Secure Internet and SaaS Access (ZIA)

Mobile Insights Logs: Columns

You can customize your web logs by using column fields. To learn more about logs, see About Insights Logs.

You can select the following mobile field columns:

  • Agent: The user-agent string that the browser included in its GET request. The user-agent string contains browser and system information that the destination server can use to provide appropriate content.
  • Bandwidth Class: The bandwidth class to which the URL belongs.
  • Bandwidth Rule: Specifies the Bandwidth Control policy rule that applies to this URL.
  • Client Connection Cipher: The cipher suite agreed upon during the SSL handshake between the client and the ZIA Public Service Edge. This filter applies to SSL-inspected traffic.
  • Client Connection TLS Version: The version of TLS used for communication between the client and the ZIA Public Service Edge. This filter applies to SSL-inspected traffic.
  • Client External IP: This is the internet gateway location IP address.
  • Client IP: The IP address from which the transaction originated. This can be the internet gateway location IP address or the IP address of the client device.
  • Client Session Reused: Whether an SSL connection between the client and Zscaler was reused for the web transaction.
  • Client Trans. Time (ms): The sum of the values in the Proxy Latency and Server Time columns. This is the total time, in milliseconds, from when the browser made the first request to the cloud infrastructure to when it returned all the content to the browser.
  • Cloud Application: The specific web application that was accessed.
  • Cloud Application Class: The specific web application class that was accessed.
  • Department: The department to which the user belongs. As with the User field, if authentication is not required and the traffic comes from a location specified in the service, this field displays the name of the gateway location. You can sort and search through this column.
  • Device appversion: The Zscaler Client Connector version on the device.
  • Device Model: The model of the device.
  • Device Name: The name of the device.
  • Device OS Type: The OS type of the device.
  • Device OS Version: The OS version the device uses.
  • Device platform: The platform of the device.
  • DLP Dictionaries: Indicates if data leakage was detected by a DLP dictionary.
  • DLP Engine: Indicates if data leakage was detected by a Data Loss Prevention (DLP) engine.
  • DLP Identifier: Used to search for the transactions using this DLP identifier. Whenever a DLP rule is hit, and the appropriate alert is configured, an email containing this ID is sent to your auditors. Use it as a filter to locate the exact transaction.
  • DLP MD5: The MD5 hash for the file that triggered the DLP rule. Whenever a DLP rule is hit, and the appropriate alert is configured, an email containing the MD5 hash of the file is sent to your auditors. Use it as a filter to locate the exact transaction.
  • Event Time: The date and time of the transaction. You can sort this column.
  • File Name: Only applicable to downloaded and uploaded files.
  • IPS Threat Name: The name of the threat detected by the IPS. Clicking the threat name takes you to Zscaler's Threat Library where you can find detailed information about the threat.
  • Location: The internet gateway location from which the transaction originated. If the transaction did not originate from a location that was defined in the service, then it is recorded as coming from a remote user. You can sort and search through this column.
  • Logged Time: The date and time the transaction was logged.
  • MD5: Displays the hash of suspicious files. Click to view the Sandbox Detail Report (requires Advanced Sandbox) or CrowdStrike Endpoint Hits report (if you're integrated with CrowdStrike).
  • Mobile Application: The application that was used on a mobile device.
  • Mobile Application Category: The category of the application that was used on a mobile device.
  • Mobile Application Class: The class of the application that was used on a mobile device.
  • Mobile Device Type: The type of mobile device that was used to connect to the corporate network.
  • No.: The item number.
  • Policy Action: Indicates if the service allowed or blocked the transaction, or cautioned the user about the transaction.
  • Policy Type: The type of policy that took action during the transaction. The following policy types appear in this field:
  • Protocol: Provides visibility into the protocols that traverse Zscaler’s cloud. The following information is shown:
    • FTP: Transactions from native FTP servers.
    • FTP over HTTP: Transactions from FTP over HTTP websites.
    • HTTPS: HTTPS transactions that have been inspected.
    • SSL: Transactions from SSL/TLS connections that have not been inspected. For example, hosts you've exempted from SSL inspection.
    • Tunnel: Transactions from unidentified encrypted traffic. For example, tunneling applications (e.g., Telnet or SSH) that are encapsulated in HTTP or HTTPS.
    • Tunnel SSL: Undecodable protocol within an SSL connection.
    • WebSocket: Transactions from WebSocket websites.
