Dimensions and Measures for SWG Collections
This topic lists the Dimensions and Measures for the SWG Collections.
SWG - DLP File
The following table lists aggregated events related to files scanned as part of Data Security. Applies to both web browsing and inline access controls for protected applications.
Field | Type | Description |
---|---|---|
Action | Dimension | The action Forcepoint ONE took per policy match. |
Activity | Dimension | The activity the user was doing that generated the event. |
App Name | Dimension | The managed application name. |
Count | Dimension | The number of files in the specific transaction. |
Date | Dimension | Date of event, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
File Size | Dimension | The size of the scanned file in bytes. Used to filter transactions based on size. |
Group Id | Dimension | Internal ID of the user group that applies to this event. |
Insert Time | Dimension | Timestamp when this event was inserted into the Forcepoint ONE Data lake, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Managed | Dimension | Boolean indicating if the event refers to a managed application. |
Sanctioned | Dimension | Boolean indicating if the event was sanctioned or not. |
Time | Dimension | Timestamp of event, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Type | Dimension | Object type. For example: File, Email, Message, Globalfile or Calendar. |
User First Name | Dimension | The user's first name if available. Otherwise set to Anonymous or none. |
User Id | Dimension | The user ID. Contains the user's login (email address) in brackets. |
User Last Name | Dimension | The user's last name if available. Otherwise set to Anonymous or none. |
File Count | Measure | The count of files scanned based on the dimension criteria. |
SWG - DLP Logs
The following table lists raw events related to content scanning, including both Data Security and Threat. Applies to both web browsing and inline access controls for protected applications.
Field | Type | Description |
---|---|---|
Agent Header | Dimension | The user agent header seen. |
Apache Request Id | Dimension | Internal request ID generated by the Forcepoint ONE Dataplane. |
App Name | Dimension | The managed application name. |
Create Copy | Dimension | File path if the create copy policy was configured. |
Date | Dimension | Date of event, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Dlp Action | Dimension | The DLP action Forcepoint ONE applied per policy match. |
Dlp Ip | Dimension | Client IP address captured during the content scanning. |
Dlp Match Location | Dimension | If the scanned object was an email, indicates whether the DLP match applied to the email subject or the email body. Blank otherwise. |
Doc Ext | Dimension | The filename extension when a file is detected and DLP scanning is applied. |
Doc Md5 | Dimension | The MD5 hash of the file scanned if available. |
Doc Name | Dimension | The filename when a file is detected and DLP scanning is applied. Can include PII if the filename contains such information. |
Doc Sha1 | Dimension | The SHA-1 hash of the file scanned if available. |
Doc Sha256 | Dimension | The SHA-256 hash of the file scanned if available. |
Doc Type | Dimension | The type of document, for example: text, PDF, rawscan, etc. |
Domain | Dimension | The fully qualified domain name. |
File Size | Dimension | The size of the scanned file in bytes. Used to filter transactions based on size. |
Group Id | Dimension | Internal ID of the user group that applies to this event. |
Insert Time | Dimension | Timestamp when this event was inserted into the Forcepoint ONE Data lake, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Keyword | Dimension | Keyword found during content scanning. |
Managed | Dimension | Boolean indicating if the event refers to a managed application. |
Pattern | Dimension | The name of the DLP classifier that matched. |
Policy Id | Dimension | SSE Policy ID |
Request Id | Dimension | Internal request ID (GUID) generated by the SmartEdge Agent or Cloud SWG. |
Sanctioned | Dimension | Boolean indicating if the event was sanctioned or not. |
Tags | Dimension | Comma-separated list of tags applied to this event. |
Threat | Dimension | Indicates the malware engine applied if a threat was detected. Blank otherwise. |
Time | Dimension | Timestamp of event, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Type | Dimension | Object type. For example: File, Email, Message, Globalfile or Calendar. |
Uri | Dimension | Full URI |
User First Name | Dimension | The user's first name if available. Otherwise set to Anonymous or none. |
User Full Name | Dimension | The user's full name, if available. |
User Id | Dimension | The user ID. Contains the user's login (email address) in brackets. |
User Last Name | Dimension | The user's last name if available. Otherwise set to Anonymous or none. |
Allowed Event Count | Measure | Allowed event count |
Denied Event Count | Measure | Denied event count |
Event Count | Measure | DLP Log event count |
Malware Event Count | Measure | Malware event count |
User Count | Measure | User count |
SWG - DLP Pattern
The following table lists aggregated web browsing events based on DLP Patterns. Applies to both web browsing and inline access controls for protected applications.
