V12 Log Format
The CSV fields in the header row of the File Events log.
timestamp,organization id,retention policy in days,aws region,firewall eventid,file action,disposition,sha256,direction,threat name,filestatic analysis,threat score,filetype id,filename,filesize,archive filename,archive filedepth,archive sha,dlp status,enforced by,ftd enforcement id,ftd enforcement name
The description of each field and the log version in which each field was released, up to Version 12. For more information about log versions, see Find Your Log Schema Version.
Field name | Description | Release version |
---|---|---|
timestamp | The timestamp of the request transaction in UTC (e.g., 2024-01-16 17:48:41). | v9 |
organization id | The Secure Access organization ID. For more information, see Find Your Organization ID. | v9 |
retention policy | The number of days that AWS S3 stores your Secure Access File Events log. | v9 |
aws region | The AWS region where Secure Access stores your logs. | v9 |
firewall event id | The ID of the firewall event. Populated only for traffic handled by Cisco Secure Firewall. | v9 |
file action | The action taken on a file in a remote browser isolation session. Valid values are: UNKNOWN, DETECT, BLOCK, MALWARE_CLOUD_LOOKUP, MALWARE_WHITELIST, CLOUD_LOOKUP_TIMEOUT, CUSTOM_DETECTION, CUSTOM_DETECTION_BLOCK, ARCHIVE_BLOCK_DEPTH_EXCEEDED, ARCHIVE_BLOCK_ENCRYPTED, ARCHIVE_BLOCK_FAILED_TO_INSPECT, TID_BLOCK. | v9 |
disposition | The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the File Inspection feature. Valid values are: CLEAN, MALWARE, UNKNOWN. | v9 |
sha256 | The SHA-256 checksum hash of the file. | v9 |
direction | The traffic direction of the file event. Valid values are: UNKNOWN, UPLOAD, DOWNLOAD. | v9 |
threat name | Name of the threat identified for files with MALWARE disposition. | v9 |
file static analysis | The status of the file static sample analysis. For more information, see Cisco Secure Malware Analytics (formerly Threat Grid) Details. Valid values are: UNKNOWN, NOT_ANALYZED, ANALYSIS_COMPLETE_NO_VIRUS, ANALYSIS_FAILED, ANALYSIS_COMPLETE_MALWARE_DETECTED. | v9 |
threat score | The threat score most recently associated with this file. This is a value from 0 to 100. | v9 |
file type id | The type of file. For example, PDF or MSEXE. | v9 |
file name | The name of the file involved with the activity. | v9 |
file size | The size of the file in bytes. | v9 |
archive file name | The name of the archive file involved with the activity. | v9 |
archive depth | The level (if any) at which the file was nested in an archive file. | v9 |
archive sha | The SHA-256 checksum hash of the archive file. | v9 |
dlp status | The verdict of the DLP scanning service. For more information, see Manage the Data Loss Prevention Policy. Valid values are: FW_FILE_DLP_NONE, FW_FILE_DLP_SENT, FW_FILE_DLP_SUCCESS, FW_FILE_DLP_FAIL_ON_MIN_FILESIZE, FW_FILE_DLP_FAIL_ON_MAX_FILESIZE, FW_FILE_DLP_FAIL_ON_MEMCAP, FW_FILE_DLP_FAIL_ON_FULL_QUEUE, FW_FILE_DLP_FAIL_ON_SEND, FW_FILE_DLP_FAIL_ON_NO_RESPONSE, FW_FILE_DLP_FAIL_ON_CLOUD_SEND, FW_FILE_DLP_VERDICT_FAIL, FW_FILE_DLP_VERDICT_UNKNOWN, FW_FILE_DLP_VERDICT_CLEAN, FW_FILE_DLP_VERDICT_DATA_LEAK, FW_FILE_DLP_VERDICT_MALICIOUS, FW_FILE_DLP_VERDICT_TIMEOUT. | v9 |
enforced by | The Secure Access component or service that enforced the policy or control related to this event (e.g., Firewall, Web Proxy). | v12 |
ftd enforcement id | The unique identifier of the enforcement action taken by a Firepower Threat Defense (FTD) device integrated with Secure Access. | v12 |
ftd enforcement name | The name or type of enforcement action taken by an FTD device integrated with Secure Access (e.g., Malware Block, URL Category Block). | v12 |
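As an added example (not part of Cisco's documentation or of the Secure Access product), the following Python parses rows in this V12 layout and flags the ones an analyst would review: MALWARE dispositions, blocking file actions, a static-analysis malware verdict, a high threat score, and DLP data-leak or malicious verdicts. It uses the header field names from the row above as dictionary keys, skips a leading header row if one is present (a row whose first field is `timestamp`), and rejects rows whose field count does not match the 22-column schema so that a shifted column cannot silently misalign `dlp status` with `enforced by`. The sample rows, the SHA-256 values, and the 70-point threat score cutoff are constructed for illustration and are not real log data or a Secure Access setting.

```python
"""Parse Cisco Secure Access V12 File Events CSV rows and triage them.

Added example for the schema documented above; the rows below are constructed
and are not real log data.
"""
import csv
import io

# Header row as documented for the V12 File Events log (22 fields).
HEADER = ("timestamp,organization id,retention policy in days,aws region,"
          "firewall eventid,file action,disposition,sha256,direction,threat name,"
          "filestatic analysis,threat score,filetype id,filename,filesize,"
          "archive filename,archive filedepth,archive sha,dlp status,enforced by,"
          "ftd enforcement id,ftd enforcement name")
COLUMNS = HEADER.split(",")

# Schema values that warrant analyst attention.
BLOCKING_ACTIONS = {"BLOCK", "CUSTOM_DETECTION_BLOCK", "ARCHIVE_BLOCK_DEPTH_EXCEEDED",
                    "ARCHIVE_BLOCK_ENCRYPTED", "ARCHIVE_BLOCK_FAILED_TO_INSPECT",
                    "TID_BLOCK"}
DLP_ALERT_VERDICTS = {"FW_FILE_DLP_VERDICT_DATA_LEAK", "FW_FILE_DLP_VERDICT_MALICIOUS"}
THREAT_SCORE_THRESHOLD = 70  # assumed triage cutoff, not a Secure Access setting

# Placeholder SHA-256 digests (constructed, not hashes of real files).
SHA = "0123456789abcdef" * 4
ARCHIVE_SHA = "fedcba9876543210" * 4

# Constructed sample log: a header row followed by four events.
SAMPLE_LOG = "\n".join([
    HEADER,
    f"2024-01-16 17:48:41,1234567,30,us-west-2,,BLOCK,MALWARE,{SHA},DOWNLOAD,"
    "W32.Example.Constructed,ANALYSIS_COMPLETE_MALWARE_DETECTED,95,MSEXE,invoice.exe,"
    "204800,,0,,FW_FILE_DLP_NONE,Web Proxy,,",
    f"2024-01-16 17:50:02,1234567,30,us-west-2,,DETECT,CLEAN,{SHA},UPLOAD,,"
    "NOT_ANALYZED,0,PDF,q4_report.pdf,51200,,0,,FW_FILE_DLP_VERDICT_DATA_LEAK,"
    "Web Proxy,,",
    f"2024-01-16 17:51:10,1234567,30,us-west-2,98765,ARCHIVE_BLOCK_DEPTH_EXCEEDED,"
    f"UNKNOWN,{SHA},DOWNLOAD,,UNKNOWN,0,ZIP,inner.zip,10240,outer.zip,3,{ARCHIVE_SHA},"
    "FW_FILE_DLP_NONE,Firewall,42,Malware Block",
    f"2024-01-16 17:52:00,1234567,30,us-west-2,,DETECT,CLEAN,{SHA},DOWNLOAD,,"
    "ANALYSIS_COMPLETE_NO_VIRUS,0,PDF,manual.pdf,80000,,0,,FW_FILE_DLP_VERDICT_CLEAN,"
    "Web Proxy,,",
])


def parse_file_events(text):
    """Map each CSV row onto the V12 column names; skip a header row if present.

    A row with the wrong number of fields is rejected rather than silently
    misaligned: one missing comma would move 'dlp status' into 'enforced by'.
    """
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if row[0] == COLUMNS[0]:  # header row, not an event
            continue
        if len(row) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} fields, got {len(row)}: {row[:3]}")
        events.append(dict(zip(COLUMNS, row)))
    return events


def triage(event):
    """Return the reasons an event deserves review (empty list if none)."""
    reasons = []
    if event["disposition"] == "MALWARE":
        reasons.append(f"AMP disposition MALWARE ({event['threat name'] or 'unnamed'})")
    if event["file action"] in BLOCKING_ACTIONS:
        reasons.append(f"blocked: {event['file action']}")
    if event["filestatic analysis"] == "ANALYSIS_COMPLETE_MALWARE_DETECTED":
        reasons.append("static analysis detected malware")
    score = int(event["threat score"] or 0)  # field may be empty
    if score >= THREAT_SCORE_THRESHOLD:
        reasons.append(f"threat score {score}")
    if event["dlp status"] in DLP_ALERT_VERDICTS:
        reasons.append(f"DLP verdict {event['dlp status']}")
    return reasons


def summarize(events):
    """Counts for a dashboard: events needing review, by enforcer and direction."""
    summary = {"total": len(events), "review": 0, "by_enforcer": {}, "by_direction": {}}
    for e in events:
        if triage(e):
            summary["review"] += 1
        enforcer = e["enforced by"] or "unknown"
        summary["by_enforcer"][enforcer] = summary["by_enforcer"].get(enforcer, 0) + 1
        summary["by_direction"][e["direction"]] = summary["by_direction"].get(e["direction"], 0) + 1
    return summary


if __name__ == "__main__":
    parsed = parse_file_events(SAMPLE_LOG)
    for ev in parsed:
        print(ev["timestamp"], ev["filename"], triage(ev) or "no findings")
    print(summarize(parsed))
```

Archive context is kept in the parsed dictionary rather than raised as a finding: for the third row, `archive filename`, `archive filedepth` and `archive sha` identify the outer object, and `enforced by` together with the v12 `ftd enforcement id`/`ftd enforcement name` fields identify which enforcement point acted, which is what an investigator needs when correlating the event with Secure Firewall records.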