Attributes List
The contents of the majority of attributes are normalized to lower case. However, for some attributes you may wish to view the original string as entered by the user. Attributes listed with “Original” in parentheses are available in normalized and original form.
Adware
The name of the adware block.
AMP Threat Name
The name of the malware detected and blocked by AMP.
Application Activity
The activity or web application.
Application Name
The name of the web application.
Application Name With Unclassified
The name of the web application or an unclassified result.
Block Type
The pattern, specified in the filter, that generated the block. It can be one of the following:
- adware
- amp_malware
- category (HTTP)
- category (HTTPS)
- content type
- domain/URL
- file type
- phishing
- possibly unwanted applications (PUAs)
- spyware
- virus
- webrep
Note: If more than one pattern is matched, the value of Block Pattern will be “multiple patterns.”
Block Value
The string that matched the block pattern. It can be one of the following:
- adware name
- AMP threat name
- category name
- full URL
- MIME type
- name of the content type
- name of the file type
- phishing name
- possibly unwanted application (PUA) name
- spyware name
- virus name
- webrep name
Note: Where the block was generated by an exception or by more than one pattern, the value of Block String will be “multiple strings.”
Category
The web filtering category.
When changes are made to the categories, existing customer data is not migrated. When creating reports, you must include the old and new category names with the “Category in list” filter to ensure that all the results are returned. Composite reports do not need to be updated because they will inherit the settings of the included reports.
Pre-defined reports are updated for you. For example, the “User Analysis” report “Where were the Top 10 Users browsing in the Categories Shopping, Music, Cinema/TV and Sport” originally included the filter “Category in list music, cinema/tv, online shopping, sports.” It now includes the filter “Category in list music, cinema/tv, online shopping, sports, entertainment, shopping, sports and recreation.”
Cipher Suite
Authentication and encryption types, e.g. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256.
Company Name
Name of the company associated with the data traffic.
Company/Group
Group for the company users, e.g. Active Directory.
Company/User
User associated with the given data traffic.
Connector ID
ID of the Connector software being used to monitor users, e.g. AnyConnect.
Connector Mode
The mode reported by Connector.
Connector OS Name (Original)
The name of the operating system reported by Connector.
Connector OS Version (Original)
The version of the operating system reported by Connector.
Connector ReUse ID
Flag specifying the reuse of the user authentication headers associated with a given connector in TCP connections.
Connector Version
Logs the version of Connector used to embed the directory information. Can be used to easily find out which versions of Connector are deployed in your environment.
Content SHA256
A SHA256 hash of the content sent to or uploaded by the user.
Country Dst Code
The two-letter ISO code of the country where the web server is located, derived from its IP address.
Country Src Code
The two-letter ISO code of the country where the client web browser is located, derived from its IP address.
Day of Month
Used for time series plotting (1 to 31).
Day of Week
Used for time series plotting (monday to sunday).
Destination IP
The IP address of the remote web server.
Domain Username (Original)
The username under which the user is logged in to the domain.
External IP
The IP address that Cisco Cloud Web Security gets from the customer (also known as the egress IP address), for example 192.0.2.0. Alternatively, the subnet of the IP address that Cisco Cloud Web Security gets from the customer (also known as the egress IP address subnet), for example 192.0.2.0/24.
forwarded for
IP address used to locate the origin of a request. For example, if there is no DC in Africa, users there connect to Brazil and are forwarded. This attribute identifies that the user requests actually originated in Africa.
Group (Original)
The name of the directory group logged, for example WinNT://US\SALES.
Note: Multiple directory groups can be logged for each user.
Group Domain
The name of the domain logged for the user.
Group Name Part (Original)
The name of the directory group (not including either LDAP://<domain> or WinNT://<domain>), for example, for WinNT://US\SALES, the group name part is SALES.
Host (Original)
The host part of the URL string, for example, for news.example.com/sport, the host is news.example.com.
Note: Hosts are case insensitive.
Hour
Used for time series plotting.
Inbound File Extension
The file extension part of any inbound URL using the HTTP(S) protocol, for example, for index.html the file extension is html.
Inbound File Name
The filename part of any inbound URL using the HTTP(S) protocol, for example, index.html.
Internal IP
The IP address the Connector sees from the internal user, for example 192.168.2.10. Alternatively, the IP address subnet that the Connector sees from the internal user, for example 192.0.2.0/24.
Note: If an internal user is routed through a NAT device before reaching the internal proxy, the IP address, or subnet, that arrives at the Connector is logged.
Malware
The name of the malware block.
Minute
Used for time series plotting (00 to 59).
Month
Used for time series plotting (january to december).
Outbound File Extension
The file extension part of any outbound POST using the HTTP(S) protocol, for example for resume.doc the file extension is doc.
Outbound File Name
The filename part of any outbound POST using the HTTP(S) protocol, for example resume.doc.
Path
The path part of the URL string, for example, for news.example.com/sport, the path is /sport.
