About the SaaS Security Insights Logs Page

On the SaaS Security Insights Logs page (Logs > Insights > Internet & SaaS > SaaS Security Insights > Logs), you can do the following:

1. Clear all filters. You are redirected to the default Insights page.
2. Click to show or hide the left pane.
3. Choose a predefined time frame or select Custom to use the calendar and time menus to define your own time frame. In Custom, the end date can be up to 92 days after start date.
4. View the records in a log table. You can search for specific entries wherever you see a magnifying glass on a column field name. You can also sort certain columns by ascending or descending order. To customize the column fields:
   • Click the icon (#5 in the following image) on the top right of the logs to list the available fields for display. Tick a box to add a column or clear it to remove a column. Alternatively, click Select all or Deselect all to display or remove all columns.
   • Drag a column to another location.
   • Resize a column by positioning the cursor on its border and dragging it to the desired width.

5. Customize your log view by selecting or deselecting which column fields you want to see.

   Each application category has its own set of columns.

   • Collaboration Columns
     • Action: The SaaS Security API DLP policy rule action.

     No SaaS Security API DLP / Malware policy rule action is performed if a SaaS application detects the malware. If SaaS application detects the malware, the Zscaler service does not run its anti-virus.

     • Advanced Threat Category: If the service detected a threat in the record, it displays the virus or spyware type, if applicable.
     • Application: The type of sanctioned SaaS application (e.g., Slack).
     • Application Category: The type of application category.
     • Channel Name: The name of the Slack, Webex Teams, or Microsoft Teams channel.
     • Collaboration Scope: The collaboration scope and permissions for SaaS application tenant files.
     • Component: The type of component (e.g., Message, Email).
     • DLP Dictionaries: Indicates if data leakage was detected by a DLP dictionary.
     • DLP Engine: Indicates if data leakage was detected by a Data Loss Prevention (DLP) engine.
     • DLP Identifier: Used to search for records using this DLP identifier. Whenever a DLP rule is hit, and the appropriate alert is configured, an email containing this ID is sent to your auditors. Use it as a filter to locate the exact record.
     • Data Center: The name of the data center.
     • Department: The department to which the user belongs. As with the User field, if authentication is not required and the traffic comes from a location specified in the service, this field displays the name of the gateway location. You can sort and search through this column.
     • Document Type: The type of document uploaded or downloaded during the transaction.
     • Download Time: The download time of the suspicious file detected by SaaS Security API.

     • Non-Provisioned Owner: The file owners (inside or outside your organization) that are not provisioned to the Internet & SaaS services.

       When a non-provisioned file owner within your organization is later provisioned to the Internet & SaaS services, the service begins to log the file owner under the User column.

     • External Recipients: The email recipients outside your organization.
     • File ID: The ID of a file. For example, if a file was scanned multiple times, an admin can use the file ID to view the scan trail.
     • File MD5: The MD5 hash for the file.
     • File Size: The size of the file.
     • File Type: The type of file that was either uploaded or downloaded.
     • Internal Recipients: The recipients within your organization.
     • Logged Time: The incident logged time, which is when we perform a scan and evaluate policies and log results. You can sort by ascending or descending order.
     • Message ID: The email message identifier. Every email message has a unique ID. An Exchange or Gmail administrator can log in to their admin portals and search and pull a specific message with this ID if needed.
     • Number of External Recipients: The number of recipients outside your organization.
     • Number of Internal Recipients: The number of recipients within your organization.
     • Policy Type: The type of policy that took action during the record.
     • Rule Name: The name of the rule that triggered the session or aggregated sessions.
     • Run ID: A run is when a scan is stopped and started. Every run is identified and tracked with a run ID.
     • SHA: The secure hash algorithm (SHA).
     • Scan ID: Every scan that is defined in the Historic Scan Configuration has a unique identifier associated with it.
     • Scan Time: The amount of time, in milliseconds, the SaaS Security API policy took to scan content within the tenant.
     • Sender Name: The name of the message sender.
     • Severity: The severity level of the incidents detected by the SaaS Security API DLP policy.
     • Shared Channel Domain: The shared channel domain in Slack, Webex Teams, or Microsoft Teams.
     • Tenant: The sanctioned SaaS application that is integrated with the Zscaler service.
     • Threat Name: If the service detected a threat in the record, it displays the name of the threat. Click to read more information about the threat in the Zscaler Threat Library.
     • Threat Super Category: If the service detected a threat in the record, it displays the Virus and Spyware super category, if applicable.
     • User: The email address of the user who performed the record. If an internet gateway location is specified and authentication is not required, this field displays the name of the gateway location. You can sort and search through this column.

     Close
   • CRM Columns

     • Action: The SaaS Security API DLP policy rule action.

       No SaaS Security API DLP / Malware policy rule action is performed if a SaaS application detects the malware. If SaaS application detects the malware, the Zscaler service does not run its anti-virus.

     • Advanced Threat Category: If the service detected a threat in the record, it displays the virus or spyware type, if applicable.
     • Application: The type of sanctioned SaaS application (e.g., Salesforce and Dynamic 365).
     • Application Category: The type of application category.
     • Collaboration Scope: The collaboration scope and permissions for SaaS application tenant files.
     • DLP Dictionaries: Indicates if data leakage was detected by a DLP dictionary.
     • DLP Engine: Indicates if data leakage was detected by a Data Loss Prevention (DLP) engine.
     • DLP Identifier: Used to search for records using this DLP identifier. Whenever a DLP rule is hit, and the appropriate alert is configured, an email containing this ID is sent to your auditors. Use it as a filter to locate the exact record.
     • Data Center: The name of the data center.
     • Department: The department to which the user belongs. As with the User field, if authentication is not required and the traffic comes from a location specified in the service, this field displays the name of the gateway location. You can sort and search through this column.
     • Document Type: The type of document uploaded or downloaded during the transaction.
     • Download Time: The download time of the suspicious file detected by SaaS Security API.
     • External Collaborators: The collaborators outside your organization.

     • Non-Provisioned Owner: The file owners (inside or outside your organization) that are not provisioned to the Internet & SaaS services.

       When a non-provisioned file owner within your organization is later provisioned to the Internet & SaaS services, the service begins to log the file owner under the User column.

     • File MD5: The MD5 hash for the file.
     • File Message ID
     • File Message Modification Time
     • File Name: The name of the suspicious file detected by SaaS Security API policy.
     • File Size: The size of the file.
     • File Source Location: The source location of the files containing sensitive data that were detected by the SaaS Security API DLP or Malware Detection policy.
     • File Type: The type of file that was either uploaded or downloaded.
     • Internal Collaborators: The internal collaborators within your organization.
     • Logged Time: The incident logged time, which is when we perform a scan and evaluate policies and log results. You can sort by ascending or descending order.
     • Number of External Collaborators: The number of collaborators outside your organization.
     • Number of Internal Collaborators: The number of collaborators within your organization.
     • Object Name: The name of an object (e.g., you might have the object type Opportunity with an object name of "Pepsi".).
     • Object Type: The type of object (e.g., budget request, campaign, opportunity).
     • Policy Type: The type of policy that took action during the record.
     • Public URL: The public URLs used to access a shared file.
     • Rule Name: The name of the rule that triggered the session or aggregated sessions.
     • Run ID: A run is when a scan is stopped and started. Every run is identified and tracked with a run ID.
     • SHA: The secure hash algorithm (SHA).
     • Scan ID: Every scan that is defined in the Historic Scan Configuration has a unique identifier associated with it.
     • Scan Time: The amount of time, in milliseconds, the SaaS Security API policy took to scan content within the tenant.
     • Severity: The severity level of the incidents detected by the SaaS Security API DLP policy.
     • Shared Channel Domain: The shared channel domain in Salesforce or Dynamic 365.
     • Tenant: The sanctioned SaaS application that is integrated with the Zscaler service.
     • Threat Name: If the service detected a threat in the record, it displays the name of the threat. Click to read more information about the threat in the Zscaler Threat Library.
     • Threat Super Category: If the service detected a threat in the record, it displays the Virus and Spyware super category, if applicable.
     • User: The email address of the user who performed the record. If an internet gateway location is specified and authentication is not required, this field displays the name of the gateway location. You can sort and search through this column.

     Close
   • Email Columns

     • Action: The SaaS Security API DLP policy rule action.

       No SaaS Security API DLP / Malware policy rule action is performed if a SaaS application detects the malware. If SaaS application detects the malware, the Zscaler service does not run its anti-virus.

     • Advanced Threat Category: If the service detected a threat in the record, it displays the virus or spyware type, if applicable.
     • Application: The type of sanctioned SaaS application (e.g., Exchange, Gmail, etc.).
     • Application Category: The type of application category.
     • Attachments: The attachments within the email message.
     • DLP Dictionaries: Indicates if data leakage was detected by a DLP dictionary.
     • DLP Engine: Indicates if data leakage was detected by a Data Loss Prevention (DLP) engine.
     • DLP Identifier: Used to search for records using this DLP identifier. Whenever a DLP rule is hit, and the appropriate alert is configured, an email containing this ID is sent to your auditors. Use it as a filter to locate the exact record.
     • Data Center: The name of the data center.
     • Department: The department to which the user belongs. As with the User field, if authentication is not required and the traffic comes from a location specified in the service, this field displays the name of the gateway location. You can sort and search through this column.
     • Document Type: The type of document uploaded or downloaded during the transaction.
     • Download Time: The download time of the suspicious file detected by SaaS Security API.
     • Email Direction: The direction of the email (Inbound or Outbound).

     • Non-Provisioned Owner: The file owners (inside or outside your organization) that are not provisioned to the Internet & SaaS services.

       When a non-provisioned file owner within your organization is later provisioned to the Internet & SaaS services, the service begins to log the file owner under the User column.

