Transaction Event Fields

Transaction Event Fields

Admins can search, analyze, and correlate data from app events, alerts, incidents, and transaction events. This helps to find trends, create dashboards, and even trigger alerts to improve your business processes and protect your data.

The following sections display information about the transaction event log file fields and possible values for those fields. Each field is grouped in categories, e.g. Application, Authentication, SSL Policy, etc.

TRANSACTION EVENT FORMAT CONFIGURATION

A log format defines how the contents of a log file should be interpreted. Log formats can also define the fields contained within the log file and the data types for those fields. Netskope currently has two log file formats. Both log file formats are available now and in subsequent releases, more formats will be available. 

The log file format is structured meaning the order of fields is fixed and cannot be changed.

Note

The format version used to generate transaction events is defined in the backend. Contact your Sales Representative or Support to update the transaction events format.

FORMAT 1

#Fields: date time time-taken cs-bytes sc-bytes bytes c-ip s-ip cs-username cs-method cs-uri-scheme cs-uri-query cs-user-agent cs-content-type sc-status sc-content-type cs-dns cs-host cs-uri cs-uri-port cs-referer x-cs-session-id x-cs-access-method x-cs-app x-s-country x-s-latitude x-s-longitude x-s-location x-s-region x-s-zipcode x-c-country x-c-latitude x-c-longitude x-c-location x-c-region x-c-zipcode x-c-os x-c-browser x-c-browser-version x-c-device x-cs-site x-cs-timestamp x-cs-page-id x-cs-userip x-cs-traffic-type x-cs-tunnel-id x-category x-other-category x-type x-server-ssl-err x-client-ssl-err x-transaction-id x-request-id x-cs-sni x-cs-domain-fronted-sni x-category-id x-other-category-id x-sr-headers-name x-sr-headers-value

FORMAT 2

Format 2 is the same as Format 1 with the addition of the italicized fields below.

#Fields: date time time-taken cs-bytes sc-bytes bytes c-ip s-ip cs-username cs-method cs-uri-scheme cs-uri-query cs-user-agent cs-content-type sc-status sc-content-type cs-dns cs-host cs-uri cs-uri-port cs-referer x-cs-session-id x-cs-access-method x-cs-app x-s-country x-s-latitude x-s-longitude x-s-location x-s-region x-s-zipcode x-c-country x-c-latitude x-c-longitude x-c-location x-c-region x-c-zipcode x-c-os x-c-browser x-c-browser-version x-c-device x-cs-site x-cs-timestamp x-cs-page-id x-cs-userip x-cs-traffic-type x-cs-tunnel-id x-category x-other-category x-type x-server-ssl-err x-client-ssl-err x-transaction-id x-request-id x-cs-sni x-cs-domain-fronted-sni x-category-id x-other-category-id x-sr-headers-name x-sr-headers-value x-cs-ssl-ja3 x-sr-ssl-ja3s x-ssl-bypass x-ssl-bypass-reason x-r-cert-subject-cn x-r-cert-issuer-cn x-r-cert-startdate x-r-cert-enddate x-r-cert-valid x-r-cert-expired x-r-cert-untrusted-root x-r-cert-incomplete-chain x-r-cert-self-signed x-r-cert-revoked x-r-cert-revocation-check x-r-cert-mismatch x-cs-ssl-fronting-error x-cs-ssl-handshake-error x-sr-ssl-handshake-error x-sr-ssl-client-certificate-error x-sr-ssl-malformed-ssl x-s-custom-signing-ca-error x-cs-ssl-engine-action x-cs-ssl-engine-action-reason x-sr-ssl-engine-action x-sr-ssl-engine-action-reason x-ssl-policy-src-ip x-ssl-policy-dst-ip x-ssl-policy-dst-host x-ssl-policy-dst-host-source x-ssl-policy-categories x-ssl-policy-action x-ssl-policy-name x-cs-ssl-version x-cs-ssl-cipher x-sr-ssl-version x-sr-ssl-cipher x-cs-src-ip-egress

FORMAT 3

Format 3 is the same as Format 2 with the addition of the italicized fields below.

