Data Loss Prevention (DLP) Log Formats
The Cisco Secure Access DLP logs show information about DLP events where data identifiers were triggered and a violation occurred. DLP logs are available in all log format versions. For information about the size of a log file, see Estimate the Size of a Log.
Note: A single DLP event can present in multiple rows of the logs when different data identifiers and file labels are triggered for the same content. Rows related to the same content or event have the same Unique Event ID.
Example
An example of a v10 DLP log event.
```
timestamp,event type,unique event id,severity,identity,owner,name,application,destination,action,rule,data classification,data identifier,content type,file size,sha 256 hash,file label,application category name,traffic direction,private resource name,private resource group name,destination protocol,destination ip,destination port,organization id
"2022-02-15 12:05:45","Real Time","f64dcc3f-50fa-410a-b8e1-589894276cee_17c81f85-34f7-4bc5-aa4c-155571f484f6","ALERT","Network1","","first.xlsx","Dropbox","https://upload.dropbox.com/ajax/mercury/upload.php?av=100050982596543&__user=100050982596543","BLOCK","privateappsrule","Built-in PCI Classification","Credit Card Number - Strict","text/html","48","abbd2352c3cfea8846871928bf99ca24dc3a6f162170926649381a6d968869ab","Confidential","","","dlpprivateresource","","https","127.0.0.1","443","8247177"
```
Order of Fields in the DLP Log
Note: Not all fields listed are found in most or all requests. When a field does not have a value, Secure Access sets the field to the empty string ("") in the log.
V10 Log Formats
The CSV fields in the header row of the DLP logs.
```
timestamp,event type,unique event id,severity,identity,owner,name,application,destination,action,rule,data classification,data identifier,content type,file size,sha 256 hash,file label,application category name,traffic direction,private resource name,private resource group name,destination protocol,destination ip,destination port,organization id
```
The description of each field and the log version in which each field was released, up to version 10. For more information about log versions, see Find Your Log Schema Version.
Field name | Description | Release version |
---|---|---|
timestamp | The date and time of the DLP event, expressed as a UTC-formatted string (e.g., 2024-01-16 17:48:41). Note: Unlike the Secure Access dashboard and reports, Secure Access logs do not convert the timestamp to your local timezone. | v6 |
event type | The type of event that matched a data identifier. Real Time denotes a proxy-based DLP event triggered by a Real Time rule and SaaS API denotes a DLP event triggered by any of the SaaS API rules. | v8 |
unique event id | The unique identifier for the event. There can be multiple violation matches in one event. | v6 |
severity | The severity of the rule: Low, Medium, High, or Critical. | v6 |
identity | The source that triggered the violation. | v6 |
owner | The owner of the file. | v6 |
name | The name of the file. | v6 |
application | The application of the request. | v6 |
destination | The domain of the request. | v6 |
action | Whether the violation was Blocked or Monitored. | v6 |
rule | The DLP rule name. | v6 |
data classification | The data classification whose data identifier matched on the violation. | v6 |
data identifier | The data identifier that matched on the request. | v6 |
content type | The mime type of the file that matches the data identifier. | v6 |
file size | The size of the file in bytes. | v6 |
sha 256 hash | The hex digest of the response content. | v6 |
file label | The file name label that matched on the file properties. | v7 |
application category name | The category of the requested web application. For more information, see Application Categories. | v10 |
traffic direction | Direction of traffic. (Applies only to some applications, such as OpenAI API and OpenAI ChatGPT.) | v10 |
private resource name | The name of the private resource. | v10 |
private resource group name | The private resource group name if the matched rule destination was a private resource group. | v10 |
destination protocol | The protocol of the destination. | v10 |
destination ip | The IP address of the destination. | v10 |
destination port | The port of the destination. | v10 |
organization id | The Secure Access organization ID. For more information, see Find Your Organization ID. | v10 |
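As an added example (not Cisco's own code or tooling), the following Python parses a v10 DLP log laid out as above, maps the `""` empty fields to `None`, and regroups the one-row-per-identifier layout back into one record per Unique Event ID so that a blocked upload matched by several identifiers is counted once. The sample rows, hashes, identifier names and event IDs are constructed.

```python
import csv
import io

# Header row of the v10 DLP log, exactly as documented on this page.
V10_HEADER = ("timestamp,event type,unique event id,severity,identity,owner,name,"
              "application,destination,action,rule,data classification,"
              "data identifier,content type,file size,sha 256 hash,file label,"
              "application category name,traffic direction,private resource name,"
              "private resource group name,destination protocol,destination ip,"
              "destination port,organization id")

# Constructed sample: rows 1 and 2 share one Unique Event ID (two identifiers
# fired on the same upload); row 3 is a separate, monitored SaaS API event.
SAMPLE_LOG = V10_HEADER + "\n" + "\n".join([
    '"2022-02-15 12:05:45","Real Time","EVT-1_a","Critical","Network1","","first.xlsx","Dropbox","upload.dropbox.com","BLOCK","privateappsrule","Built-in PCI Classification","Credit Card Number - Strict","text/html","48","abbd2352","Confidential","","","dlpprivateresource","","https","127.0.0.1","443","8247177"',
    '"2022-02-15 12:05:45","Real Time","EVT-1_a","Critical","Network1","","first.xlsx","Dropbox","upload.dropbox.com","BLOCK","privateappsrule","Built-in PII Classification","Email Address","text/html","48","abbd2352","Confidential","","","dlpprivateresource","","https","127.0.0.1","443","8247177"',
    '"2022-02-15 12:07:10","SaaS API","EVT-2_b","Medium","alice@example.com","alice@example.com","notes.docx","Box","box.com","MONITOR","saasapirule","Built-in PCI Classification","Credit Card Number","application/msword","1024","cd34ef56","","","","","","","","","8247177"',
])


def parse_dlp_log(text):
    """Parse DLP CSV text into dicts keyed by header field name.
    The empty string (how Secure Access encodes a missing value) becomes None."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: (v if v != "" else None) for k, v in row.items()} for row in reader]


def group_by_event(rows):
    """Collapse rows sharing a Unique Event ID into one event, collecting every
    data identifier and file label that fired on that content."""
    events = {}
    for r in rows:
        ev = events.setdefault(r["unique event id"], {
            "timestamp": r["timestamp"], "identity": r["identity"], "name": r["name"],
            "application": r["application"], "action": r["action"], "rule": r["rule"],
            "severity": r["severity"], "data identifiers": set(), "file labels": set(),
        })
        if r["data identifier"]:
            ev["data identifiers"].add(r["data identifier"])
        if r["file label"]:
            ev["file labels"].add(r["file label"])
    return events


def blocked_events(events):
    """Unique Event IDs whose action was a block (accepts 'BLOCK' or 'Blocked')."""
    return sorted(eid for eid, ev in events.items()
                  if (ev["action"] or "").upper().startswith("BLOCK"))
```

Grouping by Unique Event ID before counting or alerting avoids inflating block metrics when one file trips several identifiers.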