
V 2.0 : Proxy Web Logs

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Proxy Web Logs | Base Rule | General Proxy Information | Information |
| V 2.0 : Proxy Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0 : Proxy Traffic Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Timestamp | N/A | N/A | When this request was made in UTC. This is different than the Umbrella dashboard, which converts the time to your specified time zone. |
| Policy identity label | N/A | N/A | The identity that made the request. |
| Internal Client IP | <sip> | IP Address | The internal IP address of the computer making the request. |
| External Client IP | N/A | N/A | The egress IP address of the network where the request originated. |
| Destination IP | <dip> | IP Address | The destination IP address of the request. |
| Content Type | N/A | N/A | The type of web content, typically text/html. |
| URL | <url> | Text/String | The URL requested. |
| Referer | N/A | N/A | The referring domain or URL. |
| User Agent | <useragent> | Text/String | The browser agent that made the request. |
| Status Code | <responsecode> | Number | The HTTP status code; should always be 200 or 201. |
| Request Size (bytes) | <bytesout> | Number | Request size in bytes. |
| Response Size (bytes) | <bytesin> | Number | Response size in bytes. |
| Response Body Size (bytes) | N/A | N/A | Response body size in bytes. |
| Action | <action>, <tag1> | Text/String | Whether the request was allowed or blocked. |
| SHA—SHA256 | <hash> | Text/String | The hex digest of the response content. |
| Categories | <subject> | Text/String | The security categories for this request, such as Malware. |
| AV Detections | N/A | N/A | The detection name according to the antivirus engine used in file inspection. |
| PUAs | N/A | N/A | A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. |
| AMP Disposition | N/A | N/A | The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. |
| AMP Malware Name | <threatname> | Text/String | If Malicious, the name of the malware according to AMP. |
| AMP Score | N/A | N/A | The score of the malware from AMP. This field is not currently used and will be blank. |
| Policy Identity Type | N/A | N/A | The first identity type that made the request. For example, Roaming Computer, Network, and so on. |
| Blocked Categories | N/A | N/A | The category that resulted in the destination being blocked. Available in version 4 and above. |
| Identities | <object> | Text/String | All identities associated with this request. |
| Identity Types | <objecttype> | Text/String | The type of identities that were associated with the request. For example, Roaming Computer, Network, and so on. Available in version 5 and above. |
| Request Method | N/A | N/A | The request method (GET, POST, HEAD, etc.) |
| DLP Status | <status> | Text/String | If the request was Blocked for DLP. |
| Certificate Errors | N/A | N/A | Any certificate or protocol errors in the request. |
| File Name | N/A | N/A | The name of the file. |
| Ruleset ID | N/A | N/A | The ID number assigned to the ruleset by Umbrella. |
| Rule ID | N/A | N/A | The ID number assigned to the rule by Umbrella. |
| Destination List IDs | N/A | N/A | The ID number Umbrella assigns to a destination list. |