zscaler_zia: add strict field template mode for tcp and http_endpoint input data streams

This checks that the template version matches the current expected
template version if the template specifies it, falling back to an
assessment of the fields that are present in the message. The check is
only performed when enabled, which is not the case by default.

Author: efd6

packages/zscaler_zia/_dev/build/docs/README.md

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.11.0"
+  changes:
+    - description: Add strict field template mode for TCP and HTTP Endpoint input data streams.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13904
 - version: "3.10.1"
   changes:
     - description: Fix default request trace enabled behavior.

packages/zscaler_zia/changelog.yml

@@ -125,4 +125,4 @@
             }
         }
     ]
-}
+}

packages/zscaler_zia/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json

@@ -1 +1,2 @@
-{ "sourcetype": "zscalernss-audit","input": {"type": "http_endpoint"}, "event": { "time": "Mon Oct 16 22:55:48 2023", "recordid": "1234", "action": "Activate", "category": "DATA_LOSS_PREVENTION_RESOURCE", "subcategory": "DLP_DICTIONARY", "resource": "SSL Rule Name", "interface": "API", "adminid": "[email protected]", "clientip": "89.160.20.112", "result": "SUCCESS", "errorcode": "AUTHENTICATION_FAILED", "auditlogtype": "ZIA Portal Audit Log", "preaction": {}, "postaction": {} } }
+{"sourcetype":"zscalernss-audit","input":{"type":"http_endpoint"},"event":{"time":"Mon Oct 16 22:55:48 2023","recordid":"1234","action":"Activate","category":"DATA_LOSS_PREVENTION_RESOURCE","subcategory":"DLP_DICTIONARY","resource":"SSL Rule Name","interface":"API","adminid":"[email protected]","clientip":"89.160.20.112","result":"SUCCESS","errorcode":"AUTHENTICATION_FAILED","auditlogtype":"ZIA Portal Audit Log","preaction":{},"postaction":{},"timezone":"UTC"}}
+{"version":"v1","sourcetype":"zscalernss-audit","input":{"type":"http_endpoint"},"event":{"time":"Mon Oct 16 22:55:48 2023","recordid":"1234","action":"Activate","category":"DATA_LOSS_PREVENTION_RESOURCE","subcategory":"DLP_DICTIONARY","resource":"SSL Rule Name","interface":"API","adminid":"[email protected]","clientip":"89.160.20.112","result":"SUCCESS","errorcode":"AUTHENTICATION_FAILED","auditlogtype":"ZIA Portal Audit Log","preaction":{},"postaction":{},"timezone":"UTC"}}

packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-audit-http-endpoint.log

