Netskope Help

x-cs-app

Cloud application name.

Dropbox

24

x-cs-app-category

Reserved for future use.

N/A

116

x-cs-app-cci

Reserved for future use.

N/A

117

x-cs-app-ccl

Reserved for future use.

N/A

118

x-cs-app-tags

Reserved for future use.

N/A

119

x-cs-app-suite

The cloud application suite name.

Google

120

x-cs-app-instance-id

The cloud application instance ID identified by the proxy.

mycompany.com

121

x-cs-app-instance-name

Reserved for future use.

N/A

122

x-cs-app-instance-tag

Reserved for future use.

N/A

123

x-cs-app-activity

The cloud application activity identified by the proxy.

Browse

124

x-cs-app-from-user

The user identity detected in the cloud application.

user@company.com

125

x-cs-app-to-user

The recipients of a share/send activity detected in the cloud application.

user@partner.com

126

x-cs-app-object-type

The type of the object transferred to/from the cloud application.

File

127

x-cs-app-object-name

The name of the object transferred to/from the cloud application.

sample-data.pdf

128

x-cs-app-object-id

The ID of the object transferred to/from the cloud application.

1iNtlIbpIivrmMEHPgtjEDk_T5Fe0a778

129

cs-username

The client's username.

Bill@companyname.com

9

cs-bytes

Bytes received from the client.

1093

4

sc-bytes

Bytes received from the server.

17084

5

bytes

Sum of client bytes plus server bytes.

18177

6

c-ip

Client IP as seen by the Netskope proxy. This will be the machine IP if available, IPv4 address.

70.42.129.126

7

s-ip

The server IPv4 address.

NOTE: During SSL bypass, the s-ip field displays as Unavailable when it’s neither IPv4 or IPv6.

216.58.193.33

8

x-access-method

Steering method used to access the Netskope cloud.

Client

23

x-cs-userip

The client IP address. If the client IP address is not found, the field is left blank.

199.188.180.55

44

x-cs-tunnel-id

VPN tunnel ID

998a4499-a5a6-4a55-b243-b67ce89dd870

46

x-cs-tunnel-src-ip

The public IP used to contact the NewEdge data plane on the traffic coming from the Client device.

70.42.129.126

98

x-s-dp-name

The dataplane name processing the request.

FR-PAR1

99

x-cs-src-ip

The source IP of the client to proxy session.

70.42.129.126

100

x-cs-src-port

The source port of the client to proxy session.

54447

101

x-cs-dst-ip

The destination IP of the client to proxy session.

216.58.193.67

102

x-cs-dst-port

The destination port of the client to proxy session.

443

103

x-sr-src-ip

The source IP of the proxy to remote server session. This field is blank if dedicated IPs are used.

163.116.163.24

104

x-sr-src-port

The source port of the proxy to remote server session. This field is blank if dedicated IPs are used.

15556

105

x-sr-dst-ip

The destination IP of the proxy to remote server session.

216.58.193.67

106

x-sr-dst-port

The destination port of the proxy to remote server session.

443

107

x-c-os

Operating system of the client.

Windows 10

37

x-c-browser

Client's browser.

Firefox

38

x-c-browser-version

Client's browser version.

50

39

x-c-device

Client's device type.

Windows device

40

x-rs-file-type

The type of the object transferred to/from the remote server.

text/plain

130

x-rs-file-category

The category of the object transferred to/from the remote server.

Word Processor

131

x-rs-file-language

Reserved for future use.

N/A

132

x-rs-file-size

Reserved for future use.

N/A

133

x-rs-file-md5

The MD5 Hash of the object transferred to/from the remote server.

bcdd51c6a4f3f99c4e658f07e4c57e91

134

x-rs-file-sha256

Reserved for future use.

N/A

135

date

Date of generation, YY-MM-DD format.

NOTE: Human readable string for the "x-cs-timestamp" field.

08/07/19

1

time

Time of generation in HH:MM-SEC format in GMT.

NOTE: Human readable string for the "x-cs-timestamp" field.

01:02-39

2

x-cs-timestamp

Date of the request as epoch time.

