Connection Event
Connection Events are generated when the system detects a connection. These events record a variety of information about the connection depending on the type of connection.
You can request fully-qualified connection events from the eStreamer service by including a "ConnectionEvent" section in the request JSON file. This section must specify the requested fields. The following fields may be requested for connection events:
-
[FirewallRuleList]
List which contains the firewall rule which triggered the event and all other matching monitor rules.
-
[MonitorRule]
List of all Access Control rules which match the event.
-
[MonitorRuleID]
List of the ID numbers for the monitor rules which match the event.
-
AC_RuleAction
The action associated with the configuration that logged the connection.
For Security Intelligence-monitored connections, the action is that of the first non-Monitor access control rule triggered by the connection, or the default action. Similarly, because traffic matching a Monitor rule is always handled by a subsequent rule or by the default action, the action associated with a connection logged due to a Monitor rule is never Monitor. However, you can still trigger correlation policy violations on connections that match Monitor rules.
Action | Description
Allow | Connections either allowed by access control explicitly, or allowed because a user bypassed an interactive block.
Block, Block with reset | Blocked connections, including: tunnels and other connections blocked by the prefilter policy; connections blocked by Security Intelligence; encrypted connections blocked by an SSL policy; connections where an exploit was blocked by an intrusion policy; connections where a file (including malware) was blocked by a file policy. For connections where the system blocks an intrusion or file, the system displays Block, even though you use access control Allow rules to invoke deep inspection.
Fastpath | Non-encrypted tunnels and other connections fastpathed by the prefilter policy.
Interactive Block, Interactive Block with reset | Connections logged when the system initially blocks a user’s HTTP request using an Interactive Block rule. If the user clicks through the warning page that the system displays, additional connections logged for the session have an action of Allow.
Trust | Connections trusted by access control. The system logs trusted TCP connections differently depending on the device model.
Default Action | Connections handled by the access control policy's default action.
(Blank/empty) | The connection closed before enough packets had passed to match a rule. This can happen only if a facility other than access control, such as intrusion prevention, causes the connection to be logged.
-
AC_RuleActionID
ID number of the access control rule action.
-
AC_RuleReason
The reason or reasons the connection was logged, in many situations. For a full list, see Connection Event Reasons.
Connections with a Reason of IP Block, DNS Block, and URL Block have a threshold of 15 seconds per unique initiator-responder pair. After the system blocks one of those connections, it does not generate connection events for additional blocked connections between those two hosts for the next 15 seconds, regardless of port or protocol.
-
AC_RuleReasonID
ID number of the Access Control Rule reason.
-
Application
The application protocol, if available, which represents communications between hosts detected in the traffic that triggered the intrusion event.
-
ApplicationID
ID number of the application.
-
ApplicationProductivityIndex
Business relevance of the application. Values may be:
-
1 - Very Low
-
2 - Low
-
3 - Medium
-
4 - High
-
5 - Very High
-
ApplicationProtocolNegotiations
TLS value used to negotiate protocols for data transfer. This value is defined in RFC 7301.
-
ApplicationRiskIndex
The risk associated with detected applications in the traffic that triggered the intrusion event: Very High, High, Medium, Low, and Very Low. Each type of application detected in a connection has an associated risk; this field displays the highest risk of those.
-
AuthenticationSource
Type of authentication used by the user. Values may be:
-
0 - no authorization required
-
1 - passive authentication, AD agent, or ISE session
-
2 - captive portal successful authentication
-
3 - captive portal guest authentication
-
4 - captive portal failed authentication
-
ClientAppDetector
The sensor which detected the client.
-
ClientAppDetectorID
ID of the sensor which detected the client.
-
ClientApplication
Name of the client application.
-
ClientApplicationID
The internal identification number for the client application, if applicable.
-
ClientApplicationProductivityIndex
Business relevance of the application. Values may be:
-
1 - Very Low
-
2 - Low
-
3 - Medium
-
4 - High
-
5 - Very High
-
ClientApplicationRiskIndex
Risk value of the client application. Values may be:
-
1 - Very Low
-
2 - Low
-
3 - Medium
-
4 - High
-
5 - Very High
-
ClientApplicationVersion
The client application and version of that client detected in the connection.
If the system cannot identify the specific client used in the connection, the field displays the word "client" appended to the application protocol name to provide a generic name, for example, FTP client.
-
ConnectionDuration
This field exists ONLY as a syslog field; it does not exist in the Firepower Management Center web interface. (The web interface conveys this information using the First Packet and Last Packet columns.)
This field has a value only when logging occurs at the end of the connection. For a start-of-connection syslog message, this field is not output, as it is not known at that time.
For an end-of-connection syslog message, this field indicates the number of seconds between the first packet and the last packet, which may be zero for a short connection. For example, if the timestamp of the syslog is 12:34:56 and the ConnectionDuration is 5, then the first packet was seen at 12:34:51.
-
ConnectionID
A unique identifier for the connection with the server.
-
Context
The metadata identifying the virtual firewall group through which the traffic passed. The system only populates this field for ASA FirePOWER in multiple context mode.
-
DestinationIP_DynamicAttribute
Dynamic Attributes associated with the destination IP address.
-
DestinationSecurityGroup
This field holds the text value associated with the numeric value in DestinationSecurityGroupTag, if available. If the group name is not available as a text value, then this field contains the same integer value as the DestinationSecurityGroupTag field.
-
Device
In the Firepower Management Center web interface, this value constrains summaries and graphs.
The managed device that detected the connection or, for connections generated from NetFlow data, the managed device that processed the data.
-
DeviceIP
IP address of the device that detected the event.
-
DeviceSerialNumber
Serial number of the device that detected the event.
-
DeviceUUID
The unique identifier of the Firepower device that generated an event.
The following fields collectively uniquely identify a connection event: DeviceUUID, First Packet Time, Connection Instance ID, and Connection Counter.
-
DNS_Query
The DNS query submitted in a connection to the name server to look up a domain name.
This field can also hold the domain name for URL filtering matches when DNS filtering is enabled. In this case, the URL field will be blank and the URL Category and URL Reputation fields contain the values associated with the domain.
For more information about DNS filtering, see DNS Filtering: Identify URL Reputation and Category During DNS Lookup.
-
DNS_RecordDescription
Description of the DNS Record.
-
DNS_RecordType
The type of the DNS resource record used to resolve a DNS query submitted in a connection.
-
DNS_RecordTypeID
ID number associated with the DNS Record Type.
-
DNS_ResponseType
The type of the DNS resource record used to resolve a DNS query submitted in a connection.
-
DNS_ResponseTypeID
ID number associated with the DNS Response Type.
-
DNS_Sinkhole
The name of the sinkhole server where the system redirected a connection.
-
DNS_SinkholeUUID
The UUID of the sinkhole server where the system redirected a connection.
-
DNS_TTL
The number of seconds a DNS server caches the DNS resource record.
-
Domain
The domain of the managed device that detected the connection or, for connections generated from NetFlow data, the domain of the managed device that processed the data. This field is only present if you have ever configured the FMC for multitenancy.
-
DynamicAttributes
List of dynamic attributes available for security policies.
-
EgressInterface
The ingress or egress interface associated with the connection. If your deployment includes an asymmetric routing configuration, the ingress and egress interface may not belong to the same inline pair.
-
EgressInterfaceUUID
An interface ID that acts as the unique identifier for the egress interface associated with the correlation event.
-
EgressVRF
In networks using virtual routing, the names of the virtual routers through which traffic entered and exited the network.
-
EgressZone
The ingress or egress security zone associated with the connection.
-
EgressZoneUUID
A zone ID that acts as the unique identifier for the egress security zone associated with the correlation event.
-
EndpointProfile
The user's endpoint device type, as identified by ISE.
-
EndpointProfileID
ID number of the type of device used by the connection endpoint as identified by ISE. This is unique for each DC and resolved in metadata.
-
EVE_Fingerprint EVE_Process
The TLS fingerprint detected by the Encrypted Visibility Engine (EVE) for the session.
-
EVE_ProcessConfidencePct
The confidence value in the range 0-100% that the encrypted visibility engine has detected the right process. For example, if the process name is Firefox and if the confidence score is 80%, it means that the engine is 80% confident that the process it has detected is Firefox.
-
EVE_ThreatConfidenceIndex
The probability level that the process detected by the encrypted visibility engine contains a threat. This field indicates the bands (Very High, High, Medium, Low, or Very Low) based on the value in the threat confidence score.
-
EVE_ThreatConfidencePct
The confidence value in the range 0-100% that the process detected by the encrypted visibility engine contains a threat. If the threat confidence score is very high, say 90%, then the Encrypted Visibility Process Name field displays "Malware."
-
EventPriority
Whether or not the connection event is a high priority event. High priority events are connection events that are associated with an intrusion, Security Intelligence, file, or malware event. All other events are Low priority.
-
EventSecond
UNIX timestamp (seconds since 01/01/1970) of the event’s detection.
-
EventSubtype
The sub-type of malware event.
-
FileCount
The number of files (including malware files) detected or blocked in a connection associated with one or more file events.
-
FirewallPolicy
Name of the access control policy.
-
FirewallPolicyUUID
UUID of the access control policy.
-
FirewallRule
Access control rule that created the connection event.
-
FirewallRuleID
A rule ID number that acts as a unique identifier for the access control rule.
-
FirstPacketSecond
UNIX timestamp of the date and time the first packet was exchanged in the session.
-
Hostname
Domain name of the detected HTTP request.
-
HTTP_Referer
The HTTP referrer, which represents the referrer of a requested URL for HTTP traffic detected in the connection (such as a website that provided a link to, or imported a link from, another URL).
-
HTTP_Response
The HTTP status code sent in response to a client's HTTP request over a connection.
-
ICMP_Code
In the Firepower Management Center web interface, these values constrain summaries and graphs.
The port or ICMP code used by the session responder.
-
ICMP_Type
In the Firepower Management Center web interface, these values constrain summaries and graphs.
The port or ICMP type used by the session initiator.
-
IngressInterface
The ingress or egress interface associated with the connection. If your deployment includes an asymmetric routing configuration, the ingress and egress interface may not belong to the same inline pair.
-
IngressInterfaceUUID
An interface ID that acts as the unique identifier for the ingress interface associated with the correlation event.
-
IngressVRF
In networks using virtual routing, the names of the virtual routers through which traffic entered and exited the network.
-
IngressZone
The ingress or egress security zone associated with the connection.
For rezoned encapsulated connections, the ingress field displays the tunnel zone you assigned, instead of the original ingress security zone. The egress field is blank.
-
IngressZoneUUID
A zone ID that acts as the unique identifier for the ingress security zone associated with the correlation event.
-
InitiatorBytes
The total number of bytes transmitted by the session initiator or received by the session responder.
-
InitiatorBytesDropped
The number of bytes dropped from the session initiator or session responder due to rate limiting.
-
InitiatorContinent
When a routable IP is detected, the continent associated with the IP address for the session initiator or responder.
-
InitiatorContinentCode
ISO-3166 code for the continent of the source host.
-
InitiatorCountry
When a routable IP is detected, the country associated with the IP address of the session initiator or responder. The system displays an icon of the country’s flag, and the country’s ISO 3166-1 alpha-3 country code. Hover your pointer over the flag icon to view the country’s full name.
-
InitiatorCountryCode
Code for the country of the source host.
-
InitiatorCountryID
ISO-3166 value for the country of the initiating host.
-
InitiatorIP
In the Firepower Management Center web interface, these values constrain summaries and graphs.
The IP address (and host name, if DNS resolution is enabled) of the session initiator or responder.
See also A Note About Initiator/Responder, Source/Destination, and Sender/Receiver Fields.
In the Firepower Management Center web interface, the host icon identifies the IP address that caused the connection to be blocked.
For plaintext, passthrough tunnels either blocked or fastpathed by the prefilter policy, initiator and responder IP addresses represent the tunnel endpoints—the routed interfaces of the network devices on either side of the tunnel.
-
InitiatorPackets
The total number of packets transmitted by the session initiator or received by the session responder.
-
InitiatorPacketsDropped
The number of packets dropped from the session initiator or session responder due to rate limiting.
-
InitiatorPort
Port used by the initiating host.
-
InstanceID
Numerical ID of the Snort instance on the managed device that generated the event.
-
IntrusionCount
Number of intrusions that have been triggered by this connection.
-
IOC_Count
Number of indications of compromise that have been triggered by this connection.
-
ManagerName
Name of the Secure Firewall Management Center which detected the event.
-
ManagerUUID
UUID of the Secure Firewall Management Center which detected the event.
-
MatchedRule
The specific rule which triggered the event.
-
NAP_Policy
The network analysis policy (NAP), if any, associated with the generation of the event.
-
NAP_PolicyUUID
The UUID of the Network Analysis Policy that created the intrusion event.
-
NAT_InitiatorIP
The NAT translated IP address of the session initiator or responder.
-
NAT_InitiatorPort
The NAT translated port of the session initiator or responder.
-
NAT_ResponderIP
The NAT translated IP address of the session initiator or responder.
-
NAT_ResponderPort
The NAT translated port of the session initiator or responder.
-
NetBIOS_Domain
The NetBIOS domain used in the session.
-
NetflowDestinationAS
For connections generated from NetFlow data, the border gateway protocol autonomous system number for the source or destination of traffic in the connection.
-
NetflowDestinationTOS
For connections generated from NetFlow data, the setting for the type-of-service (TOS) byte when connection traffic entered or exited the NetFlow exporter.
-
NetflowSNMP_In
For connections generated from NetFlow data, the interface index for the interface where connection traffic entered or exited the NetFlow exporter.
-
NetflowSNMP_Out
For connections generated from NetFlow data, the interface index for the interface where connection traffic entered or exited the NetFlow exporter.
-
NetflowSourceAS
For connections generated from NetFlow data, the border gateway protocol autonomous system number for the source or destination of traffic in the connection.
-
NetflowSourceTOS
For connections generated from NetFlow data, the setting for the type-of-service (TOS) byte when connection traffic entered or exited the NetFlow exporter.
-
NetmapID
The first bit of this field is a flag indicating whether the header is an extended header containing an archive timestamp. The remaining 15 bits are an optional field containing the Netmap ID for the domain on which the event was detected. If this field is not used, it is left empty. Netmap IDs map to domains as provided in metadata.
-
OriginalInitiatorIP
Contains the IP address of the original initiator of the connection.
-
PrefilterPolicy
The prefilter policy that handled the connection.
-
Protocol
In the Firepower Management Center web interface:
-
This value constrains summaries and graphs.
-
This field is available only as a search field.
The transport protocol used in the connection. To search for a specific protocol, use the protocol name or number as listed in http://www.iana.org/assignments/protocol-numbers.
-
ProtocolID
IANA protocol number specified by the user.
-
QOS_AppliedInterface
For rate-limited connections, the name of the interface where you applied rate limiting.
-
QOS_Policy
The QoS policy that rate limited the connection.
-
QOS_Rule
The QoS rule that rate limited the connection.
-
QOS_RuleID
Internal ID number of the Quality of Service rule applied to the connection, if applicable.
-
RealmID
The ID number of the realm. This field is the unique key for this record.
-
ReferencedHost
If the protocol in the connection is HTTP or HTTPS, this field displays the host name that the respective protocol was using.
-
ResponderBytes
The total number of bytes transmitted by the session initiator or received by the session responder.
-
ResponderBytesDropped
The number of bytes dropped from the session initiator or session responder due to rate limiting.
-
ResponderContinent
When a routable IP is detected, the continent associated with the IP address for the session initiator or responder.
-
ResponderContinentCode
ISO-3166 Code for the continent of the destination host.
-
ResponderCountry
When a routable IP is detected, the country associated with the IP address of the session initiator or responder. The system displays an icon of the country’s flag, and the country’s ISO 3166-1 alpha-3 country code. Hover your pointer over the flag icon to view the country’s full name.
-
ResponderCountryCode
ISO-3166 code for the country of the destination host.
-
ResponderCountryID
Code for the country of the destination host.
-
ResponderIP
In the Firepower Management Center web interface, these values constrain summaries and graphs.
The IP address (and host name, if DNS resolution is enabled) of the session initiator or responder.
See also A Note About Initiator/Responder, Source/Destination, and Sender/Receiver Fields.
In the Firepower Management Center web interface, the host icon identifies the IP address that caused the connection to be blocked.
For plaintext, passthrough tunnels either blocked or fastpathed by the prefilter policy, initiator and responder IP addresses represent the tunnel endpoints—the routed interfaces of the network devices on either side of the tunnel.
-
ResponderPackets
The total number of packets transmitted by the session initiator or received by the session responder.
-
ResponderPacketsDropped
The number of packets dropped from the session initiator or session responder due to rate limiting.
-
ResponderPort
Port used by the responding host.
-
SecurityGroupID
ID number assigned to the user by ISE based on policy.
-
SensorID
The identification number of the detecting managed device.
-
SI_Layer
The IP layer that matched the IP block list.
-
SourceIP_DynamicAttribute
Dynamic Attributes associated with the source IP address.
-
SourceSecurityGroupTagType
How the Source Security Group Tag was assigned:
-
0 — Unknown
-
1 — Inline
-
2 — Session Directory
-
3 — Security Group Tag Exchange Protocol (SXP)
-
SSL_ActualAction
In the Firepower Management Center web interface, this field is a search field only.
The system displays field values in the SSL Status field on search workflow pages.
The action the system applied to encrypted traffic in the SSL policy.
Action | Description
Block/Block with reset | Represents blocked encrypted connections.
Decrypt (Resign) | Represents an outgoing connection decrypted using a re-signed server certificate.
Decrypt (Replace Key) | Represents an outgoing connection decrypted using a self-signed server certificate with a substituted public key.
Decrypt (Known Key) | Represents an incoming connection decrypted using a known private key.
Default Action | Indicates the connection was handled by the default action.
Do not Decrypt | Represents a connection the system did not decrypt.
-
SSL_ActualActionID
Code for the action performed on the connection based on the SSL Rule.
-
SSL_Cert
The information stored on the public key certificate used to encrypt traffic, including:
-
Subject/Issuer Common Name
-
Subject/Issuer Organization
-
Subject/Issuer Organization Unit
-
Not Valid Before/After
-
Serial Number
-
Certificate Fingerprint
-
Public Key Fingerprint
-
SSL_CertFingerprint
SHA1 hash of the SSL Server certificate.
-
SSL_CipherSuite
A macro value representing a cipher suite used to encrypt the connection. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml for cipher suite value designations.
-
SSL_ExpectedAction
In the Firepower Management Center web interface, this field is a search field only.
The action the system expected to apply to encrypted traffic, given the SSL rule in effect.
Enter any of the values listed for SSL Actual Action.
-
SSL_FlowError
The error name and hexadecimal code if an error occurred during the TLS/SSL session; Success if no error occurred.
-
SSL_FlowFlags
The first ten debugging level flags for an encrypted connection. On a workflow page, to view all flags, click the ellipsis (...).
-
SSL_FlowMessages
The keywords below indicate encrypted traffic is associated with the specified message type exchanged between client and server during the TLS/SSL handshake. See http://tools.ietf.org/html/rfc5246 for more information.
-
HELLO_REQUEST
-
CLIENT_ALERT
-
SERVER_ALERT
-
CLIENT_HELLO
-
SERVER_HELLO
-
SERVER_CERTIFICATE
-
SERVER_KEY_EXCHANGE
-
CERTIFICATE_REQUEST
-
SERVER_HELLO_DONE
-
CLIENT_CERTIFICATE
-
CLIENT_KEY_EXCHANGE
-
CERTIFICATE_VERIFY
-
CLIENT_CHANGE_CIPHER_SPEC
-
CLIENT_FINISHED
-
SERVER_CHANGE_CIPHER_SPEC
-
SERVER_FINISHED
-
NEW_SESSION_TICKET
-
HANDSHAKE_OTHER
-
APP_DATA_FROM_CLIENT
-
APP_DATA_FROM_SERVER
-
SERVER_NAME_MISMATCH
The server certificate seen in the session has a Common Name or SAN values not corresponding to the destined domain name.
-
CERTIFICATE_CACHE_HIT
A certificate matching the destined domain name was found in the cache.
-
CERTIFICATE_CACHE_MISS
A certificate matching the destined domain name was not found in the cache.
-
SSL_FlowStatus
The reason the system failed to decrypt encrypted traffic:
-
Unknown
-
No Match
-
Success
-
Uncached Session
-
Unknown Cipher Suite
-
Unsupported Cipher Suite
-
Unsupported SSL Version
-
SSL Compression Used
-
Session Undecryptable in Passive Mode
-
Handshake Error
-
Decryption Error
-
Pending Server Name Category Lookup
-
Pending Common Name Category Lookup
-
Internal Error
-
Incomplete Handshake
-
Network Parameters Unavailable
-
Invalid Server Certificate Handle
-
Server Certificate Fingerprint Unavailable
-
Cannot Cache Subject DN
-
Cannot Cache Issuer DN
-
Unknown SSL Version
-
External Certificate List Unavailable
-
External Certificate Fingerprint Unavailable
-
Internal Certificate List Invalid
-
Internal Certificate List Unavailable
-
Internal Certificate Unavailable
-
Internal Certificate Fingerprint Unavailable
-
Server Certificate Validation Unavailable
-
Server Certificate Validation Failure
-
Invalid Action
-
SSL_Policy
The SSL policy that handled the connection.
If TLS server identity discovery is enabled in the access control policy advanced settings, and there is no SSL policy associated with the access control policy, this field holds none for all SSL events.
-
SSL_PolicyUUID
The UUID of the SSL Policy. This field is the unique key for this record.
-
SSL_Rule
The SSL rule or default action that handled the connection, as well as the first Monitor rule matched by that connection. If the connection matched a Monitor rule, the field displays the name of the rule that handled the connection, followed by the Monitor rule name.
-
SSL_RuleID
ID number of the SSL rule or default action that handled the connection.
-
SSL_Server
Hostname of the server with which the client established an encrypted connection.
-
SSL_ServerCertStatus
The SSL Server Certificate Status Number. This field is the unique key for this record.
-
SSL_SessionID
The hexadecimal Session ID negotiated between the client and server during the TLS/SSL handshake.
-
SSL_TicketID
A hexadecimal hash value of the session ticket information sent during the TLS/SSL handshake.
-
SSL_URL_Category
URL categories for the URL visited in the encrypted connection.
This field exists ONLY as a syslog field; in the Firepower Management Center web interface, values in this field are included in the URL Category column.
-
SSL_Version
The TLS/SSL protocol version used to encrypt the connection:
-
Unknown
-
SSLv2.0
-
SSLv3.0
-
TLSv1.0
-
TLSv1.1
-
TLSv1.2
-
TLSv1.3
-
SSL_VersionID
SSL Version ID number. This field is the unique key for this record.
-
TCP_Flags
For connections generated from NetFlow data, the TCP flags detected in the connection.
When searching this field, enter a list of comma-separated TCP flags to view all connections that have at least one of those flags.
-
TunnelRule
The tunnel rule, prefilter rule, or prefilter policy default action that handled the connection.
-
TunnelRuleID
Internal identifier for the tunnel rule that triggered the event, if applicable.
-
URL
The URL requested by the monitored host during the session and its associated category and reputation, if available.
-
URL_Category
For an event to display URL category and reputation, you must include the applicable URL rules in an access control policy and configure the rule with URL category and URL reputation under the URLs tab.
URL category and reputation do not appear in an event if the connection is processed before it matches a URL rule.
-
URL_CategoryID
ID number of the URL category. This field is the unique key for this record.
-
URL_Reputation
For an event to display URL category and reputation, you must include the applicable URL rules in an access control policy and configure the rule with URL category and URL reputation under the URLs tab.
URL category and reputation do not appear in an event if the connection is processed before it matches a URL rule.
-
URL_ReputationLevel
Reputation level assigned to the URL. This value is from 1 to 5, with 1 being untrusted and 5 being trusted.
-
UserAgent
The user-agent string application information extracted from HTTP traffic detected in the connection.
-
UserID
Internal identification number for the user who last logged into the host that generated the traffic.
-
UserName
The username associated with the IP address of the host that initiated the connection, which may or may not be the source host of the exploit. This user value is typically known only for users on your network.
-
UserProtocol
IANA protocol number specified by the user.
-
VLAN_ID
The innermost VLAN ID associated with the packet that triggered the connection.
-
WebApplication
The web application, which represents the content or requested URL for HTTP traffic detected in the connection.
If the web application does not match the URL for the event, the traffic is probably referred traffic, such as advertisement traffic. If the system detects referred traffic, it stores the referring application (if available) and lists that application as the web application.
If the system cannot identify the specific web application in HTTP traffic, this field displays Web Browsing.
-
WebApplicationHTTP
If the system detects an application protocol of HTTP but cannot detect a specific web application, the system supplies a generic web browsing designation instead.
-
WebApplicationID
The internal identification number of the detected web application, if applicable.
-
WebApplicationProductivityIndex
Criteria that characterize the application to help you understand the application's function.
-
ZeroTrustApplication
The Zero Trust Application detected in the event.
-
ZeroTrustApplicationGroup
The Zero Trust Application Group to which the Zero Trust Application belongs.
-
ZeroTrustApplicationPolicy
The Zero Trust Application policy triggered by the event.
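Because of the 15-second threshold described under AC_RuleReason, a raw count of IP Block, DNS Block and URL Block events understates how often a host retried a blocked destination. The following is an added example, not Cisco code, that groups such events by initiator-responder pair and reports how long logging was suppressed and how many events arrived back to back. It assumes events are already decoded into dicts keyed by the field names above, that EventSecond marks the start of each suppression window, and that multiple reasons are comma-separated; the function names, the `slack` parameter and the sample records are constructed.

```python
from collections import defaultdict

# Reasons the page lists as thresholded: one event per initiator-responder
# pair, then 15 seconds with no further events for that pair.
THRESHOLDED_REASONS = {"IP Block", "DNS Block", "URL Block"}
SUPPRESSION_SECONDS = 15


def is_thresholded(event):
    """True if AC_RuleReason contains one of the thresholded block reasons.

    Assumption: several reasons arrive as one comma-separated string.
    """
    reasons = (event.get("AC_RuleReason") or "").split(",")
    return any(r.strip() in THRESHOLDED_REASONS for r in reasons)


def summarize_blocked_pairs(events, slack=5):
    """Summarize thresholded block events per (InitiatorIP, ResponderIP).

    events        - number of connection events actually logged
    unlogged_secs - seconds in which further blocked connections between
                    the pair would not have produced an event
    longest_run   - longest chain of events whose gaps are at most
                    15 s + slack, i.e. the host retried almost as soon
                    as logging resumed (slack is a hypothetical tunable)
    """
    by_pair = defaultdict(list)
    for ev in events:
        if is_thresholded(ev):
            pair = (ev["InitiatorIP"], ev["ResponderIP"])
            by_pair[pair].append(int(ev["EventSecond"]))

    summary = {}
    for pair, times in by_pair.items():
        times.sort()
        unlogged = 0
        window_end = times[0]
        run = longest = 1
        for i, t in enumerate(times):
            end = t + SUPPRESSION_SECONDS
            # Count only the part of this window not already covered,
            # in case two devices logged the same pair close together.
            unlogged += max(0, end - max(t, window_end))
            window_end = max(window_end, end)
            if i > 0:
                gap = t - times[i - 1]
                run = run + 1 if gap <= SUPPRESSION_SECONDS + slack else 1
                longest = max(longest, run)
        summary[pair] = {
            "events": len(times),
            "unlogged_secs": unlogged,
            "longest_run": longest,
        }
    return summary


# Constructed sample records (not real telemetry).
T0 = 1700000000
SAMPLE_EVENTS = [
    # Host retrying a blocked name continuously: one event every ~16 s.
    {"InitiatorIP": "10.0.0.5", "ResponderIP": "203.0.113.10",
     "AC_RuleAction": "Block", "AC_RuleReason": "DNS Block", "EventSecond": T0},
    {"InitiatorIP": "10.0.0.5", "ResponderIP": "203.0.113.10",
     "AC_RuleAction": "Block", "AC_RuleReason": "DNS Block", "EventSecond": T0 + 16},
    {"InitiatorIP": "10.0.0.5", "ResponderIP": "203.0.113.10",
     "AC_RuleAction": "Block", "AC_RuleReason": "DNS Block", "EventSecond": T0 + 32},
    {"InitiatorIP": "10.0.0.5", "ResponderIP": "203.0.113.10",
     "AC_RuleAction": "Block", "AC_RuleReason": "DNS Block", "EventSecond": T0 + 49},
    # Two isolated blocks ten minutes apart.
    {"InitiatorIP": "10.0.0.7", "ResponderIP": "198.51.100.20",
     "AC_RuleAction": "Block", "AC_RuleReason": "IP Block", "EventSecond": T0},
    {"InitiatorIP": "10.0.0.7", "ResponderIP": "198.51.100.20",
     "AC_RuleAction": "Block", "AC_RuleReason": "IP Block", "EventSecond": T0 + 600},
    # Allowed connection with no reason: ignored by the summary.
    {"InitiatorIP": "10.0.0.9", "ResponderIP": "192.0.2.80",
     "AC_RuleAction": "Allow", "AC_RuleReason": "", "EventSecond": T0 + 5},
]

if __name__ == "__main__":
    for pair, stats in summarize_blocked_pairs(SAMPLE_EVENTS).items():
        print(pair, stats)
```

A long `longest_run` with gaps close to 15 seconds indicates the event count is a floor, not a measure of attempts; correlate such pairs with DNS_Query or URL to see what the host keeps requesting.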