SSPM Syslog Field Descriptions

The following tables list the standard fields of each log type that SSPM can forward to an external server. To help with parsing, the delimiter is a comma and each field is a comma-separated value (CSV) string.

Config Scan Event Fields

SSPM generates a config scan event when a config scan detects that the status of an application setting has changed. For example, if the previous scan determined that the setting status was Passed, but the current scan determines the setting status is Failed, SSPM generates a config scan event.
Config Scan Event Fields
Field Name
Description
type
The type of event. In this case, sspm_config_scan.
tenantName
The name of the tenant where the SSPM instance is deployed.
eventDate
The date and time that the event occurred. SSPM logs this information as a high-precision (6-digit milliseconds) timestamp, ending with the UTC offset. The timestamp format is YYYY-MM-DDTHH.MM.SS.ssssss+|-HH:MM. For example: 2024-01-11T11:19:46.360053-08:00.
policyName
The name of the SSPM rule that maps to the application setting. For example, the Salesforce application setting "Block Redirect to Unknown URL" maps to the SSPM rule "Apps are configured to block redirects to unknown URLs to prevent phishing attacks".
policyStatus
The status of the SSPM rule that maps to the application setting. For example, Passed or Failed.
category
The category of the SSPM rule that maps to the application setting. For example, Identity Access Management or Data Security.
settingName
The name of the application setting. For example, Salesforce settings include "Email Domain Allowlist", "Make data protection details available in records", and "Referrer URL protection".
currentValue
The current value of the application setting.
suggestedValue
The value that Palo Alto Networks recommends for the application setting.
status
The status of the application setting, which SSPM determines during the config scan. For example, the status of an application setting might be Passed, Violation, or, if you turned monitoring off for the setting, Waived.
remediationType
The remediation type, which indicates whether automated remediation is available for the setting. This field contains one of the following values:
  • SYSTEM — Indicates that automated remediation is available. When automated remediation is available, the user can resolve a misconfiguration with one click of a button. SSPM uses the application's API to change the setting to the recommended value.
  • MANUAL — Automated remediation is not available.
cloudAppInstance
The name of the application instance in SSPM.
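
An added example, not part of the SSPM documentation: a Python parser for the config scan event described above, which also shows why a naive split on commas miscounts fields when a value contains a comma. It assumes the fields arrive in the order listed above with no syslog header, that values containing commas are double-quoted as in standard CSV, and that the timestamp uses colons as in the example value; the sample lines, the triage labels, and the tenant, instance and rule names in them are constructed.

```python
import csv
import io
from datetime import datetime

# Assumption: fields arrive in the order the table lists them.
CONFIG_SCAN_FIELDS = [
    "type", "tenantName", "eventDate", "policyName", "policyStatus",
    "category", "settingName", "currentValue", "suggestedValue",
    "status", "remediationType", "cloudAppInstance",
]

# Constructed sample payloads (not real SSPM output).
SAMPLE_SYSTEM = (
    "sspm_config_scan,example-tenant,2024-01-11T11:19:46.360053-08:00,"
    "Apps are configured to block redirects to unknown URLs to prevent "
    "phishing attacks,Failed,Identity Access Management,"
    "Block Redirect to Unknown URL,false,true,Violation,SYSTEM,salesforce-prod"
)
SAMPLE_QUOTED = (
    "sspm_config_scan,example-tenant,2024-01-11T11:25:02.000120-08:00,"
    "Constructed rule name,Failed,Data Security,Email Domain Allowlist,"
    '"example.com,example.org",example.com,Violation,MANUAL,salesforce-prod'
)

def parse_config_scan(payload):
    """Parse one sspm_config_scan CSV payload into a dict; raise ValueError if malformed."""
    rows = list(csv.reader(io.StringIO(payload.strip())))
    if len(rows) != 1 or len(rows[0]) != len(CONFIG_SCAN_FIELDS):
        raise ValueError("not a single 12-field config scan record")
    event = dict(zip(CONFIG_SCAN_FIELDS, rows[0]))
    if event["type"] != "sspm_config_scan":
        raise ValueError(f"unexpected event type: {event['type']!r}")
    # fromisoformat handles the 6-digit fraction and the +|-HH:MM offset.
    event["eventDate"] = datetime.fromisoformat(event["eventDate"])
    return event

def triage(event):
    """Map status and remediationType to a follow-up label (labels are hypothetical)."""
    if event["status"] != "Violation":
        return "no-action"  # e.g. Passed or Waived
    if event["remediationType"] == "SYSTEM":
        return "automated-remediation-available"
    return "manual-remediation"

if __name__ == "__main__":
    for sample in (SAMPLE_SYSTEM, SAMPLE_QUOTED):
        ev = parse_config_scan(sample)
        print(ev["eventDate"].isoformat(), ev["settingName"], triage(ev))
    print(len(SAMPLE_QUOTED.split(",")), "fields from a naive str.split")
```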

Third-Party Plugin Scan Event Fields

SSPM generates a third-party plugin scan event when a third-party plugin scan of an application completes.
Third-Party Plugin Scan Event Fields
Field Name
Description
type
The type of event. In this case, sspm_supplychain_scan.
tenantName
The name of the tenant where the SSPM instance is deployed.
eventDate
The date and time that the event occurred. SSPM logs this information as a high-precision (6-digit milliseconds) timestamp, ending with the UTC offset. The timestamp format is YYYY-MM-DDTHH.MM.SS.ssssss+|-HH:MM. For example: 2024-01-11T11:19:46.360053-08:00.
appName
The name of the application instance in SSPM. This is the instance of the hosting application that SSPM scanned for connected third-party plugins.
appType
The type of hosting application that SSPM scanned for connected third-party plugins. For example, Google Workspace, Salesforce, or ServiceNow.
thirdPartyAppScanEvents
A list of ThirdPartyAppScanEvent structures, which describe the third-party plugins. See the following table, which describes the fields of a ThirdPartyAppScanEvent structure. The maximum size of this list is 200.

ThirdPartyAppScanEvent Structure Fields
Field Name
Description
thirdPartyAppId
The ID of the third-party plugin.
thirdPartyAppName
The name of the third-party application that was installed as a plugin to the hosting application.
type
The level at which the third-party plugin was installed. Possible values include PRODUCT, ORGANIZATION, WORKSPACE, and USER.
status
The review status of the third-party plugin. Possible values include Not Reviewed, Reviewed, Revoked, and Revoke In-Progress.
activeUsers
The number of active users of the third-party plugin.
usersRevoked
The number of users who previously had access to the third-party plugin, but who had their access revoked by an administrator.
scopes
The number of application scopes to which the connected third-party plugin has permission.
scopeNames
A list of the application scopes to which the connected third-party plugin has permission.
risk
The risk severity of the third-party plugin, which is based on the application scopes to which the plugin has permission. Possible values include High, Medium, and Low.
statusUpdatedTimestamp
The date and time that the third-party plugin's status was updated. SSPM logs this information as a high-precision (6-digit milliseconds) timestamp, ending with the UTC offset. The timestamp format is YYYY-MM-DDTHH.MM.SS.ssssss+|-HH:MM. For example: 2024-01-11T11:19:46.360053-08:00.