NOTE: This field is the epoch version of the "date" and "time" fields.

1480330369

42

x-error

The error encountered when processing the transaction.

dns-resolution

136

x-c-local-time

The local time of the client calculated from geolocation of the device IP.

Thu Jan 12 08:41:08 2023

137

x-s-country

Destination country

United States

25

x-s-latitude

Destination latitude

37.4192009

26

x-s-longitude

Destination longitude

-122.0574036

27

x-s-location

Destination location (e.g. city)

Menlo Park

28

x-s-region

Destination region (e.g. state)

California

29

x-s-zipcode

Destination zip code

94025

30

x-c-country

Country of the client (user)

United States

31

x-c-latitude

Latitude of the client

37.3394

32

x-c-longitude

Longitude of the client

-121.895

33

x-c-location

Location of the client

Palo Alto

34

x-c-region

Region of the client

California

35

x-c-zipcode

Zip code of the client

84414

36

cs-method

The HTTP method (e.g. GET, POST).

POST

10

cs-uri-scheme

The protocol used.

https

11

cs-uri-query

The query string portion of the HTTP request.

q=a&b=c

12

cs-user-agent

The user-agent header in the HTTP request.

Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

13

cs-content-type

The content-type header in the HTTP request.

application/json

14

sc-status

The HTTP status code received from the server.

200

15

sc-content-type

The content-type header from the response.

text/html

16

cs-dns

The destination domain requested.

google.co.in

17

cs-host

The value in the host header from the request.

google.co.in

18

cs-uri

Path information plus query string.

/home.html?key=123

19

cs-uri-port

Port specified in the request header.

443

20

cs-referer

The value of the referrer header.

https://www.google.com

21

x-cs-session-id

A session for the current user which consists of: user, device, OS, app, browser.

50530900000000000

22

x-cs-site

Destination site.

Google Maps

41

x-cs-page-id

Identifier associated with the page event object.

1170730000000000000

43

x-cs-traffic-type

Type of traffic could be "Web" or "CloudApp".

NOTE: During SSL bypass, x-cs-traffic-type always displays as Unavailable.

Web

45

x-type

The type of log message, which can be "http_transaction" or "WebSocket". 

NOTE: When parsing an HTTP Upgrade response, Netskope uses the Upgrade header to determine if the traffic is WebSocket.

http_transaction

49

x-transaction-id

Transaction ID needed to correlate application events with transaction events.

1821255295454864980

52

x-request-id

Request ID needed to correlate DLP and TSS incidents with transaction events.

2234064361201696768

53

x-sr-headers-name

List of custom headers inserted

X-Dropbox-allowed-Team-Ids, x-my-header

58

x-sr-headers-value

List of custom header values inserted

1234, 123456

59

x-cs-ip-connect-xff

X-Forwarded-For header value received in the Client to Proxy HTTP CONNECT request. This field is empty if there is no CONNECT or if the field is missing.

192.168.1.1

108

x-cs-ip-xff

X-Forwarded-For header value received in the Client to Proxy GET request. This field is empty if there is no header or if GET is not decrypted.

192.168.1.2

109

x-cs-connect-host

The host value received in the Client to Proxy HTTP CONNECT request. This field is empty if there is no CONNECT.

www.google.com

110

x-cs-connect-port

The port value received in the Client to Proxy HTTP CONNECT request. This field is empty if there is no CONNECT.

443

111

x-cs-connect-user-agent

The User-Agent header value received in the Client to Proxy HTTP CONNECT request. This field is empty if there is no CONNECT or the field is missing.

"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"

112

x-cs-url

The full URL of the request received, includes scheme, host, port, path and query.

https://play.google.com/log?format=json&hasfast=true&authuser=0

113

x-cs-http-version

The version of the HTTP protocol of the request.

HTTP2

114

rs-status

The HTTP status code received from the remote server.

200

115

time-taken

Delta (integer value in ms) when the request processing started and the full response was received.

589

3

x-category

Primary category name applicable for the url in this transaction.

"Cloud Storage"

47

x-other-category

Secondary categories applicable for the url in this transaction.

"News & Media; Entertainment"

48

x-category-id

Primary category ID applicable for the url in this transaction, e.g. category ID is 7 for the Cloud Storage category.

7

56

x-other-category-id

IDs of secondary categories applicable for the url in this transaction, e.g. category ID is 537 for the News & Media; Entertainment category.

537

57

x-policy-action

The action performed by the proxy on the transaction after the Real-time policy engine analysis (e.g. allow, block, bypass, alert, user alert)

block

138

x-policy-name

The Real-time policy name that triggered the action.

DefaultAction

139

x-policy-src-ip

The source IP computed by the Real-time policy engine from the source IP or XFF header.

10.50.1.192

140

x-policy-dst-ip

The destination IP computed by the Real-time policy engine, from DNS resolution.

142.251.46.206

141

x-policy-dst-host

The hostname computed by the Real-time policy engine. The source for the hostname is provided in the x-policy-dst-host-source field.

chat.google.com

142

x-policy-dst-host-source

The source for the hostname value computed by the Real-time policy engine (e.g. OriginalDestDomain, Sni, Uri, HttpHostHeader).

HttpHostHeader

143

x-policy-justification-type

The justification type selected by the end user in case of "useralert" action.

justification

144

x-policy-justification-reason

The justification provided by the end user in case of "useralert" action.

sharing with a trusted partner

145

x-sc-notification-name

The name of the user notification displayed to the end user in case of action "block" or "useralert".

block_page.html

146

x-cs-sni

The hostname that the client is attempting to connect to using the SNI extension in the TLS handshake.

google.co.in

54

x-cs-domain-fronted-sni

The SNI of the SSL connection where Netskope detected domain fronting. In other words, the SNI and Host header were mismatched. SSL inspection must be enabled to see this field.

google.co.in

55

x-r-cert-subject-cn

The CN attribute of the server certificate received from the destination server.

upload.video.google.com

64

x-r-cert-san

The SAN attribute of the server certificate received from the. destination server.

"DNS:upload.video.google.com, DNS:.clients.google.com, DNS:.docs.google.com, DNS:.drive.google.com, DNS:.gdata.youtube.com, DNS:.googleapis.com, DNS:.photos.google.com, DNS:.youtube-3rd-party.com, DNS:upload.google.com, DNS:.upload.google.com, DNS:upload.youtube.com, DNS:*.upload.youtube.com, DNS:uploads.stage.gdata.youtube.com, DNS:bg-call-donation.goog, DNS:bg-call-donation-alpha.goog, DNS:bg-call-donation-canary.goog, DNS:bg-call-donation-dev.goog"

65

x-r-cert-issuer-cn

The issuer CN attribute of the server certificate received from destination server.

GTS CA 1C3

66

x-r-cert-startdate

The start date/time of the server certificate received from the destination server.

Oct 17 08:18:30 2022 GMT

67

x-r-cert-enddate

The end date/time of the server certificate received from the destination server.

Jan 9 08:18:29 2023 GMT

68

x-r-cert-valid

Overall result of the evaluation of the validity of the server certificate received from destination server. This field doesn't reflect the action of the SSL Engine.

yes

69

x-r-cert-expired

Indicates if the server certificate received from the destination server is expired or not yet valid.

no

70

x-r-cert-untrusted-root

Indicates if the server certificate received from the destination server is signed by a trusted issuer.

no

71

x-r-cert-incomplete-chain

Indicates if the server certificate received from destination server has an incomplete issuer chain.

no

72

x-r-cert-self-signed

Indicates if the server certificate received from  the destination server is self-signed.

no

73

x-r-cert-revoked

Indicates if the server certificate received from the destination server is revoked.

no

74

x-r-cert-revocation-check

Reserved for future use.

n/a

75

x-r-cert-mismatch

Indicates if the server certificate received from the destination server has a mismatch between the SNI and the CN/SAN.

no

76

x-server-ssl-err

Description of SSL error between proxy and content servers.

Handshake error (error:141A318A:SSL routines: tls_process_ske_dhe:dh key too small) Blocked by SSL_HANDSHAKE_ERROR

50

x-client-ssl-err

Description of SSL error between client (browser) and proxy.

Handshake error (error:1417A0C1:SSL routines: tls_post_process_client_hello:no shared cipher)

51

x-cs-ssl-ja3

Fingerprints the way the Client communicates over TLS.

2d908070f157946cc4ea9dca39dbe374

60

x-sr-ssl-ja3s

Fingerprints the way the server responds to the TLS.

907bf3ecef1c987c889946b737b43de8

61

x-cs-ssl-fronting-error

Indicates if the server certificate received from the destination server has a mismatch between the SNI and the hostname of the encrypted HTTP request.

no

77

x-cs-ssl-handshake-error

Indicates if the SSL Engine encountered a problem when establishing the SSL/TLS negotiation.

For more information, refer to the x-server-ssl-err and x-client-ssl-err fields.

no

78

x-sr-ssl-handshake-error

Indicates if the SSL Engine encountered a problem to establish SSL/TLS negotiation.

For more information, refer to the x-server-ssl-err and x-client-ssl-err fields for more information.

no

79

x-sr-ssl-client-certificate-error

Indicates that the destination server requested a Client certificate during SSL/TLS negotiation.

yes

80

x-sr-ssl-malformed-ssl

Indicates that the SSL Engine encountered a malformed SSL packet during SSL/TLS negotiation.

yes

81

x-s-custom-signing-ca-error

Indicates that the SSL Engine failed to intercept with a Custom signing CA.

no

82

x-cs-ssl-engine-action

Indicates the result of the SSL Engine behavior after certificate evaluation and SSL/TLS negotiation. Possible values include: allow, block, or bypass.

allow

83

x-cs-ssl-engine-action-reason

Provides details of the SSL Engine action.

SSL Error - Incomplete Certificate Trust Chain

84

x-sr-ssl-engine-action

Indicates the result of the SSL Engine behavior after certificate evaluation and SSL/TLS Negotiation. Possible values include: allow, block, or bypass.

allow

85

x-sr-ssl-engine-action-reason

Provides details of the SSL Engine action.

InvalidCert (malformed or invalid certificate)

86

x-cs-ssl-version

The SSL Version negotiated between the Client device and the NewEdge data plane for the HTTPS request.

TLSv1.3

94

x-cs-ssl-cipher

The SSL Cipher negotiated between the Client device and the NewEdge data plane for the HTTPS request.

TLS_AES_256_GCM_SHA384

95

x-sr-ssl-version

The SSL Version negotiated between the NewEdge data plane and the Destination Server for the HTTPS request.

TLSv1.3

96

x-sr-ssl-cipher

The SSL Cipher negotiated between the NewEdge data plane and the Destination Server for the HTTPS request.

TLS_AES_256_GCM_SHA384

97

x-ssl-bypass

Indicates if the request was SSL bypassed.

No

62

x-ssl-bypass-reason

Inidacates if the request was SSL bypassed, this field provides the reason.

SSL Error - SSL Handshake Error

63

x-ssl-policy-src-ip

The Source IP computed by the SSL Policy Engine to evaluate the SSL Decryption Policies.

10.1.1.1

87

x-ssl-policy-dst-ip

The Destination IP computed by the SSL Policy Engine to evaluate the SSL Decryption Policies.

141.193.213.20

88

x-ssl-policy-dst-host

The Destination Hostname computed by the SSL Policy Engine to evaluate the SSL Decryption Policies.

www.netskope.com

89

x-ssl-policy-dst-host-source

Describes how the Destination Hostname was computed by the SSL Policy Engine. Possible values include from SNI or original host

Sni

90

x-ssl-policy-categories

Destination Hostname Categories computed by the SSL Policy Engine to evaluate the SSL Decryption Policies.

Content Server, Cloud Storage

91

x-ssl-policy-action

Action of the SSL Decryption Policy that matched the request. Possible values include, Decrypt or Do not decrypt.

Do not decrypt

92

x-ssl-policy-name

Name of the SSL Decryption Policy that matched the request.

Do not decrypt Financial Services

93