Log Facets

Cloud App Security stores data as searchable indexes in cloud databases. Use these log facets to narrow a search to a specific data set. The following tables describe the available log facets for each log type.

Table 1. Security Risk Scan Log Facets

Log Facet

Description

Scan Source

Name of the protected application or service.

Security Filter

The security filter includes Advanced Spam Protection, File Blocking, Malware Scanning, and Web Reputation.

Detected by

Technology or method through which email messages and files were detected as containing a security threat.

Virus Name

Name of the virus detected.

Spam Category

Category of the spam email message detected.

URL Category

Category of the suspicious URL detected.

Risk Level

Risk level of a URL classified by Trend Micro Web Reputation Services.

Affected User

For Exchange Online and Gmail, the mailbox that received an email message violating a policy. For SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, the user account that uploaded or modified a file violating a policy. For Salesforce, the user account that updated an object record violating a policy. For Teams Chat, the user that sent a private chat message violating a policy.

Triggered Policy

Name of the Security Risk Scan policy that was violated.

Action

Action taken for a file, message, or Salesforce object record that violates a policy.

Table 2. Ransomware Log Facets

Log Facet

Description

Scan Source

Name of the protected application or service.

Security Filter

The security filter includes Malware Scanning and Web Reputation.

Ransomware Name

Name of the ransomware detected.

Domain

Domain detected with ransomware.

Sender

Mailbox that distributed the ransomware.

Table 3. Virtual Analyzer Log Facets

Log Facet

Description

Scan Source

Name of the protected application or service.

Virus Name

Name of the virus detected.

Risk Level

Risk level that Virtual Analyzer assigned after analyzing a file for threatening behavior.

Affected User

For Exchange Online and Gmail, the mailbox that received an email message violating a policy. For SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, the user account that uploaded or modified a file violating a policy. For Teams Chat, the user that sent a private chat message violating a policy.

Triggered Policy

Name of the Virtual Analyzer policy that was violated.

Action

Action taken for a file or message that violates a policy.

Table 4. Data Loss Prevention Log Facets

Log Facet

Description

Scan Source

Name of the protected application or service.

Affected User

For Exchange Online and Gmail, the mailbox that received an email message violating a policy. For SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, the user account that uploaded or modified a file violating a policy. For Salesforce, the user account that updated an object record violating a policy. For Teams Chat, the user that sent a private chat message violating a policy.

Triggered Policy

Name of the Data Loss Prevention policy that was violated.

Triggered Template

Name of the compliance template that was violated to trigger the Data Loss Prevention policy.

Action

Action taken for a file, message, or Salesforce object record that violates a policy.

Security Filter

The security filter includes Data Loss Prevention, Keyword Extraction, and Box Shared Links Control.

Table 5. Quarantine Log Facets

Log Facet

Description

Scan Source

Name of the protected application or service.

Security Filter

The security filter includes Virtual Analyzer, File Blocking, Web Reputation, Data Loss Prevention and Malware Scanning.

Affected User

For Exchange Online, the mailbox that received a message violating a policy. For SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive, the user account that uploaded or modified a file violating a policy. For Salesforce, the user account that updated an object record violating a policy.

Quarantine Type

Whether an email message or a file is already quarantined.

Restored by

Whether it is the administrator or end user who restored a quarantined file in Box violating a Data Loss Prevention policy.

Table 6. Audit Logs Log Facet

Log Facet

Description

User

Name of the user who performs management operations.

Action

Operation that a user performs, including logon events, scheduled user data synchronizations, and policy changes.