Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Action | <action> <tag1> | Text/String | Whether the request was allowed or blocked. |
AMP Disposition | N/A | N/A | The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. |
AMP Malware Name | <threatname> | Text/String | If Malicious, the name of the malware according to AMP. |
AMP Score | N/A | N/A | The score of the malware from AMP. This field is not currently used and will be blank. |
AV Detections | N/A | N/A | The detection name according to the antivirus engine used in file inspection. |
Blocked Categories | N/A | N/A | The category that resulted in the destination being blocked. Available in version 4 and above. |
Categories | <subject> | Text/String | The security categories for this request, such as Malware. |
Certificate Errors | N/A | N/A | Any certificate or protocol errors in the request. |
Content Type | N/A | N/A | The type of web content, typically text/html. |
Destination IP | <dip> | IP Address | The destination IP address of the request. |
Destination List IDs | N/A | N/A | The ID number Umbrella assigned to a destination list. |
DLP Status | <status> | Text/String | Whether the request was Blocked for DLP. |
External Client IP | N/A | N/A | The egress IP address of the network where the request originated. |
File Name | N/A | N/A | The name of the file. |
Identities | <object> | Text/String | All identities associated with this request. |
Identity Types | <objecttype> | Text/String | The type of identities that were associated with the request. For example, Roaming Computer, Network, and so on. Available in version 5 and above. |
Internal Client IP | <sip> | IP Address | The internal IP address of the computer making the request. |
Policy identity label | <login> | Text/String | The identity that made the request. |
Policy Identity Type | N/A | N/A | The first identity type that made the request. For example, Roaming Computer, Network, and so on. |
PUAs | N/A | N/A | A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. |
Referer | N/A | N/A | The referring domain or URL. |
Request Method | N/A | N/A | The request method (GET, POST, HEAD, etc.). |
Request Size (bytes) | <bytesout> | Number | Request size in bytes. |
Response Body Size (bytes) | N/A | N/A | Response body size in bytes. |
Response Size (bytes) | <bytesin> | Number | Response size in bytes. |
Rule ID | N/A | N/A | The ID number assigned to the rule by Umbrella. |
Ruleset ID | N/A | N/A | The ID number assigned to the ruleset by Umbrella. |
SHA—SHA256 | <hash> | Text/String | The hex digest of the response content. |
Status Code | <responsecode> | Number | The HTTP status code; should always be 200 or 201. |
Timestamp | N/A | N/A | When this request was made in UTC. This is different from the Umbrella dashboard, which converts the time to your specified time zone. |
URL | <url> | Text/String | The URL requested. |
User Agent | <useragent> | Text/String | The browser agent that made the request. |