#Fields: date time time-taken cs-bytes sc-bytes bytes c-ip s-ip cs-username cs-method cs-uri-scheme cs-uri-query cs-user-agent cs-content-type sc-status sc-content-type cs-dns cs-host cs-uri cs-uri-port cs-referer x-cs-session-id x-cs-access-method x-cs-app x-s-country x-s-latitude x-s-longitude x-s-location x-s-region x-s-zipcode x-c-country x-c-latitude x-c-longitude x-c-location x-c-region x-c-zipcode x-c-os x-c-browser x-c-browser-version x-c-device x-cs-site x-cs-timestamp x-cs-page-id x-cs-userip x-cs-traffic-type x-cs-tunnel-id x-category x-other-category x-type x-server-ssl-err x-client-ssl-err x-transaction-id x-request-id x-cs-sni x-cs-domain-fronted-sni x-category-id x-other-category-id x-sr-headers-name x-sr-headers-value x-cs-ssl-ja3 x-sr-ssl-ja3s x-ssl-bypass x-ssl-bypass-reason x-r-cert-subject-cn x-r-cert-issuer-cn x-r-cert-startdate x-r-cert-enddate x-r-cert-valid x-r-cert-expired x-r-cert-untrusted-root x-r-cert-incomplete-chain x-r-cert-self-signed x-r-cert-revoked x-r-cert-revocation-check x-r-cert-mismatch x-cs-ssl-fronting-error x-cs-ssl-handshake-error x-sr-ssl-handshake-error x-sr-ssl-client-certificate-error x-sr-ssl-malformed-ssl x-s-custom-signing-ca-error x-cs-ssl-engine-action x-cs-ssl-engine-action-reason x-sr-ssl-engine-action x-sr-ssl-engine-action-reason x-ssl-policy-src-ip x-ssl-policy-dst-ip x-ssl-policy-dst-host x-ssl-policy-dst-host-source x-ssl-policy-categories x-ssl-policy-action x-ssl-policy-name x-cs-ssl-version x-cs-ssl-cipher x-sr-ssl-version x-sr-ssl-cipher x-cs-src-ip-egress x-s-dp-name x-cs-src-ip x-cs-src-port x-cs-dst-ip x-cs-dst-port x-sr-src-ip x-sr-src-port x-sr-dst-ip x-sr-dst-port x-cs-ip-connect-xff x-cs-ip-xff x-cs-connect-host x-cs-connect-port x-cs-connect-user-agent x-cs-url x-cs-uri-path x-cs-http-version rs-status x-cs-app-category x-cs-app-cci x-cs-app-ccl x-cs-app-tags x-cs-app-suite x-cs-app-instance-id x-cs-app-instance-name x-cs-app-instance-tag x-cs-app-activity x-cs-app-from-user x-cs-app-to-user x-cs-app-object-type x-cs-app-object-name x-cs-app-object-id x-rs-file-type x-rs-file-category x-rs-file-language x-rs-file-size x-rs-file-md5 x-rs-file-sha256 x-error x-c-local-time x-policy-action x-policy-name x-policy-src-ip x-policy-dst-ip x-policy-dst-host x-policy-dst-host-source x-policy-justification-type x-policy-justification-reason x-sc-notification-name

Note

The number listed in the Position column represents the order the particular field appears in the Format list. The number is fixed and is in the same order for Format 1, Format 2, and Format 3.

