Skip to main content

Netskope Help

Transaction Event Fields

The following tables list the transaction event type, field, description, and example.

Date / Time Transaction Events

Field

Description

Example

date

Date of generation, YY-MM-DD format. NOTE: Human readable string for the "x-cs-timestamp" field in the Client Connector Device Information Transaction Events table below.

08/07/19

time

Time of generation in HH:MM-SEC format in GMT. NOTE: Human readable string for the "x-cs-timestamp" field in the Client Connector Device Information Transaction Events table below.

01:02-39

time-taken

Delta (integer value in ms) when the request processing started and the full response was received.

589

Client Connector Device Information Transaction Events

Field

Description

Example

x-c-os

Operating system of the client.

Windows 10

x-c-browser

Client's browser.

Firefox

x-c-browser-version

Client's browser version.

50

x-c-device

Client's device type.

Windows device

x-cs-site

Destination site.

Google Maps

x-cs-timestamp

Date of the request as epoch time. NOTE: This field is the epoch version of the "date" and "time" fields in the Date / Time Transaction Events table above.

1480330369

x-cs-page-id

Identifier associated with the page event object.

1170730000000000000

x-cs-userip

The client IP address. If the client IP address is not found, the field is left blank.

199.188.180.55

Client Transaction Events

Field

Description

Example

cs-bytes

Bytes received from the client.

1093

bytes

Sum of client bytes plus server bytes.

18177

Cloud Application Transaction Events

Field

Description

Example

x-cs-app

Cloud application name.

Dropbox

x-category

Primary category name applicable for the url in this transaction.

"Cloud Storage"

x-other-category

Secondary categories applicable for the url in this transaction.

"News & Media; Entertainment"

x-cs-traffic-type

Type of traffic could be "Web" or "CloudApp".

NOTE: During SSL bypass, x-cs-traffic-type always displays as Unavailable.

Web

Geolocation Transaction Events

Field

Description

Example

x-s-country

Destination country

United States

x-s-latitude

Destination latitude

37.4192009

x-s-longitude

Destination longitude

-122.0574036

x-s-location

Destination location (e.g. city)

Mountain View

x-s-region

Destination region (e.g. state)

California

x-s-zipcode

Destination zip code

94043

x-c-country

Country of the client (user)

United States

x-c-latitude

Latitude of the client

37.3394

x-c-longitude

Longitude of the client

-121.895

x-c-location

Location of the client

Menlo Park

x-c-region

Region of the client

California

x-c-zipcode

Zip code of the client

94025

HTTP Transaction Events

Field

Description

Example

cs-method

The HTTP method (e.g. GET, POST).

POST

cs-uri-scheme

The protocol used.

https

cs-uri-query

The query string portion of the HTTP request.

q=a&b=c

cs-user-agent

The user-agent header in the HTTP request.

Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

cs-content-type

The content-type header in the HTTP request.

application/json

sc-status

The HTTP status code received from the server.

200

sc-content-type

The content-type header from the response.

text/html

cs-dns

The destination domain requested.

google.co.in

cs-host

The value in the host header from the request.

google.co.in

cs-uri

Path information plus query string.

/home.html?key=123

cs-uri-port

Port specified in the request header.

443

cs-referer

The value of the referrer header.

https://www.google.com

x-cs-session-id

A session for the current user which consists of: user, device, OS, app, browser.

50530900000000000

x-request-id

Request ID needed to correlate DLP and TSS incidents with transaction events.

2234064361201696768

x-transaction-id

Transaction ID needed to correlate application events with transaction events.

1821255295454864980

x-cs-domain-fronted-sni

The SNI of the SSL connection where Netskope detected domain fronting. In other words, the SNI and Host header were mismatched. SSL inspection must be enabled to see this field.

google.co.in

x-cs-sni

The hostname that the client is attempting to connect to using the SNI extension in the TLS handshake.

google.co.in

x-category-id

Primary category ID applicable for the url in this transaction, e.g. category ID is 7 for the Cloud Storage category.

7

x-other-category-id

IDs of secondary categories applicable for the url in this transaction, e.g. category ID is 537 for the News & Media; Entertainment category.

537

Network Transaction Events

Field

Description

Example

c-ip

Client IP as seen by the Netskope proxy. This will be the machine IP if available, IPv4 address.

70.42.129.126

s-ip

The server IPv4 address.

NOTE: During SSL bypass, the s-ip field displays as Unavailable when it’s neither IPv4 or IPv6.

216.58.193.67

x-cs-tunnel-id

VPN tunnel ID

998a4499-a5a6-4a55-b243-b67ce89dd870

Server Transaction Events

Field

Description

Example

sc-bytes

Bytes received from the server.

17084

x-type

The type of log message, which can be "http_transaction" or "WebSocket".

http_transaction

x-server-ssl-err

Description of SSL error between proxy and content servers.

Handshake error (error:141A318A:SSL routines: tls_process_ske_dhe:dh key too small) Blocked by SSL_HANDSHAKE_ERROR

x-client-ssl-err

Description of SSL error between client (browser) and proxy.

Handshake error (error:1417A0C1:SSL routines: tls_post_process_client_hello:no shared cipher)

Note

When parsing an HTTP Upgrade response, Netskope uses the Upgrade header to determine if the traffic is WebSocket.

Steering Transaction Event

Field

Description

Example

x-access-method

Steering method used to access the Netskope cloud.

Client

User Information Transaction Event

Field

Description

Example

cs-username

The client's username.

Bill@companyname.com

In this section: