Log Streaming record format


Web Security - Web Hits

[
{
"visit_id": 37338628,
"utc_timestamp": "2019-12-04 03:44:05.132266",
"tz_offset": 0,
"url_domain": "fonts.googleapis.com",
"samaccountname": "user32",
"web_categories": "10429",
"url_categories": null,
"keyword_categories": "65321 22213",
"keywords": [
"google"
],
"final_action": "Allowed",
"log_level": "Do Not Log",
"device_type": "Unrecognized",
"ip_address": "10.0.0.97",
"mac_address": "00:0C:29:1D:52:F5",
"tag": "Test Automation",
"dst_ip_address": "216.58.210.42",
"http_method": "GET",
"url_scheme": "http",
"url_path": "\/css",
"url_query": "family=Open+Sans:300,400,600,700,800&display=swap",
"icap_agent": "USS Gateway",
"feature_control_name": null,
"filter_rule_name": null,
"netbios_domain": null,
"browser": "Tesla Car Browser",
"operating_system": "Linux",
"module_name": null,
"category_name": null,
"pattern": null,
"response_action": null,
"threshold": null,
"score": null,
"web_category_names": [
"File Repositories"
],
"url_category_names": [],
"keyword_category_names": [
"Unknown",
"FontsTest"
],
"hostname": null,
"count": 59
}
]

CASB - Inline Event

[
{
"visit_id": 37090874,
"utc_timestamp": "2019-11-19 14:36:21.472163",
"tz_offset": 0,
"netbios_domain": null,
"samaccountname": null,
"tag": "Test Automation",
"ip_address": "10.0.0.207",
"mac_address": "8C:16:45:60:26:8D",
"dst_ip_address": "216.58.213.100",
"http_method": "GET",
"url_scheme": "https",
"url_domain": "www.google.com",
"url_path": "\/search",
"url_query": "ei=zP3TXd6DEK-E1fAPm72lgAQ&q=censornet&oq=censornet&gs_l=psy-ab.12...0.0..23541...0.0..0.0.0.......0......gws-wiz.xQ9MTpfR4hk&ved=0ahUKEwjemZjbv_blAhUvQhUIHZteCUAQ4dUDCAo",
"browser": "Firefox",
"operating_system": "Windows 10",
"device_type": "Desktop",
"icap_agent": "USS Gateway",
"feature_control_name": null,
"filter_rule_name": "app capture",
"final_action": "Allowed",
"log_level": "High",
"web_categories": "10313",
"url_categories": null,
"app_class": "Search Engine",
"app_name": "Google Search Engine",
"app_action": "Searched on the web",
"app_data": "q=censornet&",
"keyword_categories": "65321 22213",
"keywords": [
"google,censornet",
"search"
],
"web_category_names": [
"Search Engines"
],
"url_category_names": [],
"keyword_category_names": [
"Unknown",
"tomtest"
],
"hostname": null,
"count": 3
}
]

CASB - API Event

[
{
"event_id": 95978,
"utc_timestamp": "2019-10-04 09:40:35",
"action": "add",
"action_value": "427029_10.jpg",
"user_id": "uZGJpZDpBQURBNUwzQTcxX3FXQkFxdF9vS0xEM3laWmtiVkdZNlI5UQ==",
"object_type": "file",
"path": "\/CASB\/IA Test Images\/427029_10.jpg",
"parent_name": "IA Test Images",
"mime_type": "image\/jpeg",
"ip_address": "2.26.223.28",
"user_name": "Trevor Leeds",
"user_email": "tl@domaintest.com",
"service_name": "dropbox",
"threats": [
{
"threat_type": "Adult",
"threat_description": null,
"filename": "427029_10.jpg",
"archive_path": "427029_10.jpg",
"threat_detail": "100% certainty",
"scanner": "ia"
}
]
}
]