     • External Recipients: The email recipients outside your organization.
     • Internal Recipients: The email recipients within your organization.
     • Logged Time: The incident logged time, which is when we perform a scan and evaluate policies and log results. You can sort by ascending or descending order.
     • Mail Sent Time: The time the email was sent.
     • Message ID: The email message identifier. Every email message has a unique ID. An Exchange or Gmail administrator can log in to their admin portals and search and pull a specific message with this ID if needed.
     • Message Size: The size of the email message.
     • Number of External Recipients: The number of recipients outside your organization.
     • Number of Internal Recipients: The number of recipients within your organization.
     • Owner Name: The owner of the mailbox where the questionable email is located. It can be a sender (DLP) or a recipient (Malware).
     • Policy Type: The type of policy that took action during the record.
     • Rule Name: The name of the rule that triggered the session or aggregated sessions.
     • Run ID: A run is when a scan is stopped and started. Every run is identified and tracked with a run ID.
     • Scan ID: Every scan that is defined in the Historic Scan Configuration has a unique identifier associated with it.
     • Scan Time: The amount of time, in milliseconds, the SaaS Security API policy took to scan content within the tenant.
     • Sender Name: The name of the email sender.
     • Severity: The severity level of the incidents detected by the SaaS Security API DLP policy.
     • Shared Channel Domain: The shared channel domain.
     • Tenant: The sanctioned SaaS application that is integrated with the Zscaler service.
     • Thread Name: The name of the email thread.
     • Threat Name: If the service detected a threat in the record, it displays the name of the threat. Click to read more information about the threat in the Zscaler Threat Library.
     • Threat Super Category: If the service detected a threat in the record, it displays the Virus and Spyware super category, if applicable.

     Close
   • File Columns

     • Action: The SaaS Security API DLP policy rule action.

       No SaaS Security API DLP / Malware policy rule action is performed if a SaaS application detects the malware. If SaaS application detects the malware, the Zscaler service does not run its anti-virus.

     • Advanced Threat Category: If the service detected a threat in the record, it displays the virus or spyware type, if applicable.
     • Application: The type of sanctioned SaaS application (e.g., Box, Microsoft OneDrive, SharePoint, etc.).
     • Application Category: The type of application category.
     • Collaboration Scope: The collaboration scope and permissions for SaaS application tenant files.
     • DLP Dictionaries: Indicates if data leakage was detected by a DLP dictionary.
     • DLP Engine: Indicates if data leakage was detected by a Data Loss Prevention (DLP) engine.
     • DLP Identifier: Used to search for records using this DLP identifier. Whenever a DLP rule is hit, and the appropriate alert is configured, an email containing this ID is sent to your auditors. Use it as a filter to locate the exact record.
     • Data Center: The name of the data center.
     • Department: The department to which the user belongs. As with the User field, if authentication is not required and the traffic comes from a location specified in the service, this field displays the name of the gateway location. You can sort and search through this column.
     • Document Type: The type of document uploaded or downloaded during the transaction.
     • Download Time: The download time of the suspicious file detected by SaaS Security API.
     • External Collaborators: The collaborators outside your organization.

     • Non-Provisioned Owner: The file owners (inside or outside your organization) that are not provisioned to the Internet & SaaS services.

       When a non-provisioned file owner within your organization is later provisioned to the Internet & SaaS services, the service begins to log the file owner under the User column.

     • File ID: The ID of a file. For example, if a file was scanned multiple times, an admin can use the file ID to view the scan trail.
     • File MD5: The MD5 hash for the file.
     • File Modification Time: The date and time when a SaaS Security API DLP policy modified the collaboration scope for SaaS application tenant files.
     • File Name: The name of the suspicious file detected by SaaS Security API policy.
     • File Size: The size of the file.
     • File Source Location: The source location of the files containing sensitive data that were detected by the SaaS Security API DLP or Malware Detection policy.
     • File Type: The type of file that was either uploaded or downloaded.
     • Internal Collaborators: The internal collaborators within your organization.
     • Logged Time: The incident logged time, which is when we perform a scan and evaluate policies and log results. You can sort by ascending or descending order.
     • Number of External Collaborators: The number of collaborators outside your organization.
     • Number of Internal Collaborators: The number of collaborators within your organization.
     • Policy Type: The type of policy that took action during the record.
     • Public URL: The public URLs used to access a shared file.
     • Rule Name: The name of the rule that triggered the session or aggregated sessions.
     • Run ID: A run is when a scan is stopped and started. Every run is identified and tracked with a run ID.
     • SHA: The secure hash algorithm (SHA).
     • Scan ID: Every scan that is defined in the Historic Scan Configuration has a unique identifier associated with it.
     • Scan Time: The amount of time, in milliseconds, the SaaS Security API policy took to scan content within the tenant.
     • Severity: The severity level of the incidents detected by the SaaS Security API DLP policy.
     • Shared Channel Domain: The shared channel domain.
     • Tenant: The sanctioned SaaS application that is integrated with the Zscaler service.
     • Threat Name: If the service detected a threat in the record, it displays the name of the threat. Click to read more information about the threat in the Zscaler Threat Library.
     • Threat Super Category: If the service detected a threat in the record, it displays the Virus and Spyware super category, if applicable.
     • User: The email address of the user who performed the record. If an internet gateway location is specified and authentication is not required, this field displays the name of the gateway location. You can sort and search through this column.

     Close
   • Gen AI Columns

     • Action: The SaaS Security API DLP policy rule action.

       No SaaS Security API DLP / Malware policy rule action is performed if a SaaS application detects the malware. If SaaS application detects the malware, the Zscaler service does not run its anti-virus.

     • Advanced Threat Category: If the service detected a threat in the record, it displays the virus or spyware type, if applicable.
     • Application: The type of sanctioned SaaS application (e.g., ChatGPT).
     • Application Category: The type of application category.
     • Bot Name: The name of the bot that has responded to the DLP.
     • Component: The type of component (e.g., Message, Email).
     • DLP Dictionaries: Indicates if data leakage was detected by a DLP dictionary.
     • DLP Engine: Indicates if data leakage was detected by a Data Loss Prevention (DLP) engine.
     • DLP Identifier: Used to search for records using this DLP identifier. Whenever a DLP rule is hit, and the appropriate alert is configured, an email containing this ID is sent to your auditors. Use it as a filter to locate the exact record.
     • Data Center: The name of the data center.
     • Department: The department to which the user belongs. As with the User field, if authentication is not required and the traffic comes from a location specified in the service, this field displays the name of the gateway location. You can sort and search through this column.
     • Document Type: The type of document uploaded or downloaded during the transaction.
     • Download Time: The download time of the suspicious file detected by SaaS Security API.

     • Non-Provisioned Owner: The file owners (inside or outside your organization) that are not provisioned to the Internet & SaaS services.

       When a non-provisioned file owner within your organization is later provisioned to the Internet & SaaS services, the service begins to log the file owner under the User column.

     • File ID: The ID of a file. For example, if a file was scanned multiple times, an admin can use the file ID to view the scan trail.
     • File MD5: The MD5 hash for the file.
     • File Size: The size of the file.
     • File Type: The type of file that was either uploaded or downloaded.
     • Logged Time: The incident logged time, which is when we perform a scan and evaluate policies and log results. You can sort by ascending or descending order.
     • Message ID: The email message identifier. Every email message has a unique ID. An Exchange or Gmail administrator can log in to their admin portals and search and pull a specific message with this ID if needed.
     • Policy Type: The type of policy that took action during the record.
     • Rule Name: The name of the rule that triggered the session or aggregated sessions.
     • Run ID: A run is when a scan is stopped and started. Every run is identified and tracked with a run ID.
     • SHA: The secure hash algorithm (SHA).
     • Scan ID: Every scan that is defined in the Historic Scan Configuration has a unique identifier associated with it.
     • Scan Time: The amount of time, in milliseconds, the SaaS Security API policy took to scan content within the tenant.
     • Sender Name: The name of the message sender.
     • Sender Type: The type of sender, i.e., bot, system, or user.
     • Severity: The severity level of the incidents detected by the SaaS Security API DLP policy.
     • Tenant: The sanctioned SaaS application that is integrated with the Zscaler service.
     • Threat Name: If the service detected a threat in the record, it displays the name of the threat. Click to read more information about the threat in the Zscaler Threat Library.
     • Threat Super Category: If the service detected a threat in the record, it displays the Virus and Spyware super category, if applicable.
     • User: The email address of the user who performed the record. If an internet gateway location is specified and authentication is not required, this field displays the name of the gateway location. You can sort and search through this column.

     Close
   • ITSM Columns

     • Action: The SaaS Security API DLP policy rule action.

       No SaaS Security API DLP / Malware policy rule action is performed if a SaaS application detects the malware. If SaaS application detects the malware, the Zscaler service does not run its anti-virus.

     • Advanced Threat Category: If the service detected a threat in the record, it displays the virus or spyware type, if applicable.
     • Application: The type of sanctioned SaaS application (e.g., ServiceNow).
     • Application Category: The type of application category.
     • Collaboration Scope: The collaboration scope and permissions for SaaS application tenant files.
     • Component: The type of component (e.g., Message, Email).
     • DLP Dictionaries: Indicates if data leakage was detected by a DLP dictionary.
     • DLP Engine: Indicates if data leakage was detected by a Data Loss Prevention (DLP) engine.
     • DLP Identifier: Used to search for records using this DLP identifier. Whenever a DLP rule is hit, and the appropriate alert is configured, an email containing this ID is sent to your auditors. Use it as a filter to locate the exact record.
     • Data Center: The name of the data center.
     • Department: The department to which the user belongs. As with the User field, if authentication is not required and the traffic comes from a location specified in the service, this field displays the name of the gateway location. You can sort and search through this column.
     • Document Type: The type of document uploaded or downloaded during the transaction.
     • Download Time: The download time of the suspicious file detected by SaaS Security API.
     • External Collaborators: The collaborators outside your organization.

     • Non-Provisioned Owner: The file owners (inside or outside your organization) that are not provisioned to the Internet & SaaS services.

       When a non-provisioned file owner within your organization is later provisioned to the Internet & SaaS services, the service begins to log the file owner under the User column.

