| Caption | Name | Requirement | Type | Description |
|---|---|---|---|---|
| Description | desc | Recommended | String | The description of the policy. |
| Effective Date | effective_date | Recommended | Datetime | The date and time that the specific policy and rule was applied and became operational. Note: the time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC. |
| Group Description (Ext) | group_desc | Recommended | String | The description of the group to which the policy belongs. |
| Group Name | group_name | Recommended | String | The name of the group to which the policy belongs. |
| Group ID (Ext) | group_uid | Recommended | String | The unique identifier of the group to which the policy belongs. |
| Label (Ext) | label | Recommended | String | The label set for the policy. |
| Name | name | Recommended | String | The name given to the policy; for example "LAMP Policy". |
| Rule Category (Ext) | rule_category_id | Recommended | Integer | The category of the primary rule that triggered the violation; one of: |

| Value | Caption | Description |
|---|---|---|
| 0 | Unknown | Rule category is unknown. |
| 1 | Engine Analysis | Signature detection or machine learning heuristics detected the file. |
| 2 | Reputation | The file's reputation is worse than the policy threshold. |
| 3 | Prevalence | The file's low usage is suspicious and is not allowed per policy threshold. |
| 4 | Discovered Date | The file is too new and is not allowed per policy threshold. |
| 5 | Blocked by User | The file is blocked by the user. |
| 6 | Blocked by Admin | The file is blocked by the administrator. |
| 7 | Custom Detection | Custom YARA rule detected the file. |
| 8 | Compliance | Compliance scan status. |

| Caption | Name | Requirement | Type | Description |
|---|---|---|---|---|
| Rule Description (Ext) | rule_desc | Recommended | String | The description of the primary rule that triggered the policy event. |
| Rule Group Description (Ext) | rule_group_desc | Recommended | String | The additional information that describes the group to which the rule belongs. |
| Rule Group Name | rule_group_name | Recommended | String | The name of the group to which the rule belongs. |
| Rule Group ID (Ext) | rule_group_uid | Recommended | String | The unique identifier of the group to which the rule belongs. |
| Rule Alert | rule_is_alertable | Recommended | Boolean | Indicates whether the event should be considered for management server alerting. |
| Rule Name | rule_name | Recommended | String | The name of the primary rule that triggered the policy event. For example: "Software Install Protection - Deny exe Modification", "USB_Registry_Connect_Activity", or "Programs that services should not execute". |
| Rule ID (Ext) | rule_uid | Recommended | String | The unique identifier of the primary rule that triggered the policy event. |
| Rules (Ext) | rules | Recommended | Rule Array | Additional rules that triggered the policy event. |
| States (Ext) | state_ids | Recommended | Integer Array | The states related to the policy: |

| Value | Caption |
|---|---|
| 1 | Prevention Policy Overridden locally |
| 2 | Policy Globally Disabled |
| 3 | Prevention Policy Overridden except Self-Protection |
| 4 | Default Rule applied |
| 5 | Real-Time Event |
| 6 | Virtual Event |
| 7 | Injected |
| 8 | ITA Forwarded |
| 9 | CSP Forwarded |
| 10 | OS Forwarded |
| 11 | ConfigTool |
| 12 | IPS Service |
| 13 | External Event |
| 14 | Solaris non-global one event |
| 15 | SVA Generated Event |
| 16 | Interactive Flag |
| 17 | Service Flag |
| 18 | Portal True |
| 19 | Portal False |
| 20 | Overrideable |
| 21 | Exception |
| 22 | Bad Reputation |
| 23 | Gray Reputation |
| 24 | Prevention disabled at sandbox level |
| 25 | Policy Good |

| Caption | Name | Requirement | Type | Description |
|---|---|---|---|---|
| Type | type_id | Recommended | Integer | The policy type; one of: |

| Value | Caption | Description |
|---|---|---|
| 0 | Unknown | Policy type is unknown |
| 1 | Policy Group | Policy group |
| 2 | Browser Isolation | Application Isolation browser policy |
| 3 | Java Isolation | Application Isolation Java® Virtual Machine policy |
| 4 | Office Isolation | Application Isolation Microsoft Office policy |
| 5 | PDF Renderer Isolation | Application Isolation PDF Renderer policy |
| 6 | Generic Isolation | Application Isolation custom policy |
| 7 | Null Isolation | Application Isolation null policy |
| 8 | Platform | Application Isolation platform policy |
| 9 | Allow List | Allow List policy |
| 10 | Deny List | Deny List policy |
| 11 | Generic Discovery | Application Isolation generic discovery policy |
| 12 | Targeted Discovery | Application Isolation targeted discovery policy |
| 13 | Malware Protection | Malware Protection policy |
| 14 | Exploit Protection | Exploit Protection policy |
| 15 | Telemetry | Telemetry policy |
| 16 | Exception | Exception policy |
| 17 | System | System policy |
| 18 | Device Control | Device control policy |
| 19 | Custom Application Behavior | Custom application behavior policy |
| 20 | Compliance | Compliance policy |
| 21 | Threat Defense | Threat defense policy |
| 22 | Web and Cloud Access Protection | Web and cloud access protection policy |
| 23 | Mobile | Mobile policy |
| 24 | Intrusion Prevention | Intrusion prevention policy |
| 25 | Firewall | Firewall policy |
| 26 | Detection and Response | Detection and response policy |

| Caption | Name | Requirement | Type | Description |
|---|---|---|---|---|
| ID (Ext) | uid | Recommended | String | A unique identifier of the policy instance that contains the rule generating the event; ordinarily, client or application-specific. |
| Version | version | Recommended | String | The policy version number. |
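As an added example (not part of this schema page or any vendor code), the Python below normalises a Policy object laid out as above for downstream alert handling: it resolves rule_category_id, type_id and state_ids to the captions in the tables, keeps unknown ids visible instead of dropping them, and converts effective_date from epoch milliseconds (the unit the page specifies, and an easy one to mistake for seconds). The SAMPLE_POLICY record is constructed for the demonstration.

```python
# Added example: normalise a Policy object as defined in the tables above.
# Enumeration captions are copied from the page; SAMPLE_POLICY is constructed.
from datetime import datetime, timezone

RULE_CATEGORY = ["Unknown", "Engine Analysis", "Reputation", "Prevalence",
                 "Discovered Date", "Blocked by User", "Blocked by Admin",
                 "Custom Detection", "Compliance"]          # index == rule_category_id
POLICY_TYPE = ["Unknown", "Policy Group", "Browser Isolation", "Java Isolation",
               "Office Isolation", "PDF Renderer Isolation", "Generic Isolation",
               "Null Isolation", "Platform", "Allow List", "Deny List",
               "Generic Discovery", "Targeted Discovery", "Malware Protection",
               "Exploit Protection", "Telemetry", "Exception", "System",
               "Device Control", "Custom Application Behavior", "Compliance",
               "Threat Defense", "Web and Cloud Access Protection", "Mobile",
               "Intrusion Prevention", "Firewall", "Detection and Response"]  # index == type_id
STATE = {1: "Prevention Policy Overridden locally", 2: "Policy Globally Disabled",
         3: "Prevention Policy Overridden except Self-Protection", 4: "Default Rule applied",
         5: "Real-Time Event", 6: "Virtual Event", 7: "Injected", 8: "ITA Forwarded",
         9: "CSP Forwarded", 10: "OS Forwarded", 11: "ConfigTool", 12: "IPS Service",
         13: "External Event", 14: "Solaris non-global one event", 15: "SVA Generated Event",
         16: "Interactive Flag", 17: "Service Flag", 18: "Portal True", 19: "Portal False",
         20: "Overrideable", 21: "Exception", 22: "Bad Reputation", 23: "Gray Reputation",
         24: "Prevention disabled at sandbox level", 25: "Policy Good"}

def effective_date_to_utc(ms):
    """effective_date is milliseconds since the Unix epoch (not seconds)."""
    if not isinstance(ms, int) or isinstance(ms, bool) or ms < 0:
        raise ValueError(f"effective_date must be a non-negative integer: {ms!r}")
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def normalize_policy(policy):
    """Resolve enum ids to captions; unknown ids are reported, never silently dropped."""
    cat, typ = policy.get("rule_category_id", 0), policy.get("type_id", 0)
    return {
        "name": policy.get("name"),
        "effective_date": effective_date_to_utc(policy["effective_date"]).isoformat(),
        "rule_category": RULE_CATEGORY[cat] if 0 <= cat < len(RULE_CATEGORY) else f"Unknown({cat})",
        "type": POLICY_TYPE[typ] if 0 <= typ < len(POLICY_TYPE) else f"Unknown({typ})",
        "states": [STATE.get(s, f"Unknown({s})") for s in policy.get("state_ids", [])],
        "alertable": bool(policy.get("rule_is_alertable", False)),  # rule_is_alertable
    }

SAMPLE_POLICY = {  # constructed sample record, not real product output
    "name": "LAMP Policy", "effective_date": 1700000000000, "rule_category_id": 7,
    "rule_name": "USB_Registry_Connect_Activity", "rule_is_alertable": True,
    "type_id": 13, "state_ids": [5, 21, 99], "uid": "example-policy-uid",
}
```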