayed.
CEF field name: DeviceSN
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN
log_source_name
(DEVICE NAME)
Name of the source of the log.
CEF field name: DeviceName
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName
log_time
(TIME RECEIVED)
Time the log was received in Strata Logging Service. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
CEF field name: TimeReceived
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived
log_type.value
(LOG TYPE)
Identifies the log type.
CEF field name: LogType
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: LogType
os_type
(OS TYPE)
User's OS type.
CEF field name: OSType
EMAIL field name: OSType
HTTPS field name: OSType
LEEF field name: OSType
platform_type
(PLATFORMTYPE)
The platform type (Valid types are PRISMA_ACCESS, CNGFW, VM, HWFW).
CEF field name: PlatformType
EMAIL field name: PlatformType
HTTPS field name: PlatformType
LEEF field name: PlatformType
sub_type.value
(SUB TYPE)
Identifies the log subtype.
CEF field name: SubType
EMAIL field name: SubType
HTTPS field name: SubType
LEEF field name: SubType
time_generated
(TIME GENERATED)
Time when the log was generated on the source. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
CEF field name: TimeGenerated
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: TimeGenerated
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
Time the log was generated in the data plane, with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
url
(URL)
URL where the isolation policy was applied. Populated only when event_type = POLICY.
CEF field name: URL
EMAIL field name: URL
HTTPS field name: URL
LEEF field name: URL
user_id
(SOURCE USER)
User name.
CEF field name: SourceUser
EMAIL field name: SourceUser
HTTPS field name: SourceUser
LEEF field name: SourceUser
vendor_name
(VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: VendorName
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: VendorName
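
Added example (not part of the original documentation): a small triage routine that checks each record's event_sub_type against the event_type table above, converts the microsecond timestamp, and flags denied data-movement policy events and authentication failures. It assumes records arrive as flat JSON objects keyed by the HTTPS field names; the function names and sample records are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Allowed event_sub_type values per event_type, as listed in the table above.
SUBTYPES = {
    "POLICY": {"COPY", "PASTE", "PRINT", "UPLOAD", "DOWNLOAD", "KEYB", "VII"},
    "SESSION": {"START", "STOP"},
    "AUTH": {"SUCCESS", "FAIL"},
    "ISSUE": {"OTHER", "ACCESS", "PERFORM", "AV"},
}
DATA_MOVEMENT = {"COPY", "PASTE", "UPLOAD", "DOWNLOAD"}  # subtypes that set DataSize

def from_epoch_us(value):
    """TimeGenerated/TimeReceived: string of microseconds since the Unix epoch."""
    us = int(value)
    return datetime.fromtimestamp(us // 1_000_000, tz=timezone.utc).replace(microsecond=us % 1_000_000)

def triage(record):
    """Return (normalized_event, findings) for one RBI log record (hypothetical helper)."""
    etype, sub = record.get("EventType"), record.get("EventSubType")
    findings = []
    if sub not in SUBTYPES.get(etype, set()):
        findings.append(f"schema: {sub!r} is not a documented subtype of {etype!r}")
    event = {
        "time": from_epoch_us(record["TimeGenerated"]),
        "user": record.get("SourceUser"),
        "type": etype, "subtype": sub,
        "action": record.get("Action"),
        "url": record.get("URL") if etype == "POLICY" else None,  # URL is POLICY-only
        "bytes": int(record["DataSize"]) if sub in DATA_MOVEMENT and record.get("DataSize") else None,
    }
    if etype == "POLICY" and sub in DATA_MOVEMENT and event["action"] == "Deny":
        findings.append(f"policy: denied {sub} by {event['user']} at {event['url']}")
    if etype == "AUTH" and sub == "FAIL":
        findings.append(f"auth: failed authentication for {event['user']}")
    return event, findings

# Constructed sample records (not real log output); JSON envelope is an assumption.
SAMPLE = """
{"EventType":"POLICY","EventSubType":"UPLOAD","Action":"Deny","SourceUser":"alice@example.com","URL":"https://files.example.net/up","FileName":"q3.xlsx","DataSize":"52431","TimeGenerated":"1700000000123456"}
{"EventType":"AUTH","EventSubType":"FAIL","SourceUser":"bob@example.com","TimeGenerated":"1700000005000000"}
{"EventType":"SESSION","EventSubType":"UPLOAD","Action":"Allow","SourceUser":"carol@example.com","TimeGenerated":"1700000009000000"}
"""

def run_sample():
    return [triage(json.loads(line)) for line in SAMPLE.strip().splitlines()]

if __name__ == "__main__":
    for event, findings in run_sample():
        print(event["time"].isoformat(), event["type"], event["subtype"], findings)
```

The third sample record pairs SESSION with UPLOAD on purpose, to show a record that does not match the documented type/subtype table being surfaced instead of silently indexed.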