diff --git a/packages/zscaler_zia/_dev/build/docs/README.md b/packages/zscaler_zia/_dev/build/docs/README.md
index 5986d3fb15b..a393e331708 100644
--- a/packages/zscaler_zia/_dev/build/docs/README.md
+++ b/packages/zscaler_zia/_dev/build/docs/README.md
@@ -214,14 +214,14 @@ Sample Response: ![Escape feed setup image](../img/escape_feed.png?raw=true) See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/nss-feed-output-format-web-logs) -Zscaler Web Log response format (v5): +Zscaler Web Log response format (v6): ``` -\{"sourcetype":"zscalernss-web","event":\{"time":"%s{time}","cloudname":"%s{cloudname}","host":"%s{host}","serverip":"%s{sip}","external_devid":"%s{external_devid}","devicemodel":"%s{devicemodel}","action":"%s{action}","recordid":"%d{recordid}","reason":"%s{reason}","threatseverity":"%s{threatseverity}","tz":"%s{tz}","filesubtype":"%s{filesubtype}","upload_filesubtype":"%s{upload_filesubtype}","sha256":"%s{sha256}","bamd5":"%s{bamd5}","filename":"%s(unknown)","upload_filename":"%s{upload_filename}","filetype":"%s{filetype}","devicename":"%s{devicename}","devicehostname":"%s{devicehostname}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","devicetype":"%s{devicetype}","reqsize":"%d{reqsize}","reqmethod":"%s{reqmethod}","refererurl":"%s{referer}","respsize":"%d{respsize}","respcode":"%s{respcode}","reqversion":"%s{reqversion}","respversion":"%s{respversion}","proto":"%s{proto}","company":"%s{company}","dlpmd5":"%s{dlpmd5}","apprulelabel":"%s{apprulelabel}","dlprulename":"%s{dlprulename}","rulelabel":"%s{rulelabel}","urlfilterrulelabel":"%s{urlfilterrulelabel}","cltip":"%s{cip}","cltintip":"%s{cintip}","cltsourceport":"%d{clt_sport}","threatname":"%s{threatname}","cltsslcipher":"%s{clientsslcipher}","clttlsversion":"%s{clienttlsversion}","eurl":"%s{eurl}","url":"%s{url}","useragent":"%s{ua}","login":"%s{login}","applayerprotocol":"%s{alpnprotocol}","appclass":"%s{appclass}","appname":"%s{appname}","appriskscore":"%s{app_risk_score}","bandwidthclassname":"%s{bwclassname}","bandwidthrulename":"%s{bwrulename}","bwthrottle":"%s{bwthrottle}","bypassedtime":"%s{bypassed_etime}","bypassedtraffic":"%d{bypassed_traffic}","cltsslsessreuse":"%s{clientsslsessreuse}","cltpubip":"%
s{cpubip}","cltsslfailcount":"%d{cltsslfailcount}","cltsslfailreason":"%s{cltsslfailreason}","contenttype":"%s{contenttype}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","datacenter":"%s{datacenter}","day":"%s{day}","day_of_month":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","deviceowner":"%s{deviceowner}","df_hosthead":"%s{df_hosthead}","df_hostname":"%s{df_hostname}","dlpdicthitcount":"%s{dlpdicthitcount}","dlpdict":"%s{dlpdict}","dlpeng":"%s{dlpeng}","dlpidentifier":"%d{dlpidentifier}","eedone":"%s{eedone}","epochtime":"%d{epochtime}","fileclass":"%s{fileclass}","flow_type":"%s{flow_type}","forward_gateway_ip":"%s{fwd_gw_ip}","forward_gateway_name":"%s{fwd_gw_name}","forward_type":"%s{fwd_type}","hour":"%02d{hh}","is_sslexpiredca":"%s{is_sslexpiredca}","is_sslselfsigned":"%s{is_sslselfsigned}","is_ssluntrustedca":"%s{is_ssluntrustedca}","keyprotectiontype":"%s{keyprotectiontype}","location":"%s{location}","malwarecategory":"%s{malwarecat}","malwareclass":"%s{malwareclass}","minute":"%02d{mm}","mobappcategory":"%s{mobappcat}","mobappname":"%s{mobappname}","mobdevtype":"%s{mobdevtype}","module":"%s{module}","month":"%s{mon}","month_of_year":"%02d{mth}","nssserviceip":"%s{nsssvcip}","oapprulelabel":"%s{oapprulelabel}","obwclassname":"%s{obwclassname}","ocip":"%d{ocip}","ocpubip":"%d{ocpubip}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odlpdict":"%s{odlpdict}","odlpeng":"%s{odlpeng}","odlprulename":"%s{odlprulename}","ofwd_gw_name":"%s{ofwd_gw_name}","ologin":"%s{ologin}","ordr_rulename":"%s{ordr_rulename}","ourlcat":"%s{ourlcat}","ourlfilterrulelabel":"%s{ourlfilterrulelabel}","ozpa_app_seg_name":"%s{ozpa_app_seg_name}","externalsslpolicyreason":"%s{externalspr}","productversion":"%s{productversion}","rdr_rulename":"%s{rdr_rulename}","refererhost":"%s{refererhost}","reqheadersize":"%d{reqhdrsize}","reqdatasize":"%d{reqdatasize}","respheaders
ize":"%d{resphdrsize}","respdatasize":"%d{respdatasize}","riskscore":"%d{riskscore}","ruletype":"%s{ruletype}","second":"%02d{ss}","srvcertchainvalpass":"%s{srvcertchainvalpass}","srvcertvalidationtype":"%s{srvcertvalidationtype}","srvcertvalidityperiod":"%s{srvcertvalidityperiod}","srvsslcipher":"%s{srvsslcipher}","serversslsessreuse":"%s{serversslsessreuse}","srvocspresult":"%s{srvocspresult}","srvtlsversion":"%s{srvtlsversion}","srvwildcardcert":"%s{srvwildcardcert}","ssldecrypted":"%s{ssldecrypted}","throttlereqsize":"%d{throttlereqsize}","throttlerespsize":"%d{throttlerespsize}","totalsize":"%d{totalsize}","trafficredirectmethod":"%s{trafficredirectmethod}","unscannabletype":"%s{unscannabletype}","upload_doctypename":"%s{upload_doctypename}","upload_fileclass":"%s{upload_fileclass}","upload_filetype":"%s{upload_filetype}","urlcatmethod":"%s{urlcatmethod}","urlsubcat":"%s{urlcat}","urlsupercat":"%s{urlsupercat}","urlclass":"%s{urlclass}","useragentclass":"%s{uaclass}","useragenttoken":"%s{ua_token}","userlocationname":"%s{userlocationname}","year":"%04d{yyyy}","ztunnelversion":"%s{ztunnelversion}","zpa_app_seg_name":"%s{zpa_app_seg_name}"\}\} 
+\{"sourcetype":"zscalernss-web","event":\{"time":"%s{time}","cloudname":"%s{cloudname}","host":"%s{host}","serverip":"%s{sip}","external_devid":"%s{external_devid}","devicemodel":"%s{devicemodel}","action":"%s{action}","recordid":"%d{recordid}","reason":"%s{reason}","threatseverity":"%s{threatseverity}","tz":"%s{tz}","filesubtype":"%s{filesubtype}","upload_filesubtype":"%s{upload_filesubtype}","sha256":"%s{sha256}","bamd5":"%s{bamd5}","filename":"%s(unknown)","upload_filename":"%s{upload_filename}","filetype":"%s{filetype}","devicename":"%s{devicename}","devicehostname":"%s{devicehostname}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","devicetype":"%s{devicetype}","reqsize":"%d{reqsize}","reqmethod":"%s{reqmethod}","refererurl":"%s{referer}","respsize":"%d{respsize}","respcode":"%s{respcode}","reqversion":"%s{reqversion}","respversion":"%s{respversion}","proto":"%s{proto}","company":"%s{company}","dlpmd5":"%s{dlpmd5}","apprulelabel":"%s{apprulelabel}","dlprulename":"%s{dlprulename}","rulelabel":"%s{rulelabel}","urlfilterrulelabel":"%s{urlfilterrulelabel}","cltip":"%s{cip}","cltintip":"%s{cintip}","cltsourceport":"%d{clt_sport}","threatname":"%s{threatname}","cltsslcipher":"%s{clientsslcipher}","clttlsversion":"%s{clienttlsversion}","eurl":"%s{eurl}","useragent":"%s{ua}","login":"%s{login}","applayerprotocol":"%s{alpnprotocol}","appclass":"%s{appclass}","appname":"%s{appname}","appriskscore":"%s{app_risk_score}","bandwidthclassname":"%s{bwclassname}","bandwidthrulename":"%s{bwrulename}","bwthrottle":"%s{bwthrottle}","bypassedtime":"%s{bypassed_etime}","bypassedtraffic":"%d{bypassed_traffic}","cltsslsessreuse":"%s{clientsslsessreuse}","cltpubip":"%s{cpubip}","cltsslfailcount":"%d{cltsslfailcount}","cltsslfailreason":"%s{cltsslfailreason}","contenttype":"%s{contenttype}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","datacenter":"%s{datacenter}","day":"%s{day}","day_of_month":"%02d{dd}","dept":"%s{dept}
","deviceappversion":"%s{deviceappversion}","deviceowner":"%s{deviceowner}","df_hosthead":"%s{df_hosthead}","df_hostname":"%s{df_hostname}","dlpdicthitcount":"%s{dlpdicthitcount}","dlpdict":"%s{dlpdict}","dlpeng":"%s{dlpeng}","dlpidentifier":"%d{dlpidentifier}","eedone":"%s{eedone}","epochtime":"%d{epochtime}","fileclass":"%s{fileclass}","flow_type":"%s{flow_type}","forward_gateway_ip":"%s{fwd_gw_ip}","forward_gateway_name":"%s{fwd_gw_name}","forward_type":"%s{fwd_type}","hour":"%02d{hh}","is_sslexpiredca":"%s{is_sslexpiredca}","is_sslselfsigned":"%s{is_sslselfsigned}","is_ssluntrustedca":"%s{is_ssluntrustedca}","keyprotectiontype":"%s{keyprotectiontype}","location":"%s{location}","malwarecategory":"%s{malwarecat}","malwareclass":"%s{malwareclass}","minute":"%02d{mm}","mobappcategory":"%s{mobappcat}","mobappname":"%s{mobappname}","mobdevtype":"%s{mobdevtype}","module":"%s{module}","month":"%s{mon}","month_of_year":"%02d{mth}","nssserviceip":"%s{nsssvcip}","oapprulelabel":"%s{oapprulelabel}","obwclassname":"%s{obwclassname}","ocip":"%d{ocip}","ocpubip":"%d{ocpubip}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odlpdict":"%s{odlpdict}","odlpeng":"%s{odlpeng}","odlprulename":"%s{odlprulename}","ofwd_gw_name":"%s{ofwd_gw_name}","ologin":"%s{ologin}","ordr_rulename":"%s{ordr_rulename}","ourlcat":"%s{ourlcat}","ourlfilterrulelabel":"%s{ourlfilterrulelabel}","ozpa_app_seg_name":"%s{ozpa_app_seg_name}","externalsslpolicyreason":"%s{externalspr}","productversion":"%s{productversion}","rdr_rulename":"%s{rdr_rulename}","refererhost":"%s{refererhost}","reqheadersize":"%d{reqhdrsize}","reqdatasize":"%d{reqdatasize}","respheadersize":"%d{resphdrsize}","respdatasize":"%d{respdatasize}","riskscore":"%d{riskscore}","ruletype":"%s{ruletype}","second":"%02d{ss}","srvcertchainvalpass":"%s{srvcertchainvalpass}","srvcertvalidationtype":"%s{srvcertvalidationtype}","srvcertvalidityperiod":"%s{srvcertvalidityperiod}","srvsslciphe
r":"%s{srvsslcipher}","serversslsessreuse":"%s{serversslsessreuse}","srvocspresult":"%s{srvocspresult}","srvtlsversion":"%s{srvtlsversion}","srvwildcardcert":"%s{srvwildcardcert}","ssldecrypted":"%s{ssldecrypted}","throttlereqsize":"%d{throttlereqsize}","throttlerespsize":"%d{throttlerespsize}","totalsize":"%d{totalsize}","trafficredirectmethod":"%s{trafficredirectmethod}","unscannabletype":"%s{unscannabletype}","upload_doctypename":"%s{upload_doctypename}","upload_fileclass":"%s{upload_fileclass}","upload_filetype":"%s{upload_filetype}","urlcatmethod":"%s{urlcatmethod}","urlsubcat":"%s{urlcat}","urlsupercat":"%s{urlsupercat}","urlclass":"%s{urlclass}","useragentclass":"%s{uaclass}","useragenttoken":"%s{ua_token}","userlocationname":"%s{userlocationname}","year":"%04d{yyyy}","ztunnelversion":"%s{ztunnelversion}","zpa_app_seg_name":"%s{zpa_app_seg_name}"\}\} ``` Sample Response: ```json -{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client 
Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.trythisencodeurl.com/index","url":"www.trythisencodeurl.com/index","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google 
Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical 
(90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.trythisencodeurl.com/index","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web 
Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome 
(0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} ``` ### Enabling the integration in Elastic:
diff --git a/packages/zscaler_zia/changelog.yml b/packages/zscaler_zia/changelog.yml
index 3eda3016822..8d1dc38bcb6 100644
--- a/packages/zscaler_zia/changelog.yml
+++ b/packages/zscaler_zia/changelog.yml
@@ -1,4 +1,9 @@ # newer versions go on top
+- version: "3.1.0"
+ changes:
+ - description: Remove url field from web logs.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10776 - version: "3.0.4" changes: - description: Update response format version numbers.
diff --git a/packages/zscaler_zia/data_stream/sandbox_report/_dev/test/pipeline/test-common-config.yml b/packages/zscaler_zia/data_stream/sandbox_report/_dev/test/pipeline/test-common-config.yml
index 36106b22efb..1f0a54d166d 100644
--- a/packages/zscaler_zia/data_stream/sandbox_report/_dev/test/pipeline/test-common-config.yml
+++ b/packages/zscaler_zia/data_stream/sandbox_report/_dev/test/pipeline/test-common-config.yml
@@ -2,7 +2,6 @@ fields: tags: - preserve_original_event - preserve_duplicate_custom_fields - dynamic_fields: # This can be removed after ES 8.14 is the minimum version. # Relates: https://github.com/elastic/elasticsearch/pull/105689
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-common-config.yml b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-common-config.yml
index 36106b22efb..1f0a54d166d 100644
--- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-common-config.yml
+++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-common-config.yml
@@ -2,7 +2,6 @@ fields: tags: - preserve_original_event - preserve_duplicate_custom_fields - dynamic_fields: # This can be removed after ES 8.14 is the minimum version. # Relates: https://github.com/elastic/elasticsearch/pull/105689
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log
index 2791ee5b91f..aeac0d96f76 100644
--- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log
+++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log
@@ -1,2 +1,2 @@ -{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"81.2.69.142","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":"123456789","reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"rar","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":"1300","reqmethod":"invalid","refererurl":"www.example.com","respsize":"10500","respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_1","cltip":"81.2.69.142","cltintip":"81.2.69.142","cltsourceport":"1235","threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.trythisencodeurl.com%2Findex","url":"www.trythisencodeurl.com/index","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"None","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"0","cltsslsessreuse":"Unknown","cltpubip":"81.2.69.142","cltsslfailcount":"100","cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node 
DC","day":"Mon","day_of_month":"16","dept":"Sales","deviceappversion":"81.2.69.142","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":"6646484838839026000","eedone":"Yes","epochtime":"1578128400","fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":"22","is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":"55","mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":"10","nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":"6200694987","ocpubip":"624054738","odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":"300","reqdatasize":"1000","respheadersize":"500","respdatasize":"10000","riskscore":"10","ruletype":"File Type Control","second":"48","srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":"5","throttlerespsize":"7","totalsize":"11800","trafficredirectmethod":"DNAT (Destination 
Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":"2023","ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} -{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"81.2.69.142","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Blocked","recordid":"123456789","reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"rar","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":"1300","reqmethod":"invalid","refererurl":"www.example.com","respsize":"10500","respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_1","cltip":"81.2.69.142","cltintip":"81.2.69.142","cltsourceport":"1235","threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.trythisencodeurl.com%2Findex","url":"www.trythisencodeurl.com/index","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe 
Connect","appriskscore":"None","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"81.2.69.142","cltsslfailcount":"100","cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","dept":"Sales","deviceappversion":"81.2.69.142","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":"6646484838839026000","eedone":"Yes","epochtime":"1578128400","fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":"22","is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":"55","mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":"10","nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":"6200694987","ocpubip":"624054738","odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":"300","reqdatasize":"1000","respheadersize":"500","respdatasize":"10000","riskscore":"10","ruletype":"File Type 
Control","second":"48","srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":"5","throttlerespsize":"7","totalsize":"11800","trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":"2023","ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} \ No newline at end of file +{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"81.2.69.142","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":"123456789","reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"rar","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client 
Connector","reqsize":"1300","reqmethod":"invalid","refererurl":"www.example.com","respsize":"10500","respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_1","cltip":"81.2.69.142","cltintip":"81.2.69.142","cltsourceport":"1235","threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.trythisencodeurl.com%2Findex","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"None","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"0","cltsslsessreuse":"Unknown","cltpubip":"81.2.69.142","cltsslfailcount":"100","cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","dept":"Sales","deviceappversion":"81.2.69.142","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":"6646484838839026000","eedone":"Yes","epochtime":"1578128400","fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":"22","is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":"55","mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google 
Android","module":"Administration","month":"Oct","month_of_year":"10","nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":"6200694987","ocpubip":"624054738","odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":"300","reqdatasize":"1000","respheadersize":"500","respdatasize":"10000","riskscore":"10","ruletype":"File Type Control","second":"48","srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":"5","throttlerespsize":"7","totalsize":"11800","trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":"2023","ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"81.2.69.142","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Blocked","recordid":"123456789","reason":"File Attachment Cautioned","threatseverity":"Critical 
(90–100)","tz":"GMT","filesubtype":"rar","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":"1300","reqmethod":"invalid","refererurl":"www.example.com","respsize":"10500","respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_1","cltip":"81.2.69.142","cltintip":"81.2.69.142","cltsourceport":"1235","threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.trythisencodeurl.com%2Findex","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"None","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"81.2.69.142","cltsslfailcount":"100","cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","dept":"Sales","deviceappversion":"81.2.69.142","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":"6646484838839026000","eedone":"Yes","epochtime":"1578128400","fileclass":"Active Web 
Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":"22","is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":"55","mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":"10","nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":"6200694987","ocpubip":"624054738","odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":"300","reqdatasize":"1000","respheadersize":"500","respdatasize":"10000","riskscore":"10","ruletype":"File Type Control","second":"48","srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":"5","throttlerespsize":"7","totalsize":"11800","trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome 
(0.x)","userlocationname":"userlocationname","year":"2023","ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}}
\ No newline at end of file
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json
index 069c19cc37c..d65fa098a97 100644
--- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json
+++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json
@@ -37,7 +37,7 @@ ], "id": "123456789", "kind": "event", - "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"81.2.69.142\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Allowed\",\"recordid\":\"123456789\",\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"rar\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":\"1300\",\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"respsize\":\"10500\",\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_1\",\"cltip\":\"81.2.69.142\",\"cltintip\":\"81.2.69.142\",\"cltsourceport\":\"1235\",\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.trythisencodeurl.com%2Findex\",\"url\":\"www.trythisencodeurl.com/index\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"None\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"0\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"81.2.69.142\",\"cltsslfailcount\":\"100\",\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"dept\":\"Sales\",\"deviceappversion\":\"81.2.69.142\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":\"6646484838839026000\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":\"22\",\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":\"55\",\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":\"6200694987\",\"ocpubip\":\"624054738\",\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":\"300\",\"reqdatasize\":\"1000\",\"respheadersize\":\"500\",\"respdatasize\":\"10000\",\"riskscore\":\"10\",\"ruletype\":\"File Type Control\",\"second\":\"48\",\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":\"5\",\"throttlerespsize\":\"7\",\"totalsize\":\"11800\",\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":\"2023\",\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"81.2.69.142\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Allowed\",\"recordid\":\"123456789\",\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"rar\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 
10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":\"1300\",\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"respsize\":\"10500\",\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_1\",\"cltip\":\"81.2.69.142\",\"cltintip\":\"81.2.69.142\",\"cltsourceport\":\"1235\",\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.trythisencodeurl.com%2Findex\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"None\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"0\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"81.2.69.142\",\"cltsslfailcount\":\"100\",\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"dept\":\"Sales\",\"deviceappversion\":\"81.2.69.142\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":\"6646484838839026000\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":\"22\",\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM 
Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":\"55\",\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":\"6200694987\",\"ocpubip\":\"624054738\",\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":\"300\",\"reqdatasize\":\"1000\",\"respheadersize\":\"500\",\"respdatasize\":\"10000\",\"riskscore\":\"10\",\"ruletype\":\"File Type Control\",\"second\":\"48\",\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":\"5\",\"throttlerespsize\":\"7\",\"totalsize\":\"11800\",\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome 
(0.x)\",\"userlocationname\":\"userlocationname\",\"year\":\"2023\",\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}",
 "reason": "File Attachment Cautioned",
 "timezone": "GMT",
 "type": [
@@ -461,7 +461,7 @@ ], "id": "123456789", "kind": "event", - "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"81.2.69.142\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Blocked\",\"recordid\":\"123456789\",\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"rar\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":\"1300\",\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"respsize\":\"10500\",\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_1\",\"cltip\":\"81.2.69.142\",\"cltintip\":\"81.2.69.142\",\"cltsourceport\":\"1235\",\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.trythisencodeurl.com%2Findex\",\"url\":\"www.trythisencodeurl.com/index\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"None\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"81.2.69.142\",\"cltsslfailcount\":\"100\",\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"dept\":\"Sales\",\"deviceappversion\":\"81.2.69.142\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":\"6646484838839026000\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":\"22\",\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":\"55\",\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":\"6200694987\",\"ocpubip\":\"624054738\",\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":\"300\",\"reqdatasize\":\"1000\",\"respheadersize\":\"500\",\"respdatasize\":\"10000\",\"riskscore\":\"10\",\"ruletype\":\"File Type Control\",\"second\":\"48\",\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":\"5\",\"throttlerespsize\":\"7\",\"totalsize\":\"11800\",\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":\"2023\",\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"81.2.69.142\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Blocked\",\"recordid\":\"123456789\",\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"rar\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 
10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":\"1300\",\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"respsize\":\"10500\",\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_1\",\"cltip\":\"81.2.69.142\",\"cltintip\":\"81.2.69.142\",\"cltsourceport\":\"1235\",\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.trythisencodeurl.com%2Findex\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"None\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"81.2.69.142\",\"cltsslfailcount\":\"100\",\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"dept\":\"Sales\",\"deviceappversion\":\"81.2.69.142\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":\"6646484838839026000\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":\"22\",\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM 
Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":\"55\",\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":\"6200694987\",\"ocpubip\":\"624054738\",\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":\"300\",\"reqdatasize\":\"1000\",\"respheadersize\":\"500\",\"respdatasize\":\"10000\",\"riskscore\":\"10\",\"ruletype\":\"File Type Control\",\"second\":\"48\",\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":\"5\",\"throttlerespsize\":\"7\",\"totalsize\":\"11800\",\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome 
(0.x)\",\"userlocationname\":\"userlocationname\",\"year\":\"2023\",\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}",
 "reason": "File Attachment Cautioned",
 "timezone": "GMT",
 "type": [
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log
index 2ee6f1318f9..3d2aa66c80e 100644
--- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log
+++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log
@@ -1,4 +1,4 @@
-{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.trythisencodeurl.com:443/index?qtime=2023-04-12T23%3A20%3A50.52Z","url":"www.trythisencodeurl.com:443/index?qtime=2023-04-12T23:20:50.52Z","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node 
DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted 
File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}}
-{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 17 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.1","external_devid":"2345","devicemodel":"20L8S7WC09","action":"Allowed","recordid":123456780,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.example.com%3A443","url":"www.example.com:443","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 
365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended 
Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}}
-{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 18 23:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.2","external_devid":"2346","devicemodel":"20L8S7WC10","action":"Allowed","recordid":123456781,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"SSL","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test 
File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.example.com.com/params?Id=1&ts=2006-01-02T15%3A04%3A05Z07%3A00&user=65792&version=10.0.19041.1266","url":"www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1&ts=2006-01-02T15:04:05Z07:00","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google 
Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}}
-{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 18 23:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.2","external_devid":"2346","devicemodel":"20L8S7WC10","action":"Allowed","recordid":123456781,"reason":"File Attachment Cautioned","threatseverity":"Critical 
(90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"SSL","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.youtube.com/api/stats/abcd?afmt=251&bat=330.017%3A0.96%3A1&bh=330.017%3A121.264&bwe=330.017%3A7458601&bwm=330.017%3A2407754%3A0.844&c=WEB&cbr=Edge+Chromium&cbrver=115.0.0.0&cl=655399956&cmt=330.017%3A328.837&cos=Windows&cosver=10.0&cplatform=DESKTOP&cplayer=UNIPLAYER&cpn=FUB73SQWxSHKADxvJ&cver=2.20240724.03.00&docid=WVhG_sNVLasD&el=detailpage&fexp=v1%2C23848225%2C137802%2C18617%2C204121%2C230596%2C222097%2C16229%2C133212%2C14625955%2C11684381%2C7222%2C14207%2C9859%2C12177%2C9954%2C1192%2C7913%2C18310%2C273%2C4147%2C2819%2C2%2C16344%2C1424%2C19204%2C9948%2C2196%2C9996%2C19%2C2%2C1082%2C6953%2C101%2C1401%2C9542%2C2471%2C3292%2C2716%2C1538%2C723%2C2575%2C9567%2C1375%2C3761%2C4162%2C8610%2C173%2C201%2C10406%2C321%2C148%2C2%2C343%2C1783%2C14%2C1322%2C50%2C621%2C702%2C1062%2C1769%2C1823%2C896%2C2291%2C2912%2C7568%2C342&fmt=398&ns=yt&referrer=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Disa90_67as&sdetail=rv%3Aisa89_68ad&seq=13&sourceid=yw&vps=330.017%3APL","url":"www.youtube.com/api/stats/abcd?fm
t=398&afmt=251&cpn=FUB73SQWxSHKADxvJ&el=detailpage&ns=yt&fexp=v1,23848225,137802,18617,204121,230596,222097,16229,133212,14625955,11684381,7222,14207,9859,12177,9954,1192,7913,18310,273,4147,2819,2,16344,1424,19204,9948,2196,9996,19,2,1082,6953,101,1401,9542,2471,3292,2716,1538,723,2575,9567,1375,3761,4162,8610,173,201,10406,321,148,2,343,1783,14,1322,50,621,702,1062,1769,1823,896,2291,2912,7568,342&cl=655399956&seq=13&docid=WVhG_sNVLasD&referrer=https://www.youtube.com/watch?v=isa90_67as&sdetail=rv:isa89_68ad&sourceid=yw&cbr=Edge%20Chromium&cbrver=115.0.0.0&c=WEB&cver=2.20240724.03.00&cplayer=UNIPLAYER&cos=Windows&cosver=10.0&cplatform=DESKTOP&vps=330.017:PL&bwm=330.017:2407754:0.844&bwe=330.017:7458601&bat=330.017:0.96:1&cmt=330.017:328.837&bh=330.017:121.264","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM 
Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}}
\ No newline at end of file
+{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 
2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.trythisencodeurl.com:443/index?qtime=2023-04-12T23%3A20%3A50.52Z","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node 
DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted 
File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}}
+{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 17 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.1","external_devid":"2345","devicemodel":"20L8S7WC09","action":"Allowed","recordid":123456780,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.example.com%3A443","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 
16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended 
Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}}
+{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 18 23:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.2","external_devid":"2346","devicemodel":"20L8S7WC10","action":"Allowed","recordid":123456781,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"SSL","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test 
File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.example.com.com/params?Id=1&ts=2006-01-02T15%3A04%3A05Z07%3A00&user=65792&version=10.0.19041.1266","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google 
Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}}
+{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 18 23:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.2","external_devid":"2346","devicemodel":"20L8S7WC10","action":"Allowed","recordid":123456781,"reason":"File Attachment Cautioned","threatseverity":"Critical 
(90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"SSL","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.youtube.com/api/stats/abcd?afmt=251&bat=330.017%3A0.96%3A1&bh=330.017%3A121.264&bwe=330.017%3A7458601&bwm=330.017%3A2407754%3A0.844&c=WEB&cbr=Edge+Chromium&cbrver=115.0.0.0&cl=655399956&cmt=330.017%3A328.837&cos=Windows&cosver=10.0&cplatform=DESKTOP&cplayer=UNIPLAYER&cpn=FUB73SQWxSHKADxvJ&cver=2.20240724.03.00&docid=WVhG_sNVLasD&el=detailpage&fexp=v1%2C23848225%2C137802%2C18617%2C204121%2C230596%2C222097%2C16229%2C133212%2C14625955%2C11684381%2C7222%2C14207%2C9859%2C12177%2C9954%2C1192%2C7913%2C18310%2C273%2C4147%2C2819%2C2%2C16344%2C1424%2C19204%2C9948%2C2196%2C9996%2C19%2C2%2C1082%2C6953%2C101%2C1401%2C9542%2C2471%2C3292%2C2716%2C1538%2C723%2C2575%2C9567%2C1375%2C3761%2C4162%2C8610%2C173%2C201%2C10406%2C321%2C148%2C2%2C343%2C1783%2C14%2C1322%2C50%2C621%2C702%2C1062%2C1769%2C1823%2C896%2C2291%2C2912%2C7568%2C342&fmt=398&ns=yt&referrer=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Disa90_67as&sdetail=rv%3Aisa89_68ad&seq=13&sourceid=yw&vps=330.017%3APL","useragent":"Mozilla/5.0","login":"jdoe@
safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for 
http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}}
\ No newline at end of file
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json
index 6e17e033539..73ba3678ed7 100644
--- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json
+++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json
@@ -25,7 +25,7 @@ ], "id": "123456789", "kind": "event", - "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.0\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Allowed\",\"recordid\":123456789,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.trythisencodeurl.com:443/index?qtime=2023-04-12T23%3A20%3A50.52Z\",\"url\":\"www.trythisencodeurl.com:443/index?qtime=2023-04-12T23:20:50.52Z\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 
22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.0\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.0\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Allowed\",\"recordid\":123456789,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 
18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.trythisencodeurl.com:443/index?qtime=2023-04-12T23%3A20%3A50.52Z\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.0\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM 
Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome 
(0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}",
 "reason": "File Attachment Cautioned",
 "timezone": "GMT",
 "type": [
@@ -445,7 +445,7 @@ ], "id": "123456780", "kind": "event", - "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 17 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.1\",\"external_devid\":\"2345\",\"devicemodel\":\"20L8S7WC09\",\"action\":\"Allowed\",\"recordid\":123456780,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.example.com%3A443\",\"url\":\"www.example.com:443\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 17 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.1\",\"external_devid\":\"2345\",\"devicemodel\":\"20L8S7WC09\",\"action\":\"Allowed\",\"recordid\":123456780,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 
18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.example.com%3A443\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM 
Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome 
(0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}",
 "reason": "File Attachment Cautioned",
 "timezone": "GMT",
 "type": [
@@ -863,7 +863,7 @@ ], "id": "123456781", "kind": "event", - "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 18 23:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.2\",\"external_devid\":\"2346\",\"devicemodel\":\"20L8S7WC10\",\"action\":\"Allowed\",\"recordid\":123456781,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"SSL\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.example.com.com/params?Id=1&ts=2006-01-02T15%3A04%3A05Z07%3A00&user=65792&version=10.0.19041.1266\",\"url\":\"www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1&ts=2006-01-02T15:04:05Z07:00\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe 
Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google 
Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 18 23:55:48 
2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.2\",\"external_devid\":\"2346\",\"devicemodel\":\"20L8S7WC10\",\"action\":\"Allowed\",\"recordid\":123456781,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"SSL\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.example.com.com/params?Id=1&ts=2006-01-02T15%3A04%3A05Z07%3A00&user=65792&version=10.0.19041.1266\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record 
Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended 
Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}",
 "reason": "File Attachment Cautioned",
 "timezone": "GMT",
 "type": [
@@ -1243,7 +1243,7 @@
 "category_method": "Database A",
 "class": "Bandwidth Loss",
 "filter_rule_label": "URL_Filtering_2",
- "name": "www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1&ts=2006-01-02T15:04:05Z07:00"
+ "name": "www.example.com.com/params?Id=1&ts=2006-01-02T15:04:05Z07:00&user=65792&version=10.0.19041.1266"
 },
 "user_agent": {
 "class": "Firefox",
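Review bot: The new expected `url.name` in the `@@ -1243` hunk is the percent-decoded form of the `eurl` sample (`%3A` becomes `:`, parameter order now that of `eurl`), and the `url` key is dropped from `event.original` in the `@@ -25`, `@@ -445` and `@@ -863` hunks, which suggests the pipeline now derives `url.name` by decoding `eurl` instead of reading a separate field. If so, these fixtures only pin well-formed `%XX` input: nothing here shows the result for a malformed sequence such as a trailing `%`, or whether such an event is tagged with an error rather than dropped, and the last hunk's `eurl` carries `cbr=Edge+Chromium` where the removed `url` read `cbr=Edge%20Chromium`, so a plain percent-decode will not reproduce the previous value there. Adding a sample line with a malformed `eurl` to the test log and its expected entry here would make the decode behaviour visible in review, and the decode should be applied exactly once so the indexed `url.name` stays the value the proxy observed. The enclosing event object of each hunk starts and ends outside the hunk.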
@@ -1282,7 +1282,7 @@ ], "id": "123456781", "kind": "event", - "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 18 23:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.2\",\"external_devid\":\"2346\",\"devicemodel\":\"20L8S7WC10\",\"action\":\"Allowed\",\"recordid\":123456781,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"SSL\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test 
File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.youtube.com/api/stats/abcd?afmt=251&bat=330.017%3A0.96%3A1&bh=330.017%3A121.264&bwe=330.017%3A7458601&bwm=330.017%3A2407754%3A0.844&c=WEB&cbr=Edge+Chromium&cbrver=115.0.0.0&cl=655399956&cmt=330.017%3A328.837&cos=Windows&cosver=10.0&cplatform=DESKTOP&cplayer=UNIPLAYER&cpn=FUB73SQWxSHKADxvJ&cver=2.20240724.03.00&docid=WVhG_sNVLasD&el=detailpage&fexp=v1%2C23848225%2C137802%2C18617%2C204121%2C230596%2C222097%2C16229%2C133212%2C14625955%2C11684381%2C7222%2C14207%2C9859%2C12177%2C9954%2C1192%2C7913%2C18310%2C273%2C4147%2C2819%2C2%2C16344%2C1424%2C19204%2C9948%2C2196%2C9996%2C19%2C2%2C1082%2C6953%2C101%2C1401%2C9542%2C2471%2C3292%2C2716%2C1538%2C723%2C2575%2C9567%2C1375%2C3761%2C4162%2C8610%2C173%2C201%2C10406%2C321%2C148%2C2%2C343%2C1783%2C14%2C1322%2C50%2C621%2C702%2C1062%2C1769%2C1823%2C896%2C2291%2C2912%2C7568%2C342&fmt=398&ns=yt&referrer=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Disa90_67as&sdetail=rv%3Aisa89_68ad&seq=13&sourceid=yw&vps=330.017%3APL\",\"url\":\"www.youtube.com/api/stats/abcd?fmt=398&afmt=251&cpn=FUB73SQWxSHKADxvJ&el=detailpage&ns=yt&fexp=v1,23848225,137802,18617,204121,230596,222097,16229,133212,14625955,11684381,7222,14207,9859,12177,9954,1192,7913,18310,273,4147,2819,2,16344,1424,19204,9948,2196,9996,19,2,1082,6953,101,1401,9542,2471,3292,2716,1538,723,2575,9567,1375,3761,4162,8610,173,201,10406,321,148,2,343,1783,14,1322,50,621,702,1062,1769,1823,896,2291,2912,7568,342&cl=655399956&seq=13&docid=WVhG_sNVLasD&referrer=https://www.youtube.com/watch?v=isa90_67as&sdetail=rv:isa89_68ad&sourceid=yw&cbr=Edge%20Chromium&cbrver=115.0.0.0&c=WEB&cver=2.20240724.03.00&cplayer=UNIPLAYER&cos=Windows&cosver=10.0&cplatform=DESKTOP&vps=330.017:PL&bwm=330.017:2407754:0.844&bwe=330.017:7458601&bat=330.017:0.96:1&cmt=330.017:328.837&bh=330.017:121.264\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"a
ppname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google 
Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 18 23:55:48 
2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.2\",\"external_devid\":\"2346\",\"devicemodel\":\"20L8S7WC10\",\"action\":\"Allowed\",\"recordid\":123456781,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"refererurl\":\"www.example.com\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"SSL\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test 
File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"eurl\":\"www.youtube.com/api/stats/abcd?afmt=251&bat=330.017%3A0.96%3A1&bh=330.017%3A121.264&bwe=330.017%3A7458601&bwm=330.017%3A2407754%3A0.844&c=WEB&cbr=Edge+Chromium&cbrver=115.0.0.0&cl=655399956&cmt=330.017%3A328.837&cos=Windows&cosver=10.0&cplatform=DESKTOP&cplayer=UNIPLAYER&cpn=FUB73SQWxSHKADxvJ&cver=2.20240724.03.00&docid=WVhG_sNVLasD&el=detailpage&fexp=v1%2C23848225%2C137802%2C18617%2C204121%2C230596%2C222097%2C16229%2C133212%2C14625955%2C11684381%2C7222%2C14207%2C9859%2C12177%2C9954%2C1192%2C7913%2C18310%2C273%2C4147%2C2819%2C2%2C16344%2C1424%2C19204%2C9948%2C2196%2C9996%2C19%2C2%2C1082%2C6953%2C101%2C1401%2C9542%2C2471%2C3292%2C2716%2C1538%2C723%2C2575%2C9567%2C1375%2C3761%2C4162%2C8610%2C173%2C201%2C10406%2C321%2C148%2C2%2C343%2C1783%2C14%2C1322%2C50%2C621%2C702%2C1062%2C1769%2C1823%2C896%2C2291%2C2912%2C7568%2C342&fmt=398&ns=yt&referrer=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Disa90_67as&sdetail=rv%3Aisa89_68ad&seq=13&sourceid=yw&vps=330.017%3APL\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit 
Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination 
Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", "reason": "File Attachment Cautioned", "timezone": "GMT", "type": [ 
@@ -1662,7 +1662,7 @@ "category_method": "Database A", "class": "Bandwidth Loss", "filter_rule_label": "URL_Filtering_2", - "name": "www.youtube.com/api/stats/abcd?fmt=398&afmt=251&cpn=FUB73SQWxSHKADxvJ&el=detailpage&ns=yt&fexp=v1,23848225,137802,18617,204121,230596,222097,16229,133212,14625955,11684381,7222,14207,9859,12177,9954,1192,7913,18310,273,4147,2819,2,16344,1424,19204,9948,2196,9996,19,2,1082,6953,101,1401,9542,2471,3292,2716,1538,723,2575,9567,1375,3761,4162,8610,173,201,10406,321,148,2,343,1783,14,1322,50,621,702,1062,1769,1823,896,2291,2912,7568,342&cl=655399956&seq=13&docid=WVhG_sNVLasD&referrer=https://www.youtube.com/watch?v=isa90_67as&sdetail=rv:isa89_68ad&sourceid=yw&cbr=Edge Chromium&cbrver=115.0.0.0&c=WEB&cver=2.20240724.03.00&cplayer=UNIPLAYER&cos=Windows&cosver=10.0&cplatform=DESKTOP&vps=330.017:PL&bwm=330.017:2407754:0.844&bwe=330.017:7458601&bat=330.017:0.96:1&cmt=330.017:328.837&bh=330.017:121.264" + "name": "www.youtube.com/api/stats/abcd?afmt=251&bat=330.017:0.96:1&bh=330.017:121.264&bwe=330.017:7458601&bwm=330.017:2407754:0.844&c=WEB&cbr=Edge Chromium&cbrver=115.0.0.0&cl=655399956&cmt=330.017:328.837&cos=Windows&cosver=10.0&cplatform=DESKTOP&cplayer=UNIPLAYER&cpn=FUB73SQWxSHKADxvJ&cver=2.20240724.03.00&docid=WVhG_sNVLasD&el=detailpage&fexp=v1,23848225,137802,18617,204121,230596,222097,16229,133212,14625955,11684381,7222,14207,9859,12177,9954,1192,7913,18310,273,4147,2819,2,16344,1424,19204,9948,2196,9996,19,2,1082,6953,101,1401,9542,2471,3292,2716,1538,723,2575,9567,1375,3761,4162,8610,173,201,10406,321,148,2,343,1783,14,1322,50,621,702,1062,1769,1823,896,2291,2912,7568,342&fmt=398&ns=yt&referrer=https://www.youtube.com/watch?v=isa90_67as&sdetail=rv:isa89_68ad&seq=13&sourceid=yw&vps=330.017:PL" }, "user_agent": { "class": "Firefox", 
diff --git a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
index 2369117470f..029de9d0f05 100644
--- a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
@@ -1322,17 +1322,16 @@ processors:
       value: '{{{zscaler_zia.web.url.filter_rule_label}}}'
       allow_duplicates: false
       if: ctx.zscaler_zia?.web?.url?.filter_rule_label != null
-  - urldecode:
-      field: json.url
-      target_field: zscaler_zia.web.url.name
-      tag: urldecode_url
-      ignore_missing: true
-      ignore_failure: true
   - urldecode:
       field: json.eurl
       target_field: json.eurl
       tag: urldecode_eurl
       ignore_missing: true
+  - set:
+      field: zscaler_zia.web.url.name
+      tag: set_web_url_name
+      copy_from: json.eurl
+      ignore_empty_value: true
   - script:
       description: Build URI for parsing.
       tag: Build URI for parsing
diff --git a/packages/zscaler_zia/docs/README.md b/packages/zscaler_zia/docs/README.md
index ed24eeb719d..30a7ce2559b 100644
--- a/packages/zscaler_zia/docs/README.md
+++ b/packages/zscaler_zia/docs/README.md
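Review bot: The new `set` processor makes `zscaler_zia.web.url.name` depend solely on `json.eurl`, and nothing in the pipeline records why the `json.url` path was dropped; a `description: v6 web feeds no longer carry "url"; url.name is taken from the percent-decoded "eurl".` on the processor would keep that intent next to the code. A feed that still emits `url` but an empty or absent `eurl` now produces no `url.name` at all (`ignore_empty_value` skips it silently), and the `Build URI for parsing` script that follows — its body lies outside the hunk — presumably reads that field, so it is worth confirming that case is handled or that a fallback from `json.url` is intentionally unsupported. The preceding `urldecode` of `json.eurl` has no `ignore_failure`, unlike the removed `urldecode_url` processor, so a malformed percent-escape in a client-supplied URL would abort processing of the whole event unless the pipeline's top-level `on_failure` handler (not visible here) catches it; since this is now the only path to `url.name`, consider `ignore_failure: true` on `urldecode_eurl` so the raw value is still indexed rather than the event being lost.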
@@ -214,14 +214,14 @@ Sample Response: ![Escape feed setup image](../img/escape_feed.png?raw=true) See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/nss-feed-output-format-web-logs) -Zscaler Web Log response format (v5): +Zscaler Web Log response format (v6): ``` -\{"sourcetype":"zscalernss-web","event":\{"time":"%s{time}","cloudname":"%s{cloudname}","host":"%s{host}","serverip":"%s{sip}","external_devid":"%s{external_devid}","devicemodel":"%s{devicemodel}","action":"%s{action}","recordid":"%d{recordid}","reason":"%s{reason}","threatseverity":"%s{threatseverity}","tz":"%s{tz}","filesubtype":"%s{filesubtype}","upload_filesubtype":"%s{upload_filesubtype}","sha256":"%s{sha256}","bamd5":"%s{bamd5}","filename":"%s(unknown)","upload_filename":"%s{upload_filename}","filetype":"%s{filetype}","devicename":"%s{devicename}","devicehostname":"%s{devicehostname}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","devicetype":"%s{devicetype}","reqsize":"%d{reqsize}","reqmethod":"%s{reqmethod}","refererurl":"%s{referer}","respsize":"%d{respsize}","respcode":"%s{respcode}","reqversion":"%s{reqversion}","respversion":"%s{respversion}","proto":"%s{proto}","company":"%s{company}","dlpmd5":"%s{dlpmd5}","apprulelabel":"%s{apprulelabel}","dlprulename":"%s{dlprulename}","rulelabel":"%s{rulelabel}","urlfilterrulelabel":"%s{urlfilterrulelabel}","cltip":"%s{cip}","cltintip":"%s{cintip}","cltsourceport":"%d{clt_sport}","threatname":"%s{threatname}","cltsslcipher":"%s{clientsslcipher}","clttlsversion":"%s{clienttlsversion}","eurl":"%s{eurl}","url":"%s{url}","useragent":"%s{ua}","login":"%s{login}","applayerprotocol":"%s{alpnprotocol}","appclass":"%s{appclass}","appname":"%s{appname}","appriskscore":"%s{app_risk_score}","bandwidthclassname":"%s{bwclassname}","bandwidthrulename":"%s{bwrulename}","bwthrottle":"%s{bwthrottle}","bypassedtime":"%s{bypassed_etime}","bypassedtraffic":"%d{bypassed_traffic}","cltsslsessreuse":"%s{clientsslsessreuse}","cltpubip":"%
s{cpubip}","cltsslfailcount":"%d{cltsslfailcount}","cltsslfailreason":"%s{cltsslfailreason}","contenttype":"%s{contenttype}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","datacenter":"%s{datacenter}","day":"%s{day}","day_of_month":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","deviceowner":"%s{deviceowner}","df_hosthead":"%s{df_hosthead}","df_hostname":"%s{df_hostname}","dlpdicthitcount":"%s{dlpdicthitcount}","dlpdict":"%s{dlpdict}","dlpeng":"%s{dlpeng}","dlpidentifier":"%d{dlpidentifier}","eedone":"%s{eedone}","epochtime":"%d{epochtime}","fileclass":"%s{fileclass}","flow_type":"%s{flow_type}","forward_gateway_ip":"%s{fwd_gw_ip}","forward_gateway_name":"%s{fwd_gw_name}","forward_type":"%s{fwd_type}","hour":"%02d{hh}","is_sslexpiredca":"%s{is_sslexpiredca}","is_sslselfsigned":"%s{is_sslselfsigned}","is_ssluntrustedca":"%s{is_ssluntrustedca}","keyprotectiontype":"%s{keyprotectiontype}","location":"%s{location}","malwarecategory":"%s{malwarecat}","malwareclass":"%s{malwareclass}","minute":"%02d{mm}","mobappcategory":"%s{mobappcat}","mobappname":"%s{mobappname}","mobdevtype":"%s{mobdevtype}","module":"%s{module}","month":"%s{mon}","month_of_year":"%02d{mth}","nssserviceip":"%s{nsssvcip}","oapprulelabel":"%s{oapprulelabel}","obwclassname":"%s{obwclassname}","ocip":"%d{ocip}","ocpubip":"%d{ocpubip}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odlpdict":"%s{odlpdict}","odlpeng":"%s{odlpeng}","odlprulename":"%s{odlprulename}","ofwd_gw_name":"%s{ofwd_gw_name}","ologin":"%s{ologin}","ordr_rulename":"%s{ordr_rulename}","ourlcat":"%s{ourlcat}","ourlfilterrulelabel":"%s{ourlfilterrulelabel}","ozpa_app_seg_name":"%s{ozpa_app_seg_name}","externalsslpolicyreason":"%s{externalspr}","productversion":"%s{productversion}","rdr_rulename":"%s{rdr_rulename}","refererhost":"%s{refererhost}","reqheadersize":"%d{reqhdrsize}","reqdatasize":"%d{reqdatasize}","respheaders
ize":"%d{resphdrsize}","respdatasize":"%d{respdatasize}","riskscore":"%d{riskscore}","ruletype":"%s{ruletype}","second":"%02d{ss}","srvcertchainvalpass":"%s{srvcertchainvalpass}","srvcertvalidationtype":"%s{srvcertvalidationtype}","srvcertvalidityperiod":"%s{srvcertvalidityperiod}","srvsslcipher":"%s{srvsslcipher}","serversslsessreuse":"%s{serversslsessreuse}","srvocspresult":"%s{srvocspresult}","srvtlsversion":"%s{srvtlsversion}","srvwildcardcert":"%s{srvwildcardcert}","ssldecrypted":"%s{ssldecrypted}","throttlereqsize":"%d{throttlereqsize}","throttlerespsize":"%d{throttlerespsize}","totalsize":"%d{totalsize}","trafficredirectmethod":"%s{trafficredirectmethod}","unscannabletype":"%s{unscannabletype}","upload_doctypename":"%s{upload_doctypename}","upload_fileclass":"%s{upload_fileclass}","upload_filetype":"%s{upload_filetype}","urlcatmethod":"%s{urlcatmethod}","urlsubcat":"%s{urlcat}","urlsupercat":"%s{urlsupercat}","urlclass":"%s{urlclass}","useragentclass":"%s{uaclass}","useragenttoken":"%s{ua_token}","userlocationname":"%s{userlocationname}","year":"%04d{yyyy}","ztunnelversion":"%s{ztunnelversion}","zpa_app_seg_name":"%s{zpa_app_seg_name}"\}\} 
+\{"sourcetype":"zscalernss-web","event":\{"time":"%s{time}","cloudname":"%s{cloudname}","host":"%s{host}","serverip":"%s{sip}","external_devid":"%s{external_devid}","devicemodel":"%s{devicemodel}","action":"%s{action}","recordid":"%d{recordid}","reason":"%s{reason}","threatseverity":"%s{threatseverity}","tz":"%s{tz}","filesubtype":"%s{filesubtype}","upload_filesubtype":"%s{upload_filesubtype}","sha256":"%s{sha256}","bamd5":"%s{bamd5}","filename":"%s(unknown)","upload_filename":"%s{upload_filename}","filetype":"%s{filetype}","devicename":"%s{devicename}","devicehostname":"%s{devicehostname}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","devicetype":"%s{devicetype}","reqsize":"%d{reqsize}","reqmethod":"%s{reqmethod}","refererurl":"%s{referer}","respsize":"%d{respsize}","respcode":"%s{respcode}","reqversion":"%s{reqversion}","respversion":"%s{respversion}","proto":"%s{proto}","company":"%s{company}","dlpmd5":"%s{dlpmd5}","apprulelabel":"%s{apprulelabel}","dlprulename":"%s{dlprulename}","rulelabel":"%s{rulelabel}","urlfilterrulelabel":"%s{urlfilterrulelabel}","cltip":"%s{cip}","cltintip":"%s{cintip}","cltsourceport":"%d{clt_sport}","threatname":"%s{threatname}","cltsslcipher":"%s{clientsslcipher}","clttlsversion":"%s{clienttlsversion}","eurl":"%s{eurl}","useragent":"%s{ua}","login":"%s{login}","applayerprotocol":"%s{alpnprotocol}","appclass":"%s{appclass}","appname":"%s{appname}","appriskscore":"%s{app_risk_score}","bandwidthclassname":"%s{bwclassname}","bandwidthrulename":"%s{bwrulename}","bwthrottle":"%s{bwthrottle}","bypassedtime":"%s{bypassed_etime}","bypassedtraffic":"%d{bypassed_traffic}","cltsslsessreuse":"%s{clientsslsessreuse}","cltpubip":"%s{cpubip}","cltsslfailcount":"%d{cltsslfailcount}","cltsslfailreason":"%s{cltsslfailreason}","contenttype":"%s{contenttype}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","datacenter":"%s{datacenter}","day":"%s{day}","day_of_month":"%02d{dd}","dept":"%s{dept}
","deviceappversion":"%s{deviceappversion}","deviceowner":"%s{deviceowner}","df_hosthead":"%s{df_hosthead}","df_hostname":"%s{df_hostname}","dlpdicthitcount":"%s{dlpdicthitcount}","dlpdict":"%s{dlpdict}","dlpeng":"%s{dlpeng}","dlpidentifier":"%d{dlpidentifier}","eedone":"%s{eedone}","epochtime":"%d{epochtime}","fileclass":"%s{fileclass}","flow_type":"%s{flow_type}","forward_gateway_ip":"%s{fwd_gw_ip}","forward_gateway_name":"%s{fwd_gw_name}","forward_type":"%s{fwd_type}","hour":"%02d{hh}","is_sslexpiredca":"%s{is_sslexpiredca}","is_sslselfsigned":"%s{is_sslselfsigned}","is_ssluntrustedca":"%s{is_ssluntrustedca}","keyprotectiontype":"%s{keyprotectiontype}","location":"%s{location}","malwarecategory":"%s{malwarecat}","malwareclass":"%s{malwareclass}","minute":"%02d{mm}","mobappcategory":"%s{mobappcat}","mobappname":"%s{mobappname}","mobdevtype":"%s{mobdevtype}","module":"%s{module}","month":"%s{mon}","month_of_year":"%02d{mth}","nssserviceip":"%s{nsssvcip}","oapprulelabel":"%s{oapprulelabel}","obwclassname":"%s{obwclassname}","ocip":"%d{ocip}","ocpubip":"%d{ocpubip}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odlpdict":"%s{odlpdict}","odlpeng":"%s{odlpeng}","odlprulename":"%s{odlprulename}","ofwd_gw_name":"%s{ofwd_gw_name}","ologin":"%s{ologin}","ordr_rulename":"%s{ordr_rulename}","ourlcat":"%s{ourlcat}","ourlfilterrulelabel":"%s{ourlfilterrulelabel}","ozpa_app_seg_name":"%s{ozpa_app_seg_name}","externalsslpolicyreason":"%s{externalspr}","productversion":"%s{productversion}","rdr_rulename":"%s{rdr_rulename}","refererhost":"%s{refererhost}","reqheadersize":"%d{reqhdrsize}","reqdatasize":"%d{reqdatasize}","respheadersize":"%d{resphdrsize}","respdatasize":"%d{respdatasize}","riskscore":"%d{riskscore}","ruletype":"%s{ruletype}","second":"%02d{ss}","srvcertchainvalpass":"%s{srvcertchainvalpass}","srvcertvalidationtype":"%s{srvcertvalidationtype}","srvcertvalidityperiod":"%s{srvcertvalidityperiod}","srvsslciphe
r":"%s{srvsslcipher}","serversslsessreuse":"%s{serversslsessreuse}","srvocspresult":"%s{srvocspresult}","srvtlsversion":"%s{srvtlsversion}","srvwildcardcert":"%s{srvwildcardcert}","ssldecrypted":"%s{ssldecrypted}","throttlereqsize":"%d{throttlereqsize}","throttlerespsize":"%d{throttlerespsize}","totalsize":"%d{totalsize}","trafficredirectmethod":"%s{trafficredirectmethod}","unscannabletype":"%s{unscannabletype}","upload_doctypename":"%s{upload_doctypename}","upload_fileclass":"%s{upload_fileclass}","upload_filetype":"%s{upload_filetype}","urlcatmethod":"%s{urlcatmethod}","urlsubcat":"%s{urlcat}","urlsupercat":"%s{urlsupercat}","urlclass":"%s{urlclass}","useragentclass":"%s{uaclass}","useragenttoken":"%s{ua_token}","userlocationname":"%s{userlocationname}","year":"%04d{yyyy}","ztunnelversion":"%s{ztunnelversion}","zpa_app_seg_name":"%s{zpa_app_seg_name}"\}\} ``` Sample Response: ```json -{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client 
Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.trythisencodeurl.com/index","url":"www.trythisencodeurl.com/index","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google 
Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical 
(90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","refererurl":"www.example.com","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","eurl":"www.trythisencodeurl.com/index","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web 
Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome 
(0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}}
```
### Enabling the integration in Elastic:
diff --git a/packages/zscaler_zia/manifest.yml b/packages/zscaler_zia/manifest.yml
index dde47f3d7b7..81ce82c2125 100644
--- a/packages/zscaler_zia/manifest.yml
+++ b/packages/zscaler_zia/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.3"
name: zscaler_zia
title: Zscaler Internet Access
-version: "3.0.4"
+version: "3.1.0"
description: Collect logs from Zscaler Internet Access (ZIA) with Elastic Agent.
type: integration
categories:
