...
proxy.zscaler.accessField | Type | Field Transformation | Source field name | Extra fields |
---|
eventdate | timestamp
| | | | timestamp | timestamp
| Code Block |
---|
ifthenelse(length(timestamp_str) = 19, parse("yyyy/MM/dd hh:mm:ss", timestamp_str), ifthenelse(timestamp_str -> " ", parsedate(timestamp_str, dateformat("MMM D HH:mm:ss YYYY", "UTC")), parsedate(timestamp_str, dateformat("MMM DD HH:mm:ss YYYY", "UTC")))) |
| timestamp_str | | reason | str
| | | | event_id | str
| | | | protocol | str
| | | | action | str
| | | | rulelabel | str
| | | | ruletype | str
| | | | transactionsize | int8
| | | | responsesize | int8
| | | | requestsize | int8
| | | | urlcategory | str
| | | | serverip | ip4
| | | | clienttranstime | int8
| | | | requestmethod | str
| | | | refererurl | str
| | | | useragent | str
| | | | product | str
| | | | productVersion | str
| | | | location | str
| | | | clientIP | ip4
| | | | deviceName | str
| | | | deviceOSType | str
| | | | status | str
| | | | user | str
| | | | url | str
| | | | vendor | str
| | | | hostname | str
| | | | clientpublicIP | ip4
| | | | threatcategory | str
| | | | threatname | str
| | | | threatmd5 | str
| | | | filename | str
| | | | filetype | str
| | | | fileSubtype | str
| | | | contenttype | str
| | | | appname | str
| | | | pagerisk | str
| | | | department | str
| | | | urlsupercategory | str
| | | | appclass | str
| | | | dlpengine | str
| | | | urlclass | str
| | | | threatclass | str
| | | | dlpdictionaries | str
| | | | fileclass | str
| | | | fileScannable | str
| | | | bwthrottle | str
| | | | servertranstime | int8
| | | | trafficredirectmethod | str
| | | | ztunnelVersion | str
| | | | sslinspected | str
| | | | ssldecrypted | str
| | | | externalspr | str
| | | | deviceowner | str
| | | | refererURL | str
| | | | datetime | timestamp
| | | | unscannabletype | str
| | | | devicehostname | str
| | | | clienttranstime_str | str
| | | | transactionsize_str | str
| | | | servertranstime_str | str
| | | | responsesize_str | str
| | | | requestsize_str | str
| | | | upload_filename | str
| | | | upload_filetype | str
| | | | upload_fileclass | str
| | | | upload_filesubtype | str
| | | | upload_doctypename | str
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | | ✓ |
proxy.zscaler.nssField | Type | Extra fields |
---|
eventdate | timestamp
| | time | str
| | login | str
| | proto | str
| | eurl | str
| | action | str
| | appname | str
| | appclass | str
| | reqsize | int8
| | respsize | int8
| | stime | int8
| | ctime | int8
| | urlclass | str
| | urlsupercat | str
| | urlcat | str
| | malwarecat | str
| | threatname | str
| | riskscore | str
| | dlpeng | str
| | dlpdict | str
| | location | str
| | dept | str
| | cip | ip4
| | sip | ip4
| | reqmethod | str
| | respcode | str
| | ua | str
| | ereferer | str
| | ruletype | str
| | rulelabel | str
| | contenttype | str
| | unscannabletype | str
| | deviceowner | str
| | devicehostname | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| |
proxy.zscaler.nss_firewallField | Type | Extra fields |
---|
eventdate | timestamp
| | hostname | str
| | hostchain | str
| ✓ | tag | str
| ✓ | cefVersion | str
| | embDeviceVendor | str
| | embDeviceProduct | str
| | deviceVersion | str
| | signatureID | str
| | name | str
| | severity | str
| | time | str
| | login | str
| | dept | str
| | location | str
| | cdport | str
| | csport | str
| | sdport | str
| | ssport | str
| | csip | ip4
| | cdip | ip4
| | ssip | ip4
| | sdip | ip4
| | tsip | ip4
| | tsport | str
| | ttype | str
| | action | str
| | dnat | str
| | nwsvc | str
| | nwapp | str
| | ipproto | str
| | ipcat | str
| | destcountry | str
| | avgduration | int4
| | rulelabel | str
| | inbytes | int4
| | outbytes | int4
| | duration | int4