Email Security - Email Message

Please ensure your SQS maximum message size is set large enough to receive all of the metadata for each email message; a record that exceeds the queue's limit is not delivered, so size the limit for the largest expected message (the header and rule arrays can be long, as in the example below).
[{
"direction": "incoming",
"delivery_state": "spam_quarantine",
"email_guid": "322fbd0e-c5be-49bb-acac-2a31e87f71b4",
"email_size": "38737",
"originating_ip": "209.85.215.201",
"from_address": "172-GOP-811.0.1650.0.0.8792.9.4585932@google.com",
"to_addresses": [{
"to_address": "james.clerkmaxwell@sssclient.com"
}],
"cc_addresses": [],
"bcc_addresses": [],
"received_date": "2019-12-09 16:30:10+00",
"subject": "Just Published - The 2019 Data Review",
"attachments": [],
"verdict": "spam",
"verdict_details": "Score is 206",
"urls": [{
"url": "https:\/\/fonts.googleapis.com\/css?family=Roboto"
},
{
"url": "https:\/\/fonts.googleapis.com\/css?family=Roboto:100,100i,300,300i,400,400i,500,500i,700,700i&display=swap"
},
{
"url": "https:\/\/fonts.googleapis.com\/css?family=Google+Sans"
}
],
"rules": [{
"rule_data": "DKIM Pass or SPF Pass",
"recipients": [
"ALL"
],
"rule_action": "DMARC Verifying Pass",
"final_action": 0,
"rule_data_name": "DKIM Pass or SPF Pass",
"rule_description": "(Default) Signature Verification"
},
{
"rule_data": "Authentication-Results: in-stage-01; spf=pass smtp.mailfrom=172-GOP-811.0.1650.0.0.8792.9.4585932@google.com; dkim=pass header.i=@google.com; dmarc=pass action=reject header.from=google.com;",
"recipients": [
"ALL"
],
"rule_action": "Add Message Header",
"final_action": 0,
"rule_data_name": "DKIMVereficationHeader",
"rule_description": "(Default) Signature Verification"
},
{
"rule_data": "105",
"recipients": [
"ALL"
],
"rule_action": "Add to Spam Score",
"final_action": 0,
"rule_data_name": "105",
"rule_description": "(Default) CoreService Suspect"
},
{
"rule_data": "101",
"recipients": [
"ALL"
],
"rule_action": "Add to Spam Score",
"final_action": 0,
"rule_data_name": "101",
"rule_description": "Customers - Newsletter Spam"
},
{
"rule_data": "[Marketing Medium]",
"recipients": [
"ALL"
],
"rule_action": "Prefix Text to Subject",
"final_action": 0,
"rule_data_name": "[Marketing Medium]",
"rule_description": "Medium Reputation Marketing"
},
{
"rule_data": "12046",
"recipients": [
"ALL"
],
"rule_action": "Quarantine",
"final_action": 1,
"rule_data_name": "Spam",
"rule_description": "Possible Spam"
}
],
"email_headers": [{
"header_name": "Authentication-Results",
"header_value": " in-stage-01; spf=pass smtp.mailfrom=172-GOP-811.0.1650.0.0.8792.9.4585932@google.com; dkim=pass header.i=@google.com; dmarc=pass action=reject header.from=google.com;"
},
{
"header_name": "Received",
"header_value": "from mail-pg1-f201.google.com ([209.85.215.201]) by IN-STAGE-01 over TLS secured channel with Microsoft SMTPSVC(8.5.9600.16384);\t Mon, 9 Dec 2019 16:30:09 +0000"
},
{
"header_name": "Received",
"header_value": "by mail-pg1-f201.google.com with SMTP id g20so7667944pgb.18 for <james.clerkmaxwell@sssclient.com>; Mon, 09 Dec 2019 08:30:09 -0800 (PST)"
},
{
"header_name": "DKIM-Signature",
"header_value": "v=1; a=rsa-sha256; c=relaxed\/relaxed; d=google.com; s=20161025; h=date:from:reply-to:to:message-id:subject:mime-version :list-unsubscribe; bh=BiFc3n2znjncUk2yyyg+H0w9Y+UzqJ+xJ4bVSoZErDc=; b=pCnJBuv+Gef5Z0DnH21J4jxAnTMFR8a2XD6K6OwKuam3+aFlBqw+\/J2Z5B8ZAnoAgc J0YKWGC68J0I1C3Kto6s4orXZP5onkoEU\/IszjfG7WAebgacTIsStY7tZ3H2c1SqZxih Kx2C8fa7oac1MZIHGzq\/knbEIeXjSGCOpWlwfjSLxjOZCiSJvlNMZfGYY1oTGJgFoi3F IPIpvGkcog2CkDs6btPhXb8Z4pU03wenedbNHcn2dd\/v9EtvgbgV2Dfa4bsPrhr1pxVm i7ykV+sBZqZdywpTAwGfpFLgRH88rJvdUtRtBI0EGfppmLH0b8MdGSkTeDJliJSjCrrw mlsQ=="
},
{
"header_name": "X-Google-DKIM-Signature",