Field | Type | Description |
---|---|---|
Action | Dimension | The action Forcepoint ONE took per policy match. |
Activity | Dimension | The activity the user was doing that generated the event. |
App Name | Dimension | The managed application name. |
Cloud App Id | Dimension | The internal ID of the managed application detected. Blank otherwise. |
Count | Dimension | The number of DLP Patterns matched in the transaction. |
Date | Dimension | Date of event, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Domain | Dimension | The fully qualified domain name. |
Group Id | Dimension | Internal ID of the user group that applies to this event. |
Insert Time | Dimension | Timestamp when this event was inserted into the Forcepoint ONE Data lake, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Managed | Dimension | Boolean indicating if the event refers to a managed application. |
Pattern | Dimension | The name of the DLP classifier that matched. |
Sanctioned | Dimension | Boolean indicating if the event was sanctioned or not. |
Time | Dimension | Timestamp of event, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Type | Dimension | Object type. For example: File, Email, Message, Globalfile or Calendar. |
Allowed Pattern Count | Measure | Total DLP Allows |
Denied Pattern Count | Measure | Total DLP Block actions |
Pattern Count | Measure | Total DLP Pattern match count |
SWG - SWG App
The following table lists aggregated web browsing events based on application.
Field | Type | Description |
---|---|---|
Action | Dimension | The action Forcepoint ONE took per policy match. |
App Name | Dimension | The managed application name. |
Count | Dimension | The number of Applications detected in the transaction. |
Date | Dimension | Date of event, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Downloaded Bytes | Dimension | The bytes downloaded as part of this event. |
Enterprise App Category | Dimension | The enterprise app category matched to this event. |
Enterprise App Score | Dimension | The enterprise app score matched to this event. |
Group Id | Dimension | Internal ID of the user group that applies to this event. |
Insert Time | Dimension | Timestamp when this event was inserted into the Forcepoint ONE Data lake, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Source Ip | Dimension | The source IP address from which the event originated. |
Time | Dimension | Timestamp of event, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Truncated Domain | Dimension | The root domain associated with this event. |
Trust | Dimension | The trust rating associated with this domain at the time of the event. |
Uploaded Bytes | Dimension | The bytes uploaded as part of this event. |
User Email | Dimension | The user's email address; typically corresponds to their UPN. |
User First Name | Dimension | The user's first name if available. Otherwise set to Anonymous or none. |
User Full Name | Dimension | The user's full name if available. |
User Id | Dimension | The user ID. Contains the user's login (email address) in brackets. |
User Last Name | Dimension | The user's last name if available. Otherwise set to Anonymous or none. |
Distinct App Name Count | Measure | Distinct application name count based on the filtered dimensions. |
Distinct User Count | Measure | Distinct User count based on the filtered dimensions. |
Event Count | Measure | App event count |
Sum Downloaded Bytes | Measure | Sum downloaded bytes based on the filtered dimensions. |
Sum Uploaded Bytes | Measure | Sum uploaded bytes based on the filtered dimensions. |
SWG - SWG App Category
The following table lists aggregated web browsing events based on application category.
Field | Type | Description |
---|---|---|
Action | Dimension | The action Forcepoint ONE took per policy match. |
App Name | Dimension | The managed application name. |
Count | Dimension | The number of Application Categories detected in the transaction. |
Date | Dimension | Date of event, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Downloaded Bytes | Dimension | The bytes downloaded as part of this event. |
Enterprise App Category | Dimension | The enterprise app category matched to this event. |
Enterprise App Score | Dimension | The enterprise app score matched to this event. |
Group Id | Dimension | Internal ID of the user group that applies to this event. |
Insert Time | Dimension | Timestamp when this event was inserted into the Forcepoint ONE Data lake, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Time | Dimension | Timestamp of event, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Truncated Domain | Dimension | The root domain associated with this event. |
Trust | Dimension | The trust rating associated with this domain at the time of the event. |
Uploaded Bytes | Dimension | The bytes uploaded as part of this event. |
User Email | Dimension | The user's email address; typically corresponds to their UPN. |
Distinct User Count | Measure | Distinct User count based on the filtered dimensions. |
Event Count | Measure | App Category event count. |
Sum Downloaded Bytes | Measure | Sum downloaded bytes based on the filtered dimensions. |
Sum Uploaded Bytes | Measure | Sum uploaded bytes based on the filtered dimensions. |
SWG - Web
The following table lists aggregated web browsing events based on web domains.
