Web Push Security Events
| Secure Access Key | Type | Description |
|---|---|---|
| specversion | string | The version of the Push Security Event schema. |
| type | string | The type of the security event. |
| source | string | The unique label that describes the source of the security event. |
| orgid | integer | The unique identifier of the organization. |
| integrationid | string | The unique identifier of the integration. |
| id | string | The unique identifier for the push security event. |
| time | string | The date and time when the system sent the event. The system formats the timestamp in the ISO 8601 format. |
| datacontenttype | string | The type of the content in the push security event. |
| data | object | The properties of the data for the push security events. |
data
| Secure Access Key | Type | Description |
|---|---|---|
| events | array | The list of push security event messages. |
data.events
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| activity_id | | number | The unique identifier of the activity that triggered the security event. |
| category_uid | | integer | The unique identifier of the security event category. |
| cisco_ai_supply_chain | | object | The properties of the AI supply chain models. |
| cisco_event_id | Event ID | string | The unique identifier of the security event. |
| cisco_event_type | | string | The type of the security event. |
| cisco_organization_id | Organization ID | number | The unique identifier of the organization. |
| cisco_mcp | | array | The list of the MCP servers. |
| cisco_origin | | object | The properties of the origin. |
| cisco_other_origins | | array | The list of the origins. |
| cisco_swg_metadata | | object | The properties of the Secure Web Gateway (SWG) metadata. |
| cisco_swg_verdict | | object | The properties of the verdict determined by the antivirus and malware engines and the Secure Web Gateway (SWG). |
| class_uid | | number | The unique identifier of the class. |
| dst_endpoint | | object | The IPv4 or IPv6 address of the origin server. |
| file | | object | The properties of the file. |
| http_request | | object | The properties of the HTTP request. |
| http_response | | object | The properties of the HTTP response. |
| metadata | | object | The properties of the metadata for the web events. |
| policy | | object | The properties of the access rules in the Access policy. |
| proxy_endpoint | | object | The properties of the endpoint used by the proxy to communicate with the origin server. |
| severity_id | | number | The unique identifier of the severity. |
| src_endpoint | | object | The properties of the client endpoint. |
| time | Time | string | The date and time when the system recorded the security event. The system formats the timestamp in milliseconds since the Unix Epoch. |
| type_uid | | integer | The unique identifier of the type for the security event. |
data.events.cisco_ai_supply_chain
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| model_name | Model Name | string | The name of the AI model. |
| scr_categories | Source Categories | array(string) | The properties of the source category. |
data.events.cisco_mcp
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| agent_id | Agent ID | string | The identifier of the MCP agent. |
| mcp_frames | | array | The list of the MCP servers. |
data.events.cisco_mcp.mcp_frames
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| direction | | string | The direction of the frame. |
| frame_id | | string | A unique identifier for the frame that is used to correlate the request and response. |
| frame_type | | string | The type of the frame. |
| verdict | | string | The verdict returned by the Cisco semantic inspection engine. |
| reason | | string | The reason for the verdict returned by the Cisco semantic inspection engine. |
data.events.cisco_origin
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| id | Origin ID | integer | The unique identifier of the endpoint. |
| type | Origin Type | string | The type of the endpoint, for example: Networks or AD Computers. |
data.events.cisco_other_origins
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| id | ID | number | The unique identifier of the endpoint. |
| type | | number | The type of the endpoint. Use 1 for Networks and 5 for AD Computers. |
data.events.cisco_swg_metadata
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| connection_id | | string | The ID of the connection. Use the identifier to correlate this connection with other services. |
| forwarding_method | Forwarding Method | string | The type of method used to forward the identity of the client to the proxy. |
| https_query_params | Query Params | string | The query parameters in the HTTP message. |
| internal_client_ip | Internal Client IP | string | The internal IP address of the client connecting to the proxy through a forwarding method such as a Virtual Appliance or SAML. |
| is_decrypted | Decrypted | boolean | Specifies whether the HTTP message is decrypted. |
| is_reserved_ip | Is reserved IP | boolean | Specifies whether the IP address is reserved for the organization. |
| response_sha256 | Response sha256 | string | The SHA-256 hash of the response body. |
| traffic_source | Traffic Source | number | The source of the web traffic. The possible values are 0 - Unknown, 1 - VPN, 2 - ZTNA, 3 - Network Tunnel, 4 - Network, 5 - SWG Roaming. |
data.events.cisco_swg_verdict
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| action | Action | string | The action (allow or block) in the access rule associated with the web traffic. |
| amp_disposition | Disposition | string | A file's disposition is a categorization from the AMP cloud that determines what actions are taken on the file download. |
| amp_malware_name | Malware Name | string | The name of the malware detected by AMP. |
| amp_score | Score | number | The risk score associated with the file or object in the web traffic. |
| av_engines | Name | array | The list of the properties for the antivirus (AV) engines. |
| avc | Application IDs | object | The properties of the application visibility and control. |
| blocked_categories | | array(string) | The category that matches the request and the block action in the access rules. |
| blocked_destination_countries | Blocked Destination Countries | array(string) | The ISO-3166 ID of the country associated with the destination IPs and the block action in the access rules. |
| categories | Categories | array(string) | The category that matches the request. |
| detected_response_file_type | Detected Response File Type | string | The type of file in the detected response by the file type control that resulted in a block based on various signals. |
| dlp_status | DLP Status | string | The status that was returned from the inline DLP scanning. |
| http_errors | Type | array | The list of HTTP errors. |
| remote_browser_isolation | Isolated State | object | The properties of the Remote Browser Isolation (RBI) session. |
data.events.cisco_swg_verdict.av_engines
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| name | Name | string | The name of the AV Engine used to scan the files. For example: kaspersky, bitdefender. |
| data_version | Data Version | string | The version of the data package, which includes the timestamp of the signatures. |
| engine_version | Engine Version | string | The version of the AV engine used to scan the files. |
| threats | Threats | array(string) | The name of the threat returned by the AV engine. |
data.events.cisco_swg_verdict.avc
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| allowed_application_ids | Allowed Application IDs | array(string) | The identifier of the application that matches the request and the allow action in the access rules. |
| application_entity_category | Application Entity Category | string | The category attribute associated with the application entity. |
| application_entity_name | Application Entity Name | string | The name of the entity or user within the application. In the case of YouTube, this is a channel name, a string identifying the actual channel. For example, '@CiscoSystems' for the Cisco YouTube channel (https://www.youtube.com/@CiscoSystems). |
| application_ids | Application IDs | array(string) | The identifier of the web applications. |
| blocked_application_ids | Blocked Application IDs | array(string) | The identifier of the application that matches the request and the block action in the access rules. |
data.events.cisco_swg_verdict.http_errors
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| type | Type | string | The label for the type of HTTP error. |
| code | Code | string | The code of the HTTP error. |
| reason | Reason | string | The reason for the HTTP error. |
| attributes | Attributes | array(string) | The attribute of the HTTP error. |
data.events.cisco_swg_verdict.remote_browser_isolation
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| file_action | File Action | string | The type of action taken on the file. |
| isolated_state | Isolated State | string | The status of the remote browser isolation (RBI) session for the web request. |
data.events.dst_endpoint
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| ip | Destination IP | string | The IPv4 or IPv6 address of the origin server (destination). For example: 1.2.3.4, 2001:db8::1. |
data.events.file
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| name | File Name | string | The name of the file listed in the response as the Content-Disposition: attachment. |
| type_id | | number | The identifier of the type of file listed in the response as the Content-Disposition: attachment. |
data.events.http_request
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| http_method | Request Method | string | The HTTP request method, for example: GET, POST, HEAD, DELETE, PATCH. |
| length | Total Size in bytes | number | The total number of bytes sent from the client for the full request. The number of bytes is set in the Content-Length header of the HTTP request. |
| referrer | Referrer | string | The address of the previous web page from which a link to the currently requested page was followed, as captured by the proxy. For example: 'http://www.example.com/index.html?a=b&c=a%20word'. |
| url | Request URL | object | The properties of the Uniform Resource Locator (URL) defined by RFC 1738. |
| user_agent | User Agent | string | The name of the user agent as captured by the proxy. For example: 'Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/21.0'. |
data.events.http_request.url
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| url_string | Request URL | string | The Uniform Resource Locator (URL) of the web resource requested, as defined by RFC 1738. For example: 'http://www.example.com/index.html?a=b&c=a%20word'. |
data.events.http_response
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| body_length | Body Size in bytes | number | The length of the HTTP message body. |
| code | Response Status Code | number | The HTTP status code for the HTTP message. |
| content_type | Response Content Type | string | The value of the Content-Type header in the HTTP message. |
| length | Total Size in bytes | number | The value of the Content-Length header in the HTTP message. |
data.events.metadata
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| correlation_id | Transaction ID | string | The identifier of the transaction used for the correlation with the UUID of another service. |
| product | | object | The properties of the product. |
| version | | string | The version of the product. |
data.events.metadata.product
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| name | | string | The name of the product. |
data.events.policy
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| data | | object | The properties of the policy data. |
| uid | Rule ID | string | The unique identifier of the access rule that applies to the web traffic in the Access policy. |
data.events.policy.data
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| destination_list_ids | Destination List IDs | array(string) | The IDs of the destination lists selected on the access rules in the Access policy that apply to the web traffic. |
| security_overridden | Security Overridden | boolean | Specifies whether the system has overridden the security filtering access rules in the Access policy, so that they were not applied during rule enforcement. |
| tenant_id | Tenant ID | string | The ID of the tenant that the system extracted from the HTTP request. |
| tenant_profile_name | Tenant Profile Name | string | The name of the tenant control profile configured in the access rule in the Access policy. The traffic matches the tenant control profile for the matching tenant ID. |
| time_based_rule | Time Based Rule | boolean | Specifies whether a schedule is enabled on the access rule that applies to the web traffic in the Access policy. |
data.events.proxy_endpoint
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| ip | Egress IP | string | The IPv4 or IPv6 address used by the proxy to communicate with the origin server. |
data.events.src_endpoint
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| ip | External Client IP | string | The IPv4 or IPv6 address of a client as seen by the proxy. For example: 1.2.3.4, 2001:db8::1. |
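As an added example that is not part of the Cisco reference above, the following Python parses a push envelope shaped like these tables, validates the envelope keys, converts the per-event millisecond `time` to ISO 8601 (the envelope's own `time` is already ISO 8601, the event `time` is not), decodes the `traffic_source` and `cisco_other_origins.type` code tables from this page, and pulls out the fields an analyst would triage first (block action, AV threat names, security override). The sample envelope is constructed: its `type`, `source`, IP, URL, rule ID and threat name values are placeholders, and the triage criteria are this example's choice, not a rule the product defines.

```python
"""Parse a Secure Access Web Push Security Event envelope and pick out events worth triage."""
import json
from datetime import datetime, timezone

# Code tables taken from the schema reference on this page.
TRAFFIC_SOURCE = {0: "Unknown", 1: "VPN", 2: "ZTNA", 3: "Network Tunnel", 4: "Network", 5: "SWG Roaming"}
ORIGIN_TYPE = {1: "Networks", 5: "AD Computers"}

# Top-level envelope keys listed in the first table of the reference.
ENVELOPE_KEYS = ("specversion", "type", "source", "orgid", "integrationid",
                 "id", "time", "datacontenttype", "data")


def parse_envelope(raw: str) -> dict:
    """Decode the JSON envelope and reject one that lacks required keys or an events array."""
    env = json.loads(raw)
    missing = [k for k in ENVELOPE_KEYS if k not in env]
    if missing:
        raise ValueError(f"envelope missing keys: {missing}")
    if not isinstance(env["data"].get("events"), list):
        raise ValueError("data.events must be an array")
    return env


def event_time_iso(ev: dict) -> str:
    """data.events[].time is milliseconds since the Unix epoch; render it as ISO 8601 UTC."""
    return datetime.fromtimestamp(int(ev["time"]) / 1000, tz=timezone.utc).isoformat()


def summarize_event(ev: dict) -> dict:
    """Flatten the nested objects into the handful of fields an analyst looks at first."""
    verdict = ev.get("cisco_swg_verdict") or {}
    swg_meta = ev.get("cisco_swg_metadata") or {}
    policy = ev.get("policy") or {}
    # Threat names are nested under each AV engine entry; collect them into one list.
    threats = [t for eng in verdict.get("av_engines", []) for t in eng.get("threats", [])]
    return {
        "event_id": ev.get("cisco_event_id"),
        "time": event_time_iso(ev),
        "action": verdict.get("action"),
        "url": (ev.get("http_request") or {}).get("url", {}).get("url_string"),
        "client_ip": (ev.get("src_endpoint") or {}).get("ip"),
        "destination_ip": (ev.get("dst_endpoint") or {}).get("ip"),
        "traffic_source": TRAFFIC_SOURCE.get(swg_meta.get("traffic_source"), "Unknown"),
        "other_origin_types": [ORIGIN_TYPE.get(o.get("type"), f"unknown({o.get('type')})")
                               for o in ev.get("cisco_other_origins", [])],
        "blocked_categories": verdict.get("blocked_categories", []),
        "av_threats": threats,
        "rule_id": policy.get("uid"),
        "security_overridden": bool((policy.get("data") or {}).get("security_overridden", False)),
    }


def triage(env: dict) -> list:
    """Return summaries of events that were blocked, carried an AV threat, or bypassed security rules.

    The selection criteria are this example's own; the product defines no such rule."""
    hits = []
    for ev in env["data"]["events"]:
        s = summarize_event(ev)
        if s["action"] == "block" or s["av_threats"] or s["security_overridden"]:
            hits.append(s)
    return hits


# Constructed sample envelope: every value below is a placeholder, not real data.
SAMPLE_ENVELOPE = json.dumps({
    "specversion": "1.0", "type": "example-event-type", "source": "example-source",
    "orgid": 1234567, "integrationid": "example-integration", "id": "env-0001",
    "time": "2023-11-14T22:13:25Z", "datacontenttype": "application/json",
    "data": {"events": [
        {   # Allowed, clean request: should not be selected by triage().
            "cisco_event_id": "evt-0001", "time": 1700000000000,
            "cisco_swg_metadata": {"traffic_source": 1},
            "cisco_swg_verdict": {"action": "allow", "av_engines": []},
            "http_request": {"url": {"url_string": "http://www.example.com/index.html"}},
            "src_endpoint": {"ip": "192.0.2.10"}, "dst_endpoint": {"ip": "203.0.113.5"},
            "policy": {"uid": "rule-allow-1", "data": {"security_overridden": False}},
        },
        {   # Blocked download with an AV detection and a security override.
            "cisco_event_id": "evt-0002", "time": 1700000000000,
            "cisco_swg_metadata": {"traffic_source": 5},
            "cisco_other_origins": [{"id": 42, "type": 5}, {"id": 43, "type": 1}],
            "cisco_swg_verdict": {
                "action": "block", "blocked_categories": ["Malware"],
                "av_engines": [{"name": "example-engine", "threats": ["Example.Threat"]}],
            },
            "http_request": {"url": {"url_string": "http://www.example.com/payload.bin"}},
            "src_endpoint": {"ip": "192.0.2.11"}, "dst_endpoint": {"ip": "2001:db8::1"},
            "policy": {"uid": "rule-block-7", "data": {"security_overridden": True}},
        },
    ]},
})

if __name__ == "__main__":
    for hit in triage(parse_envelope(SAMPLE_ENVELOPE)):
        print(json.dumps(hit, indent=2))
```

Because the envelope is validated before any event is read, a malformed push (missing `data.events`) fails loudly rather than being silently ingested as zero events, which is the failure mode that hides an outage of the push integration from the SIEM side.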