
V12 Log Format

The CSV fields in the header row of the IPS log.

timestamp,identities,identity types,generator id,signature id,signature message,signature list id,severity,attack classification,cves,ip protocol,session id,source ip,source port,destination ip,destination port,action,operation mode,policy resource id,direction,firewall rule id,ips config type,aws region,application id,casi category ids,data center,organization id,egress IP,egress,enforced by,ftd enforcement id,ftd enforcement name

The description of each field and the log version in which each field was released, up to Version 12. For more information about log versions, see Find Your Log Schema Version.

Field name Description Release version
timestamp The date and time of the IPS detection event, expressed as a UTC-formatted string (e.g., 2024-01-16 17:48:41). Unlike the Secure Access dashboard and reports, Secure Access logs do not convert the timestamp to your local timezone. v8
identities All tunnel identities that are associated with this request. v8
identity types The type of identity that is associated with this request. v8
generator id Unique ID assigned to the part of the IPS that generated the event. v8
signature id The unique ID of the signature that matched the traffic. v8
signature message A brief description of the signature. v8
signature list id Unique ID assigned to a Default or Custom Signature List. v8
severity The severity level of the rule. Valid values are: High, Medium, Low, and Very Low. v8
attack classification The attack category assigned to the matched rule; categories group rules by the broader class of attack they detect. Valid values are: trojan-activity, attempted-user, and unknown. v8
cves A list of information about security vulnerabilities and exposures. v8
ip protocol The actual protocol of the traffic, such as TCP, UDP, ICMP. v8
session id The unique identifier of a session, which is used to group the correlated events between various services. v8
source ip The source IP address of the request. v8
source port The source port number of the request. v8
destination ip The destination IP address of the request. v8
destination port The destination port number of the request. v8
action The action taken when traffic matches a rule, for example: block, warn, and would_block. v8
operation mode The mode of operation of the IPS, either detection or prevention. Valid values are: IDS, IPS, and UNKNOWN. v9
policy resource id The ID of the IPS policy resource. An example of a policy resource is: signature list. v9
direction The direction of the packet that matches the signature. Valid values are: S2C, C2S, and UNKNOWN. v9
firewall rule id The ID of the rule that matches the firewall session. v9
ips config type The type of the IPS configuration. Valid values are: CONFIG, PROFILE, and UNKNOWN. v9
aws region The AWS region where Secure Access stores your logs. v9
application id The ID of the destination application. v10
casi category ids The name of the Application category to which the App ID belongs. v10
data center The name of the data center that processed the user-generated traffic. v10
organization id The Secure Access organization ID. For more information, see Find Your Organization ID. v10
egress ip The public IP address assigned to a session as it exits the Secure Access ZTA infrastructure en route to the destination application. v12
egress TRUE indicates that the egress IP was a reserved IP. v12
enforced by The Secure Access component or service that enforced the policy or control related to this event (e.g., Firewall, Web Proxy). v12
ftd enforcement id The unique identifier of the enforcement action taken by a Firepower Threat Defense (FTD) device integrated with Secure Access. v12
ftd enforcement name The name or type of enforcement action taken by an FTD device integrated with Secure Access (e.g., Malware Block, URL Category Block). v12
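The following parser is an added example and is not Cisco's code. It takes the field order and release versions from the header row and table above, validates the header of an exported IPS log, infers the lowest schema version consistent with the column count, attaches UTC to every timestamp (the logs are not converted to local time, as noted above), and lists High-severity matches the IPS did not block. The sample log rows, the IDs in them, and the assumption that multi-valued fields (identities, identity types, cves) are comma-separated inside one quoted CSV field are constructed for this example; the RFC 5737 addresses are documentation ranges, not real hosts.

```python
import csv
import io
from datetime import datetime, timezone

# Field names in V12 header order, with the schema version that introduced
# each field, copied from the table on this page. Everything marked
# "assumption" or "constructed" below is not from the page.
IPS_FIELDS = [
    ("timestamp", 8), ("identities", 8), ("identity types", 8),
    ("generator id", 8), ("signature id", 8), ("signature message", 8),
    ("signature list id", 8), ("severity", 8), ("attack classification", 8),
    ("cves", 8), ("ip protocol", 8), ("session id", 8), ("source ip", 8),
    ("source port", 8), ("destination ip", 8), ("destination port", 8),
    ("action", 8),
    ("operation mode", 9), ("policy resource id", 9), ("direction", 9),
    ("firewall rule id", 9), ("ips config type", 9), ("aws region", 9),
    ("application id", 10), ("casi category ids", 10), ("data center", 10),
    ("organization id", 10),
    ("egress IP", 12), ("egress", 12), ("enforced by", 12),
    ("ftd enforcement id", 12), ("ftd enforcement name", 12),
]
HEADER = [name for name, _ in IPS_FIELDS]

# Assumption: multi-valued fields are comma-separated inside one quoted field.
LIST_FIELDS = ("identities", "identity types", "cves")


def min_schema_version(column_count):
    """Lowest schema version whose IPS field count equals column_count.

    No field on this page is tagged v11, so a 27-column log is v10 or v11;
    this returns the lowest consistent version rather than guessing higher.
    """
    for version in sorted({rel for _, rel in IPS_FIELDS}):
        if sum(1 for _, rel in IPS_FIELDS if rel <= version) == column_count:
            return version
    raise ValueError(f"no documented IPS schema has {column_count} columns")


def parse_ips_log(text):
    """Parse a headered IPS CSV log into (schema_version, list_of_events)."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    # Older schemas are strict prefixes of the V12 header, so a mismatch here
    # means the file is not an IPS log or the field order has changed.
    if header != HEADER[: len(header)]:
        raise ValueError("header does not match the documented IPS field order")
    version = min_schema_version(len(header))

    events = []
    for lineno, row in enumerate(reader, start=2):
        if not row:
            continue  # blank trailing line
        if len(row) != len(header):
            raise ValueError(f"line {lineno}: expected {len(header)} fields, got {len(row)}")
        ev = dict(zip(header, row))
        # Timestamps are UTC and are NOT converted to local time, so attach
        # tzinfo explicitly instead of leaving a naive datetime around.
        ev["timestamp"] = datetime.strptime(
            ev["timestamp"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        for name in LIST_FIELDS:
            ev[name] = ev[name].split(",") if ev[name] else []
        for name in ("source port", "destination port"):
            ev[name] = int(ev[name])
        if "egress" in ev:  # v12 only: TRUE means the egress IP was a reserved IP
            ev["egress"] = ev["egress"].strip().upper() == "TRUE"
        events.append(ev)
    return version, events


def high_severity_not_blocked(events):
    """Triage view: High-severity matches the IPS did not block (for example
    would_block while in IDS mode), i.e. where detection-only policy leaves exposure."""
    return [e for e in events if e["severity"] == "High" and e["action"] != "block"]


# Constructed sample log (not real Secure Access output): a V12 header and two
# rows with made-up IDs and RFC 5737 documentation addresses.
SAMPLE_LOG = "\n".join([
    ",".join(HEADER),
    '2024-01-16 17:48:41,"Corp Users,alice@example.com","Group,User",1,2021234,'
    "EXAMPLE-SIG outbound connection,sl-0001,High,trojan-activity,CVE-2024-12345,"
    "TCP,sess-0001,10.1.2.3,51234,203.0.113.10,443,block,IPS,sl-0001,C2S,"
    "fwrule-0007,CONFIG,us-west-2,app-0042,cat-0001,dc-sjc,1234567,"
    "198.51.100.5,TRUE,Firewall,,",
    "2024-01-16 17:49:02,bob@example.com,User,1,2051111,"
    "EXAMPLE-SIG attempted user privilege gain,sl-0001,High,attempted-user,,"
    "UDP,sess-0002,10.1.2.4,40000,203.0.113.20,53,would_block,IDS,sl-0001,S2C,"
    "fwrule-0007,PROFILE,us-west-2,app-0007,cat-0002,dc-sjc,1234567,"
    "198.51.100.5,FALSE,Web Proxy,,",
])

if __name__ == "__main__":
    version, events = parse_ips_log(SAMPLE_LOG)
    print(f"schema v{version}, {len(events)} events")
    for e in high_severity_not_blocked(events):
        print("NOT BLOCKED:", e["timestamp"].isoformat(), e["session id"], e["signature message"])
```

Because the header check accepts any prefix of the V12 field order, the same parser reads v8 through v12 exports; fields added after the log's version are simply absent from each event dictionary, so downstream code should test for a key (as done for egress) rather than assume it exists.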