Events Table Attributes
The Events table provides detailed information about each event that has occurred. It includes fields that describe the event itself, the file involved, the applications used, and the user's interaction.
The following table provides the list of event attributes that are displayed in the table.
| Column Name | Description |
|---|---|
| App commandline | The command line used to start the application involved in the event. |
| App description | A description of the application involved in the event. |
| App main window title | The title of the main window of the application that generated the event. |
| App name | The name of the application that was part of the event. |
| App package name | The package name for modern Windows applications involved in the event. |
| Blocked | A flag indicating whether the event was blocked by a policy. |
| Browser page domain | The domain extracted from the referrer URL of the browser page. |
| Browser page title | The title of the browser page where the event occurred. |
| Browser page url | The referrer URL of the browser page. |
| Cloud access level | The cloud sharing access role type, such as viewer, editor, or commenter. |
| Cloud app | The type of cloud application, for example, OneDrive, SharePoint, or Google Drive. |
| Cloud app account | The user account used to log in to the cloud application. |
| Cloud destination account | The email addresses of the cloud app accounts that have been granted sharing access as a destination for the data. |
| Cloud destination groups | The group name in the cloud application that has been granted sharing access as a destination for the data. |
| Cloud domain | The domain of the cloud application. |
| Cloud messaging groups | The source or destination group name in the cloud messaging app. |
| Cloud messaging users | The source or destination username in the cloud messaging app. |
| Cloud provider | The type of cloud provider storing the data, for example, Office 365 or Salesforce. |
| Cloud scope | The scope of users with cloud sharing access, for example, user, group, or anyone. |
| Cloud workspace | The workspace name of the cloud application (e.g., in Slack or other collaboration apps). |
| Content identification policies | The policies that matched the event's content, if any. |
| Content uri | The URL path of the content involved in the event. |
| Data size | The size of a piece of data involved in the event, such as data copied and pasted. |
| Dataset | The dataset used to classify the data that was involved in the event. |
| Destination file path | The specific location where the data resides after the event. |
| Destination location outline | The type of destination location for the event, such as endpoint, website, etc. |
| Destination type | A short outline of the destination location (e.g., node, hostname for an endpoint; email for cloud; device name for removable media). |
| Document tags | Any document tags applied to the document containing the sensitive data. |
| Domain | The domain name where the event occurred, in the format sub.domain.tld. |
| Domain category | A classification that categorizes domains based on content type, purpose, or industry. |
| Email account | The email address identifying a mailbox where the data involved in the event resides. |
| Email groups | The geographic location of the email account. |
| Endpoint id | An identifier for the endpoint where the event was generated. |
| Event time | The time at which the event occurred. |
| Event type | The type of event that led to data arriving or leaving a location. |
| Exact data match | The exact data match attributes that were found in the event. |
| Fail close statuses | The status of a policy when the policy response pop-up was not displayed to the user due to a session timeout or device connectivity issues. |
| File | The name of the file involved in the event. |
| File extension | The file type or extension of the file. |
| File size | The size of the file in bytes. |
| Group name | The list of Active Directory groups to which the user belongs. |
| Hostname | The hostname of the endpoint or share where the data resides. |
| Local machine name | The hostname of the machine where the event happened. |
| Local time utc | The time in UTC when the event occurred. |
| Local user name | The username of the user who caused the event. |
| Local user sid | The Security Identifier (SID) of the user who caused the event. |
| Md5 hash | The MD5 hash of the file involved in the event. |
| Media category | The type of removable media used, if applicable. |
| Notion account id | The unique ID of the Notion account involved in the event. |
| Notion account name | The name of the Notion account involved in the event. |
| Notion page full path | The full path of the Notion page involved in the event. |
| Notion page id | The unique ID of the Notion page involved in the event. |
| Notion page name | The name of the Notion page involved in the event. |
| Policy | The policy that matched the event. |
| Printer name | The name of the printer used for the event. |
| Removable device name | The name of the removable device used. |
| Removable device product id | The 16-bit number assigned to a specific USB device model. |
| Removable device vendor id | The 16-bit number assigned to the USB device manufacturer. |
| Repository name | The name of the repository containing the data. |
| Repository organization | The organization structure of the content repository. |
| Salesforce account domains | The Salesforce domain name from the user's email address. |
| Salesforce account id | The unique ID of the Salesforce account involved in the event. |
| Salesforce account name | The name of the Salesforce account involved in the event. |
| Salesforce opportunity id | The unique ID of the Salesforce opportunity involved in the event. |
| Salesforce opportunity name | The name of the Salesforce opportunity involved in the event. |
| Salesforce report id | The unique ID of the Salesforce report involved in the event. |
| Salesforce report name | The name of the Salesforce report involved in the event. |
| Sensor type | The type of sensor that generated the event (e.g., Endpoint Sensor, Cloud Sensor). |
| Sensitivity | The sensitivity rating assigned in the dataset definition. Possible values include Critical, High, Moderate, Low, and Unrestricted. |
| Severity | The severity of the event as defined in the policy. Possible values include Critical, High, Medium, Low, and Informational. |
| Sha256 hash | The SHA256 hash of the file involved in the event. |
| Source file path | The file path location of the source containing the data. |
| Source location outline | The type of source location for the event, such as endpoint, website, etc. |
| Source type | A short outline of the source location (e.g., node, hostname for an endpoint; email for cloud; device name for removable media). |
| Temporary blocked | This applies when an action is blocked temporarily because a policy is triggered multiple times in a short duration due to throttling. |
| Url | The exact URL used to access the data. |
| Users | The user who caused the event. |