Skip to main content
Skip table of contents

V 2.0 : Forcepoint Secure Web Gateway Event

Vendor Documentation


Rule NameRule TypeCommon EventClassification
V 2.0 Forcepoint Secure Web Gateway EventBase RuleGateway MessageInformation

Mapping with LogRhythm Schema

Device Key in Log Message

LogRhythm Schema

Data Type

Schema Description

productVersion<version>Text/StringN/Web protection product version, as determined by Multiplexer (for example, 8.2.0)
categoryNumberN/AN/AInteger representing the category assigned to the URL.
TransactionN/AN/APermitted or Blocked, based on the value of dispositionNumber.
severity<severity>Number1 if permitted, 7 if blocked
This severity entry does not relate to the severity levels assigned to incidents that appear on the Threats dashboard in Security Manager.
app<protname>Text/StringProtocol (The protocol name (custom or defined in the URL Database))
dvcN/AN/AsourceServer (IP address (in integer format) of the server that originated the message, either Content Gateway or Network Agent)
dst<dip>IP AddressDestination (Translated IPv4 or IPv6 address of the destination machine)
(resolved by DNS from the requested URL).
dhost<domainorigin>Text/StringurlHost (Host (domain) portion of the requested URL)
dpt<dport> NumberclientDestinationPort (Destination port of client connection; e.g., 8080 with Content Gateway explicit proxy)
src<sip>IP Addresssource (IPv4 or IPv6 address of the client (requesting) machine)
spt<sport>NumberclientSourcePort (Source port of the client connection)
suserN/AN/AuserPath (Contains NameSpace, Domain, and UserName information for the user to whom the policy was applied.)
loginID<login>Text/StringloginID (Login ID of the user to whom the policy was applied.) (Output can now be configured to replace the full LDAP user path with domain/userID.)
destinationTranslatedPort<snatport>NumberproxySourcePort (Source port of proxy-server connection)
rtN/AN/ATime (A positive, long number representing the number of seconds (v8.5) or milliseconds (v8.5.3) since midnight Jan. 1, 1970)
in<bytesin>NumberbytesReceived (Bytes received in response to the request)
out<bytesout>NumberbytesSent (Bytes sent as part of the request)
requestMethod<command>Text/Stringmethod (Method associated with the request (for example, GET, POST, PUT, and so on))
requestClientApplication<useragent>Text/StringuserAgent (Contents of the User-Agent HTTP header, if present)
reason<reason>Text/StringscanReasonString (Scanning analytic result, if any; the string might look like: 0-1404-Threat.Malicious.Web.RealTime.)
cs1<policy>Text/StringpolicyNames (The name of the policy or policies that could be applied to the request. (Multiple policies may be found, for example, for a user who belongs to multiple groups.))
cs2N/A N/AdynamicCategory (If non-zero, the category determined by real-time content analysis (e.g., Real-Time Security Scanning, Advanced File Analysis, etc.))
cs3<objecttype>Text/StringcontentType (The Content Type value from the request header (for example, image/gif))
cn1<responsecode>NumberdispositionNumber (The numeric code associated with the action (e.g., category permitted, file type blocked) applied to the request)
cn2<milliseconds>NumberscanDuration (If Content Gateway analysis was performed, how long it took (milliseconds))
request<url>Text/Stringurl (Full requested URL. Does not include protocol or port.)
logRecordSourceN/AN/AlogRecordSource (The source of the log record. (Hybrid or on-premises (OnPrem)))
fileName<objectname>Text/StringThe name of the file associated with the request.
fileTypeCode<object>Text/StringThe file type associated with the request.
ccaResultAttr<processid>NumberAn ID from scanning results indicating which scanning process was used.
cloudAppIdN/AN/AAn internal ID assigned to the cloud application.
cloudAppNameN/AN/AName of the requested cloud application.
cloudAppRiskLevelN/AN/ARisk level (high, medium, or low) assigned to the cloud application.
cloudAppTypeN/AN/AType of cloud application requested (for example, Finance).
contentStrippedN/AN/AWhen Content Gateway content stripping is enabled, a threebit map of the content that was removed.
Bit 0 indicates ActiveX
Bit 1 indicates JavaScript
Bit 2 indicates VBScript
For example, “000” indicates that no content was stripped.
On the other hand, “010” indicates only JavaScript is stripped, while “111” indicates that ActiveX, JavaScript, and VBScript data are all stripped.
customerIdN/AN/AID provided to each customer who purchases the Forcepoint Web Security Hybrid Module. (hybrid data)
DSSexternalIncidentID<threatid>Text/String/NumberThe Forcepoint DLP ID number associated with an incident in the forensics repository.
DSStimeStampN/AN/AThe Forcepoint DLP timestamp for the forensic data.
keywordN/AN/AKeyword used to block a request. Empty if the request was not blocked by keyword.
networkDirectionN/AN/AInbound (0) or outbound (1)
protocolId<protnum>Text/StringSigned protocol identifier. A negative number indicates a custom protocol.
protocolVersionN/AN/AHTTP Version (Byte.Byte)
proxySourceAddressN/AN/AThe IP address of the proxy (on-premises data) or the SIEMConnector IP address (hybrid data).
proxyStatusCodeN/AN/AProxy HTTP response code.
refererUrlN/AN/AURL of the referer site associated with the request.
requestCount<quantity>NumberThe number of requests to a given site.
roleIdN/AN/AA number associated with the delegated administration role in which the policy applied to the request was created. The identifier for the Super Administrator role is 8.
serverStatusCodeN/AN/AOrigin server HTTP response code.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.