Pattern Name
See the Block Value attribute.
Pattern Type
See the Block Type attribute.
Phishing
The name of the phishing block.
Policy Violation
The block value where a web filtering rule resulted in a block.
Port
Port number of web request, for example, 80 or 443.
Protocol
- FTP
- HTTP
- HTTPS
PUA
Possibly Unwanted Application name.
Query
The query part of the URL string, for example, for http://www.example.com/search?hl=en&q=free+screensavers&btnG=Example+Search&meta=&aq=f&oq=, the query is hl=en&q=free+screensavers&btnG=Example+Search&meta=&aq=f&oq=.
Note: Using this attribute will increase the time that reports take to generate by a considerable amount.
Referrer Host (Original)
The host part of the referrer URL string, for example, for news.example.com/sport, the host is news.example.com.
Referrer Path
The path part of the referrer URL string, for example, for news.example.com/sport, the path is /sport.
Referrer Port
Port number of referrer, for example 80 or 443.
Referrer Protocol
- FTP
- HTTP
- HTTPS
Referrer Query
The query part of the referrer URL string, for example, for http://www.example.com/search?hl=en&q=free+screensavers&btnG=Example+Search&meta=&aq=f&oq=, the query is hl=en&q=free+screensavers&btnG=Example+Search&meta=&aq=f&oq=.
Referrer Second Level Domain
Normally the referrer organization, for example, in www.example.com, the second level domain is example.
Referrer Top Level Domain
Normally the last part of the referrer domain, for example, com, net, org, gov, and co.uk.
Referrer URL (Original)
The full referrer URL string.
Request Content MD5
The MD5 checksum of the user request.
Request Content Type (Original)
The request MIME type, for example, image/gif, application/pdf, text/html, application/EDI-X12.
Request Major Content Type
The type of request content, for example, if the response content type is application/pdf, then the corresponding major content type is application. Examples include:
- application
- audio
- image
- text
- video
Request Method (Original)
- CONNECT
- GET
- POST
Request Version (Original)
The request version, for example, HTTP/1.0 or HTTP/1.1.
Response Content Type (Original)
The response MIME type, for example, image/gif, application/pdf, text/html, application/EDI-X12.
Response Major Content Type
The type of response content, for example, if the response content type is application/pdf, the corresponding major content type is application. Examples include:
- application
- audio
- image
- text
- video
Response Status Code
Enables you to filter by the response status code, for example, to find all web requests to pages that did not exist, you can filter by 404. More information on status codes can be found at http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html.
Response Version (Original)
The response version, for example, HTTP/1.0 or HTTP/1.1.
Risk Class
The superclass under which the risk is grouped:
- possible business usage
- possible productivity reduction
- heavy bandwidth usage
- potential legal liability
- potential security risk
Rule Action
There are five rule actions you can choose from:
- allow
- authenticate
- block
- warn
- inspect
Note: If a website does not respond to a request, no Rule Action is assigned, but the request is still stored.
Rule Engine
The rule engine that generated the rule action:
- policy evaluator
- scanlet
Rule Name (Original)
The Cisco ScanCenter policy rule name.
Rule Stage
The part where the rule was applied, e.g. response_headers, response_body_start, reqmod.
Second Level Domain
Typically the organization, for example, in www.example.com, the second level domain is example.
SHA256 Source
Indicates whether the Content SHA256 is a hash of the HTTP request post data or response data: request, response, or N/A.
Spyware
The name of the spyware block.
Threat Type
Each record can include multiple threat types from the following:
- adware
- category
- content type
- extension
- file match
- filter protocol
- phishing
- possibly unwanted applications (PUAs)
- quota
- regular expression
- spyware
- virus
Time Stamp
The time at which the rule action was applied in minutes and seconds. Available only in Detailed Search.
Top Level Domain
Typically the last part of the domain, for example, com, net, org, gov, and co.uk.
URL (Original)
The full URL string.
User (Original)
The logged username (if applicable). It can be in the form of WinNT://<username> or a custom text name.
User Agent (Original)
The complete user agent string, for example, Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1). More information on user agent strings can be found at http://www.useragentstring.com/pages/useragentstring.php.
User Agent Application Name
The user agent application name, for example, Mozilla. See User Agent.
User Agent Application Version
The user agent application version, for example, 4.0. See User Agent.
User Agent Comp Platform
The user agent platform token, for example, Windows NT 5.1. See User Agent.
User Agent Comp Version
The user agent version token, for example, MSIE 7.0. See User Agent.
User Agent Compatibility
The user agent compatibility flag, for example, compatible. See User Agent.
User Domain Name
The domain where the user that made the request belongs.
User Domain Name Part
A lowercase substring of the user domain name.
Via
A list of IP addresses identifying the intermediate proxies processing the user request.
Virus
The name of the virus block, for example, Trojan.Downloader.abg.
Web Reputation Threat
See the Block Value attribute, given Block Type is webrep.
Year
Used for time series plotting.