Guides
ProductDeveloperPartnerPersonal
Guides
ProductDeveloperPartnerPersonal

Data Loss Prevention (DLP) Log Formats

Suggest Edits

DLP logs show information about DLP events where data identifiers were triggered and a violation occurred. DLP logs are available in all versions. A single DLP event can present in multiple rows of the logs when different data identifiers and file labels are triggered for the same content. Rows pertinent to the same content or event have the same Unique Event ID.

Table of Contents

Examples

"2022-02-15 12:05:45","Real Time","f64dcc3f-50fa-410a-b8e1-589894276cee_17c81f85-34f7-4bc5-aa4c-155571f484f6","CRITICAL","Network1","","first.xlsx","Dropbox","<http://google.com","BLOCK","rule-1","classification-2","classifier-2.1","text/html","48","abbd2352c3cfea8846871928bf99ca24dc3a6f162170926649381a6d968869ab">, "Confidential","","","dlpprivateresource","","https","127.0.0.1","443","8247177"

The example entry is 397 bytes. To estimate the size of your S3 Logs, see Estimate the Size of Your Logs.

Order of Fields in the DLP Log

<timestamp><event type><unique event id><severity><identity><owner><name><application><destination><action><rule><data classification><data identifier><content type><file size>\<SHA 256 hash><file label><application category name><traffic direction><private resource name><private resource group name><destination protocol><destination ip><destination port><organization id>

  • Timestamp—The timestamp of the request transaction in UTC.
  • Event Type—The type of event that matched a data identifier. "Real Time" denotes a proxy-based DLP event triggered by a Real Time rule and "SaaS API" denotes a DLP event triggered by any of the SaaS API rules.
  • Unique Event ID—The unique identifier for the event. There can be multiple violation matches in one event.
  • Severity—The severity of the rule (Low, Medium, High or Critical).
  • Identity—The source that triggered the violation.
  • Owner—The owner of the file.
    Note: This column has limited availability. Contact Support at [email protected] for more information.
  • Name—The name of the file.
  • Application—The application of the request.
  • Destination—The domain of the request.
  • Action—If the violation was Blocked or Monitored.
  • Rule—The DLP rule name.
  • Data Classification—The data classification whose data identifier matched on the violation.
  • Data Identifier—The data identifier that matched on the request.
  • Content Type—The mime type of the file that matches the data identifier.
  • File Size—The size of the file.
  • SHA256 Hash—The hex digest of the response content.
  • File Label—The file name label that matched on the file properties.
  • Application Category Name—The category of the requested web application. For more information, see Application Categories.
  • Traffic Direction—Direction of traffic. (Applies only to some applications, such as OpenAI API and OpenAI ChatGPT.)
  • Private Resource Name—The name of the private resource.
  • Private Resource Group Name—The private resource group name if the matched rule destination was a private resource group.
  • Destination Protocol—The protocol of the destination.
  • Destination IP—The IP address of the destination.
  • Destination Port—The port of the destination.
  • Organization ID—The Umbrella organization ID. For more information, see Find Your Organization ID.

Cloud Firewall Log Formats < Data Loss Prevention (DLP) Log Formats > DNS Log Formats

Updated 25 days ago