| | durationms | int4
| | numsessions | int4
| | ipsrulelabel | str
| | threatcat | str
| | threatname | str
| | recordid | str
| | eedone | str
| | devicehostname | str
| | devicemodel | str
| | devicename | str
| | deviceostype | str
| | deviceosversion | str
| | deviceowner | str
| | deviceappversion | str
| | ztunnelversion | str
| | rawMessage | str
| ✓ |
proxy.zscaler.nss_webField | Type | Extra fields |
---|
eventdate | timestamp
| | hostname | str
| | cefVersion | str
| | embDeviceVendor | str
| | embDeviceProduct | str
| | deviceVersion | str
| | signatureID | str
| | name | str
| | severity | str
| | time | str
| | login | str
| | proto | str
| | eurl | str
| | action | str
| | reason | str
| | appname | str
| | appclass | str
| | reqsize | int8
| | respsize | int8
| | urlclass | str
| | urlsupercat | str
| | urlcat | str
| | malwarecat | str
| | threatname | str
| | riskscore | str
| | dlpeng | str
| | dlpdict | str
| | location | str
| | dept | str
| | cip | ip4
| | sip | ip4
| | reqmethod | str
| | respcode | str
| | ua | str
| | ereferer | str
| | ruletype | str
| | rulelabel | str
| | contenttype | str
| | unscannable | str
| | deviceowner | str
| | devicehostname | str
| | ologin | str
| | throttlereqsize | str
| | throttlerespsize | str
| | bwthrottle | str
| | bwclassname | str
| | bwrulename | str
| | module | str
| | bamd5 | str
| | dlpdicthitcount | str
| | dlpidentifier | str
| | dlpmd5 | str
| | fileclass | str
| | filetype | str
| | filesubtype | str
| | filename | str
| | reqdatasize | str
| | reqhdrsize | str
| | respdatasize | str
| | resphdrsize | str
| | totalsize | str
| | reqversion | str
| | respversion | str
| | referer | str
| | uaclass | str
| | ua_token | str
| | host | str
| | ehost | str
| | refererhost | str
| | erefererpath | str
| | eurlpath | str
| | erefererhost | str
| | url | str
| | df_hostname | str
| | mobappname | str
| | mobappcat | str
| | mobdevtype | str
| | cintip | ip4
| | trafficredirectmethod | str
| | ssldecrypted | str
| | clientsslcipher | str
| | clienttlsversion | str
| | clientsslsessreuse | str
| | srvsslcipher | str
| | srvtlsversion | str
| | srvocspresult | str
| | srvcertchainvalpass | str
| | srvwildcardcert | str
| | serversslsessreuse | str
| | srvcertvalidationtype | str
| | srvcertvalidityperiod | str
| | malwareclass | str
| | devicemodel | str
| | devicename | str
| | deviceostype | str
| | deviceosversion | str
| | deviceappversion | str
| | ztunnelversion | str
| | recordid | str
| | productversion | str
| | nsssvcip | str
| | eedone | str
| | stime | int8
| | ctime | int8
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
proxy.zscaler.zia.alertField | Type | Source field name | Extra fields |
---|
eventdate | timestamp
| | | hostname | str
| | | facility | str
| | | level | str
| | | message | str
| rawMessage | | hostchain | str
| | ✓ | tag | str
| | ✓ | rawMessage | str
| | ✓ |
proxy.zscaler.zia.dnsField | Type | Extra fields |
---|
eventdate | timestamp
| | hostname | str
| | time | timestamp
| | ss | int4
| | mm | int4
| | hh | int4
| | dd | int4
| | mth | int4
| | yyyy | int4
| | reqrulelabel | str
| | reqaction | str
| | resrulelabel | str
| | resaction | str
| | login | str
| | dept | str
| | cip | str
| | durationms | int8
| | sip | str
| | recordid | str
| | location | str
| | req | str
| | domcat | str
| | reqtype | str
| | sport | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
proxy.zscaler.zia.firewallField | Type | Source field name | Extra fields |
---|
eventdate | timestamp
| | | hostname | str
| | | sourcetype | str
| | | datetime | timestamp
| time | | csip | ip4
| | | csport | int4
| | | cdip | ip4
| | | cdport | int4
| | | tsip | ip4
| | | tunsport | int4
| tsport | | locationname | str
| location | | tuntype | str
