Secure Access Activity Data

act

-

The action

application

-

The name of the requested application

authType

-

The authentication method

clientIp

The endpoint IP

clientProtocol

-

The client protocol

clientTls

-

The transport layer security of the client

cloudAppCat

-

The category of the event in Cloud Reputation Service

companyName

-

The company name

contentEncoding

-

The content encoding of the request or the response

detectionType

-

The traffic detection type

deviceGUID

-

The non-endpoint object such as a network appliance

dpt

The service destination port of the private application server (dstport)

dst

The destination IP (dstaddr)

duration

-

The time it took the scanner to complete the scan (in milliseconds)

e2eLatency

-

The end-to-end traffic latency time (in milliseconds)

endpointGuid

The device GUID

endpointHostName

The hostname of the device on which the event was detected

eventName

-

The name of the log event

eventSubName

-

The Zero Trust Secure Access - Internet Access cloud app action or the Palo Alto Networks firewall log sub-type

eventTime

-

The time the agent or product detected the event

failedHTTPSInspection

-

Whether the HTTPS traffic inspection failed

fileHash

The SHA-1 of the file that violated the policy

fileHashSha256

The SHA-256 of the file that violated the policy

fileName

The name of the file that violated the policy

fileSize

-

The size of the file that is violating the policy

fileType

-

The type of file which is violating the policy

filterRiskLevel

-

The top-level risk level of the event

groupId

-

The group ID for the management scope filter

isPrivateApp

-

Whether the requested application is private

isRetroScan

-

Whether the event matches the Security Analytics Engine filter

logReceivedTime

-

The time when the XDR log was received

malName

-

The name of the detected malware

-

mimeType

-

The MIME type or content type of the response body

objectId

-

The UUID of the Zero Trust Secure Access private access application

originEventSourceType

-

The source type of the original event which matches the Security Analytics Engine filter

originUUID

-

The UUID of the original event which matches the Security Analytics Engine filter

osName

-

The host OS name

pname

-

The product name

policyTemplate

-

The Data Loss Prevention template name

policyTreePath

-

The policy tree path (endpoint only)

policyUuid

-

The policy UUID

principalName

The User Principal Name

productCode

-

The internal product code

profile

-

The name of the triggered Threat Protection template or Data Loss Prevention profile

-

pver

-

The product version

request

The destination URL that the user is accessing

requestBase

The URL domain

requestMethod

-

The network protocol request method

requestMimeType

-

The type of request content

requestSize

-

The request length

responseSize

-

The response length

ruleName

-

The name of the triggered cloud access rule

ruleUuid

-

The risk assessment and control design that is defined by Zero Trust Secure Access risk control rules

sender

-

The Zero Trust Internet Access gateway location

serverProtocol

-

The version of the HTTP protocol between the Service Gateway and server/website

serverRespTime

-

The time the server took to respond to the request (in milliseconds)

serverTls

-

The TLS version between the Service Gateway and server/website

sessionEnd

-

The session end time (in seconds)

sessionStart

-

The session start time (in seconds)

spt

The virtual source port assigned to the Secure Access Module (srcport)

src

The source IP (srcaddr)

suid

The user name or IP address (IPv4)

tags

The detected technique ID based on the alert filter

tlsJA3Fingerprint

-

The JA3 fingerprint

-

trafficType

-

The Zero Trust Internet Access gateway service mode

userDepartment

-

The user department request method

userDomain

The Microsoft Entra ID domain or the domain of the Trend Micro Anti-Spam administrator portal user name

uuid

-

The unique key of the log