     • File MD5: The MD5 hash for the file.
     • File Message: The message of the file.
     • File Message Modification Time: The date and time when a file message was modified.
     • File Name: The name of the suspicious file detected by SaaS Security API policy.
     • File Source Location: The source location of the files containing sensitive data that were detected by the SaaS Security API DLP or Malware Detection policy.
     • Internal Collaborators: The internal collaborators within your organization.
     • Logged Time: The incident logged time, which is when we perform a scan and evaluate policies and log results. You can sort by ascending or descending order.
     • Number of External Collaborators: The number of collaborators outside your organization.
     • Number of Internal Collaborators: The number of collaborators within your organization.
     • Object Name: The name of an object (e.g., you might have the object type Opportunity with an object name of "Pepsi".)
     • Object Type: The type of object (e.g., budget request, campaign, opportunity).
     • Policy Type: The type of policy that took action during the record.
     • Rule Name: The name of the rule that triggered the session or aggregated sessions.
     • Run ID: A run is when a scan is stopped and started. Every run is identified and tracked with a run ID.
     • SHA: The secure hash algorithm (SHA).
     • Scan ID: Every scan that is defined in the Historic Scan Configuration has a unique identifier associated with it.
     • Scan Time: The amount of time, in milliseconds, the SaaS Security API policy took to scan content within the tenant.
     • Severity: The severity level of the incidents detected by the SaaS Security API DLP policy.
     • Shared Channel Domain: The shared channel domain.
     • Tenant: The sanctioned SaaS application that is integrated with the Zscaler service.
     • Threat Name: If the service detected a threat in the record, it displays the name of the threat. Click to read more information about the threat in the Zscaler Threat Library.
     • Threat Super Category: If the service detected a threat in the record, it displays the Virus and Spyware super category, if applicable.
     • User: The email address of the user who performed the record. If an internet gateway location is specified and authentication is not required, this field displays the name of the gateway location. You can sort and search through this column.

     Close
   • Public Cloud Storage Columns

     To enable Amazon S3, Google Cloud Platform, and Microsoft Azure for your organization, contact your Zscaler Account team.

     • Action: The SaaS Security API DLP policy rule action.

       No SaaS Security API DLP / Malware policy rule action is performed if a SaaS application detects the malware. If SaaS application detects the malware, the Zscaler service does not run its anti-virus.

     • Advanced Threat Category: If the service detected a threat in the record, it displays the virus or spyware type, if applicable.
     • Application: The type of sanctioned SaaS application (e.g., Amazon S3).
     • Application Category: The type of application category.
     • Bucket Name: The name of the bucket.
     • Collaboration Scope: The collaboration scope and permissions for SaaS application tenant files.
     • Collaborators: The collaborators of the files.
     • Data Center: The name of the data center.
     • Department: The department to which the user belongs. As with the User field, if authentication is not required and the traffic comes from a location specified in the service, this field displays the name of the gateway location. You can sort and search through this column.
     • DLP Dictionaries: Indicates if data leakage was detected by a DLP dictionary.
     • DLP Engine: Indicates if data leakage was detected by a Data Loss Prevention (DLP) engine.
     • DLP Identifier: Used to search for the records using this DLP identifier. Whenever a DLP rule is hit, and the appropriate alert is configured, an email containing this ID is sent to your auditors. Use it as a filter to locate the exact record.
     • Document Type: The type of document uploaded or downloaded during the transaction.
     • Download Time: The download time of the suspicious file detected by SaaS Security API.

     • Non-Provisioned Owner: The file owners (inside or outside your organization) that are not provisioned to the Internet & SaaS services.

       When a non-provisioned file owner within your organization is later provisioned to the Internet & SaaS services, the service begins to log the file owner under the User column.

     • File ID: The ID of a file. For example, if a file was scanned multiple times, an admin can use the file ID to view the scan trail.
     • File MD5: The MD5 hash for the file.
     • File Modification Time: The date and time for when a SaaS Security API DLP policy modified the collaboration scope for SaaS application tenant files.
     • File Name: The name of the suspicious file detected by SaaS Security API policy.
     • File Size: The size of the file.
     • File Source Location: The source location of the files containing sensitive data that were detected by the SaaS Security API DLP or Malware Detection policy.
     • File Type: The type of file that was either uploaded or downloaded.
     • Logged Time: The incident logged time, which is when we perform a scan and evaluate policies and log results. You can sort by ascending or descending order.
     • Number of Collaborators: The number of collaborators for the file.
     • Object Type: The type of object.
     • Policy Type: The type of the policy that took action during the record.
     • Public URL: The public URLs used to access a shared file.
     • Rule Name: The name of the rule that triggered on the session or aggregated sessions.
     • Run ID: A run is when a scan is stopped and started. Every run is identified and tracked with a run ID.
     • Scan ID: Every scan that is defined in the Historic Scan Configuration has a unique identifier associated with it.
     • Scan Time: The amount of time, in milliseconds, the SaaS Security API policy took to scan content within the tenant.
     • Severity: The severity level of the incidents detected by the SaaS Security API DLP policy.
     • SHA: The secure hash algorithm (SHA).
     • Tenant: The sanctioned SaaS application that is integrated with the Zscaler service.
     • Threat Name: If the service detected a threat in the record, it displays the name of the threat. Click to read more information about the threat in the Zscaler Threat Library.
     • Threat Super Category: If the service detected a threat in the record, it displays the Virus and Spyware super category, if applicable.
     • User: The email address of the user who performed the record. If an internet gateway location was specified and authentication is not required, this field displays the name of the gateway location. You can sort and search through this column.

     Close
   • Repository Columns

     • Action: The SaaS Security API DLP policy rule action.

       No SaaS Security API DLP / Malware policy rule action is performed if a SaaS application detects the malware. If SaaS application detects the malware, the Zscaler service does not run its anti-virus.

     • Advanced Threat Category: If the service detected a threat in the record, it displays the virus or spyware type, if applicable.
     • Application: The type of sanctioned SaaS application (e.g., GitHub and GitLab).
     • Application Category: The type of application category.
     • Collaboration Scope: The collaboration scope and permissions for SaaS application tenant files.
     • DLP Dictionaries: Indicates if data leakage was detected by a DLP dictionary.
     • DLP Engine: Indicates if data leakage was detected by a Data Loss Prevention (DLP) engine.
     • DLP Identifier: Used to search for records using this DLP identifier. Whenever a DLP rule is hit, and the appropriate alert is configured, an email containing this ID is sent to your auditors. Use it as a filter to locate the exact record.
     • Data Center: The name of the data center.
     • Department: The department to which the user belongs. As with the User field, if authentication is not required and the traffic comes from a location specified in the service, this field displays the name of the gateway location. You can sort and search through this column.
     • Document Type: The type of document uploaded or downloaded during the transaction.
     • Download Time: The download time of the suspicious file detected by SaaS Security API.
     • External Collaborators: The collaborators outside your organization.

     • Non-Provisioned Owner: The file owners (inside or outside your organization) that are not provisioned to the Internet & SaaS services.

       When a non-provisioned file owner within your organization is later provisioned to the Internet & SaaS services, the service begins to log the file owner under the User column.

     • File ID: The ID of a file. For example, if a file was scanned multiple times, an admin can use the file ID to view the scan trail.
     • File MD5: The MD5 hash for the file.
     • File Name: The name of the suspicious file detected by SaaS Security API policy.
     • File Size: The size of the file.
     • File Source Location: The source location of the files containing sensitive data that were detected by the SaaS Security API DLP or Malware Detection policy.
     • Last Modified Time: The last time (date and time) the file was modified. You can sort by ascending or descending order.
     • Logged Time: The incident logged time, which is when we perform a scan and evaluate policies and log results. You can sort by ascending or descending order.
     • Number of External Collaborators: The number of collaborators outside your organization.
     • Policy Type: The type of policy that took action during the record.
     • Project Name: The name of the project.
     • Repository Name: The name of the repository.
     • Rule Name: The name of the rule that triggered the session or aggregated sessions.
     • Run ID: A run is when a scan is stopped and started. Every run is identified and tracked with a run ID.
     • SHA: The secure hash algorithm (SHA).
     • Scan ID: Every scan that is defined in the Historic Scan Configuration has a unique identifier associated with it.
     • Scan Time: The amount of time, in milliseconds, the SaaS Security API policy took to scan content within the tenant.
     • Severity: The severity level of the incidents detected by the SaaS Security API DLP policy.
     • Shared Channel Name
     • Threat Name: If the service detected a threat in the record, it displays the name of the threat. Click to read more information about the threat in the Zscaler Threat Library.
     • Threat Super Category: If the service detected a threat in the record, it displays the Virus and Spyware super category, if applicable.
     • User: The email address of the user who performed the record. If an internet gateway location is specified and authentication is not required, this field displays the name of the gateway location. You can sort and search through this column.

     Close
6. Filter the data by application category. You can filter by Collaboration, CRM, Email, File, Gen AI, ITSM, or Repository. Depending on the application category you select, certain filters change accordingly.

7. Define filters to narrow down the list or to find records, such as those associated with a specific URL. Certain filters, like Users, Departments, Locations, and others, support the selection of multiple values. For these, you can select up to 200 values in a single filter. You can also choose to include or exclude the selected values. Also, certain filters support additional operators (i.e., Does Not Contain, Does Not Start With, Does Not End With, Is Null, Is Not Null) for filters that perform string match, like Threat Super Category and others.

   Each application category has its own set of log filters.