Field | Type | Description |
---|---|---|
Action | Dimension | The action Forcepoint ONE took per policy match. |
Count | Dimension | The number of web domains detected in the transaction. |
Date | Dimension | Date of event, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Destination | Dimension | The destination in the form of a URL. |
Domain | Dimension | The fully qualified domain name. |
Downloaded Bytes | Dimension | The bytes downloaded as part of this event. |
Group Id | Dimension | Internal ID of the user group that applies to this event. |
Insert Time | Dimension | Timestamp when this event was inserted into the Forcepoint ONE Data lake, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Risk | Dimension | The risk category assigned to this event. |
Source Ip | Dimension | The source IP address from which the event originated. |
Time | Dimension | Timestamp of event, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Uploaded Bytes | Dimension | The bytes uploaded as part of this event. |
Uri | Dimension | Full URI |
User Email | Dimension | The user's email address; typically corresponds to their UPN. |
User First Name | Dimension | The user's first name if available. Otherwise set to Anonymous or none. |
User Id | Dimension | The user ID. Contains the user's login (email address) in brackets. |
User Last Name | Dimension | The user's last name if available. Otherwise set to Anonymous or none. |
Web Reputation | Dimension | The web reputation score attached to this event. |
Web Reputation Category | Dimension | The web reputation category attached to this event. |
Distinct Destination Count | Measure | Distinct destination count based on the filtered dimensions. |
Distinct Domain Count | Measure | Distinct domain count based on the filtered dimensions. |
Distinct User Count | Measure | Distinct User count based on the filtered dimensions. |
Event Count | Measure | Web event count. |
Sum Downloaded Bytes | Measure | Sum downloaded bytes based on the filtered dimensions. |
Sum Uploaded Bytes | Measure | Sum uploaded bytes based on the filtered dimensions. |
SWG - Web Category
The following table lists aggregated web browsing events based on web category.
Field | Type | Description |
---|---|---|
Action | Dimension | The action Forcepoint ONE took per policy match. |
Count | Dimension | The number of web categories detected in the transaction. |
Date | Dimension | Date of event, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Destination | Dimension | The destination in the form of a URL. |
Domain | Dimension | The fully qualified domain name. |
Downloaded Bytes | Dimension | The bytes downloaded as part of this event. |
Group Id | Dimension | Internal ID of the user group that applies to this event. |
Insert Time | Dimension | Timestamp when this event was inserted into the Forcepoint ONE Data lake, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Risk | Dimension | The risk category assigned to this event. |
Time | Dimension | Timestamp of event, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Uploaded Bytes | Dimension | The bytes uploaded as part of this event. |
Uri | Dimension | Full URI |
User Email | Dimension | The user's email address; typically corresponds to their UPN. |
User First Name | Dimension | The user's first name if available. Otherwise set to Anonymous or none. |
User Id | Dimension | The user ID. Contains the user's login (email address) in brackets. |
User Last Name | Dimension | The user's last name if available. Otherwise set to Anonymous or none. |
Web Reputation | Dimension | The web reputation score attached to this event. |
Web Reputation Category | Dimension | The web reputation category attached to this event. |
Distinct User Count | Measure | Distinct User count based on the filtered dimensions. |
Event Count | Measure | Web category event count |
Sum Downloaded Bytes | Measure | Sum downloaded bytes based on the filtered dimensions. |
Sum Uploaded Bytes | Measure | Sum uploaded bytes based on the filtered dimensions. |
SWG - Web Class
The following table lists aggregated web browsing events based on web category class.
Field | Type | Description |
---|---|---|
Action | Dimension | The action Forcepoint ONE took per policy match. |
Class | Dimension | The web category attached to this event. |
Count | Dimension | The number of web category classes detected in the transaction. |
Date | Dimension | Date of event, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Domain | Dimension | The fully qualified domain name. |
Insert Time | Dimension | Timestamp when this event was inserted into the Forcepoint ONE Data lake, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Time | Dimension | Timestamp of event, in the format M/D/Y HH:MM:SS AM\|PM. For example: 7/25/2023, 3:33:31 AM |
Event Count | Measure | Web class event count |