| ttype | | threatcat | str
| | | threatname | str
| | | ipsrulelabel | str
| | | sdip | ip4
| | | sdport | int4
| | | ssip | ip4
| | | ssport | int4
| | | ipcat | str
| | | avgduration | int8
| | | duration | int8
| | | durationms | int8
| | | numsessions | int8
| | | rulelabel | str
| | | action | str
| | | dnat | str
| | | stateful | str
| | | aggregate | str
| | | inbytes | str
| | | outbytes | str
| | | nwapp | str
| | | proto | str
| ipproto | | destcountry | str
| | | nwsvc | str
| | | user | str
| login | | department | str
| dept | | devicehostname | str
| | | deviceowner | str
| | | event | json
| | | hostchain | str
| | ✓ | tag | str
| | ✓ | rawMessage | str
| | ✓ |
proxy.zscaler.zia.saas_collaborationField | Type | Extra fields |
---|
eventdate | timestamp
| | hostname | str
| | tenant | str
| | applicationname | str
| | time | timestamp
| | epochtime | timestamp
| | recordid | str
| | filename | str
| | filetypename | str
| | filesize | int8
| | filemd5 | str
| | collabscope | str
| | department | str
| | policy | str
| | rulelabel | str
| | ruletype | str
| | malware | str
| | threatname | str
| | malwareclass | str
| | dlpdictnames | str
| | dlpenginenames | str
| | dlpidentifier | str
| | severity | str
| | dlpdictcount | str
| | filetypecategory | str
| | component | str
| | sha | str
| | internal_recptnames | str
| | external_recptnames | str
| | ointernal_recptnames | str
| | oexternal_recptnames | str
| | sharedchannel_hostname | str
| | sender | str
| | osender | str
| | esender | str
| | channel_name | str
| | ochannel_name | str
| | datacenter | str
| | datacentercity | str
| | datacentercountry | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
proxy.zscaler.zia.saas_crmField | Type | Extra fields |
---|
eventdate | timestamp
| | hostname | str
| | tenant | str
| | applicationname | str
| | time | timestamp
| | epochtime | timestamp
| | recordid | str
| | filename | str
| | filetypename | str
| | filesize | int8
| | filemd5 | str
| | collabscope | str
| | fullurl | str
| | suburl | str
| | department | str
| | policy | str
| | rulelabel | str
| | ruletype | str
| | malware | str
| | threatname | str
| | malwareclass | str
| | dlpdictnames | str
| | dlpenginenames | str
| | dlpidentifier | str
| | severity | str
| | dlpdictcount | str
| | num_internal_collab | str
| | num_external_collab | str
| | objectname | str
| | objecttype | str
| | file_msg_id | str
| | filetypecategory | str
| | hostname2 | str
| | ohostname | str
| | ofullurl | str
| | internal_collabnames | str
| | external_collabnames | str
| | ointernal_collabnames | str
| | oexternal_collabnames | str
| | file_msg_mod_time | str
| | filepath | str
| | component | str
| | sha | str
| | datacenter | str
| | datacentercity | str
| | datacentercountry | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
proxy.zscaler.zia.saas_emailField | Type | Extra fields |
---|
eventdate | timestamp
| | hostname | str
| | tenant | str
| | applicationname | str
| | filedownloadtimems | str
| | filescantimems | str
| | time | timestamp
| | epochtime | timestamp
| | recordid | str
| | epochlastmodtime | timestamp
| | department | str
| | policy | str
| | rulelabel | str
| | ruletype | str
| | malware | str
| | threatname | str
| | malwareclass | str
| | dlpdictnames | str
| | dlpenginenames | str
| | dlpidentifier | str
| | severity | str
| | dlpdictcount | str
| | sender | str
| | datacenter | str
| | datacentercity | str
| | datacentercountry | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
proxy.zscaler.zia.saas_fileField | Type | Extra fields |
---|
eventdate | timestamp
| | hostname | str
| | tenant | str
| | applicationname | str
| | filedownloadtimems | str
| | filescantimems | str
| | time | timestamp