APPLICATION

FIELD NAMEDESCRIPTIONEXAMPLEPOSITION
x-cs-appCloud application name.Dropbox24
x-cs-app-categoryCloud application category from the CCI database.Business Intelligence and Data Analytics116
x-cs-app-cciCloud Confidence Index of the Cloud application from the CCI database.A number ranging from 0 – 100117
x-cs-app-cclCloud Confidence Level of the Cloud application from the CCI database.High Score: 75 to 89118
x-cs-app-tagsCloud application tags from the CCI database.Marketing, HR119
x-cs-app-suiteThe cloud application suite name.Google120
x-cs-app-instance-idThe cloud application instance ID identified by the proxy.mycompany.com121
x-cs-app-instance-nameReserved for future use.N/A122
x-cs-app-instance-tagReserved for future use.N/A123
x-cs-app-activityThe cloud application activity identified by the proxy.Browse124
x-cs-app-from-userThe user identity detected in the cloud application.user@company.com125
x-cs-app-to-userThe recipients of a share/send activity detected in the cloud application.user@partner.com126
x-cs-app-object-typeThe type of the object transferred to/from the cloud application.File127
x-cs-app-object-nameThe name of the object transferred to/from the cloud application.sample-data.pdf128
x-cs-app-object-idThe ID of the object transferred to/from the cloud application.1iNtlIbpIivrmMEHPgtjEDk_T5Fe0a778129

AUTHENTICATION

FIELD NAMEDESCRIPTIONEXAMPLEPOSITION
cs-usernameThe client’s username.Bill@companyname.com9

BYTES

FIELD NAMEDESCRIPTIONEXAMPLEPOSITION
cs-bytesBytes received from the client.10934
sc-bytesBytes received from the server.170845
bytesSum of client bytes plus server bytes.181776

CONNECTION

FIELD NAMEDESCRIPTIONEXAMPLEPOSITION
c-ipClient IP as seen by the Netskope proxy. This will be the machine IP if available, IPv4 address.70.42.129.1267
s-ipThe server IPv4 address.

NOTE: During SSL bypass, the s-ip field displays as Unavailable when it’s neither IPv4 or IPv6.

216.58.193.338
x-cs-access-methodSteering method used to access the Netskope cloud.Client23
x-cs-useripThe client IP address. If the client IP address is not found, the field is left blank.199.188.180.5544
x-cs-tunnel-idVPN tunnel ID998a4499-a5a6-4a55-b243-b67ce89dd87046
x-cs-src-ip-egressThe public IP used to contact the NewEdge data plane on the traffic coming from the Client device.70.42.129.12697
x-s-dp-nameThe dataplane name processing the request.FR-PAR198
x-cs-src-ipThe source IP of the client to proxy session.70.42.129.12699
x-cs-src-portThe source port of the client to proxy session.54447100
x-cs-dst-ipThe destination IP of the client to proxy session.216.58.193.67101
x-cs-dst-portThe destination port of the client to proxy session.443102
x-sr-src-ipThe source IP of the proxy to remote server session. This field is blank if dedicated IPs are used.163.116.163.24103
x-sr-src-portThe source port of the proxy to remote server session. This field is blank if dedicated IPs are used.15556104
x-sr-dst-ipThe destination IP of the proxy to remote server session.216.58.193.67105
x-sr-dst-portThe destination port of the proxy to remote server session.443106

DEVICE

FIELD NAMEDESCRIPTIONEXAMPLEPOSITION
x-c-osOperating system of the client.Windows 1037
x-c-browserClient’s browser.Firefox38
x-c-browser-versionClient’s browser version.5039
x-c-deviceClient’s device type.Windows device40

FILE

FIELD NAMEDESCRIPTIONEXAMPLEPOSITION
x-rs-file-typeThe type of the object transferred to/from the remote server.text/plain130
x-rs-file-categoryThe category of the object transferred to/from the remote server.Word Processor131
x-rs-file-languageReserved for future use.N/A132
x-rs-file-sizeReserved for future use.N/A133
x-rs-file-md5The MD5 Hash of the object transferred to/from the remote server.bcdd51c6a4f3f99c4e658f07e4c57e91134
x-rs-file-sha256Reserved for future use.N/A135

GENERAL

FIELD NAMEDESCRIPTIONEXAMPLEPOSITION
dateDate of generation, YY-MM-DD format.

NOTE: Human readable string for the “x-cs-timestamp” field.

08/07/191
timeTime of generation in HH:MM-SEC format in GMT.

NOTE: Human readable string for the “x-cs-timestamp” field.

01:02-392
x-cs-timestampDate of the request as epoch time.

NOTE: This field is the epoch version of the “date” and “time” fields.

148033036942
x-errorThe error encountered when processing the transaction.dns-resolution136
x-c-local-timeThe local time of the client calculated from geolocation of the device IP.Thu Jan 12 08:41:08 2023137

GEOLOCATION

FIELD NAMEDESCRIPTIONEXAMPLEPOSITION
x-s-countryDestination countryUnited States25
x-s-latitudeDestination latitude37.419200926
x-s-longitudeDestination longitude-122.057403627
x-s-locationDestination location (e.g. city)Menlo Park28
x-s-regionDestination region (e.g. state)California29
x-s-zipcodeDestination zip code9402530
x-c-countryCountry of the client (user)United States31
x-c-latitudeLatitude of the client37.339432
x-c-longitudeLongitude of the client-121.89533
x-c-locationLocation of the clientPalo Alto34
x-c-regionRegion of the clientCalifornia35
x-c-zipcodeZip code of the client8441436

HTTP

FIELD NAMEDESCRIPTIONEXAMPLEPOSITION
cs-methodThe HTTP method (e.g. GET, POST).POST10
cs-uri-schemeThe protocol used.https11
cs-uri-queryThe query string portion of the HTTP request.q=a&b=c12
cs-user-agentThe user-agent header in the HTTP request.Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.013
cs-content-typeThe content-type header in the HTTP request.application/json14
sc-statusThe HTTP status code received from the server.20015
sc-content-typeThe content-type header from the response.text/html16
cs-dnsThe destination domain requested.google.co.in17
cs-hostThe value in the host header from the request.google.co.in18
cs-uriPath information plus query string./home.html?key=12319
cs-uri-portPort specified in the request header.44320
cs-refererThe value of the referrer header.https://www.google.com21
x-cs-session-idA session for the current user which consists of: user, device, OS, app, browser.5053090000000000022
x-cs-siteDestination site.Google Maps41
x-cs-page-idIdentifier associated with the page event object.117073000000000000043
x-cs-traffic-typeType of traffic could be “Web” or “CloudApp”.

NOTE: During SSL bypass, x-cs-traffic-type always displays as Unavailable.

Web45
x-typeThe type of log message, which can be “http_transaction” or “WebSocket”. 

NOTE: When parsing an HTTP Upgrade response, Netskope uses the Upgrade header to determine if the traffic is WebSocket.

http_transaction49
x-transaction-idTransaction ID needed to correlate application events with transaction events.182125529545486498052
x-request-idRequest ID needed to correlate DLP and TSS incidents with transaction events.223406436120169676853
x-sr-headers-nameList of custom headers insertedX-Dropbox-allowed-Team-Ids, x-my-header58
x-sr-headers-valueList of custom header values inserted1234, 12345659
x-cs-ip-connect-xffX-Forwarded-For header value received in the Client to Proxy HTTP CONNECT request. This field is empty if there is no CONNECT or if the field is missing.192.168.1.1107
x-cs-ip-xffX-Forwarded-For header value received in the Client to Proxy GET request. This field is empty if there is no header or if GET is not decrypted.192.168.1.2108
x-cs-connect-hostThe host value received in the Client to Proxy HTTP CONNECT request. This field is empty if there is no CONNECT.www.google.com109
x-cs-connect-portThe port value received in the Client to Proxy HTTP CONNECT request. This field is empty if there is no CONNECT.443110
x-cs-connect-user-agentThe User-Agent header value received in the Client to Proxy HTTP CONNECT request. This field is empty if there is no CONNECT or the field is missing.“Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0)Gecko/20100101 Firefox/50.0”111
x-cs-urlThe full URL of the request received, includes scheme, host, port, path and query.https://play.google.com/log?format=json&hasfast=true&authuser=0112
x-cs-uri-pathPath of the URI from the received HTTP request./example/path113
x-cs-http-versionThe version of the HTTP protocol of the request.HTTP2114
rs-statusThe HTTP status code received from the remote server.200115

PERFORMANCE

FIELD NAMEDESCRIPTIONEXAMPLEPOSITION
time-takenDelta (integer value in ms) when the request processing started and the full response was received.5893

REAL-TIME PROTECTION POLICY

FIELD NAMEDESCRIPTIONEXAMPLEPOSITION
x-categoryPrimary category name applicable for the url in this transaction.“Cloud Storage”47
x-other-categorySecondary categories applicable for the url in this transaction.“News & Media; Entertainment”48
x-category-idPrimary category ID applicable for the url in this transaction, e.g. category ID is 7 for the Cloud Storage category.756
x-other-category-idIDs of secondary categories applicable for the url in this transaction, e.g. category ID is 537 for the News & Media; Entertainment category.53757
x-policy-actionThe action performed by the proxy on the transaction after the Real-time policy engine analysis (e.g. allow, block, bypass, alert, user alert)block138
x-policy-nameThe Real-time policy name that triggered the action.DefaultAction139
x-policy-src-ipThe source IP computed by the Real-time policy engine from the source IP or XFF header.10.50.1.192140
x-policy-dst-ipThe destination IP computed by the Real-time policy engine, from DNS resolution.142.251.46.206141
x-policy-dst-hostThe hostname computed by the Real-time policy engine. The source for the hostname is provided in the x-policy-dst-host-source field.chat.google.com142
x-policy-dst-host-sourceThe source for the hostname value computed by the Real-time policy engine (e.g. OriginalDestDomain, Sni, Uri, HttpHostHeader).HttpHostHeader143
x-policy-justification-typeThe justification type selected by the end user in case of “useralert” action.justification144
x-policy-justification-reasonThe justification provided by the end user in case of “useralert” action.sharing with a trusted partner145
x-sc-notification-nameThe name of the user notification displayed to the end user in case of action “block” or “useralert”.block_page.html146

SSL CERTIFICATE

FIELD NAMEDESCRIPTIONEXAMPLEPOSITION
x-cs-sniThe hostname that the client is attempting to connect to using the SNI extension in the TLS handshake.google.co.in54
x-cs-domain-fronted-sniThe SNI of the SSL connection where Netskope detected domain fronting. In other words, the SNI and Host header were mismatched. SSL inspection must be enabled to see this field.google.co.in55
x-r-cert-subject-cnThe CN attribute of the server certificate received from the destination server.upload.video.google.com64
x-r-cert-issuer-cnThe issuer CN attribute of the server certificate received from destination server.GTS CA 1C365
x-r-cert-startdateThe start date/time of the server certificate received from the destination server.Oct 17 08:18:30 2022 GMT66
x-r-cert-enddateThe end date/time of the server certificate received from the destination server.Jan 9 08:18:29 2023 GMT67
x-r-cert-validOverall result of the evaluation of the validity of the server certificate received from destination server. This field doesn’t reflect the action of the SSL Engine.yes68
x-r-cert-expiredIndicates if the server certificate received from the destination server is expired or not yet valid.no69
x-r-cert-untrusted-rootIndicates if the server certificate received from the destination server is signed by a trusted issuer.no70
x-r-cert-incomplete-chainIndicates if the server certificate received from destination server has an incomplete issuer chain.no71
x-r-cert-self-signedIndicates if the server certificate received from  the destination server is self-signed.no72
x-r-cert-revokedIndicates if the server certificate received from the destination server is revoked.no73
x-r-cert-revocation-checkReserved for future use.n/a74
x-r-cert-mismatchIndicates if the server certificate received from the destination server has a mismatch between the SNI and the CN/SAN.no75

