Cloud App Security stores data as searchable indexes in cloud databases. Use these log facets to narrow a search to a specific data set. The following tables describe the available log facets for each log type.

Log Facet | Description |
---|---|
Scan Source | Name of the protected application or service. |
Security Filter | The security filter includes Advanced Spam Protection, File Blocking, Malware Scanning, and Web Reputation. |
Detected by | Technology or method through which email messages and files were detected as containing a security threat. |
Virus Name | Name of the virus detected. |
Spam Category | Category of the spam email message detected. |
URL Category | Category of the suspicious URL detected. |
Risk Level | Risk level of a URL classified by Trend Micro Web Reputation Services. |
Affected User | For Exchange Online and Gmail, the mailbox that received an email message violating a policy. For SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, the user account that uploaded or modified a file violating a policy. For Salesforce, the user account that updated an object record violating a policy. For Teams Chat, the user that sent a private chat message violating a policy. |
Triggered Policy | Name of the Security Risk Scan policy that was violated. |
Action | Action taken for a file, message, or Salesforce object record that violates a policy. |

Log Facet | Description |
---|---|
Scan Source | Name of the protected application or service. |
Security Filter | The security filter includes Malware Scanning and Web Reputation. |
Ransomware Name | Name of the ransomware detected. |
Domain | Domain detected with ransomware. |
Sender | Mailbox that distributed the ransomware. |

Log Facet | Description |
---|---|
Scan Source | Name of the protected application or service. |
Virus Name | Name of the virus detected. |
Risk Level | Risk level that Virtual Analyzer assigned after analyzing a file for threatening behavior. |
Affected User | For Exchange Online and Gmail, the mailbox that received an email message violating a policy. For SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, the user account that uploaded or modified a file violating a policy. For Teams Chat, the user that sent a private chat message violating a policy. |
Triggered Policy | Name of the Virtual Analyzer policy that was violated. |
Action | Action taken for a file or message that violates a policy. |

Log Facet | Description |
---|---|
Scan Source | Name of the protected application or service. |
Affected User | For Exchange Online and Gmail, the mailbox that received an email message violating a policy. For SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, the user account that uploaded or modified a file violating a policy. For Salesforce, the user account that updated an object record violating a policy. For Teams Chat, the user that sent a private chat message violating a policy. |
Triggered Policy | Name of the Data Loss Prevention policy that was violated. |
Triggered Template | Name of the compliance template that was violated to trigger the Data Loss Prevention policy. |
Action | Action taken for a file, message, or Salesforce object record that violates a policy. |
Security Filter | The security filter includes Data Loss Prevention, Keyword Extraction, and Box Shared Links Control. |

Log Facet | Description |
---|---|
Scan Source | Name of the protected application or service. |
Security Filter | The security filter includes Virtual Analyzer, File Blocking, Web Reputation, Data Loss Prevention, and Malware Scanning. |
Affected User | For Exchange Online, the mailbox that received a message violating a policy. For SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, the user account that uploaded or modified a file violating a policy. For Salesforce, the user account that updated an object record violating a policy. |
Quarantine Type | Whether an email message or a file is already quarantined. |
Restored by | Whether the administrator or an end user restored a quarantined file in Box that violated a Data Loss Prevention policy. |

Log Facet | Description |
---|---|
User | Name of the user who performs management operations. |
Action | Operation that a user performs, including logon events, scheduled user data synchronizations, and policy changes. |

Log Facet | Description |
---|---|
Scan Source | Name of the protected application or service. |
Security Filter | The security filter includes the Threat Remediation API. |
Affected User | Exchange Online mailbox that contains an email message matching any item in the Blocked Lists for Exchange Online configured through the Threat Remediation API. |
Action | Action taken for an email message matching any item in the Blocked Lists for Exchange Online configured through the Threat Remediation API. |

Log Facet | Description |
---|---|
Time of Click | Time when the user clicks the URL. |
Action | Action taken when the user clicks the URL. |
Sender | Sender of the email message that contains the clicked URL. |
Recipient | Recipient of the email message that contains the clicked URL. |
URL | URL that the user clicks. |
Message ID | Unique ID that identifies the email message containing the clicked URL. |

Log Facet | Description |
---|---|
Scan Source | Name of the protected application or service. |
Security Filter | The security filter includes Data Loss Prevention. |

Log Facet | Description |
---|---|
Delivery Status | Delivery status of the inbound email message routed to Cloud App Security for inline protection. |
Recipient | Recipient of the inbound email message routed to Cloud App Security for inline protection. |