| | epochtime | timestamp
| | recordid | str
| | filename | str
| | filetypename | str
| | filesource | str
| | filesize | int8
| | lastmodtime | str
| | epochlastmodtime | timestamp
| | filemd5 | str
| | collabscope | str
| | fullurl | str
| | suburl | str
| | department | str
| | user | str
| | policy | str
| | rulelabel | str
| | ruletype | str
| | malware | str
| | threatname | str
| | malwareclass | str
| | dlpdictnames | str
| | dlpenginenames | str
| | dlpidentifier | str
| | severity | str
| | dlpdictcount | str
| | filetypecategory | str
| | hostname2 | str
| | sha | str
| | datacenter | str
| | datacentercity | str
| | datacentercountry | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
proxy.zscaler.zia.saas_itsmField | Type | Extra fields |
---|
eventdate | timestamp
| | hostname | str
| | tenant | str
| | applicationname | str
| | filedownloadtimems | str
| | filescantimems | str
| | time | timestamp
| | epochtime | timestamp
| | recordid | str
| | filename | str
| | filetypename | str
| | filesource | str
| | filesize | int8
| | lastmodtime | str
| | epochlastmodtime | timestamp
| | filemd5 | str
| | collabscope | str
| | fullurl | str
| | suburl | str
| | department | str
| | user | str
| | policy | str
| | rulelabel | str
| | ruletype | str
| | malware | str
| | threatname | str
| | malwareclass | str
| | dlpdictnames | str
| | dlpenginenames | str
| | dlpidentifier | str
| | severity | str
| | dlpdictcount | str
| | filetypecategory | str
| | hostname2 | str
| | sha | str
| | datacenter | str
| | datacentercity | str
| | datacentercountry | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
proxy.zscaler.zia.saas_repositoryField | Type | Extra fields |
---|
eventdate | timestamp
| | hostname | str
| | tenant | str
| | applicationname | str
| | time | timestamp
| | epochtime | timestamp
| | recordid | str
| | filename | str
| | filetypename | str
| | filesize | int8
| | lastmodtime | str
| | filemd5 | str
| | collabscope | str
| | department | str
| | policy | str
| | rulelabel | str
| | ruletype | str
| | malware | str
| | threatname | str
| | malwareclass | str
| | dlpdictnames | str
| | dlpenginenames | str
| | dlpidentifier | str
| | severity | str
| | dlpdictcount | str
| | num_external_collab | str
| | filetypecategory | str
| | external_collabnames | str
| | oexternal_collabnames | str
| | filepath | str
| | sha | str
| | datacenter | str
| | datacentercity | str
| | datacentercountry | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
proxy.zscaler.zia.tunnelField | Type | Field Transformation | Source field name | Extra fields |
---|
eventdate | timestamp
| | | | hostname | str
| | | | datetime | timestamp
| Code Block |
---|
parsedate(replace(datetime_tmp, " ", " "), dateformat("ddd MMM DD HH:mm:ss YYYY", "UTC", "en-US")) |
| datetime_tmp | | tunnelactionname | str
| | | | vpncredentialname | str
| | | | locationname | str
| | | | destvip | str
| | | | sourceip | str
| | | | tunneltype | str
| | | | event | str
| | | | eventreason | str
| | | | srcport | str
| | | | recordid | str
| | | | txbytes | int8
| | | | rxbytes | int8
| | | | txpackets | int4
| | | | rxpackets | int4
| | | | dpdrec | str
| | | | lifetime | str
| | | | spi_in | str
| | | | spi_out | str
| | | | dstport | str
| | | | algo | str
| | | | authentication | str
| | | | authtype | str
| | | | vendorname | str
| | | | ikeversion | str
| | | | spi | str
| | | | destipstart | str
| | | | destipend | str
| | | | srcipstart | str
| | | | srcipend | str
| | | | srcportstart | str
| | | | destportstart | str
| | | | lifebytes | str
| | | | tunnelprotocol | str
| | | | protocol | str
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | | ✓ |
proxy.zscaler.zia.webField | Type | Field Transformation | Source field name | Extra fields |