@@ -15,7 +15,7 @@
                 ],
                 "id": "1234",
                 "kind": "event",
-                "original": "{ \"sourcetype\": \"zscalernss-audit\",\"input\": {\"type\": \"http_endpoint\"}, \"event\": { \"time\": \"Mon Oct 16 22:55:48 2023\", \"recordid\": \"1234\", \"action\": \"Activate\", \"category\": \"DATA_LOSS_PREVENTION_RESOURCE\", \"subcategory\": \"DLP_DICTIONARY\", \"resource\": \"SSL Rule Name\", \"interface\": \"API\", \"adminid\": \"[email protected]\", \"clientip\": \"89.160.20.112\", \"result\": \"SUCCESS\", \"errorcode\": \"AUTHENTICATION_FAILED\", \"auditlogtype\": \"ZIA Portal Audit Log\", \"preaction\": {}, \"postaction\": {} } }",
+                "original": "{\"sourcetype\":\"zscalernss-audit\",\"input\":{\"type\":\"http_endpoint\"},\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"recordid\":\"1234\",\"action\":\"Activate\",\"category\":\"DATA_LOSS_PREVENTION_RESOURCE\",\"subcategory\":\"DLP_DICTIONARY\",\"resource\":\"SSL Rule Name\",\"interface\":\"API\",\"adminid\":\"[email protected]\",\"clientip\":\"89.160.20.112\",\"result\":\"SUCCESS\",\"errorcode\":\"AUTHENTICATION_FAILED\",\"auditlogtype\":\"ZIA Portal Audit Log\",\"preaction\":{},\"postaction\":{},\"timezone\":\"UTC\"}}",
                 "outcome": "success",
                 "timezone": "UTC",
                 "type": [
@@ -75,9 +75,90 @@
                     "resource": "SSL Rule Name",
                     "result": "SUCCESS",
                     "sub_category": "DLP_DICTIONARY",
-                    "time": "2023-10-16T22:55:48.000Z"
+                    "time": "2023-10-16T22:55:48.000Z",
+                    "timezone": "UTC"
+                }
+            }
+        },
+        {
+            "@timestamp": "2023-10-16T22:55:48.000Z",
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "error": {
+                "code": "AUTHENTICATION_FAILED"
+            },
+            "event": {
+                "action": "activate",
+                "category": [
+                    "configuration"
+                ],
+                "id": "1234",
+                "kind": "event",
+                "original": "{\"version\":\"v1\",\"sourcetype\":\"zscalernss-audit\",\"input\":{\"type\":\"http_endpoint\"},\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"recordid\":\"1234\",\"action\":\"Activate\",\"category\":\"DATA_LOSS_PREVENTION_RESOURCE\",\"subcategory\":\"DLP_DICTIONARY\",\"resource\":\"SSL Rule Name\",\"interface\":\"API\",\"adminid\":\"[email protected]\",\"clientip\":\"89.160.20.112\",\"result\":\"SUCCESS\",\"errorcode\":\"AUTHENTICATION_FAILED\",\"auditlogtype\":\"ZIA Portal Audit Log\",\"preaction\":{},\"postaction\":{},\"timezone\":\"UTC\"}}",
+                "outcome": "success",
+                "timezone": "UTC",
+                "type": [
+                    "change"
+                ]
+            },
+            "related": {
+                "ip": [
+                    "89.160.20.112"
+                ],
+                "user": [
+                    "example",
+                    "[email protected]"
+                ]
+            },
+            "rule": {
+                "category": "DLP_DICTIONARY",
+                "name": "SSL Rule Name",
+                "ruleset": "DATA_LOSS_PREVENTION_RESOURCE"
+            },
+            "source": {
+                "geo": {
+                    "city_name": "Linköping",
+                    "continent_name": "Europe",
+                    "country_iso_code": "SE",
+                    "country_name": "Sweden",
+                    "location": {
+                        "lat": 58.4167,
+                        "lon": 15.6167
+                    },
+                    "region_iso_code": "SE-E",
+                    "region_name": "Östergötland County"
+                },
+                "ip": "89.160.20.112"
+            },
+            "tags": [
+                "preserve_original_event",
+                "preserve_duplicate_custom_fields"
+            ],
+            "user": {
+                "domain": "zscaler.com",
+                "email": "[email protected]",
+                "name": "example"
+            },
+            "zscaler_zia": {
+                "audit": {
+                    "action": "Activate",
+                    "admin_id": "[email protected]",
+                    "audit_log_type": "ZIA Portal Audit Log",
+                    "category": "DATA_LOSS_PREVENTION_RESOURCE",
+                    "client_ip": "89.160.20.112",
+                    "error_code": "AUTHENTICATION_FAILED",
+                    "interface": "API",
+                    "record": {
+                        "id": "1234"
+                    },
+                    "resource": "SSL Rule Name",
+                    "result": "SUCCESS",
+                    "sub_category": "DLP_DICTIONARY",
+                    "time": "2023-10-16T22:55:48.000Z",
+                    "timezone": "UTC"
                 }
             }
         }
     ]
-}
+}

packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-audit-http-endpoint.log-expected.json

