In keeping with Integrated Cyber Defense (ICD) / Open Cybersecurity Schema Framework (OCSF) schema standards, Cloud SWG is improving the JSON output that is delivered by Event Streaming channels. Refer to the following sections to determine how this change will affect your configurations.
| Previous name | New name |
| --- | --- |
| connection.protocol_version | product_data.protocol_version |
| policy.rules[ ].desc | product_data.data_leak_detected |
| file.url | product_data.file.url |
| file.sha2 | product_data.file.sha2 |
| file.name | product_data.file.name |
| file.size | product_data.file.size |
| file.rep_score | product_data.file.rep_score |
| file.verdict | product_data.file.verdict |
To allow for a graceful deprecation, duplicate fields with both previous and new names will exist in parallel for a period of time before the previous fields are removed.
The following field is renamed.
| Previous name | New name |
| --- | --- |
| http_request.connection_info.protocol_ver | unmapped.product_data.protocol_version |
To allow for a graceful deprecation, duplicate fields with both previous and new names will exist in parallel for a period of time before the previous field is removed.
Cloud SWG.
Event streaming.
Reporting infrastructure update.
For the renamed fields in the ICD and OCSF schemas, update the SIEM applications that consume the event data to use the new names.
No updates are needed for the two changed field types in the ICD schema.
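While both names exist in parallel, a SIEM parser can prefer the new name and fall back to the previous one, so lookups on fields such as the file hash do not silently go empty once the previous fields are removed. The following is an added example, not vendor code. It assumes events arrive as nested JSON objects, and `get_path`, `read_renamed` and the sample event are hypothetical names and data constructed for illustration.

```python
# Added example: read renamed Cloud SWG fields during the deprecation window.
# Mapping copied from the rename tables on this page; policy.rules[ ].desc is
# left out because it is an array element and needs per-rule handling.
RENAMES = {
    "connection.protocol_version": "product_data.protocol_version",
    "file.url": "product_data.file.url",
    "file.sha2": "product_data.file.sha2",
    "file.name": "product_data.file.name",
    "file.size": "product_data.file.size",
    "file.rep_score": "product_data.file.rep_score",
    "file.verdict": "product_data.file.verdict",
    "http_request.connection_info.protocol_ver": "unmapped.product_data.protocol_version",
}

_MISSING = object()  # sentinel, so that null/0/"" still count as present


def get_path(event, dotted):
    """Walk a dotted path through nested dicts (assumed event layout)."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def read_renamed(event):
    """Return (values keyed by new name, warnings) for one parsed event."""
    values, warnings = {}, []
    for old, new in RENAMES.items():
        new_val, old_val = get_path(event, new), get_path(event, old)
        if new_val is not _MISSING:
            values[new] = new_val
            # Duplicates should agree while both exist; surface any drift.
            if old_val is not _MISSING and old_val != new_val:
                warnings.append(f"mismatch: {old} != {new}")
        elif old_val is not _MISSING:
            values[new] = old_val
            warnings.append(f"previous name only: {old}")
    return values, warnings


# Constructed sample event (not real Cloud SWG output).
SAMPLE = {
    "file": {"sha2": "0" * 64, "name": "report.pdf"},
    "product_data": {"file": {"sha2": "0" * 64}},
}

if __name__ == "__main__":
    print(read_renamed(SAMPLE))
```

Counting the "previous name only" warnings over time shows when a feed has fully moved to the new names and the fallback can be dropped.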