Netskope

Netskope is a cloud security platform that identifies a variety of events related to cloud service usage and malware events.

SIEM (InsightIDR) supports the following alert and event types from Netskope:

  • Alert
  • Application events
  • Network events
  • Page events
  • Transaction events
ℹ️

Incidents and Endpoint events not supported

SIEM (InsightIDR) does not currently support parsing for Incidents or Endpoint event types from Netskope. Support for these event types is planned for a future release.

To set up Netskope:

  1. Review Before you begin and note any requirements.
  2. Configure Netskope to send data to SIEM (InsightIDR).
  3. Configure SIEM (InsightIDR) to collect data from the event source.
  4. Complete the event source configuration in AWS CloudFormation.
  5. Verify the configuration.

Before you begin

Make sure the following prerequisites are in place before configuring the event source:

  • You have recorded your Rapid7 organization API key.
  • You have the necessary AWS permissions to create IAM roles.
  • You have an existing Amazon S3 bucket in your AWS environment. The bucket must reside in the same AWS region as your Rapid7 tenant.
    • See Amazon’s documentation on creating an S3 bucket.
    • To find your AWS region:
      • Multi-org users: Open the Org Switcher in the top-left corner of the Command Platform navigation bar. From the dropdown, locate your current organization. The AWS region for that organization is displayed next to the organization name.
      • Single-org users: Ask your Platform Administrator to provide your AWS region.

Netskope’s integration with SIEM (InsightIDR) is enabled by Cloud Log Shipper, which pulls logs from Netskope’s APIs and forwards them to SIEM (InsightIDR) using Syslog, in CEF format. To configure this event source, you will need to contact the Netskope account team to get Cloud Log Shipper.

Configure Netskope to send data to SIEM (InsightIDR)

Before you configure the Netskope event source in SIEM (InsightIDR), you must configure log streaming in Netskope. Proper configuration ensures that SIEM (InsightIDR) can parse and process Netskope logs without errors.

⚠️

Important configuration requirements

Logs must be exported with a consistent column order and field set. Changing the field order or disabling fields can cause parsing failures or incomplete data ingestion.

To ensure successful parsing in SIEM (InsightIDR):

  • Enable all fields for each exported event type.
  • Preserve the default column order.
  • Don’t customize or reorder CSV columns.

For detailed instructions on configuring log streaming in Netskope, refer to Netskope’s documentation.
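A reordered or trimmed column set only becomes visible later, as parsing failures or missing data in Log Search, so checking an export's header row before it reaches the S3 bucket is worth automating. The following is an added Python example, not Rapid7's or Netskope's code; it assumes a constructed, abbreviated column list (a real check would pass the full default header from the Sample Logs section) and sample rows built from this page's Alert and Page samples:

```python
import csv
import io
from typing import Dict, List, Optional, Tuple

# Constructed, abbreviated stand-in for the default Netskope column order. A real
# deployment would pass the full default header shown in the page's sample logs.
EXPECTED_HEADER = [
    "_id", "access_method", "account_name", "action", "activity", "alert",
    "severity", "app", "user", "useragent", "userip", "record_type",
]

# Constructed sample export (values taken from this page's Alert and Page samples).
# The second row carries a quoted user agent containing commas, which is why the
# export must be parsed as RFC 4180 CSV and never split naively on ",".
GOOD_EXPORT = (
    "_id,access_method,account_name,action,activity,alert,severity,app,user,"
    "useragent,userip,record_type\n"
    "9b541e70382603f8a79561af,Client,-,alert,Download,yes,unknown,"
    "Google Cloud Platform,user@example.com,Go-http-client/1.1,10.0.0.10,alert\n"
    "4d4795c4d825d6bee5515aa5,Client,-,-,-,-,unknown,Google App Bypass,"
    'user@example.com,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36",10.0.0.10,page\n'
)

# Same data, but with two columns swapped and "useragent" disabled: exactly the
# customisation the page warns against.
BAD_EXPORT = (
    "_id,access_method,account_name,severity,action,activity,alert,app,user,"
    "userip,record_type\n"
    "9b541e70382603f8a79561af,Client,-,unknown,alert,Download,yes,"
    "Google Cloud Platform,user@example.com,10.0.0.10,alert\n"
)


def check_header(actual: List[str], expected: List[str]) -> Dict[str, object]:
    """Compare an export's header row with the expected default column set and order."""
    missing = [c for c in expected if c not in actual]
    extra = [c for c in actual if c not in expected]
    # Columns present in both lists, in the order the export emits them; any
    # deviation from the expected relative order means fields were reordered.
    shared_actual = [c for c in actual if c in expected]
    shared_expected = [c for c in expected if c in actual]
    reordered = shared_actual != shared_expected
    return {
        "ok": not missing and not extra and not reordered,
        "missing": missing,
        "extra": extra,
        "reordered": reordered,
    }


def parse_export(
    text: str, expected: List[str] = EXPECTED_HEADER
) -> Tuple[Dict[str, object], List[Dict[str, Optional[str]]]]:
    """Validate the header, then return (report, rows).

    Rows are only returned when the header matches, so a customised layout is
    caught before upload instead of surfacing as ingestion errors in the SIEM.
    Netskope's "-" placeholder is normalised to None.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None) or []
    report = check_header(header, expected)
    rows: List[Dict[str, Optional[str]]] = []
    if not report["ok"]:
        return report, rows
    for line_no, fields in enumerate(reader, start=2):
        if len(fields) != len(header):
            # A ragged row usually means a truncated line or a naive comma split.
            raise ValueError(f"row {line_no}: {len(fields)} fields, expected {len(header)}")
        rows.append({k: (None if v == "-" else v) for k, v in zip(header, fields)})
    return report, rows


if __name__ == "__main__":
    rep, good_rows = parse_export(GOOD_EXPORT)
    print("good export:", rep, [r["record_type"] for r in good_rows])
    rep, bad_rows = parse_export(BAD_EXPORT)
    print("bad export:", rep)
```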

Configure SIEM (InsightIDR) to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).

Task 1: Select Netskope v2

  1. From the Command Platform main menu, go to Data Connectors > Data Collectors.
  2. Go to the Event Sources tab, then click Add Event Source.
  3. Do one of the following:
    • Search for Netskope v2 in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  4. Select the Netskope v2 event source tile.

Task 2: Set up your collection method

  1. Name the event source. This will become the name of the log that contains the event data in Log Search.
  2. In the Amazon S3 bucket name field, enter the name of the Amazon S3 bucket that stores your Netskope log data.
    • This field can’t be edited after you save the event source.
  3. Click Save and download template.

The event source is saved in SIEM and an AWS CloudFormation template is downloaded to your browser with the file name aws_s3.yml.

Complete the event source configuration in AWS CloudFormation

To complete the setup of the Netskope event source, create a stack in AWS CloudFormation and upload the template you downloaded while configuring the event source in SIEM.

This template:

  • Creates the required IAM permissions.
  • Configures the Amazon EventBridge rule to send S3 events to Rapid7.
  • Provisions an Amazon SQS queue for error handling.

Run the template in AWS CloudFormation

To run the template in AWS CloudFormation:

  1. Log in to AWS CloudFormation.
  2. Go to Stacks.
  3. Click Create Stack > With new resources (standard).
  4. Under Prepare Template, select Choose an existing template.
  5. Under Specify template, select Upload a template file.
  6. Click Choose file.
  7. Locate and select the aws_s3.yml file you downloaded in the Configure SIEM (InsightIDR) to collect data from the event source section.
  8. Click Next.
  9. Enter a name for your stack.
  10. Under Parameters, provide the Organization API key you recorded in the Before you begin section.
  11. Click Next.
  12. Under Behavior on provisioning failure, select Roll back all stack resources.
  13. Click Next.
  14. Review the details and click Submit to launch your stack.

CloudFormation then creates all the resources defined in the template. See AWS’s documentation on monitoring stack progress and the status of the stack creation.

ℹ️

Visit the third-party vendor's documentation

For the most accurate information on creating a stack in AWS CloudFormation, we recommend that you visit AWS’s documentation on creating a stack from the CloudFormation console.

Verify the configuration

Complete the following steps to view your logs and ensure events are making it to the Collector.

  1. From the left menu, click Log Search to view your raw logs and confirm that events are reaching the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name. Netskope logs flow into the following Log Sets:
    • Third Party Alerts
    • Web Proxy Activity
    • Virus Alert
    • Virus Infection
    • Ingress Authentication
    • Firewall Activity
  2. Next, click Log Search in the left menu to make sure Netskope events are coming through.
⚠️

Logs take a minimum of 7 minutes to appear in Log Search

Note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source.

Legacy detection rules

SIEM (InsightIDR) supports the following legacy detection rules for this event source:

  • Account visits suspicious link
  • First ingress authentication from country
  • Harvested credentials
  • Ingress from account whose password never expires
  • Ingress from community threat
  • Ingress from disabled account
  • Ingress from domain admin
  • Ingress from service account
  • Ingress from threat
  • Multiple country authentications
  • Network access for threat
  • Spear phishing URL detected
  • Third party alert - netskope
  • Virus alert

Sample Logs

Here are some sample Netskope events as they appear in SIEM (InsightIDR) Log Search. Each sample is shown as its CSV header row followed by one event row.

Alert

_id,access_method,account_name,acked,acting_user,action,activity,act_user,alert,alert_name,severity,alert_source,alert_type,appcategory,appsuite,app,app_session_id,assignee,bcc,browser,browser_session_id,server_bytes,client_bytes,cc,cci,ccl,cloud_provider,breach_id,eeml,breach_score,connection_id,src_country,shared_credential_user,breach_date,policy_name,policy_action,dst_country,dst_geoip_src,dsthost,dstip,dst_location,dstport,dst_region,dst_timezone,dst_zipcode,detection_engine,device,device_classification,device_sn,dlp_file,dlp_fingerprint_classification,dlp_fingerprint_match,dlp_fingerprint_score,dlp_match_info,inline_dlp_match_info,dlp_incident_id,dlp_parent_id,dlp_profile_name,dlp_profile,dlp_rule_count,dlp_rule,dlp_rule_severity,dlp_rule_score,dlp_unique_count,dlp_is_unique_count,dns_profile,domain,driver,conn_duration,encryption_status,conn_endtime,end_time,computer_name,executable_hash,executable_signed,sharedType,file_category,destination_file_directory,file_exposure,file_id,file_md5,destination_file_name,filename,file_origin,file_owner,destination_file_path,file_path,filepath,sha256,file_size,file_type,email_from_user,from_user,app-gdpr-level,usergroup,device_type,hostname,dinsid,incident_id,latest_incident_id,instance_id,instance,instance_name,sanctioned_instance,ip_protocol,dst_latitude,src_latitude,local_md5,local_sha1,local_sha256,loc,location,src_location,dst_longitude,src_longitude,mal_id,malware_id,mal_sev,malware_severity,mal_type,malware_type,managed_app,managementID,vendor_id,md5,message_id,mime_type,tss_mode,product_id,modified_date,src_network,network_session_id,ur_normalized,oauth,object,object_id,owner,object_type,org,organization_unit,os,os_details,os_family,os_user_name,os_version,page,parent_id,owner_pdl,policy_name_enforced,policy,policy_version,pop_id,netskope_pop,port,web_url,connection_type,process_name,process_cert_subject,pid,process_path,publisher_cn,domain_ip,redirect_url,referer,region_name,src_region,region_id,iaas_remediated,iaas_remediation_action,iaas_remediated_by,iaas_remediated_on,req,req_cnt,request_id,resource_category,resource_group,resp,resp_cnt,risk_level_id,sa_profile_name,sa_rule_compliance,sa_rule_name,sa_rule_severity,sender,session_duration,session_number_unique,serverity,severity_level,severity_id,shared_with,shared_domains,tunnel_id,smtp_status,smtp_to,src_geoip_src,srcip,srcport,conn_starttime,start_time,status,subject,tags,telemetry_app,threat_type,timestamp,src_timezone,to_user,numbytes,traffic_type,transaction_id,tss_license,two_factor_auth,type,unc_path,nsdeviceuid,url,user,useragent,user_confidence_index,user_confidence_level,user_id,userip,userkey,violation,site,src_zipcode,account_id,alert_id,appact,audit_type,response_time,email_modified,email_title,subtype,event_uuid,file_cls_encrypted,fllg,file_pdl,local_source_time,server_packets,client_packets,flpp,risk_score,suppression_count,spet,spst,thr,email_user,tur,total_packets,num_users,watchlist_name,custom_attr,record_type
9b541e70382603f8a79561af,Client,-,-,-,alert,Download,-,yes,-,unknown,-,-,IaaS/PaaS,-,Google Cloud Platform,8197115700555465165,-,-,Go,8265960451305484156,-,-,-,89,high,-,-,-,-,0,US,-,-,-,-,MX,-,-,142.251.34.206,Queretaro,443,Queretaro,America/Mexico_City,N/A,-,Windows Device,unmanaged,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,packages.cloud.google.com,-,-,-,-,-,-,-,-,-,Archive and Compressed,-,-,-,-,-,-,-,-,-,-,-,-,8897,GZ Compress,-,-,-,-,-,random_hostname.com,-,8282945461328723956,-,-,-,-,-,-,-100.38392639160156|20.600095748901367,-121.1871|45.599899999999998,-,-,-,-,-,The Dalles,-100.38392639160156|20.600095748901367,-121.1871|45.599899999999998,-,-,-,-,-,-,no,-,-,ea0a15a433f438f9f678257363bf5546,-,-,-,-,-,-,-,user@example.com,-,index.gz,-,-,File,-,,Windows Server 2016,-,Windows Server,-,Windows Server 10.0,packages.cloud.google.com/yuck/repos/google-compute-engine-stable/index.gz,-,-,-,Unmanaged Client DLP Policy,-,-,US-SEA2,443,-,-,-,-,-,-,-,-,-,-,-,Oregon,-,-,-,-,-,-,-,8282945461328723956,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,12.12.123.123,-,-,-,-,-,-,,-,1767948789,America/Los_Angeles,-,-,CloudApp,8282945461328723956,-,-,nspolicy,-,00000000-0000-0000-0000-000000000000,packages.cloud.google.com/yuck/repos/google-compute-engine-stable/index.gz,user@example.com,Go-http-client/1.1,-,-,-,10.0.0.10,user@example.com,-,Google Cloud Platform,97058,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,alert

Application Event

_id,access_method,account_name,acked,acting_user,action,activity,act_user,alert,alert_name,severity,alert_source,alert_type,appcategory,appsuite,app,app_session_id,assignee,bcc,browser,browser_session_id,server_bytes,client_bytes,cc,cci,ccl,cloud_provider,breach_id,eeml,breach_score,connection_id,src_country,shared_credential_user,breach_date,policy_name,policy_action,dst_country,dst_geoip_src,dsthost,dstip,dst_location,dstport,dst_region,dst_timezone,dst_zipcode,detection_engine,device,device_classification,device_sn,dlp_file,dlp_fingerprint_classification,dlp_fingerprint_match,dlp_fingerprint_score,dlp_match_info,inline_dlp_match_info,dlp_incident_id,dlp_parent_id,dlp_profile_name,dlp_profile,dlp_rule_count,dlp_rule,dlp_rule_severity,dlp_rule_score,dlp_unique_count,dlp_is_unique_count,dns_profile,domain,driver,conn_duration,encryption_status,conn_endtime,end_time,computer_name,executable_hash,executable_signed,sharedType,file_category,destination_file_directory,file_exposure,file_id,file_md5,destination_file_name,filename,file_origin,file_owner,destination_file_path,file_path,filepath,sha256,file_size,file_type,email_from_user,from_user,app-gdpr-level,usergroup,device_type,hostname,dinsid,incident_id,latest_incident_id,instance_id,instance,instance_name,sanctioned_instance,ip_protocol,dst_latitude,src_latitude,local_md5,local_sha1,local_sha256,loc,location,src_location,dst_longitude,src_longitude,mal_id,malware_id,mal_sev,malware_severity,mal_type,malware_type,managed_app,managementID,vendor_id,md5,message_id,mime_type,tss_mode,product_id,modified_date,src_network,network_session_id,ur_normalized,oauth,object,object_id,owner,object_type,org,organization_unit,os,os_details,os_family,os_user_name,os_version,page,parent_id,owner_pdl,policy_name_enforced,policy,policy_version,pop_id,netskope_pop,port,web_url,connection_type,process_name,process_cert_subject,pid,process_path,publisher_cn,domain_ip,redirect_url,referer,region_name,src_region,region_id,iaas_remediated,iaas_remediation_action,iaas_remediated_by,iaas_remediated_on,req,req_cnt,request_id,resource_category,resource_group,resp,resp_cnt,risk_level_id,sa_profile_name,sa_rule_compliance,sa_rule_name,sa_rule_severity,sender,session_duration,session_number_unique,serverity,severity_level,severity_id,shared_with,shared_domains,tunnel_id,smtp_status,smtp_to,src_geoip_src,srcip,srcport,conn_starttime,start_time,status,subject,tags,telemetry_app,threat_type,timestamp,src_timezone,to_user,numbytes,traffic_type,transaction_id,tss_license,two_factor_auth,type,unc_path,nsdeviceuid,url,user,useragent,user_confidence_index,user_confidence_level,user_id,userip,userkey,violation,site,src_zipcode,account_id,alert_id,appact,audit_type,response_time,email_modified,email_title,subtype,event_uuid,file_cls_encrypted,fllg,file_pdl,local_source_time,server_packets,client_packets,flpp,risk_score,suppression_count,spet,spst,thr,email_user,tur,total_packets,num_users,watchlist_name,custom_attr,record_type
9658581311d83afc5e13010d,CASB API,-,-,-,-,Login Failed,-,no,-,-,-,-,Cloud Storage,-,Microsoft Office 365 OneDrive for Business,7218762417634559691,-,-,unknown,-,-,-,-,82,high,-,-,-,-,7218762417634559691,US,-,-,-,-,-,-,-,-,-,-,-,-,-,-,unknown,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,tenant.example.com,tenant.example.com,-,yes,-,-,-84.5|33.61,-,-,-,-,-,Atlanta,-,-84.5|33.61,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,user@example.com,-,user@example.com,-,-,User,-,-,unknown,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,Georgia,-,-,-,-,-,-,-,7218762417634559691,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,203.0.113.50,-,-,-,-,-,-,-,-,1747208789,-,-,-,cloudapp,7218762417634559691,-,-,nspolicy,-,-,-,user@example.com,-,-,-,-,203.0.113.50,user@example.com,-,Microsoft Office 365 OneDrive for Business,30349,-,-,CASB API Scan,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,application

Network Event

_id,access_method,account_name,acked,acting_user,action,activity,act_user,alert,alert_name,severity,alert_source,alert_type,appcategory,appsuite,app,app_session_id,assignee,bcc,browser,browser_session_id,server_bytes,client_bytes,cc,cci,ccl,cloud_provider,breach_id,eeml,breach_score,connection_id,src_country,shared_credential_user,breach_date,policy_name,policy_action,dst_country,dst_geoip_src,dsthost,dstip,dst_location,dstport,dst_region,dst_timezone,dst_zipcode,detection_engine,device,device_classification,device_sn,dlp_file,dlp_fingerprint_classification,dlp_fingerprint_match,dlp_fingerprint_score,dlp_match_info,inline_dlp_match_info,dlp_incident_id,dlp_parent_id,dlp_profile_name,dlp_profile,dlp_rule_count,dlp_rule,dlp_rule_severity,dlp_rule_score,dlp_unique_count,dlp_is_unique_count,dns_profile,domain,driver,conn_duration,encryption_status,conn_endtime,end_time,computer_name,executable_hash,executable_signed,sharedType,file_category,destination_file_directory,file_exposure,file_id,file_md5,destination_file_name,filename,file_origin,file_owner,destination_file_path,file_path,filepath,sha256,file_size,file_type,email_from_user,from_user,app-gdpr-level,usergroup,device_type,hostname,dinsid,incident_id,latest_incident_id,instance_id,instance,instance_name,sanctioned_instance,ip_protocol,dst_latitude,src_latitude,local_md5,local_sha1,local_sha256,loc,location,src_location,dst_longitude,src_longitude,mal_id,malware_id,mal_sev,malware_severity,mal_type,malware_type,managed_app,managementID,vendor_id,md5,message_id,mime_type,tss_mode,product_id,modified_date,src_network,network_session_id,ur_normalized,oauth,object,object_id,owner,object_type,org,organization_unit,os,os_details,os_family,os_user_name,os_version,page,parent_id,owner_pdl,policy_name_enforced,policy,policy_version,pop_id,netskope_pop,port,web_url,connection_type,process_name,process_cert_subject,pid,process_path,publisher_cn,domain_ip,redirect_url,referer,region_name,src_region,region_id,iaas_remediated,iaas_remediation_action,iaas_remediated_by,iaas_remediated_on,req,req_cnt,request_id,resource_category,resource_group,resp,resp_cnt,risk_level_id,sa_profile_name,sa_rule_compliance,sa_rule_name,sa_rule_severity,sender,session_duration,session_number_unique,serverity,severity_level,severity_id,shared_with,shared_domains,tunnel_id,smtp_status,smtp_to,src_geoip_src,srcip,srcport,conn_starttime,start_time,status,subject,tags,telemetry_app,threat_type,timestamp,src_timezone,to_user,numbytes,traffic_type,transaction_id,tss_license,two_factor_auth,type,unc_path,nsdeviceuid,url,user,useragent,user_confidence_index,user_confidence_level,user_id,userip,userkey,violation,site,src_zipcode,account_id,alert_id,appact,audit_type,response_time,email_modified,email_title,subtype,event_uuid,file_cls_encrypted,fllg,file_pdl,local_source_time,server_packets,client_packets,flpp,risk_score,suppression_count,spet,spst,thr,email_user,tur,total_packets,num_users,watchlist_name,custom_attr,record_type
f25329fb48ccdeac584b0ed7,Client,-,-,-,block,-,-,-,-,-,-,-,n/a,-,ssl,-,-,-,-,-,132,1871,-,-,-,-,-,-,-,-,US,-,-,-,-,US,2,mtalk.google.com,142.250.99.188,Mountain View,4321,California,-,94043,-,,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,mtalk.google.com,-,-,-,-,2026-01-09T05:57:52+00:00,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,TCP,-122.08|37.41,-121.19|45.6,-,-,-,-,-,The Dalles,-122.08|37.41,-121.19|45.6,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,user@example.com,-,-,-,-,-,-,,Windows Server 10.0,-,-,-,-,-,-,-,-,default,-,0X0A0F,US-SEA2,-,-,-,-,-,-,-,-,-,-,-,-,Oregon,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,29,-,-,-,-,-,-,1136959617090588,-,-,2,12.12.190.123,12345,-,2026-01-09T05:57:52+00:00,-,-,-,-,-,1767938272,-,-,2003,non-web,-,-,-,network,-,-,-,user@example.com,-,-,-,-,10.0.0.10,user@example.com,-,ssl,97058,-,-,-,-,-,-,-,-,-,-,-,-,-,3,4,-,-,-,-,-,-,-,-,7,-,-,-,network

Page Event

_id,access_method,account_name,acked,acting_user,action,activity,act_user,alert,alert_name,severity,alert_source,alert_type,appcategory,appsuite,app,app_session_id,assignee,bcc,browser,browser_session_id,server_bytes,client_bytes,cc,cci,ccl,cloud_provider,breach_id,eeml,breach_score,connection_id,src_country,shared_credential_user,breach_date,policy_name,policy_action,dst_country,dst_geoip_src,dsthost,dstip,dst_location,dstport,dst_region,dst_timezone,dst_zipcode,detection_engine,device,device_classification,device_sn,dlp_file,dlp_fingerprint_classification,dlp_fingerprint_match,dlp_fingerprint_score,dlp_match_info,inline_dlp_match_info,dlp_incident_id,dlp_parent_id,dlp_profile_name,dlp_profile,dlp_rule_count,dlp_rule,dlp_rule_severity,dlp_rule_score,dlp_unique_count,dlp_is_unique_count,dns_profile,domain,driver,conn_duration,encryption_status,conn_endtime,end_time,computer_name,executable_hash,executable_signed,sharedType,file_category,destination_file_directory,file_exposure,file_id,file_md5,destination_file_name,filename,file_origin,file_owner,destination_file_path,file_path,filepath,sha256,file_size,file_type,email_from_user,from_user,app-gdpr-level,usergroup,device_type,hostname,dinsid,incident_id,latest_incident_id,instance_id,instance,instance_name,sanctioned_instance,ip_protocol,dst_latitude,src_latitude,local_md5,local_sha1,local_sha256,loc,location,src_location,dst_longitude,src_longitude,mal_id,malware_id,mal_sev,malware_severity,mal_type,malware_type,managed_app,managementID,vendor_id,md5,message_id,mime_type,tss_mode,product_id,modified_date,src_network,network_session_id,ur_normalized,oauth,object,object_id,owner,object_type,org,organization_unit,os,os_details,os_family,os_user_name,os_version,page,parent_id,owner_pdl,policy_name_enforced,policy,policy_version,pop_id,netskope_pop,port,web_url,connection_type,process_name,process_cert_subject,pid,process_path,publisher_cn,domain_ip,redirect_url,referer,region_name,src_region,region_id,iaas_remediated,iaas_remediation_action,iaas_remediated_by,iaas_remediated_on,req,req_cnt,request_id,resource_category,resource_group,resp,resp_cnt,risk_level_id,sa_profile_name,sa_rule_compliance,sa_rule_name,sa_rule_severity,sender,session_duration,session_number_unique,serverity,severity_level,severity_id,shared_with,shared_domains,tunnel_id,smtp_status,smtp_to,src_geoip_src,srcip,srcport,conn_starttime,start_time,status,subject,tags,telemetry_app,threat_type,timestamp,src_timezone,to_user,numbytes,traffic_type,transaction_id,tss_license,two_factor_auth,type,unc_path,nsdeviceuid,url,user,useragent,user_confidence_index,user_confidence_level,user_id,userip,userkey,violation,site,src_zipcode,account_id,alert_id,appact,audit_type,response_time,email_modified,email_title,subtype,event_uuid,file_cls_encrypted,fllg,file_pdl,local_source_time,server_packets,client_packets,flpp,risk_score,suppression_count,spet,spst,thr,email_user,tur,total_packets,num_users,watchlist_name,custom_attr,record_type
4d4795c4d825d6bee5515aa5,Client,-,-,-,-,-,-,-,-,unknown,-,-,Technology,-,Google App Bypass,1494365267375841033,-,-,Chrome,2120028816926628866,18275437,29272,-,-,-,-,-,-,-,4841498802315193211,US,-,-,-,-,MX,-,-,142.251.34.202,Queretaro,443,Queretaro,America/Mexico_City,N/A,-,Windows Device,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,optimizationguide-pa.googleapis.com,-,48,-,1767938266,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,instance-ngcc1,-,-,-,-,-,-,-,-,-100.38392639160156|20.600095748901367,-121.1871|45.599899999999998,-,-,-,-,-,The Dalles,-100.38392639160156|20.600095748901367,-121.1871|45.599899999999998,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,user@example.com,-,-,-,-,-,-,,Windows Server 2016,-,Windows Server,-,Windows Server 10.0,optimizationguide-pa.googleapis.com/downloads,-,-,-,-,-,-,US-SEA2,-,-,-,-,-,-,-,-,-,-,-,-,Oregon,-,-,-,-,-,-,20,-,-,-,-,20,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,34.82.123.123,-,1767938218,-,-,-,-,-,-,1767938218,America/Los_Angeles,-,18304709,CloudApp,-,-,-,connection,-,-,optimizationguide-pa.googleapis.com/downloads,user@example.com,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36",-,-,-,10.0.0.10,user@example.com,-,Google App Bypass,97058,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,page

Transaction Event

date,time,time-taken,cs-bytes,sc-bytes,bytes,c-ip,s-ip,cs-username,cs-method,cs-uri-scheme,cs-uri-query,cs-user-agent,cs-content-type,sc-status,sc-content-type,cs-dns,cs-host,cs-uri,cs-uri-port,cs-referer,x-cs-session-id,x-cs-access-method,x-cs-app,x-s-country,x-s-latitude,x-s-longitude,x-s-location,x-s-region,x-s-zipcode,x-c-country,x-c-latitude,x-c-longitude,x-c-location,x-c-region,x-c-zipcode,x-c-os,x-c-browser,x-c-browser-version,x-c-device,x-cs-site,x-cs-timestamp,x-cs-page-id,x-cs-userip,x-cs-traffic-type,x-cs-tunnel-id,x-category,x-other-category,x-type,x-server-ssl-err,x-client-ssl-err,x-transaction-id,x-request-id,x-cs-sni,x-cs-domain-fronted-sni,x-category-id,x-other-category-id,x-sr-headers-name,x-sr-headers-value,x-cs-ssl-ja3,x-sr-ssl-ja3s,x-ssl-bypass,x-ssl-bypass-reason,x-r-cert-subject-cn,x-r-cert-issuer-cn,x-r-cert-startdate,x-r-cert-enddate,x-r-cert-valid,x-r-cert-expired,x-r-cert-untrusted-root,x-r-cert-incomplete-chain,x-r-cert-self-signed,x-r-cert-revoked,x-r-cert-revocation-check,x-r-cert-mismatch,x-cs-ssl-fronting-error,x-cs-ssl-handshake-error,x-sr-ssl-handshake-error,x-sr-ssl-client-certificate-error,x-sr-ssl-malformed-ssl,x-s-custom-signing-ca-error,x-cs-ssl-engine-action,x-cs-ssl-engine-action-reason,x-sr-ssl-engine-action,x-sr-ssl-engine-action-reason,x-ssl-policy-src-ip,x-ssl-policy-dst-ip,x-ssl-policy-dst-host,x-ssl-policy-dst-host-source,x-ssl-policy-categories,x-ssl-policy-action,x-ssl-policy-name,x-cs-ssl-version,x-cs-ssl-cipher,x-sr-ssl-version,x-sr-ssl-cipher,x-cs-src-ip-egress,x-s-dp-name,x-cs-src-ip,x-cs-src-port,x-cs-dst-ip,x-cs-dst-port,x-sr-src-ip,x-sr-src-port,x-sr-dst-ip,x-sr-dst-port,x-cs-ip-connect-xff,x-cs-ip-xff,x-cs-connect-host,x-cs-connect-port,x-cs-connect-user-agent,x-cs-url,x-cs-uri-path,x-cs-http-version,rs-status,x-cs-app-category,x-cs-app-cci,x-cs-app-ccl,x-cs-app-tags,x-cs-app-suite,x-cs-app-instance-id,x-cs-app-instance-name,x-cs-app-instance-tag,x-cs-app-activity,x-cs-app-from-user,x-cs-app-to-user,x-cs-app-object-type,x-cs-app-object-name,x-cs-app-object-id,x-rs-file-type,x-rs-file-category,x-rs-file-language,x-rs-file-size,x-rs-file-md5,x-rs-file-sha256,x-error,x-c-local-time,x-policy-action,x-policy-name,x-policy-src-ip,x-policy-dst-ip,x-policy-dst-host,x-policy-dst-host-source,x-policy-justification-type,x-policy-justification-reason,x-sc-notification-name
2025-11-18,07:48:29,25,178,1055,1233,10.0.0.5,203.0.113.11,user@example.com,OPTIONS,https,-,GenericAgent/1.0,-,403,-,onedrive.example.com,onedrive.example.com,/,443,-,1000000000000000001,Client,Example OneDrive,US,0.000000,0.000000,City,State,00000,US,0.000000,0.000000,City,State,N/A,Windows 10,Native,-,Windows Device,live,1763452109,5398075370891712522,10.0.0.5,CloudApp,-,Cloud Storage,Cloud Storage,http_transaction,-,-,7061116132216555741,7061116132216555741,onedrive.example.com,-,7,7,-,-,HASH1,NotAvailable,No,-,onedrive.example.com,Example TLS CA,Oct 27 12:22:37 2025 GMT,Apr 25 12:22:37 2026 GMT,Yes,No,No,No,No,Disabled,-,No,No,No,No,No,No,No,Allow,Established,Allow,Established,10.0.0.5,203.0.113.12,onedrive.example.com,Sni,Cloud Storage,Decrypt,-,TLSv1.2,ECDHE-ECDSA-AES256-GCM-SHA384,TLSv1.3,TLS_AES_256_GCM_SHA384,203.0.113.90,TEST-DP,10.0.0.5,5768,203.0.113.12,443,203.0.113.80,42858,203.0.113.11,443,-,-,-,-,-,https://onedrive.example.com/,/,HTTP1.1,403,Cloud Storage,85,high,"Category",Example Live,-,-,-,Browse,-,-,-,-,-,-,-,-,-,-,-,http,2025-11-18 02:48:30,allow_default,DefaultAction,10.0.0.5,203.0.113.11,onedrive.example.com,HttpHostHeader,-,-,-