Vendor Documentation
Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0: Proxy Web Logs | Base Rule | General Proxy Information | Information |
| V 2.0: Proxy Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0: Proxy Traffic Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Action | <action> | Text/String | Whether the request was allowed or blocked. |
| AMP Disposition | N/A | N/A | The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. |
| AMP Malware Name | <threatname> | Text/String | If Malicious, the name of the malware according to AMP. |
| AMP Score | N/A | N/A | The score of the malware from AMP. This field is not currently used and will be blank. |
| AV Detections | N/A | N/A | The detection name according to the antivirus engine used in file inspection. |
| Blocked Categories | N/A | N/A | The category that resulted in the destination being blocked. Available in version 4 and above. |
| Categories | <subject> | Text/String | The security categories for this request, such as Malware. |
| Certificate Errors | N/A | N/A | Any certificate or protocol errors in the request. |
| Content Type | N/A | N/A | The type of web content, typically text/html. |
| Destination IP | <dip> | IP Address | The destination IP address of the request. |
| Destination List IDs | N/A | N/A | The ID number Umbrella assigns to a destination list. |
| DLP Status | <status> | Text/String | Whether the request was Blocked for DLP. |
| External Client IP | N/A | N/A | The egress IP address of the network where the request originated. |
| File Name | N/A | N/A | The name of the file. |
| Identities | <object> | Text/String | All identities associated with this request. |
| Identity Types | <objecttype> | Text/String | The type of identities that were associated with the request. For example, Roaming Computer, Network, and so on. Available in version 5 and above. |
| Internal Client IP | <sip> | IP Address | The internal IP address of the computer making the request. |
| Policy identity label | <login> | Text/String | The identity that made the request. |
| Policy Identity Type | N/A | N/A | The first identity type that made the request. For example, Roaming Computer, Network, and so on. |
| PUAs | N/A | N/A | A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. |
| Referer | N/A | N/A | The referring domain or URL. |
| Request Method | N/A | N/A | The request method (GET, POST, HEAD, etc.). |
| Request Size (bytes) | <bytesout> | Number | Request size in bytes. |
| Response Body Size (bytes) | N/A | N/A | Response body size in bytes. |
| Response Size (bytes) | <bytesin> | Number | Response size in bytes. |
| Rule ID | N/A | N/A | The ID number assigned to the rule by Umbrella. |
| Ruleset ID | N/A | N/A | The ID number assigned to the ruleset by Umbrella. |
| SHA-SHA256 | <hash> | Text/String | The SHA-256 hex digest of the response content. |
| Status Code | <responsecode> | Number | The HTTP status code; should always be 200 or 201. |
| Timestamp | N/A | N/A | When this request was made, in UTC. This is different from the Umbrella dashboard, which converts the time to your specified time zone. |
| URL | <url> | Text/String | The URL requested. |
| User Agent | <useragent> | Text/String | The browser agent that made the request. |
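The following is an added example, not LogRhythm or Cisco code, showing how the mapping table above is applied to raw proxy log rows: each mapped device key is renamed to its LogRhythm schema field, values are coerced to the table's data type (IP Address, Number) with a sanity check on the SHA-256 hash, and the <action> value selects the V 2.0 sub rule and classification. The CSV sample is constructed for this example and carries a header row so columns can be looked up by name; it is an assumption here that your exported Umbrella files have no header, in which case the column order must come from the Cisco field list for your log version.

```python
"""Apply the Umbrella proxy log -> LogRhythm schema mapping and derive the
V 2.0 rule classification. Added example; sample input is constructed."""
import csv
import io
import ipaddress

# Device key -> (LogRhythm schema field, data type), from the mapping table.
# Keys marked N/A in the table are not mapped and are kept under 'unmapped'.
FIELD_MAP = {
    "Action": ("action", "string"),
    "AMP Malware Name": ("threatname", "string"),
    "Categories": ("subject", "string"),
    "Destination IP": ("dip", "ip"),
    "DLP Status": ("status", "string"),
    "Identities": ("object", "string"),
    "Identity Types": ("objecttype", "string"),
    "Internal Client IP": ("sip", "ip"),
    "Policy identity label": ("login", "string"),
    "Request Size (bytes)": ("bytesout", "number"),
    "Response Size (bytes)": ("bytesin", "number"),
    "SHA-SHA256": ("hash", "sha256"),
    "Status Code": ("responsecode", "number"),
    "URL": ("url", "string"),
    "User Agent": ("useragent", "string"),
}


def coerce(value, dtype):
    """Convert a CSV cell to the schema data type; empty cells become None."""
    if value == "":
        return None
    if dtype == "number":
        return int(value)
    if dtype == "ip":
        return str(ipaddress.ip_address(value))  # ValueError on malformed input
    if dtype == "sha256":
        if len(value) != 64 or any(c not in "0123456789abcdefABCDEF" for c in value):
            raise ValueError(f"not a SHA-256 hex digest: {value!r}")
        return value.lower()
    return value


def classify(action):
    """Pick the sub rule from <action>; anything else falls back to the base rule."""
    a = (action or "").strip().upper()
    if a == "ALLOWED":
        return ("V 2.0: Proxy Traffic Allowed", "Traffic Allowed by Network Firewall", "Network Allow")
    if a == "BLOCKED":
        return ("V 2.0: Proxy Traffic Blocked", "Traffic Denied by Network Firewall", "Network Deny")
    return ("V 2.0: Proxy Web Logs", "General Proxy Information", "Information")


def map_row(row):
    """Rename one parsed CSV row into schema fields and attach the classification."""
    mapped, unmapped = {}, {}
    for key, value in row.items():
        if key in FIELD_MAP:
            schema, dtype = FIELD_MAP[key]
            mapped[schema] = coerce(value, dtype)
        else:
            unmapped[key] = value
    rule, common_event, classification = classify(mapped.get("action"))
    return {"rule": rule, "common_event": common_event,
            "classification": classification, "fields": mapped, "unmapped": unmapped}


def parse_log(text):
    """Parse header-bearing CSV text (constructed format) into mapped events."""
    return [map_row(r) for r in csv.DictReader(io.StringIO(text))]


# Constructed sample: one allowed page load, one blocked download flagged by AMP.
SAMPLE = (
    "Timestamp,Policy identity label,Internal Client IP,External Client IP,Destination IP,"
    "Content Type,Action,URL,Referer,User Agent,Status Code,Request Size (bytes),"
    "Response Size (bytes),Response Body Size (bytes),SHA-SHA256,Categories,AV Detections,"
    "PUAs,AMP Disposition,AMP Malware Name,AMP Score,Identity Types,Blocked Categories,"
    "Identities,DLP Status\n"
    '"2024-01-15 10:23:45","Roaming PC-01","10.1.2.3","203.0.113.10","198.51.100.7",'
    '"text/html","ALLOWED","https://example.com/index.html","","Mozilla/5.0","200","512",'
    '"4096","3900","","Search Engines,News","","","","","","Roaming Computer","",'
    '"Roaming PC-01",""\n'
    '"2024-01-15 10:24:01","Roaming PC-01","10.1.2.3","203.0.113.10","198.51.100.9",'
    '"application/octet-stream","BLOCKED","https://malware.example/payload.exe","",'
    '"curl/8.0","200","300","0","0",'
    '"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","Malware",'
    '"Trojan.GenericKD","","Malicious","W32.Generic","","Roaming Computer","Malware",'
    '"Roaming PC-01",""\n'
)

if __name__ == "__main__":
    for event in parse_log(SAMPLE):
        print(event["classification"], event["fields"]["login"], event["fields"]["url"])
```

The quoted "Search Engines,News" cell is the reason to use a real CSV parser rather than splitting on commas; Umbrella lists multiple categories and identities inside one field. Fields the table marks N/A (AMP Disposition, Blocked Categories, External Client IP) are not dropped but parked under `unmapped`, so they stay available if you later extend the parser.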