Push Security Events: Cloud Events Samples
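Samples of Push Security Events sent from Secure Access to an HTTP listener set up by the organization. Each sample is a CloudEvents envelope (`specversion` "1.0") whose `data.events` array carries one or more events (the DNS sample carries two), so a listener should iterate the array rather than expect a single event. In these samples `orgid` appears as a number in most envelopes and as a string in the Web sample, so a listener should accept either type. The payloads include full request URLs with query strings, internal client IP addresses and Active Directory SIDs, so received events should be stored and logged as sensitive data.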
DLP Push Security Events
{
"specversion": "1.0",
"type": "secureaccess.events.security.v1",
"source": "secureaccess.events.security",
"orgid": 8279319,
"integrationid": "webhook.v1:9944d9f6-aa9f-477b-a535-4f35c066e96d",
"id": "de1e578d-d4f4-5f87-9664-e59585330d19",
"time": "2025-12-03T04:24:09.97782319Z",
"datacontenttype": "application/json",
"data": {
"events": [
{
"activity_id": 0,
"category_uid": 4,
"cisco_dlp_metadata": {
"action": "MONITOR",
"application_name": "OpenAI ChatGPT",
"content_type": "-",
"destination_protocol": "",
"destination_url": "http://ab.chatgpt.com/v1/rgstr?k=client-nb0qtYlZuy2tCMN5s5ncnuIBCJncjRViT0IzFm7GqST\u0026st=javascript-client\u0026sv=3.26.0\u0026t=1764735842845\u0026sid=00871a05-3842-4da6-9e46-6cef7b234bc2\u0026ec=8\u0026gz=1",
"event_type": "REAL_TIME",
"file_name": "",
"owner_email": "",
"severity": "CRITICAL",
"taac_profile_id": "",
"taac_tenant_id": "",
"traffic_direction": "INBOUND",
"unique_event_id": "2e7aceae-6ffc-40a1-8a0c-fc1a3e94762a_968e3362-ff99-4c9b-b3fa-9fda76f3a9c6_REQUEST"
},
"cisco_event_id": "2e7aceae-6ffc-40a1-8a0c-fc1a3e94762a",
"cisco_event_type": "dlp",
"cisco_organization_id": 8279319,
"cisco_origins": [
{
"id": 1083323349,
"type": "AD Users"
}
],
"class_uid": 4001,
"dst_endpoint": {
"name": ""
},
"metadata": {
"correlation_id": "2e7aceae-6ffc-40a1-8a0c-fc1a3e94762a",
"product": {
"name": "ciscoSecureAccess"
},
"version": "1.6.0"
},
"policy": {
"data": {
"application_category_name": "",
"classification": "Built-in GDPR Classification",
"classifier_name": "IP Address",
"file_hash": "e07809ad47dcadf6933c3ea27f3197aff9319f0ab72239bcd4ebf869533ebb17",
"file_label": "",
"file_size": 1162,
"private_resource_group_name": "",
"private_resource_name": ""
},
"name": "RK DLP rules -22 Oct"
},
"severity_id": 0,
"time": 1764735842885,
"type_uid": 400100
}
]
}
}
DNS Push Security Events
{
"specversion": "1.0",
"type": "secureaccess.events.security.v1",
"source": "secureaccess.events.security",
"id": "9bcd28c8-27fc-51b8-bc1e-faa321368d81",
"time": "2025-12-03T04:31:56.977554208Z",
"integrationid": "webhook.v1:67b524f7-f23c-4c9e-b91d-227343e764a9",
"orgid": 8257758,
"datacontenttype": "application/json",
"data": {
"events": [
{
"activity_id": 6,
"category_uid": 4,
"cisco_dns_metadata": {
"client_reporting_id": "",
"destination_countries": [],
"handling": "BLOCKED",
"internal_client_ip": "",
"public_suffix": "com"
},
"cisco_event_id": "ac174fec69a1d65a9bd7e4da481da94f46255fc0385d4cb19751d93d0c4c405b",
"cisco_event_type": "dns",
"cisco_organization_id": 8257758,
"cisco_origin": {
"id": 611643136,
"type": "Networks"
},
"cisco_other_origins": [],
"class_uid": 4003,
"metadata": {
"product": {
"name": "ciscoSecureAccess"
},
"version": "1.6.0"
},
"policy": {
"blocked_categories": [
"Block List"
],
"categories": [
"Financial Institutions",
"Block List",
"Cryptomining"
],
"uid": "1738336"
},
"query": {
"hostname": "www.nicehash.com.",
"type": "A"
},
"rcode_id": 0,
"severity_id": 0,
"src_endpoint": {
"ip": "35.93.38.97",
"name": ""
},
"time": 1764736282822,
"type_uid": 400306
},
{
"activity_id": 6,
"category_uid": 4,
"cisco_dns_metadata": {
"client_reporting_id": "",
"destination_countries": [],
"handling": "BLOCKED",
"internal_client_ip": "",
"public_suffix": "com"
},
"cisco_event_id": "cceb087a82fdb4ebb673e79b5f225fc9eb9a39960498bfa3edb97577980a7e4a",
"cisco_event_type": "dns",
"cisco_organization_id": 8257758,
"cisco_origin": {
"id": 611643136,
"type": "Networks"
},
"cisco_other_origins": [],
"class_uid": 4003,
"metadata": {
"product": {
"name": "ciscoSecureAccess"
},
"version": "1.6.0"
},
"policy": {
"blocked_categories": [
"Block List"
],
"categories": [
"Block List",
"Cryptomining"
],
"uid": "1738336"
},
"query": {
"hostname": "braiins.com.",
"type": "A"
},
"rcode_id": 0,
"severity_id": 0,
"src_endpoint": {
"ip": "35.93.38.97",
"name": ""
},
"time": 1764736288824,
"type_uid": 400306
}
]
}
}
Web Push Security Events
{
"specversion": "1.0",
"type": "secureaccess.events.security.v1",
"source": "secureaccess.events.security",
"orgid": "8176184",
"integrationid": "webhook.v1:9aeec06f-7f1d-4021-8c05-8aaf5cdc85f8",
"id": "8db6c60a-4120-5184-943e-c1595c4d861a",
"time": "2026-01-06T18:11:59.413539751Z",
"datacontenttype": "application/json",
"data": {
"events": [
{
"activity_id": 0,
"category_uid": 4,
"cisco_ai_supply_chain": {
"model_name": "",
"scr_categories": []
},
"cisco_event_id": "ea8e9dbce5d3d64858b52c9f202f90d4714c7306d15541754edf5f822c69122e",
"cisco_event_type": "web",
"cisco_mcp": [],
"cisco_organization_id": 8176184,
"cisco_origin": {
"id": 1360486259,
"type": "AD Users"
},
"cisco_other_origins": [],
"cisco_swg_metadata": {
"connection_id": "4ab5d08a668d8678",
"forwarding_method": "",
"https_query_params": "",
"internal_client_ip": "10.100.65.127",
"is_decrypted": false,
"is_reserved_ip": false,
"response_sha256": "",
"traffic_source": ""
},
"cisco_swg_verdict": {
"action": "BLOCKED",
"amp_disposition": "",
"amp_malware_name": "",
"amp_score": 0,
"av_engines": [],
"avc": {
"allowed_application_ids": [],
"application_entity_category": "",
"application_entity_name": "",
"application_ids": [],
"blocked_application_ids": []
},
"blocked_categories": [ "Malware" ],
"blocked_destination_countries": [],
"categories": ["Malware","Computer Security"],
"detected_response_file_type": "",
"dlp_status": "",
"http_errors": [],
"remote_browser_isolation": {
"file_action": "",
"isolated_state": "not_isolated"
}
},
"class_uid": 4002,
"dst_endpoint": {
"name": ""
},
"file": {
"name": "",
"type_id":0
},
"http_request": {
"http_method": "GET",
"length": 0,
"referrer": "https://www.eicar.org/",
"url": {
"url_string": "https://secure.eicar.org/eicar_com.zip"
},
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36"
},
"http_response": {
"body_length": 0,
"code": 303,
"content_type": "text/html",
"length": 991
},
"metadata": {
"correlation_id": "e7ae6c95-f14d-45bb-b2e4-657d31a61808",
"product": {
"name": "ciscoSecureAccess"
},
"version": "1.6.0"
},
"policy": {
"data": {
"destination_list_ids": [],
"security_overridden": false,
"tenant_id": "",
"tenant_profile_name": "",
"time_based_rule": false
},
"uid": "334893"
},
"proxy_endpoint": {
"ip": "151.186.183.15"
},
"severity_id": 0,
"src_endpoint": {
"ip": "10.100.65.127",
"name": ""
},
"time": 1767723105492,
"type_uid": 400200
}
]
}
}
Firewall Push Security Events
{
"specversion": "1.0",
"type": "secureaccess.events.security.v1",
"source": "secureaccess.events.security",
"orgid": 8257939,
"integrationid": "webhook.v1:e64db902-d58c-4899-ac56-e19a88fa2dd9",
"id": "ea7c3540-3bd9-56fe-a189-737531df6d89",
"time": "2025-12-05T04:45:31.880243417Z",
"datacontenttype": "application/json",
"data": {
"events": [
{
"activity_id": 0,
"category_uid": 4,
"cisco_event_id": "ab99c21159cf30bad3ef589cc2cd3a32db6b14f556f0ac96aebd859e3ed85bb2",
"cisco_event_type": "firewall",
"cisco_fw_metadata": {
"app_id": 0,
"app_protocol_id": 1,
"bytes_received": 5789,
"bytes_sent": 611,
"client_application_id": "",
"client_version": "",
"config_mask": 0,
"direction": "S2C",
"dns_query": "",
"egress_ip": "198.51.100.10",
"fw_event_id": "fw-evt-0000",
"http_response_code": 500,
"is_reserved_ip": false,
"match_mask": 0,
"packet_size": 60,
"packets_received": 6,
"packets_sent": 50,
"referenced_host": "",
"tcp_flag_bits": 16,
"traffic_source": "1",
"user_agent": ""
},
"cisco_organization_id": 8257939,
"cisco_origin": {
"id": 1001,
"type": "AD Computers"
},
"cisco_other_origins": [
{
"id": 1002,
"type": "Networks"
}
],
"class_uid": 4001,
"cloud": {
"region": "us-east-1b"
},
"connection_info": {
"direction_id": 0,
"protocol_num": 1,
"uid": "conn-0000-194"
},
"dst_endpoint": {
"ip": "93.184.216.34",
"location": {
"country": "GB"
},
"name": "",
"port": 443
},
"metadata": {
"product": {
"name": "ciscoSecureAccess"
},
"version": "1.6.0"
},
"policy": {
"data": {
"casi_category_ids": [],
"content_category_ids": [
150,
108,
66
],
"content_category_list_ids": [],
"destination_lists": [],
"fw_block_reason": "INTRUSION_BLOCK",
"policy_revision": "v1",
"posture_id": "",
"private_app_id": "",
"private_flow": false
},
"uid": "2001",
"verdict": "BLOCK"
},
"severity_id": 0,
"src_endpoint": {
"ip": "10.0.0.5",
"name": "",
"port": 50000
},
"time": 1764909928923,
"type_uid": 400100,
"url": {
"url_string": ""
}
}
]
}
}
IPS Push Security Events
{
"specversion": "1.0",
"type": "secureaccess.events.security.v1",
"source": "secureaccess.events.security",
"orgid": 8257939,
"integrationid": "webhook.v1:e64db902-d58c-4899-ac56-e19a88fa2dd9",
"id": "72b7b371-b7f8-5143-8a78-3ce7ca4838e0",
"time": "2025-12-10T04:16:52.803090254Z",
"datacontenttype": "application/json",
"data": {
"events": [
{
"activity_id": 0,
"category_uid": 4,
"cisco_event_id": "3df2d21785248f93354252ebe3dc1e5bfa56b9cabf055e2b0d2263593db4dd94",
"cisco_event_type": "intrusion",
"cisco_ips_metadata": {
"action": "WOULD_BLOCK",
"attack_classification": "Misc activity",
"correlation_uid": "b4fa2217825152e",
"direction": "C2S",
"egress_ip": "",
"enforcement_point": "SECURE_ACCESS_CLOUD",
"ftd_enforcement_id": 0,
"ftd_enforcement_name": "",
"fw_event_id": "9491e4fa2f8fe2cc72187959a4fa199e8df221e19b727f4783df4dda17b35c66-7-1765340200-3813",
"is_reserved_ip": false,
"operation_mode": "IDS",
"snort_generator_id": 1,
"snort_signature_id": 402
},
"cisco_organization_id": 8257939,
"cisco_origin": {
"id": 611117028,
"type": "Network Tunnels"
},
"class_uid": 4001,
"cloud": {
"region": "us-west-2a"
},
"connection_info": {
"direction_id": 0,
"protocol_num": 1
},
"dst_endpoint": {
"ip": "8.8.8.8",
"name": ""
},
"firewall_rule": {
"uid": "1193300"
},
"metadata": {
"product": {
"name": "ciscoSecureAccess"
},
"version": "1.6.0"
},
"policy": {
"data": {
"ips_config_type": "PROFILE",
"ips_resource_id": 6914,
"priority": "LOW"
}
},
"severity_id": 0,
"src_endpoint": {
"ip": "172.31.22.250",
"name": "",
"port": 0
},
"time": 1765340200439,
"type_uid": 400100,
"url": {
"url_string": ""
}
}
]
}
}
RAVPN Push Security Events
{
"specversion": "1.0",
"type": "secureaccess.events.security.v1",
"source": "secureaccess.events.security",
"orgid": 8287046,
"integrationid": "webhook.v1:842c62b9-f45f-404a-bc6a-5fdd2884497b",
"id": "c3d4e9a1-6993-5ed1-b85e-71b871567ee1",
"time": "2025-12-05T11:12:45.043100255Z",
"datacontenttype": "application/json",
"data": {
"events": [
{
"activity_id": 0,
"category_uid": 4,
"cisco_asa": {
"full_log_print_specifiers": "[]",
"syslog_class": "INFORMATION",
"syslog_descriptor": "AAA_RESULT_REJECT",
"syslog_id": "ASA-6-113005",
"syslog_id_with_version": "ASA-6-113005-0",
"syslog_severity": "6"
},
"cisco_dtls_ipsec_tunnel": {
"bytes_received": 0,
"bytes_transmitted": 0,
"cipher_suite": "",
"compression": "",
"connection_timeout": "",
"connection_timeout_left": "",
"destination_port": 0,
"dh_group": "",
"encapsulation": "",
"encryption": "",
"filter_name": "",
"hashing": "",
"id": "",
"idle_timeout": "",
"idle_timeout_left": "",
"ipv6_filter_name": "",
"local_selector": "",
"packets_received": 0,
"packets_received_dropped": 0,
"packets_transmitted": 0,
"packets_transmitted_dropped": 0,
"pfs_group": "",
"prf": "",
"rekey_data": "",
"rekey_data_left": "",
"rekey_interval": "",
"rekey_interval_left": "",
"remote_selector": "",
"source_port": 0
},
"cisco_endpoint_posture": {
"dap_connection_type": "",
"dap_record_name": ""
},
"cisco_event_id": "3ab1911afdd9eadd00c539da4f6c8ff6ff8d25df098244d3a22e045ee9e40768",
"cisco_event_type": "ravpn",
"cisco_organization_id": 8287046,
"cisco_origin": {
"id": 0,
"type": "UNKNOWN",
"user_id": 123
},
"cisco_ravpn_metadata": {
"anyconnect_version": "",
"event_type": "FAILED"
},
"cisco_ravpn_session": {
"assigned_ip": "",
"assigned_ipv6": "",
"audit_session_id": "",
"connected_at": 0,
"disconnection_reason": "",
"duration": "",
"id": "",
"inactivity": "",
"public_ip": "115.167.66.133",
"public_ipv6": "",
"redirect_acl": "",
"redirect_url": "",
"security_group_tag": "",
"session_type": "",
"vpn_profile": "",
"warning_reason": ""
},
"cisco_ssl_ike_tunnel": {
"bytes_received": 0,
"bytes_transmitted": 0,
"cipher_suite": "",
"compression": "",
"connection_timeout": "",
"connection_timeout_left": "",
"destination_port": 0,
"dh_group": "",
"encapsulation": "",
"encryption": "",
"filter_name": "",
"hashing": "",
"id": "",
"idle_timeout": "",
"idle_timeout_left": "",
"ipv6_filter_name": "",
"local_selector": "",
"packets_received": 0,
"packets_received_dropped": 0,
"packets_transmitted": 0,
"packets_transmitted_dropped": 0,
"pfs_group": "",
"prf": "",
"rekey_data": "",
"rekey_data_left": "",
"rekey_interval": "",
"rekey_interval_left": "",
"remote_selector": "",
"source_port": 0
},
"class_uid": 4001,
"cloud": {
"region": "us-west-2"
},
"device": {
"os": {
"version": ""
}
},
"metadata": {
"product": {
"name": "ciscoSecureAccess"
},
"version": "1.6.0"
},
"policy": {
"data": {
"failed_reasons": [
"AUTHORIZATION-CHECK"
]
}
},
"severity_id": 0,
"src_endpoint": {
"name": ""
},
"time": 1764933160000,
"type_uid": 400100
}
]
}
}
ZTNA Push Security Events
{
"specversion": "1.0",
"type": "secureaccess.events.security.v1",
"source": "secureaccess.events.security",
"orgid": 8257939,
"integrationid": "webhook.v1:e64db902-d58c-4899-ac56-e19a88fa2dd9",
"id": "9d2aae15-0a23-56cd-8fca-115fb9e4a695",
"time": "2025-12-05T04:45:20.87934865Z",
"datacontenttype": "application/json",
"data": {
"events": [
{
"activity_id": 0,
"category_uid": 4,
"cisco_endpoint_posture": {
"ad_joined_sid": "[\"S-1-5-21-9876543210-1111111111-2222222222\"]",
"antimalware_agents": [
"norton[v1.1.1]"
],
"client_browser": "Firefox 109.0",
"client_firewall": "SYS",
"client_geo_location": "Australia",
"client_ip": "192.0.2.100",
"client_os": "Windows 10",
"disk_encryption": "SYS",
"duo_device_id": "DUO5789067",
"system_password": "disabled[]"
},
"cisco_event_id": "00A969F7-247C-23AD-1E18",
"cisco_event_type": "ztna",
"cisco_organization_id": 8257939,
"cisco_origins": [
{
"id": 8452,
"type": "Networks"
}
],
"cisco_source_process_info": [],
"cisco_ztna_metadata": {
"application_port": 3389,
"application_protocol": "TCP",
"applied_tnd": "TND-4",
"detected_tnd": [],
"egress_ip": "198.51.7.40",
"enforcement_point": "SECURE_ACCESS_CLOUD",
"ftd_enforcement_id": "ftd-9040",
"ftd_enforcement_name": "FTD-Device-2",
"headend_type": "CLAP",
"mdm_device_id": "MDM-112680",
"mdm_is_compliant": false,
"mdm_is_managed": false,
"mdm_last_updated": 17635522023980,
"mdm_source": "INTUNE",
"requested_ip_fqdn": "app1.internal.company.com",
"resolved_ip": "172.16.10.21",
"secure_client_version": "5.1.6.0",
"step_up_auth_result": "FAILURE",
"step_up_auth_token_life": 0,
"step_up_auth_type": "SAML_SSO",
"tunnel_type": "HTTP2",
"verdict": "BLOCK",
"zta_profile_id": "ZTA-Profile-6"
},
"class_uid": 4001,
"metadata": {
"correlation_id": "00A969F7-247C-23AD-1E18",
"product": {
"name": "ciscoSecureAccess"
},
"version": "1.6.0"
},
"policy": {
"data": {
"app_connector_group_id": 648,
"block_reason": "Android OS not allowed",
"posture_id": "649",
"private_app_group_id": 0,
"private_app_id": 3246,
"private_resource_group_id": "50757",
"private_resource_id": "12613",
"ruleset_id": 52990
},
"uid": "8833"
},
"severity_id": 0,
"src_endpoint": {
"name": ""
},
"time": 1764909917786,
"type_uid": 400100
}
]
}
}