Data Loss Prevention (DLP) Log Formats

DLP logs show information about DLP events where data identifiers were triggered and a violation occurred. DLP logs are available in all versions. A single DLP event can present in multiple rows of the logs when different data identifiers and file labels are triggered for the same content. Rows pertinent to the same content or event have the same Unique Event ID.

Table of Contents


"2022-02-15 12:05:45","Real Time","f64dcc3f-50fa-410a-b8e1-589894276cee_17c81f85-34f7-4bc5-aa4c-155571f484f6","CRITICAL","Network1","","first.xlsx","Dropbox","","BLOCK","rule-1","classification-2","classifier-2.1","text/html","48","abbd2352c3cfea8846871928bf99ca24dc3a6f162170926649381a6d968869ab", "Confidential"

The example entry is 312 bytes. To estimate the size of your S3 Logs, see Estimate the Size of Your Logs.

Order of Fields in the DLP Log

<timestamp><event type><unique event id><severity><identity><owner><name><application><destination><action><rule><data classification><data identifier><content type><file size><SHA 256 hash><file label>

  • Timestamp—The timestamp of the request transaction in UTC.
  • Event Type—The type of event that matched a data identifier. "Real Time" denotes a proxy-based DLP event triggered by a Real Time rule and "SaaS API" denotes a DLP event triggered by any of the SaaS API rules.
  • Unique Event ID—The unique identifier for the event. There can be multiple violation matches in one event.
  • Severity—The severity of the rule (Low, Medium, High or Critical).
  • Identity—The source that triggered the violation.
  • Owner—The owner of the file.
    Note: This column has limited availability. Contact Support at [email protected] for more information.
  • Name—The name of the file.
  • Application—The application of the request.
  • Destination—The domain of the request.
  • Action—If the violation was Blocked or Monitored.
  • Rule—The DLP rule name.
  • Data Classification—The data classification whose data identifier matched on the violation.
  • Data Identifier—The data identifier that matched on the request.
  • Content Type—The mime type of the file that matches the data identifier.
  • File Size—The size of the file.
  • SHA256 Hash—The hex digest of the response content.
  • File Label—The file name label that matched on the file properties.

Cloud Firewall Log Formats < Data Loss Prevention (DLP) Log Formats > DNS Log Formats