DNS Push Security Events
| Secure Access Key | Type | Description |
|---|---|---|
| specversion | string | The version of the Push Security Event schema. |
| type | string | The type of the security event. |
| source | string | The unique label that describes the source of the security event. |
| orgid | integer | The unique identifier of the organization. |
| integrationid | string | The unique identifier of the integration. |
| id | string | The unique identifier for the push security event. |
| time | string | The date and time when the system sent the event. The system formats the timestamp in the ISO 8601 format. |
| datacontenttype | string | The type of the content in the push security event. |
| data | object | The properties of the data for the push security events. |
data
| Secure Access Key | Type | Description |
|---|---|---|
| events | array | The list of push security event messages. |
data.events
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| activity_id | | integer | The unique identifier of the activity that triggered the security event. |
| category_uid | | integer | The unique identifier of the security event category. |
| cisco_dns_metadata | | object | The properties of the Cisco DNS metadata. |
| cisco_event_id | Event ID | string | The unique identifier of the security event. |
| cisco_event_type | | string | The type of the security event. |
| cisco_organization_id | Organization ID | number | The unique identifier of the organization. |
| cisco_origin | | object | The properties of the origin. |
| cisco_other_origins | | array | The list of the other origins. |
| class_uid | | integer | The unique identifier of the class. |
| metadata | | object | The metadata for the security event. |
| policy | | object | The properties of the components and profiles for the access rules in the Access policy. |
| query | | object | The properties of the DNS request. |
| rcode_id | RCode | number | The DNS RCODE returned to the client: 0 is NOERROR, 2 is SERVFAIL, 3 is NXDOMAIN. |
| severity_id | | number | The unique identifier of the severity. |
| src_endpoint | | object | The properties of the client endpoint. |
| time | Timestamp | string | The date and time when the system recorded the security event, expressed in milliseconds since the Unix epoch (unlike the envelope `time`, which is ISO 8601). |
| type_uid | | integer | The unique identifier of the type for the security event. |
data.events.cisco_dns_metadata
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| client_reporting_id | Client Reporting ID | string | The unique ID of a type of component in a specific device. |
| destination_countries | Destination Countries | array(string) | The ISO-3166 alpha-2 country code associated with an IP address of the destination. |
| handling | Handling | string | The label that describes the status of the push security event. The possible values are: APPLICATION, BLOCKED, BOTNET, DOMAINTAGGING, EXPIRED, MALWARE, NAVIGATION, NODATA, NORMAL, NXDOMAIN, PHISH, SERVFAIL, SUSPICIOUS, WILDCARD, URL_PROXY, SECURITY, WHITELISTED, REFUSED, SINKHOLE, URL_PROXY_HTTPS, PDNS, ALLOWLISTED |
| internal_client_ip | Internal Client IP | string | The IP address of a client that connects to the DNS resolver through a Secure Access virtual appliance. The address is IPv4 or IPv6 and is most likely a private address. |
| public_suffix | Public Suffix | string | The suffix of the public domain associated with the destination and the security event. |
data.events.cisco_origin
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| id | Origin ID | integer | The unique identifier of the endpoint. |
| type | Origin Type | string | The type of the endpoint, for example: Networks, AD Computer. |
data.events.cisco_other_origins
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| id | Origin ID | integer | The unique identifier of the endpoint. |
| type | Origin Type | number | The type of the endpoint. The possible values are: 1 is Networks, 5 is ADComputers. |
data.events.metadata
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| product | | object | The properties of the product. |
| version | | string | The version of the product. |
data.events.metadata.product
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| name | | string | The name of the product. |
data.events.policy
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| blocked_categories | Blocked Categories | array(string) | The security category associated with the destination. |
| categories | Categories | array(string) | The label for the security category. |
| uid | Rule ID | integer | The unique identifier of the access rule in the Access policy that matches the network traffic. |
data.events.query
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| hostname | Query Name | string | The hostname in the DNS request. |
| type | Query Type | string | The record type of the DNS request, given as the numeric record type. For example: 1 for an A record, 16 for a TXT record. |
data.events.src_endpoint
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| ip | External Client IP | string | The public IPv4 or IPv6 address of the client endpoint seen by the DNS resolver. |
| name | | string | The hostname of the client endpoint. |
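The tables above describe one JSON document: an envelope whose `data.events` array carries the DNS events. The Python below is an added example, not Cisco's own code, showing how a receiver would validate the envelope fields, flatten each `data.events` entry into the fields an analyst keys on, and decode `rcode_id`, `query.type` and the other-origin `type` using the value mappings stated on this page. The sample payload (`SAMPLE_ENVELOPE`), the `type`, `source` and product strings in it, and the rule that a query counts as blocked when `handling` is `BLOCKED` or `policy.blocked_categories` is non-empty are assumptions made for the example; the page does not define which `handling` values mean a block.

```python
"""Triage a DNS Push Security Event payload.

Added example for this page, not Cisco code. SAMPLE_ENVELOPE is constructed
from the field tables above; identifiers, addresses and domains are made up.
"""
import json
from datetime import datetime, timezone

# Value mappings stated in the field descriptions on this page.
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
ORIGIN_TYPES = {1: "Networks", 5: "ADComputers"}
QUERY_TYPES = {"1": "A", "16": "TXT"}   # query.type is a string carrying the numeric record type

REQUIRED_ENVELOPE = ("specversion", "type", "source", "orgid", "integrationid",
                     "id", "time", "datacontenttype", "data")


def _event(event_id, hostname, qtype, rcode, handling, blocked_cats):
    """Build one constructed data.events entry (illustrative values only)."""
    return {
        "activity_id": 1, "category_uid": 4, "class_uid": 4003, "type_uid": 400301,
        "severity_id": 1, "cisco_event_id": event_id, "cisco_event_type": "dns",
        "cisco_organization_id": 1234567,
        "cisco_dns_metadata": {"client_reporting_id": "cr-01", "destination_countries": ["US"],
                               "handling": handling, "internal_client_ip": "10.1.2.3",
                               "public_suffix": hostname.rsplit(".", 1)[1]},
        "cisco_origin": {"id": 111, "type": "Networks"},
        "cisco_other_origins": [{"id": 222, "type": 5}],
        "metadata": {"product": {"name": "Cisco Secure Access"}, "version": "1.0.0"},
        "policy": {"blocked_categories": blocked_cats, "categories": ["Example"], "uid": 42},
        "query": {"hostname": hostname, "type": qtype},
        "rcode_id": rcode,
        "src_endpoint": {"ip": "203.0.113.10", "name": "laptop-01"},
        "time": "1714564800000",   # milliseconds since the Unix epoch, as a string
    }


# Constructed sample: one allowed query followed by one blocked query.
SAMPLE_ENVELOPE = json.dumps({
    "specversion": "1.0", "type": "dns.security.event", "source": "secure-access",
    "orgid": 1234567, "integrationid": "int-0001", "id": "env-0001",
    "time": "2024-05-01T12:00:00Z", "datacontenttype": "application/json",
    "data": {"events": [
        _event("e-0001", "www.example.com", "1", 0, "NORMAL", []),
        _event("e-0002", "malware.example.net", "16", 3, "BLOCKED", ["Malware"]),
    ]},
})


def parse_envelope(raw: str) -> dict:
    """Decode the push payload and check the envelope fields listed on this page."""
    env = json.loads(raw)
    missing = [k for k in REQUIRED_ENVELOPE if k not in env]
    if missing:
        raise ValueError(f"envelope missing fields: {missing}")
    if not isinstance(env["orgid"], int):
        raise ValueError("orgid must be an integer")
    if not isinstance(env["data"].get("events"), list):
        raise ValueError("data.events must be an array")
    # Envelope time is ISO 8601; fromisoformat() before 3.11 rejects a trailing Z.
    env["sent_at"] = datetime.fromisoformat(env["time"].replace("Z", "+00:00"))
    return env


def triage_event(ev: dict) -> dict:
    """Flatten one data.events entry into the fields an analyst keys on."""
    meta = ev.get("cisco_dns_metadata", {})
    policy = ev.get("policy", {})
    query = ev.get("query", {})
    origin = ev.get("cisco_origin", {})
    rcode = ev.get("rcode_id")
    handling = meta.get("handling")
    blocked_cats = policy.get("blocked_categories") or []
    return {
        "event_id": ev.get("cisco_event_id"),
        # Event time is milliseconds since the Unix epoch (string or number), not ISO 8601.
        "time": datetime.fromtimestamp(int(ev["time"]) / 1000, tz=timezone.utc),
        "hostname": query.get("hostname"),
        "query_type": QUERY_TYPES.get(str(query.get("type")), f"TYPE{query.get('type')}"),
        "rcode": RCODES.get(rcode, f"RCODE{rcode}"),
        "handling": handling,
        # Assumption: handling BLOCKED or a non-empty blocked_categories means the query was blocked.
        "blocked": handling == "BLOCKED" or bool(blocked_cats),
        "blocked_categories": list(blocked_cats),
        "rule_id": policy.get("uid"),
        "external_ip": ev.get("src_endpoint", {}).get("ip"),
        "internal_ip": meta.get("internal_client_ip"),
        "origin": f"{origin.get('type')}:{origin.get('id')}",
        "other_origins": [f"{ORIGIN_TYPES.get(o.get('type'), o.get('type'))}:{o.get('id')}"
                          for o in ev.get("cisco_other_origins", [])],
    }


def blocked_queries(raw: str) -> list:
    """Return the triaged events that the resolver blocked, oldest first."""
    env = parse_envelope(raw)
    return [t for t in map(triage_event, env["data"]["events"]) if t["blocked"]]


if __name__ == "__main__":
    for row in blocked_queries(SAMPLE_ENVELOPE):
        print(row["time"].isoformat(), row["hostname"], row["query_type"], row["rcode"],
              row["handling"], row["blocked_categories"], row["internal_ip"], row["origin"])
```

Two details in this schema catch receivers out and are handled above: the envelope `time` is an ISO 8601 string while each event's `time` is a millisecond epoch count, and `query.type` is a string holding the numeric record type, so compare it as a string (or convert it) rather than against the integer.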