   • Collaboration Log Filters
     • Action: Use this filter to view records based on the SaaS Security API DLP policy rule action. The default option for this filter is None. You can search for specific actions. The following actions appear under this filter:
       • Failed to make external sharing read only
       • Failed to make internal sharing read only
       • Failed to make sharing read only
       • Failed to notify end user
       • Failed to quarantine Malware
       • Failed to remove Collaborators
       • Failed to remove Discoverable
       • Failed to remove external sharing
       • Failed to remove Internal Link Share
       • Failed to remove internal sharing
       • Failed to remove Malware
       • Failed to remove Public Link Share
       • Failed to revoke Sharing/Make Private
       • Make internal sharing read only
       • Notify end user
       • Quarantine Malware
       • Read Only for All Collaborators
       • Read Only for External Collaborators
       • Remove Collaborators
       • Remove Discoverable
       • Remove External Collaborators and Shareable Link
       • Remove Internal Link Share
       • Remove Malware
       • Remove Public Link Share
       • Remove Sharing
       • Report Incident Only
       • Report Malware
       • No action
     • Advanced Threat Category: Use this filter to view records associated with a specific advanced threat category. These threats are detected by Malware Protection. The default option for this filter is Any. You can search for specific categories. You can also use the toggle to turn on Threat Name Search to enter all or part of the threat name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null. The following categories appear under this filter:
       • Advanced Browser Exploit
       • Adware
       • Adware/Spyware Sites
       • Archive Bomb
       • Backdoor
       • Benign
       • Boot Virus
       • Botnet Callback
       • Browser Exploit
       • Cross-site Scripting
       • Cryptomining
       • Denial of Service Attack
       • Dialer
       • Domain Generation Algorithm (DGA) Domains
       • Downloader
       • Macro Virus
       • Malicious Content
       • MalwareTool
       • Misdisinfection
       • Other Malware
       • Other Spyware
       • Other Threat
       • Other Virus
       • Password Stealer
       • Peer-to-Peer
       • Privacy Risk
       • Proxy
       • Ransomware
       • Sandbox Adware
       • Sandbox Anonymizer
       • Sandbox Malware
       • Sent for Analysis
       • Spyware Callback
       • Suspicious Content
       • Suspicious Destination
       • Trojan
       • Unauthorized Communication
       • Unrecognized Virus
       • Unwanted Application
       • Web Spam
       • Worm
     • Application: Use this filter to view records associated with a specific SaaS application. The following SaaS applications appear under this filter:
       • Microsoft Teams
       • Slack
       • Webex Teams
     • Channel Name: The name of the Slack, Webex Teams, or Microsoft Teams channel. Enter all or part of the channel name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Collaboration Scope: Use this filter to view records based on the collaboration scope and permissions for SaaS application tenant files. The following collaborations appear under this filter:
       • External Collaborators - Edit
       • External Collaborators - View
       • External Link - Edit
       • External Link - View
       • Internal Collaborators - Edit
       • Internal Collaborators - View
       • Internal Link - Edit
       • Internal Link - View
       • Private - Edit
     • Component: Use this filter to view records associated with the type of component. The following components appear under this filter:
       • Message
       • Email
     • Data Center: Use this filter to limit the data to traffic associated with a specific data center.
     • Department: Use this filter to view records associated with a specific department. The default option for this filter is Any. You can search for specific departments. You can choose to include or exclude certain departments.
     • DLP Dictionary: Use this filter to see which records contain this dictionary as a trigger. If a dictionary was triggered, the name of the dictionary is displayed along with a match count indicating the search score or match count for this dictionary. The default option for this filter is None. You can search for specific DLP dictionaries.
     • DLP Engine: Use this filter to view records in which data leakage was detected. The default option for this filter is Any. You can search for specific DLP engines.
     • Document Type: Use this filter to limit the data to traffic associated with a specific upload or download document type. The following types appear under this filter:
       • Corporate Finance
       • Corporate Legal
       • Court Form
       • DMV
       • Immigration
       • Insurance
       • Invoice
       • Legal
       • Medical Information
       • None
       • Real Estate
       • Resume
       • Tax
       • Technical
       • Unknown
     • Download Time: Use this filter to view records associated with the download time. The default option for this filter is All. The following download time ranges appear under this filter:
       • All Sizes
       • 0 - 10SEC
       • 10SEC - 30SEC
       • 30SEC - 1MIN
       • 1MIN - 5MIN
       • 5MIN - 10MIN
       • 10MIN - 30MIN
       • 30MIN - 1HOUR
       • Above 1 HOUR
       • Custom
     • Event: Use this filter to view records associated with the type of event. The default option for this filter is All. The following events appear under this filter:
       • Incidents: Violations against either a DLP or Malware policy. This is caused when a file is scanned for the first time or when a change in the file violates the policy.
       • Scans: Inspections of a file.
     • Non-Provisioned Owner: Use this filter to view records associated with file owners (inside or outside your organization) that are not provisioned to the Internet & SaaS services. The default option for this filter is None. You can search for specific non-provisioned owners.
     • External Recipients: Use this filter to view records associated with specific recipients outside your organization. The default option for this filter is None. You can search for specific external recipients.
     • File ID: Use this filter to view records associated with a file ID. For example, if a file was scanned multiple times, an admin can use the file ID to view the scan trail.
     • File MD5: Use this filter to view records associated with the MD5 hash of a file.
     • File Size: Use this filter to view records associated with a file's size. You can put in a file size range.
     • Internal Recipients: Use this filter to view records associated with specific recipients within your organization. The default option for this filter is None. You can search for specific internal recipients.
     • Message ID: Use this filter to view records associated with the email message identifier. Every email message has a unique ID. An Exchange or Gmail administrator can log in to their admin portals and search and pull a specific message with this ID if needed.
     • Number of External Recipients: Use this filter to view records associated with the number of recipients outside your organization. You can put in your own range.
     • Number of Internal Recipients: Use this filter to view records associated with the number of recipients within your organization. You can put in your own range.
     • Policy Type and Rule Name: Use this filter to view records associated with the policy and rule that took action. The following policy types appear under this filter:
       • DLP
       • Malware
     • Run ID: Use this filter to view records associated with a run ID. A run is when a scan is stopped and started. Every run is identified and tracked with a run ID.
     • Scan ID: Use this filter to view records associated with a scan ID. Every scan that is defined in the Historic Scan Configuration has a unique identifier associated with it.
     • Scan Time: Use this filter to view records associated with the time of a scan. The default option for this filter is All. The following scan time ranges appear under this filter:
       • 0 - 10SEC
       • 10SEC - 30SEC
       • 30SEC - 1MIN
       • 1MIN - 5MIN
       • 5MIN - 10MIN
       • 10MIN - 30MIN
       • 30MIN - 1HOUR
       • Above 1 HOUR
       • Custom
     • Sender Name: Use this filter to view records associated with the sender's name. You can search for a specific sender.
     • SHA: Use this filter to view records associated with a specific secure hash algorithm (SHA). Enter all or part of the SHA in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Shared Channel Domain: Use this filter to view records associated with a specific shared channel domain in Slack, Webex Teams, or Microsoft Teams. Enter all or part of the shared channel domain in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Show Delayed Logs: Use this filter to view records based on delayed logs.
     • Tenant: Use this filter to view records associated with a specific tenant. The default option for this filter is All. You can search for specific tenants.
     • Threat Super Category: Use this filter to view records associated with a specific threat super category. The default option for this filter is None. You can search for specific categories. You can also use the toggle to turn on Threat Name Search to enter all or part of the threat name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null. The following categories appear under this filter:
       • Advanced Threat
       • Malware
       • Sandbox
       • Spyware
       • Virus

     Close
   • CRM Log Filters
     • Action: Use this filter to view records based on the SaaS Security API DLP policy rule action. The default option for this filter is None. You can search for specific actions. The following actions appear under this filter:
       • Failed to make external sharing read only
       • Failed to make internal sharing read only
       • Failed to make sharing read only
       • Failed to notify end user
       • Failed to quarantine Malware
       • Failed to remove Collaborators
       • Failed to remove Discoverable
       • Failed to remove external sharing
       • Failed to remove Internal Link Share
       • Failed to remove internal sharing
       • Failed to remove Malware
       • Failed to remove Public Link Share
       • Failed to revoke Sharing/Make Private
       • Make internal sharing read only
       • Notify end user
       • Quarantine Malware
       • Read Only for All Collaborators
       • Read Only for External Collaborators
       • Remove Collaborators
       • Remove Discoverable
       • Remove External Collaborators and Shareable Link
       • Remove Internal Link Share
       • Remove Malware
       • Remove Public Link Share
       • Remove Sharing
       • Report Incident Only
       • Report Malware
       • No action
     • Advanced Threat Category: Use this filter to view records associated with a specific advanced threat category. These threats are detected by Malware Protection. The default option for this filter is Any. You can search for specific categories. You can also use the toggle to turn on Threat Name Search to enter all or part of the threat name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null. The following categories appear under this filter:
       • Advanced Browser Exploit
       • Adware
       • Adware/Spyware Sites
       • Archive Bomb
       • Backdoor
       • Benign
       • Boot Virus
       • Botnet Callback
       • Browser Exploit
       • Cross-site Scripting
       • Cryptomining
       • Denial of Service Attack
       • Dialer
       • Domain Generation Algorithm (DGA) Domains
       • Downloader
       • Macro Virus
       • Malicious Content
       • MalwareTool
       • Misdisinfection
       • Other Malware
       • Other Spyware
       • Other Threat
       • Other Virus
       • Password Stealer
       • Peer-to-Peer
       • Privacy Risk
       • Proxy
       • Ransomware
       • Sandbox Adware
       • Sandbox Anonymizer
       • Sandbox Malware
       • Sent for Analysis
       • Spyware Callback
       • Suspicious Content
       • Suspicious Destination
       • Trojan
       • Unauthorized Communication
       • Unrecognized Virus
       • Unwanted Application
       • Web Spam
       • Worm

