Netskope Help

Transaction Event Fields

Admins can search, analyze, and correlate data from app events, alerts, incidents, and transaction events. This helps to find trends, create dashboards, and even trigger alerts to improve your business processes and protect your data.

The following sections display information about the transaction event log file fields and possible values for those fields. Each field is grouped in categories, e.g. Application, Authentication, SSL Policy, etc.

TRANSACTION EVENT FORMAT CONFIGURATION

A log format defines how the contents of a log file should be interpreted. Log formats can also define the fields contained within the log file and the data types for those fields. Netskope currently has two log file formats. Both log file formats are available now, and more formats will be available in subsequent releases.

The log file format is structured, meaning the order of fields is fixed and cannot be changed.

Note

The format version used to generate transaction events is defined in the backend. Contact your Sales Representative or Support to update the transaction events format.

FORMAT 1

#Fields: date time time-taken cs-bytes sc-bytes bytes c-ip s-ip cs-username cs-method cs-uri-scheme cs-uri-query cs-user-agent cs-content-type sc-status sc-content-type cs-dns cs-host cs-uri cs-uri-port cs-referer x-cs-session-id x-cs-access-method x-cs-app x-s-country x-s-latitude x-s-longitude x-s-location x-s-region x-s-zipcode x-c-country x-c-latitude x-c-longitude x-c-location x-c-region x-c-zipcode x-c-os x-c-browser x-c-browser-version x-c-device x-cs-site x-cs-timestamp x-cs-page-id x-cs-userip x-cs-traffic-type x-cs-tunnel-id x-category x-other-category x-type x-server-ssl-err x-client-ssl-err x-transaction-id x-request-id x-cs-sni x-cs-domain-fronted-sni x-category-id x-other-category-id x-sr-headers-name x-sr-headers-value

FORMAT 2

Format 2 is the same as Format 1 with the addition of the fields from x-cs-ssl-ja3 through x-cs-src-ip-egress (positions 60 to 97), which follow the Format 1 fields below.

#Fields: date time time-taken cs-bytes sc-bytes bytes c-ip s-ip cs-username cs-method cs-uri-scheme cs-uri-query cs-user-agent cs-content-type sc-status sc-content-type cs-dns cs-host cs-uri cs-uri-port cs-referer x-cs-session-id x-cs-access-method x-cs-app x-s-country x-s-latitude x-s-longitude x-s-location x-s-region x-s-zipcode x-c-country x-c-latitude x-c-longitude x-c-location x-c-region x-c-zipcode x-c-os x-c-browser x-c-browser-version x-c-device x-cs-site x-cs-timestamp x-cs-page-id x-cs-userip x-cs-traffic-type x-cs-tunnel-id x-category x-other-category x-type x-server-ssl-err x-client-ssl-err x-transaction-id x-request-id x-cs-sni x-cs-domain-fronted-sni x-category-id x-other-category-id x-sr-headers-name x-sr-headers-value x-cs-ssl-ja3 x-sr-ssl-ja3s x-ssl-bypass x-ssl-bypass-reason x-r-cert-subject-cn x-r-cert-issuer-cn x-r-cert-startdate x-r-cert-enddate x-r-cert-valid x-r-cert-expired x-r-cert-untrusted-root x-r-cert-incomplete-chain x-r-cert-self-signed x-r-cert-revoked x-r-cert-revocation-check x-r-cert-mismatch x-cs-ssl-fronting-error x-cs-ssl-handshake-error x-sr-ssl-handshake-error x-sr-ssl-client-certificate-error x-sr-ssl-malformed-ssl x-s-custom-signing-ca-error x-cs-ssl-engine-action x-cs-ssl-engine-action-reason x-sr-ssl-engine-action x-sr-ssl-engine-action-reason x-ssl-policy-src-ip x-ssl-policy-dst-ip x-ssl-policy-dst-host x-ssl-policy-dst-host-source x-ssl-policy-categories x-ssl-policy-action x-ssl-policy-name x-cs-ssl-version x-cs-ssl-cipher x-sr-ssl-version x-sr-ssl-cipher x-cs-src-ip-egress

FORMAT 3

Format 3 is the same as Format 2 with the addition of the fields from x-s-dp-name through x-sc-notification-name (positions 98 to 146), which follow the Format 2 fields below.

#Fields: date time time-taken cs-bytes sc-bytes bytes c-ip s-ip cs-username cs-method cs-uri-scheme cs-uri-query cs-user-agent cs-content-type sc-status sc-content-type cs-dns cs-host cs-uri cs-uri-port cs-referer x-cs-session-id x-cs-access-method x-cs-app x-s-country x-s-latitude x-s-longitude x-s-location x-s-region x-s-zipcode x-c-country x-c-latitude x-c-longitude x-c-location x-c-region x-c-zipcode x-c-os x-c-browser x-c-browser-version x-c-device x-cs-site x-cs-timestamp x-cs-page-id x-cs-userip x-cs-traffic-type x-cs-tunnel-id x-category x-other-category x-type x-server-ssl-err x-client-ssl-err x-transaction-id x-request-id x-cs-sni x-cs-domain-fronted-sni x-category-id x-other-category-id x-sr-headers-name x-sr-headers-value x-cs-ssl-ja3 x-sr-ssl-ja3s x-ssl-bypass x-ssl-bypass-reason x-r-cert-subject-cn x-r-cert-issuer-cn x-r-cert-startdate x-r-cert-enddate x-r-cert-valid x-r-cert-expired x-r-cert-untrusted-root x-r-cert-incomplete-chain x-r-cert-self-signed x-r-cert-revoked x-r-cert-revocation-check x-r-cert-mismatch x-cs-ssl-fronting-error x-cs-ssl-handshake-error x-sr-ssl-handshake-error x-sr-ssl-client-certificate-error x-sr-ssl-malformed-ssl x-s-custom-signing-ca-error x-cs-ssl-engine-action x-cs-ssl-engine-action-reason x-sr-ssl-engine-action x-sr-ssl-engine-action-reason x-ssl-policy-src-ip x-ssl-policy-dst-ip x-ssl-policy-dst-host x-ssl-policy-dst-host-source x-ssl-policy-categories x-ssl-policy-action x-ssl-policy-name x-cs-ssl-version x-cs-ssl-cipher x-sr-ssl-version x-sr-ssl-cipher x-cs-src-ip-egress x-s-dp-name x-cs-src-ip x-cs-src-port x-cs-dst-ip x-cs-dst-port x-sr-src-ip x-sr-src-port x-sr-dst-ip x-sr-dst-port x-cs-ip-connect-xff x-cs-ip-xff x-cs-connect-host x-cs-connect-port x-cs-connect-user-agent x-cs-url x-cs-uri-path x-cs-http-version rs-status x-cs-app-category x-cs-app-cci x-cs-app-ccl x-cs-app-tags x-cs-app-suite x-cs-app-instance-id x-cs-app-instance-name x-cs-app-instance-tag x-cs-app-activity x-cs-app-from-user x-cs-app-to-user x-cs-app-object-type x-cs-app-object-name x-cs-app-object-id x-rs-file-type x-rs-file-category x-rs-file-language x-rs-file-size x-rs-file-md5 x-rs-file-sha256 x-error x-c-local-time x-policy-action x-policy-name x-policy-src-ip x-policy-dst-ip x-policy-dst-host x-policy-dst-host-source x-policy-justification-type x-policy-justification-reason x-sc-notification-name

Note

The number listed in the Position column represents the order the particular field appears in the Format list. The number is fixed and is in the same order for Format 1, Format 2, and Format 3.
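
Because the field order is fixed, a record can be mapped to field names purely by position. The following is an added example (not Netskope code) that parses a record against the Format 2 `#Fields:` directive from this page and flags TLS findings worth review. It assumes space-delimited records, double-quoted values for fields containing spaces, and `-` for blank fields, none of which this page specifies; the sample record is constructed.

```python
import shlex

# Format 2 "#Fields:" directive as listed on this page (97 names, fixed order).
FIELDS_DIRECTIVE = "#Fields: " + " ".join("""
date time time-taken cs-bytes sc-bytes bytes c-ip s-ip cs-username cs-method cs-uri-scheme
cs-uri-query cs-user-agent cs-content-type sc-status sc-content-type cs-dns cs-host cs-uri
cs-uri-port cs-referer x-cs-session-id x-cs-access-method x-cs-app x-s-country x-s-latitude
x-s-longitude x-s-location x-s-region x-s-zipcode x-c-country x-c-latitude x-c-longitude
x-c-location x-c-region x-c-zipcode x-c-os x-c-browser x-c-browser-version x-c-device x-cs-site
x-cs-timestamp x-cs-page-id x-cs-userip x-cs-traffic-type x-cs-tunnel-id x-category
x-other-category x-type x-server-ssl-err x-client-ssl-err x-transaction-id x-request-id x-cs-sni
x-cs-domain-fronted-sni x-category-id x-other-category-id x-sr-headers-name x-sr-headers-value
x-cs-ssl-ja3 x-sr-ssl-ja3s x-ssl-bypass x-ssl-bypass-reason x-r-cert-subject-cn x-r-cert-issuer-cn
x-r-cert-startdate x-r-cert-enddate x-r-cert-valid x-r-cert-expired x-r-cert-untrusted-root
x-r-cert-incomplete-chain x-r-cert-self-signed x-r-cert-revoked x-r-cert-revocation-check
x-r-cert-mismatch x-cs-ssl-fronting-error x-cs-ssl-handshake-error x-sr-ssl-handshake-error
x-sr-ssl-client-certificate-error x-sr-ssl-malformed-ssl x-s-custom-signing-ca-error
x-cs-ssl-engine-action x-cs-ssl-engine-action-reason x-sr-ssl-engine-action
x-sr-ssl-engine-action-reason x-ssl-policy-src-ip x-ssl-policy-dst-ip x-ssl-policy-dst-host
x-ssl-policy-dst-host-source x-ssl-policy-categories x-ssl-policy-action x-ssl-policy-name
x-cs-ssl-version x-cs-ssl-cipher x-sr-ssl-version x-sr-ssl-cipher x-cs-src-ip-egress
""".split())

EMPTY = {"", "-"}  # assumption: a blank field is written as "-"


def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    names = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            names = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            # Assumption: space-delimited, values with spaces in double quotes.
            values = shlex.split(line)
            if len(values) != len(names):
                raise ValueError(f"expected {len(names)} fields, got {len(values)}")
            yield dict(zip(names, values))


def triage(rec):
    """Return review flags from the TLS-related fields of one parsed record."""
    def low(key):
        return rec.get(key, "-").lower()
    flags = []
    fronted = rec.get("x-cs-domain-fronted-sni", "-")
    if fronted not in EMPTY:  # populated only when SNI and Host header mismatched
        flags.append(f"domain-fronting: sni={fronted} host={rec.get('cs-host', '-')}")
    # x-r-cert-valid does not reflect the SSL Engine action, so correlate the two.
    if low("x-r-cert-valid") == "no" and low("x-sr-ssl-engine-action") == "allow":
        flags.append("invalid-cert-allowed")
    if low("x-ssl-bypass") == "yes":  # traffic was not decrypted for inspection
        flags.append(f"ssl-bypass: {rec.get('x-ssl-bypass-reason', '-')}")
    return flags


def sample_log():
    """Constructed log: values are placed by the Position numbers in the tables."""
    row = ["-"] * 97
    by_position = {1: "08/07/19", 2: "01:02-39", 18: "cdn.example.net",
                   47: '"Cloud Storage"', 54: "www.example.com",
                   55: "www.example.com", 62: "No", 68: "no", 72: "yes", 84: "allow"}
    for position, value in by_position.items():
        row[position - 1] = value
    return FIELDS_DIRECTIVE + "\n" + " ".join(row) + "\n"
```

The field-count check is what catches a tokenizer or format-version mismatch; confirm the delimiter and quoting against a real export before relying on it.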

APPLICATION

| FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
| --- | --- | --- | --- |
| x-cs-app | Cloud application name. | Dropbox | 24 |
| x-cs-app-category | Cloud application category from the CCI database. | Business Intelligence and Data Analytics | 116 |
| x-cs-app-cci | Cloud Confidence Index of the Cloud application from the CCI database. | A number ranging from 0 - 100 | 117 |
| x-cs-app-ccl | Cloud Confidence Level of the Cloud application from the CCI database. | High Score: 75 to 89 | 118 |
| x-cs-app-tags | Cloud application tags from the CCI database. | Marketing, HR | 119 |
| x-cs-app-suite | The cloud application suite name. | Google | 120 |
| x-cs-app-instance-id | The cloud application instance ID identified by the proxy. | mycompany.com | 121 |
| x-cs-app-instance-name | Reserved for future use. | N/A | 122 |
| x-cs-app-instance-tag | Reserved for future use. | N/A | 123 |
| x-cs-app-activity | The cloud application activity identified by the proxy. | Browse | 124 |
| x-cs-app-from-user | The user identity detected in the cloud application. | user@company.com | 125 |
| x-cs-app-to-user | The recipients of a share/send activity detected in the cloud application. | user@partner.com | 126 |
| x-cs-app-object-type | The type of the object transferred to/from the cloud application. | File | 127 |
| x-cs-app-object-name | The name of the object transferred to/from the cloud application. | sample-data.pdf | 128 |
| x-cs-app-object-id | The ID of the object transferred to/from the cloud application. | 1iNtlIbpIivrmMEHPgtjEDk_T5Fe0a778 | 129 |

AUTHENTICATION

| FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
| --- | --- | --- | --- |
| cs-username | The client's username. | Bill@companyname.com | 9 |

BYTES

| FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
| --- | --- | --- | --- |
| cs-bytes | Bytes received from the client. | 1093 | 4 |
| sc-bytes | Bytes received from the server. | 17084 | 5 |
| bytes | Sum of client bytes plus server bytes. | 18177 | 6 |

CONNECTION

| FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
| --- | --- | --- | --- |
| c-ip | Client IP as seen by the Netskope proxy. This will be the machine IP, if available (IPv4 address). | 70.42.129.126 | 7 |
| s-ip | The server IPv4 address. NOTE: During SSL bypass, the s-ip field displays as Unavailable when it's neither IPv4 nor IPv6. | 216.58.193.33 | 8 |
| x-access-method | Steering method used to access the Netskope cloud. | Client | 23 |
| x-cs-userip | The client IP address. If the client IP address is not found, the field is left blank. | 199.188.180.55 | 44 |
| x-cs-tunnel-id | VPN tunnel ID. | 998a4499-a5a6-4a55-b243-b67ce89dd870 | 46 |
| x-cs-src-ip-egress | The public IP used to contact the NewEdge data plane on the traffic coming from the Client device. | 70.42.129.126 | 97 |
| x-s-dp-name | The dataplane name processing the request. | FR-PAR1 | 98 |
| x-cs-src-ip | The source IP of the client to proxy session. | 70.42.129.126 | 99 |
| x-cs-src-port | The source port of the client to proxy session. | 54447 | 100 |
| x-cs-dst-ip | The destination IP of the client to proxy session. | 216.58.193.67 | 101 |
| x-cs-dst-port | The destination port of the client to proxy session. | 443 | 102 |
| x-sr-src-ip | The source IP of the proxy to remote server session. This field is blank if dedicated IPs are used. | 163.116.163.24 | 103 |
| x-sr-src-port | The source port of the proxy to remote server session. This field is blank if dedicated IPs are used. | 15556 | 104 |
| x-sr-dst-ip | The destination IP of the proxy to remote server session. | 216.58.193.67 | 105 |
| x-sr-dst-port | The destination port of the proxy to remote server session. | 443 | 106 |

DEVICE

| FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
| --- | --- | --- | --- |
| x-c-os | Operating system of the client. | Windows 10 | 37 |
| x-c-browser | Client's browser. | Firefox | 38 |
| x-c-browser-version | Client's browser version. | 50 | 39 |
| x-c-device | Client's device type. | Windows device | 40 |

FILE

| FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
| --- | --- | --- | --- |
| x-rs-file-type | The type of the object transferred to/from the remote server. | text/plain | 130 |
| x-rs-file-category | The category of the object transferred to/from the remote server. | Word Processor | 131 |
| x-rs-file-language | Reserved for future use. | N/A | 132 |
| x-rs-file-size | Reserved for future use. | N/A | 133 |
| x-rs-file-md5 | The MD5 Hash of the object transferred to/from the remote server. | bcdd51c6a4f3f99c4e658f07e4c57e91 | 134 |
| x-rs-file-sha256 | Reserved for future use. | N/A | 135 |

GENERAL

| FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
| --- | --- | --- | --- |
| date | Date of generation, YY-MM-DD format. NOTE: Human readable string for the "x-cs-timestamp" field. | 08/07/19 | 1 |
| time | Time of generation in HH:MM-SEC format in GMT. NOTE: Human readable string for the "x-cs-timestamp" field. | 01:02-39 | 2 |
| x-cs-timestamp | Date of the request as epoch time. NOTE: This field is the epoch version of the "date" and "time" fields. | 1480330369 | 42 |
| x-error | The error encountered when processing the transaction. | dns-resolution | 136 |
| x-c-local-time | The local time of the client calculated from geolocation of the device IP. | Thu Jan 12 08:41:08 2023 | 137 |

GEOLOCATION

| FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
| --- | --- | --- | --- |
| x-s-country | Destination country | United States | 25 |
| x-s-latitude | Destination latitude | 37.4192009 | 26 |
| x-s-longitude | Destination longitude | -122.0574036 | 27 |
| x-s-location | Destination location (e.g. city) | Menlo Park | 28 |
| x-s-region | Destination region (e.g. state) | California | 29 |
| x-s-zipcode | Destination zip code | 94025 | 30 |
| x-c-country | Country of the client (user) | United States | 31 |
| x-c-latitude | Latitude of the client | 37.3394 | 32 |
| x-c-longitude | Longitude of the client | -121.895 | 33 |
| x-c-location | Location of the client | Palo Alto | 34 |
| x-c-region | Region of the client | California | 35 |
| x-c-zipcode | Zip code of the client | 84414 | 36 |

HTTP

| FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
| --- | --- | --- | --- |
| cs-method | The HTTP method (e.g. GET, POST). | POST | 10 |
| cs-uri-scheme | The protocol used. | https | 11 |
| cs-uri-query | The query string portion of the HTTP request. | q=a&b=c | 12 |
| cs-user-agent | The user-agent header in the HTTP request. | Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 | 13 |
| cs-content-type | The content-type header in the HTTP request. | application/json | 14 |
| sc-status | The HTTP status code received from the server. | 200 | 15 |
| sc-content-type | The content-type header from the response. | text/html | 16 |
| cs-dns | The destination domain requested. | google.co.in | 17 |
| cs-host | The value in the host header from the request. | google.co.in | 18 |
| cs-uri | Path information plus query string. | /home.html?key=123 | 19 |
| cs-uri-port | Port specified in the request header. | 443 | 20 |
| cs-referer | The value of the referrer header. | https://www.google.com | 21 |
| x-cs-session-id | A session for the current user which consists of: user, device, OS, app, browser. | 50530900000000000 | 22 |
| x-cs-site | Destination site. | Google Maps | 41 |
| x-cs-page-id | Identifier associated with the page event object. | 1170730000000000000 | 43 |
| x-cs-traffic-type | Type of traffic, which can be "Web" or "CloudApp". NOTE: During SSL bypass, x-cs-traffic-type always displays as Unavailable. | Web | 45 |
| x-type | The type of log message, which can be "http_transaction" or "WebSocket". NOTE: When parsing an HTTP Upgrade response, Netskope uses the Upgrade header to determine if the traffic is WebSocket. | http_transaction | 49 |
| x-transaction-id | Transaction ID needed to correlate application events with transaction events. | 1821255295454864980 | 52 |
| x-request-id | Request ID needed to correlate DLP and TSS incidents with transaction events. | 2234064361201696768 | 53 |
| x-sr-headers-name | List of custom headers inserted. | X-Dropbox-allowed-Team-Ids, x-my-header | 58 |
| x-sr-headers-value | List of custom header values inserted. | 1234, 123456 | 59 |
| x-cs-ip-connect-xff | X-Forwarded-For header value received in the Client to Proxy HTTP CONNECT request. This field is empty if there is no CONNECT or if the field is missing. | 192.168.1.1 | 107 |
| x-cs-ip-xff | X-Forwarded-For header value received in the Client to Proxy GET request. This field is empty if there is no header or if GET is not decrypted. | 192.168.1.2 | 108 |
| x-cs-connect-host | The host value received in the Client to Proxy HTTP CONNECT request. This field is empty if there is no CONNECT. | www.google.com | 109 |
| x-cs-connect-port | The port value received in the Client to Proxy HTTP CONNECT request. This field is empty if there is no CONNECT. | 443 | 110 |
| x-cs-connect-user-agent | The User-Agent header value received in the Client to Proxy HTTP CONNECT request. This field is empty if there is no CONNECT or the field is missing. | "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" | 111 |
| x-cs-url | The full URL of the request received, including scheme, host, port, path and query. | https://play.google.com/log?format=json&hasfast=true&authuser=0 | 112 |
| x-cs-uri-path | Path of the URI from the received HTTP request. | /example/path | 113 |
| x-cs-http-version | The version of the HTTP protocol of the request. | HTTP2 | 114 |
| rs-status | The HTTP status code received from the remote server. | 200 | 115 |

PERFORMANCE

| FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
| --- | --- | --- | --- |
| time-taken | Delta (integer value in ms) between when the request processing started and when the full response was received. | 589 | 3 |

REAL-TIME PROTECTION POLICY

| FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
| --- | --- | --- | --- |
| x-category | Primary category name applicable for the URL in this transaction. | "Cloud Storage" | 47 |
| x-other-category | Secondary categories applicable for the URL in this transaction. | "News & Media; Entertainment" | 48 |
| x-category-id | Primary category ID applicable for the URL in this transaction, e.g. category ID is 7 for the Cloud Storage category. | 7 | 56 |
| x-other-category-id | IDs of secondary categories applicable for the URL in this transaction, e.g. category ID is 537 for the News & Media; Entertainment category. | 537 | 57 |
| x-policy-action | The action performed by the proxy on the transaction after the Real-time policy engine analysis (e.g. allow, block, bypass, alert, user alert). | block | 138 |
| x-policy-name | The Real-time policy name that triggered the action. | DefaultAction | 139 |
| x-policy-src-ip | The source IP computed by the Real-time policy engine from the source IP or XFF header. | 10.50.1.192 | 140 |
| x-policy-dst-ip | The destination IP computed by the Real-time policy engine, from DNS resolution. | 142.251.46.206 | 141 |
| x-policy-dst-host | The hostname computed by the Real-time policy engine. The source for the hostname is provided in the x-policy-dst-host-source field. | chat.google.com | 142 |
| x-policy-dst-host-source | The source for the hostname value computed by the Real-time policy engine (e.g. OriginalDestDomain, Sni, Uri, HttpHostHeader). | HttpHostHeader | 143 |
| x-policy-justification-type | The justification type selected by the end user in case of "useralert" action. | justification | 144 |
| x-policy-justification-reason | The justification provided by the end user in case of "useralert" action. | sharing with a trusted partner | 145 |
| x-sc-notification-name | The name of the user notification displayed to the end user in case of action "block" or "useralert". | block_page.html | 146 |

SSL CERTIFICATE

| FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
| --- | --- | --- | --- |
| x-cs-sni | The hostname that the client is attempting to connect to using the SNI extension in the TLS handshake. | google.co.in | 54 |
| x-cs-domain-fronted-sni | The SNI of the SSL connection where Netskope detected domain fronting. In other words, the SNI and Host header were mismatched. SSL inspection must be enabled to see this field. | google.co.in | 55 |
| x-r-cert-subject-cn | The CN attribute of the server certificate received from the destination server. | upload.video.google.com | 64 |
| x-r-cert-issuer-cn | The issuer CN attribute of the server certificate received from the destination server. | GTS CA 1C3 | 65 |
| x-r-cert-startdate | The start date/time of the server certificate received from the destination server. | Oct 17 08:18:30 2022 GMT | 66 |
| x-r-cert-enddate | The end date/time of the server certificate received from the destination server. | Jan 9 08:18:29 2023 GMT | 67 |
| x-r-cert-valid | Overall result of the evaluation of the validity of the server certificate received from the destination server. This field doesn't reflect the action of the SSL Engine. | yes | 68 |
| x-r-cert-expired | Indicates if the server certificate received from the destination server is expired or not yet valid. | no | 69 |
| x-r-cert-untrusted-root | Indicates if the server certificate received from the destination server is signed by a trusted issuer. | no | 70 |
| x-r-cert-incomplete-chain | Indicates if the server certificate received from the destination server has an incomplete issuer chain. | no | 71 |
| x-r-cert-self-signed | Indicates if the server certificate received from the destination server is self-signed. | no | 72 |
| x-r-cert-revoked | Indicates if the server certificate received from the destination server is revoked. | no | 73 |
| x-r-cert-revocation-check | Reserved for future use. | n/a | 74 |
| x-r-cert-mismatch | Indicates if the server certificate received from the destination server has a mismatch between the SNI and the CN/SAN. | no | 75 |

SSL ENGINE

| FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
| --- | --- | --- | --- |
| x-server-ssl-err | Description of SSL error between proxy and content servers. | Handshake error (error:141A318A:SSL routines: tls_process_ske_dhe:dh key too small) Blocked by SSL_HANDSHAKE_ERROR | 50 |
| x-client-ssl-err | Description of SSL error between client (browser) and proxy. | Handshake error (error:1417A0C1:SSL routines: tls_post_process_client_hello:no shared cipher) | 51 |
| x-cs-ssl-ja3 | Fingerprints the way the Client communicates over TLS. | 2d908070f157946cc4ea9dca39dbe374 | 60 |
| x-sr-ssl-ja3s | Fingerprints the way the server responds to the TLS. | 907bf3ecef1c987c889946b737b43de8 | 61 |
| x-cs-ssl-fronting-error | Indicates if the server certificate received from the destination server has a mismatch between the SNI and the hostname of the encrypted HTTP request. | no | 76 |
| x-cs-ssl-handshake-error | Indicates if the SSL Engine encountered a problem when establishing the SSL/TLS negotiation. For more information, refer to the x-server-ssl-err and x-client-ssl-err fields. | no | 77 |
| x-sr-ssl-handshake-error | Indicates if the SSL Engine encountered a problem when establishing the SSL/TLS negotiation. For more information, refer to the x-server-ssl-err and x-client-ssl-err fields. | no | 78 |
| x-sr-ssl-client-certificate-error | Indicates that the destination server requested a Client certificate during SSL/TLS negotiation. | yes | 79 |
| x-sr-ssl-malformed-ssl | Indicates that the SSL Engine encountered a malformed SSL packet during SSL/TLS negotiation. | yes | 80 |
| x-s-custom-signing-ca-error | Indicates that the SSL Engine failed to intercept with a Custom signing CA. | no | 81 |
| x-cs-ssl-engine-action | Indicates the result of the SSL Engine behavior after certificate evaluation and SSL/TLS negotiation. Possible values include: allow, block, or bypass. | allow | 82 |
| x-cs-ssl-engine-action-reason | Provides details of the SSL Engine action. | SSL Error - Incomplete Certificate Trust Chain | 83 |
| x-sr-ssl-engine-action | Indicates the result of the SSL Engine behavior after certificate evaluation and SSL/TLS negotiation. Possible values include: allow, block, or bypass. | allow | 84 |
| x-sr-ssl-engine-action-reason | Provides details of the SSL Engine action. | InvalidCert (malformed or invalid certificate) | 85 |
| x-cs-ssl-version | The SSL Version negotiated between the Client device and the NewEdge data plane for the HTTPS request. | TLSv1.3 | 93 |
| x-cs-ssl-cipher | The SSL Cipher negotiated between the Client device and the NewEdge data plane for the HTTPS request. | TLS_AES_256_GCM_SHA384 | 94 |
| x-sr-ssl-version | The SSL Version negotiated between the NewEdge data plane and the Destination Server for the HTTPS request. | TLSv1.3 | 95 |
| x-sr-ssl-cipher | The SSL Cipher negotiated between the NewEdge data plane and the Destination Server for the HTTPS request. | TLS_AES_256_GCM_SHA384 | 96 |

SSL POLICY

| FIELD NAME | DESCRIPTION | EXAMPLE | POSITION |
| --- | --- | --- | --- |
| x-ssl-bypass | Indicates if the request was SSL bypassed. | No | 62 |
| x-ssl-bypass-reason | If the request was SSL bypassed, this field provides the reason. | SSL Error - SSL Handshake Error | 63 |
| x-ssl-policy-src-ip | The Source IP computed by the SSL Policy Engine to evaluate the SSL Decryption Policies. | 10.1.1.1 | 86 |
| x-ssl-policy-dst-ip | The Destination IP computed by the SSL Policy Engine to evaluate the SSL Decryption Policies. | 141.193.213.20 | 87 |
| x-ssl-policy-dst-host | The Destination Hostname computed by the SSL Policy Engine to evaluate the SSL Decryption Policies. | www.netskope.com | 88 |
| x-ssl-policy-dst-host-source | Describes how the Destination Hostname was computed by the SSL Policy Engine. Possible values include from SNI or original host. | Sni | 89 |
| x-ssl-policy-categories | Destination Hostname Categories computed by the SSL Policy Engine to evaluate the SSL Decryption Policies. | Content Server, Cloud Storage | 90 |
| x-ssl-policy-action | Action of the SSL Decryption Policy that matched the request. Possible values include Decrypt or Do not decrypt. | Do not decrypt | 91 |
| x-ssl-policy-name | Name of the SSL Decryption Policy that matched the request. | Do not decrypt Financial Services | 92 |