Transaction Event Fields
The following tables list the transaction event type, field, description, and example.
Date / Time Transaction Events
Field | Description | Example |
---|---|---|
date | Date of generation, YY-MM-DD format. | 08/07/19 |
time | Time of generation in HH:MM-SEC format in GMT. | 01:02-39 |
time-taken | Delta (integer value in ms) between when request processing started and when the full response was received. | 589 |
Client Connector Device Information Transaction Events
Field | Description | Example |
---|---|---|
x-c-os | Operating system of the client. | Windows 10 |
x-c-browser | Client's browser. | Firefox |
x-c-browser-version | Client's browser version. | 50 |
x-c-device | Client's device type. | Windows device |
x-cs-site | Destination site. | Google Maps |
x-cs-timestamp | Date of the request as epoch time. | 1480330369 |
x-cs-page-id | Identifier associated with the page event object. | 1170730000000000000 |
x-cs-userip | The client IP address. | 199.188.180.55 |
Client Transaction Events
Field | Description | Example |
---|---|---|
cs-bytes | Bytes received from the client. | 1093 |
bytes | Sum of client bytes plus server bytes. | 18177 |
Cloud Application Transaction Events
Field | Description | Example |
---|---|---|
x-cs-app | Cloud application name. | Dropbox |
x-category | Primary category name applicable to the URL in this transaction. | "Cloud Storage" |
x-other-category | Secondary categories applicable to the URL in this transaction. | "News & Media; Entertainment" |
x-cs-traffic-type | Type of traffic, either "Web" or "CloudApp". | Web |
Geolocation Transaction Events
Field | Description | Example |
---|---|---|
x-s-country | Destination country | United States |
x-s-latitude | Destination latitude | 37.4192009 |
x-s-longitude | Destination longitude | -122.0574036 |
x-s-location | Destination location (e.g. city) | Mountain View |
x-s-region | Destination region (e.g. state) | California |
x-s-zipcode | Destination zip code | 94043 |
x-c-country | Country of the client (user) | United States |
x-c-latitude | Latitude of the client | 37.3394 |
x-c-longitude | Longitude of the client | -121.895 |
x-c-location | Location of the client | Menlo Park |
x-c-region | Region of the client | California |
x-c-zipcode | Zip code of the client | 94025 |
HTTP Transaction Events
Field | Description | Example |
---|---|---|
cs-method | The HTTP method (e.g. GET, POST). | POST |
cs-uri-scheme | The protocol used. | https |
cs-uri-query | The query string portion of the HTTP request. | q=a&b=c |
cs-user-agent | The user-agent header in the HTTP request. | Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 |
cs-content-type | The content-type header in the HTTP request. | application/json |
sc-status | The HTTP status code received from the server. | 200 |
sc-content-type | The content-type header from the response. | text/html |
cs-dns | The destination domain requested. | google.co.in |
cs-host | The value in the host header from the request. | google.co.in |
cs-uri | Path information plus query string. | /home.html?key=123 |
cs-uri-port | Port specified in the request header. | 443 |
cs-referer | The value of the referrer header. | https://www.google.com |
x-cs-session-id | A session for the current user which consists of: user, device, OS, app, browser. | 50530900000000000 |
x-request-id | Request ID needed to correlate DLP and TSS incidents with transaction events. | 2234064361201696768 |
x-transaction-id | Transaction ID needed to correlate application events with transaction events. | 1821255295454864980 |
x-cs-domain-fronted-sni | The SNI of the SSL connection where Netskope detected domain fronting. In other words, the SNI and Host header were mismatched. SSL inspection must be enabled to see this field. | google.co.in |
x-cs-sni | The hostname that the client is attempting to connect to using the SNI extension in the TLS handshake. | google.co.in |
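
The SNI/Host comparison behind `x-cs-domain-fronted-sni`, as an added example that is not Netskope code: it assumes events arrive as space-delimited lines under a `#Fields:` header with `-` for empty values, and every sample line is constructed. It reports events the proxy already flagged and, as a cross-check, events where `x-cs-sni` and `cs-host` differ after normalization, keyed by `x-request-id` so they can be correlated with DLP and TSS incidents.

```python
import csv

# Constructed sample, not real Netskope output. Assumed layout: space-delimited
# values under a "#Fields:" header, "-" for empty, double quotes around spaces.
SAMPLE_LOG = """\
#Fields: date time cs-username cs-host x-cs-sni x-cs-domain-fronted-sni x-request-id x-category
08/07/19 01:02-39 bill@example.com google.co.in google.co.in - 9000000000000000001 "Search Engines"
08/07/19 01:02-41 bill@example.com hidden.example.net cdn.example.com cdn.example.com 9000000000000000002 "Cloud Storage"
08/07/19 01:02-44 amy@example.com Files.Example.org files.example.org. - 9000000000000000003 -
08/07/19 01:02-47 amy@example.com app.example.org:443 app.example.org - 9000000000000000004 -
08/07/19 01:02-50 amy@example.com api.example.org - - 9000000000000000005 -
08/07/19 01:02-53 amy@example.com internal.example.net cdn.example.com - 9000000000000000006 -
"""

def parse_events(text):
    """Yield one dict per event, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.strip() and not line.startswith("#"):
            values = next(csv.reader([line], delimiter=" "))  # keeps quoted values whole
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}

def normalize_host(value):
    """Lower-case, drop a trailing dot and a :port so equal hosts compare equal."""
    if not value:
        return None
    host = value.strip().lower().rstrip(".")
    if host.count(":") == 1:  # host:port, not a bare IPv6 literal
        host = host.split(":", 1)[0]
    return host

def fronting_candidates(events):
    """Return (x-request-id, reason) for events whose SNI and Host disagree."""
    hits = []
    for ev in events:
        if ev.get("x-cs-domain-fronted-sni"):  # the proxy already detected the mismatch
            hits.append((ev["x-request-id"], "proxy-flagged"))
            continue
        sni = normalize_host(ev.get("x-cs-sni"))
        host = normalize_host(ev.get("cs-host"))
        if sni and host and sni != host:  # events without an SNI are not compared
            hits.append((ev["x-request-id"], "sni-host-mismatch"))
    return hits

if __name__ == "__main__":
    print(fronting_candidates(parse_events(SAMPLE_LOG)))
```
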
Network Transaction Events
Field | Description | Example |
---|---|---|
c-ip | Client IPv4 address as seen by the Netskope proxy. This is the machine IP if available. | 70.42.129.126 |
s-ip | The server IPv4 address. | 216.58.193.67 |
x-cs-tunnel-id | VPN tunnel ID | 998a4499-a5a6-4a55-b243-b67ce89dd870 |
Server Transaction Events
Field | Description | Example |
---|---|---|
sc-bytes | Bytes received from the server. | 17084 |
x-type | The type of log message, which can be "http_transaction" or "WebSocket". | http_transaction |
x-server-ssl-err | Description of SSL error between proxy and content servers. | Handshake error (error:141A318A:SSL routines: tls_process_ske_dhe:dh key too small) Blocked by SSL_HANDSHAKE_ERROR |
x-client-ssl-err | Description of SSL error between client (browser) and proxy. | Handshake error (error:1417A0C1:SSL routines: tls_post_process_client_hello:no shared cipher) |
Note
When parsing an HTTP Upgrade response, Netskope uses the Upgrade header to determine if the traffic is WebSocket.
Steering Transaction Event
Field | Description | Example |
---|---|---|
x-access-method | Steering method used to access the Netskope cloud. | Client |
User Information Transaction Event
Field | Description | Example |
---|---|---|
cs-username | The client's username. | Bill@companyname.com |