ZTNA Push Security Events
| Secure Access Key | Type | Description |
|---|---|---|
| specversion | string | The version of the Push Security Event schema. |
| type | string | The type of the security event. |
| source | string | The unique label that describes the source of the security event. |
| orgid | integer | The unique identifier of the organization. |
| integrationid | string | The unique identifier of the integration. |
| id | string | The unique identifier for the push security event. |
| time | string | The date and time when the system sent the event. The system formats the timestamp in the ISO 8601 format. |
| datacontenttype | string | The type of the content in the push security event. |
| data | object | The properties of the data for the push security events. |
data
| Secure Access Key | Type | Description |
|---|---|---|
| events | array | The list of push security event messages. |
data.events
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| activity_id | | integer | The unique identifier of the activity that triggered the security event. |
| category_uid | | integer | The unique identifier of the security event category. |
| cisco_event_id | Event ID | string | The unique identifier of the security event. |
| cisco_event_type | | string | The type of the security event. |
| cisco_organization_id | Organization ID | number | The unique identifier of the organization. |
| cisco_endpoint_posture | | object | The posture properties of the client endpoint. |
| cisco_origins | | array | The list of the origins. |
| cisco_source_process_info | | array | The list of the source process information for the transaction. |
| cisco_ztna_metadata | | object | The properties of the Cisco ZTNA metadata. |
| class_uid | | integer | The unique identifier of the class. |
| metadata | | object | The metadata for the security event. |
| policy | | object | The properties of the components and profiles for the access rules in the Access policy. |
| severity_id | | number | The unique identifier of the severity. |
| src_endpoint | | object | The properties of the client endpoint. |
| time | Time | string | The date and time when the system recorded the security event. The system formats the timestamp in milliseconds since the Unix Epoch (unlike the envelope `time`, which is ISO 8601). |
| type_uid | | integer | The unique identifier of the type for the security event. |
data.events.cisco_endpoint_posture
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| ad_joined_sid | AD Joined SID | string | The identifier of the AD device joined with the SID. |
| antimalware_agents | Antimalware Agents | array(string) | The label that describes the anti-malware agent. |
| client_browser | Client Browser | string | The descriptive label that identifies the client browser. |
| client_firewall | Client Firewall | string | The descriptive label that identifies the client firewall. |
| client_geo_location | Client Geo Location | string | The geographic location of the client. |
| client_ip | Client IP | string | The IPv4 or IPv6 address of the client. |
| client_os | Client OS | string | The operating system (OS) of the client. |
| disk_encryption | Disk Encryption | string | The type of disk encryption enabled on the client. |
| duo_device_id | Duo Device ID | string | The identifier of the Duo device. |
| system_password | System Password | string | The administrative password of the client system. |
data.events.cisco_origins
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| id | | integer | The unique identifier of the endpoint. |
| type | | string | The type of the endpoint. |
data.events.cisco_source_process_info
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| process_id | | number | The identifier of the process. |
| process_name | | string | The descriptive label for the process. |
| process_hash | | string | The hash of the source process. |
| process_user_name | | string | The name of the user for the source process in the transaction. |
data.events.cisco_ztna_metadata
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| application_port | Application Port | number | The port number used for the application. |
| application_protocol | Application Protocol | string | The protocol used for the application. |
| applied_tnd | Applied Tnd | string | The trusted network detection (TND) result applied to the access rules in the policy. |
| detected_tnd | Detected Tnd | array(string) | The trusted networks detected by the client. |
| egress_ip | Egress IP | string | The IPv4 or IPv6 address associated with the egress of the traffic from the client system. |
| enforcement_point | Enforcement Point | string | The description of the point of enforcement. |
| ftd_enforcement_id | FTD Enforcement ID | number | The identifier of the Cisco Firepower Threat Defense (FTD) device. |
| ftd_enforcement_name | FTD Enforcement Name | string | The name of the Cisco Firepower Threat Defense (FTD) device. |
| headend_type | Headend Type | string | The type of the headend for the tunnel to the system. |
| mdm_device_id | MDM Device ID | string | The identifier of the Mobile Device Management (MDM) device. |
| mdm_is_compliant | MDM Is Compliant | boolean | Specifies whether the MDM device is compliant. |
| mdm_is_managed | MDM Is Managed | boolean | Specifies whether the MDM device is managed. |
| mdm_last_updated | MDM Last Updated | number | The date and time when the system last updated the MDM device record. |
| mdm_source | MDM Source | string | The source of the MDM device. |
| requested_ip_fqdn | Requested IP FQDN | string | The IP address for the fully-qualified domain name. |
| resolved_ip | Resolved IP | string | The IP address of the client. |
| secure_client_version | Secure Client Version | string | The version of the Cisco Secure Client in use by the user device. |
| step_up_auth_result | Step Up Auth Result | string | The result of the step-up authentication. |
| step_up_auth_token_life | Step Up Auth Token Life | number | The lifetime (expiry) of the step-up authentication token used by the system. |
| step_up_auth_type | Step Up Auth Type | string | The type of the step-up authentication used by the system. |
| tunnel_type | Tunnel Type | string | The type of the network tunnel. |
| verdict | Verdict | string | The label of the verdict assigned to the destination. |
| zta_profile_id | ZTA Profile ID | string | The unique identifier of the Zero Trust profile. |
data.events.metadata
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| correlation_id | | string | The unique identifier of the correlation. |
| product | | object | The properties of the product. |
| version | | string | The version of the product. |
data.events.metadata.product
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| name | | string | The name of the product. |
data.events.policy
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| data | | object | The properties of the data in the organization's Access policy. |
| uid | Rule ID | integer | The unique identifier of the access rule in the Access policy that matches the network traffic. |
data.events.policy.data
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| app_connector_group_id | App Connector Group ID | number | The identifier of the resource connector group. |
| block_reason | Block Reason | string | The description that explains why the system blocked the network traffic. |
| posture_id | Posture ID | string | The identifier of the posture profile. |
| private_app_group_id | Private App Group ID | number | The identifier of the private application group. |
| private_app_id | Private App ID | number | The identifier of the private application. |
| private_resource_group_id | Private Resource Group ID | string | The identifier of the private resource group. |
| private_resource_id | Private Resource ID | string | The identifier of the private resource. |
| ruleset_id | Ruleset ID | number | The identifier of the ruleset that contains the matching access rule. |
data.events.src_endpoint
| Secure Access Key | OCSF Key | Type | Description |
|---|---|---|---|
| name | | string | The hostname of the client endpoint. |
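The following Python is an added example, not Cisco code or part of any Secure Access SDK. It shows how a consumer of these pushes would validate the envelope, convert the two differently formatted timestamps (ISO 8601 on the envelope, milliseconds since the Unix epoch on each event), and flatten each event into the fields an analyst needs for triage. The sample payload is constructed to follow the field tables above; its string values (the event `type` and `source`, the `verdict` vocabulary of `allowed`/`blocked`, the `block_reason` text) are assumptions, since this page documents keys and types but not value sets.

```python
"""Parse and triage a ZTNA push security event.

Added example, not Cisco code. SAMPLE_PUSH_EVENT is constructed to follow the
field tables on this page; the string values in it (event type, source,
verdict, block reason) are assumptions, not documented value sets.
"""
import json
from datetime import datetime, timezone

SAMPLE_PUSH_EVENT = json.dumps({
    "specversion": "1.0",
    "type": "ztna.security.event",        # assumed value
    "source": "secure-access/ztna",       # assumed value
    "orgid": 1234567,
    "integrationid": "int-0001",
    "id": "evt-0001",
    "time": "2024-05-01T12:00:00Z",       # envelope time: ISO 8601
    "datacontenttype": "application/json",
    "data": {"events": [{
        "activity_id": 1, "category_uid": 4, "class_uid": 4001,
        "type_uid": 400101, "severity_id": 1,
        "cisco_event_id": "ztna-0001",
        "cisco_event_type": "ztna",
        "cisco_organization_id": 1234567,
        "time": "1714564800000",          # event time: ms since Unix epoch, as a string
        "cisco_endpoint_posture": {
            "client_ip": "203.0.113.10", "client_os": "Windows 11",
            "disk_encryption": "BitLocker", "antimalware_agents": ["Example AV"],
        },
        "cisco_ztna_metadata": {
            "application_port": 443, "application_protocol": "https",
            "verdict": "blocked",          # assumed vocabulary: allowed / blocked
            "mdm_is_managed": True, "mdm_is_compliant": False,
        },
        "policy": {"uid": 42, "data": {"ruleset_id": 7,
                                       "block_reason": "posture check failed"}},
        "src_endpoint": {"name": "laptop-01"},
    }]},
})

ENVELOPE_REQUIRED = ("specversion", "type", "source", "orgid", "integrationid",
                     "id", "time", "datacontenttype", "data")


def parse_push_event(raw: str) -> dict:
    """Check the envelope keys and parse the ISO 8601 envelope timestamp."""
    env = json.loads(raw)
    missing = [k for k in ENVELOPE_REQUIRED if k not in env]
    if missing:
        raise ValueError(f"envelope missing fields: {missing}")
    if not isinstance(env["data"].get("events"), list):
        raise ValueError("data.events must be an array")
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    env["time"] = datetime.fromisoformat(env["time"].replace("Z", "+00:00"))
    return env


def event_time(ev: dict) -> datetime:
    """Per-event time is milliseconds since the Unix epoch, carried as a string."""
    return datetime.fromtimestamp(int(ev["time"]) / 1000, tz=timezone.utc)


def triage(ev: dict) -> dict:
    """Flatten one event into the fields an analyst needs, plus review findings."""
    ztna = ev.get("cisco_ztna_metadata", {})
    posture = ev.get("cisco_endpoint_posture", {})
    policy = ev.get("policy", {})
    findings = []
    if ztna.get("verdict") != "allowed":                 # assumed vocabulary
        reason = policy.get("data", {}).get("block_reason", "unspecified")
        findings.append(f"verdict {ztna.get('verdict')}: {reason}")
    if ztna.get("mdm_is_managed") and ztna.get("mdm_is_compliant") is False:
        findings.append("managed device reported as non-compliant by MDM")
    if not posture.get("disk_encryption"):
        findings.append("no disk encryption reported in endpoint posture")
    return {
        "event_id": ev.get("cisco_event_id"),
        "org_id": ev.get("cisco_organization_id"),
        "time": event_time(ev),
        "host": ev.get("src_endpoint", {}).get("name"),
        "client_ip": posture.get("client_ip"),
        "rule_uid": policy.get("uid"),
        "ruleset_id": policy.get("data", {}).get("ruleset_id"),
        "verdict": ztna.get("verdict"),
        "findings": findings,
    }


def review_queue(raw: str) -> list:
    """Return the triaged events from one push that carry at least one finding."""
    env = parse_push_event(raw)
    return [t for t in map(triage, env["data"]["events"]) if t["findings"]]


if __name__ == "__main__":
    for item in review_queue(SAMPLE_PUSH_EVENT):
        print(item["time"].isoformat(), item["host"], item["findings"])
```

Keep both timestamps: the envelope `time` tells you when the push was sent, the per-event `time` when the access decision was recorded, and the gap between them is what you measure when checking delivery latency of the integration.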