| Field Name | Definition |
|---|---|
| appsite | Friendly name for a Website or Application |
| authtype | |
| blocked | Indicates that the request was blocked, normally because the user is not authorized to access the site. It can also be caused by technical anomalies, for example, "page not found by server." |
| bytes | Number of total bytes (transmit and receive) for the session. |
| category | Describes the content of a Web page that was visited. |
| classification | User defined classification for the website content that was visited. Values could be any of the following: Acceptable, Unacceptable and Neutral |
| clientin | |
| clientout | |
| contenttype | Refers to an HTTP header field that specifies the type of data contained in the body of an HTTP request or response. Values could be any of the following: jpeg, mpeg, pdf, html, css, etc. |
| datetime | Date/time stamp associated with each record hit |
| domain | A fully qualified domain name (FQDN) is a complete and unambiguous domain name that specifies the exact location of a specific resource on the internet. |
| group | Organizational groups are structured in a hierarchical manner, forming a tree-like structure. |
| hit | Number of records (represents a record count) |
| identity | |
| ip | Source IP Address |
| network | |
| outboundip | Destination IP Address |
| proxyport | |
| refererdomain | HTTP header field that indicates the URL or domain from which a user navigated to the current page. |
| resultcode | HTTP status codes that are used to indicate the result or status of an HTTP request made to a web server. Some commonly encountered codes are: 200 OK, 404 Not Found, etc. |
| searchterms | Search query or keyword, refers to the specific words or phrases that a user enters into a search engine to find information on a particular topic. |
| serverin | |
| serverout | |
| source | |
| timeonline | An approximation of the time that a user spends on the Internet. Wavecrest’s Smart Engine algorithms can produce the most accurate time online measurement. |
| user | Field refers to the information recorded about the user associated with a specific network connection or traffic event. |
| useragent | HTTP header field sent by a web browser or other client software when making a request to a web server. It identifies the client’s software, version, and other relevant information to help the server understand the capabilities and requirements of the client. |
| visit | A click action for the purpose of visiting a Web site. One click equals one request for a Web page. |
Tag: Cyfin
| Field Name | Definition |
|---|---|
| action | Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url. |
| action_source | Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset-server, reset-client or reset-both for the session. |
| application | Application associated with the session. |
| application_category | The application category specified in the application configuration properties. |
| application_risk | Risk level associated with the application (1=lowest to 5=highest). |
| application_saas | Displays yes if a SaaS application or no if not a SaaS application. |
| application_subcategory | The application subcategory specified in the application configuration properties. |
| application_technology | The application technology specified in the application configuration properties. |
| bytes | Number of total bytes (transmit and receive) for the session. |
| category | Describes the content of a Web page that was visited. |
| contenttype | Refers to an HTTP header field that specifies the type of data contained in the body of an HTTP request or response. Values could be any of the following: jpeg, mpeg, pdf, html, css, etc. |
| datetime | Date/time stamp associated with each record hit |
| dest_country | Destination country or Internal region for private addresses. |
| dest_ip | Original session destination IP address. |
| dest_zone | Zone the session was destined to. |
| deviceLogType | |
| direction | Indicates the direction of the attack: client-to-server or server-to-client |
| group | Organizational groups are structured in a hierarchical manner, forming a tree-like structure. |
| hit | Number of records (represents a record count) |
| http2_connection | Identifies whether the traffic used an HTTP/2 connection |
| identity | |
| ip | Original session source IP address. |
| ip_protocol | IP protocol associated with the session. |
| port | Destination port utilized by the session. |
| recordName | |
| referrer | |
| results | |
| rule | Name of the rule that the session matched. |
| severity | |
| source | |
| source_zone | Zone the session was sourced from. |
| threat_category | Describes threat categories used to classify different types of threat signatures. |
| Threat_contenttype | Subtype of the threat and traffic log |
| threat_id | Palo Alto Networks identifier for known and custom threats. |
| type | Specifies the type of log; |
| url | |
| user | Field refers to the information recorded about the user associated with a specific network connection or traffic event. |
| useragent | HTTP header field sent by a web browser or other client software when making a request to a web server. It identifies the client’s software, version, and other relevant information to help the server understand the capabilities and requirements of the client. |
Enhancements
- Data Management
  - Log Data Setup
    - Added Microsoft Defender as a configuration option. This feature is only available for Cyfin in a VM environment.
- Reporting
  - Dashboard
    - Visualizer
      - Added dashboard-level filters. This allows a filter to be applied to all panels with a matching data source on the configured dashboard.
- Usage statistics
  - Added periodic anonymous usage statistics gathering to improve customer experience.
Corrections
- Data Management
  - Import
    - Disabled auto-importing of syslog-enabled log configurations because the stream is already imported automatically.
Enhancements
- Logon Accounts
  - Added the ability to assign additional group permissions to logon accounts imported from Active Directory.
- Reporting
  - Visit Filter
    - Updated the algorithm for determining hit versus visit to include additional portions of the URL.
Enhancements
- System
  - Added the ability to import Groups and IDs through Directory Agent.
- System Status
  - Messages
    - Visualizer
      - Added a screen to view Visualizer profiling information.