---|
eventdate | timestamp
| | | | hostname | str
| | | | sourcetype | str
| | | | time | timestamp
| | | | datetime | timestamp
| | | | tz | str
| | | | ss | int4
| | | | mm | int4
| | | | hh | int4
| | | | dd | int4
| | | | mth | int4
| | | | mon | str
| | | | yyyy | int4
| | | | day | str
| | | | epochtime | timestamp
| | | | department | str
| | dept | | user | str
| | login | | throttlereqsize | int8
| | | | throttlerespsize | int8
| | | | bwthrottle | str
| | | | bwclassname | str
| | | | bwrulename | str
| | | | appname | str
| | | | appclass | str
| | | | module | str
| | | | bamd5 | str
| | | | datacenter | str
| | | | datacentercity | str
| | | | datacentercountry | str
| | | | dlpdictionaries | str
| | dlpdict | | dlpdicthitcount | str
| | | | dlpengine | str
| | dlpeng | | dlpidentifier | int8
| | | | dlpmd5 | str
| | | | fileclass | str
| | | | filetype | str
| | | | filesubtype | str
| | | | filename | str
| | | | upload_fileclass | str
| | | | upload_filetype | str
| | | | upload_filename | str
| | | | upload_filesubtype | str
| | | | upload_doctypename | str
| | | | unscannable | str
| | | | unscannabletype | str
| | | | reqdatasize | int8
| | | | reqhdrsize | int8
| | | | requestsize | str
| | reqsize | | respdatasize | int8
| | | | resphdrsize | int8
| | | | responsesize | str
| | respsize | | transactionsize | str
| | totalsize | | requestmethod | str
| | reqmethod | | reqversion | str
| | | | status | str
| | respcode | | respversion | str
| | | | referer_url | str
| | referer | | uaclass | str
| | | | useragent | str
| | ua | | ua_token | str
| | | | event__hostname | str
| | host | | ehost | str
| | | | eurl | str
| | | | ereferer | str
| | | | contenttype | str
| | | | refererhost | str
| | | | erefererpath | str
| | | | eurlpath | str
| | | | erefererhost | str
| | | | url | str
| | | | df_hostname | str
| | | | mobappname | str
| | | | mobappcat | str
| | | | mobdevtype | str
| | | | clientpublicIP | ip4
| | cip | | ClientIP | ip4
| | cintip | | serverip | ip4
| | sip | | protocol | str
| | proto | | trafficredirectmethod | str
| | | | location | str
| | | | rulelabel | str
| | | | ruletype | str
| | | | reason | str
| | | | action | str
| | | | ssldecrypted | str
| | | | clientsslcipher | str
| | | | clienttlsversion | str
| | | | clientsslsessreuse | str
| | | | srvsslcipher | str
| | | | srvtlsversion | str
| | | | srvocspresult | str
| | | | srvcertchainvalpass | str
| | | | srvwildcardcert | str
| | | | serversslsessreuse | str
| | | | srvcertvalidationtype | str
| | | | srvcertvalidityperiod | str
| | | | pagerisk | str
| | riskscore | | threatname | str
| | | | threatclass | str
| | malwareclass | | threatcategory | str
| | malwarecat | | urlclass | str
| | | | urlsupercategory | str
| | urlsupercat | | urlcategory | str
| | urlcat | | devicehostname | str
| | | | devicemodel | str
| | | | devicename | str
| | | | deviceostype | str
| | | | deviceosversion | str
| | | | deviceowner | str
| | | | deviceappversion | ip4
| | | | ztunnelversion | str
| | | | recordid | int8
| | | | event_id | str
| | recordid | | product | str
| | | | productversion | str
| | | | vendor | str
| | | | nsssvcip | ip4
| | | | eedone | str
| | | | keyprotectiontype | str
| | | | event | json
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | | ✓ |
|
How is the data sent to Devo?
You can forward the logs generated by Zscaler, in either CEF0 or CSV format, using any syslog drain (for example, Syslog-ng).
Note |
---|
Please contact Devo support for guidance on configuring the output of the Zscaler NSS Web / Firewall feeds (for example, the field order for CSV format, or the csX and cnX field mapping for CEF format) before you start using the nss_web or nss_firewall parsers. |
...