    • WebSocket SSL: Transactions from WebSocket websites encrypted by SSL.
  • Proxy Latency (ms): The time, in milliseconds, added to the transaction by the ZIA Public Service Edge.
  • Received Bytes: Specifies how many bytes the destination web server returned for each HTTP request.
  • Referrer URL: The URL from which the HTTP request originated.
  • Request Method: Indicates if the HTTP request was a GET, POST, or CONNECT request. A GET request is a request to retrieve data, a POST request is a request to submit data to be processed, and a CONNECT request converts the request to a transparent tunnel, usually to facilitate HTTPS.
  • Response Code: The destination server’s response. For example, 200 OK means the request succeeded and 404 Not Found means the requested URL was not found.
  • Rule Name: The name of the rule that triggered the session or aggregated sessions. This column is only displayed in the logs if the traffic was blocked. By default, this column is not displayed for allowed traffic.
  • Sent Bytes: Specifies the size, in bytes, of the HTTP request that was sent to the destination web server.
  • Server Certificate Self Signed: Whether the certificate presented by the Origin Content Server (web server) to the ZIA Public Service Edge was self-signed.
  • Server Certificate Validation Type: Validation type for the certificate presented by the server to the ZIA Public Service Edge (EV, OV, or DV).
  • Server Certificate Validity Period: The validity duration of the certificate presented by the server to the ZIA Public Service Edge (i.e., how long the certificate is valid).
  • Server Connection Cert Chain Validity: Whether the certificate presented by the server passed the validation check by the ZIA Public Service Edge. The certificate is deemed valid if the certificate is not expired, the signing authority is trusted by Zscaler, the OCSP check is passed, the domain name matches the CN/SAN, etc.
  • Server Connection Cert Expiry: Whether the certificate presented by the server to the ZIA Public Service Edge has expired (Y/N).
  • Server Connection Cipher: The cipher suite agreed upon during the SSL handshake between the ZIA Public Service Edge and the server.
  • Server Connection OCSP Result: Whether the OCSP check done by the ZIA Public Service Edge passed or failed.
  • Server Connection TLS Version: The version of TLS used for communication between the ZIA Public Service Edge and the server.
  • Server IP: The IP address of the destination server.
  • Server Session Reused: Whether the SSL connection on the server side was reused.
  • Server Trans. Time (ms): The time, in milliseconds, it took the destination server to accept the GET request and return all the content to the cloud infrastructure.
  • Server Wildcard Certificate: Whether the certificate presented by the server to the ZIA Public Service Edge is a wildcard certificate.
  • SSL Inspected: Displays Yes if the SSL transaction was decrypted. Otherwise, it displays No.
  • Suspicious Content: This field provides the “raw” Page Risk Index score of a URL. To learn more about Suspicious Content Protection (Page Risk™), see About Advanced Threat Protection.
  • Threat Category: If the service detected a threat in the transaction, it displays the virus or spyware type, if applicable.
  • Threat Super Category: If the service detected a threat in the transaction, it displays the Virus and Spyware super category, if applicable.
  • Throttled request bytes: Specifies how many request bytes were throttled.
  • Throttled response bytes: Specifies how many response bytes were throttled.
  • Total Bytes: The sum of the values in the Received Bytes and Sent Bytes columns.
  • Traffic Forwarding: Type of traffic forwarding mechanism for this session. For aggregated sessions, this is the traffic forwarding type of the last session in the aggregate. To learn more about traffic forwarding, see Best Practices for Traffic Forwarding.
  • URL: The entire URL of the transaction. Opening a single web page typically requires multiple GET requests in order to fetch all the objects of the page. Each GET request is logged as a transaction. You can sort and search through this column.
  • URL Categorization Method: Refers to the source of the URL's category. Database A refers to the proprietary URL database of the service; Database B refers to a third-party vendor’s URL database; AI/ML-based content categorization refers to the content classification of pages that are not present in any of the databases using AI/ML tools. User-Defined indicates that the category was defined by an administrator. None indicates that the category of the URL is unavailable in any of the databases.
  • URL Category: The specific URL category to which the URL belongs.
  • URL Class: The URL class to which the URL belongs.
  • URL Super Category: The URL super category to which the URL belongs.
  • User: The email address of the user who performed the transaction. If an internet gateway location was specified and authentication is not required, this field displays the name of the gateway location. You can sort and search through this column.
  • Zscaler Client Connector Tunnel Version: The version of the Zscaler Client Connector Z-Tunnel.