     Close
   • Email Log Filters
     • Action: Use this filter to view records based on the SaaS Security API DLP policy rule action. The default option for this filter is None. You can search for specific actions. The following actions appear under this filter:
       • Report Incident Only
       • Report Malware
     • Advanced Threat Category: Use this filter to view records associated with a specific advanced threat category. These threats are detected by Malware Protection. The default option for this filter is Any. You can search for specific categories. You can also use the toggle to turn on Threat Name Search to enter all or part of the threat name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null. The following categories appear under this filter:
       • Advanced Browser Exploit
       • Adware
       • Adware/Spyware Sites
       • Archive Bomb
       • Backdoor
       • Benign
       • Boot Virus
       • Botnet Callback
       • Browser Exploit
       • Cross-site Scripting
       • Cryptomining
       • Denial of Service Attack
       • Dialer
       • Domain Generation Algorithm (DGA) Domains
       • Downloader
       • Macro Virus
       • Malicious Content
       • MalwareTool
       • Misdisinfection
       • Other Malware
       • Other Spyware
       • Other Threat
       • Other Virus
       • Password Stealer
       • Peer-to-Peer
       • Privacy Risk
       • Proxy
       • Ransomware
       • Sandbox Adware
       • Sandbox Anonymizer
       • Sandbox Malware
       • Sent for Analysis
       • Spyware Callback
       • Suspicious Content
       • Suspicious Destination
       • Trojan
       • Unauthorized Communication
       • Unrecognized Virus
       • Unwanted Application
       • Web Spam
       • Worm
     • Application: Use this filter to view records associated with a specific SaaS application. The following SaaS applications appear under this filter:
       • Exchange
       • Gmail
     • Attachment File Name: Use this filter to view records associated with the name of the file attachment in the questionable email. You can filter by Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Data Center: Use this filter to limit the data to traffic associated with a specific data center.
     • Department: Use this filter to view records associated with a specific department. The default option for this filter is Any. You can search for specific departments. You can choose to include or exclude certain departments.
     • DLP Dictionary: Use this filter to see which records contain this dictionary as a trigger. If a dictionary was triggered, the name of the dictionary is displayed along with a match count indicating the search score or match count for this dictionary. The default option for this filter is None. You can search for specific DLP dictionaries.
     • DLP Engine: Use this filter to view records in which data leakage was detected. The default option for this filter is Any. You can search for specific DLP engines.
     • Document Type: Use this filter to limit the data to traffic associated with a specific upload or download document type. The following types appear under this filter:
       • Corporate Finance
       • Corporate Legal
       • Court Form
       • DMV
       • Immigration
       • Insurance
       • Invoice
       • Legal
       • Medical Information
       • None
       • Real Estate
       • Resume
       • Tax
       • Technical
       • Unknown
     • Download Time: Use this filter to view records associated with the download time. The default option for this filter is All. The following download time ranges appear under this filter:
       • All Sizes
       • 0 - 10SEC
       • 10SEC - 30SEC
       • 30SEC - 1MIN
       • 1MIN - 5MIN
       • 5MIN - 10MIN
       • 10MIN - 30MIN
       • 30MIN - 1HOUR
       • Above 1 HOUR
       • Custom
     • Email Direction: Use this filter to view records associated with the email direction. The default option for this filter is None. The following directions appear under this filter:
       • Inbound
       • Outbound
     • Event: Use this filter to view records associated with the type of event. The default option for this filter is All. The following events appear under this filter:
       • Incidents: Violations against either a DLP or Malware policy. This is caused when a file is scanned for the first time or when a change in the file violates the policy.
       • Scans: Inspections of a file.
     • Non-Provisioned Owner: Use this filter to view records associated with file owners (inside or outside your organization) that are not provisioned to the Internet & SaaS services. The default option for this filter is None. You can search for specific non-provisioned owners.
     • External Recipients: Use this filter to view records associated with specific email recipients outside your organization. The default option for this filter is None. You can search for specific external recipients.
     • Internal Recipients: Use this filter to view records associated with specific email recipients within your organization. The default option for this filter is None. You can search for specific internal recipients.
     • Message ID: Use this filter to view records associated with the email message identifier. Every email message has a unique ID. An Exchange or Gmail administrator can log in to their admin portals and search and pull a specific message with this ID if needed.
     • Message Size: Use this filter to view records associated with the size of the email message. The default option for this filter is All Sizes. The following size ranges appear under this filter:
       • 0 - 1KB
       • 1KB - 100KB
       • 100KB - 1MB
       • 1MB - 5MB
       • 5MB - 10MB
       • 10MB - 50MB
       • 50MB - 100MB
       • Above 100MB
       • Custom
     • Number of External Recipients: Use this filter to view records associated with the number of recipients outside your organization. You can put in your own range.
     • Number of Internal Recipients: Use this filter to view records associated with the number of recipients within your organization. You can put in your own range.
     • Owner Name: Use this filter to view records associated with the owner of the mailbox where the questionable email is located. It can be a sender (DLP) or a recipient (Malware). The default option for this filter is Any. You can search for specific owners. You can choose to include or exclude certain owners.
     • Policy Type and Rule Name: Use this filter to view records associated with the policy and rule that took action. The following policy types appear under this filter:
       • DLP
       • Malware
     • Run ID: Use this filter to view records associated with a run ID. A run is when a scan is stopped and started. Every run is identified and tracked with a run ID.
     • Scan ID: Use this filter to view records associated with a scan ID. Every scan that is defined in the Historic Scan Configuration has a unique identifier associated with it.
     • Scan Time: Use this filter to view records associated with the time of a scan. The default option for this filter is All. The following scan time ranges appear under this filter:
       • 0 - 10SEC
       • 10SEC - 30SEC
       • 30SEC - 1MIN
       • 1MIN - 5MIN
       • 5MIN - 10MIN
       • 10MIN - 30MIN
       • 30MIN - 1HOUR
       • Above 1 HOUR
       • Custom
     • Sender Name: Use this filter to view records associated with the sender's name. You can search for a specific sender.ecords associated with the sender's name.
     • Severity: Use this filter to view records based on the severity level of the incidents detected by the SaaS Security API DLP policy. The default option for this filter is None. The following levels of severity appear under this filter:
       • High
       • Information
       • Low
       • Medium
     • Show Delayed Logs: Use this filter to view records based on delayed logs.
     • Tenant: Use this filter to view records associated with a specific tenant. The default option for this filter is All. You can search for specific tenants.
     • Thread Name: Use this filter to view records associated with a specific email thread name.
     • Threat Super Category: Use this filter to view records associated with a specific threat super category. The default option for this filter is None. You can search for specific categories. You can also use the toggle to turn on Threat Name Search to enter all or part of the threat name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null. The following categories appear under this filter:
       • Advanced Threat
       • Malware
       • Sandbox
       • Spyware
       • Virus

     Close
   • File Log Filters
     • Action: Use this filter to view records based on the SaaS Security API DLP policy rule action. The default option for this filter is None. You can search for specific actions. The following actions appear under this filter:
       • Failed to make external sharing read only
       • Failed to make internal sharing read only
       • Failed to make sharing read only
       • Failed to notify end user
       • Failed to quarantine Malware
       • Failed to remove Collaborators
       • Failed to remove Discoverable
       • Failed to remove external sharing
       • Failed to remove Internal Link Share
       • Failed to remove internal sharing
       • Failed to remove Malware
       • Failed to remove Public Link Share
       • Failed to revoke Sharing/Make Private
       • Make internal sharing read only
       • Notify end user
       • Quarantine Malware
       • Read Only for All Collaborators
       • Read Only for External Collaborators
       • Remove Collaborators
       • Remove Discoverable
       • Remove External Collaborators and Shareable Link
       • Remove Internal Link Share
       • Remove Malware
       • Remove Public Link Share
       • Remove Sharing
       • Report Incident Only
       • Report Malware
       • No action
     • Advanced Threat Category: Use this filter to view records associated with a specific advanced threat category. These threats are detected by Malware Protection. The default option for this filter is Any. You can search for specific categories. You can also use the toggle to turn on Threat Name Search to enter all or part of the threat name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null. The following categories appear under this filter:
       • Advanced Browser Exploit
       • Adware
       • Adware/Spyware Sites
       • Archive Bomb
       • Backdoor
       • Benign
       • Boot Virus
       • Botnet Callback
       • Browser Exploit
       • Cross-site Scripting
       • Cryptomining
       • Denial of Service Attack
       • Dialer
       • Domain Generation Algorithm (DGA) Domains
       • Downloader
       • Macro Virus
       • Malicious Content
       • MalwareTool
       • Misdisinfection
       • Other Malware
       • Other Spyware
       • Other Threat
       • Other Virus
       • Password Stealer
       • Peer-to-Peer
       • Privacy Risk
       • Proxy
       • Ransomware
       • Sandbox Adware
       • Sandbox Anonymizer
       • Sandbox Malware
       • Sent for Analysis
       • Spyware Callback
       • Suspicious Content
       • Suspicious Destination
       • Trojan
       • Unauthorized Communication
       • Unrecognized Virus
       • Unwanted Application
       • Web Spam
       • Worm
     • Application: Use this filter to view records associated with a specific SaaS application. The following SaaS applications appear under this filter:
       • Box
       • Confluence
       • Dropbox
       • Google Drive
       • OneDrive
       • ShareFile
       • SharePoint
       • Smartsheet
     • Collaboration Scope: Use this filter to view records based on the collaboration scope and permissions for SaaS application tenant files. The following collaborations appear under this filter:
       • External Collaborators - Edit
       • External Collaborators - View
       • External Link - Edit
       • External Link - View
       • Internal Collaborators - Edit
       • Internal Collaborators - View
       • Internal Link - Edit
       • Internal Link - View
       • Private - Edit
     • Data Center: Use this filter to limit the data to traffic associated with a specific data center.
     • Department: Use this filter to view records associated with a specific department. The default option for this filter is Any. You can search for specific departments. You can choose to include or exclude certain departments.
     • DLP Dictionary: Use this filter to see which records contain this dictionary as a trigger. If a dictionary was triggered, the name of the dictionary is displayed along with a match count indicating the search score or match count for this dictionary. The default option for this filter is None. You can search for specific DLP dictionaries.
     • DLP Engine: Use this filter to view records in which data leakage was detected. The default option for this filter is Any. You can search for specific DLP engines.
     • Document Type: Use this filter to limit the data to traffic associated with a specific upload or download document type. The following types appear under this filter:
       • Corporate Finance
       • Corporate Legal
       • Court Form
       • DMV
       • Immigration
       • Insurance
       • Invoice
       • Legal
       • Medical Information
       • None
       • Real Estate
       • Resume
       • Tax
       • Technical
       • Unknown
     • Download Time: Use this filter to view records associated with the download time. The default option for this filter is All. The following download time ranges appear under this filter:
       • All Sizes
       • 0 - 10 SEC
       • 10 SEC - 30 SEC
       • 30 SEC - 1 MIN
       • 1 MIN - 5 MIN
       • 5 MIN - 10 MIN
       • 10 MIN - 30 MIN
       • 30 MIN - 1 HOUR
       • Above 1 HOUR
       • Custom
     • Event: Use this filter to view records associated with the type of event. The default option for this filter is All. You can choose from the following events:
       • Incidents: Violations against either a DLP or Malware policy. This is caused when a file is scanned for the first time or when a change in the file violates the policy.
       • Scans: Inspections of a file.
     • External Collaborators: Use this filter to view records associated with specific collaborators outside your organization. The default option for this filter is None. You can search for specific external collaborators.
     • Non-Provisioned Owner: Use this filter to view records associated with file owners (inside or outside your organization) that are not provisioned to the Internet & SaaS services. The default option for this filter is None. You can search for specific non-provisioned owners.
     • File ID: Use this filter to view records associated with a file ID. For example, if a file was scanned multiple times, an admin can use the file ID to view the scan trail.
     • File MD5: Use this filter to view records associated with the MD5 hash of a file.
     • File Name: Use this filter to view records associated with the file name. Enter all or part of the file name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • File Size: Use this filter to view records associated with a file's size. You can put in a file size range.
     • File Source Location: Use this filter to view records associated with the file source location. You can filter by Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Internal Collaborators: Use this filter to view records associated with specific collaborators within your organization. The default option for this filter is None. You can search for specific internal collaborators.
     • Number of External Collaborators: Use this filter to view records associated with the number of collaborators outside your organization. You can put in your own range.
     • Number of Internal Collaborators: Use this filter to view records associated with the number of collaborators within your organization. You can put in your own range.
     • Policy Type and Rule Name: Use this filter to view records associated with the policy and rule that took action. The following policy types appear under this filter:
       • DLP
       • Malware
     • Public URL: Use this filter to view records associated with a public URL used to access a shared file. You can choose either URL, Path, or Host. Enter all or part of the public URL, path, or host in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Run ID: Use this filter to view records associated with a run ID. A run is when a scan is stopped and started. Every run is identified and tracked with a run ID.
     • Scan ID: Use this filter to view records associated with a scan ID. Every scan that is defined in the Historic Scan Configuration has a unique identifier associated with it.
     • Scan Time: Use this filter to view records associated with the time of a scan. The default option for this filter is All. The following scan time ranges appear under this filter:
       • 0 - 10SEC
       • 10SEC - 30SEC
       • 30SEC - 1MIN
       • 1MIN - 5MIN
       • 5MIN - 10MIN
       • 10MIN - 30MIN
       • 30MIN - 1HOUR
       • Above 1 HOUR
       • Custom
     • Severity: Use this filter to view records based on the severity level of the incidents detected by the SaaS Security API DLP policy. The default option for this filter is None. The following levels of severity appear under this filter:
       • High
       • Information
       • Low
       • Medium
     • SHA: Use this filter to view records associated with a specific secure hash algorithm (SHA). Enter all or part of the SHA in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Show Delayed Logs: Use this filter to view records based on delayed logs.
     • Tenant: Use this filter to view records associated with a specific tenant. The default option for this filter is All. You can search for specific tenants.
     • Threat Super Category: Use this filter to view records associated with a specific threat super category. The default option for this filter is None. You can search for specific categories. You can also use the toggle to turn on Threat Name Search to enter all or part of the threat name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null. The following categories appear under this filter:
       • Advanced Threat
       • Malware
       • Sandbox
       • Spyware
       • Virus
     • User: Use this filter to view records associated with the owner of the questionable file. The default option for this filter is Any. You can search for specific file owners. You can choose to include or exclude certain file owners.

