Skip to main content
Skip table of contents

Activity and Alert Events

Vendor Documentation


Rule Name

Rule Type


Common Event

Activity and Alert EventsBase RuleActivityGeneral Activity

Mapping with LogRhythm Schema

Device Key in Log MessageLogRhythm SchemaData TypeSchema Description
Device VendorN/AN/AN/A
Device ProductN/AN/AN/A
Device VersionN/AN/AN/A
Device Event Class IDN/AN/AA unique ID identifying the activity.
NameN/AN/AThe name of the action taken.
Severity<severity>NumberThe severity assigned with the Forcepoint CASB policy breached by the activity. If more than one policy was breached, the highest severity across these policies is displayed. This column is empty if no policy was breached.
6 = Info
7 = Low
8 = Medium
9 = High
10 = Critical
act<action>Text/StringThe mitigation action taken by Forcepoint CASB as a result of the policies breached by the activity.
appN/AN/AApplication level protocol (https, http, imap, etc).
catN/AN/AThe data object category (i.e., logical group based on the cloud service modules).
cs1<policy>Text/StringThe policy rules breached by the activity.
destinationServiceNameN/AN/AThe asset name assigned with the cloud service (e.g., My Office365).
deviceExternalIdN/AN/AThe endpoint client assigned ID.
deviceFacilityN/AN/AIf the IP address is external, this displays "True."
deviceProcessNameN/AN/AThe cloud service object accessed.
dprivN/AN/AA flag indicating if the user performing the activity is an administrator (Admin) or a user (User).
dst<dip>IP AddressThe IP address of the cloud service.
duser<account>Text/StringTarget user SAM account name.
endN/AN/AThe date the activity took place in Epoch.
externalId<session>Text/StringSession ID.
fsize<size>NumberFile size.
msgN/AN/ATitle / Department / sourceCountry / destCountry.
outcome<status>Text/StringThe activity status (Success / Failure / Unknown).
protoN/AN/AThe sub-service used (e.g., Outlook Web Access or SharePoint Online for Office 365).
reason<subject>Text/StringThe activity performed by the user (e.g., view page, delete file).
requestClientApplication<useragent>Text/StringEndpoint type / Endpoint OS / UserAgent.
rtN/AN/AActivity date in Epoch.
sourceServiceNameN/AN/AA flag indicating if the device used to access the service is “Managed” or “Unmanaged” by Forcepoint CASB.
src<sip>IP AddressThe source IP address for the activity.
startN/AN/AActivity date in Epoch.
suser<login>Text/StringSAM account name.
cs2N/AN/AThe data types detected in the activity.
cs3<objecttype>Text/StringThe type of the file related to the activity.
cs5N/AN/AA flag indicating whether the data detected in the activity is sensitive (TRUE) or not sensitive (FALSE).
cs6N/AN/AThe data types detected in the activity.
dprocN/AN/AAuthentication type.
record<object>Text/StringThe record type depends on the action type. For example, when the user action is File Upload, the record contains the file name.
cs4N/AN/AThe full name of the user. This data is retrieved from the Active Directory if integration is in place; otherwise it is empty.
duidN/AN/AThe activity's destination subject (e.g., the email destination, the person/group a file is shared with, the user account when an admin changes permissions)
fnameN/AN/AThe ID assigned to the data object.
oldFileNameN/AN/AThe activity subject (e.g., the email subject, chat message, or searched content).
cn1N/AN/AThe monetary value of the activity.
cn2N/AN/AThe impact score given to the activity by Forcepoint CASB.
oldFileIdN/AN/AGeneral properties relevant to the type of activity.
flexString2N/AN/AThe mitigation actions taken after the activity is detected (e.g., Remove sharing permissions).
AD.IPReputationCategoryN/AN/AIP reputation category name.
AD.TORNetworksN/AN/AThe IP addresses of the Tor networks detected in the activity.
AD.SuspiciousIPsN/AN/AThe suspicious IP addresses of the Tor networks detected in the activity.
AD.AnonymousProxiesN/AN/AThe anonymous proxy IP addresses of the Tor networks detected in the activity.
AD.IPChainN/AN/AThe IP chain of the client in the activity.
AD.IPOriginN/AN/AA flag indicating whether the endpoint client IP address is considered an external location (External) or an internal location (Internal). This is based on your organization's internal IP ranges settings. If the location cannot be determined, this flag displays "Unknown".
AD.samAccountNameN/AN/AAccount name.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.