"header_value": "v=1; a=rsa-sha256; c=relaxed\/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:reply-to:to:message-id:subject :mime-version:list-unsubscribe; bh=BiFc3n2znjncUk2yyyg+H0w9Y+UzqJ+xJ4bVSoZErDc=; b=W657VAMoar8hF2PTEzZDL4JGpJq5z2ZId7dAlkICrs8pkDqJbd1yQz8CbXvMfcYn3r QevJXpN2oi9X42kCJsR+8LDr\/DPTdgST1gGhHqKYu2gtIPNI6P3Eh3pTwKPjMQrVyC\/2 kJGvSA+fgildp+3PLbj0X+TREWb84KyfHHEsoKAkOUpw51gEnZ\/kqlsZ85QSxWjphyCD ph34dmLquUASaPo6l4YgjiiYENe65so4vtMWUTGm2hNNeBf9xF6U5QlyZNIeot5EaNte G62zjXyFf6vF0yzdE8otlinM9CIPbEe+\/ykoEE5kLFLtzJcrP5NWoDLYrxcKjW7YMitZ Fl1w=="
},
{
"header_name": "X-Gm-Message-State",
"header_value": "APjAAAVexFyO6bzpo5o+m1Ph7treFyUyr2lQFgPxK6gybD6t9+RmZPcX\tUXLyf5STMCo6EzHWCkoows1cBw=="
},
{
"header_name": "X-Google-Smtp-Source",
"header_value": "APXvYqzy5Bk9ka7Wibr2qMe5dBBhmhuyjUI2qPXmE5GmuVhWlwtWCHqrKUSrG81JVSG9pCDuBQFjx7yZQayljyA="
},
{
"header_name": "X-Received",
"header_value": "by 2002:a17:90a:2469:: with SMTP id h96mr33443573pje.121.1575909008343; Mon, 09 Dec 2019 08:30:08 -0800 (PST)"
},
{
"header_name": "Return-Path",
"header_value": "<172-GOP-811.0.1650.0.0.8792.9.4585932@google.com>"
},
{
"header_name": "Received",
"header_value": "from gopher.mktdns.com (gopher.mktdns.com. [199.15.215.164]) by gmr-mx.google.com with ESMTPS id j2si5136pfi.1.2019.12.09.08.30.08 for <james.clerkmaxwell@sssclient.com> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128\/128); Mon, 09 Dec 2019 08:30:08 -0800 (PST)"
},
{
"header_name": "Return-Path",
"header_value": "<thinkwithgoogle-noreply@google.com>"
},
{
"header_name": "X-MSFBL",
"header_value": "zePA5fetFyFr4kRw005VALnGAHrxqlJkX\/NqGK19mnQ=|eyJ1IjoiMTcyLUdPUC0\t4MTE6NjQ1OTo1MDczOjExODY5OjA6ODc5Mjo5OjE2NTA6NDU4NTkzMiIsImIiOiJ\tkdnAtMTk5LTE1LTIxNS0xNjQiLCJyIjoiamFtZXMuY2xlcmttYXh3ZWxsQHNzc2N\tsaWVudC5jb20iLCJnIjoiYmctc2pyLTA2In0="
},
{
"header_name": "Received",
"header_value": "from [10.0.15.43] ([10.0.15.43:38376] helo=sjmas03.marketo.org)\tby sjmta02.marketo.org (envelope-from <thinkwithgoogle-noreply@google.com>)\t(ecelerity 4.2.38.62370 r(:)) with ESMTP\tid 08\/94-14989-A567EED5; Mon, 09 Dec 2019 10:29:14 -0600"
},
{
"header_name": "Date",
"header_value": "Mon, 9 Dec 2019 10:29:14 -0600"
},
{
"header_name": "From",
"header_value": "Think with Google <thinkwithgoogle-noreply@google.com>"
},
{
"header_name": "Reply-To",
"header_value": "<thinkwithgoogle-noreply@google.com>"
},
{
"header_name": "To",
"header_value": "<james.clerkmaxwell@sssclient.com>"
},
{
"header_name": "Message-ID",
"header_value": "<1802064205.-995280616.1575908954104.JavaMail.mktmail@sjmas03.marketo.org>"
},
{
"header_name": "Subject",
"header_value": "[Marketing Medium] Just Published - The 2019 Data Review"
},
{
"header_name": "MIME-Version",
"header_value": "1.0"
},
{
"header_name": "Content-Type",
"header_value": "multipart\/alternative"
},
{
"header_name": "X-PVIQ",
"header_value": "mkto-172GOP811-000001-000000-001650"
},
{
"header_name": "X-Binding",
"header_value": "bg-sjr-06"
},
{
"header_name": "X-MarketoID",
"header_value": "172-GOP-811:6459:5073:11869:0:8792:9:1650:4585932"
},
{
"header_name": "X-MktArchive",
"header_value": "false"
},
{
"header_name": "List-Unsubscribe",
"header_value": "<mailto:NRKWE5JUOVAXQUJUKZKVA4LQOF2DMLLDGRIT2PI.1650.8792.9@unsub-sj.mktomail.com>"
},
{
"header_name": "X-Mailfrom",
"header_value": "172-GOP-811.0.1650.0.0.8792.9.4585932@google.com"
},
{
"header_name": "X-MSYS-API",
"header_value": "{\"options\":{\"open_tracking\":false,\"click_tracking\":false}}"
},
{
"header_name": "X-OriginalArrivalTime",
"header_value": "09 Dec 2019 16:30:09.0637 (UTC) FILETIME=[EC6BF150:01D5AEAD]"
}
],
"smtp_conversation": null
}]

Admin Audit - Event

[
{
"utc_timestamp": "2019-11-19 14:35:45",
"username": "tom.moreton@emaildomain.com",
"ip_address": "10.0.0.207",
"model": "KeywordCategory",
"url": "https:\/\/api2.clouduss.com\/keyword_categories",
"method": "PUT",
"payload": {
"original": {
"id": 65321,
"name": "tomtest2",
"description": "",
"match_all_patterns": 0,
"match_url_content": 1,
"match_appdata_content": 1,
"match_dlp_content": 1,
"dlp_enabled": 0
},
"changed": {
"id": 65321,
"name": "jankyqa",
"description": "",
"match_all_patterns": 0,
"match_url_content": 1,
"match_appdata_content": 1,
"match_dlp_content": 1,
"dlp_enabled": 0
}
}
}
]

