Adware

The name of the adware block.

AMP Threat Name

The name of the malware detected and blocked by AMP.

Application Activity

The activity or web application.

Application Name

The name of the web application.

Application Name With Unclassified

The name of the web application or an unclassified result.

Block Type

The pattern, specified in the filter, that generated the block. It can be one of the following:

• adware

• amp_malware

• category (HTTP)
• category (HTTPS)
• content type
• domain/URL
• file type
• phishing
• possibly unwanted applications (PUAs)
• spyware
• virus

• webrep

Note	If more than one pattern is matched, the value of Block Pattern will be “multiple patterns.”

Block Value

The string that matched the block pattern. It can be one of the following:

• adware name

• AMP threat name

• category name
• full URL
• MIME type
• name of the content type
• name of the file type
• phishing name
• possibly unwanted application (PUA) name
• spyware name
• virus name

• webrep name

Note	Where the block was generated by an exception or by more than one pattern, the value of Block String will be “multiple strings.”

Category

The web filtering category.

When changes are made to the categories, existing customer data is not migrated. When creating reports, you must include the old and new category names with the “Category in list” filter to ensure that all the results are returned. Composite reports do not need to be updated because they will inherit the settings of the included reports.

Pre-defined reports are updated for you. For example, the “User Analysis” report “Where were the Top 10 Users browsing in the Categories Shopping, Music, Cinema/TV and Sport” originally included the filter “Category in list music, cinema/tv, online shopping, sports.” It now includes the filter “Category in list music, cinema/tv, online shopping, sports, entertainment, shopping, sports and recreation.”

Cipher Suite

Authentication and encryption types, e.g. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256.

Company Name

Name of the company associated with the data traffic.

Company/Group

Group for the company users, e.g. Active Directory.

Company/User

User associated with a given data traffic.

Connector ID

ID of the Connector software being used to monitor users, e.g. AnyConnect.

Connector Mode

The mode reported by Connector.

Connector OS Name (Original)

The name of the operating system reported by Connector.

Connector OS Version (Original)

The version of the operating system reported by Connector.

Connector ReUse ID

Flag specifying the reuse of the user authentication headers associated with a given connector in TCP connections.

Connector Version

Logs the version of Connector used to embed the directory information. Can be used to easily find out which versions of Connector are deployed in your environment.

Content SHA256

A SHA256 hash of the content sent to or uploaded by the user.

Country Dst Code

The two-letter ISO code of the country where the web server is located, derived from its IP address.

Country Src Code

The two-letter ISO code of the country where the client web browser is located, derived from its IP address.

Day of Month

Used for time series plotting (1 to 31).

Day of Week

Used for time series plotting (monday to sunday).

Destination IP

The IP address of the remote web server.

Domain Username (Original)

The username under which the user is logged in to the domain.

External IP

The IP address that Cisco Cloud Web Security gets from the customer (also known as the egress IP address), for example 192.0.2.0. Alternatively, the subnet of the IP address that Cisco Cloud Web Security gets from the customer (also known as the egress IP address subnet), for example 192.0.2.0/24.

forwarded for

IP address used to locate the origin of a request. For example, if given there is no DC in Africa, users connect to Brazil and are forwarded. This attribute identifies that the user requests actually originated in Africa.

Group (Original)

The name of the directory group logged, for example WinNT://US\SALES.

Note	Multiple directory groups can be logged for each user.

Group Domain

The name of the domain logged for the user.

Group Name Part (Original)

The name of directory group (not including either LDAP://<domain> or WinNT://<domain>), for example for WinNT://US\SALES, the group name part is SALES.

Host (Original)

The host part of the URL string, for example, for news.example.com/sport, the host is news.example.com.

Note	Hosts are case insensitive.

Hour

Used for time series plotting.

Inbound File Extension

The file extension part of any inbound URL using the HTTP(S) protocol, for example, for index.html the file extension is html.

Inbound File Name

The filename part of any inbound URL using the HTTP(S) protocol, for example, index.html.

Internal IP

The IP address the Connector sees from the internal user, for example 192.168.2.10. Alternatively, the IP address subnet that the Connector sees from the internal user, for example 192.0.2.0/24.

Note	If an internal user is routed through a NAT device before reaching the internal proxy, the IP address, or subnet, that arrives at the Connector is logged.

Malware

The name of the malware block.

Minute

Used for time series plotting (00 to 59).

Month

Used for time series plotting (january to december).

Outbound File Extension

The file extension part of any outbound POST using the HTTP(S) protocol, for example for resume.doc the file extension is doc.

Outbound File Name

The filename part of any outbound POST using the HTTP(S) protocol, for example resume.doc.

Path

The path part of the URL string, for example, for news.example.com/sport, the path is /sport.

Pattern Name

See the Block Value attribute.

Pattern Type

See the Block Type attribute.