     Close
   • Gen AI Log Filters
     • Action: Use this filter to view records based on the SaaS Security API DLP policy rule action. The default option for this filter is None. You can search for specific actions. Choose the action Report Incident Only under this filter.
     • Advanced Threat Category: Use this filter to view records associated with a specific advanced threat category. These threats are detected by Malware Protection. The default option for this filter is Any. You can search for specific categories. You can also use the toggle to turn on Threat Name Search to enter all or part of the threat name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null. The following categories appear under this filter:
       • Advanced Browser Exploit
       • Adware
       • Adware/Spyware Sites
       • Archive Bomb
       • Backdoor
       • Benign
       • Boot Virus
       • Botnet Callback
       • Browser Exploit
       • Cross-site Scripting
       • Cryptomining
       • Denial of Service Attack
       • Dialer
       • Domain Generation Algorithm (DGA) Domains
       • Downloader
       • Macro Virus
       • Malicious Content
       • MalwareTool
       • Misdisinfection
       • Other Malware
       • Other Spyware
       • Other Threat
       • Other Virus
       • Password Stealer
       • Peer-to-Peer
       • Privacy Risk
       • Proxy
       • Ransomware
       • Sandbox Adware
       • Sandbox Anonymizer
       • Sandbox Malware
       • Sent for Analysis
       • Spyware Callback
       • Suspicious Content
       • Suspicious Destination
       • Trojan
       • Unauthorized Communication
       • Unrecognized Virus
       • Unwanted Application
       • Web Spam
       • Worm
     • Application: Use this filter to view records associated with a specific generative AI application. The following applications appear under this filter:
       • ChatGPT
     • Bot Name: Use this filter to view records associated with a specific bot name. Enter all or part of the bot name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Component: Use this filter to view records associated with the type of component. The default option for this filter is None. The following components appear under this filter:
       • File
       • Message
     • Data Center: Use this filter to limit the data to traffic associated with a specific data center.
     • Department: Use this filter to view records associated with a specific department. The default option for this filter is Any. You can search for specific departments. You can choose to include or exclude certain departments.
     • DLP Dictionary: Use this filter to see which records contain this dictionary as a trigger. If a dictionary was triggered, the name of the dictionary is displayed along with a match count indicating the search score or match count for this dictionary. The default option for this filter is None. You can search for specific DLP dictionaries.
     • DLP Engine: Use this filter to view records in which data leakage was detected. The default option for this filter is Any. You can search for specific DLP engines.
     • Document Type: Use this filter to limit the data to traffic associated with a specific upload or download document type. The following types appear under this filter:
       • Corporate Finance
       • Corporate Legal
       • Court Form
       • DMV
       • Immigration
       • Insurance
       • Invoice
       • Legal
       • Medical Information
       • None
       • Real Estate
       • Resume
       • Tax
       • Technical
       • Unknown
     • Download Time: Use this filter to view records associated with the download time. The default option for this filter is All. The following download time ranges appear under this filter:
       • All Sizes
       • 0 - 10SEC
       • 10SEC - 30SEC
       • 30SEC - 1MIN
       • 1MIN - 5MIN
       • 5MIN - 10MIN
       • 10MIN - 30MIN
       • 30MIN - 1HOUR
       • Above 1 HOUR
       • Custom
     • Event: Use this filter to view records associated with the type of event. The default option for this filter is All. The following events appear under this filter:
       • Incident: Violations against either a DLP or Malware policy. This is caused when a file is scanned for the first time or when a change in the file violates the policy.
       • Violation
       • xceliware
     • File MD5: Use this filter to view records associated with the MD5 hash of a file.
     • File Name: Use this filter to view records associated with the file name. Enter all or part of the file name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • File Size: Use this filter to view records associated with a file's size. You can type in a file size range.
     • File Type: The type of file that was either uploaded or downloaded.
     • Message ID: Use this filter to view records associated with the email message identifier. Every email message has a unique ID. An Exchange or Gmail administrator can log in to their admin portals and search and pull a specific message with this ID if needed.
     • Non-Provisioned Owner: Use this filter to view records associated with file owners (inside or outside your organization) that are not provisioned to the Internet & SaaS services. The default option for this filter is None. You can search for specific non-provisioned owners.
     • Policy Type and Rule Name: Use this filter to view records associated with the policy and rule that took action. The following policy types appear under this filter:
       • DLP
       • Malware
     • Run ID: Use this filter to view records associated with a run ID. A run is when a scan is stopped and started. Every run is identified and tracked with a run ID.
     • Scan ID: Use this filter to view records associated with a scan ID. Every scan that is defined in the Historic Scan Configuration has a unique identifier associated with it.
     • Scan Time: Use this filter to view records associated with the time of a scan. The default option for this filter is All. The following scan time ranges appear under this filter:
       • 0 - 10SEC
       • 10SEC - 30SEC
       • 30SEC - 1MIN
       • 1MIN - 5MIN
       • 5MIN - 10MIN
       • 10MIN - 30MIN
       • 30MIN - 1HOUR
       • Above 1 HOUR
       • Custom
     • Sender Type: Use this filter to view records associated with a sender. The default option for this filter is None. The following sender types appear under this filter:
       • Bot
       • System
       • User
     • Severity: Use this filter to view records based on the severity level of the incidents detected by the SaaS Security API DLP policy. The default option for this filter is None. The following levels of severity appear under this filter:
       • High
       • Information
       • Low
       • Medium
     • SHA: Use this filter to view records associated with a specific secure hash algorithm (SHA). Enter all or part of the SHA in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Show Delayed Logs: Use this filter to view records based on delayed logs.
     • Tenant: Use this filter to view records associated with a specific tenant. The default option for this filter is All. You can search for specific tenants.
     • Threat Name Search: Use this filter to view records associated with a specific threat name. Enter all or part of the threat name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Threat Super Category: Use this filter to view records associated with a specific threat super category. The default option for this filter is None. You can search for specific categories. You can also use the toggle to turn on Threat Name Search to enter all or part of the threat name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null. The following categories appear under this filter:
       • Advanced Threat
       • Malware
       • Sandbox
       • Spyware
       • Virus
     • User: Use this filter to view records associated with a specific user.

