
NSS feeds for SaaS security logs

Only for NSS web server.

A large number of filters or complex filters, such as string search, might impact the performance of the NSS.

You can configure multiple types of filters. For example, if an admin selects the location HQ and department Finance, the NSS will select logs that belong to both the HQ location and the Finance department.

To configure a feed for SaaS security logs:

Available filters

Policy Type

Filter logs based on the specific policy type. You can specify multiple policies.

Policy Action

Filter logs based on the specific policy action taken. You can specify multiple policy actions.

Scan Time

Filter logs based on the time the SaaS Security API policy took to scan content within the tenant. Enter either a specific value or a range with a dash. The default unit of measure is milliseconds, but you can specify this unit using either MS or SEC. For example: 10MS-100MS. 

Event

Choose the type of event.

Who

  • Departments: Filter logs to specific departments that generated transactions. You can search for users by user name or email address. There's no limit to the number of users that you can select. Users that are deleted after they are selected appear with a strikethrough line.

  • Groups: Filter logs to specific groups that generated transactions. You can search for users by user name or email address. There's no limit to the number of users that you can select. Users that are deleted after they are selected appear with a strikethrough line.

  • Users: Filter logs to specific users that generated transactions. You can search for users by user name or email address. There's no limit to the number of users that you can select. Users that are deleted after they are selected appear with a strikethrough line.  

ITSM

  • File Name: Filter logs to specific file names. You can enter multiple file names separated by commas.

  • File Size: Filter logs based on their file size. Enter either a specific size or a range with a dash. You can enter multiple values separated by commas. By default, the service uses bytes, but you can also specify KB, MB, GB, or TB. For example: 10KB-1MB, 200.

  • File Source: Filter logs based on their source location.

  • External Owner: Filter logs associated with the external owner (outside your organization) of the questionable file. Multiple selections are allowed.

  • Internal Collaborators: Filter logs associated with specific collaborators within your organization. Multiple selections are allowed.

  • External Collaborators: Filter logs associated with specific collaborators outside of your organization. Multiple selections are allowed.

  • Object Type: Choose Any to inspect all object types, or choose a specific object type.

  • Object Name: Filter logs to specific object names.  You can enter multiple object names separated by commas.

Collaboration

  • External Recipients: Filter logs to specific recipients outside your organization.  Multiple selections are allowed.

  • Internal Recipients: Filter logs to specific recipients within your organization.  Multiple selections are allowed.

  • Channel Name: Filter logs to specific channel names.  You can enter multiple channel names separated by commas.

File

  • File Type Category: Filter logs based on the file type category detected from the content. Multiple selections are allowed.

  • File Name: Filter logs to specific file names. You can enter multiple file names separated by commas.

  • File Size: Filter logs based on their file size. Enter either a specific size or a range with a dash. You can enter multiple values separated by commas. By default, the service uses bytes, but you can also specify KB, MB, GB, or TB. For example: 10KB-1MB, 200.
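The File Size and Scan Time filters share one value syntax (a single value or a dash-separated range, with an optional unit). The following added example, which is not Zscaler code, parses that syntax so a filter string can be checked before it is entered, or replayed against stored logs to see which records a feed would leave out. The function names, the 1 KB = 1024 bytes multiplier, integer-only values, and inclusive range bounds are assumptions; the page does not specify them.

```python
import re

# Multipliers to the base unit. Assumption: binary multiples (1 KB = 1024
# bytes); the page names the units but does not define their size.
SIZE_UNITS = {"": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3, "TB": 1024**4}
TIME_UNITS = {"": 1, "MS": 1, "SEC": 1000}  # default unit is milliseconds

_TERM = re.compile(r"^\s*(\d+)\s*([A-Za-z]*)\s*$")


def _value(term, units):
    """Convert one term such as '10KB' to an integer in the base unit."""
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"malformed value: {term!r}")
    unit = m.group(2).upper()
    if unit not in units:
        raise ValueError(f"unknown unit in {term!r}")
    return int(m.group(1)) * units[unit]


def parse_filter(expr, units, multi=True):
    """Return inclusive (low, high) ranges; multi=False rejects comma lists."""
    items = expr.split(",")
    if len(items) > 1 and not multi:
        raise ValueError("this filter takes a single value or range")
    ranges = []
    for item in items:
        low, dash, high = item.partition("-")
        lo = _value(low, units)
        hi = _value(high, units) if dash else lo
        if lo > hi:
            raise ValueError(f"range start exceeds end: {item.strip()!r}")
        ranges.append((lo, hi))
    return ranges


def matches(value, ranges):
    """True if value (in the base unit) falls inside any parsed range."""
    return any(lo <= value <= hi for lo, hi in ranges)


# Constructed sample: file sizes in bytes from four log records.
SAMPLE_SIZES = [200, 4096, 524288, 2097152]
SELECTED = [s for s in SAMPLE_SIZES if matches(s, parse_filter("10KB-1MB, 200", SIZE_UNITS))]
```

Scan Time is parsed with `parse_filter("10MS-100MS", TIME_UNITS, multi=False)`, because the page describes comma-separated lists only for File Size.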

DLP

  • DLP Engines: Filter logs to transactions in which data leakage was detected based on specific DLP engines. Multiple selections are allowed.

  • DLP Dictionaries: Filter logs to transactions in which data leakage was detected based on specific DLP dictionaries. Multiple selections are allowed.

  • Severity: Choose the severity level of the incidents detected by the SaaS Security API DLP policy.

Malware

  • Threat Class: Filter logs based on the specific threat class. You can specify multiple threat classes.

  • Threat Category: Filter logs based on the specific threat category. You can specify multiple threat categories.

  • Threat Name: Filter logs based on specific threats that were detected. You can specify multiple threat names separated by commas.

Application

  • SaaS Application: Filter logs based on the specific sanctioned SaaS application. You can specify multiple applications.

  • SaaS Application Tenant: Filter logs based on the specific SaaS application tenant. You can specify multiple tenants.