- Reporting
  - Dashboard
    - Visualizer
      - Added preconfigured dashboard templates for users to select when creating new dashboards.
      - Updated timeframe selection to always be relative when creating/editing dashboards. Modifying the timeframe in the dashboard view page is only temporary, and a button has been added to reset back to the default timeframe selection. Navigating away also resets the timeframe back to the dashboard default.
Corrections
- Reporting
  - Dashboard
    - Visualizer
      - Corrected the Visualizer link in the product menu when the user account does not have a valid email address, by redirecting to the logon accounts modification screen.
Enhancements
- System
  - Added the ability to import Groups and IDs through Directory Agent.
- System Status
  - Messages
    - Visualizer
      - Added a screen to view Visualizer profiling information.
- Reporting
  - Dashboard
    - Visualizer
      - Replaced all existing dashboards with Cyfin Visualizer. This new charting solution allows you to create and save panels on multiple dashboards, as opposed to the single view that you had to configure each time you went to the charts. Any non-AD Cyfin logon will automatically be able to log into the Visualizer using the same credentials as Cyfin.
- Log Configurations
  - Added NetExtender VPN format.
- Parser
  - Added bytes to the VPN logout record.
Enhancements
- Managing Metric Server Data Storage and Provisioning
  - Log in to Cyfin and your company's personalized storage metrics will be detailed on the homepage. You will find the Average Daily Data Volume, Storage Remaining, and Days Remaining. This information provides what you need to calculate your specific storage needs:
    - Avg. Daily Data Volume – Average amount of data stored per day.
    - Est. Days Remaining – Days remaining until total storage is used.
    - Storage Remaining – Amount and percentage of storage available.
    - Total Storage – Maximum storage provisioned.
Enhancements
- System
  - Upgraded Java Run-Time Engine to Version 11.
- Settings
  - Email
    - Replaced the legacy e-mail client with a newer version.
    - Added an option for the e-mail client to connect using SSL.
    - Added SSLStart capability to the e-mail client.
Enhancements
- Security
  - Updated the jQuery library to version 3.6.0, which corrects a security issue.
- Log Configurations
  - Added Cisco Umbrella Export.
  - Added Fortigate Export.
  - Added Sophos Web Application.
  - Updated the CheckPoint config to handle HTTPS Inspection records and URL Filtering records for sites with invalid certificates.
- Performance
  - Sped up startup by moving the template verifier and empty indices tasks to the job queue.
Corrections
- Log Parser
  - Fixed the parser not handling configurations that have an optional header record line.
  - Fixed the issue of not using the correct port field to assign the protocol.
  - Log dates are now properly adjusted by the timezone adjustment in the config file.
  - Escape characters in log fields are now handled correctly.
  - Sped up performance by fixing the method that consolidates configurations using the same tokenizer into a single parser. An error in the method that identifies identical tokenizers was leading to excessive parsers and incorrect stats.
- Log Download
  - Fixed a log download issue by using a JS window for SSL downloads and PHP for non-secure downloads.
Enhancements
- System
  - Upgraded Java Run-Time Engine to Version 11.
  - Product update information is now cached to prevent constant polling while on the home screen.
- Settings
  - Email
    - Replaced the legacy e-mail client with a newer version.
    - Added an option for the e-mail client to connect using SSL.
    - Added SSLStart capability to the e-mail client.
  - Secure interface
    - Forcing TLS 1.2 for default interface certificates.
    - TT-2232 Added Subject Alternative Names as an option when generating a Certificate Signing Request.
- Reporting
  - Log File Text Parser
    - Updated the next generation reporting engine to parse web-type data configurations. The product is now capable of reading multiple record types for a single data configuration.
    - Added Office365 reporting module.
      - Added a configuration option in Data Management – Setup.
      - Added an Office365 option in Report Templates, including all available reporting fields for creating Office 365 report sections.
      - Updated the reporting engine to pull Office 365 data stored in the metric server.
- Data Management
  - Added an option to compress log data that was generated by a Wavecrest product (e.g. syslog or CyBlock). This option is disabled by default.
  - Syslog
    - TT-2287 Removed the hostname look-up for each UDP syslog record received.
Corrections
- System
  - Removed log4j and replaced it with the latest fully patched log4j2 version.
  - Improved UI speed by removing unnecessary health check calls.
  - Removed unused libraries from the installer.
  - Implemented a new library for tracking CPU and memory usage on Windows installs.
- Data Manager – Log File Download
  - TT-2340 Fixed the calendar incorrectly setting the last available download date.
- Reporting
  - Dashboard
    - TT-2337 Fixed the Palo Alto Traffic chart query that was failing because Classifications are not available for Palo Alto Traffic categories.
    - TT-2337 Fixed the Palo Alto Traffic chart query using the wrong indices when querying data.
    - Dashboard Charts – Trend – Classifications
      - TT-2235 Corrected a parameter issue that caused the chart to not load.
    - Report Manager
      - TT-2314 Fixed the "no network segments exist" message.
  - Categorization
    - TT-2291 URLs that are uppercased in the log source now properly match list or custom URL entries.