Phishing

The name of the phishing block.

Policy Violation

The block value where a web filtering rule resulted in a block.

Port

Port number of web request, for example, 80 or 443.

Protocol

• FTP
• HTTP
• HTTPS

PUA

Possibly Unwanted Application name.

Query

The query part of the URL string, for example, for http://www.example.com/search?hl=en&q=free+screensavers&btnG=Example+Search&meta=&aq=f&oq=, the query is hl=en&q=free+screensavers&btnG=Example+Search&meta=&aq=f&oq=.

Note	Using this attribute will increase the time that reports take to generate by a considerable amount.

Referrer Host (Original)

The host part of the referrer URL string, for example, for news.example.com/sport, the host is news.example.com.

Referrer Path

The path part of the referrer URL string, for example, for news.example.com/sport, the path is /sport.

Referrer Port

Port number of referrer, for example 80 or 443.

Referrer Protocol

• FTP
• HTTP
• HTTPS

Referrer Query

The query part of the referrer URL string, for example, for http://www.example.com/search?hl=en&q=free+screensavers&btnG=Example+Search&meta=&aq=f&oq=, the query is hl=en&q=free+screensavers&btnG=Example+Search&meta=&aq=f&oq=.

Referrer Second Level Domain

Normally the referrer organization, for example, in www.example.com, the second level domain is example.

Referrer Top Level Domain

Normally the last part of the referrer domain, for example, com, net, org, gov, and co.uk.

Referrer URL (Original)

The full referrer URL string.

Request Content MD5

The MD5 checksum of the user request.

Request Content Type (Original)

The request MIME type, for example, image/gif, application/pdf, text/html, application/EDI-X12.

Request Major Content Type

The type of request content, for example, if the response content type is application/pdf, then the corresponding major content type is application. Examples include:

• application
• audio
• image
• text
• video

Request Method (Original)

• CONNECT
• GET
• POST

Request Version (Original)

The request version, for example, HTTP/1.0 or HTTP/1.1.

Response Content Type (Original)

The response MIME type, for example, image/gif, application/pdf, text/html, application/EDI-X12.

Response Major Content Type

The type of response content, for example, if the response content type is application/pdf, the corresponding major content type is application. Examples include:

• application
• audio
• image
• text
• video

Response Status Code

Enables you to filter by the response status code, for example, to find all web requests to pages that did not exist, you can filter by 404. More information on status codes can be found at http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html.

Response Version (Original)

The response version, for example, HTTP/1.0 or HTTP/1.1.

Risk Class

The superclass under which the risk is grouped:

• possible business usage
• possible productivity reduction
• heavy bandwidth usage
• potential legal liability
• potential security risk

Rule Action

There are five rule actions you can choose from:

• allow
• authenticate
• block
• warn
• inspect

Note	If a website does not respond to a request, no Rule Action is assigned, but the request is still stored.

Rule Engine

The rule engine that generated the rule action:

• policy evaluator
• scanlet

Rule Name (Original)

The Cisco ScanCenter policy rule name.

Rule Stage

The part where the rule was applied, e.g. response_headers, response_body_start, reqmod.'

Second Level Domain

Typically the organization, for example, in www.example.com, the second level domain is example.

SHA256 Source

Indicates whether the Content SHA256 is a hash of the HTTP request post data or response data: request, response, or N/A.

Spyware

The name of the spyware block.

Threat Type

Each record can include multiple threat types from the following:

• adware
• category
• content type
• extension
• file match
• filter protocol
• phishing
• possibly unwanted applications (PUAs)
• quota
• regular expression
• spyware
• virus

Time Stamp

The time at which the rule action was applied in minutes and seconds. Available only in Detailed Search.

Top Level Domain

Typically the last part of the domain, for example, com, net, org, gov, and co.uk.

URL (Original)

The full URL string.

User (Original)

The logged username (if applicable). It can be in the form of WinNT://<username> or a custom text name.

User Agent (Original)

The complete user agent string, for example, Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1). More information on user agent strings can be found at http://www.useragentstring.com/pages/useragentstring.php.

User Agent Application Name

The user agent application name, for example, Mozilla. See User Agent.

User Agent Application Version

The user agent application version, for example, 4.0. See User Agent.

User Agent Comp Platform

The user agent platform token, for example, Windows NT 5.1. See User Agent.

User Agent Comp Version

The user agent version token, for example, MSIE 7.0. See User Agent.

User Agent Compatibility

The user agent compatibility flag, for example, compatible. See User Agent.

User Domain Name

The domain where the user that made the request belongs.

User Domain Name Part

A lowercase substring of the user domain name.

Via

A list of IP addresses identifying the intermediate proxies processing the user request.

Virus

The name of the Virus block, for example, Trojan.Downloader.abg.

Web Reputation Threat

See the Block Value attribute, given Block Type is webrep.

Year

Used for time series plotting.