V 2.0 : Cloud Firewall Logs

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| V 2.0 : Cloud Firewall Logs | Base Rule | General Network Traffic | Network Traffic |
| V 2.0 : Cloud Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0 : Cloud Traffic Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| Timestamp | N/A | N/A | The timestamp of the request transaction in UTC. |
| Origin IDs | N/A | N/A | The unique identity of the network tunnel. |
| Identities | <object> | Text/String | The names of the network tunnel. |
| Identity Type | <objecttype> | Text/String | The type of identity that made the request. Should always be "CDFW Tunnel Device". |
| Direction | N/A | N/A | The direction of the packet: either towards the internet or towards the customer's network. |
| Protocol | <protnum> | Number | The protocol of the traffic (TCP, UDP, or ICMP). |
| Packet Size | <size> | Number | The size of the packet that Umbrella CDFW received. |
| Source IP | <sip> | IP Address | The internal IP address of the user-generated traffic towards the CDFW. If the traffic passes through NAT before reaching the CDFW, this is the NAT IP address. |
| Source Port | <sport> | Number | The internal port number of the user-generated traffic towards the CDFW. |
| Destination IP | <dip> | IP Address | The destination IP address of the user-generated traffic towards the CDFW. |
| Destination Port | <dport> | Number | The destination port number of the user-generated traffic towards the CDFW. |
| Data Center | N/A | N/A | The name of the Umbrella data center that processed the user-generated traffic. |
| Rule ID | N/A | N/A | The ID of the rule that processed the user traffic. |
| Action | <action> <tag1> | Text/String | The categories that resulted in the destination being blocked. Available in version 4 and above. |
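As an added example (not part of the LogRhythm or Cisco documentation), a small Python parser that maps one CDFW record to the schema keys above and selects the matching sub rule from the Action value. It assumes one comma-separated record per line in the field order of the table, and assumes ALLOW and BLOCK as the action values; the sample records are constructed.

```python
import csv
import io
from ipaddress import ip_address

# Column order follows the field list in the mapping table (assumption: one
# comma-separated record per line).
CDFW_COLUMNS = [
    "Timestamp", "Origin IDs", "Identities", "Identity Type", "Direction",
    "Protocol", "Packet Size", "Source IP", "Source Port", "Destination IP",
    "Destination Port", "Data Center", "Rule ID", "Action",
]

# Device key -> LogRhythm schema field; keys listed as N/A are not mapped.
SCHEMA_MAP = {
    "Identities": "object", "Identity Type": "objecttype", "Protocol": "protnum",
    "Packet Size": "size", "Source IP": "sip", "Source Port": "sport",
    "Destination IP": "dip", "Destination Port": "dport", "Action": "action",
}

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers

def parse_cdfw_line(line):
    """Map one CDFW record to schema keys and pick the sub rule it should hit."""
    fields = next(csv.reader(io.StringIO(line)))
    if len(fields) != len(CDFW_COLUMNS):
        raise ValueError(f"expected {len(CDFW_COLUMNS)} fields, got {len(fields)}")
    raw = dict(zip(CDFW_COLUMNS, fields))
    event = {SCHEMA_MAP[key]: raw[key] for key in SCHEMA_MAP}
    # Fields typed as Number / IP Address in the schema are validated, so a
    # malformed record is rejected instead of silently producing a bad event.
    for key in ("protnum", "size", "sport", "dport"):
        event[key] = int(event[key])
    for key in ("sip", "dip"):
        ip_address(event[key])  # raises ValueError on a malformed address
    event["protocol_name"] = PROTOCOL_NAMES.get(event["protnum"], f"proto-{event['protnum']}")
    action = event["action"].strip().upper()  # assumption: ALLOW / BLOCK
    if action == "ALLOW":
        event["sub_rule"], event["common_event"] = "V 2.0 : Cloud Traffic Allowed", "Traffic Allowed by Network Firewall"
    elif action == "BLOCK":
        event["sub_rule"], event["common_event"] = "V 2.0 : Cloud Traffic Blocked", "Traffic Denied by Network Firewall"
    else:  # anything else falls through to the base rule
        event["sub_rule"], event["common_event"] = "V 2.0 : Cloud Firewall Logs", "General Network Traffic"
    return event

# Constructed sample records, not real Umbrella log data.
SAMPLE_LINES = [
    '"2024-01-15 10:02:33","[1234567]","Branch-Tunnel-1","CDFW Tunnel Device","OUTBOUND","6","60","10.0.0.25","51234","203.0.113.10","443","Frankfurt","7","ALLOW"',
    '"2024-01-15 10:02:35","[1234567]","Branch-Tunnel-1","CDFW Tunnel Device","OUTBOUND","17","512","10.0.0.31","40000","198.51.100.7","53","Frankfurt","12","BLOCK"',
]
```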