SSL ENGINE

FIELD NAMEDESCRIPTIONEXAMPLEPOSITION
x-server-ssl-errDescription of SSL error between proxy and content servers.Handshake error (error:141A318A:SSL routines: tls_process_ske_dhe:dh key too small) Blocked by SSL_HANDSHAKE_ERROR50
x-client-ssl-errDescription of SSL error between client (browser) and proxy.Handshake error (error:1417A0C1:SSL routines: tls_post_process_client_hello:no shared cipher)51
x-cs-ssl-ja3Fingerprints the way the Client communicates over TLS.2d908070f157946cc4ea9dca39dbe37460
x-sr-ssl-ja3sFingerprints the way the server responds to the TLS.907bf3ecef1c987c889946b737b43de861
x-cs-ssl-fronting-errorIndicates if the server certificate received from the destination server has a mismatch between the SNI and the hostname of the encrypted HTTP request.no76
x-cs-ssl-handshake-errorIndicates if the SSL Engine encountered a problem when establishing the SSL/TLS negotiation.

For more information, refer to the x-server-ssl-err and x-client-ssl-err fields.

no77
x-sr-ssl-handshake-errorIndicates if the SSL Engine encountered a problem to establish SSL/TLS negotiation.

For more information, refer to the x-server-ssl-err and x-client-ssl-err fields for more information.

no78
x-sr-ssl-client-certificate-errorIndicates that the destination server requested a Client certificate during SSL/TLS negotiation.yes79
x-sr-ssl-malformed-sslIndicates that the SSL Engine encountered a malformed SSL packet during SSL/TLS negotiation.yes80
x-s-custom-signing-ca-errorIndicates that the SSL Engine failed to intercept with a Custom signing CA.no81
x-cs-ssl-engine-actionIndicates the result of the SSL Engine behavior after certificate evaluation and SSL/TLS negotiation. Possible values include: allow, block, or bypass.allow82
x-cs-ssl-engine-action-reasonProvides details of the SSL Engine action.SSL Error – Incomplete Certificate Trust Chain83
x-sr-ssl-engine-actionIndicates the result of the SSL Engine behavior after certificate evaluation and SSL/TLS Negotiation. Possible values include: allow, block, or bypass.allow84
x-sr-ssl-engine-action-reasonProvides details of the SSL Engine action.InvalidCert (malformed or invalid certificate)85
x-cs-ssl-versionThe SSL Version negotiated between the Client device and the NewEdge data plane for the HTTPS request.TLSv1.393
x-cs-ssl-cipherThe SSL Cipher negotiated between the Client device and the NewEdge data plane for the HTTPS request.TLS_AES_256_GCM_SHA38494
x-sr-ssl-versionThe SSL Version negotiated between the NewEdge data plane and the Destination Server for the HTTPS request.TLSv1.395
x-sr-ssl-cipherThe SSL Cipher negotiated between the NewEdge data plane and the Destination Server for the HTTPS request.TLS_AES_256_GCM_SHA38496

SSL POLICY

FIELD NAMEDESCRIPTIONEXAMPLEPOSITION
x-ssl-bypassIndicates if the request was SSL bypassed.No62
x-ssl-bypass-reasonInidacates if the request was SSL bypassed, this field provides the reason.SSL Error – SSL Handshake Error63
x-ssl-policy-src-ipThe Source IP computed by the SSL Policy Engine to evaluate the SSL Decryption Policies.10.1.1.186
x-ssl-policy-dst-ipThe Destination IP computed by the SSL Policy Engine to evaluate the SSL Decryption Policies.141.193.213.2087
x-ssl-policy-dst-hostThe Destination Hostname computed by the SSL Policy Engine to evaluate the SSL Decryption Policies.www.netskope.com88
x-ssl-policy-dst-host-sourceDescribes how the Destination Hostname was computed by the SSL Policy Engine. Possible values include from SNI or original hostSni89
x-ssl-policy-categoriesDestination Hostname Categories computed by the SSL Policy Engine to evaluate the SSL Decryption Policies.Content Server, Cloud Storage90
x-ssl-policy-actionAction of the SSL Decryption Policy that matched the request. Possible values include, Decrypt or Do not decrypt.Do not decrypt91
x-ssl-policy-nameName of the SSL Decryption Policy that matched the request.Do not decrypt Financial Services92
Share this Doc

Transaction Event Fields

Or copy link

In this topic ...