     Close
   • ITSM Log Filters
     • Action: Use this filter to view records based on the SaaS Security API DLP policy rule action. The default option for this filter is None. You can search for specific actions. The following actions appear under this filter:
       • Failed to make external sharing read only
       • Failed to make internal sharing read only
       • Failed to make sharing read only
       • Failed to notify end user
       • Failed to quarantine Malware
       • Failed to remove Collaborators
       • Failed to remove Discoverable
       • Failed to remove external sharing
       • Failed to remove Internal Link Share
       • Failed to remove internal sharing
       • Failed to remove Malware
       • Failed to remove Public Link Share
       • Failed to revoke Sharing/Make Private
       • Make internal sharing read only
       • Notify end user
       • Quarantine Malware
       • Read Only for All Collaborators
       • Read Only for External Collaborators
       • Remove Collaborators
       • Remove Discoverable
       • Remove External Collaborators and Shareable Link
       • Remove Internal Link Share
       • Remove Malware
       • Remove Public Link Share
       • Remove Sharing
       • Report Incident Only
       • Report Malware
       • No action
     • Advanced Threat Category: Use this filter to view records associated with a specific advanced threat category. These threats are detected by Malware Protection. The default option for this filter is Any. You can search for specific categories. You can also use the toggle to turn on Threat Name Search to enter all or part of the threat name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null. The following categories appear under this filter:
       • Advanced Browser Exploit
       • Adware
       • Adware/Spyware Sites
       • Archive Bomb
       • Backdoor
       • Benign
       • Boot Virus
       • Botnet Callback
       • Browser Exploit
       • Cross-site Scripting
       • Cryptomining
       • Denial of Service Attack
       • Dialer
       • Domain Generated Algorithm Domains
       • Downloader
       • Macro Virus
       • Malicious Content
       • MalwareTool
       • Misdisinfection
       • Other Malware
       • Other Spyware
       • Other Threat
       • Other Virus
       • Password Stealer
       • Peer-to-Peer
       • Privacy Risk
       • Proxy
       • Ransomware
       • Sandbox Adware
       • Sandbox Anonymizer
       • Sandbox Malware
       • Sent for Analysis
       • Spyware Callback
       • Suspicious Content
       • Suspicious Destination
       • Trojan
       • Unauthorized Communication
       • Unrecognized Virus
       • Unwanted Application
       • Web Spam
       • Worm
     • Application: Use this filter to view records associated with a specific SaaS application. The following SaaS applications appear under this filter:
       • Jira Software
       • ServiceNow
     • Collaboration Scope: Use this filter to view records based on the collaboration scope and permissions for SaaS application tenant files. The following collaborations appear under this filter:
       • External Collaborators - Edit
       • External Collaborators - View
       • External Link - Edit
       • External Link - View
       • Internal Collaborators - Edit
       • Internal Collaborators - View
       • Internal Link - Edit
       • Internal Link - View
       • Private - Edit
     • Component: Use this filter to view records associated with the type of component. The following components appear under this filter:
       • Message
       • Email
     • Data Center: Use this filter to limit the data to traffic associated with a specific data center.
     • Department: Use this filter to view records associated with a specific department. The default option for this filter is Any. You can search for specific departments. You can choose to include or exclude certain departments.
     • DLP Dictionary: Use this filter to see which records contain this dictionary as a trigger. If a dictionary was triggered, the name of the dictionary is displayed along with a match count indicating the search score or match count for this dictionary. The default option for this filter is None. You can search for specific DLP dictionaries.
     • DLP Engine: Use this filter to view records in which data leakage was detected. The default option for this filter is Any. You can search for specific DLP engines.
     • Document Type: Use this filter to limit the data to traffic associated with a specific upload or download document type. The following types appear under this filter:
       • Corporate Finance
       • Corporate Legal
       • Court Form
       • DMV
       • Immigration
       • Insurance
       • Invoice
       • Legal
       • Medical Information
       • None
       • Real Estate
       • Resume
       • Tax
       • Technical
       • Unknown
     • Download Time: Use this filter to view records associated with the download time. The default option for this filter is All. The following download time ranges appear under this filter:
       • All Sizes
       • 0 - 10SEC
       • 10SEC - 30SEC
       • 30SEC - 1MIN
       • 1MIN - 5MIN
       • 5MIN - 10MIN
       • 10MIN - 30MIN
       • 30MIN - 1HOUR
       • Above 1 HOUR
       • Custom
     • Event: Use this filter to view records associated with the type of event. The default option for this filter is All. The following events appear under this filter:
       • Incidents: Violations against either a DLP or Malware policy. This is caused when a file is scanned for the first time or when a change in the file violates the policy.
       • Scans: Inspections of a file.
     • External Collaborators: Use this filter to view records associated with specific collaborators outside your organization. The default option for this filter is None. You can search for specific external collaborators.
     • Non-Provisioned Owner: Use this filter to view records associated with file owners (inside or outside your organization) that are not provisioned to the Internet & SaaS services. The default option for this filter is None. You can search for specific non-provisioned owners.
     • File MD5: Use this filter to view records associated with the MD5 hash of a file.
     • File Message ID: Use this filter to view records associated with the file's message ID. Enter all or part of the file message ID in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • File Name: Use this filter to view records associated with the file name. Enter all or part of the file name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • File Source Location: Use this filter to view records associated with the file source location. You can filter by Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Internal Collaborators: Use this filter to view records associated with specific collaborators within your organization. The default option for this filter is None. You can search for specific internal collaborators.
     • Number of External Collaborators: Use this filter to view records associated with the number of collaborators outside your organization. You can put in your own range.
     • Number of Internal Collaborators: Use this filter to view records associated with the number of collaborators within your organization. You can put in your own range.
     • Object Name: Use this filter to view records associated with a specific object name (e.g., you might have the object type Opportunity with an object name of "Pepsi"). You can filter by Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Object Type: Use this filter to view records associated with a specific object type (e.g., Account, Organization, Profile). The default option for this filter is None. You can search for specific object types.
     • Policy Type and Rule Name: Use this filter to view records associated with the policy and rule that took action. The following policy types appear under this filter:
       • DLP
       • Malware
     • Public URL: Use this filter to view records associated with a public URL used to access a shared file. You can choose either URL, Path, or Host. Enter all or part of the public URL, path, or host in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Run ID: Use this filter to view records associated with a run ID. A run is when a scan is stopped and started. Every run is identified and tracked with a run ID.
     • Scan ID: Use this filter to view records associated with a scan ID. Every scan that is defined in the Historic Scan Configuration has a unique identifier associated with it.
     • Scan Time: Use this filter to view records associated with the time of a scan. The default option for this filter is All. The following scan time ranges appear under this filter:
       • 0 - 10SEC
       • 10SEC - 30SEC
       • 30SEC - 1MIN
       • 1MIN - 5MIN
       • 5MIN - 10MIN
       • 10MIN - 30MIN
       • 30MIN - 1HOUR
       • Above 1 HOUR
       • Custom
     • Severity: Use this filter to view records based on the severity level of the incidents detected by the SaaS Security API DLP policy. The default option for this filter is None. The following levels of severity appear under this filter:
       • High
       • Information
       • Low
       • Medium
     • SHA: Use this filter to view records associated with a specific secure hash algorithm (SHA). Enter all or part of the SHA in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Show Delayed Logs: Use this filter to view records based on delayed logs.
     • Tenant: Use this filter to view records associated with a specific tenant. The default option for this filter is All. You can search for specific tenants.
     • Threat Super Category: Use this filter to view records associated with a specific threat super category. The default option for this filter is None. You can search for specific categories. You can also use the toggle to turn on Threat Name Search to enter all or part of the threat name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null. The following categories appear under this filter:
       • Advanced Threat
       • Malware
       • Sandbox
       • Spyware
       • Virus

     Close
   • Public Cloud Storage Log Filters

     To enable Amazon S3, Google Cloud Platform, and Microsoft Azure for your organization, contact your Zscaler Account team.

     • Action: Use this filter to view records based on the SaaS Security API DLP policy rule action. The default option for this filter is None. You can search for specific actions. The following actions appear under this filter:
       • Failed to make external sharing read only
       • Failed to make internal sharing read only
       • Failed to make sharing read only
       • Failed to notify end user
       • Failed to quarantine Malware
       • Failed to remove Collaborators
       • Failed to remove Discoverable
       • Failed to remove external sharing
       • Failed to remove Internal Link Share
       • Failed to remove internal sharing
       • Failed to remove Malware
       • Failed to remove Public Link Share
       • Failed to revoke Sharing/Make Private
       • Make internal sharing read only
       • Notify end user
       • Quarantine Malware
       • Read Only for All Collaborators
       • Read Only for External Collaborators
       • Remove Collaborators
       • Remove Discoverable
       • Remove External Collaborators and Shareable Link
       • Remove Internal Link Share
       • Remove Malware
       • Remove Public Link Share
       • Remove Sharing
       • Report Incident Only
       • Report Malware
       • No action
     • Advanced Threat Category: Use this filter to view records associated with a specific advanced threat category. These threats are detected by Malware Protection. The default option for this filter is Any. You can search for specific categories. You can also use the toggle to turn on Threat Name Search to enter all or part of the threat name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null. The following categories appear under this filter:
       • Advanced Browser Exploit
       • Adware
       • Adware/Spyware Sites
       • Archive Bomb
       • Backdoor
       • Benign
       • Boot Virus
       • Botnet Callback
       • Browser Exploit
       • Cross-site Scripting
       • Cryptomining
       • Denial of Service Attack
       • Dialer
       • Domain Generation Algorithm (DGA) Domains
       • Downloader
       • Macro Virus
       • Malicious Content
       • MalwareTool
       • Misdisinfection
       • Other Malware
       • Other Spyware
       • Other Threat
       • Other Virus
       • Password Stealer
       • Peer-to-Peer
       • Privacy Risk
       • Proxy
       • Ransomware
       • Sandbox Adware
       • Sandbox Anonymizer
       • Sandbox Malware
       • Sent for Analysis
       • Spyware Callback
       • Suspicious Content
       • Suspicious Destination
       • Trojan
       • Unauthorized Communication
       • Unrecognized Virus
       • Unwanted Application
       • Web Spam
       • Worm
     • Application: Use this filter to view records associated with a specific SaaS application. The following SaaS application appear under this filter:
       • Amazon S3
       • Google Cloud Platform
       • Microsoft Azure
     • Bucket Name: Use this filter to view records associated with a specific bucket.
     • Collaboration Scope: Use this filter to view records based on the collaboration scope and permissions for SaaS application tenant files. The following collaborations appear under this filter:
       • External Collaborators - Edit
       • External Collaborators - View
       • External Link - Edit
       • External Link - View
       • Internal Collaborators - Edit
       • Internal Collaborators - View
       • Internal Link - Edit
       • Internal Link - View
       • Private - Edit
     • Collaborators: Use this filter to view records associated with specific collaborators. The default option for this filter is None. You can search for specific collaborators.
     • Data Center: Use this filter to limit the data to traffic associated with a specific data center.
     • Department: Use this filter to view records associated with a specific department. The default option for this filter is Any. You can search for specific departments. You can choose to include or exclude certain departments.
     • DLP Dictionary: Use this filter to see which records contain this dictionary as a trigger. If a dictionary was triggered, the name of the dictionary is displayed along with a match count indicating the search score or match count for this dictionary. The default option for this filter is None. You can search for specific DLP dictionaries.
     • DLP Engine: Use this filter to view records in which data leakage was detected. The default option for this filter is Any. You can search for specific DLP engines.
     • Document Type: Use this filter to limit the data to traffic associated with a specific upload or download document type. The following types appear under this filter:
       • Corporate Finance
       • Corporate Legal
       • Court Form
       • DMV
       • Immigration
       • Insurance
       • Invoice
       • Legal
       • Medical Information
       • None
       • Real Estate
       • Resume
       • Tax
       • Technical
       • Unknown
     • Download Time: Use this filter to view records associated with the download time. The default option for this filter is All. The following download time ranges appear under this filter:
       • All Sizes
       • 0 - 10SEC
       • 10SEC - 30SEC
       • 30SEC - 1MIN
       • 1MIN - 5MIN
       • 5MIN - 10MIN
       • 10MIN - 30MIN
       • 30MIN - 1HOUR
       • Above 1 HOUR
       • Custom
     • Event: Use this filter to view records associated with the type of event. The default option for this filter is All. The following events appear under this filter:
       • Incidents: Violations against either a DLP or Malware policy. This is caused when a file is scanned for the first time or when a change in the file violates the policy.
       • Scans: Inspections of a file.
     • Non-Provisioned Owner: Use this filter to view records associated with file owners (inside or outside your organization) that are not provisioned to the Internet & SaaS services. The default option for this filter is None. You can search for specific non-provisioned owners.
     • File ID: Use this filter to view records associated with a file ID. For example, if a file was scanned multiple times, an admin can use the file ID to view the scan trail.
     • File MD5: Use this filter to view records associated with the MD5 hash of a file.
     • File Name: Use this filter to view records associated with the file name. Enter all or part of the file name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • File Size: Use this filter to view records associated with a file's size. You can put in a file size range.
     • File Source Location: Use this filter to view records associated with the file source location. You can filter by Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Number of Collaborators: Use this filter to view records associated with the number of collaborators. You can put in your own range.
     • Policy Type and Rule Name: Use this filter to view records associated with the policy and rule that took action. The following policy types appear under this filter:
       • DLP
       • Malware
     • Public URL: Use this filter to view records associated with a public URL used to access a shared file. You can choose either URL, Path, or Host. Enter all or part of the public URL, path, or host in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Run ID: Use this filter to view records associated with a run ID. A run is when a scan is stopped and started. Every run is identified and tracked with a run ID.
     • Scan ID: Use this filter to view records associated with a scan ID. Every scan that is defined in the Historic Scan Configuration has a unique identifier associated with it.
     • Scan Time: Use this filter to view records associated with the time of a scan. The default option for this filter is All. The following scan time ranges appear under this filter:
       • 0 - 10SEC
       • 10SEC - 30SEC
       • 30SEC - 1MIN
       • 1MIN - 5MIN
       • 5MIN - 10MIN
       • 10MIN - 30MIN
       • 30MIN - 1HOUR
       • Above 1 HOUR
       • Custom
     • Severity: Use this filter to view records based on the severity level of the incidents detected by the SaaS Security API DLP policy. The default option for this filter is None. The following levels of severity appear under this filter:
       • High
       • Information
       • Low
       • Medium
     • SHA: Use this filter to view records associated with a specific secure hash algorithm (SHA). Enter all or part of the SHA in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Show Delayed Logs: Use this filter to view records based on delayed logs.
     • Tenant: Use this filter to view records associated with a specific tenant. The default option for this filter is All. You can search for specific tenants.
     • Threat Name Search: Use this filter to view records associated with a specific threat. Enter all or part of the threat name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Threat Super Category: Use this filter to view records associated with a specific threat super category. The default option for this filter is None. You can search for specific categories. You can also use the toggle to turn on Threat Name Search to enter all or part of the threat name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null. The following categories appear under this filter:
       • Advanced Threat
       • Malware
       • Sandbox
       • Spyware
       • Virus
     • User: Use this filter to view records associated with the owner of the questionable file. The default option for this filter is Any. You can search for specific file owners. You can choose to include or exclude certain file owners.

