File Events Log Formats
The Cisco Secure Access File Events log shows your organization's traffic events involving file access that match private access rules with File Inspection or File Type Control enabled. For more information, see Get Started With Private Access Rules, Manage File Inspection and File Analysis, and Manage File Type Controls.
For information about the size of a log file, see Estimate the Size of a Log.
Example
Example content of the v9 or v10 File Events log.
timestamp,organization id,retention policy in days,aws region,firewall eventid,file action,disposition,sha256,direction,threat name,filestatic analysis,threat score,filetype id,filename,filesize,archive filename,archive filedepth,archive sha,dlp status
"2024-09-04 19:43:36","8231394","730","us-west-2a","9c8eff3ef69147905ff1ddec8b593c94be6d17fbc916f604b7deca0ba24299ae¦3¦1725479009¦67","CUSTOM_DETECTION","UNKNOWN","0fd3a79e8d4d16e12f782b1e9aa9b2f40ec8afa26675a1f426f12b4ffdea9923","DOWNLOAD","Carbanak","ANALYSIS_COMPLETE_NO_VIRUS","90","45","TryDownloading_9974801.sample","52224","TryDownloading_9974801.zip","1","e7624f8962811038bc7c5a266d56e86f8195cd8a2ce75905ded16dc79f47bfd5","FW_FILE_DLP_NONE"
Order of Fields in the File Events Log
Note: Not all fields listed are found in most or all requests. When a field does not have a value, Secure Access sets the field to the empty string ("") in the log.
V9, V10 Log Format
The header row of the File Events log contains the following CSV fields.
timestamp,organization id,retention policy in days,aws region,firewall eventid,file action,disposition,sha256,direction,threat name,filestatic analysis,threat score,filetype id,filename,filesize,archive filename,archive filedepth,archive sha,dlp status
The following table describes each field and gives the log version in which the field was released, up to version 9 or version 10. For more information about log versions, see Find Your Log Schema Version.
Field name | Description | Release version |
---|---|---|
timestamp | The timestamp of the request transaction in UTC (e.g., 2024-01-16 17:48:41). | v9 |
organization id | The Secure Access organization ID. For more information, see Find Your Organization ID. | v9 |
retention policy | The number of days that AWS S3 stores your Secure Access File Events log. | v9 |
aws region | The AWS region where Secure Access stores your logs. | v9 |
firewall event id | The ID of the firewall event. Populated only for traffic handled by Cisco Secure Firewall. | v9 |
file action | The action taken on a file in a remote browser isolation session. Valid values are: UNKNOWN, DETECT, BLOCK, MALWARE_CLOUD_LOOKUP, MALWARE_WHITELIST, CLOUD_LOOKUP_TIMEOUT, CUSTOM_DETECTION, CUSTOM_DETECTION_BLOCK, ARCHIVE_BLOCK_DEPTH_EXCEEDED, ARCHIVE_BLOCK_ENCRYPTED, ARCHIVE_BLOCK_FAILED_TO_INSPECT, TID_BLOCK. | v9 |
disposition | The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the File Inspection feature. Valid values are: CLEAN, MALWARE, UNKNOWN. | v9 |
sha256 | The SHA-256 checksum hash of the file. | v9 |
direction | The traffic direction of the file event. Valid values are: UNKNOWN, UPLOAD, DOWNLOAD. | v9 |
threat name | Name of the threat identified for files with MALWARE disposition. | v9 |
file static analysis | The status of the file static sample analysis. For more information, see Cisco Secure Malware Analytics (formerly Threat Grid) Details. Valid values are: UNKNOWN, NOT_ANALYZED, ANALYSIS_COMPLETE_NO_VIRUS, ANALYSIS_FAILED, ANALYSIS_COMPLETE_MALWARE_DETECTED. | v9 |
threat score | The threat score most recently associated with this file. This is a value from 0 to 100. | v9 |
file type id | The type of file. For example, PDF or MSEXE. | v9 |
file name | The name of the file involved with the activity. | v9 |
file size | The size of the file in bytes. | v9 |
archive file name | The name of the archive file involved with the activity. | v9 |
archive depth | The level (if any) at which the file was nested in an archive file. | v9 |
archive sha | The SHA-256 checksum hash of the archive file. | v9 |
dlp status | The verdict of the DLP scanning service. For more information, see Manage the Data Loss Prevention Policy. Valid values are: FW_FILE_DLP_NONE, FW_FILE_DLP_SENT, FW_FILE_DLP_SUCCESS, FW_FILE_DLP_FAIL_ON_MIN_FILESIZE, FW_FILE_DLP_FAIL_ON_MAX_FILESIZE, FW_FILE_DLP_FAIL_ON_MEMCAP, FW_FILE_DLP_FAIL_ON_FULL_QUEUE, FW_FILE_DLP_FAIL_ON_SEND, FW_FILE_DLP_FAIL_ON_NO_RESPONSE, FW_FILE_DLP_FAIL_ON_CLOUD_SEND, FW_FILE_DLP_VERDICT_FAIL, FW_FILE_DLP_VERDICT_UNKNOWN, FW_FILE_DLP_VERDICT_CLEAN, FW_FILE_DLP_VERDICT_DATA_LEAK, FW_FILE_DLP_VERDICT_MALICIOUS, FW_FILE_DLP_VERDICT_TIMEOUT | v9 |
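
The following parser is an added example, not Cisco's code. It reads the v9/v10 CSV format described above, skips the header row, maps empty-string fields to None, and lists the reasons an event may need analyst review. The threshold of 80, the choice of values to flag, and the function names are assumptions; the second sample row is constructed.

```python
import csv
import io

# Column order copied from the v9/v10 header row shown on this page.
HEADER = ("timestamp,organization id,retention policy in days,aws region,"
          "firewall eventid,file action,disposition,sha256,direction,threat name,"
          "filestatic analysis,threat score,filetype id,filename,filesize,"
          "archive filename,archive filedepth,archive sha,dlp status").split(",")
INT_FIELDS = ("threat score", "filesize", "archive filedepth")
SCORE_THRESHOLD = 80  # assumption: local triage cut-off, not a Cisco value

def parse_file_events(text):
    """Yield one dict per event; fields logged as "" become None."""
    for row in csv.reader(io.StringIO(text)):
        if not row or row == HEADER:      # skip blank lines and the header row
            continue
        if len(row) != len(HEADER):       # truncated or wrong-version line
            raise ValueError(f"expected {len(HEADER)} fields, got {len(row)}")
        event = {k: (v if v != "" else None) for k, v in zip(HEADER, row)}
        for k in INT_FIELDS:
            if event[k] is not None:
                event[k] = int(event[k])
        yield event

def triage_reasons(event):
    """Return the reasons (possibly none) an event deserves analyst review."""
    reasons = []
    if event["disposition"] == "MALWARE":
        reasons.append("disposition=MALWARE")
    if event["filestatic analysis"] == "ANALYSIS_COMPLETE_MALWARE_DETECTED":
        reasons.append("static analysis detected malware")
    if event["dlp status"] in ("FW_FILE_DLP_VERDICT_DATA_LEAK", "FW_FILE_DLP_VERDICT_MALICIOUS"):
        reasons.append("dlp verdict " + event["dlp status"])
    if (event["threat score"] or 0) >= SCORE_THRESHOLD:
        reasons.append(f"threat score {event['threat score']}")
    return reasons

# Row 1 is the page's example; row 2 is constructed (empty threat and archive fields).
SAMPLE = ",".join(HEADER) + '''
"2024-09-04 19:43:36","8231394","730","us-west-2a","9c8eff3ef69147905ff1ddec8b593c94be6d17fbc916f604b7deca0ba24299ae¦3¦1725479009¦67","CUSTOM_DETECTION","UNKNOWN","0fd3a79e8d4d16e12f782b1e9aa9b2f40ec8afa26675a1f426f12b4ffdea9923","DOWNLOAD","Carbanak","ANALYSIS_COMPLETE_NO_VIRUS","90","45","TryDownloading_9974801.sample","52224","TryDownloading_9974801.zip","1","e7624f8962811038bc7c5a266d56e86f8195cd8a2ce75905ded16dc79f47bfd5","FW_FILE_DLP_NONE"
"2024-09-04 19:50:02","8231394","730","us-west-2a","","DETECT","CLEAN","0000000000000000000000000000000000000000000000000000000000000000","UPLOAD","","NOT_ANALYZED","","45","report.sample","1024","","","","FW_FILE_DLP_VERDICT_DATA_LEAK"
'''

if __name__ == "__main__":
    for ev in parse_file_events(SAMPLE):
        print(ev["timestamp"], ev["filename"], triage_reasons(ev))
```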