Data Mapping: Secure Access Activity Data

Table 1. Zero Trust Secure Access - Internet Access Activity Data

| Field Name | General Field | Description | Sample |
|---|---|---|---|
| endpointHostName | EndpointName | Endpoint hostname | my_machine<br>jeremy-mbp |
| customerId | - | Company ID | 66f0cb71-4150-4437-ba8b-91151bb1a047<br>c0bc06a1-1777-41e6-babe-978dd1d75627 |
| osName | - | Endpoint device operating system | Windows 10<br>macos 12.1 |
| dst | IPv4<br>IPv6 | Destination IP address | 10.10.10.10 |
| endpointGuid | EndpointID | GUID of the agent that reported the detection | 66f0cb71-4150-4437-ba8b-91151bb12345 |
| principalName | - | User principal name used to log on to the Trend Micro Web Security admin portal | sunny@trendmicro.com<br>millie.hutchinson@etlsystems.com<br>jeremy_tong@trendmicro.com |
| request | URL | The requested destination URL the user is accessing | https://google.com |
| act | - | Action taken for the violation: 0: allow, 1: monitor, 2: block, 3: warn, 4: override, 5: analyze | 4 |
| src | IPv4<br>IPv6 | Source IP address that is connecting to the Internet Access Gateway | 100.100.100.100<br>18.162.103.100 |
| serverTls | - | Server TLS/SSL version | TLS 1.2 |
| eventTime | - | Event generation time on the agent side | 1599465660 |
| serverProtocol | - | HTTP protocol version of the destination server | HTTP/1.1 |
| userAgent | - | Name of the web browser or app the user connects from | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0)<br>Chrome/74.0.3729.108<br>Safari/537.36 |
| rt | - | Report received time | 1599465660 |
| tenantGuid | - | Tenant GUID of the Internet Access Gateway | 66f0cb71-4150-4437-ba8b-91151bb09876 |
| eventName | - | Event type name | SWG_ACTIVITY_LOG |
| application | - | Name of the requested application | Facebook |
| ruleName | - | Name of the rule that triggered the event | ETL_Access Rules_Web_Host |
| clientIp | - | Internal IP address of the source endpoint | "fe80:0:0:0:fc7b:7a74:d273:8d13" |
| requestBase | - | SWG: Domain of the requested URL | www.facebook.com |
| score | - | Web Reputation Services URL rating | 81 |
| userDomain | - | Domain of the username | etlsystems.com |
| suid | UserAccount | User name or IP address | Millie Hutchinson |
| duration | - | Scan completion time, in milliseconds | 28 |
| eventSubName | - | Event type subname | OneDrive download file |
| fileHash | FileSHA1 | SHA-1 of the file that violated the policy | 1e15bf99022a9164708cebb3eace8fd61ad45cba |
| fileHashSha256 | FileSHA2 | SHA-256 of the file that violated the policy | ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93 |
| fileName | FileName | File name of the file that violated the policy | word.doc |
| fileSize | - | Size of the file that violated the policy | 12134 |
| fileType | - | File type of the file that violated the policy | Microsoft Word |
| malName | - | Name of the malware detected | "BadZipFile" |
| mimeType | - | MIME type (content type) of the response body | text/html |
| sender | - | Roaming user or gateway that the web traffic passed through | ETL VPN |
| detectionType | - | Scan type | 60 |
| profile | - | Name of the Threat Protection template or Data Loss Prevention profile that was triggered | "default" |
| userDepartment | - | User department | Sales |
| requestMethod | - | HTTP/HTTPS request method | POST |
| pname | - | Internal product ID (deprecated, use productCode) | "2200"<br>"751"<br>"533" |
| pver | - | Product version | "1.0" |
| deviceGUID | - | GUID of the agent that reported this detection | "d1142f61-5bdf-4a48-bee8-b35f7b6c2376" |
| requestMimeType | - | Requested content type | "application/x-msdos-program"<br>"multipart/related; type=\"application/xop+xml\"; boundary=\"urn:uuid:FE7597F5-87C6-49B4-BE87-CC03F82272A8\"; start=\"<http://tempuri.org/xml/0>\"; start-Info=\"text/xml; charset=utf-8\"" |
| failedHTTPSInspection | - | Whether HTTPS inspection of the traffic failed | TRUE |
| tlsJA3Fingerprint | - | JA3 fingerprint | "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-41,29-23-24,0" |
| responseSize | - | Response length | 6096 |
| clientProtocol | - | Protocol the endpoint used when connecting to the Internet Access Gateway | HTTP/1.1 |
| clientTls | - | TLS version the endpoint used when connecting to the Internet Access Gateway | TLS 1.2 |
| contentEncoding | - | Content encoding of the request or response | "gzip" |
| authType | - | Endpoint authorization method | Agent JWT |
| requestSize | - | Request length | 952 |
| serverRespTime | - | Response time from the requested server, in milliseconds | 311 |
| trafficType | - | Endpoint connection method to the Internet Access Gateway | Forward |
| urlCat | - | Category of the requested URL | Social Networking |

Table 2. Zero Trust Secure Access - Private Access Activity Data

| Field Name | General Field | Description | Sample |
|---|---|---|---|
| endpointHostName | EndpointName | Endpoint hostname | my_machine<br>jeremy-mbp |
| customerId | - | Company ID | 66f0cb71-4150-4437-ba8b-91151bb1a047<br>c0bc06a1-1777-41e6-babe-978dd1d75627 |
| osName | - | Endpoint device operating system | Windows 10<br>macos 12.1 |
| dst | IPv4<br>IPv6 | IP address of the destination private application server | 10.206.209.64 |
| endpointGuid | EndpointID | Endpoint ID generated by the Secure Access Module | DSP84573ULLJHM5GK2R7 |
| principalName | - | User principal name of the signed-in user | sunny@trendmicro.com<br>millie.hutchinson@etlsystems.com<br>jeremy_tong@trendmicro.com |
| request | URL | The requested destination URL the user is accessing | SWG: https://google.com<br>ZTNA: /api/example/v1/testit |
| act | - | Action taken for the violation | block |
| src | IPv4<br>IPv6 | Public IP address of the source endpoint | 100.100.100.100<br>18.162.103.100 |
| serverTls | - | Server TLS/SSL version, as a code: TLS1.3: 34, TLS1.2: 33, TLS1.1: 32, TLS1.0: 31, SSL3.0: 30, TSL2.0: 20, SSL1.0: 10 | 31 |
| eventTime | - | Event generation time on the agent side | 1599465660 |
| serverProtocol | - | HTTP protocol version of the destination server | 1.1 |
| userAgent | - | Name of the web browser or app the user connects from | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0)<br>Chrome/74.0.3729.108<br>Safari/537.36 |
| rt | - | Report received time | 1599465660 |
| tenantGuid | - | Tenant GUID of the Internet Access Gateway | 66f0cb71-4150-4437-ba8b-91151bb09876 |
| eventName | - | Event type name | ZTNA_ACTIVITY_LOG<br>ZTNA_DETECTION_LOG |
| application | - | Name of the requested application | wiki |
| ruleName | - | Name of the rule that triggered the event | block_wiki_for_guest |
| clientIp | - | Virtual IP address of the source endpoint's Secure Access Module | 10.64.23.45<br>100.64.0.2 |
| requestBase | - | Domain of the requested private application | gary.webserver64.com |
| ruleType | - | Type of rule that was triggered | access |
| ruleUuid | - | UUID of the triggered rule | 12340518-abd7-43e1-9b73-2f55c4c95a8e |
| objectId | - | UUID of the private access application | 6f1fe071-9636-4c99-9a4d-c9f6d409a4c8 |
| spt | Port | Source virtual port assigned to the endpoint's Secure Access Module | 57763 |
| policyUuid | - | UUID of the triggered Private Access or Risk Control rule | afef0518-abd7-43e1-9b73-2f55c4c95a8e |
| dpt | Port | Destination port of the private application server | 443 |
| companyName | - | Company name | Trend Micro |
| start | - | Secure Access Module session start time | 1575462989 |
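The two tables encode the same concept differently in places (`act` is a numeric code in Internet Access logs but a name in Private Access logs; `serverTls` is a version string in Table 1 but a numeric code in Table 2). The following added example, which is not part of the original page or the product's own tooling, normalizes a record from either table into one shape and attaches triage flags; the "weak TLS" threshold, the flag names and the sample records are this example's own assumptions.

```python
from datetime import datetime, timezone

# Code tables taken from the mapping tables above (act from Table 1, serverTls from Table 2).
ACT_CODES = {0: "allow", 1: "monitor", 2: "block", 3: "warn", 4: "override", 5: "analyze"}
TLS_CODES = {34: "TLS1.3", 33: "TLS1.2", 32: "TLS1.1", 31: "TLS1.0",
             30: "SSL3.0", 20: "TSL2.0", 10: "SSL1.0"}
# Flag anything older than TLS 1.2; the threshold is this example's own assumption.
WEAK_TLS = {"TLS1.1", "TLS1.0", "SSL3.0", "TSL2.0", "SSL1.0"}

def _is_code(value):
    return isinstance(value, int) or (isinstance(value, str) and value.isdigit())

def decode_act(value):
    """act is a numeric code in Internet Access logs and a name in Private Access logs."""
    return ACT_CODES.get(int(value), f"unknown({value})") if _is_code(value) else str(value).lower()

def decode_tls(value):
    """serverTls is a string such as 'TLS 1.2' (Table 1) or a numeric code such as 31 (Table 2)."""
    if _is_code(value):
        return TLS_CODES.get(int(value), f"unknown({value})")
    return str(value).replace(" ", "") if value else None

def normalize(record):
    """Map one SWG or ZTNA activity record into a common shape plus triage flags."""
    action, tls = decode_act(record.get("act")), decode_tls(record.get("serverTls"))
    flags = []
    if str(record.get("failedHTTPSInspection", "")).upper() == "TRUE":
        flags.append("https_inspection_failed")  # content of this session was not scanned
    if tls in WEAK_TLS:
        flags.append("weak_server_tls")
    if record.get("malName"):
        flags.append("malware_detected")
    if action == "block":
        flags.append("blocked")
    return {"event": record.get("eventName"), "user": record.get("principalName"),
            "endpoint": record.get("endpointHostName"), "dst": record.get("dst"),
            "request": record.get("request"), "action": action, "server_tls": tls,
            "time": datetime.fromtimestamp(int(record["eventTime"]), tz=timezone.utc).isoformat(),
            "flags": flags}

# Constructed sample records modelled on the table samples; not real log data.
SWG_SAMPLE = {"eventName": "SWG_ACTIVITY_LOG", "endpointHostName": "jeremy-mbp",
              "principalName": "jeremy_tong@trendmicro.com", "dst": "10.10.10.10",
              "request": "https://google.com", "act": 4, "serverTls": "TLS 1.2",
              "failedHTTPSInspection": "TRUE", "eventTime": 1599465660}
ZTNA_SAMPLE = {"eventName": "ZTNA_DETECTION_LOG", "endpointHostName": "my_machine",
               "principalName": "millie.hutchinson@etlsystems.com", "dst": "10.206.209.64",
               "request": "/api/example/v1/testit", "act": "block", "serverTls": 31,
               "eventTime": 1599465660}
```

Running `normalize()` over both samples yields `override` with an `https_inspection_failed` flag for the SWG record and `block` with `weak_server_tls` and `blocked` flags for the ZTNA record, which is the kind of field-level consistency a SIEM parser needs before rules can be written against either log type.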