@@ -1,3 +1,6 @@
-{ "sourcetype": "zscalernss-audit", "event": { "time": "Mon Oct 16 22:55:48 2023", "recordid": "1234", "action": "Activate", "category": "DATA_LOSS_PREVENTION_RESOURCE", "subcategory": "DLP_DICTIONARY", "resource": "SSL Rule Name", "interface": "API", "adminid": "[email protected]", "clientip": "89.160.20.112", "result": "SUCCESS", "errorcode": "AUTHENTICATION_FAILED", "auditlogtype": "ZIA Portal Audit Log", "preaction": {}, "postaction": {} } }
+{ "sourcetype": "zscalernss-audit", "event": { "time": "Mon Oct 16 22:55:48 2023", "recordid": "1234", "action": "Activate", "category": "DATA_LOSS_PREVENTION_RESOURCE", "subcategory": "DLP_DICTIONARY", "resource": "SSL Rule Name", "interface": "API", "adminid": "[email protected]", "clientip": "89.160.20.112", "result": "SUCCESS", "errorcode": "AUTHENTICATION_FAILED", "auditlogtype": "ZIA Portal Audit Log", "preaction": {}, "postaction": {} , "timezone": "UTC"} }
 { "sourcetype": "zscalernss-audit", "event": { "time": "Mon Oct 16 22:55:48 2023", "recordid": "1234", "action": "Activate", "category": "DATA_LOSS_PREVENTION_RESOURCE", "subcategory": "DLP_DICTIONARY", "resource": "SSL Rule Name", "interface": "API", "adminid": "[email protected]", "clientip": "89.160.20.112", "result": "SUCCESS", "errorcode": "AUTHENTICATION_FAILED", "auditlogtype": "ZIA Portal Audit Log", "timezone": "UTC", "preaction": {}, "postaction": {} } }
-{"sourcetype":"zscalernss-audit","event":{"time":"Thu Jan  9 20:38:29 2025","recordid":"737420","action":"SIGN_OUT","category":"LOGIN","subcategory":"LOGIN","resource":"None","interface":"Unknown","adminid":"[email protected]","clientip":"Unknown","result":"SUCCESS","errorcode":"None","auditlogtype":"EC","preaction":{},"postaction":{}}}
+{"sourcetype":"zscalernss-audit","event":{"time":"Thu Jan  9 20:38:29 2025","recordid":"737420","action":"SIGN_OUT","category":"LOGIN","subcategory":"LOGIN","resource":"None","interface":"Unknown","adminid":"[email protected]","clientip":"Unknown","result":"SUCCESS","errorcode":"None","auditlogtype":"EC","preaction":{},"postaction":{},"timezone":"UTC"}}
+{"version":"v1", "sourcetype": "zscalernss-audit", "event": { "time": "Mon Oct 16 22:55:48 2023", "recordid": "1234", "action": "Activate", "category": "DATA_LOSS_PREVENTION_RESOURCE", "subcategory": "DLP_DICTIONARY", "resource": "SSL Rule Name", "interface": "API", "adminid": "[email protected]", "clientip": "89.160.20.112", "result": "SUCCESS", "errorcode": "AUTHENTICATION_FAILED", "auditlogtype": "ZIA Portal Audit Log", "preaction": {}, "postaction": {} , "timezone": "UTC"} }
+{"version":"v1", "sourcetype": "zscalernss-audit", "event": { "time": "Mon Oct 16 22:55:48 2023", "recordid": "1234", "action": "Activate", "category": "DATA_LOSS_PREVENTION_RESOURCE", "subcategory": "DLP_DICTIONARY", "resource": "SSL Rule Name", "interface": "API", "adminid": "[email protected]", "clientip": "89.160.20.112", "result": "SUCCESS", "errorcode": "AUTHENTICATION_FAILED", "auditlogtype": "ZIA Portal Audit Log", "timezone": "UTC", "preaction": {}, "postaction": {} } }
+{"version":"v1","sourcetype":"zscalernss-audit","event":{"time":"Thu Jan  9 20:38:29 2025","recordid":"737420","action":"SIGN_OUT","category":"LOGIN","subcategory":"LOGIN","resource":"None","interface":"Unknown","adminid":"[email protected]","clientip":"Unknown","result":"SUCCESS","errorcode":"None","auditlogtype":"EC","preaction":{},"postaction":{},"timezone":"UTC"}}