
V 2.0: Proxy Web Logs

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0: Proxy Web Logs | Base Rule | General Proxy Information | Information |
| V 2.0: Proxy Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0: Proxy Traffic Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Action | <action>, <tag1> | Text/String | Whether the request was allowed or blocked. |
| AMP Disposition | N/A | N/A | The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. |
| AMP Malware Name | <threatname> | Text/String | If Malicious, the name of the malware according to AMP. |
| AMP Score | N/A | N/A | The score of the malware from AMP. This field is not currently used and will be blank. |
| AV Detections | N/A | N/A | The detection name according to the antivirus engine used in file inspection. |
| Blocked Categories | N/A | N/A | The category that resulted in the destination being blocked. Available in version 4 and above. |
| Categories | <subject> | Text/String | The security categories for this request, such as Malware. |
| Certificate Errors | N/A | N/A | Any certificate or protocol errors in the request. |
| Content Type | N/A | N/A | The type of web content, typically text/html. |
| Destination IP | <dip> | IP Address | The destination IP address of the request. |
| Destination List IDs | N/A | N/A | The ID number Umbrella assigned to a destination list. |
| DLP Status | <status> | Text/String | If the request was Blocked for DLP. |
| External Client IP | N/A | N/A | The egress IP address of the network where the request originated. |
| File Name | N/A | N/A | The name of the file. |
| Identities | <object> | Text/String | All identities associated with this request. |
| Identity Types | <objecttype> | Text/String | The type of identities that were associated with the request. For example, Roaming Computer, Network, and so on. Available in version 5 and above. |
| Internal Client IP | <sip> | IP Address | The internal IP address of the computer making the request. |
| Policy Identity Label | <login> | Text/String | The identity that made the request. |
| Policy Identity Type | N/A | N/A | The first identity type that made the request. For example, Roaming Computer, Network, and so on. |
| PUAs | N/A | N/A | A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. |
| Referer | N/A | N/A | The referring domain or URL. |
| Request Method | N/A | N/A | The request method (GET, POST, HEAD, etc.). |
| Request Size (bytes) | <bytesout> | Number | Request size in bytes. |
| Response Body Size (bytes) | N/A | N/A | Response body size in bytes. |
| Response Size (bytes) | <bytesin> | Number | Response size in bytes. |
| Rule ID | N/A | N/A | The ID number assigned to the rule by Umbrella. |
| Ruleset ID | N/A | N/A | The ID number assigned to the ruleset by Umbrella. |
| SHA—SHA256 | <hash> | Text/String | The hex digest of the response content. |
| Status Code | <responsecode> | Number | The HTTP status code; should always be 200 or 201. |
| Timestamp | N/A | N/A | When this request was made in UTC. This is different from the Umbrella dashboard, which converts the time to your specified time zone. |
| URL | <url> | Text/String | The URL requested. |
| User Agent | <useragent> | Text/String | The browser agent that made the request. |