     Close
   • Repository Log Filters
     • Action: Use this filter to view records based on the SaaS Security API DLP policy rule action. The default option for this filter is None. You can search for specific actions. The following actions appear under this filter:
       • Failed to make external sharing read only
       • Failed to make internal sharing read only
       • Failed to make sharing read only
       • Failed to notify end user
       • Failed to quarantine Malware
       • Failed to remove Collaborators
       • Failed to remove Discoverable
       • Failed to remove external sharing
       • Failed to remove Internal Link Share
       • Failed to remove internal sharing
       • Failed to remove Malware
       • Failed to remove Public Link Share
       • Failed to revoke Sharing/Make Private
       • Make internal sharing read only
       • Notify end user
       • Quarantine Malware
       • Read Only for All Collaborators
       • Read Only for External Collaborators
       • Remove Collaborators
       • Remove Discoverable
       • Remove External Collaborators and Shareable Link
       • Remove Internal Link Share
       • Remove Malware
       • Remove Public Link Share
       • Remove Sharing
       • Report Incident Only
       • Report Malware
       • No action
     • Advanced Threat Category: Use this filter to view records associated with a specific advanced threat category. These threats are detected by Malware Protection. The default option for this filter is Any. You can search for specific categories. You can also use the toggle to turn on Threat Name Search to enter all or part of the threat name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null. The following categories appear under this filter:
       • Advanced Browser Exploit
       • Adware
       • Adware/Spyware Sites
       • Archive Bomb
       • Backdoor
       • Benign
       • Boot Virus
       • Botnet Callback
       • Browser Exploit
       • Cross-site Scripting
       • Cryptomining
       • Denial of Service Attack
       • Dialer
       • Domain Generation Algorithm (DGA) Domains
       • Downloader
       • Macro Virus
       • Malicious Content
       • MalwareTool
       • Misdisinfection
       • Other Malware
       • Other Spyware
       • Other Threat
       • Other Virus
       • Password Stealer
       • Peer-to-Peer
       • Privacy Risk
       • Proxy
       • Ransomware
       • Sandbox Adware
       • Sandbox Anonymizer
       • Sandbox Malware
       • Sent for Analysis
       • Spyware Callback
       • Suspicious Content
       • Suspicious Destination
       • Trojan
       • Unauthorized Communication
       • Unrecognized Virus
       • Unwanted Application
       • Web Spam
       • Worm
     • Application: Use this filter to view records associated with a specific SaaS application. The following SaaS application appear under this filter:
       • Bitbucket
       • GitHub
       • GitLab
     • Collaboration Scope: Use this filter to view records based on the collaboration scope and permissions for SaaS application tenant files. The following collaborations appear under this filter:
       • External Collaborators - Edit
       • External Collaborators - View
       • External Link - Edit
       • External Link - View
       • Internal Collaborators - Edit
       • Internal Collaborators - View
       • Internal Link - Edit
       • Internal Link - View
       • Private - Edit
     • Data Center: Use this filter to limit the data to traffic associated with a specific data center.
     • Department: Use this filter to view records associated with a specific department. The default option for this filter is Any. You can search for specific departments. You can choose to include or exclude certain departments.
     • DLP Dictionary: Use this filter to see which records contain this dictionary as a trigger. If a dictionary was triggered, the name of the dictionary is displayed along with a match count indicating the search score or match count for this dictionary. The default option for this filter is None. You can search for specific DLP dictionaries.
     • DLP Engine: Use this filter to view records in which data leakage was detected. The default option for this filter is Any. You can search for specific DLP engines.
     • Document Type: Use this filter to limit the data to traffic associated with a specific upload or download document type. The following types appear under this filter:
       • Corporate Finance
       • Corporate Legal
       • Court Form
       • DMV
       • Immigration
       • Insurance
       • Invoice
       • Legal
       • Medical Information
       • None
       • Real Estate
       • Resume
       • Tax
       • Technical
       • Unknown
     • Download Time: Use this filter to view records associated with the download time. The default option for this filter is All. The following download time ranges appear under this filter:
       • All Sizes
       • 0 - 10SEC
       • 10SEC - 30SEC
       • 30SEC - 1MIN
       • 1MIN - 5MIN
       • 5MIN - 10MIN
       • 10MIN - 30MIN
       • 30MIN - 1HOUR
       • Above 1 HOUR
       • Custom
     • Event: Use this filter to view records associated with the type of event. The default option for this filter is All. The following events appear under this filter:
       • Incidents: Violations against either a DLP or Malware policy. This is caused when a file is scanned for the first time or when a change in the file violates the policy.
       • Scans: Inspections of a file.
     • External Collaborators: Use this filter to view records associated with specific collaborators outside your organization. The default option for this filter is None. You can search for specific external collaborators.
     • Non-Provisioned Owner: Use this filter to view records associated with file owners (inside or outside your organization) that are not provisioned to the Internet & SaaS services. The default option for this filter is None. You can search for specific non-provisioned owners.
     • File ID: Use this filter to view records associated with a file ID. For example, if a file was scanned multiple times, an admin can use the file ID to view the scan trail.
     • File MD5: Use this filter to view records associated with the MD5 hash of a file.
     • File Name: Use this filter to view records associated with the file name. Enter all or part of the file name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • File Size: Use this filter to view records associated with a file's size. You can put in a file size range.
     • File Source Location: Use this filter to view records associated with a file source location. You can filter by Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Number of External Collaborators: Use this filter to view records associated with the number of collaborators outside your organization. You can put in your own range.
     • Policy Type and Rule Name: Use this filter to view records associated with the policy and rule that took action. The following policy types appear under this filter:
       • DLP
       • Malware
     • Project Name: Use this filter to view records associated with a specific project name. You can filter by Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Run ID: Use this filter to view records associated with a run ID. A run is when a scan is stopped and started. Every run is identified and tracked with a run ID.
     • Scan ID: Use this filter to view records associated with a scan ID. Every scan that is defined in the Historic Scan Configuration has a unique identifier associated with it.
     • Scan Time: Use this filter to view records associated with the time of a scan. The default option for this filter is All. The following scan time ranges appear under this filter:
       • 0 - 10SEC
       • 10SEC - 30SEC
       • 30SEC - 1MIN
       • 1MIN - 5MIN
       • 5MIN - 10MIN
       • 10MIN - 30MIN
       • 30MIN - 1HOUR
       • Above 1 HOUR
       • Custom
     • Severity: Use this filter to view records based on the severity level of the incidents detected by the SaaS Security API DLP policy. The default option for this filter is None. The following levels of severity appear under this filter:
       • High
       • Information
       • Low
       • Medium
     • SHA: Use this filter to view records associated with a specific secure hash algorithm (SHA). Enter all or part of the SHA in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null.
     • Show Delayed Logs: Use this filter to view records based on delayed logs.
     • Tenant: Use this filter to view records associated with a specific tenant. The default option for this filter is All. You can search for specific tenants.
     • Threat Super Category: Use this filter to view records associated with a specific threat super category. The default option for this filter is None. You can search for specific categories. You can also use the toggle to turn on Threat Name Search to enter all or part of the threat name in the text field, and choose Contains, Starts With, Ends With, Exact Match, Does Not Contain, Does Not End With, Not Null, or Is Null. The following categories appear under this filter:
       • Advanced Threat
       • Malware
       • Sandbox
       • Spyware
       • Virus

     Close
8. You can either download the list of transactions as a CSV file or keep it displayed on your screen. When you download the list, the Zscaler service only exports visible columns. It exports up to 100K lines of data at a time. You can continue to use the service while the export is in progress. The limit for the number of times you can export is 20 requests/hour. For a complete list of ranges and limits per feature, see Ranges & Limitations.
9. Choose the number of records that you want displayed on the page.
10. Always click Apply Filters to activate your changes.
11. View the weblog time, which appears at the bottom of every window. The Nanolog servers collect the logs of all users worldwide, and then consolidates and correlates them. The weblog time displays the date and time of the logs that are being processed by the Nanolog servers.
12. Go to the Insights page.