From 2125a6ee8372124e4dbf9f4a91cf1c5223ca1745 Mon Sep 17 00:00:00 2001 
From: Dan Kortschak Date: Wed, 14 May 2025 14:20:06 +0930 Subject: [PATCH 1/8] zscaler_zia: add strict field template mode for tcp and http_endpoint input data streams This checks that the template version matches the current expected template version if the template specifies it, falling back to an assessment of the fields that are present in the message. The check is only performed when enabled, which is not the case by default. --- .../zscaler_zia/_dev/build/docs/README.md | 26 +- packages/zscaler_zia/changelog.yml | 5 + .../pipeline/test-alerts.log-expected.json | 2 +- .../pipeline/test-audit-http-endpoint.log | 3 +- ...test-audit-http-endpoint.log-expected.json | 87 +- .../audit/_dev/test/pipeline/test-audit.log | 7 +- .../pipeline/test-audit.log-expected.json | 224 +- .../_dev/test/pipeline/test-common-config.yml | 2 + .../audit/agent/stream/http_endpoint.yml.hbs | 6 + .../audit/agent/stream/tcp.yml.hbs | 6 + .../elasticsearch/ingest_pipeline/default.yml | 30 +- .../_dev/test/pipeline/test-common-config.yml | 2 + .../test/pipeline/test-dns-http-endpoint.log | 9 +- .../test-dns-http-endpoint.log-expected.json | 681 +++- .../dns/_dev/test/pipeline/test-dns.log | 9 +- .../test/pipeline/test-dns.log-expected.json | 681 +++- .../dns/agent/stream/http_endpoint.yml.hbs | 6 + .../data_stream/dns/agent/stream/tcp.yml.hbs | 6 + .../elasticsearch/ingest_pipeline/default.yml | 30 +- .../_dev/test/pipeline/test-common-config.yml | 2 + .../test-endpoint-dlp-http-endpoint.log | 3 +- ...dpoint-dlp-http-endpoint.log-expected.json | 163 +- .../_dev/test/pipeline/test-endpoint-dlp.log | 6 +- .../test-endpoint-dlp.log-expected.json | 344 +- .../agent/stream/http_endpoint.yml.hbs | 6 + .../endpoint_dlp/agent/stream/tcp.yml.hbs | 6 + .../elasticsearch/ingest_pipeline/default.yml | 30 +- .../_dev/test/pipeline/test-common-config.yml | 2 + .../pipeline/test-firewall-http-endpoint.log | 7 +- ...t-firewall-http-endpoint.log-expected.json | 602 +++- 
.../_dev/test/pipeline/test-firewall.log | 4 +- .../pipeline/test-firewall.log-expected.json | 492 ++- .../pipeline/test-unicode.json-expected.json | 2 +- .../agent/stream/http_endpoint.yml.hbs | 6 + .../firewall/agent/stream/tcp.yml.hbs | 6 + .../elasticsearch/ingest_pipeline/default.yml | 30 +- .../pipeline/test-sandbox.log-expected.json | 3 +- .../_dev/test/pipeline/test-common-config.yml | 2 + .../pipeline/test-tunnel-http-endpoint.log | 3 +- ...est-tunnel-http-endpoint.log-expected.json | 79 +- .../tunnel/_dev/test/pipeline/test-tunnel.log | 10 +- .../pipeline/test-tunnel.log-expected.json | 327 +- .../tunnel/agent/stream/http_endpoint.yml.hbs | 6 + .../tunnel/agent/stream/tcp.yml.hbs | 6 + .../elasticsearch/ingest_pipeline/default.yml | 34 +- .../_dev/test/pipeline/test-common-config.yml | 6 +- .../test/pipeline/test-web-http-endpoint.log | 2 + .../test-web-http-endpoint.log-expected.json | 848 +++++ .../web/_dev/test/pipeline/test-web.log | 7 + .../test/pipeline/test-web.log-expected.json | 2931 +++++++++++++++++ .../web/agent/stream/http_endpoint.yml.hbs | 6 + .../data_stream/web/agent/stream/tcp.yml.hbs | 6 + .../elasticsearch/ingest_pipeline/default.yml | 30 +- packages/zscaler_zia/docs/README.md | 26 +- packages/zscaler_zia/manifest.yml | 14 +- 55 files changed, 7767 insertions(+), 112 deletions(-)
diff --git a/packages/zscaler_zia/_dev/build/docs/README.md b/packages/zscaler_zia/_dev/build/docs/README.md
index b04413e9413..e848f9afc11 100644
--- a/packages/zscaler_zia/_dev/build/docs/README.md
+++ b/packages/zscaler_zia/_dev/build/docs/README.md
@@ -121,12 +121,12 @@ See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/adding-cloud-ns Zscaler Audit Log response format (v1): ``` -\{"sourcetype":"zscalernss-audit","event":\{"time":"%s{time}","recordid":"%d{recordid}","action":"%s{action}","category":"%s{category}","subcategory":"%s{subcategory}","resource":"%s{resource}","interface":"%s{interface}","adminid":"%s{adminid}","clientip":"%s{clientip}","result":"%s{result}","errorcode":"%s{errorcode}","auditlogtype":"%s{auditlogtype}","preaction":%s{preaction},"postaction":%s{postaction}\}\} +\{"version":"v1","sourcetype":"zscalernss-audit","event":\{"time":"%s{time}","recordid":"%d{recordid}","action":"%s{action}","category":"%s{category}","subcategory":"%s{subcategory}","resource":"%s{resource}","interface":"%s{interface}","adminid":"%s{adminid}","clientip":"%s{clientip}","result":"%s{result}","errorcode":"%s{errorcode}","auditlogtype":"%s{auditlogtype}","preaction":%s{preaction},"postaction":%s{postaction}\}\} ``` Sample Response: ```json -{"sourcetype":"zscalernss-audit","event":{"time":"Mon Oct 16 22:55:48 2023","recordid":"1234","action":"Activate","category":"DATA_LOSS_PREVENTION_RESOURCE","subcategory":"DLP_DICTIONARY","resource":"SSL Rule Name","interface":"API","adminid":"example@zscaler.com","clientip":"89.160.20.112","result":"SUCCESS","errorcode":"AUTHENTICATION_FAILED","auditlogtype":"ZIA Portal Audit Log","timezone":"UTC","preaction":{},"postaction":{}}} +{"version":"v1","sourcetype":"zscalernss-audit","event":{"time":"Mon Oct 16 22:55:48 2023","recordid":"1234","action":"Activate","category":"DATA_LOSS_PREVENTION_RESOURCE","subcategory":"DLP_DICTIONARY","resource":"SSL Rule Name","interface":"API","adminid":"example@zscaler.com","clientip":"89.160.20.112","result":"SUCCESS","errorcode":"AUTHENTICATION_FAILED","auditlogtype":"ZIA Portal Audit Log","timezone":"UTC","preaction":{},"postaction":{}}} ``` ### DNS Log 
@@ -138,12 +138,12 @@ See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/nss-feed-output Zscaler DNS Log response format (v2): ``` -\{"sourcetype":"zscalernss-dns","event":\{"user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","clt_sip":"%s{cip}","cloudname":"%s{cloudname}","company":"%s{company}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","day_of_month":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","devicehostname":"%s{devicehostname}","devicemodel":"%s{devicemodel}","devicename":"%s{devicename}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","deviceowner":"%s{deviceowner}","devicetype":"%s{devicetype}","dnsapp":"%s{dnsapp}","dnsappcat":"%s{dnsappcat}","dns_gateway_status":"%s{dnsgw_flags}","dns_gateway_rule":"%s{dnsgw_slot}","dns_gateway_server_protocol":"%s{dnsgw_srv_proto}","category":"%s{domcat}","durationms":"%d{durationms}","ecs_prefix":"%s{ecs_prefix}","ecs_slot":"%s{ecs_slot}","epochtime":"%d{epochtime}","error":"%s{error}","hour":"%02d{hh}","http_code":"%s{http_code}","istcp":"%d{istcp}","loc":"%s{location}","login":"%s{login}","minutes":"%02d{mm}","month":"%s{mon}","month_of_year":"%02d{mth}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odomcat":"%s{odomcat}","protocol":"%s{protocol}","recordid":"%d{recordid}","dns_req":"%s{req}","reqaction":"%s{reqaction}","reqrulelabel":"%s{reqrulelabel}","dns_reqtype":"%s{reqtype}","dns_resp":"%s{res}","resaction":"%s{resaction}","respipcategory":"%s{respipcat}","resrulelabel":"%s{resrulelabel}","restype":"%s{restype}","srv_dip":"%s{sip}","srv_dport":"%d{sport}","second":"%02d{ss}","datetime":"%s{time}","tz":"%s{tz}","year":"%04d{yyyy}"\}\} 
+\{"version":"v1","sourcetype":"zscalernss-dns","event":\{"user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","clt_sip":"%s{cip}","cloudname":"%s{cloudname}","company":"%s{company}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","day_of_month":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","devicehostname":"%s{devicehostname}","devicemodel":"%s{devicemodel}","devicename":"%s{devicename}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","deviceowner":"%s{deviceowner}","devicetype":"%s{devicetype}","dnsapp":"%s{dnsapp}","dnsappcat":"%s{dnsappcat}","dns_gateway_status":"%s{dnsgw_flags}","dns_gateway_rule":"%s{dnsgw_slot}","dns_gateway_server_protocol":"%s{dnsgw_srv_proto}","category":"%s{domcat}","durationms":"%d{durationms}","ecs_prefix":"%s{ecs_prefix}","ecs_slot":"%s{ecs_slot}","epochtime":"%d{epochtime}","error":"%s{error}","hour":"%02d{hh}","http_code":"%s{http_code}","istcp":"%d{istcp}","loc":"%s{location}","login":"%s{login}","minutes":"%02d{mm}","month":"%s{mon}","month_of_year":"%02d{mth}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odomcat":"%s{odomcat}","protocol":"%s{protocol}","recordid":"%d{recordid}","dns_req":"%s{req}","reqaction":"%s{reqaction}","reqrulelabel":"%s{reqrulelabel}","dns_reqtype":"%s{reqtype}","dns_resp":"%s{res}","resaction":"%s{resaction}","respipcategory":"%s{respipcat}","resrulelabel":"%s{resrulelabel}","restype":"%s{restype}","srv_dip":"%s{sip}","srv_dport":"%d{sport}","second":"%02d{ss}","datetime":"%s{time}","tz":"%s{tz}","year":"%04d{yyyy}"\}\} ``` Sample Response: ```json -{"sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A 
record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"www.example.com","respipcategory":"Adult Themes","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} +{"version":"v1","sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google 
DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"www.example.com","respipcategory":"Adult Themes","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} ``` ### Endpoint DLP Log 
@@ -155,12 +155,12 @@ See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/nss-feed-output Zscaler Endpoint DLP Log response format (v1): ``` -\{"sourcetype":"zscalernss-edlp","event":\{"actiontaken":"%s{actiontaken}","activitytype":"%s{activitytype}","additionalinfo":"%s{addinfo}","channel":"%s{channel}","confirmaction":"%s{confirmaction}","confirmjustification":"%s{confirmjust}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","day":"%s{day}","dd":"%02d{dd}","department":"%s{department}","deviceappversion":"%s{deviceappversion}","devicehostname":"%s{devicehostname}","devicemodel":"%s{devicemodel}","devicename":"%s{devicename}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","deviceowner":"%s{deviceowner}","deviceplatform":"%s{deviceplatform}","devicetype":"%s{devicetype}","dlpdictcount":"%s{dlpcounts}","dlpdictnames":"%s{dlpdictnames}","dlpenginenames":"%s{dlpengnames}","dlpidentifier":"%llu{dlpidentifier}","dsttype":"%s{dsttype}","eventtime":"%s{eventtime}","expectedaction":"%s{expectedaction}","filedoctype":"%s{filedoctype}","filedstpath":"%s{filedstpath}","filemd5":"%s{filemd5}","filesha":"%s{filesha}","filesrcpath":"%s{filesrcpath}","filetypecategory":"%s{filetypecategory}","filetypename":"%s{filetypename}","hh":"%02d{hh}","itemdstname":"%s{itemdstname}","itemname":"%s{itemname}","itemsrcname":"%s{itemsrcname}","itemtype":"%s{itemtype}","logtype":"%s{logtype}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","numdlpdictids":"%u{numdlpdictids}","numdlpengineids":"%u{numdlpengids}","odepartment":"%s{odepartment}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odlpdictnames":"%s{odlpdictnames}","odlpenginenames":"%s{odlpengnames}","ofiledstpath":"%s{ofiledstpath}","ofilesrcpath":"%s{ofilesrcpath}","oitemdstname":"%s{oitemdstname}","oitemname":"%s{oitemname}","oitemsrcname":"%s{oitemsrcname}","ootherrulel
abels":"%s{ootherrulelabels}","otherrulelabels":"%s{otherrulelabels}","orulename":"%s{otriggeredrulelabel}","ouser":"%s{ouser}","recordid":"%llu{recordid}","feedtime":"%s{rtime}","scannedbytes":"%llu{scanned_bytes}","scantime":"%llu{scantime}","severity":"%s{severity}","srctype":"%s{srctype}","ss":"%02d{ss}","datetime":"%s{time}","rulename":"%s{triggeredrulelabel}","timezone":"%s{tz}","user":"%s{user}","yyyy":"%04d{yyyy}","zdpmode":"%s{zdpmode}"\}\} +\{"version":"v1","sourcetype":"zscalernss-edlp","event":\{"actiontaken":"%s{actiontaken}","activitytype":"%s{activitytype}","additionalinfo":"%s{addinfo}","channel":"%s{channel}","confirmaction":"%s{confirmaction}","confirmjustification":"%s{confirmjust}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","day":"%s{day}","dd":"%02d{dd}","department":"%s{department}","deviceappversion":"%s{deviceappversion}","devicehostname":"%s{devicehostname}","devicemodel":"%s{devicemodel}","devicename":"%s{devicename}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","deviceowner":"%s{deviceowner}","deviceplatform":"%s{deviceplatform}","devicetype":"%s{devicetype}","dlpdictcount":"%s{dlpcounts}","dlpdictnames":"%s{dlpdictnames}","dlpenginenames":"%s{dlpengnames}","dlpidentifier":"%llu{dlpidentifier}","dsttype":"%s{dsttype}","eventtime":"%s{eventtime}","expectedaction":"%s{expectedaction}","filedoctype":"%s{filedoctype}","filedstpath":"%s{filedstpath}","filemd5":"%s{filemd5}","filesha":"%s{filesha}","filesrcpath":"%s{filesrcpath}","filetypecategory":"%s{filetypecategory}","filetypename":"%s{filetypename}","hh":"%02d{hh}","itemdstname":"%s{itemdstname}","itemname":"%s{itemname}","itemsrcname":"%s{itemsrcname}","itemtype":"%s{itemtype}","logtype":"%s{logtype}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","numdlpdictids":"%u{numdlpdictids}","numdlpengineids":"%u{numdlpengids}","odepartment":"%s{odepartment}","odevicehostname":"%s{odevicehostname}",
"odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odlpdictnames":"%s{odlpdictnames}","odlpenginenames":"%s{odlpengnames}","ofiledstpath":"%s{ofiledstpath}","ofilesrcpath":"%s{ofilesrcpath}","oitemdstname":"%s{oitemdstname}","oitemname":"%s{oitemname}","oitemsrcname":"%s{oitemsrcname}","ootherrulelabels":"%s{ootherrulelabels}","otherrulelabels":"%s{otherrulelabels}","orulename":"%s{otriggeredrulelabel}","ouser":"%s{ouser}","recordid":"%llu{recordid}","feedtime":"%s{rtime}","scannedbytes":"%llu{scanned_bytes}","scantime":"%llu{scantime}","severity":"%s{severity}","srctype":"%s{srctype}","ss":"%02d{ss}","datetime":"%s{time}","rulename":"%s{triggeredrulelabel}","timezone":"%s{tz}","user":"%s{user}","yyyy":"%04d{yyyy}","zdpmode":"%s{zdpmode}"\}\} ``` Sample Response: ```json -{ "sourcetype": "zscalernss-edlp", "event": { "actiontaken": "allow", "activitytype": "email_sent", "additionalinfo": "File already open by another application", "channel": "Network Drive Transfer", "confirmaction": "confirm", "confirmjustification": "My manager approved it", "datacenter": "Georgia", "datacentercity": "Atlanta", "datacentercountry": "US", "day": "Mon", "dd": "16", "department": "TempDept", "deviceappversion": "Ver-2199", "devicehostname": "Host", "devicemodel": "Model-2022", "devicename": "Dev 1", "deviceostype": "Windows", "deviceosversion": "Win-11", "deviceowner": "Administrator", "deviceplatform": "Windows", "devicetype": "WinUser", "dlpdictcount": "12|13", "dlpdictnames": "dlp: dlp discription|dlp1: dlp discription1|dlp2: dlp discription2", "dlpenginenames": "dlpengine", "dlpidentifier": "12", "dsttype": "personal_cloud_storage", "eventtime": "Mon Oct 16 22:55:48 2023", "expectedaction": "block", "filedoctype": "Medical", "filedstpath": "dest_path", "filemd5": "938c2cc0dcc05f2b68c4287040cfcf71", "filesha": "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612", "filesrcpath": "source_path", "filetypecategory": "PLS File (pls)", "filetypename": 
"exe64", "hh": "22", "itemdstname": "nanolog", "itemname": "endpoint_dlp", "itemsrcname": "endpoint", "itemtype": "email_attachment", "logtype": "dlp_incident", "mm": "55", "mon": "Oct", "mth": "10", "numdlpdictids": "8", "numdlpengineids": "12", "recordid": "2", "feedtime": "Mon Oct 16 22:55:48 2023", "scannedbytes": "290812", "scantime": "1210", "severity": "High Severity", "srctype": "network_share", "ss": "48", "datetime": "Mon Oct 16 22:55:48 2023", "rulename": "configured_rule", "timezone": "GMT", "user": "TempUser", "yyyy": "2023", "zdpmode": "block mode", "odepartment": "4094304256", "odevicehostname": "4094304255", "odevicename": "4094304251", "odeviceowner": "4094304226", "odlpdictnames": "4094304456", "odlpenginenames": "4094364256", "ofiledstpath": "4094304296", "ofilesrcpath": "4094304206", "oitemdstname": "409430476", "oitemname": "40943042567", "oitemsrcname": "4094305256", "ootherrulelabels": "4036304256", "orulename": "40943049956", "ouser": "40943042569", "otherrulelabels": "9094304256" } } +{"version":"v1","sourcetype":"zscalernss-edlp","event":{"actiontaken":"allow","activitytype":"email_sent","additionalinfo":"File already open by another application","channel":"Network Drive Transfer","confirmaction":"confirm","confirmjustification":"My manager approved it","datacenter":"Georgia","datacentercity":"Atlanta","datacentercountry":"US","day":"Mon","dd":"16","department":"TempDept","deviceappversion":"Ver-2199","devicehostname":"Host","devicemodel":"Model-2022","devicename":"Dev 1","deviceostype":"Windows","deviceosversion":"Win-11","deviceowner":"Administrator","deviceplatform":"Windows","devicetype":"WinUser","dlpdictcount":"12|13","dlpdictnames":"dlp: dlp discription|dlp1: dlp discription1|dlp2: dlp discription2","dlpenginenames":"dlpengine","dlpidentifier":"12","dsttype":"personal_cloud_storage","eventtime":"Mon Oct 16 22:55:48 
2023","expectedaction":"block","filedoctype":"Medical","filedstpath":"dest_path","filemd5":"938c2cc0dcc05f2b68c4287040cfcf71","filesha":"076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612","filesrcpath":"source_path","filetypecategory":"PLS File (pls)","filetypename":"exe64","hh":"22","itemdstname":"nanolog","itemname":"endpoint_dlp","itemsrcname":"endpoint","itemtype":"email_attachment","logtype":"dlp_incident","mm":"55","mon":"Oct","mth":"10","numdlpdictids":"8","numdlpengineids":"12","recordid":"2","feedtime":"Mon Oct 16 22:55:48 2023","scannedbytes":"290812","scantime":"1210","severity":"High Severity","srctype":"network_share","ss":"48","datetime":"Mon Oct 16 22:55:48 2023","rulename":"configured_rule","timezone":"GMT","user":"TempUser","yyyy":"2023","zdpmode":"block mode","odepartment":"4094304256","odevicehostname":"4094304255","odevicename":"4094304251","odeviceowner":"4094304226","odlpdictnames":"4094304456","odlpenginenames":"4094364256","ofiledstpath":"4094304296","ofilesrcpath":"4094304206","oitemdstname":"409430476","oitemname":"40943042567","oitemsrcname":"4094305256","ootherrulelabels":"4036304256","orulename":"40943049956","ouser":"40943042569","otherrulelabels":"9094304256" } } ``` ### Firewall Log 
@@ -172,12 +172,12 @@ See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/nss-feed-output Zscaler Firewall Log response format (v2): ``` -\{"sourcetype":"zscalernss-fw","event":\{"datetime":"%s{time}","outbytes":"%ld{outbytes}","cltdomain":"%s{cdfqdn}","destcountry":"%s{destcountry}","cdip":"%s{cdip}","sdip":"%s{sdip}","cdport":"%d{cdport}","sdport":"%d{sdport}","devicemodel":"%s{devicemodel}","action":"%s{action}","duration":"%d{duration}","recordid":"%d{recordid}","tz":"%s{tz}","devicename":"%s{devicename}","devicehostname":"%s{devicehostname}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","nwapp":"%s{nwapp}","nwsvc":"%s{nwsvc}","proto":"%s{ipproto}","ipsrulelabel":"%s{ipsrulelabel}","dnatrulelabel":"%s{dnatrulelabel}","rdr_rulename":"%s{rdr_rulename}","rule":"%s{rulelabel}","rulelabel":"%s{erulelabel}","inbytes":"%ld{inbytes}","srcipcountry":"%s{srcip_country}","csip":"%s{csip}","ssip":"%s{ssip}","csport":"%d{csport}","ssport":"%d{ssport}","user":"%s{elogin}","aggregate":"%s{aggregate}","bypassed_session":"%d{bypassed_session}","bypass_time":"%s{bypass_etime}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","datacenter":"%s{datacenter}","day_of_month":"%02d{dd}","department":"%s{edepartment}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","deviceowner":"%s{deviceowner}","avgduration":"%d{avgduration}","durationms":"%d{durationms}","epochtime":"%d{epochtime}","external_deviceid":"%s{external_deviceid}","flow_type":"%s{flow_type}","forward_gateway_name":"%s{fwd_gw_name}","hour":"%02d{hh}","ipcat":"%s{ipcat}","ips_custom_signature":"%d{ips_custom_signature}","location":"%s{location}","locationname":"%s{elocation}","login":"%s{login}","minute":"%02d{mm}","month":"%s{mon}","month_of_year":"%02d{mth}","dnat":"%s{dnat}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","ofwd_gw_name":"%s{ofwd_gw_name}","odevicehostname":"%s{odevicehostname}","oipcat":"%s{oipcat}","oip
srulelabel":"%s{oipsrulelabel}","ordr_rulename":"%s{ordr_rulename}","orulelabel":"%s{orulelabel}","ozpa_app_seg_name":"%s{ozpa_app_seg_name}","second":"%02d{ss}","numsessions":"%d{numsessions}","stateful":"%s{stateful}","threat_name":"%s{threatname}","threatcat":"%s{threatcat}","threatname":"%s{ethreatname}","tsip":"%s{tsip}","tuntype":"%s{ttype}","year":"%04d{yyyy}","ztunnelversion":"%s{ztunnelversion}","zpa_app_seg_name":"%s{zpa_app_seg_name}"\}\} +\{"version":"v2","sourcetype":"zscalernss-fw","event":\{"datetime":"%s{time}","outbytes":"%ld{outbytes}","cltdomain":"%s{cdfqdn}","destcountry":"%s{destcountry}","cdip":"%s{cdip}","sdip":"%s{sdip}","cdport":"%d{cdport}","sdport":"%d{sdport}","devicemodel":"%s{devicemodel}","action":"%s{action}","duration":"%d{duration}","recordid":"%d{recordid}","tz":"%s{tz}","devicename":"%s{devicename}","devicehostname":"%s{devicehostname}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","nwapp":"%s{nwapp}","nwsvc":"%s{nwsvc}","proto":"%s{ipproto}","ipsrulelabel":"%s{ipsrulelabel}","dnatrulelabel":"%s{dnatrulelabel}","rdr_rulename":"%s{rdr_rulename}","rule":"%s{rulelabel}","rulelabel":"%s{erulelabel}","inbytes":"%ld{inbytes}","srcipcountry":"%s{srcip_country}","csip":"%s{csip}","ssip":"%s{ssip}","csport":"%d{csport}","ssport":"%d{ssport}","user":"%s{elogin}","aggregate":"%s{aggregate}","bypassed_session":"%d{bypassed_session}","bypass_time":"%s{bypass_etime}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","datacenter":"%s{datacenter}","day_of_month":"%02d{dd}","department":"%s{edepartment}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","deviceowner":"%s{deviceowner}","avgduration":"%d{avgduration}","durationms":"%d{durationms}","epochtime":"%d{epochtime}","external_deviceid":"%s{external_deviceid}","flow_type":"%s{flow_type}","forward_gateway_name":"%s{fwd_gw_name}","hour":"%02d{hh}","ipcat":"%s{ipcat}","ips_custom_signature":"%d{ips_custom_signature}","locatio
n":"%s{location}","locationname":"%s{elocation}","login":"%s{login}","minute":"%02d{mm}","month":"%s{mon}","month_of_year":"%02d{mth}","dnat":"%s{dnat}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","ofwd_gw_name":"%s{ofwd_gw_name}","odevicehostname":"%s{odevicehostname}","oipcat":"%s{oipcat}","oipsrulelabel":"%s{oipsrulelabel}","ordr_rulename":"%s{ordr_rulename}","orulelabel":"%s{orulelabel}","ozpa_app_seg_name":"%s{ozpa_app_seg_name}","second":"%02d{ss}","numsessions":"%d{numsessions}","stateful":"%s{stateful}","threat_name":"%s{threatname}","threatcat":"%s{threatcat}","threatname":"%s{ethreatname}","tsip":"%s{tsip}","tuntype":"%s{ttype}","year":"%04d{yyyy}","ztunnelversion":"%s{ztunnelversion}","zpa_app_seg_name":"%s{zpa_app_seg_name}"\}\} ``` Sample Response: ```json -{"sourcetype":"zscalernss-fw","event":{"datetime":"Mon Oct 16 22:55:48 2023","cltdomain":"www.example.com","cdip":"2a02:cf40::","outbytes":"10000","cdport":"22","destcountry":"USA","devicemodel":"20L8S7WC08","sdip":"67.43.156.0","duration":"600","sdport":"443","tz":"GMT","action":"Blocked","devicehostname":"THINKPADSMITH","recordid":"123456","deviceosversion":"Version 10.14.2 (Build 18C54)","devicename":"admin","nwsvc":"HTTP","deviceostype":"iOS","ipsrulelabel":"Default IPS Rule","nwapp":"Skype","rdr_rulename":"FWD_Rule_1","proto":"TCP","rulelabel":"rule1","dnatrulelabel":"DNAT_Rule_1","srcipcountry":"United States","rule":"Default_Firewall_Filtering_Rule","ssip":"1.128.0.0","inbytes":"10000","ssport":"22","csip":"0.0.0.0","aggregate":"Yes","csport":"25","bypass_time":"Mon Oct 16 22:55:48 2023","user":"jdoe%40safemarch.com","datacentercountry":"US","bypassed_session":"1","day":"Mon","datacentercity":"Sa","department":"sales","datacenter":"CA Client Node 
DC","deviceappversion":"2.0.0.120","day_of_month":"16","avgduration":"600","dept":"Sales","eedone":"Yes","deviceowner":"jsmith","external_deviceid":"1234","durationms":"600","forward_gateway_name":"FWD_1","epochtime":"1578128400","ipcat":"Finance","flow_type":"Direct","location":"Headquarters","hour":"22","login":"jdo%40safemarch.com","ips_custom_signature":"0","month":"Oct","locationname":"Headquarters","dnat":"Yes","minute":"55","odevicename":"2175092224","month_of_year":"10","ofwd_gw_name":"8794487099","ocsip":"9960223283","oipcat":"5300295980","odeviceowner":"10831489","odnatlabel":"7956407282","odevicehostname":"2168890624","orulelabel":"624054738","oipsrulelabel":"6200694987","second":"48","ordr_rulename":"3399565100","stateful":"Yes","ozpa_app_seg_name":"7648246731","threatcat":"Botnet Callback","numsessions":"5","tsip":"89.160.20.128","threat_name":"Linux.Backdoor.Tsunami","year":"2023","threatname":"Linux.Backdoor","zpa_app_seg_name":"ZPA_test_app_segment","tuntype":"L2 tunnel","ztunnelversion":"ZTUNNEL_1_0"}} +{"version":"v2","sourcetype":"zscalernss-fw","event":{"datetime":"Mon Oct 16 22:55:48 2023","cltdomain":"www.example.com","cdip":"2a02:cf40::","outbytes":"10000","cdport":"22","destcountry":"USA","devicemodel":"20L8S7WC08","sdip":"67.43.156.0","duration":"600","sdport":"443","tz":"GMT","action":"Blocked","devicehostname":"THINKPADSMITH","recordid":"123456","deviceosversion":"Version 10.14.2 (Build 18C54)","devicename":"admin","nwsvc":"HTTP","deviceostype":"iOS","ipsrulelabel":"Default IPS Rule","nwapp":"Skype","rdr_rulename":"FWD_Rule_1","proto":"TCP","rulelabel":"rule1","dnatrulelabel":"DNAT_Rule_1","srcipcountry":"United States","rule":"Default_Firewall_Filtering_Rule","ssip":"1.128.0.0","inbytes":"10000","ssport":"22","csip":"0.0.0.0","aggregate":"Yes","csport":"25","bypass_time":"Mon Oct 16 22:55:48 
2023","user":"jdoe%40safemarch.com","datacentercountry":"US","bypassed_session":"1","day":"Mon","datacentercity":"Sa","department":"sales","datacenter":"CA Client Node DC","deviceappversion":"2.0.0.120","day_of_month":"16","avgduration":"600","dept":"Sales","eedone":"Yes","deviceowner":"jsmith","external_deviceid":"1234","durationms":"600","forward_gateway_name":"FWD_1","epochtime":"1578128400","ipcat":"Finance","flow_type":"Direct","location":"Headquarters","hour":"22","login":"jdo%40safemarch.com","ips_custom_signature":"0","month":"Oct","locationname":"Headquarters","dnat":"Yes","minute":"55","odevicename":"2175092224","month_of_year":"10","ofwd_gw_name":"8794487099","ocsip":"9960223283","oipcat":"5300295980","odeviceowner":"10831489","odnatlabel":"7956407282","odevicehostname":"2168890624","orulelabel":"624054738","oipsrulelabel":"6200694987","second":"48","ordr_rulename":"3399565100","stateful":"Yes","ozpa_app_seg_name":"7648246731","threatcat":"Botnet Callback","numsessions":"5","tsip":"89.160.20.128","threat_name":"Linux.Backdoor.Tsunami","year":"2023","threatname":"Linux.Backdoor","zpa_app_seg_name":"ZPA_test_app_segment","tuntype":"L2 tunnel","ztunnelversion":"ZTUNNEL_1_0"}} ``` ### Tunnel Log 
@@ -190,24 +190,24 @@ See: [Zscaler Vendor documentation]( https://help.zscaler.com/zia/nss-feed-outpu Zscaler Tunnel Log response formats (v2): - Tunnel Event: ``` - \{"sourcetype":"zscalernss-tunnel","event":\{"datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationip":"%s{destvip}","event":"%s{event}","eventreason":"%s{eventreason}","hh":"%02d{hh}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","recordid":"%d{recordid}","sourceip":"%s{sourceip}","sourceport":"%d{srcport}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunneltype":"%s{tunneltype}","timezone":"%s{tz}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\} + \{"version":"v2","sourcetype":"zscalernss-tunnel","event":\{"datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationip":"%s{destvip}","event":"%s{event}","eventreason":"%s{eventreason}","hh":"%02d{hh}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","recordid":"%d{recordid}","sourceip":"%s{sourceip}","sourceport":"%d{srcport}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunneltype":"%s{tunneltype}","timezone":"%s{tz}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\} ``` - Sample Event: ``` - 
\{"sourcetype":"zscalernss-tunnel","event":\{"datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationip":"%s{destvip}","dpdrec":"%d{dpdrec}","hh":"%02d{hh}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","recordid":"%d{recordid}","rxbytes":"%lu{rxbytes}","rxpackets":"%d{rxpackets}","sourceip":"%s{sourceip}","sourceport":"%d{srcport}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunneltype":"%s{tunneltype}","txbytes":"%lu{txbytes}","txpackets":"%d{txpackets}","timezone":"%s{tz}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\} + \{"version":"v2","sourcetype":"zscalernss-tunnel","event":\{"datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationip":"%s{destvip}","dpdrec":"%d{dpdrec}","hh":"%02d{hh}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","recordid":"%d{recordid}","rxbytes":"%lu{rxbytes}","rxpackets":"%d{rxpackets}","sourceip":"%s{sourceip}","sourceport":"%d{srcport}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunneltype":"%s{tunneltype}","txbytes":"%lu{txbytes}","txpackets":"%d{txpackets}","timezone":"%s{tz}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\} ``` - IKE Phase 1 ``` - 
\{"sourcetype":"zscalernss-tunnel","event":\{"algo":"%s{algo}","authentication":"%s{authentication}","authtype":"%s{authtype}","datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationip":"%s{destvip}","destinationport":"%d{dstport}","hh":"%02d{hh}","ikeversion":"%d{ikeversion}","lifetime":"%d{lifetime}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","recordid":"%d{recordid}","sourceip":"%s{sourceip}","spi_in":"%lu{spi_in}","spi_out":"%lu{spi_out}","sourceport":"%d{srcport}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunneltype":"IPSEC IKEV %d{ikeversion}","timezone":"%s{tz}","vendorname":"%s{vendorname}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\} + \{"version":"v2","sourcetype":"zscalernss-tunnel","event":\{"algo":"%s{algo}","authentication":"%s{authentication}","authtype":"%s{authtype}","datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationip":"%s{destvip}","destinationport":"%d{dstport}","hh":"%02d{hh}","ikeversion":"%d{ikeversion}","lifetime":"%d{lifetime}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","recordid":"%d{recordid}","sourceip":"%s{sourceip}","spi_in":"%lu{spi_in}","spi_out":"%lu{spi_out}","sourceport":"%d{srcport}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunneltype":"IPSEC IKEV %d{ikeversion}","timezone":"%s{tz}","vendorname":"%s{vendorname}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\} ``` - IKE Phase 2 ``` - 
\{"sourcetype":"zscalernss-tunnel","event":\{"algo":"%s{algo}","authentication":"%s{authentication}","authtype":"%s{authtype}","datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationipend":"%s{destipend}","destinationipstart":"%s{destipstart}","destinationportstart":"%d{destportstart}","destinationip":"%s{destvip}","hh":"%02d{hh}","ikeversion":"%d{ikeversion}","lifebytes":"%d{lifebytes}","lifetime":"%d{lifetime}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","protocol":"%s{protocol}","recordid":"%d{recordid}","sourceip":"%s{sourceip}","spi":"%d{spi}","srcipend":"%s{srcipend}","srcipstart":"%s{srcipstart}","sourceportstart":"%d{srcportstart}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunnelprotocol":"%s{tunnelprotocol}","tunneltype":"IPSEC IKEV %d{ikeversion}","timezone":"%s{tz}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\} + \{"version":"v2","sourcetype":"zscalernss-tunnel","event":\{"algo":"%s{algo}","authentication":"%s{authentication}","authtype":"%s{authtype}","datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationipend":"%s{destipend}","destinationipstart":"%s{destipstart}","destinationportstart":"%d{destportstart}","destinationip":"%s{destvip}","hh":"%02d{hh}","ikeversion":"%d{ikeversion}","lifebytes":"%d{lifebytes}","lifetime":"%d{lifetime}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","protocol":"%s{protocol}","recordid":"%d{recordid}","sourceip":"%s{sourceip}","spi":"%d{spi}","srcipend":"%s{srcipend}","srcipstart":"%s{srcipstart}","sourceportstart":"%d{srcportstart}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunnelprotocol":"%s{tunnelprotocol}","tunneltype":"IPSEC IKEV %d{ikeversion}","timezone":"%s{tz}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\} 
``` Sample Response: ```json -{"sourcetype":"zscalernss-tunnel","event":{"datetime":"Mon Oct 16 22:55:48 2023","destinationip":"67.43.156.1","destinationport":"500","recordid":"111234","timezone":"GMT","sourceip":"67.43.156.0","sourceport":"500","user":"jdoe@safemarch.com","authentication":"HMAC_MD5","authtype":"PSKEY","day":"Mon","dd":"16","algo":"DES_CBC","hh":"22","ikeversion":"IKE_VERSION_2","lifetime":"86400","locationname":"Headquarters","mm":"55","mon":"Oct","mth":"10","olocationname":"2168890624","ovpncredentialname":"4094304256","ss":"48","spi_in":"None","spi_out":"None","Recordtype":"None","vendorname":"CISCO","yyyy":"2023"}} +{"version":"v2","sourcetype":"zscalernss-tunnel","event":{"datetime":"Mon Oct 16 22:55:48 2023","destinationip":"67.43.156.1","destinationport":"500","recordid":"111234","timezone":"GMT","sourceip":"67.43.156.0","sourceport":"500","user":"jdoe@safemarch.com","authentication":"HMAC_MD5","authtype":"PSKEY","day":"Mon","dd":"16","algo":"DES_CBC","hh":"22","ikeversion":"IKE_VERSION_2","lifetime":"86400","locationname":"Headquarters","mm":"55","mon":"Oct","mth":"10","olocationname":"2168890624","ovpncredentialname":"4094304256","ss":"48","spi_in":"None","spi_out":"None","Recordtype":"None","vendorname":"CISCO","yyyy":"2023"}} ``` ### Web Log diff --git a/packages/zscaler_zia/changelog.yml b/packages/zscaler_zia/changelog.yml index 2090dfdf9d3..56557bba702 100644 --- a/packages/zscaler_zia/changelog.yml +++ b/packages/zscaler_zia/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.12.0" + changes: + - description: Add strict field template mode for TCP and HTTP Endpoint input data streams. + type: enhancement + link: https://github.com/elastic/integrations/pull/13904 - version: "3.11.0" changes: - description: Update `event.type` from info to access, and add the `event.outcome` ECS field. 
diff --git a/packages/zscaler_zia/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json b/packages/zscaler_zia/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json index 61de0e80a39..0d4c28b3a83 100644 --- a/packages/zscaler_zia/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json +++ b/packages/zscaler_zia/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json @@ -125,4 +125,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-audit-http-endpoint.log b/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-audit-http-endpoint.log index 9c783439cbc..64127b58173 100644 --- a/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-audit-http-endpoint.log +++ b/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-audit-http-endpoint.log 
@@ -1 +1,2 @@ -{ "sourcetype": "zscalernss-audit","input": {"type": "http_endpoint"}, "event": { "time": "Mon Oct 16 22:55:48 2023", "recordid": "1234", "action": "Activate", "category": "DATA_LOSS_PREVENTION_RESOURCE", "subcategory": "DLP_DICTIONARY", "resource": "SSL Rule Name", "interface": "API", "adminid": "example@zscaler.com", "clientip": "89.160.20.112", "result": "SUCCESS", "errorcode": "AUTHENTICATION_FAILED", "auditlogtype": "ZIA Portal Audit Log", "preaction": {}, "postaction": {} } } +{"sourcetype":"zscalernss-audit","input":{"type":"http_endpoint"},"event":{"time":"Mon Oct 16 22:55:48 2023","recordid":"1234","action":"Activate","category":"DATA_LOSS_PREVENTION_RESOURCE","subcategory":"DLP_DICTIONARY","resource":"SSL Rule Name","interface":"API","adminid":"example@zscaler.com","clientip":"89.160.20.112","result":"SUCCESS","errorcode":"AUTHENTICATION_FAILED","auditlogtype":"ZIA Portal Audit Log","preaction":{},"postaction":{},"timezone":"UTC"}} +{"version":"v1","sourcetype":"zscalernss-audit","input":{"type":"http_endpoint"},"event":{"time":"Mon Oct 16 22:55:48 2023","recordid":"1234","action":"Activate","category":"DATA_LOSS_PREVENTION_RESOURCE","subcategory":"DLP_DICTIONARY","resource":"SSL Rule Name","interface":"API","adminid":"example@zscaler.com","clientip":"89.160.20.112","result":"SUCCESS","errorcode":"AUTHENTICATION_FAILED","auditlogtype":"ZIA Portal Audit Log","preaction":{},"postaction":{},"timezone":"UTC"}} diff --git a/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-audit-http-endpoint.log-expected.json b/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-audit-http-endpoint.log-expected.json index 2917991b282..8ede781c49c 100644 --- a/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-audit-http-endpoint.log-expected.json +++ b/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-audit-http-endpoint.log-expected.json 
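Review bot: The added fixture line only carries a message whose `version` is `v1`, so neither error path that strict mode introduces — a template version other than the expected one, or a field set that does not match the expected signature — is exercised by the pipeline tests; the same gap is in the test-audit.log hunk. Because test-common-config.yml now turns `_conf.strict_fields` on for every fixture, a copy of this line with a constructed `"version":"v0"` and another with one event key dropped or added would pin the exact `error.message` text that operators will have to triage. Without such cases a regression in the check would pass silently.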
@@ -15,7 +15,7 @@ ], "id": "1234", "kind": "event", - "original": "{ \"sourcetype\": \"zscalernss-audit\",\"input\": {\"type\": \"http_endpoint\"}, \"event\": { \"time\": \"Mon Oct 16 22:55:48 2023\", \"recordid\": \"1234\", \"action\": \"Activate\", \"category\": \"DATA_LOSS_PREVENTION_RESOURCE\", \"subcategory\": \"DLP_DICTIONARY\", \"resource\": \"SSL Rule Name\", \"interface\": \"API\", \"adminid\": \"example@zscaler.com\", \"clientip\": \"89.160.20.112\", \"result\": \"SUCCESS\", \"errorcode\": \"AUTHENTICATION_FAILED\", \"auditlogtype\": \"ZIA Portal Audit Log\", \"preaction\": {}, \"postaction\": {} } }", + "original": "{\"sourcetype\":\"zscalernss-audit\",\"input\":{\"type\":\"http_endpoint\"},\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"recordid\":\"1234\",\"action\":\"Activate\",\"category\":\"DATA_LOSS_PREVENTION_RESOURCE\",\"subcategory\":\"DLP_DICTIONARY\",\"resource\":\"SSL Rule Name\",\"interface\":\"API\",\"adminid\":\"example@zscaler.com\",\"clientip\":\"89.160.20.112\",\"result\":\"SUCCESS\",\"errorcode\":\"AUTHENTICATION_FAILED\",\"auditlogtype\":\"ZIA Portal Audit Log\",\"preaction\":{},\"postaction\":{},\"timezone\":\"UTC\"}}", "outcome": "success", "timezone": "UTC", "type": [ 
@@ -75,9 +75,90 @@ "resource": "SSL Rule Name", "result": "SUCCESS", "sub_category": "DLP_DICTIONARY", - "time": "2023-10-16T22:55:48.000Z" + "time": "2023-10-16T22:55:48.000Z", + "timezone": "UTC" + } + } + }, + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "AUTHENTICATION_FAILED" + }, + "event": { + "action": "activate", + "category": [ + "configuration" + ], + "id": "1234", + "kind": "event", + "original": "{\"version\":\"v1\",\"sourcetype\":\"zscalernss-audit\",\"input\":{\"type\":\"http_endpoint\"},\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"recordid\":\"1234\",\"action\":\"Activate\",\"category\":\"DATA_LOSS_PREVENTION_RESOURCE\",\"subcategory\":\"DLP_DICTIONARY\",\"resource\":\"SSL Rule Name\",\"interface\":\"API\",\"adminid\":\"example@zscaler.com\",\"clientip\":\"89.160.20.112\",\"result\":\"SUCCESS\",\"errorcode\":\"AUTHENTICATION_FAILED\",\"auditlogtype\":\"ZIA Portal Audit Log\",\"preaction\":{},\"postaction\":{},\"timezone\":\"UTC\"}}", + "outcome": "success", + "timezone": "UTC", + "type": [ + "change" + ] + }, + "related": { + "ip": [ + "89.160.20.112" + ], + "user": [ + "example", + "example@zscaler.com" + ] + }, + "rule": { + "category": "DLP_DICTIONARY", + "name": "SSL Rule Name", + "ruleset": "DATA_LOSS_PREVENTION_RESOURCE" + }, + "source": { + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "zscaler.com", + "email": "example@zscaler.com", + "name": "example" + }, + "zscaler_zia": { + "audit": { + "action": "Activate", + "admin_id": "example@zscaler.com", + "audit_log_type": "ZIA Portal Audit Log", + "category": "DATA_LOSS_PREVENTION_RESOURCE", + 
"client_ip": "89.160.20.112", + "error_code": "AUTHENTICATION_FAILED", + "interface": "API", + "record": { + "id": "1234" + }, + "resource": "SSL Rule Name", + "result": "SUCCESS", + "sub_category": "DLP_DICTIONARY", + "time": "2023-10-16T22:55:48.000Z", + "timezone": "UTC" } } } ] -} \ No newline at end of file +} diff --git a/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-audit.log b/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-audit.log index fda3c570be8..19ae01f743d 100644 --- a/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-audit.log +++ b/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-audit.log 
@@ -1,3 +1,6 @@ -{ "sourcetype": "zscalernss-audit", "event": { "time": "Mon Oct 16 22:55:48 2023", "recordid": "1234", "action": "Activate", "category": "DATA_LOSS_PREVENTION_RESOURCE", "subcategory": "DLP_DICTIONARY", "resource": "SSL Rule Name", "interface": "API", "adminid": "example@zscaler.com", "clientip": "89.160.20.112", "result": "SUCCESS", "errorcode": "AUTHENTICATION_FAILED", "auditlogtype": "ZIA Portal Audit Log", "preaction": {}, "postaction": {} } } +{ "sourcetype": "zscalernss-audit", "event": { "time": "Mon Oct 16 22:55:48 2023", "recordid": "1234", "action": "Activate", "category": "DATA_LOSS_PREVENTION_RESOURCE", "subcategory": "DLP_DICTIONARY", "resource": "SSL Rule Name", "interface": "API", "adminid": "example@zscaler.com", "clientip": "89.160.20.112", "result": "SUCCESS", "errorcode": "AUTHENTICATION_FAILED", "auditlogtype": "ZIA Portal Audit Log", "preaction": {}, "postaction": {} , "timezone": "UTC"} } { "sourcetype": "zscalernss-audit", "event": { "time": "Mon Oct 16 22:55:48 2023", "recordid": "1234", "action": "Activate", "category": "DATA_LOSS_PREVENTION_RESOURCE", "subcategory": "DLP_DICTIONARY", "resource": "SSL Rule Name", "interface": "API", "adminid": "example@zscaler.com", "clientip": "89.160.20.112", "result": "SUCCESS", "errorcode": "AUTHENTICATION_FAILED", "auditlogtype": "ZIA Portal Audit Log", "timezone": "UTC", "preaction": {}, "postaction": {} } } -{"sourcetype":"zscalernss-audit","event":{"time":"Thu Jan 9 20:38:29 2025","recordid":"737420","action":"SIGN_OUT","category":"LOGIN","subcategory":"LOGIN","resource":"None","interface":"Unknown","adminid":"foo@example.com","clientip":"Unknown","result":"SUCCESS","errorcode":"None","auditlogtype":"EC","preaction":{},"postaction":{}}} +{"sourcetype":"zscalernss-audit","event":{"time":"Thu Jan 9 20:38:29 
2025","recordid":"737420","action":"SIGN_OUT","category":"LOGIN","subcategory":"LOGIN","resource":"None","interface":"Unknown","adminid":"foo@example.com","clientip":"Unknown","result":"SUCCESS","errorcode":"None","auditlogtype":"EC","preaction":{},"postaction":{},"timezone":"UTC"}} +{"version":"v1", "sourcetype": "zscalernss-audit", "event": { "time": "Mon Oct 16 22:55:48 2023", "recordid": "1234", "action": "Activate", "category": "DATA_LOSS_PREVENTION_RESOURCE", "subcategory": "DLP_DICTIONARY", "resource": "SSL Rule Name", "interface": "API", "adminid": "example@zscaler.com", "clientip": "89.160.20.112", "result": "SUCCESS", "errorcode": "AUTHENTICATION_FAILED", "auditlogtype": "ZIA Portal Audit Log", "preaction": {}, "postaction": {} , "timezone": "UTC"} } +{"version":"v1", "sourcetype": "zscalernss-audit", "event": { "time": "Mon Oct 16 22:55:48 2023", "recordid": "1234", "action": "Activate", "category": "DATA_LOSS_PREVENTION_RESOURCE", "subcategory": "DLP_DICTIONARY", "resource": "SSL Rule Name", "interface": "API", "adminid": "example@zscaler.com", "clientip": "89.160.20.112", "result": "SUCCESS", "errorcode": "AUTHENTICATION_FAILED", "auditlogtype": "ZIA Portal Audit Log", "timezone": "UTC", "preaction": {}, "postaction": {} } } +{"version":"v1","sourcetype":"zscalernss-audit","event":{"time":"Thu Jan 9 20:38:29 2025","recordid":"737420","action":"SIGN_OUT","category":"LOGIN","subcategory":"LOGIN","resource":"None","interface":"Unknown","adminid":"foo@example.com","clientip":"Unknown","result":"SUCCESS","errorcode":"None","auditlogtype":"EC","preaction":{},"postaction":{},"timezone":"UTC"}} diff --git a/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json b/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json index fdbebbaa533..45a7091fc20 100644 --- a/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json 
+++ b/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json @@ -15,7 +15,7 @@ ], "id": "1234", "kind": "event", - "original": "{ \"sourcetype\": \"zscalernss-audit\", \"event\": { \"time\": \"Mon Oct 16 22:55:48 2023\", \"recordid\": \"1234\", \"action\": \"Activate\", \"category\": \"DATA_LOSS_PREVENTION_RESOURCE\", \"subcategory\": \"DLP_DICTIONARY\", \"resource\": \"SSL Rule Name\", \"interface\": \"API\", \"adminid\": \"example@zscaler.com\", \"clientip\": \"89.160.20.112\", \"result\": \"SUCCESS\", \"errorcode\": \"AUTHENTICATION_FAILED\", \"auditlogtype\": \"ZIA Portal Audit Log\", \"preaction\": {}, \"postaction\": {} } }", + "original": "{ \"sourcetype\": \"zscalernss-audit\", \"event\": { \"time\": \"Mon Oct 16 22:55:48 2023\", \"recordid\": \"1234\", \"action\": \"Activate\", \"category\": \"DATA_LOSS_PREVENTION_RESOURCE\", \"subcategory\": \"DLP_DICTIONARY\", \"resource\": \"SSL Rule Name\", \"interface\": \"API\", \"adminid\": \"example@zscaler.com\", \"clientip\": \"89.160.20.112\", \"result\": \"SUCCESS\", \"errorcode\": \"AUTHENTICATION_FAILED\", \"auditlogtype\": \"ZIA Portal Audit Log\", \"preaction\": {}, \"postaction\": {} , \"timezone\": \"UTC\"} }", "outcome": "success", "timezone": "UTC", "type": [ @@ -75,7 +75,8 @@ "resource": "SSL Rule Name", "result": "SUCCESS", "sub_category": "DLP_DICTIONARY", - "time": "2023-10-16T22:55:48.000Z" + "time": "2023-10-16T22:55:48.000Z", + "timezone": "UTC" } } }, 
@@ -171,7 +172,7 @@ ], "id": "737420", "kind": "event", - "original": "{\"sourcetype\":\"zscalernss-audit\",\"event\":{\"time\":\"Thu Jan 9 20:38:29 2025\",\"recordid\":\"737420\",\"action\":\"SIGN_OUT\",\"category\":\"LOGIN\",\"subcategory\":\"LOGIN\",\"resource\":\"None\",\"interface\":\"Unknown\",\"adminid\":\"foo@example.com\",\"clientip\":\"Unknown\",\"result\":\"SUCCESS\",\"errorcode\":\"None\",\"auditlogtype\":\"EC\",\"preaction\":{},\"postaction\":{}}}", + "original": "{\"sourcetype\":\"zscalernss-audit\",\"event\":{\"time\":\"Thu Jan 9 20:38:29 2025\",\"recordid\":\"737420\",\"action\":\"SIGN_OUT\",\"category\":\"LOGIN\",\"subcategory\":\"LOGIN\",\"resource\":\"None\",\"interface\":\"Unknown\",\"adminid\":\"foo@example.com\",\"clientip\":\"Unknown\",\"result\":\"SUCCESS\",\"errorcode\":\"None\",\"auditlogtype\":\"EC\",\"preaction\":{},\"postaction\":{},\"timezone\":\"UTC\"}}", "outcome": "success", "timezone": "UTC", "type": [ 
@@ -208,7 +209,222 @@ }, "result": "SUCCESS", "sub_category": "LOGIN", - "time": "2025-01-09T20:38:29.000Z" + "time": "2025-01-09T20:38:29.000Z", + "timezone": "UTC" + } + } + }, + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "AUTHENTICATION_FAILED" + }, + "event": { + "action": "activate", + "category": [ + "configuration" + ], + "id": "1234", + "kind": "event", + "original": "{\"version\":\"v1\", \"sourcetype\": \"zscalernss-audit\", \"event\": { \"time\": \"Mon Oct 16 22:55:48 2023\", \"recordid\": \"1234\", \"action\": \"Activate\", \"category\": \"DATA_LOSS_PREVENTION_RESOURCE\", \"subcategory\": \"DLP_DICTIONARY\", \"resource\": \"SSL Rule Name\", \"interface\": \"API\", \"adminid\": \"example@zscaler.com\", \"clientip\": \"89.160.20.112\", \"result\": \"SUCCESS\", \"errorcode\": \"AUTHENTICATION_FAILED\", \"auditlogtype\": \"ZIA Portal Audit Log\", \"preaction\": {}, \"postaction\": {} , \"timezone\": \"UTC\"} }", + "outcome": "success", + "timezone": "UTC", + "type": [ + "change" + ] + }, + "related": { + "ip": [ + "89.160.20.112" + ], + "user": [ + "example", + "example@zscaler.com" + ] + }, + "rule": { + "category": "DLP_DICTIONARY", + "name": "SSL Rule Name", + "ruleset": "DATA_LOSS_PREVENTION_RESOURCE" + }, + "source": { + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "zscaler.com", + "email": "example@zscaler.com", + "name": "example" + }, + "zscaler_zia": { + "audit": { + "action": "Activate", + "admin_id": "example@zscaler.com", + "audit_log_type": "ZIA Portal Audit Log", + "category": "DATA_LOSS_PREVENTION_RESOURCE", + "client_ip": "89.160.20.112", + 
"error_code": "AUTHENTICATION_FAILED", + "interface": "API", + "record": { + "id": "1234" + }, + "resource": "SSL Rule Name", + "result": "SUCCESS", + "sub_category": "DLP_DICTIONARY", + "time": "2023-10-16T22:55:48.000Z", + "timezone": "UTC" + } + } + }, + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "AUTHENTICATION_FAILED" + }, + "event": { + "action": "activate", + "category": [ + "configuration" + ], + "id": "1234", + "kind": "event", + "original": "{\"version\":\"v1\", \"sourcetype\": \"zscalernss-audit\", \"event\": { \"time\": \"Mon Oct 16 22:55:48 2023\", \"recordid\": \"1234\", \"action\": \"Activate\", \"category\": \"DATA_LOSS_PREVENTION_RESOURCE\", \"subcategory\": \"DLP_DICTIONARY\", \"resource\": \"SSL Rule Name\", \"interface\": \"API\", \"adminid\": \"example@zscaler.com\", \"clientip\": \"89.160.20.112\", \"result\": \"SUCCESS\", \"errorcode\": \"AUTHENTICATION_FAILED\", \"auditlogtype\": \"ZIA Portal Audit Log\", \"timezone\": \"UTC\", \"preaction\": {}, \"postaction\": {} } }", + "outcome": "success", + "timezone": "UTC", + "type": [ + "change" + ] + }, + "related": { + "ip": [ + "89.160.20.112" + ], + "user": [ + "example", + "example@zscaler.com" + ] + }, + "rule": { + "category": "DLP_DICTIONARY", + "name": "SSL Rule Name", + "ruleset": "DATA_LOSS_PREVENTION_RESOURCE" + }, + "source": { + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "zscaler.com", + "email": "example@zscaler.com", + "name": "example" + }, + "zscaler_zia": { + "audit": { + "action": "Activate", + "admin_id": "example@zscaler.com", + "audit_log_type": "ZIA Portal Audit Log", + 
"category": "DATA_LOSS_PREVENTION_RESOURCE", + "client_ip": "89.160.20.112", + "error_code": "AUTHENTICATION_FAILED", + "interface": "API", + "record": { + "id": "1234" + }, + "resource": "SSL Rule Name", + "result": "SUCCESS", + "sub_category": "DLP_DICTIONARY", + "time": "2023-10-16T22:55:48.000Z", + "timezone": "UTC" + } + } + }, + { + "@timestamp": "2025-01-09T20:38:29.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "sign_out", + "category": [ + "authentication" + ], + "id": "737420", + "kind": "event", + "original": "{\"version\":\"v1\",\"sourcetype\":\"zscalernss-audit\",\"event\":{\"time\":\"Thu Jan 9 20:38:29 2025\",\"recordid\":\"737420\",\"action\":\"SIGN_OUT\",\"category\":\"LOGIN\",\"subcategory\":\"LOGIN\",\"resource\":\"None\",\"interface\":\"Unknown\",\"adminid\":\"foo@example.com\",\"clientip\":\"Unknown\",\"result\":\"SUCCESS\",\"errorcode\":\"None\",\"auditlogtype\":\"EC\",\"preaction\":{},\"postaction\":{},\"timezone\":\"UTC\"}}", + "outcome": "success", + "timezone": "UTC", + "type": [ + "info" + ] + }, + "related": { + "user": [ + "foo", + "foo@example.com" + ] + }, + "rule": { + "category": "LOGIN", + "ruleset": "LOGIN" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "example.com", + "email": "foo@example.com", + "name": "foo" + }, + "zscaler_zia": { + "audit": { + "action": "SIGN_OUT", + "admin_id": "foo@example.com", + "audit_log_type": "EC", + "category": "LOGIN", + "record": { + "id": "737420" + }, + "result": "SUCCESS", + "sub_category": "LOGIN", + "time": "2025-01-09T20:38:29.000Z", + "timezone": "UTC" } } } diff --git a/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-common-config.yml b/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-common-config.yml index be41bb0d476..2e06a253560 100644 --- a/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-common-config.yml 
+++ b/packages/zscaler_zia/data_stream/audit/_dev/test/pipeline/test-common-config.yml @@ -1,4 +1,6 @@ fields: + _conf: + strict_fields: true tags: - preserve_original_event - preserve_duplicate_custom_fields diff --git a/packages/zscaler_zia/data_stream/audit/agent/stream/http_endpoint.yml.hbs b/packages/zscaler_zia/data_stream/audit/agent/stream/http_endpoint.yml.hbs index f691a1cfe90..e1ac58a6bb7 100644 --- a/packages/zscaler_zia/data_stream/audit/agent/stream/http_endpoint.yml.hbs +++ b/packages/zscaler_zia/data_stream/audit/agent/stream/http_endpoint.yml.hbs @@ -28,6 +28,12 @@ publisher_pipeline.disable_host: true {{#if ssl}} ssl: {{ssl}} {{/if}} +{{#if strict_fields}} +fields_under_root: true +fields: + _conf: + strict_fields: true +{{/if}} {{#if processors}} processors: {{processors}} diff --git a/packages/zscaler_zia/data_stream/audit/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/data_stream/audit/agent/stream/tcp.yml.hbs index d8eb927edd6..2655bae4c06 100644 --- a/packages/zscaler_zia/data_stream/audit/agent/stream/tcp.yml.hbs +++ b/packages/zscaler_zia/data_stream/audit/agent/stream/tcp.yml.hbs @@ -18,6 +18,12 @@ publisher_pipeline.disable_host: true {{#if ssl}} ssl: {{ssl}} {{/if}} +{{#if strict_fields}} +fields_under_root: true +fields: + _conf: + strict_fields: true +{{/if}} {{#if processors}} processors: {{processors}} diff --git a/packages/zscaler_zia/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 168217e7386..bf626911bd0 100644 --- a/packages/zscaler_zia/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zscaler_zia/data_stream/audit/elasticsearch/ingest_pipeline/default.yml 
@@ -37,6 +37,30 @@ processors: tag: rename_resp_event target_field: json ignore_missing: true + - script: + params: + expect: + fields: action|adminid|auditlogtype|category|clientip|errorcode|interface|postaction|preaction|recordid|resource|result|subcategory|time|timezone + version: v1 + if: ctx.json != null && ctx._conf?.strict_fields == true + source: |- + if (ctx.resp?.version == null) { + def fields = []; + for (e in ctx.json.entrySet()) { + fields.add(e.getKey()); + } + Collections.sort(fields); + String signature = String.join("|", fields); + if (signature != params.expect.fields) { + ctx.error = ctx.error ?: [:]; + ctx.error.message = ctx.error.message ?: []; + ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields"); + } + } else if (ctx.resp.version != params.expect.version) { + ctx.error = ctx.error ?: [:]; + ctx.error.message = ctx.error.message ?: []; + ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version"); + } - remove: field: resp tag: remove_resp @@ -520,8 +544,10 @@ processors: ignore_missing: true if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') - remove: - field: json - tag: remove_json + field: + - json + - _conf + tag: remove_unused ignore_missing: true - script: lang: painless diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-common-config.yml b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-common-config.yml index be41bb0d476..2e06a253560 100644 --- a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-common-config.yml +++ b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-common-config.yml @@ -1,4 +1,6 @@ fields: + _conf: + strict_fields: true tags: - preserve_original_event - preserve_duplicate_custom_fields 
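Review bot: The new `script` processor is the only processor in the hunk without a `tag`, so if it throws (for example when `ctx.json` is present but is not a map, which `ctx.json != null` does not rule out, or when an existing `error.message` is not a list for `.add`) the on_failure entry cannot be attributed to it; `tag: check_strict_fields` would match `rename_resp_event` and `remove_resp` around it. The version-mismatch text also omits the expected value, which makes triage of `error.message` harder than it needs to be: `ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version "+params.expect.version);`. Whether `error.message` can already be a plain string at this point depends on processors outside the hunk, so that part is a question rather than a defect. The gating on `ctx._conf?.strict_fields` appears to rely on `_conf` arriving only from the agent-side `fields_under_root` config; if either input ever placed request body fields at the document root a sender could toggle the mode, so a comment above the `if` stating that `_conf` must originate from the agent configuration, not the payload, would document that assumption.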
diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http-endpoint.log b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http-endpoint.log index 29204704ba9..81320d1d4b8 100644 --- a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http-endpoint.log +++ b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http-endpoint.log 
@@ -1,3 +1,6 @@ -{"sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"No","epochtime":"1578128400","hour":"22","istcp":"0","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"192.168.2.200","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} -{"sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 
10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"192.168.2.200","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} -{"sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node 
DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"www.example.com","respipcategory":"Adult Themes","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} \ No newline at end of file +{"sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot 
#17","eedone":"No","epochtime":"1578128400","hour":"22","istcp":"0","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"192.168.2.200","respipcategory":"","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} +{"sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot 
#17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"192.168.2.200","respipcategory":"","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} +{"sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot 
#17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"www.example.com","respipcategory":"Adult Themes","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} +{"version":"v2","sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot 
#17","eedone":"No","epochtime":"1578128400","hour":"22","istcp":"0","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"192.168.2.200","respipcategory":"","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} +{"version":"v2","sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot 
#17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"192.168.2.200","respipcategory":"","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} +{"version":"v2","sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot 
#17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"www.example.com","respipcategory":"Adult Themes","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http-endpoint.log-expected.json b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http-endpoint.log-expected.json index 9f1efcef723..e6f00288b94 100644 --- a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http-endpoint.log-expected.json +++ b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http-endpoint.log-expected.json 
@@ -51,7 +51,7 @@ "duration": 1000000000, "id": "45648954", "kind": "event", - "original": "{\"sourcetype\":\"zscalernss-dns\",\"event\":{\"cloudname\":\"zscaler.net\",\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"devicemodel\":\"VMware7,1\",\"restype\":\"IPv4\",\"dns_req\":\"mail.safemarch.com\",\"dns_reqtype\":\"A record\",\"error\":\"EMPTY_RESP\",\"durationms\":\"1000\",\"recordid\":\"45648954\",\"tz\":\"GMT\",\"devicename\":\"admin\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"Windows OS\",\"deviceosversion\":\"Microsoft Windows 10 Enterprise;64 bit\",\"devicetype\":\"Zscaler Client Connector\",\"http_code\":\"100\",\"dnsapp\":\"Google DNS\",\"dns_gateway_server_protocol\":\"TCP\",\"protocol\":\"TCP\",\"company\":\"Zscaler\",\"reqrulelabel\":\"RULE_1\",\"resrulelabel\":\"RULE_RES\",\"clt_sip\":\"81.2.69.192\",\"srv_dip\":\"175.16.199.0\",\"srv_dport\":\"1025\",\"user\":\"jdoe1@safemarch.com\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"department\":\"EDept\",\"dept\":\"Sales\",\"deviceappversion\":\"4.3.0.18\",\"deviceowner\":\"jsmith\",\"dnsappcat\":\"Network Service\",\"dns_gateway_rule\":\"DNS GATEWAY Rule 1\",\"dns_gateway_status\":\"PRIMARY_SERVER_RESPONSE_PASS\",\"category\":\"Professional Services\",\"ecs_prefix\":\"192.168.0.0\",\"ecs_slot\":\"ECS Slot #17\",\"eedone\":\"No\",\"epochtime\":\"1578128400\",\"hour\":\"22\",\"istcp\":\"0\",\"loc\":\"Headquarters\",\"location\":\"ELocation\",\"login\":\"jdoe@safemarch.com\",\"minutes\":\"55\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"oclientsourceip\":\"9960223283\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odomcat\":\"4951704103\",\"odevicehostname\":\"2168890624\",\"reqaction\":\"REQ_ALLOW\",\"dns_resp\":\"192.168.2.200\",\"resaction\":\"RES_Action\",\"respipcat\":\"Adult Themes\",\"second\":\"48\",\"year\":\"2023\"}}", + "original": 
"{\"sourcetype\":\"zscalernss-dns\",\"event\":{\"cloudname\":\"zscaler.net\",\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"devicemodel\":\"VMware7,1\",\"restype\":\"IPv4\",\"dns_req\":\"mail.safemarch.com\",\"dns_reqtype\":\"A record\",\"error\":\"EMPTY_RESP\",\"durationms\":\"1000\",\"recordid\":\"45648954\",\"tz\":\"GMT\",\"devicename\":\"admin\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"Windows OS\",\"deviceosversion\":\"Microsoft Windows 10 Enterprise;64 bit\",\"devicetype\":\"Zscaler Client Connector\",\"http_code\":\"100\",\"dnsapp\":\"Google DNS\",\"dns_gateway_server_protocol\":\"TCP\",\"protocol\":\"TCP\",\"company\":\"Zscaler\",\"reqrulelabel\":\"RULE_1\",\"resrulelabel\":\"RULE_RES\",\"clt_sip\":\"81.2.69.192\",\"srv_dip\":\"175.16.199.0\",\"srv_dport\":\"1025\",\"user\":\"jdoe1@safemarch.com\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"department\":\"EDept\",\"dept\":\"Sales\",\"deviceappversion\":\"4.3.0.18\",\"deviceowner\":\"jsmith\",\"dnsappcat\":\"Network Service\",\"dns_gateway_rule\":\"DNS GATEWAY Rule 1\",\"dns_gateway_status\":\"PRIMARY_SERVER_RESPONSE_PASS\",\"category\":\"Professional Services\",\"ecs_prefix\":\"192.168.0.0\",\"ecs_slot\":\"ECS Slot #17\",\"eedone\":\"No\",\"epochtime\":\"1578128400\",\"hour\":\"22\",\"istcp\":\"0\",\"loc\":\"Headquarters\",\"location\":\"ELocation\",\"login\":\"jdoe@safemarch.com\",\"minutes\":\"55\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"oclientsourceip\":\"9960223283\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odomcat\":\"4951704103\",\"odevicehostname\":\"2168890624\",\"reqaction\":\"REQ_ALLOW\",\"dns_resp\":\"192.168.2.200\",\"respipcategory\":\"\",\"resaction\":\"RES_Action\",\"respipcat\":\"Adult Themes\",\"second\":\"48\",\"year\":\"2023\"}}", "timezone": "GMT", "type": [ "info" 
@@ -277,7 +277,7 @@ "duration": 1000000000, "id": "45648954", "kind": "event", - "original": "{\"sourcetype\":\"zscalernss-dns\",\"event\":{\"cloudname\":\"zscaler.net\",\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"devicemodel\":\"VMware7,1\",\"restype\":\"IPv4\",\"dns_req\":\"mail.safemarch.com\",\"dns_reqtype\":\"A record\",\"error\":\"EMPTY_RESP\",\"durationms\":\"1000\",\"recordid\":\"45648954\",\"tz\":\"GMT\",\"devicename\":\"admin\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"Windows OS\",\"deviceosversion\":\"Microsoft Windows 10 Enterprise;64 bit\",\"devicetype\":\"Zscaler Client Connector\",\"http_code\":\"100\",\"dnsapp\":\"Google DNS\",\"dns_gateway_server_protocol\":\"TCP\",\"protocol\":\"TCP\",\"company\":\"Zscaler\",\"reqrulelabel\":\"RULE_1\",\"resrulelabel\":\"RULE_RES\",\"clt_sip\":\"81.2.69.192\",\"srv_dip\":\"175.16.199.0\",\"srv_dport\":\"1025\",\"user\":\"jdoe1@safemarch.com\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"department\":\"EDept\",\"dept\":\"Sales\",\"deviceappversion\":\"4.3.0.18\",\"deviceowner\":\"jsmith\",\"dnsappcat\":\"Network Service\",\"dns_gateway_rule\":\"DNS GATEWAY Rule 1\",\"dns_gateway_status\":\"PRIMARY_SERVER_RESPONSE_PASS\",\"category\":\"Professional Services\",\"ecs_prefix\":\"192.168.0.0\",\"ecs_slot\":\"ECS Slot #17\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"hour\":\"22\",\"istcp\":\"1\",\"loc\":\"Headquarters\",\"location\":\"ELocation\",\"login\":\"jdoe@safemarch.com\",\"minutes\":\"55\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"oclientsourceip\":\"9960223283\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odomcat\":\"4951704103\",\"odevicehostname\":\"2168890624\",\"reqaction\":\"REQ_ALLOW\",\"dns_resp\":\"192.168.2.200\",\"resaction\":\"RES_Action\",\"respipcat\":\"Adult Themes\",\"second\":\"48\",\"year\":\"2023\"}}", + "original": 
"{\"sourcetype\":\"zscalernss-dns\",\"event\":{\"cloudname\":\"zscaler.net\",\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"devicemodel\":\"VMware7,1\",\"restype\":\"IPv4\",\"dns_req\":\"mail.safemarch.com\",\"dns_reqtype\":\"A record\",\"error\":\"EMPTY_RESP\",\"durationms\":\"1000\",\"recordid\":\"45648954\",\"tz\":\"GMT\",\"devicename\":\"admin\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"Windows OS\",\"deviceosversion\":\"Microsoft Windows 10 Enterprise;64 bit\",\"devicetype\":\"Zscaler Client Connector\",\"http_code\":\"100\",\"dnsapp\":\"Google DNS\",\"dns_gateway_server_protocol\":\"TCP\",\"protocol\":\"TCP\",\"company\":\"Zscaler\",\"reqrulelabel\":\"RULE_1\",\"resrulelabel\":\"RULE_RES\",\"clt_sip\":\"81.2.69.192\",\"srv_dip\":\"175.16.199.0\",\"srv_dport\":\"1025\",\"user\":\"jdoe1@safemarch.com\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"department\":\"EDept\",\"dept\":\"Sales\",\"deviceappversion\":\"4.3.0.18\",\"deviceowner\":\"jsmith\",\"dnsappcat\":\"Network Service\",\"dns_gateway_rule\":\"DNS GATEWAY Rule 1\",\"dns_gateway_status\":\"PRIMARY_SERVER_RESPONSE_PASS\",\"category\":\"Professional Services\",\"ecs_prefix\":\"192.168.0.0\",\"ecs_slot\":\"ECS Slot #17\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"hour\":\"22\",\"istcp\":\"1\",\"loc\":\"Headquarters\",\"location\":\"ELocation\",\"login\":\"jdoe@safemarch.com\",\"minutes\":\"55\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"oclientsourceip\":\"9960223283\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odomcat\":\"4951704103\",\"odevicehostname\":\"2168890624\",\"reqaction\":\"REQ_ALLOW\",\"dns_resp\":\"192.168.2.200\",\"respipcategory\":\"\",\"resaction\":\"RES_Action\",\"respipcat\":\"Adult Themes\",\"second\":\"48\",\"year\":\"2023\"}}", "timezone": "GMT", "type": [ "info" 
@@ -674,6 +674,681 @@ "year": 2023 } } + }, + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.0" + }, + "device": { + "model": { + "name": "VMware7,1" + } + }, + "dns": { + "answers": [ + { + "data": "192.168.2.200", + "type": "IPv4" + } + ], + "question": { + "name": "mail.safemarch.com", + "type": "A record" + }, + "resolved_ip": [ + "192.168.2.200" + ], + "response_code": "EMPTY_RESP" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "duration": 1000000000, + "id": "45648954", + "kind": "event", + "original": "{\"version\":\"v2\",\"sourcetype\":\"zscalernss-dns\",\"event\":{\"cloudname\":\"zscaler.net\",\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"devicemodel\":\"VMware7,1\",\"restype\":\"IPv4\",\"dns_req\":\"mail.safemarch.com\",\"dns_reqtype\":\"A record\",\"error\":\"EMPTY_RESP\",\"durationms\":\"1000\",\"recordid\":\"45648954\",\"tz\":\"GMT\",\"devicename\":\"admin\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"Windows OS\",\"deviceosversion\":\"Microsoft Windows 10 Enterprise;64 bit\",\"devicetype\":\"Zscaler Client Connector\",\"http_code\":\"100\",\"dnsapp\":\"Google DNS\",\"dns_gateway_server_protocol\":\"TCP\",\"protocol\":\"TCP\",\"company\":\"Zscaler\",\"reqrulelabel\":\"RULE_1\",\"resrulelabel\":\"RULE_RES\",\"clt_sip\":\"81.2.69.192\",\"srv_dip\":\"175.16.199.0\",\"srv_dport\":\"1025\",\"user\":\"jdoe1@safemarch.com\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"department\":\"EDept\",\"dept\":\"Sales\",\"deviceappversion\":\"4.3.0.18\",\"deviceowner\":\"jsmith\",\"dnsappcat\":\"Network 
Service\",\"dns_gateway_rule\":\"DNS GATEWAY Rule 1\",\"dns_gateway_status\":\"PRIMARY_SERVER_RESPONSE_PASS\",\"category\":\"Professional Services\",\"ecs_prefix\":\"192.168.0.0\",\"ecs_slot\":\"ECS Slot #17\",\"eedone\":\"No\",\"epochtime\":\"1578128400\",\"hour\":\"22\",\"istcp\":\"0\",\"loc\":\"Headquarters\",\"location\":\"ELocation\",\"login\":\"jdoe@safemarch.com\",\"minutes\":\"55\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"oclientsourceip\":\"9960223283\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odomcat\":\"4951704103\",\"odevicehostname\":\"2168890624\",\"reqaction\":\"REQ_ALLOW\",\"dns_resp\":\"192.168.2.200\",\"respipcategory\":\"\",\"resaction\":\"RES_Action\",\"respipcat\":\"Adult Themes\",\"second\":\"48\",\"year\":\"2023\"}}", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "host": { + "hostname": "admin", + "name": "thinkpadsmith", + "os": { + "version": "Microsoft Windows 10 Enterprise;64 bit" + }, + "type": "Zscaler Client Connector" + }, + "network": { + "application": "google dns", + "protocol": "dns", + "transport": [ + "tcp" + ] + }, + "organization": { + "name": "Zscaler" + }, + "related": { + "hosts": [ + "thinkpadsmith", + "admin" + ], + "ip": [ + "192.168.2.200", + "81.2.69.192", + "175.16.199.0" + ], + "user": [ + "jsmith", + "jdoe1", + "jdoe1@safemarch.com" + ] + }, + "rule": { + "name": [ + "RULE_1", + "RULE_RES" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.192", + "port": 1025 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "safemarch.com", + "email": "jdoe1@safemarch.com", + "name": "jdoe1" + }, + "zscaler_zia": { + "dns": { + "client": { + "ip": "81.2.69.192" + }, + "cloud": { + "name": "zscaler.net" + 
}, + "company": "Zscaler", + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "EDept", + "dept": "Sales", + "device": { + "appversion": "4.3.0.18", + "hostname": "THINKPADSMITH", + "model": "VMware7,1", + "name": "admin", + "os": { + "type": "Windows OS", + "version": "Microsoft Windows 10 Enterprise;64 bit" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "dns": { + "category": "Network Service", + "gateway": { + "rule": "DNS GATEWAY Rule 1", + "server_protocol": "TCP", + "status": "PRIMARY_SERVER_RESPONSE_PASS" + }, + "type": "Google DNS" + }, + "dom": { + "category": "Professional Services" + }, + "duration": { + "milliseconds": 1000 + }, + "ecs": { + "prefix": "192.168.0.0", + "slot": "ECS Slot #17" + }, + "eedone": "No", + "epochtime": "2020-01-04T09:00:00.000Z", + "error": "EMPTY_RESP", + "hour": 22, + "http_code": "100", + "istcp": "0", + "loc": "Headquarters", + "location": "ELocation", + "login": "jdoe@safemarch.com", + "minutes": 55, + "month": "Oct", + "month_of_year": 10, + "obfuscated": { + "client_source_ip": "9960223283", + "device": { + "name": "2175092224", + "owner": "10831489" + }, + "dom": { + "category": "4951704103" + }, + "host_name": "2168890624" + }, + "protocol": "TCP", + "record": { + "id": "45648954" + }, + "request": { + "action": "REQ_ALLOW", + "name": "mail.safemarch.com", + "rule": { + "label": "RULE_1" + }, + "type": "A record" + }, + "response": { + "action": "RES_Action", + "ip": "192.168.2.200", + "rule": { + "label": "RULE_RES" + }, + "type": "IPv4" + }, + "second": 48, + "server": { + "ip": "175.16.199.0", + "port": 1025 + }, + "time": "2023-10-16T22:55:48.000Z", + "timezone": "GMT", + "user": "jdoe1@safemarch.com", + "year": 2023 + } + } + }, + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "geo": { + "city_name": "Changchun", + "continent_name": 
"Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.0" + }, + "device": { + "model": { + "name": "VMware7,1" + } + }, + "dns": { + "answers": [ + { + "data": "192.168.2.200", + "type": "IPv4" + } + ], + "question": { + "name": "mail.safemarch.com", + "type": "A record" + }, + "resolved_ip": [ + "192.168.2.200" + ], + "response_code": "EMPTY_RESP" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "duration": 1000000000, + "id": "45648954", + "kind": "event", + "original": "{\"version\":\"v2\",\"sourcetype\":\"zscalernss-dns\",\"event\":{\"cloudname\":\"zscaler.net\",\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"devicemodel\":\"VMware7,1\",\"restype\":\"IPv4\",\"dns_req\":\"mail.safemarch.com\",\"dns_reqtype\":\"A record\",\"error\":\"EMPTY_RESP\",\"durationms\":\"1000\",\"recordid\":\"45648954\",\"tz\":\"GMT\",\"devicename\":\"admin\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"Windows OS\",\"deviceosversion\":\"Microsoft Windows 10 Enterprise;64 bit\",\"devicetype\":\"Zscaler Client Connector\",\"http_code\":\"100\",\"dnsapp\":\"Google DNS\",\"dns_gateway_server_protocol\":\"TCP\",\"protocol\":\"TCP\",\"company\":\"Zscaler\",\"reqrulelabel\":\"RULE_1\",\"resrulelabel\":\"RULE_RES\",\"clt_sip\":\"81.2.69.192\",\"srv_dip\":\"175.16.199.0\",\"srv_dport\":\"1025\",\"user\":\"jdoe1@safemarch.com\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"department\":\"EDept\",\"dept\":\"Sales\",\"deviceappversion\":\"4.3.0.18\",\"deviceowner\":\"jsmith\",\"dnsappcat\":\"Network Service\",\"dns_gateway_rule\":\"DNS GATEWAY Rule 1\",\"dns_gateway_status\":\"PRIMARY_SERVER_RESPONSE_PASS\",\"category\":\"Professional Services\",\"ecs_prefix\":\"192.168.0.0\",\"ecs_slot\":\"ECS Slot 
#17\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"hour\":\"22\",\"istcp\":\"1\",\"loc\":\"Headquarters\",\"location\":\"ELocation\",\"login\":\"jdoe@safemarch.com\",\"minutes\":\"55\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"oclientsourceip\":\"9960223283\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odomcat\":\"4951704103\",\"odevicehostname\":\"2168890624\",\"reqaction\":\"REQ_ALLOW\",\"dns_resp\":\"192.168.2.200\",\"respipcategory\":\"\",\"resaction\":\"RES_Action\",\"respipcat\":\"Adult Themes\",\"second\":\"48\",\"year\":\"2023\"}}", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "host": { + "hostname": "admin", + "name": "thinkpadsmith", + "os": { + "version": "Microsoft Windows 10 Enterprise;64 bit" + }, + "type": "Zscaler Client Connector" + }, + "network": { + "application": "google dns", + "protocol": "dns", + "transport": [ + "tcp" + ] + }, + "organization": { + "name": "Zscaler" + }, + "related": { + "hosts": [ + "thinkpadsmith", + "admin" + ], + "ip": [ + "192.168.2.200", + "81.2.69.192", + "175.16.199.0" + ], + "user": [ + "jsmith", + "jdoe1", + "jdoe1@safemarch.com" + ] + }, + "rule": { + "name": [ + "RULE_1", + "RULE_RES" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.192", + "port": 1025 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "safemarch.com", + "email": "jdoe1@safemarch.com", + "name": "jdoe1" + }, + "zscaler_zia": { + "dns": { + "client": { + "ip": "81.2.69.192" + }, + "cloud": { + "name": "zscaler.net" + }, + "company": "Zscaler", + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "EDept", + "dept": "Sales", + 
"device": { + "appversion": "4.3.0.18", + "hostname": "THINKPADSMITH", + "model": "VMware7,1", + "name": "admin", + "os": { + "type": "Windows OS", + "version": "Microsoft Windows 10 Enterprise;64 bit" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "dns": { + "category": "Network Service", + "gateway": { + "rule": "DNS GATEWAY Rule 1", + "server_protocol": "TCP", + "status": "PRIMARY_SERVER_RESPONSE_PASS" + }, + "type": "Google DNS" + }, + "dom": { + "category": "Professional Services" + }, + "duration": { + "milliseconds": 1000 + }, + "ecs": { + "prefix": "192.168.0.0", + "slot": "ECS Slot #17" + }, + "eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "error": "EMPTY_RESP", + "hour": 22, + "http_code": "100", + "istcp": "1", + "loc": "Headquarters", + "location": "ELocation", + "login": "jdoe@safemarch.com", + "minutes": 55, + "month": "Oct", + "month_of_year": 10, + "obfuscated": { + "client_source_ip": "9960223283", + "device": { + "name": "2175092224", + "owner": "10831489" + }, + "dom": { + "category": "4951704103" + }, + "host_name": "2168890624" + }, + "protocol": "TCP", + "record": { + "id": "45648954" + }, + "request": { + "action": "REQ_ALLOW", + "name": "mail.safemarch.com", + "rule": { + "label": "RULE_1" + }, + "type": "A record" + }, + "response": { + "action": "RES_Action", + "ip": "192.168.2.200", + "rule": { + "label": "RULE_RES" + }, + "type": "IPv4" + }, + "second": 48, + "server": { + "ip": "175.16.199.0", + "port": 1025 + }, + "time": "2023-10-16T22:55:48.000Z", + "timezone": "GMT", + "user": "jdoe1@safemarch.com", + "year": 2023 + } + } + }, + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": 
"175.16.199.0" + }, + "device": { + "model": { + "name": "VMware7,1" + } + }, + "dns": { + "answers": [ + { + "data": "www.example.com", + "type": "IPv4" + } + ], + "question": { + "name": "mail.safemarch.com", + "type": "A record" + }, + "response_code": "EMPTY_RESP" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "duration": 1000000000, + "id": "45648954", + "kind": "event", + "original": "{\"version\":\"v2\",\"sourcetype\":\"zscalernss-dns\",\"event\":{\"cloudname\":\"zscaler.net\",\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"devicemodel\":\"VMware7,1\",\"restype\":\"IPv4\",\"dns_req\":\"mail.safemarch.com\",\"dns_reqtype\":\"A record\",\"error\":\"EMPTY_RESP\",\"durationms\":\"1000\",\"recordid\":\"45648954\",\"tz\":\"GMT\",\"devicename\":\"admin\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"Windows OS\",\"deviceosversion\":\"Microsoft Windows 10 Enterprise;64 bit\",\"devicetype\":\"Zscaler Client Connector\",\"http_code\":\"100\",\"dnsapp\":\"Google DNS\",\"dns_gateway_server_protocol\":\"TCP\",\"protocol\":\"TCP\",\"company\":\"Zscaler\",\"reqrulelabel\":\"RULE_1\",\"resrulelabel\":\"RULE_RES\",\"clt_sip\":\"81.2.69.192\",\"srv_dip\":\"175.16.199.0\",\"srv_dport\":\"1025\",\"user\":\"jdoe1@safemarch.com\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"department\":\"EDept\",\"dept\":\"Sales\",\"deviceappversion\":\"4.3.0.18\",\"deviceowner\":\"jsmith\",\"dnsappcat\":\"Network Service\",\"dns_gateway_rule\":\"DNS GATEWAY Rule 1\",\"dns_gateway_status\":\"PRIMARY_SERVER_RESPONSE_PASS\",\"category\":\"Professional Services\",\"ecs_prefix\":\"192.168.0.0\",\"ecs_slot\":\"ECS Slot 
#17\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"hour\":\"22\",\"istcp\":\"1\",\"loc\":\"Headquarters\",\"location\":\"ELocation\",\"login\":\"jdoe@safemarch.com\",\"minutes\":\"55\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"oclientsourceip\":\"9960223283\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odomcat\":\"4951704103\",\"odevicehostname\":\"2168890624\",\"reqaction\":\"REQ_ALLOW\",\"dns_resp\":\"www.example.com\",\"respipcategory\":\"Adult Themes\",\"resaction\":\"RES_Action\",\"respipcat\":\"Adult Themes\",\"second\":\"48\",\"year\":\"2023\"}}", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "host": { + "hostname": "admin", + "name": "thinkpadsmith", + "os": { + "version": "Microsoft Windows 10 Enterprise;64 bit" + }, + "type": "Zscaler Client Connector" + }, + "network": { + "application": "google dns", + "protocol": "dns", + "transport": [ + "tcp" + ] + }, + "organization": { + "name": "Zscaler" + }, + "related": { + "hosts": [ + "thinkpadsmith", + "admin" + ], + "ip": [ + "81.2.69.192", + "175.16.199.0" + ], + "user": [ + "jsmith", + "jdoe1", + "jdoe1@safemarch.com" + ] + }, + "rule": { + "name": [ + "RULE_1", + "RULE_RES" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.192", + "port": 1025 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "safemarch.com", + "email": "jdoe1@safemarch.com", + "name": "jdoe1" + }, + "zscaler_zia": { + "dns": { + "client": { + "ip": "81.2.69.192" + }, + "cloud": { + "name": "zscaler.net" + }, + "company": "Zscaler", + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "EDept", + "dept": "Sales", + 
"device": { + "appversion": "4.3.0.18", + "hostname": "THINKPADSMITH", + "model": "VMware7,1", + "name": "admin", + "os": { + "type": "Windows OS", + "version": "Microsoft Windows 10 Enterprise;64 bit" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "dns": { + "category": "Network Service", + "gateway": { + "rule": "DNS GATEWAY Rule 1", + "server_protocol": "TCP", + "status": "PRIMARY_SERVER_RESPONSE_PASS" + }, + "type": "Google DNS" + }, + "dom": { + "category": "Professional Services" + }, + "duration": { + "milliseconds": 1000 + }, + "ecs": { + "prefix": "192.168.0.0", + "slot": "ECS Slot #17" + }, + "eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "error": "EMPTY_RESP", + "hour": 22, + "http_code": "100", + "istcp": "1", + "loc": "Headquarters", + "location": "ELocation", + "login": "jdoe@safemarch.com", + "minutes": 55, + "month": "Oct", + "month_of_year": 10, + "obfuscated": { + "client_source_ip": "9960223283", + "device": { + "name": "2175092224", + "owner": "10831489" + }, + "dom": { + "category": "4951704103" + }, + "host_name": "2168890624" + }, + "protocol": "TCP", + "record": { + "id": "45648954" + }, + "request": { + "action": "REQ_ALLOW", + "name": "mail.safemarch.com", + "rule": { + "label": "RULE_1" + }, + "type": "A record" + }, + "response": { + "action": "RES_Action", + "category": "Adult Themes", + "name": "www.example.com", + "rule": { + "label": "RULE_RES" + }, + "type": "IPv4" + }, + "second": 48, + "server": { + "ip": "175.16.199.0", + "port": 1025 + }, + "time": "2023-10-16T22:55:48.000Z", + "timezone": "GMT", + "user": "jdoe1@safemarch.com", + "year": 2023 + } + } } ] -} \ No newline at end of file +} diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log index 1738682e545..a10d2ee8aef 100644 --- a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log 
+++ b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log 
@@ -1,3 +1,6 @@ -{"sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","dns_resp":"192.168.2.200","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"No","epochtime":"1578128400","hour":"22","istcp":"0","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} -{"sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","dns_resp":"192.168.2.200","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows 
OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} -{"sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node 
DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"www.example.com","respipcategory":"Adult Themes","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} \ No newline at end of file +{"sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","dns_resp":"192.168.2.200","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional 
Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"No","epochtime":"1578128400","hour":"22","istcp":"0","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","respipcategory":"","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} +{"sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","dns_resp":"192.168.2.200","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot 
#17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","respipcategory":"","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} +{"sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"www.example.com","respipcategory":"Adult 
Themes","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} +{"version":"v2","sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","dns_resp":"192.168.2.200","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"No","epochtime":"1578128400","hour":"22","istcp":"0","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","respipcategory":"","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} +{"version":"v2","sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","dns_resp":"192.168.2.200","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A 
record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","respipcategory":"","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} +{"version":"v2","sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google 
DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"www.example.com","respipcategory":"Adult Themes","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json index e2f8445e753..1d6cc7e28df 100644 --- a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json +++ b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json 
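Review bot: Every record this hunk adds exercises only the accepting path of the new strict template check: the three new records carry `"version":"v2"` and the same field set as the three without a version key, so nothing in this fixture pins the behavior on a version mismatch or on a record missing a template field, which the commit message describes as the fallback check. Unless test-common-config.yml (outside this hunk) already covers it, a seventh record copied from the first with a non-matching version such as `"version":"v1"` (constructed value) and an eighth with one field removed would document what the pipeline emits when the check fails. Note also that adding `"respipcategory":""` to the first two records removes the only records that previously lacked that field, which would otherwise have been the natural missing-field case.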
@@ -51,7 +51,7 @@ "duration": 1000000000, "id": "45648954", "kind": "event", - "original": "{\"sourcetype\":\"zscalernss-dns\",\"event\":{\"cloudname\":\"zscaler.net\",\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"dns_resp\":\"192.168.2.200\",\"devicemodel\":\"VMware7,1\",\"restype\":\"IPv4\",\"dns_req\":\"mail.safemarch.com\",\"dns_reqtype\":\"A record\",\"error\":\"EMPTY_RESP\",\"durationms\":\"1000\",\"recordid\":\"45648954\",\"tz\":\"GMT\",\"devicename\":\"admin\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"Windows OS\",\"deviceosversion\":\"Microsoft Windows 10 Enterprise;64 bit\",\"devicetype\":\"Zscaler Client Connector\",\"http_code\":\"100\",\"dnsapp\":\"Google DNS\",\"dns_gateway_server_protocol\":\"TCP\",\"protocol\":\"TCP\",\"company\":\"Zscaler\",\"reqrulelabel\":\"RULE_1\",\"resrulelabel\":\"RULE_RES\",\"clt_sip\":\"81.2.69.192\",\"srv_dip\":\"175.16.199.0\",\"srv_dport\":\"1025\",\"user\":\"jdoe1@safemarch.com\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"department\":\"EDept\",\"dept\":\"Sales\",\"deviceappversion\":\"4.3.0.18\",\"deviceowner\":\"jsmith\",\"dnsappcat\":\"Network Service\",\"dns_gateway_rule\":\"DNS GATEWAY Rule 1\",\"dns_gateway_status\":\"PRIMARY_SERVER_RESPONSE_PASS\",\"category\":\"Professional Services\",\"ecs_prefix\":\"192.168.0.0\",\"ecs_slot\":\"ECS Slot #17\",\"eedone\":\"No\",\"epochtime\":\"1578128400\",\"hour\":\"22\",\"istcp\":\"0\",\"loc\":\"Headquarters\",\"location\":\"ELocation\",\"login\":\"jdoe@safemarch.com\",\"minutes\":\"55\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"oclientsourceip\":\"9960223283\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odomcat\":\"4951704103\",\"odevicehostname\":\"2168890624\",\"reqaction\":\"REQ_ALLOW\",\"resaction\":\"RES_Action\",\"respipcat\":\"Adult Themes\",\"second\":\"48\",\"year\":\"2023\"}}", + "original": 
"{\"sourcetype\":\"zscalernss-dns\",\"event\":{\"cloudname\":\"zscaler.net\",\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"dns_resp\":\"192.168.2.200\",\"devicemodel\":\"VMware7,1\",\"restype\":\"IPv4\",\"dns_req\":\"mail.safemarch.com\",\"dns_reqtype\":\"A record\",\"error\":\"EMPTY_RESP\",\"durationms\":\"1000\",\"recordid\":\"45648954\",\"tz\":\"GMT\",\"devicename\":\"admin\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"Windows OS\",\"deviceosversion\":\"Microsoft Windows 10 Enterprise;64 bit\",\"devicetype\":\"Zscaler Client Connector\",\"http_code\":\"100\",\"dnsapp\":\"Google DNS\",\"dns_gateway_server_protocol\":\"TCP\",\"protocol\":\"TCP\",\"company\":\"Zscaler\",\"reqrulelabel\":\"RULE_1\",\"resrulelabel\":\"RULE_RES\",\"clt_sip\":\"81.2.69.192\",\"srv_dip\":\"175.16.199.0\",\"srv_dport\":\"1025\",\"user\":\"jdoe1@safemarch.com\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"department\":\"EDept\",\"dept\":\"Sales\",\"deviceappversion\":\"4.3.0.18\",\"deviceowner\":\"jsmith\",\"dnsappcat\":\"Network Service\",\"dns_gateway_rule\":\"DNS GATEWAY Rule 1\",\"dns_gateway_status\":\"PRIMARY_SERVER_RESPONSE_PASS\",\"category\":\"Professional Services\",\"ecs_prefix\":\"192.168.0.0\",\"ecs_slot\":\"ECS Slot #17\",\"eedone\":\"No\",\"epochtime\":\"1578128400\",\"hour\":\"22\",\"istcp\":\"0\",\"loc\":\"Headquarters\",\"location\":\"ELocation\",\"login\":\"jdoe@safemarch.com\",\"minutes\":\"55\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"oclientsourceip\":\"9960223283\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odomcat\":\"4951704103\",\"odevicehostname\":\"2168890624\",\"reqaction\":\"REQ_ALLOW\",\"respipcategory\":\"\",\"resaction\":\"RES_Action\",\"respipcat\":\"Adult Themes\",\"second\":\"48\",\"year\":\"2023\"}}", "timezone": "GMT", "type": [ "info" 
@@ -277,7 +277,7 @@ "duration": 1000000000, "id": "45648954", "kind": "event", - "original": "{\"sourcetype\":\"zscalernss-dns\",\"event\":{\"cloudname\":\"zscaler.net\",\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"dns_resp\":\"192.168.2.200\",\"devicemodel\":\"VMware7,1\",\"restype\":\"IPv4\",\"dns_req\":\"mail.safemarch.com\",\"dns_reqtype\":\"A record\",\"error\":\"EMPTY_RESP\",\"durationms\":\"1000\",\"recordid\":\"45648954\",\"tz\":\"GMT\",\"devicename\":\"admin\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"Windows OS\",\"deviceosversion\":\"Microsoft Windows 10 Enterprise;64 bit\",\"devicetype\":\"Zscaler Client Connector\",\"http_code\":\"100\",\"dnsapp\":\"Google DNS\",\"dns_gateway_server_protocol\":\"TCP\",\"protocol\":\"TCP\",\"company\":\"Zscaler\",\"reqrulelabel\":\"RULE_1\",\"resrulelabel\":\"RULE_RES\",\"clt_sip\":\"81.2.69.192\",\"srv_dip\":\"175.16.199.0\",\"srv_dport\":\"1025\",\"user\":\"jdoe1@safemarch.com\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"department\":\"EDept\",\"dept\":\"Sales\",\"deviceappversion\":\"4.3.0.18\",\"deviceowner\":\"jsmith\",\"dnsappcat\":\"Network Service\",\"dns_gateway_rule\":\"DNS GATEWAY Rule 1\",\"dns_gateway_status\":\"PRIMARY_SERVER_RESPONSE_PASS\",\"category\":\"Professional Services\",\"ecs_prefix\":\"192.168.0.0\",\"ecs_slot\":\"ECS Slot #17\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"hour\":\"22\",\"istcp\":\"1\",\"loc\":\"Headquarters\",\"location\":\"ELocation\",\"login\":\"jdoe@safemarch.com\",\"minutes\":\"55\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"oclientsourceip\":\"9960223283\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odomcat\":\"4951704103\",\"odevicehostname\":\"2168890624\",\"reqaction\":\"REQ_ALLOW\",\"resaction\":\"RES_Action\",\"respipcat\":\"Adult Themes\",\"second\":\"48\",\"year\":\"2023\"}}", + "original": 
"{\"sourcetype\":\"zscalernss-dns\",\"event\":{\"cloudname\":\"zscaler.net\",\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"dns_resp\":\"192.168.2.200\",\"devicemodel\":\"VMware7,1\",\"restype\":\"IPv4\",\"dns_req\":\"mail.safemarch.com\",\"dns_reqtype\":\"A record\",\"error\":\"EMPTY_RESP\",\"durationms\":\"1000\",\"recordid\":\"45648954\",\"tz\":\"GMT\",\"devicename\":\"admin\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"Windows OS\",\"deviceosversion\":\"Microsoft Windows 10 Enterprise;64 bit\",\"devicetype\":\"Zscaler Client Connector\",\"http_code\":\"100\",\"dnsapp\":\"Google DNS\",\"dns_gateway_server_protocol\":\"TCP\",\"protocol\":\"TCP\",\"company\":\"Zscaler\",\"reqrulelabel\":\"RULE_1\",\"resrulelabel\":\"RULE_RES\",\"clt_sip\":\"81.2.69.192\",\"srv_dip\":\"175.16.199.0\",\"srv_dport\":\"1025\",\"user\":\"jdoe1@safemarch.com\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"department\":\"EDept\",\"dept\":\"Sales\",\"deviceappversion\":\"4.3.0.18\",\"deviceowner\":\"jsmith\",\"dnsappcat\":\"Network Service\",\"dns_gateway_rule\":\"DNS GATEWAY Rule 1\",\"dns_gateway_status\":\"PRIMARY_SERVER_RESPONSE_PASS\",\"category\":\"Professional Services\",\"ecs_prefix\":\"192.168.0.0\",\"ecs_slot\":\"ECS Slot #17\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"hour\":\"22\",\"istcp\":\"1\",\"loc\":\"Headquarters\",\"location\":\"ELocation\",\"login\":\"jdoe@safemarch.com\",\"minutes\":\"55\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"oclientsourceip\":\"9960223283\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odomcat\":\"4951704103\",\"odevicehostname\":\"2168890624\",\"reqaction\":\"REQ_ALLOW\",\"respipcategory\":\"\",\"resaction\":\"RES_Action\",\"respipcat\":\"Adult Themes\",\"second\":\"48\",\"year\":\"2023\"}}", "timezone": "GMT", "type": [ "info" 
@@ -674,6 +674,681 @@ "year": 2023 } } + }, + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.0" + }, + "device": { + "model": { + "name": "VMware7,1" + } + }, + "dns": { + "answers": [ + { + "data": "192.168.2.200", + "type": "IPv4" + } + ], + "question": { + "name": "mail.safemarch.com", + "type": "A record" + }, + "resolved_ip": [ + "192.168.2.200" + ], + "response_code": "EMPTY_RESP" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "duration": 1000000000, + "id": "45648954", + "kind": "event", + "original": "{\"version\":\"v2\",\"sourcetype\":\"zscalernss-dns\",\"event\":{\"cloudname\":\"zscaler.net\",\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"dns_resp\":\"192.168.2.200\",\"devicemodel\":\"VMware7,1\",\"restype\":\"IPv4\",\"dns_req\":\"mail.safemarch.com\",\"dns_reqtype\":\"A record\",\"error\":\"EMPTY_RESP\",\"durationms\":\"1000\",\"recordid\":\"45648954\",\"tz\":\"GMT\",\"devicename\":\"admin\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"Windows OS\",\"deviceosversion\":\"Microsoft Windows 10 Enterprise;64 bit\",\"devicetype\":\"Zscaler Client Connector\",\"http_code\":\"100\",\"dnsapp\":\"Google DNS\",\"dns_gateway_server_protocol\":\"TCP\",\"protocol\":\"TCP\",\"company\":\"Zscaler\",\"reqrulelabel\":\"RULE_1\",\"resrulelabel\":\"RULE_RES\",\"clt_sip\":\"81.2.69.192\",\"srv_dip\":\"175.16.199.0\",\"srv_dport\":\"1025\",\"user\":\"jdoe1@safemarch.com\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node 
DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"department\":\"EDept\",\"dept\":\"Sales\",\"deviceappversion\":\"4.3.0.18\",\"deviceowner\":\"jsmith\",\"dnsappcat\":\"Network Service\",\"dns_gateway_rule\":\"DNS GATEWAY Rule 1\",\"dns_gateway_status\":\"PRIMARY_SERVER_RESPONSE_PASS\",\"category\":\"Professional Services\",\"ecs_prefix\":\"192.168.0.0\",\"ecs_slot\":\"ECS Slot #17\",\"eedone\":\"No\",\"epochtime\":\"1578128400\",\"hour\":\"22\",\"istcp\":\"0\",\"loc\":\"Headquarters\",\"location\":\"ELocation\",\"login\":\"jdoe@safemarch.com\",\"minutes\":\"55\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"oclientsourceip\":\"9960223283\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odomcat\":\"4951704103\",\"odevicehostname\":\"2168890624\",\"reqaction\":\"REQ_ALLOW\",\"respipcategory\":\"\",\"resaction\":\"RES_Action\",\"respipcat\":\"Adult Themes\",\"second\":\"48\",\"year\":\"2023\"}}", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "host": { + "hostname": "admin", + "name": "thinkpadsmith", + "os": { + "version": "Microsoft Windows 10 Enterprise;64 bit" + }, + "type": "Zscaler Client Connector" + }, + "network": { + "application": "google dns", + "protocol": "dns", + "transport": [ + "tcp" + ] + }, + "organization": { + "name": "Zscaler" + }, + "related": { + "hosts": [ + "thinkpadsmith", + "admin" + ], + "ip": [ + "192.168.2.200", + "81.2.69.192", + "175.16.199.0" + ], + "user": [ + "jsmith", + "jdoe1", + "jdoe1@safemarch.com" + ] + }, + "rule": { + "name": [ + "RULE_1", + "RULE_RES" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.192", + "port": 1025 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "safemarch.com", + "email": 
"jdoe1@safemarch.com", + "name": "jdoe1" + }, + "zscaler_zia": { + "dns": { + "client": { + "ip": "81.2.69.192" + }, + "cloud": { + "name": "zscaler.net" + }, + "company": "Zscaler", + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "EDept", + "dept": "Sales", + "device": { + "appversion": "4.3.0.18", + "hostname": "THINKPADSMITH", + "model": "VMware7,1", + "name": "admin", + "os": { + "type": "Windows OS", + "version": "Microsoft Windows 10 Enterprise;64 bit" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "dns": { + "category": "Network Service", + "gateway": { + "rule": "DNS GATEWAY Rule 1", + "server_protocol": "TCP", + "status": "PRIMARY_SERVER_RESPONSE_PASS" + }, + "type": "Google DNS" + }, + "dom": { + "category": "Professional Services" + }, + "duration": { + "milliseconds": 1000 + }, + "ecs": { + "prefix": "192.168.0.0", + "slot": "ECS Slot #17" + }, + "eedone": "No", + "epochtime": "2020-01-04T09:00:00.000Z", + "error": "EMPTY_RESP", + "hour": 22, + "http_code": "100", + "istcp": "0", + "loc": "Headquarters", + "location": "ELocation", + "login": "jdoe@safemarch.com", + "minutes": 55, + "month": "Oct", + "month_of_year": 10, + "obfuscated": { + "client_source_ip": "9960223283", + "device": { + "name": "2175092224", + "owner": "10831489" + }, + "dom": { + "category": "4951704103" + }, + "host_name": "2168890624" + }, + "protocol": "TCP", + "record": { + "id": "45648954" + }, + "request": { + "action": "REQ_ALLOW", + "name": "mail.safemarch.com", + "rule": { + "label": "RULE_1" + }, + "type": "A record" + }, + "response": { + "action": "RES_Action", + "ip": "192.168.2.200", + "rule": { + "label": "RULE_RES" + }, + "type": "IPv4" + }, + "second": 48, + "server": { + "ip": "175.16.199.0", + "port": 1025 + }, + "time": "2023-10-16T22:55:48.000Z", + "timezone": "GMT", + "user": "jdoe1@safemarch.com", + "year": 2023 + } + } + }, + { + "@timestamp": 
"2023-10-16T22:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.0" + }, + "device": { + "model": { + "name": "VMware7,1" + } + }, + "dns": { + "answers": [ + { + "data": "192.168.2.200", + "type": "IPv4" + } + ], + "question": { + "name": "mail.safemarch.com", + "type": "A record" + }, + "resolved_ip": [ + "192.168.2.200" + ], + "response_code": "EMPTY_RESP" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "duration": 1000000000, + "id": "45648954", + "kind": "event", + "original": "{\"version\":\"v2\",\"sourcetype\":\"zscalernss-dns\",\"event\":{\"cloudname\":\"zscaler.net\",\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"dns_resp\":\"192.168.2.200\",\"devicemodel\":\"VMware7,1\",\"restype\":\"IPv4\",\"dns_req\":\"mail.safemarch.com\",\"dns_reqtype\":\"A record\",\"error\":\"EMPTY_RESP\",\"durationms\":\"1000\",\"recordid\":\"45648954\",\"tz\":\"GMT\",\"devicename\":\"admin\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"Windows OS\",\"deviceosversion\":\"Microsoft Windows 10 Enterprise;64 bit\",\"devicetype\":\"Zscaler Client Connector\",\"http_code\":\"100\",\"dnsapp\":\"Google DNS\",\"dns_gateway_server_protocol\":\"TCP\",\"protocol\":\"TCP\",\"company\":\"Zscaler\",\"reqrulelabel\":\"RULE_1\",\"resrulelabel\":\"RULE_RES\",\"clt_sip\":\"81.2.69.192\",\"srv_dip\":\"175.16.199.0\",\"srv_dport\":\"1025\",\"user\":\"jdoe1@safemarch.com\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"department\":\"EDept\",\"dept\":\"Sales\",\"deviceappversion\":\"4.3.0.18\",\"deviceowner\":\"jsmith\",\"dnsappcat\":\"Network Service\",\"dns_gateway_rule\":\"DNS 
GATEWAY Rule 1\",\"dns_gateway_status\":\"PRIMARY_SERVER_RESPONSE_PASS\",\"category\":\"Professional Services\",\"ecs_prefix\":\"192.168.0.0\",\"ecs_slot\":\"ECS Slot #17\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"hour\":\"22\",\"istcp\":\"1\",\"loc\":\"Headquarters\",\"location\":\"ELocation\",\"login\":\"jdoe@safemarch.com\",\"minutes\":\"55\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"oclientsourceip\":\"9960223283\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odomcat\":\"4951704103\",\"odevicehostname\":\"2168890624\",\"reqaction\":\"REQ_ALLOW\",\"respipcategory\":\"\",\"resaction\":\"RES_Action\",\"respipcat\":\"Adult Themes\",\"second\":\"48\",\"year\":\"2023\"}}", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "host": { + "hostname": "admin", + "name": "thinkpadsmith", + "os": { + "version": "Microsoft Windows 10 Enterprise;64 bit" + }, + "type": "Zscaler Client Connector" + }, + "network": { + "application": "google dns", + "protocol": "dns", + "transport": [ + "tcp" + ] + }, + "organization": { + "name": "Zscaler" + }, + "related": { + "hosts": [ + "thinkpadsmith", + "admin" + ], + "ip": [ + "192.168.2.200", + "81.2.69.192", + "175.16.199.0" + ], + "user": [ + "jsmith", + "jdoe1", + "jdoe1@safemarch.com" + ] + }, + "rule": { + "name": [ + "RULE_1", + "RULE_RES" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.192", + "port": 1025 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "safemarch.com", + "email": "jdoe1@safemarch.com", + "name": "jdoe1" + }, + "zscaler_zia": { + "dns": { + "client": { + "ip": "81.2.69.192" + }, + "cloud": { + "name": "zscaler.net" + }, + "company": "Zscaler", + "datacenter": { + "city": "Sa", + 
"country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "EDept", + "dept": "Sales", + "device": { + "appversion": "4.3.0.18", + "hostname": "THINKPADSMITH", + "model": "VMware7,1", + "name": "admin", + "os": { + "type": "Windows OS", + "version": "Microsoft Windows 10 Enterprise;64 bit" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "dns": { + "category": "Network Service", + "gateway": { + "rule": "DNS GATEWAY Rule 1", + "server_protocol": "TCP", + "status": "PRIMARY_SERVER_RESPONSE_PASS" + }, + "type": "Google DNS" + }, + "dom": { + "category": "Professional Services" + }, + "duration": { + "milliseconds": 1000 + }, + "ecs": { + "prefix": "192.168.0.0", + "slot": "ECS Slot #17" + }, + "eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "error": "EMPTY_RESP", + "hour": 22, + "http_code": "100", + "istcp": "1", + "loc": "Headquarters", + "location": "ELocation", + "login": "jdoe@safemarch.com", + "minutes": 55, + "month": "Oct", + "month_of_year": 10, + "obfuscated": { + "client_source_ip": "9960223283", + "device": { + "name": "2175092224", + "owner": "10831489" + }, + "dom": { + "category": "4951704103" + }, + "host_name": "2168890624" + }, + "protocol": "TCP", + "record": { + "id": "45648954" + }, + "request": { + "action": "REQ_ALLOW", + "name": "mail.safemarch.com", + "rule": { + "label": "RULE_1" + }, + "type": "A record" + }, + "response": { + "action": "RES_Action", + "ip": "192.168.2.200", + "rule": { + "label": "RULE_RES" + }, + "type": "IPv4" + }, + "second": 48, + "server": { + "ip": "175.16.199.0", + "port": 1025 + }, + "time": "2023-10-16T22:55:48.000Z", + "timezone": "GMT", + "user": "jdoe1@safemarch.com", + "year": 2023 + } + } + }, + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + 
"location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.0" + }, + "device": { + "model": { + "name": "VMware7,1" + } + }, + "dns": { + "answers": [ + { + "data": "www.example.com", + "type": "IPv4" + } + ], + "question": { + "name": "mail.safemarch.com", + "type": "A record" + }, + "response_code": "EMPTY_RESP" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "duration": 1000000000, + "id": "45648954", + "kind": "event", + "original": "{\"version\":\"v2\",\"sourcetype\":\"zscalernss-dns\",\"event\":{\"cloudname\":\"zscaler.net\",\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"devicemodel\":\"VMware7,1\",\"restype\":\"IPv4\",\"dns_req\":\"mail.safemarch.com\",\"dns_reqtype\":\"A record\",\"error\":\"EMPTY_RESP\",\"durationms\":\"1000\",\"recordid\":\"45648954\",\"tz\":\"GMT\",\"devicename\":\"admin\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"Windows OS\",\"deviceosversion\":\"Microsoft Windows 10 Enterprise;64 bit\",\"devicetype\":\"Zscaler Client Connector\",\"http_code\":\"100\",\"dnsapp\":\"Google DNS\",\"dns_gateway_server_protocol\":\"TCP\",\"protocol\":\"TCP\",\"company\":\"Zscaler\",\"reqrulelabel\":\"RULE_1\",\"resrulelabel\":\"RULE_RES\",\"clt_sip\":\"81.2.69.192\",\"srv_dip\":\"175.16.199.0\",\"srv_dport\":\"1025\",\"user\":\"jdoe1@safemarch.com\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"department\":\"EDept\",\"dept\":\"Sales\",\"deviceappversion\":\"4.3.0.18\",\"deviceowner\":\"jsmith\",\"dnsappcat\":\"Network Service\",\"dns_gateway_rule\":\"DNS GATEWAY Rule 1\",\"dns_gateway_status\":\"PRIMARY_SERVER_RESPONSE_PASS\",\"category\":\"Professional Services\",\"ecs_prefix\":\"192.168.0.0\",\"ecs_slot\":\"ECS Slot 
#17\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"hour\":\"22\",\"istcp\":\"1\",\"loc\":\"Headquarters\",\"location\":\"ELocation\",\"login\":\"jdoe@safemarch.com\",\"minutes\":\"55\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"oclientsourceip\":\"9960223283\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odomcat\":\"4951704103\",\"odevicehostname\":\"2168890624\",\"reqaction\":\"REQ_ALLOW\",\"dns_resp\":\"www.example.com\",\"respipcategory\":\"Adult Themes\",\"resaction\":\"RES_Action\",\"respipcat\":\"Adult Themes\",\"second\":\"48\",\"year\":\"2023\"}}", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "host": { + "hostname": "admin", + "name": "thinkpadsmith", + "os": { + "version": "Microsoft Windows 10 Enterprise;64 bit" + }, + "type": "Zscaler Client Connector" + }, + "network": { + "application": "google dns", + "protocol": "dns", + "transport": [ + "tcp" + ] + }, + "organization": { + "name": "Zscaler" + }, + "related": { + "hosts": [ + "thinkpadsmith", + "admin" + ], + "ip": [ + "81.2.69.192", + "175.16.199.0" + ], + "user": [ + "jsmith", + "jdoe1", + "jdoe1@safemarch.com" + ] + }, + "rule": { + "name": [ + "RULE_1", + "RULE_RES" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.192", + "port": 1025 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "safemarch.com", + "email": "jdoe1@safemarch.com", + "name": "jdoe1" + }, + "zscaler_zia": { + "dns": { + "client": { + "ip": "81.2.69.192" + }, + "cloud": { + "name": "zscaler.net" + }, + "company": "Zscaler", + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "EDept", + "dept": "Sales", + 
"device": { + "appversion": "4.3.0.18", + "hostname": "THINKPADSMITH", + "model": "VMware7,1", + "name": "admin", + "os": { + "type": "Windows OS", + "version": "Microsoft Windows 10 Enterprise;64 bit" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "dns": { + "category": "Network Service", + "gateway": { + "rule": "DNS GATEWAY Rule 1", + "server_protocol": "TCP", + "status": "PRIMARY_SERVER_RESPONSE_PASS" + }, + "type": "Google DNS" + }, + "dom": { + "category": "Professional Services" + }, + "duration": { + "milliseconds": 1000 + }, + "ecs": { + "prefix": "192.168.0.0", + "slot": "ECS Slot #17" + }, + "eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "error": "EMPTY_RESP", + "hour": 22, + "http_code": "100", + "istcp": "1", + "loc": "Headquarters", + "location": "ELocation", + "login": "jdoe@safemarch.com", + "minutes": 55, + "month": "Oct", + "month_of_year": 10, + "obfuscated": { + "client_source_ip": "9960223283", + "device": { + "name": "2175092224", + "owner": "10831489" + }, + "dom": { + "category": "4951704103" + }, + "host_name": "2168890624" + }, + "protocol": "TCP", + "record": { + "id": "45648954" + }, + "request": { + "action": "REQ_ALLOW", + "name": "mail.safemarch.com", + "rule": { + "label": "RULE_1" + }, + "type": "A record" + }, + "response": { + "action": "RES_Action", + "category": "Adult Themes", + "name": "www.example.com", + "rule": { + "label": "RULE_RES" + }, + "type": "IPv4" + }, + "second": 48, + "server": { + "ip": "175.16.199.0", + "port": 1025 + }, + "time": "2023-10-16T22:55:48.000Z", + "timezone": "GMT", + "user": "jdoe1@safemarch.com", + "year": 2023 + } + } } ] -} \ No newline at end of file +} diff --git a/packages/zscaler_zia/data_stream/dns/agent/stream/http_endpoint.yml.hbs b/packages/zscaler_zia/data_stream/dns/agent/stream/http_endpoint.yml.hbs index f691a1cfe90..e1ac58a6bb7 100644 --- a/packages/zscaler_zia/data_stream/dns/agent/stream/http_endpoint.yml.hbs 
+++ b/packages/zscaler_zia/data_stream/dns/agent/stream/http_endpoint.yml.hbs @@ -28,6 +28,12 @@ publisher_pipeline.disable_host: true {{#if ssl}} ssl: {{ssl}} {{/if}} +{{#if strict_fields}} +fields_under_root: true +fields: + _conf: + strict_fields: true +{{/if}} {{#if processors}} processors: {{processors}} diff --git a/packages/zscaler_zia/data_stream/dns/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/data_stream/dns/agent/stream/tcp.yml.hbs index d8eb927edd6..2655bae4c06 100644 --- a/packages/zscaler_zia/data_stream/dns/agent/stream/tcp.yml.hbs +++ b/packages/zscaler_zia/data_stream/dns/agent/stream/tcp.yml.hbs @@ -18,6 +18,12 @@ publisher_pipeline.disable_host: true {{#if ssl}} ssl: {{ssl}} {{/if}} +{{#if strict_fields}} +fields_under_root: true +fields: + _conf: + strict_fields: true +{{/if}} {{#if processors}} processors: {{processors}} diff --git a/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml index 665ea7a49d7..81e041e1a63 100644 --- a/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml 
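Review bot: The `_conf.strict_fields` object injected under `fields_under_root: true` is a pipeline-control carrier rather than event data, and nothing in the template says so or that the ingest pipeline is expected to strip it; a one-line comment inside the block, `{{!-- _conf is a control value consumed and removed by the ingest pipeline; it is not event data --}}`, would keep a later maintainer from mapping or documenting it as a field. The same block is added to tcp.yml.hbs in the next hunk, so the comment belongs there as well. Because the value is hard-coded to `true` and only emitted when the option is set, a `strict_fields: false` setting produces no `_conf` at all, which matches the pipeline's `== true` test; this is worth stating in the option's description if it is not already, since the manifest change is not in view here.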
@@ -37,6 +37,30 @@ processors: tag: rename_resp_event target_field: json ignore_missing: true + - script: + params: + expect: + fields: category|cloudname|clt_sip|company|datacenter|datacentercity|datacentercountry|datetime|day|day_of_month|department|dept|deviceappversion|devicehostname|devicemodel|devicename|deviceostype|deviceosversion|deviceowner|devicetype|dns_gateway_rule|dns_gateway_server_protocol|dns_gateway_status|dns_req|dns_reqtype|dns_resp|dnsapp|dnsappcat|durationms|ecs_prefix|ecs_slot|eedone|epochtime|error|hour|http_code|istcp|loc|location|login|minutes|month|month_of_year|oclientsourceip|odevicehostname|odevicename|odeviceowner|odomcat|protocol|recordid|reqaction|reqrulelabel|resaction|respipcat|respipcategory|resrulelabel|restype|second|srv_dip|srv_dport|tz|user|year + version: v2 + if: ctx.json != null && ctx._conf?.strict_fields == true + source: |- + if (ctx.resp?.version == null) { + def fields = []; + for (e in ctx.json.entrySet()) { + fields.add(e.getKey()); + } + Collections.sort(fields); + String signature = String.join("|", fields); + if (signature != params.expect.fields) { + ctx.error = ctx.error ?: [:]; + ctx.error.message = ctx.error.message ?: []; + ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields"); + } + } else if (ctx.resp.version != params.expect.version) { + ctx.error = ctx.error ?: [:]; + ctx.error.message = ctx.error.message ?: []; + ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version"); + } - remove: field: resp tag: remove_resp @@ -775,8 +799,10 @@ processors: ignore_missing: true if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') - remove: - field: json - tag: remove_json + field: + - json + - _conf + tag: remove_unused ignore_missing: true - script: tag: script_to_drop_null_values 
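Review bot: The field-set branch reports only the full sorted signature, so an operator reading `field set mismatch: ...` on a sixty-field message has to diff two long strings by hand to find which field drifted; computing the missing and unexpected sets against `params.expect.fields` split on `|` makes the report actionable, which is the point of a template-drift check. Separately, `ctx.error.message = ctx.error.message ?: []` followed by `.add(...)` assumes any pre-existing `error.message` is a list; if an earlier processor has set it as a string (an `append` processor would coerce, a script does not), the `.add` throws and the whole script fails instead of recording the mismatch — inferred, since the earlier processors are outside this hunk. Consider also appending a tag such as `zscaler_zia-template-mismatch` so affected events can be queried without parsing `error.message`. The rewritten field-set branch below leaves the version branch as it is.
```yaml
      source: |-
        if (ctx.resp?.version == null) {
          def expected = new HashSet(Arrays.asList(params.expect.fields.splitOnToken('|')));
          def present = new HashSet(ctx.json.keySet());
          def missing = new TreeSet(expected);
          missing.removeAll(present);
          def unexpected = new TreeSet(present);
          unexpected.removeAll(expected);
          if (!missing.isEmpty() || !unexpected.isEmpty()) {
            ctx.error = ctx.error ?: [:];
            ctx.error.message = ctx.error.message ?: [];
            ctx.error.message.add("field set mismatch: missing=" + missing + " unexpected=" + unexpected);
          }
        }
        // … unchanged: template version branch …
```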
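Review bot: The `_conf` removal added to the `remove_unused` processor sits at the tail of the pipeline, so it only runs on the success path; an event that fails an earlier processor and is routed to `on_failure` (outside this hunk, so inferred) would be indexed with `_conf.strict_fields` still present, and that key is unlikely to have a mapping. If the `on_failure` handler does not already drop it, adding `- remove: { field: _conf, ignore_missing: true }` there, or moving the `_conf` removal to run directly after the strict-fields script, closes that gap. The same tail removal appears in the other data streams' pipelines per the diffstat, so the same applies to them.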
diff --git a/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-common-config.yml b/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-common-config.yml index be41bb0d476..2e06a253560 100644 --- a/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-common-config.yml +++ b/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-common-config.yml @@ -1,4 +1,6 @@ fields: + _conf: + strict_fields: true tags: - preserve_original_event - preserve_duplicate_custom_fields diff --git a/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-endpoint-dlp-http-endpoint.log b/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-endpoint-dlp-http-endpoint.log index bf11b2d281e..ad919ac4038 100644 --- a/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-endpoint-dlp-http-endpoint.log +++ b/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-endpoint-dlp-http-endpoint.log 
@@ -1 +1,2 @@ -{ "sourcetype": "zscalernss-edlp","input": {"type": "http_endpoint"}, "event": { "actiontaken" : "allow", "activitytype" : "email_sent", "additionalinfo" : "File already open by another application", "channel" : "Network Drive Transfer", "confirmaction" : "confirm", "confirmjustification" : "My manager approved it", "datacenter" : "Georgia", "datacentercity" : "Atlanta", "datacentercountry" : "US", "day" : "Mon", "dd" : "16", "department" : "TempDept", "deviceappversion" : "Ver-2199", "devicehostname" : "Host", "devicemodel" : "Model-2022", "devicename" : "Dev 1", "deviceostype" : "Windows", "deviceosversion" : "Win-11", "deviceowner" : "Administrator", "deviceplatform" : "Windows", "devicetype" : "WinUser", "dlpdictcount" : "12|13", "dlpdictnames" : "dlp: dlp discription|dlp2: dlp discription2|dlp3: dlp discription3", "dlpenginenames" : "dlpengine|dlpengine1|dlpengine2", "dlpidentifier" : "12", "dsttype" : "personal_cloud_storage", "eventtime" : "Mon Oct 16 22:55:48 2023", "expectedaction" : "block", "filedoctype" : "Medical", "filedstpath" : "dest_path", "filemd5" : "938c2cc0dcc05f2b68c4287040cfcf71", "filesha" : "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612", "filesrcpath" : "source_path", "filetypecategory" : "PLS File (pls)", "filetypename" : "exe64", "hh" : "22", "itemdstname" : "nanolog", "itemname" : "endpoint_dlp", "itemsrcname" : "endpoint", "itemtype" : "email_attachment", "logtype" : "dlp_incident", "mm" : "55", "mon" : "Oct", "mth" : "10", "numdlpdictids" : "8", "numdlpengineids" : "12", "recordid" : "2", "feedtime" : "Mon Oct 16 22:55:48 2023", "scannedbytes" : "290812", "scantime" : "1210", "severity" : "High Severity", "srctype" : "network_share", "ss" : "48", "datetime" : "Mon Oct 16 22:55:48 2023", "rulename" : "configured_rule", "timezone" : "GMT", "user" : "TempUser", "yyyy" : "2023", "zdpmode" : "block mode" } } +{ "sourcetype": "zscalernss-edlp","input": {"type": "http_endpoint"}, "event": { "actiontaken" : 
"allow", "activitytype" : "email_sent", "additionalinfo" : "File already open by another application", "channel" : "Network Drive Transfer", "confirmaction" : "confirm", "confirmjustification" : "My manager approved it", "datacenter" : "Georgia", "datacentercity" : "Atlanta", "datacentercountry" : "US", "day" : "Mon", "dd" : "16", "department" : "TempDept", "deviceappversion" : "Ver-2199", "devicehostname" : "Host", "devicemodel" : "Model-2022", "devicename" : "Dev 1", "deviceostype" : "Windows", "deviceosversion" : "Win-11", "deviceowner" : "Administrator", "deviceplatform" : "Windows", "devicetype" : "WinUser", "dlpdictcount" : "12|13", "dlpdictnames" : "dlp: dlp discription|dlp2: dlp discription2|dlp3: dlp discription3", "dlpenginenames" : "dlpengine|dlpengine1|dlpengine2", "dlpidentifier" : "12", "dsttype" : "personal_cloud_storage", "eventtime" : "Mon Oct 16 22:55:48 2023", "expectedaction" : "block", "filedoctype" : "Medical", "filedstpath" : "dest_path", "filemd5" : "938c2cc0dcc05f2b68c4287040cfcf71", "filesha" : "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612", "filesrcpath" : "source_path", "filetypecategory" : "PLS File (pls)", "filetypename" : "exe64", "hh" : "22", "itemdstname" : "nanolog", "itemname" : "endpoint_dlp", "itemsrcname" : "endpoint", "itemtype" : "email_attachment", "logtype" : "dlp_incident", "mm" : "55", "mon" : "Oct", "mth" : "10", "numdlpdictids" : "8", "numdlpengineids" : "12", "recordid" : "2", "feedtime" : "Mon Oct 16 22:55:48 2023", "odepartment": "", "odevicehostname": "", "odevicename": "", "odeviceowner": "", "odlpdictnames": "", "odlpenginenames": "", "ofiledstpath": "", "ofilesrcpath": "", "oitemdstname": "", "oitemname": "", "oitemsrcname": "", "ootherrulelabels": "", "orulename": "", "otherrulelabels": "", "ouser": "", "scannedbytes" : "290812", "scantime" : "1210", "severity" : "High Severity", "srctype" : "network_share", "ss" : "48", "datetime" : "Mon Oct 16 22:55:48 2023", "rulename" : "configured_rule", 
"timezone" : "GMT", "user" : "TempUser", "yyyy" : "2023", "zdpmode" : "block mode" } } +{"version":"v1", "sourcetype": "zscalernss-edlp","input": {"type": "http_endpoint"}, "event": { "actiontaken" : "allow", "activitytype" : "email_sent", "additionalinfo" : "File already open by another application", "channel" : "Network Drive Transfer", "confirmaction" : "confirm", "confirmjustification" : "My manager approved it", "datacenter" : "Georgia", "datacentercity" : "Atlanta", "datacentercountry" : "US", "day" : "Mon", "dd" : "16", "department" : "TempDept", "deviceappversion" : "Ver-2199", "devicehostname" : "Host", "devicemodel" : "Model-2022", "devicename" : "Dev 1", "deviceostype" : "Windows", "deviceosversion" : "Win-11", "deviceowner" : "Administrator", "deviceplatform" : "Windows", "devicetype" : "WinUser", "dlpdictcount" : "12|13", "dlpdictnames" : "dlp: dlp discription|dlp2: dlp discription2|dlp3: dlp discription3", "dlpenginenames" : "dlpengine|dlpengine1|dlpengine2", "dlpidentifier" : "12", "dsttype" : "personal_cloud_storage", "eventtime" : "Mon Oct 16 22:55:48 2023", "expectedaction" : "block", "filedoctype" : "Medical", "filedstpath" : "dest_path", "filemd5" : "938c2cc0dcc05f2b68c4287040cfcf71", "filesha" : "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612", "filesrcpath" : "source_path", "filetypecategory" : "PLS File (pls)", "filetypename" : "exe64", "hh" : "22", "itemdstname" : "nanolog", "itemname" : "endpoint_dlp", "itemsrcname" : "endpoint", "itemtype" : "email_attachment", "logtype" : "dlp_incident", "mm" : "55", "mon" : "Oct", "mth" : "10", "numdlpdictids" : "8", "numdlpengineids" : "12", "recordid" : "2", "feedtime" : "Mon Oct 16 22:55:48 2023", "odepartment": "", "odevicehostname": "", "odevicename": "", "odeviceowner": "", "odlpdictnames": "", "odlpenginenames": "", "ofiledstpath": "", "ofilesrcpath": "", "oitemdstname": "", "oitemname": "", "oitemsrcname": "", "ootherrulelabels": "", "orulename": "", "otherrulelabels": "", 
"ouser": "", "scannedbytes" : "290812", "scantime" : "1210", "severity" : "High Severity", "srctype" : "network_share", "ss" : "48", "datetime" : "Mon Oct 16 22:55:48 2023", "rulename" : "configured_rule", "timezone" : "GMT", "user" : "TempUser", "yyyy" : "2023", "zdpmode" : "block mode" } } diff --git a/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-endpoint-dlp-http-endpoint.log-expected.json b/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-endpoint-dlp-http-endpoint.log-expected.json index b9e9e8c8c45..a02a96a085b 100644 --- a/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-endpoint-dlp-http-endpoint.log-expected.json +++ b/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-endpoint-dlp-http-endpoint.log-expected.json 
@@ -17,7 +17,166 @@ ], "id": "2", "kind": "alert", - "original": "{ \"sourcetype\": \"zscalernss-edlp\",\"input\": {\"type\": \"http_endpoint\"}, \"event\": { \"actiontaken\" : \"allow\", \"activitytype\" : \"email_sent\", \"additionalinfo\" : \"File already open by another application\", \"channel\" : \"Network Drive Transfer\", \"confirmaction\" : \"confirm\", \"confirmjustification\" : \"My manager approved it\", \"datacenter\" : \"Georgia\", \"datacentercity\" : \"Atlanta\", \"datacentercountry\" : \"US\", \"day\" : \"Mon\", \"dd\" : \"16\", \"department\" : \"TempDept\", \"deviceappversion\" : \"Ver-2199\", \"devicehostname\" : \"Host\", \"devicemodel\" : \"Model-2022\", \"devicename\" : \"Dev 1\", \"deviceostype\" : \"Windows\", \"deviceosversion\" : \"Win-11\", \"deviceowner\" : \"Administrator\", \"deviceplatform\" : \"Windows\", \"devicetype\" : \"WinUser\", \"dlpdictcount\" : \"12|13\", \"dlpdictnames\" : \"dlp: dlp discription|dlp2: dlp discription2|dlp3: dlp discription3\", \"dlpenginenames\" : \"dlpengine|dlpengine1|dlpengine2\", \"dlpidentifier\" : \"12\", \"dsttype\" : \"personal_cloud_storage\", \"eventtime\" : \"Mon Oct 16 22:55:48 2023\", \"expectedaction\" : \"block\", \"filedoctype\" : \"Medical\", \"filedstpath\" : \"dest_path\", \"filemd5\" : \"938c2cc0dcc05f2b68c4287040cfcf71\", \"filesha\" : \"076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612\", \"filesrcpath\" : \"source_path\", \"filetypecategory\" : \"PLS File (pls)\", \"filetypename\" : \"exe64\", \"hh\" : \"22\", \"itemdstname\" : \"nanolog\", \"itemname\" : \"endpoint_dlp\", \"itemsrcname\" : \"endpoint\", \"itemtype\" : \"email_attachment\", \"logtype\" : \"dlp_incident\", \"mm\" : \"55\", \"mon\" : \"Oct\", \"mth\" : \"10\", \"numdlpdictids\" : \"8\", \"numdlpengineids\" : \"12\", \"recordid\" : \"2\", \"feedtime\" : \"Mon Oct 16 22:55:48 2023\", \"scannedbytes\" : \"290812\", \"scantime\" : \"1210\", \"severity\" : \"High Severity\", \"srctype\" : \"network_share\", 
\"ss\" : \"48\", \"datetime\" : \"Mon Oct 16 22:55:48 2023\", \"rulename\" : \"configured_rule\", \"timezone\" : \"GMT\", \"user\" : \"TempUser\", \"yyyy\" : \"2023\", \"zdpmode\" : \"block mode\" } }", + "original": "{ \"sourcetype\": \"zscalernss-edlp\",\"input\": {\"type\": \"http_endpoint\"}, \"event\": { \"actiontaken\" : \"allow\", \"activitytype\" : \"email_sent\", \"additionalinfo\" : \"File already open by another application\", \"channel\" : \"Network Drive Transfer\", \"confirmaction\" : \"confirm\", \"confirmjustification\" : \"My manager approved it\", \"datacenter\" : \"Georgia\", \"datacentercity\" : \"Atlanta\", \"datacentercountry\" : \"US\", \"day\" : \"Mon\", \"dd\" : \"16\", \"department\" : \"TempDept\", \"deviceappversion\" : \"Ver-2199\", \"devicehostname\" : \"Host\", \"devicemodel\" : \"Model-2022\", \"devicename\" : \"Dev 1\", \"deviceostype\" : \"Windows\", \"deviceosversion\" : \"Win-11\", \"deviceowner\" : \"Administrator\", \"deviceplatform\" : \"Windows\", \"devicetype\" : \"WinUser\", \"dlpdictcount\" : \"12|13\", \"dlpdictnames\" : \"dlp: dlp discription|dlp2: dlp discription2|dlp3: dlp discription3\", \"dlpenginenames\" : \"dlpengine|dlpengine1|dlpengine2\", \"dlpidentifier\" : \"12\", \"dsttype\" : \"personal_cloud_storage\", \"eventtime\" : \"Mon Oct 16 22:55:48 2023\", \"expectedaction\" : \"block\", \"filedoctype\" : \"Medical\", \"filedstpath\" : \"dest_path\", \"filemd5\" : \"938c2cc0dcc05f2b68c4287040cfcf71\", \"filesha\" : \"076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612\", \"filesrcpath\" : \"source_path\", \"filetypecategory\" : \"PLS File (pls)\", \"filetypename\" : \"exe64\", \"hh\" : \"22\", \"itemdstname\" : \"nanolog\", \"itemname\" : \"endpoint_dlp\", \"itemsrcname\" : \"endpoint\", \"itemtype\" : \"email_attachment\", \"logtype\" : \"dlp_incident\", \"mm\" : \"55\", \"mon\" : \"Oct\", \"mth\" : \"10\", \"numdlpdictids\" : \"8\", \"numdlpengineids\" : \"12\", \"recordid\" : \"2\", \"feedtime\" : 
\"Mon Oct 16 22:55:48 2023\", \"odepartment\": \"\", \"odevicehostname\": \"\", \"odevicename\": \"\", \"odeviceowner\": \"\", \"odlpdictnames\": \"\", \"odlpenginenames\": \"\", \"ofiledstpath\": \"\", \"ofilesrcpath\": \"\", \"oitemdstname\": \"\", \"oitemname\": \"\", \"oitemsrcname\": \"\", \"ootherrulelabels\": \"\", \"orulename\": \"\", \"otherrulelabels\": \"\", \"ouser\": \"\", \"scannedbytes\" : \"290812\", \"scantime\" : \"1210\", \"severity\" : \"High Severity\", \"srctype\" : \"network_share\", \"ss\" : \"48\", \"datetime\" : \"Mon Oct 16 22:55:48 2023\", \"rulename\" : \"configured_rule\", \"timezone\" : \"GMT\", \"user\" : \"TempUser\", \"yyyy\" : \"2023\", \"zdpmode\" : \"block mode\" } }", + "timezone": "GMT", + "type": [ + "allowed" + ] + }, + "file": { + "hash": { + "md5": "938c2cc0dcc05f2b68c4287040cfcf71", + "sha256": "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612" + }, + "path": "dest_path", + "type": "file" + }, + "host": { + "hostname": "Dev 1", + "name": "host", + "os": { + "platform": "Windows", + "version": "Win-11" + }, + "type": "WinUser" + }, + "related": { + "hash": [ + "938c2cc0dcc05f2b68c4287040cfcf71", + "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612" + ], + "hosts": [ + "host", + "Dev 1" + ], + "user": [ + "Administrator", + "TempUser" + ] + }, + "rule": { + "name": [ + "configured_rule" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "TempUser" + }, + "zscaler_zia": { + "endpoint_dlp": { + "action_taken": "allow", + "activity_type": "email_sent", + "additional_info": "File already open by another application", + "channel": "Network Drive Transfer", + "confirm_action": "confirm", + "confirm_just": "My manager approved it", + "counts": [ + 12, + 13 + ], + "datacenter": { + "city": "Atlanta", + "country": "US", + "name": "Georgia" + }, + "day": "Mon", + "day_of_month": 16, + "department": "TempDept", + "destination_type": 
"personal_cloud_storage", + "device": { + "appversion": "Ver-2199", + "hostname": "Host", + "model": "Model-2022", + "name": "Dev 1", + "os": { + "type": "Windows", + "version": "Win-11" + }, + "owner": "Administrator", + "platform": "Windows", + "type": "WinUser" + }, + "dictionary": { + "id": 8 + }, + "dictionary_names": [ + "dlp", + "dlp2", + "dlp3" + ], + "engine": { + "id": 12 + }, + "engine_names": [ + "dlpengine", + "dlpengine1", + "dlpengine2" + ], + "event_time": "2023-10-16T22:55:48.000Z", + "expected_action": "block", + "feed_time": "2023-10-16T22:55:48.000Z", + "file": { + "destination_path": "dest_path", + "doc_type": "Medical", + "md5": "938c2cc0dcc05f2b68c4287040cfcf71", + "sha256": "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612", + "source_path": "source_path", + "type": { + "name": "exe64" + }, + "type_category": "PLS File (pls)" + }, + "hour": 22, + "identifier": "12", + "item": { + "destination_name": "nanolog", + "name": "endpoint_dlp", + "source_name": "endpoint", + "type": "email_attachment" + }, + "log_type": "dlp_incident", + "minute": 55, + "month": "Oct", + "month_of_year": 10, + "record": { + "id": "2" + }, + "scan_time": 1210, + "scanned_bytes": 290812, + "second": 48, + "severity": "High Severity", + "source_type": "network_share", + "time": "2023-10-16T22:55:48.000Z", + "timezone": "GMT", + "triggered_rule_label": "configured_rule", + "user": "TempUser", + "year": 2023, + "zdp_mode": "block mode" + } + } + }, + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "device": { + "model": { + "identifier": "Model-2022" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "allow", + "category": [ + "intrusion_detection" + ], + "id": "2", + "kind": "alert", + "original": "{\"version\":\"v1\", \"sourcetype\": \"zscalernss-edlp\",\"input\": {\"type\": \"http_endpoint\"}, \"event\": { \"actiontaken\" : \"allow\", \"activitytype\" : \"email_sent\", \"additionalinfo\" : \"File already open by another 
application\", \"channel\" : \"Network Drive Transfer\", \"confirmaction\" : \"confirm\", \"confirmjustification\" : \"My manager approved it\", \"datacenter\" : \"Georgia\", \"datacentercity\" : \"Atlanta\", \"datacentercountry\" : \"US\", \"day\" : \"Mon\", \"dd\" : \"16\", \"department\" : \"TempDept\", \"deviceappversion\" : \"Ver-2199\", \"devicehostname\" : \"Host\", \"devicemodel\" : \"Model-2022\", \"devicename\" : \"Dev 1\", \"deviceostype\" : \"Windows\", \"deviceosversion\" : \"Win-11\", \"deviceowner\" : \"Administrator\", \"deviceplatform\" : \"Windows\", \"devicetype\" : \"WinUser\", \"dlpdictcount\" : \"12|13\", \"dlpdictnames\" : \"dlp: dlp discription|dlp2: dlp discription2|dlp3: dlp discription3\", \"dlpenginenames\" : \"dlpengine|dlpengine1|dlpengine2\", \"dlpidentifier\" : \"12\", \"dsttype\" : \"personal_cloud_storage\", \"eventtime\" : \"Mon Oct 16 22:55:48 2023\", \"expectedaction\" : \"block\", \"filedoctype\" : \"Medical\", \"filedstpath\" : \"dest_path\", \"filemd5\" : \"938c2cc0dcc05f2b68c4287040cfcf71\", \"filesha\" : \"076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612\", \"filesrcpath\" : \"source_path\", \"filetypecategory\" : \"PLS File (pls)\", \"filetypename\" : \"exe64\", \"hh\" : \"22\", \"itemdstname\" : \"nanolog\", \"itemname\" : \"endpoint_dlp\", \"itemsrcname\" : \"endpoint\", \"itemtype\" : \"email_attachment\", \"logtype\" : \"dlp_incident\", \"mm\" : \"55\", \"mon\" : \"Oct\", \"mth\" : \"10\", \"numdlpdictids\" : \"8\", \"numdlpengineids\" : \"12\", \"recordid\" : \"2\", \"feedtime\" : \"Mon Oct 16 22:55:48 2023\", \"odepartment\": \"\", \"odevicehostname\": \"\", \"odevicename\": \"\", \"odeviceowner\": \"\", \"odlpdictnames\": \"\", \"odlpenginenames\": \"\", \"ofiledstpath\": \"\", \"ofilesrcpath\": \"\", \"oitemdstname\": \"\", \"oitemname\": \"\", \"oitemsrcname\": \"\", \"ootherrulelabels\": \"\", \"orulename\": \"\", \"otherrulelabels\": \"\", \"ouser\": \"\", \"scannedbytes\" : \"290812\", 
\"scantime\" : \"1210\", \"severity\" : \"High Severity\", \"srctype\" : \"network_share\", \"ss\" : \"48\", \"datetime\" : \"Mon Oct 16 22:55:48 2023\", \"rulename\" : \"configured_rule\", \"timezone\" : \"GMT\", \"user\" : \"TempUser\", \"yyyy\" : \"2023\", \"zdpmode\" : \"block mode\" } }", "timezone": "GMT", "type": [ "allowed" @@ -160,4 +319,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-endpoint-dlp.log b/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-endpoint-dlp.log index 65012448c03..4a6f60b2e0a 100644 --- a/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-endpoint-dlp.log +++ b/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-endpoint-dlp.log 
@@ -1,2 +1,4 @@ -{ "sourcetype": "zscalernss-edlp", "event": { "actiontaken" : "allow", "activitytype" : "email_sent", "additionalinfo" : "File already open by another application", "channel" : "Network Drive Transfer", "confirmaction" : "confirm", "confirmjustification" : "My manager approved it", "datacenter" : "Georgia", "datacentercity" : "Atlanta", "datacentercountry" : "US", "day" : "Mon", "dd" : "16", "department" : "TempDept", "deviceappversion" : "Ver-2199", "devicehostname" : "Host", "devicemodel" : "Model-2022", "devicename" : "Dev 1", "deviceostype" : "Windows", "deviceosversion" : "Win-11", "deviceowner" : "Administrator", "deviceplatform" : "Windows", "devicetype" : "WinUser", "dlpdictcount" : "12|13", "dlpdictnames" : "dlp: dlp discription|dlp1: dlp discription1|dlp2: dlp discription2", "dlpenginenames" : "dlpengine", "dlpidentifier" : "12", "dsttype" : "personal_cloud_storage", "eventtime" : "Mon Oct 16 22:55:48 2023", "expectedaction" : "block", "filedoctype" : "Medical", "filedstpath" : "dest_path", "filemd5" : "938c2cc0dcc05f2b68c4287040cfcf71", "filesha" : "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612", "filesrcpath" : "source_path", "filetypecategory" : "PLS File (pls)", "filetypename" : "exe64", "hh" : "22", "itemdstname" : "nanolog", "itemname" : "endpoint_dlp", "itemsrcname" : "endpoint", "itemtype" : "email_attachment", "logtype" : "dlp_incident", "mm" : "55", "mon" : "Oct", "mth" : "10", "numdlpdictids" : "8", "numdlpengineids" : "12", "recordid" : "2", "feedtime" : "Mon Oct 16 22:55:48 2023", "scannedbytes" : "290812", "scantime" : "1210", "severity" : "High Severity", "srctype" : "network_share", "ss" : "48", "datetime" : "Mon Oct 16 22:55:48 2023", "rulename" : "configured_rule", "timezone" : "GMT", "user" : "TempUser", "yyyy" : "2023", "zdpmode" : "block mode" } } -{ "sourcetype": "zscalernss-edlp", "event": { "actiontaken": "allow", "activitytype": "email_sent", "additionalinfo": "File already open by another 
application", "channel": "Network Drive Transfer", "confirmaction": "confirm", "confirmjustification": "My manager approved it", "datacenter": "Georgia", "datacentercity": "Atlanta", "datacentercountry": "US", "day": "Mon", "dd": "16", "department": "TempDept", "deviceappversion": "Ver-2199", "devicehostname": "Host", "devicemodel": "Model-2022", "devicename": "Dev 1", "deviceostype": "Windows", "deviceosversion": "Win-11", "deviceowner": "Administrator", "deviceplatform": "Windows", "devicetype": "WinUser", "dlpdictcount": "12|13", "dlpdictnames": "dlp: dlp discription|dlp1: dlp discription1|dlp2: dlp discription2", "dlpenginenames": "dlpengine", "dlpidentifier": "12", "dsttype": "personal_cloud_storage", "eventtime": "Mon Oct 16 22:55:48 2023", "expectedaction": "block", "filedoctype": "Medical", "filedstpath": "dest_path", "filemd5": "938c2cc0dcc05f2b68c4287040cfcf71", "filesha": "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612", "filesrcpath": "source_path", "filetypecategory": "PLS File (pls)", "filetypename": "exe64", "hh": "22", "itemdstname": "nanolog", "itemname": "endpoint_dlp", "itemsrcname": "endpoint", "itemtype": "email_attachment", "logtype": "dlp_incident", "mm": "55", "mon": "Oct", "mth": "10", "numdlpdictids": "8", "numdlpengineids": "12", "recordid": "2", "feedtime": "Mon Oct 16 22:55:48 2023", "scannedbytes": "290812", "scantime": "1210", "severity": "High Severity", "srctype": "network_share", "ss": "48", "datetime": "Mon Oct 16 22:55:48 2023", "rulename": "configured_rule", "timezone": "GMT", "user": "TempUser", "yyyy": "2023", "zdpmode": "block mode", "odepartment": "4094304256", "odevicehostname": "4094304255", "odevicename": "4094304251", "odeviceowner": "4094304226", "odlpdictnames": "4094304456", "odlpenginenames": "4094364256", "ofiledstpath": "4094304296", "ofilesrcpath": "4094304206", "oitemdstname": "409430476", "oitemname": "40943042567", "oitemsrcname": "4094305256", "ootherrulelabels": "4036304256", "orulename": 
"40943049956", "ouser": "40943042569", "otherrulelabels": "9094304256" } } \ No newline at end of file +{ "sourcetype": "zscalernss-edlp", "event": { "actiontaken" : "allow", "activitytype" : "email_sent", "additionalinfo" : "File already open by another application", "channel" : "Network Drive Transfer", "confirmaction" : "confirm", "confirmjustification" : "My manager approved it", "datacenter" : "Georgia", "datacentercity" : "Atlanta", "datacentercountry" : "US", "day" : "Mon", "dd" : "16", "department" : "TempDept", "deviceappversion" : "Ver-2199", "devicehostname" : "Host", "devicemodel" : "Model-2022", "devicename" : "Dev 1", "deviceostype" : "Windows", "deviceosversion" : "Win-11", "deviceowner" : "Administrator", "deviceplatform" : "Windows", "devicetype" : "WinUser", "dlpdictcount" : "12|13", "dlpdictnames" : "dlp: dlp discription|dlp1: dlp discription1|dlp2: dlp discription2", "dlpenginenames" : "dlpengine", "dlpidentifier" : "12", "dsttype" : "personal_cloud_storage", "eventtime" : "Mon Oct 16 22:55:48 2023", "expectedaction" : "block", "filedoctype" : "Medical", "filedstpath" : "dest_path", "filemd5" : "938c2cc0dcc05f2b68c4287040cfcf71", "filesha" : "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612", "filesrcpath" : "source_path", "filetypecategory" : "PLS File (pls)", "filetypename" : "exe64", "hh" : "22", "itemdstname" : "nanolog", "itemname" : "endpoint_dlp", "itemsrcname" : "endpoint", "itemtype" : "email_attachment", "logtype" : "dlp_incident", "mm" : "55", "mon" : "Oct", "mth" : "10", "numdlpdictids" : "8", "numdlpengineids" : "12", "recordid" : "2", "feedtime" : "Mon Oct 16 22:55:48 2023","odepartment": "", "odevicehostname": "", "odevicename": "", "odeviceowner": "", "odlpdictnames": "", "odlpenginenames": "", "ofiledstpath": "", "ofilesrcpath": "", "oitemdstname": "", "oitemname": "", "oitemsrcname": "", "ootherrulelabels": "", "orulename": "", "otherrulelabels": "", "ouser": "", "scannedbytes" : "290812", "scantime" : "1210", 
"severity" : "High Severity", "srctype" : "network_share", "ss" : "48", "datetime" : "Mon Oct 16 22:55:48 2023", "rulename" : "configured_rule", "timezone" : "GMT", "user" : "TempUser", "yyyy" : "2023", "zdpmode" : "block mode" } } +{ "sourcetype": "zscalernss-edlp", "event": { "actiontaken": "allow", "activitytype": "email_sent", "additionalinfo": "File already open by another application", "channel": "Network Drive Transfer", "confirmaction": "confirm", "confirmjustification": "My manager approved it", "datacenter": "Georgia", "datacentercity": "Atlanta", "datacentercountry": "US", "day": "Mon", "dd": "16", "department": "TempDept", "deviceappversion": "Ver-2199", "devicehostname": "Host", "devicemodel": "Model-2022", "devicename": "Dev 1", "deviceostype": "Windows", "deviceosversion": "Win-11", "deviceowner": "Administrator", "deviceplatform": "Windows", "devicetype": "WinUser", "dlpdictcount": "12|13", "dlpdictnames": "dlp: dlp discription|dlp1: dlp discription1|dlp2: dlp discription2", "dlpenginenames": "dlpengine", "dlpidentifier": "12", "dsttype": "personal_cloud_storage", "eventtime": "Mon Oct 16 22:55:48 2023", "expectedaction": "block", "filedoctype": "Medical", "filedstpath": "dest_path", "filemd5": "938c2cc0dcc05f2b68c4287040cfcf71", "filesha": "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612", "filesrcpath": "source_path", "filetypecategory": "PLS File (pls)", "filetypename": "exe64", "hh": "22", "itemdstname": "nanolog", "itemname": "endpoint_dlp", "itemsrcname": "endpoint", "itemtype": "email_attachment", "logtype": "dlp_incident", "mm": "55", "mon": "Oct", "mth": "10", "numdlpdictids": "8", "numdlpengineids": "12", "recordid": "2", "feedtime": "Mon Oct 16 22:55:48 2023", "scannedbytes": "290812", "scantime": "1210", "severity": "High Severity", "srctype": "network_share", "ss": "48", "datetime": "Mon Oct 16 22:55:48 2023", "rulename": "configured_rule", "timezone": "GMT", "user": "TempUser", "yyyy": "2023", "zdpmode": "block mode", 
"odepartment": "4094304256", "odevicehostname": "4094304255", "odevicename": "4094304251", "odeviceowner": "4094304226", "odlpdictnames": "4094304456", "odlpenginenames": "4094364256", "ofiledstpath": "4094304296", "ofilesrcpath": "4094304206", "oitemdstname": "409430476", "oitemname": "40943042567", "oitemsrcname": "4094305256", "ootherrulelabels": "4036304256", "orulename": "40943049956", "ouser": "40943042569", "otherrulelabels": "9094304256" } } +{"version":"v1", "sourcetype": "zscalernss-edlp", "event": { "actiontaken" : "allow", "activitytype" : "email_sent", "additionalinfo" : "File already open by another application", "channel" : "Network Drive Transfer", "confirmaction" : "confirm", "confirmjustification" : "My manager approved it", "datacenter" : "Georgia", "datacentercity" : "Atlanta", "datacentercountry" : "US", "day" : "Mon", "dd" : "16", "department" : "TempDept", "deviceappversion" : "Ver-2199", "devicehostname" : "Host", "devicemodel" : "Model-2022", "devicename" : "Dev 1", "deviceostype" : "Windows", "deviceosversion" : "Win-11", "deviceowner" : "Administrator", "deviceplatform" : "Windows", "devicetype" : "WinUser", "dlpdictcount" : "12|13", "dlpdictnames" : "dlp: dlp discription|dlp1: dlp discription1|dlp2: dlp discription2", "dlpenginenames" : "dlpengine", "dlpidentifier" : "12", "dsttype" : "personal_cloud_storage", "eventtime" : "Mon Oct 16 22:55:48 2023", "expectedaction" : "block", "filedoctype" : "Medical", "filedstpath" : "dest_path", "filemd5" : "938c2cc0dcc05f2b68c4287040cfcf71", "filesha" : "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612", "filesrcpath" : "source_path", "filetypecategory" : "PLS File (pls)", "filetypename" : "exe64", "hh" : "22", "itemdstname" : "nanolog", "itemname" : "endpoint_dlp", "itemsrcname" : "endpoint", "itemtype" : "email_attachment", "logtype" : "dlp_incident", "mm" : "55", "mon" : "Oct", "mth" : "10", "numdlpdictids" : "8", "numdlpengineids" : "12", "recordid" : "2", "feedtime" : "Mon Oct 
16 22:55:48 2023","odepartment": "", "odevicehostname": "", "odevicename": "", "odeviceowner": "", "odlpdictnames": "", "odlpenginenames": "", "ofiledstpath": "", "ofilesrcpath": "", "oitemdstname": "", "oitemname": "", "oitemsrcname": "", "ootherrulelabels": "", "orulename": "", "otherrulelabels": "", "ouser": "", "scannedbytes" : "290812", "scantime" : "1210", "severity" : "High Severity", "srctype" : "network_share", "ss" : "48", "datetime" : "Mon Oct 16 22:55:48 2023", "rulename" : "configured_rule", "timezone" : "GMT", "user" : "TempUser", "yyyy" : "2023", "zdpmode" : "block mode" } } +{"version":"v1", "sourcetype": "zscalernss-edlp", "event": { "actiontaken": "allow", "activitytype": "email_sent", "additionalinfo": "File already open by another application", "channel": "Network Drive Transfer", "confirmaction": "confirm", "confirmjustification": "My manager approved it", "datacenter": "Georgia", "datacentercity": "Atlanta", "datacentercountry": "US", "day": "Mon", "dd": "16", "department": "TempDept", "deviceappversion": "Ver-2199", "devicehostname": "Host", "devicemodel": "Model-2022", "devicename": "Dev 1", "deviceostype": "Windows", "deviceosversion": "Win-11", "deviceowner": "Administrator", "deviceplatform": "Windows", "devicetype": "WinUser", "dlpdictcount": "12|13", "dlpdictnames": "dlp: dlp discription|dlp1: dlp discription1|dlp2: dlp discription2", "dlpenginenames": "dlpengine", "dlpidentifier": "12", "dsttype": "personal_cloud_storage", "eventtime": "Mon Oct 16 22:55:48 2023", "expectedaction": "block", "filedoctype": "Medical", "filedstpath": "dest_path", "filemd5": "938c2cc0dcc05f2b68c4287040cfcf71", "filesha": "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612", "filesrcpath": "source_path", "filetypecategory": "PLS File (pls)", "filetypename": "exe64", "hh": "22", "itemdstname": "nanolog", "itemname": "endpoint_dlp", "itemsrcname": "endpoint", "itemtype": "email_attachment", "logtype": "dlp_incident", "mm": "55", "mon": "Oct", 
"mth": "10", "numdlpdictids": "8", "numdlpengineids": "12", "recordid": "2", "feedtime": "Mon Oct 16 22:55:48 2023", "scannedbytes": "290812", "scantime": "1210", "severity": "High Severity", "srctype": "network_share", "ss": "48", "datetime": "Mon Oct 16 22:55:48 2023", "rulename": "configured_rule", "timezone": "GMT", "user": "TempUser", "yyyy": "2023", "zdpmode": "block mode", "odepartment": "4094304256", "odevicehostname": "4094304255", "odevicename": "4094304251", "odeviceowner": "4094304226", "odlpdictnames": "4094304456", "odlpenginenames": "4094364256", "ofiledstpath": "4094304296", "ofilesrcpath": "4094304206", "oitemdstname": "409430476", "oitemname": "40943042567", "oitemsrcname": "4094305256", "ootherrulelabels": "4036304256", "orulename": "40943049956", "ouser": "40943042569", "otherrulelabels": "9094304256" } } diff --git a/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-endpoint-dlp.log-expected.json b/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-endpoint-dlp.log-expected.json index b72d61a3644..7bd5a2d65ee 100644 --- a/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-endpoint-dlp.log-expected.json +++ b/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/pipeline/test-endpoint-dlp.log-expected.json 
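Review bot: The two records added at the end of this hunk only cover the happy path — they carry `"version":"v1"` but are otherwise byte-identical to the two unversioned records directly above them, so nothing in this fixture exercises the strict template check's failure path. A record with a non-matching version, e.g. `{"version":"v2", "sourcetype": "zscalernss-edlp", "event": { ... }}`, and one with no `version` and a template field omitted would pin down what the pipeline does when the check fails (drop, tag, or error), which is the behaviour that matters if a feed template drifts in production. Whether strict mode is even enabled for this pipeline test depends on test-common-config.yml, which is outside this hunk, so the v1 records may currently be parsed without the check running at all. The empty `o*` fields added to the first record presumably bring it in line with the field set the fallback assessment expects; a short comment in the README or changelog naming that expected set would help readers of this fixture understand why those fields are present but blank.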
@@ -17,7 +17,7 @@ ], "id": "2", "kind": "alert", - "original": "{ \"sourcetype\": \"zscalernss-edlp\", \"event\": { \"actiontaken\" : \"allow\", \"activitytype\" : \"email_sent\", \"additionalinfo\" : \"File already open by another application\", \"channel\" : \"Network Drive Transfer\", \"confirmaction\" : \"confirm\", \"confirmjustification\" : \"My manager approved it\", \"datacenter\" : \"Georgia\", \"datacentercity\" : \"Atlanta\", \"datacentercountry\" : \"US\", \"day\" : \"Mon\", \"dd\" : \"16\", \"department\" : \"TempDept\", \"deviceappversion\" : \"Ver-2199\", \"devicehostname\" : \"Host\", \"devicemodel\" : \"Model-2022\", \"devicename\" : \"Dev 1\", \"deviceostype\" : \"Windows\", \"deviceosversion\" : \"Win-11\", \"deviceowner\" : \"Administrator\", \"deviceplatform\" : \"Windows\", \"devicetype\" : \"WinUser\", \"dlpdictcount\" : \"12|13\", \"dlpdictnames\" : \"dlp: dlp discription|dlp1: dlp discription1|dlp2: dlp discription2\", \"dlpenginenames\" : \"dlpengine\", \"dlpidentifier\" : \"12\", \"dsttype\" : \"personal_cloud_storage\", \"eventtime\" : \"Mon Oct 16 22:55:48 2023\", \"expectedaction\" : \"block\", \"filedoctype\" : \"Medical\", \"filedstpath\" : \"dest_path\", \"filemd5\" : \"938c2cc0dcc05f2b68c4287040cfcf71\", \"filesha\" : \"076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612\", \"filesrcpath\" : \"source_path\", \"filetypecategory\" : \"PLS File (pls)\", \"filetypename\" : \"exe64\", \"hh\" : \"22\", \"itemdstname\" : \"nanolog\", \"itemname\" : \"endpoint_dlp\", \"itemsrcname\" : \"endpoint\", \"itemtype\" : \"email_attachment\", \"logtype\" : \"dlp_incident\", \"mm\" : \"55\", \"mon\" : \"Oct\", \"mth\" : \"10\", \"numdlpdictids\" : \"8\", \"numdlpengineids\" : \"12\", \"recordid\" : \"2\", \"feedtime\" : \"Mon Oct 16 22:55:48 2023\", \"scannedbytes\" : \"290812\", \"scantime\" : \"1210\", \"severity\" : \"High Severity\", \"srctype\" : \"network_share\", \"ss\" : \"48\", \"datetime\" : \"Mon Oct 16 22:55:48 2023\", 
\"rulename\" : \"configured_rule\", \"timezone\" : \"GMT\", \"user\" : \"TempUser\", \"yyyy\" : \"2023\", \"zdpmode\" : \"block mode\" } }", + "original": "{ \"sourcetype\": \"zscalernss-edlp\", \"event\": { \"actiontaken\" : \"allow\", \"activitytype\" : \"email_sent\", \"additionalinfo\" : \"File already open by another application\", \"channel\" : \"Network Drive Transfer\", \"confirmaction\" : \"confirm\", \"confirmjustification\" : \"My manager approved it\", \"datacenter\" : \"Georgia\", \"datacentercity\" : \"Atlanta\", \"datacentercountry\" : \"US\", \"day\" : \"Mon\", \"dd\" : \"16\", \"department\" : \"TempDept\", \"deviceappversion\" : \"Ver-2199\", \"devicehostname\" : \"Host\", \"devicemodel\" : \"Model-2022\", \"devicename\" : \"Dev 1\", \"deviceostype\" : \"Windows\", \"deviceosversion\" : \"Win-11\", \"deviceowner\" : \"Administrator\", \"deviceplatform\" : \"Windows\", \"devicetype\" : \"WinUser\", \"dlpdictcount\" : \"12|13\", \"dlpdictnames\" : \"dlp: dlp discription|dlp1: dlp discription1|dlp2: dlp discription2\", \"dlpenginenames\" : \"dlpengine\", \"dlpidentifier\" : \"12\", \"dsttype\" : \"personal_cloud_storage\", \"eventtime\" : \"Mon Oct 16 22:55:48 2023\", \"expectedaction\" : \"block\", \"filedoctype\" : \"Medical\", \"filedstpath\" : \"dest_path\", \"filemd5\" : \"938c2cc0dcc05f2b68c4287040cfcf71\", \"filesha\" : \"076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612\", \"filesrcpath\" : \"source_path\", \"filetypecategory\" : \"PLS File (pls)\", \"filetypename\" : \"exe64\", \"hh\" : \"22\", \"itemdstname\" : \"nanolog\", \"itemname\" : \"endpoint_dlp\", \"itemsrcname\" : \"endpoint\", \"itemtype\" : \"email_attachment\", \"logtype\" : \"dlp_incident\", \"mm\" : \"55\", \"mon\" : \"Oct\", \"mth\" : \"10\", \"numdlpdictids\" : \"8\", \"numdlpengineids\" : \"12\", \"recordid\" : \"2\", \"feedtime\" : \"Mon Oct 16 22:55:48 2023\",\"odepartment\": \"\", \"odevicehostname\": \"\", \"odevicename\": \"\", \"odeviceowner\": \"\", 
\"odlpdictnames\": \"\", \"odlpenginenames\": \"\", \"ofiledstpath\": \"\", \"ofilesrcpath\": \"\", \"oitemdstname\": \"\", \"oitemname\": \"\", \"oitemsrcname\": \"\", \"ootherrulelabels\": \"\", \"orulename\": \"\", \"otherrulelabels\": \"\", \"ouser\": \"\", \"scannedbytes\" : \"290812\", \"scantime\" : \"1210\", \"severity\" : \"High Severity\", \"srctype\" : \"network_share\", \"ss\" : \"48\", \"datetime\" : \"Mon Oct 16 22:55:48 2023\", \"rulename\" : \"configured_rule\", \"timezone\" : \"GMT\", \"user\" : \"TempUser\", \"yyyy\" : \"2023\", \"zdpmode\" : \"block mode\" } }", "timezone": "GMT", "type": [ "allowed" 
@@ -339,6 +339,346 @@ "zdp_mode": "block mode" } } + }, + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "device": { + "model": { + "identifier": "Model-2022" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "allow", + "category": [ + "intrusion_detection" + ], + "id": "2", + "kind": "alert", + "original": "{\"version\":\"v1\", \"sourcetype\": \"zscalernss-edlp\", \"event\": { \"actiontaken\" : \"allow\", \"activitytype\" : \"email_sent\", \"additionalinfo\" : \"File already open by another application\", \"channel\" : \"Network Drive Transfer\", \"confirmaction\" : \"confirm\", \"confirmjustification\" : \"My manager approved it\", \"datacenter\" : \"Georgia\", \"datacentercity\" : \"Atlanta\", \"datacentercountry\" : \"US\", \"day\" : \"Mon\", \"dd\" : \"16\", \"department\" : \"TempDept\", \"deviceappversion\" : \"Ver-2199\", \"devicehostname\" : \"Host\", \"devicemodel\" : \"Model-2022\", \"devicename\" : \"Dev 1\", \"deviceostype\" : \"Windows\", \"deviceosversion\" : \"Win-11\", \"deviceowner\" : \"Administrator\", \"deviceplatform\" : \"Windows\", \"devicetype\" : \"WinUser\", \"dlpdictcount\" : \"12|13\", \"dlpdictnames\" : \"dlp: dlp discription|dlp1: dlp discription1|dlp2: dlp discription2\", \"dlpenginenames\" : \"dlpengine\", \"dlpidentifier\" : \"12\", \"dsttype\" : \"personal_cloud_storage\", \"eventtime\" : \"Mon Oct 16 22:55:48 2023\", \"expectedaction\" : \"block\", \"filedoctype\" : \"Medical\", \"filedstpath\" : \"dest_path\", \"filemd5\" : \"938c2cc0dcc05f2b68c4287040cfcf71\", \"filesha\" : \"076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612\", \"filesrcpath\" : \"source_path\", \"filetypecategory\" : \"PLS File (pls)\", \"filetypename\" : \"exe64\", \"hh\" : \"22\", \"itemdstname\" : \"nanolog\", \"itemname\" : \"endpoint_dlp\", \"itemsrcname\" : \"endpoint\", \"itemtype\" : \"email_attachment\", \"logtype\" : \"dlp_incident\", \"mm\" : \"55\", \"mon\" : \"Oct\", \"mth\" : \"10\", \"numdlpdictids\" : 
\"8\", \"numdlpengineids\" : \"12\", \"recordid\" : \"2\", \"feedtime\" : \"Mon Oct 16 22:55:48 2023\",\"odepartment\": \"\", \"odevicehostname\": \"\", \"odevicename\": \"\", \"odeviceowner\": \"\", \"odlpdictnames\": \"\", \"odlpenginenames\": \"\", \"ofiledstpath\": \"\", \"ofilesrcpath\": \"\", \"oitemdstname\": \"\", \"oitemname\": \"\", \"oitemsrcname\": \"\", \"ootherrulelabels\": \"\", \"orulename\": \"\", \"otherrulelabels\": \"\", \"ouser\": \"\", \"scannedbytes\" : \"290812\", \"scantime\" : \"1210\", \"severity\" : \"High Severity\", \"srctype\" : \"network_share\", \"ss\" : \"48\", \"datetime\" : \"Mon Oct 16 22:55:48 2023\", \"rulename\" : \"configured_rule\", \"timezone\" : \"GMT\", \"user\" : \"TempUser\", \"yyyy\" : \"2023\", \"zdpmode\" : \"block mode\" } }", + "timezone": "GMT", + "type": [ + "allowed" + ] + }, + "file": { + "hash": { + "md5": "938c2cc0dcc05f2b68c4287040cfcf71", + "sha256": "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612" + }, + "path": "dest_path", + "type": "file" + }, + "host": { + "hostname": "Dev 1", + "name": "host", + "os": { + "platform": "Windows", + "version": "Win-11" + }, + "type": "WinUser" + }, + "related": { + "hash": [ + "938c2cc0dcc05f2b68c4287040cfcf71", + "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612" + ], + "hosts": [ + "host", + "Dev 1" + ], + "user": [ + "Administrator", + "TempUser" + ] + }, + "rule": { + "name": [ + "configured_rule" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "TempUser" + }, + "zscaler_zia": { + "endpoint_dlp": { + "action_taken": "allow", + "activity_type": "email_sent", + "additional_info": "File already open by another application", + "channel": "Network Drive Transfer", + "confirm_action": "confirm", + "confirm_just": "My manager approved it", + "counts": [ + 12, + 13 + ], + "datacenter": { + "city": "Atlanta", + "country": "US", + "name": "Georgia" + }, + "day": "Mon", + 
"day_of_month": 16, + "department": "TempDept", + "destination_type": "personal_cloud_storage", + "device": { + "appversion": "Ver-2199", + "hostname": "Host", + "model": "Model-2022", + "name": "Dev 1", + "os": { + "type": "Windows", + "version": "Win-11" + }, + "owner": "Administrator", + "platform": "Windows", + "type": "WinUser" + }, + "dictionary": { + "id": 8 + }, + "dictionary_names": [ + "dlp", + "dlp1", + "dlp2" + ], + "engine": { + "id": 12 + }, + "engine_names": [ + "dlpengine" + ], + "event_time": "2023-10-16T22:55:48.000Z", + "expected_action": "block", + "feed_time": "2023-10-16T22:55:48.000Z", + "file": { + "destination_path": "dest_path", + "doc_type": "Medical", + "md5": "938c2cc0dcc05f2b68c4287040cfcf71", + "sha256": "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612", + "source_path": "source_path", + "type": { + "name": "exe64" + }, + "type_category": "PLS File (pls)" + }, + "hour": 22, + "identifier": "12", + "item": { + "destination_name": "nanolog", + "name": "endpoint_dlp", + "source_name": "endpoint", + "type": "email_attachment" + }, + "log_type": "dlp_incident", + "minute": 55, + "month": "Oct", + "month_of_year": 10, + "record": { + "id": "2" + }, + "scan_time": 1210, + "scanned_bytes": 290812, + "second": 48, + "severity": "High Severity", + "source_type": "network_share", + "time": "2023-10-16T22:55:48.000Z", + "timezone": "GMT", + "triggered_rule_label": "configured_rule", + "user": "TempUser", + "year": 2023, + "zdp_mode": "block mode" + } + } + }, + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "device": { + "model": { + "identifier": "Model-2022" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "allow", + "category": [ + "intrusion_detection" + ], + "id": "2", + "kind": "alert", + "original": "{\"version\":\"v1\", \"sourcetype\": \"zscalernss-edlp\", \"event\": { \"actiontaken\": \"allow\", \"activitytype\": \"email_sent\", \"additionalinfo\": \"File already open by another application\", 
\"channel\": \"Network Drive Transfer\", \"confirmaction\": \"confirm\", \"confirmjustification\": \"My manager approved it\", \"datacenter\": \"Georgia\", \"datacentercity\": \"Atlanta\", \"datacentercountry\": \"US\", \"day\": \"Mon\", \"dd\": \"16\", \"department\": \"TempDept\", \"deviceappversion\": \"Ver-2199\", \"devicehostname\": \"Host\", \"devicemodel\": \"Model-2022\", \"devicename\": \"Dev 1\", \"deviceostype\": \"Windows\", \"deviceosversion\": \"Win-11\", \"deviceowner\": \"Administrator\", \"deviceplatform\": \"Windows\", \"devicetype\": \"WinUser\", \"dlpdictcount\": \"12|13\", \"dlpdictnames\": \"dlp: dlp discription|dlp1: dlp discription1|dlp2: dlp discription2\", \"dlpenginenames\": \"dlpengine\", \"dlpidentifier\": \"12\", \"dsttype\": \"personal_cloud_storage\", \"eventtime\": \"Mon Oct 16 22:55:48 2023\", \"expectedaction\": \"block\", \"filedoctype\": \"Medical\", \"filedstpath\": \"dest_path\", \"filemd5\": \"938c2cc0dcc05f2b68c4287040cfcf71\", \"filesha\": \"076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612\", \"filesrcpath\": \"source_path\", \"filetypecategory\": \"PLS File (pls)\", \"filetypename\": \"exe64\", \"hh\": \"22\", \"itemdstname\": \"nanolog\", \"itemname\": \"endpoint_dlp\", \"itemsrcname\": \"endpoint\", \"itemtype\": \"email_attachment\", \"logtype\": \"dlp_incident\", \"mm\": \"55\", \"mon\": \"Oct\", \"mth\": \"10\", \"numdlpdictids\": \"8\", \"numdlpengineids\": \"12\", \"recordid\": \"2\", \"feedtime\": \"Mon Oct 16 22:55:48 2023\", \"scannedbytes\": \"290812\", \"scantime\": \"1210\", \"severity\": \"High Severity\", \"srctype\": \"network_share\", \"ss\": \"48\", \"datetime\": \"Mon Oct 16 22:55:48 2023\", \"rulename\": \"configured_rule\", \"timezone\": \"GMT\", \"user\": \"TempUser\", \"yyyy\": \"2023\", \"zdpmode\": \"block mode\", \"odepartment\": \"4094304256\", \"odevicehostname\": \"4094304255\", \"odevicename\": \"4094304251\", \"odeviceowner\": \"4094304226\", \"odlpdictnames\": \"4094304456\", 
\"odlpenginenames\": \"4094364256\", \"ofiledstpath\": \"4094304296\", \"ofilesrcpath\": \"4094304206\", \"oitemdstname\": \"409430476\", \"oitemname\": \"40943042567\", \"oitemsrcname\": \"4094305256\", \"ootherrulelabels\": \"4036304256\", \"orulename\": \"40943049956\", \"ouser\": \"40943042569\", \"otherrulelabels\": \"9094304256\" } }", + "timezone": "GMT", + "type": [ + "allowed" + ] + }, + "file": { + "hash": { + "md5": "938c2cc0dcc05f2b68c4287040cfcf71", + "sha256": "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612" + }, + "path": "dest_path", + "type": "file" + }, + "host": { + "hostname": "Dev 1", + "name": "host", + "os": { + "platform": "Windows", + "version": "Win-11" + }, + "type": "WinUser" + }, + "related": { + "hash": [ + "938c2cc0dcc05f2b68c4287040cfcf71", + "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612" + ], + "hosts": [ + "host", + "Dev 1" + ], + "user": [ + "Administrator", + "TempUser" + ] + }, + "rule": { + "name": [ + "9094304256", + "configured_rule" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "TempUser" + }, + "zscaler_zia": { + "endpoint_dlp": { + "action_taken": "allow", + "activity_type": "email_sent", + "additional_info": "File already open by another application", + "channel": "Network Drive Transfer", + "confirm_action": "confirm", + "confirm_just": "My manager approved it", + "counts": [ + 12, + 13 + ], + "datacenter": { + "city": "Atlanta", + "country": "US", + "name": "Georgia" + }, + "day": "Mon", + "day_of_month": 16, + "department": "TempDept", + "destination_type": "personal_cloud_storage", + "device": { + "appversion": "Ver-2199", + "hostname": "Host", + "model": "Model-2022", + "name": "Dev 1", + "os": { + "type": "Windows", + "version": "Win-11" + }, + "owner": "Administrator", + "platform": "Windows", + "type": "WinUser" + }, + "dictionary": { + "id": 8 + }, + "dictionary_names": [ + "dlp", + "dlp1", + "dlp2" + ], + 
"engine": { + "id": 12 + }, + "engine_names": [ + "dlpengine" + ], + "event_time": "2023-10-16T22:55:48.000Z", + "expected_action": "block", + "feed_time": "2023-10-16T22:55:48.000Z", + "file": { + "destination_path": "dest_path", + "doc_type": "Medical", + "md5": "938c2cc0dcc05f2b68c4287040cfcf71", + "sha256": "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612", + "source_path": "source_path", + "type": { + "name": "exe64" + }, + "type_category": "PLS File (pls)" + }, + "hour": 22, + "identifier": "12", + "item": { + "destination_name": "nanolog", + "name": "endpoint_dlp", + "source_name": "endpoint", + "type": "email_attachment" + }, + "log_type": "dlp_incident", + "minute": 55, + "month": "Oct", + "month_of_year": 10, + "obfuscated": { + "department": "4094304256", + "device": { + "hostname": "4094304255", + "name": "4094304251", + "owner": "4094304226" + }, + "dlp": { + "dictionary_names": "4094304456", + "engine_names": "4094364256" + }, + "file": { + "destination_path": "4094304296", + "source_path": "4094304206" + }, + "item": { + "destination_names": "409430476", + "name": "40943042567", + "source_names": "4094305256" + }, + "other_rule_labels": "4036304256", + "triggered_rule_label": "40943049956", + "user": "40943042569" + }, + "other_rule_labels": "9094304256", + "record": { + "id": "2" + }, + "scan_time": 1210, + "scanned_bytes": 290812, + "second": 48, + "severity": "High Severity", + "source_type": "network_share", + "time": "2023-10-16T22:55:48.000Z", + "timezone": "GMT", + "triggered_rule_label": "configured_rule", + "user": "TempUser", + "year": 2023, + "zdp_mode": "block mode" + } + } } ] -} \ No newline at end of file +} diff --git a/packages/zscaler_zia/data_stream/endpoint_dlp/agent/stream/http_endpoint.yml.hbs b/packages/zscaler_zia/data_stream/endpoint_dlp/agent/stream/http_endpoint.yml.hbs index f691a1cfe90..e1ac58a6bb7 100644 --- a/packages/zscaler_zia/data_stream/endpoint_dlp/agent/stream/http_endpoint.yml.hbs 
+++ b/packages/zscaler_zia/data_stream/endpoint_dlp/agent/stream/http_endpoint.yml.hbs @@ -28,6 +28,12 @@ publisher_pipeline.disable_host: true {{#if ssl}} ssl: {{ssl}} {{/if}} +{{#if strict_fields}} +fields_under_root: true +fields: + _conf: + strict_fields: true +{{/if}} {{#if processors}} processors: {{processors}} diff --git a/packages/zscaler_zia/data_stream/endpoint_dlp/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/data_stream/endpoint_dlp/agent/stream/tcp.yml.hbs index d8eb927edd6..2655bae4c06 100644 --- a/packages/zscaler_zia/data_stream/endpoint_dlp/agent/stream/tcp.yml.hbs +++ b/packages/zscaler_zia/data_stream/endpoint_dlp/agent/stream/tcp.yml.hbs @@ -18,6 +18,12 @@ publisher_pipeline.disable_host: true {{#if ssl}} ssl: {{ssl}} {{/if}} +{{#if strict_fields}} +fields_under_root: true +fields: + _conf: + strict_fields: true +{{/if}} {{#if processors}} processors: {{processors}} diff --git a/packages/zscaler_zia/data_stream/endpoint_dlp/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/endpoint_dlp/elasticsearch/ingest_pipeline/default.yml index 0fd7c0e10dd..685ad29c18a 100644 --- a/packages/zscaler_zia/data_stream/endpoint_dlp/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zscaler_zia/data_stream/endpoint_dlp/elasticsearch/ingest_pipeline/default.yml 
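Review bot: The `_conf.strict_fields` flag is an undocumented contract between these agent templates and the ingest pipeline's `ctx._conf?.strict_fields == true` condition, and the block is repeated verbatim in http_endpoint.yml.hbs and tcp.yml.hbs; a Handlebars comment above each block, `{{!-- _conf is an agent-side control namespace consumed and removed by the ingest pipeline; it is not event data. --}}`, would tell the next editor why the field exists and why its name must match the pipeline. Per the Beats `fields_under_root` semantics the agent-defined `_conf` should take precedence over any same-named field produced by the input itself, which is the behaviour wanted for a control flag, but the same option also means a user-supplied `fields` block elsewhere in the template would render as a duplicate `fields:` key; worth confirming neither template already emits one.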
@@ -37,6 +37,30 @@ processors: tag: rename_resp_event target_field: json ignore_missing: true + - script: + params: + expect: + fields: actiontaken|activitytype|additionalinfo|channel|confirmaction|confirmjustification|datacenter|datacentercity|datacentercountry|datetime|day|dd|department|deviceappversion|devicehostname|devicemodel|devicename|deviceostype|deviceosversion|deviceowner|deviceplatform|devicetype|dlpdictcount|dlpdictnames|dlpenginenames|dlpidentifier|dsttype|eventtime|expectedaction|feedtime|filedoctype|filedstpath|filemd5|filesha|filesrcpath|filetypecategory|filetypename|hh|itemdstname|itemname|itemsrcname|itemtype|logtype|mm|mon|mth|numdlpdictids|numdlpengineids|odepartment|odevicehostname|odevicename|odeviceowner|odlpdictnames|odlpenginenames|ofiledstpath|ofilesrcpath|oitemdstname|oitemname|oitemsrcname|ootherrulelabels|orulename|otherrulelabels|ouser|recordid|rulename|scannedbytes|scantime|severity|srctype|ss|timezone|user|yyyy|zdpmode + version: v1 + if: ctx.json != null && ctx._conf?.strict_fields == true + source: |- + if (ctx.resp?.version == null) { + def fields = []; + for (e in ctx.json.entrySet()) { + fields.add(e.getKey()); + } + Collections.sort(fields); + String signature = String.join("|", fields); + if (signature != params.expect.fields) { + ctx.error = ctx.error ?: [:]; + ctx.error.message = ctx.error.message ?: []; + ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields"); + } + } else if (ctx.resp.version != params.expect.version) { + ctx.error = ctx.error ?: [:]; + ctx.error.message = ctx.error.message ?: []; + ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version"); + } - remove: field: resp tag: remove_resp 
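Review bot: The two branches of the new script duplicate the `ctx.error` bootstrap and `message.add` sequence; computing the message first and appending once keeps the error shape decided in a single place. That append also assumes `ctx.error.message` is a list whenever it already exists — if an earlier processor stored a plain string there, `.add` throws and the event fails instead of being annotated, so either a type check or a consistent list convention should be confirmed against the rest of the pipeline (the surrounding processors are outside the hunk). `ctx.json.entrySet()` likewise presumes the renamed `resp.event` is always an object; a non-object `event` would make the processor fail rather than report a mismatch, which the `if` condition can guard with `ctx.json instanceof Map`. The `expect.fields` string doubles as documentation of the template contract, so a one-line comment stating that it must be kept sorted (the check compares a sorted, `|`-joined key list) would help whoever updates it.
```yaml
  - script:
      # … unchanged: params (expect.fields must stay sorted; expect.version) …
      if: ctx.json instanceof Map && ctx._conf?.strict_fields == true
      source: |-
        String msg = null;
        if (ctx.resp?.version == null) {
          def fields = new ArrayList(ctx.json.keySet());
          Collections.sort(fields);
          String signature = String.join("|", fields);
          if (signature != params.expect.fields) {
            msg = "field set mismatch: "+signature+" is not expected set of templated fields";
          }
        } else if (ctx.resp.version != params.expect.version) {
          msg = "template version mismatch: "+ctx.resp.version.toString()+" is not expected version";
        }
        if (msg != null) {
          ctx.error = ctx.error ?: [:];
          if (!(ctx.error.message instanceof List)) {
            ctx.error.message = ctx.error.message == null ? [] : [ctx.error.message];
          }
          ctx.error.message.add(msg);
        }
```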
@@ -790,8 +814,10 @@ processors: ignore_missing: true if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') - remove: - field: json - tag: remove_json + field: + - json + - _conf + tag: remove_unused ignore_missing: true - script: lang: painless diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-common-config.yml b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-common-config.yml index be41bb0d476..2e06a253560 100644 --- a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-common-config.yml +++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-common-config.yml @@ -1,4 +1,6 @@ fields: + _conf: + strict_fields: true tags: - preserve_original_event - preserve_duplicate_custom_fields diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http-endpoint.log b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http-endpoint.log index 80f022ac1e3..18e7ae8d998 100644 --- a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http-endpoint.log +++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http-endpoint.log 
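Review bot: `_conf` is dropped only by this final `remove_unused` processor, so on any earlier processor failure the control field stays on the stored document unless the pipeline's `on_failure` handler also strips it (that handler is outside the hunk, so this is inferred). Since `_conf.strict_fields` is a per-event agent-side switch rather than event data, it is worth removing it in `on_failure` as well, e.g. `- remove: { field: _conf, ignore_missing: true }`, so failed events do not carry an unmapped internal field. The same consideration presumably applies to the other data-stream pipelines touched by this commit.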
@@ -1,3 +1,6 @@ {"sourcetype":"zscalernss-fw","event":{"datetime":"Mon Oct 16 22:55:48 2023","cltdomain":"www.example.com","cdip":"1.128.0.0","outbytes":"10000","cdport":"22","destcountry":"USA","devicemodel":"20L8S7WC08","sdip":"1.128.0.0","duration":"600","sdport":"443","tz":"GMT","action":"Blocked","devicehostname":"THINKPADSMITH","recordid":"123456","deviceosversion":"Version 10.14.2 (Build 18C54)","devicename":"admin","nwsvc":"HTTP","deviceostype":"iOS","ipsrulelabel":"Default IPS Rule","nwapp":"Skype","rdr_rulename":"FWD_Rule_1","proto":"TCP","rulelabel":"rule1","dnatrulelabel":"DNAT_Rule_1","srcipcountry":"United States","rule":"Default_Firewall_Filtering_Rule","ssip":"1.128.0.0","inbytes":"10000","ssport":"22","csip":"0.0.0.0","aggregate":"Yes","csport":"22","bypass_time":"Mon Oct 16 22:55:48 2023","user":"jdoe%40safemarch.com","datacentercountry":"US","bypassed_session":"0","day":"Mon","datacentercity":"Sa","department":"sales","datacenter":"CA Client Node DC","deviceappversion":"2.0.0.120","day_of_month":"16","avgduration":"600","dept":"Sales","eedone":"Yes","deviceowner":"jsmith","external_deviceid":"1234","durationms":"600","forward_gateway_name":"FWD_1","epochtime":"1578128400","ipcat":"Finance","flow_type":"Direct","location":"Headquarters","hour":"22","login":"jdo%40safemarch.com","ips_custom_signature":"0","month":"Oct","locationname":"Headquarters","dnat":"Yes","minute":"55","odevicename":"2175092224","month_of_year":"10","ofwd_gw_name":"8794487099","ocsip":"9960223283","oipcat":"5300295980","odeviceowner":"10831489","odnatlabel":"7956407282","odevicehostname":"2168890624","orulelabel":"624054738","oipsrulelabel":"6200694987","second":"48","ordr_rulename":"3399565100","stateful":"Yes","ozpa_app_seg_name":"7648246731","threatcat":"Botnet Callback","numsessions":"5","tsip":"89.160.20.128","threat_name":"Linux.Backdoor.Tsunami","year":"2023","threatname":"Linux.Backdoor","zpa_app_seg_name":"ZPA_test_app_segment","tuntype":"L2 
tunnel","ztunnelversion":"ZTUNNEL_1_0"}} -{"sourcetype":"zscalernss-fw", "event":{"durationms":"1234","avgduration":"1234","sdip":"0.0.0.0","aggregate":"No","department":"Unknown","nwapp":"NotAvailable","proto":"IP","datetime":"Tue Dec 31 02:22:22 2022","nwsvc":"None","dnat":"No","threatcat":"None","cdport":"120","duration":"1","ipcat":"Other","deviceowner":"NA","csip":"0.0.0.0","devicehostname":"NA","csport":"123","tunsport":"0","destcountry":"NA","rulelabel":"None","locationname":"Unknown","action":"OutOfRange","stateful":"Yes","outbytes":"0","inbytes":"0","ssport":"0","user":"Unknown","tuntype":"OutOfRange","numsessions":"1","ssip":"0.0.0.0","threatname":"None","ipsrulelabel":"None","tsip":"0.0.0.0","sdport":"456","cdip":"0.0.0.0"}} -{"sourcetype":"zscalernss-fw","event":{"datetime":"Mon Oct 16 22:55:48 2023","cltdomain":"www.example.com","cdip":"2a02:cf40::","outbytes":"10000","cdport":"22","destcountry":"USA","devicemodel":"20L8S7WC08","sdip":"67.43.156.0","duration":"600","sdport":"443","tz":"GMT","action":"Blocked","devicehostname":"THINKPADSMITH","recordid":"123456","deviceosversion":"Version 10.14.2 (Build 18C54)","devicename":"admin","nwsvc":"HTTP","deviceostype":"iOS","ipsrulelabel":"Default IPS Rule","nwapp":"Skype","rdr_rulename":"FWD_Rule_1","proto":"TCP","rulelabel":"rule1","dnatrulelabel":"DNAT_Rule_1","srcipcountry":"United States","rule":"Default_Firewall_Filtering_Rule","ssip":"1.128.0.0","inbytes":"10000","ssport":"22","csip":"0.0.0.0","aggregate":"Yes","csport":"25","bypass_time":"Mon Oct 16 22:55:48 2023","user":"jdoe%40safemarch.com","datacentercountry":"US","bypassed_session":"1","day":"Mon","datacentercity":"Sa","department":"sales","datacenter":"CA Client Node 
DC","deviceappversion":"2.0.0.120","day_of_month":"16","avgduration":"600","dept":"Sales","eedone":"Yes","deviceowner":"jsmith","external_deviceid":"1234","durationms":"600","forward_gateway_name":"FWD_1","epochtime":"1578128400","ipcat":"Finance","flow_type":"Direct","location":"Headquarters","hour":"22","login":"jdo%40safemarch.com","ips_custom_signature":"0","month":"Oct","locationname":"Headquarters","dnat":"Yes","minute":"55","odevicename":"2175092224","month_of_year":"10","ofwd_gw_name":"8794487099","ocsip":"9960223283","oipcat":"5300295980","odeviceowner":"10831489","odnatlabel":"7956407282","odevicehostname":"2168890624","orulelabel":"624054738","oipsrulelabel":"6200694987","second":"48","ordr_rulename":"3399565100","stateful":"Yes","ozpa_app_seg_name":"7648246731","threatcat":"Botnet Callback","numsessions":"5","tsip":"89.160.20.128","threat_name":"Linux.Backdoor.Tsunami","year":"2023","threatname":"Linux.Backdoor","zpa_app_seg_name":"ZPA_test_app_segment","tuntype":"L2 tunnel","ztunnelversion":"ZTUNNEL_1_0"}} \ No newline at end of file +{"sourcetype":"zscalernss-fw", "event":{"durationms":"1234","avgduration":"1234","sdip":"0.0.0.0","aggregate":"No","department":"Unknown","nwapp":"NotAvailable","proto":"IP","datetime":"Tue Dec 31 02:22:22 2022","nwsvc":"None","dnat":"No","threatcat":"None","cdport":"120","duration":"1","ipcat":"Other","deviceowner":"NA","csip":"0.0.0.0","devicehostname":"NA","csport":"123","destcountry":"NA","rulelabel":"None","locationname":"Unknown","action":"OutOfRange","stateful":"Yes","outbytes":"0","inbytes":"0","ssport":"0","user":"Unknown","tuntype":"OutOfRange","numsessions":"1","ssip":"0.0.0.0","threatname":"None","ipsrulelabel":"None","tsip":"0.0.0.0","sdport":"456","cdip":"0.0.0.0","bypass_time":"", "bypassed_session":"", "cltdomain":"", "datacenter":"", "datacentercity":"", "datacentercountry":"", "day":"", "day_of_month":"", "dept":"", "deviceappversion":"", "devicemodel":"", "devicename":"", "deviceostype":"", 
"deviceosversion":"", "dnatrulelabel":"", "eedone":"", "epochtime":"", "external_deviceid":"", "flow_type":"", "forward_gateway_name":"", "hour":"", "ips_custom_signature":"", "location":"", "login":"", "minute":"", "month":"", "month_of_year":"", "ocsip":"", "odevicehostname":"", "odevicename":"", "odeviceowner":"", "odnatlabel":"", "ofwd_gw_name":"", "oipcat":"", "oipsrulelabel":"", "ordr_rulename":"", "orulelabel":"", "ozpa_app_seg_name":"", "rdr_rulename":"", "recordid":"", "rule":"", "second":"", "srcipcountry":"", "threat_name":"", "tz":"", "year":"", "zpa_app_seg_name":"", "ztunnelversion":""}} +{"sourcetype":"zscalernss-fw","event":{"datetime":"Mon Oct 16 22:55:48 2023","cltdomain":"www.example.com","cdip":"2a02:cf40::","outbytes":"10000","cdport":"22","destcountry":"USA","devicemodel":"20L8S7WC08","sdip":"67.43.156.0","duration":"600","sdport":"443","tz":"GMT","action":"Blocked","devicehostname":"THINKPADSMITH","recordid":"123456","deviceosversion":"Version 10.14.2 (Build 18C54)","devicename":"admin","nwsvc":"HTTP","deviceostype":"iOS","ipsrulelabel":"Default IPS Rule","nwapp":"Skype","rdr_rulename":"FWD_Rule_1","proto":"TCP","rulelabel":"rule1","dnatrulelabel":"DNAT_Rule_1","srcipcountry":"United States","rule":"Default_Firewall_Filtering_Rule","ssip":"1.128.0.0","inbytes":"10000","ssport":"22","csip":"0.0.0.0","aggregate":"Yes","csport":"25","bypass_time":"Mon Oct 16 22:55:48 2023","user":"jdoe%40safemarch.com","datacentercountry":"US","bypassed_session":"1","day":"Mon","datacentercity":"Sa","department":"sales","datacenter":"CA Client Node 
DC","deviceappversion":"2.0.0.120","day_of_month":"16","avgduration":"600","dept":"Sales","eedone":"Yes","deviceowner":"jsmith","external_deviceid":"1234","durationms":"600","forward_gateway_name":"FWD_1","epochtime":"1578128400","ipcat":"Finance","flow_type":"Direct","location":"Headquarters","hour":"22","login":"jdo%40safemarch.com","ips_custom_signature":"0","month":"Oct","locationname":"Headquarters","dnat":"Yes","minute":"55","odevicename":"2175092224","month_of_year":"10","ofwd_gw_name":"8794487099","ocsip":"9960223283","oipcat":"5300295980","odeviceowner":"10831489","odnatlabel":"7956407282","odevicehostname":"2168890624","orulelabel":"624054738","oipsrulelabel":"6200694987","second":"48","ordr_rulename":"3399565100","stateful":"Yes","ozpa_app_seg_name":"7648246731","threatcat":"Botnet Callback","numsessions":"5","tsip":"89.160.20.128","threat_name":"Linux.Backdoor.Tsunami","year":"2023","threatname":"Linux.Backdoor","zpa_app_seg_name":"ZPA_test_app_segment","tuntype":"L2 tunnel","ztunnelversion":"ZTUNNEL_1_0"}} +{"version":"v2","sourcetype":"zscalernss-fw","event":{"datetime":"Mon Oct 16 22:55:48 2023","cltdomain":"www.example.com","cdip":"1.128.0.0","outbytes":"10000","cdport":"22","destcountry":"USA","devicemodel":"20L8S7WC08","sdip":"1.128.0.0","duration":"600","sdport":"443","tz":"GMT","action":"Blocked","devicehostname":"THINKPADSMITH","recordid":"123456","deviceosversion":"Version 10.14.2 (Build 18C54)","devicename":"admin","nwsvc":"HTTP","deviceostype":"iOS","ipsrulelabel":"Default IPS Rule","nwapp":"Skype","rdr_rulename":"FWD_Rule_1","proto":"TCP","rulelabel":"rule1","dnatrulelabel":"DNAT_Rule_1","srcipcountry":"United States","rule":"Default_Firewall_Filtering_Rule","ssip":"1.128.0.0","inbytes":"10000","ssport":"22","csip":"0.0.0.0","aggregate":"Yes","csport":"22","bypass_time":"Mon Oct 16 22:55:48 
2023","user":"jdoe%40safemarch.com","datacentercountry":"US","bypassed_session":"0","day":"Mon","datacentercity":"Sa","department":"sales","datacenter":"CA Client Node DC","deviceappversion":"2.0.0.120","day_of_month":"16","avgduration":"600","dept":"Sales","eedone":"Yes","deviceowner":"jsmith","external_deviceid":"1234","durationms":"600","forward_gateway_name":"FWD_1","epochtime":"1578128400","ipcat":"Finance","flow_type":"Direct","location":"Headquarters","hour":"22","login":"jdo%40safemarch.com","ips_custom_signature":"0","month":"Oct","locationname":"Headquarters","dnat":"Yes","minute":"55","odevicename":"2175092224","month_of_year":"10","ofwd_gw_name":"8794487099","ocsip":"9960223283","oipcat":"5300295980","odeviceowner":"10831489","odnatlabel":"7956407282","odevicehostname":"2168890624","orulelabel":"624054738","oipsrulelabel":"6200694987","second":"48","ordr_rulename":"3399565100","stateful":"Yes","ozpa_app_seg_name":"7648246731","threatcat":"Botnet Callback","numsessions":"5","tsip":"89.160.20.128","threat_name":"Linux.Backdoor.Tsunami","year":"2023","threatname":"Linux.Backdoor","zpa_app_seg_name":"ZPA_test_app_segment","tuntype":"L2 tunnel","ztunnelversion":"ZTUNNEL_1_0"}} +{"version":"v2","sourcetype":"zscalernss-fw", "event":{"durationms":"1234","avgduration":"1234","sdip":"0.0.0.0","aggregate":"No","department":"Unknown","nwapp":"NotAvailable","proto":"IP","datetime":"Tue Dec 31 02:22:22 2022","nwsvc":"None","dnat":"No","threatcat":"None","cdport":"120","duration":"1","ipcat":"Other","deviceowner":"NA","csip":"0.0.0.0","devicehostname":"NA","csport":"123","destcountry":"NA","rulelabel":"None","locationname":"Unknown","action":"OutOfRange","stateful":"Yes","outbytes":"0","inbytes":"0","ssport":"0","user":"Unknown","tuntype":"OutOfRange","numsessions":"1","ssip":"0.0.0.0","threatname":"None","ipsrulelabel":"None","tsip":"0.0.0.0","sdport":"456","cdip":"0.0.0.0","bypass_time":"", "bypassed_session":"", "cltdomain":"", "datacenter":"", 
"datacentercity":"", "datacentercountry":"", "day":"", "day_of_month":"", "dept":"", "deviceappversion":"", "devicemodel":"", "devicename":"", "deviceostype":"", "deviceosversion":"", "dnatrulelabel":"", "eedone":"", "epochtime":"", "external_deviceid":"", "flow_type":"", "forward_gateway_name":"", "hour":"", "ips_custom_signature":"", "location":"", "login":"", "minute":"", "month":"", "month_of_year":"", "ocsip":"", "odevicehostname":"", "odevicename":"", "odeviceowner":"", "odnatlabel":"", "ofwd_gw_name":"", "oipcat":"", "oipsrulelabel":"", "ordr_rulename":"", "orulelabel":"", "ozpa_app_seg_name":"", "rdr_rulename":"", "recordid":"", "rule":"", "second":"", "srcipcountry":"", "threat_name":"", "tz":"", "year":"", "zpa_app_seg_name":"", "ztunnelversion":""}} +{"version":"v2","sourcetype":"zscalernss-fw","event":{"datetime":"Mon Oct 16 22:55:48 2023","cltdomain":"www.example.com","cdip":"2a02:cf40::","outbytes":"10000","cdport":"22","destcountry":"USA","devicemodel":"20L8S7WC08","sdip":"67.43.156.0","duration":"600","sdport":"443","tz":"GMT","action":"Blocked","devicehostname":"THINKPADSMITH","recordid":"123456","deviceosversion":"Version 10.14.2 (Build 18C54)","devicename":"admin","nwsvc":"HTTP","deviceostype":"iOS","ipsrulelabel":"Default IPS Rule","nwapp":"Skype","rdr_rulename":"FWD_Rule_1","proto":"TCP","rulelabel":"rule1","dnatrulelabel":"DNAT_Rule_1","srcipcountry":"United States","rule":"Default_Firewall_Filtering_Rule","ssip":"1.128.0.0","inbytes":"10000","ssport":"22","csip":"0.0.0.0","aggregate":"Yes","csport":"25","bypass_time":"Mon Oct 16 22:55:48 2023","user":"jdoe%40safemarch.com","datacentercountry":"US","bypassed_session":"1","day":"Mon","datacentercity":"Sa","department":"sales","datacenter":"CA Client Node 
DC","deviceappversion":"2.0.0.120","day_of_month":"16","avgduration":"600","dept":"Sales","eedone":"Yes","deviceowner":"jsmith","external_deviceid":"1234","durationms":"600","forward_gateway_name":"FWD_1","epochtime":"1578128400","ipcat":"Finance","flow_type":"Direct","location":"Headquarters","hour":"22","login":"jdo%40safemarch.com","ips_custom_signature":"0","month":"Oct","locationname":"Headquarters","dnat":"Yes","minute":"55","odevicename":"2175092224","month_of_year":"10","ofwd_gw_name":"8794487099","ocsip":"9960223283","oipcat":"5300295980","odeviceowner":"10831489","odnatlabel":"7956407282","odevicehostname":"2168890624","orulelabel":"624054738","oipsrulelabel":"6200694987","second":"48","ordr_rulename":"3399565100","stateful":"Yes","ozpa_app_seg_name":"7648246731","threatcat":"Botnet Callback","numsessions":"5","tsip":"89.160.20.128","threat_name":"Linux.Backdoor.Tsunami","year":"2023","threatname":"Linux.Backdoor","zpa_app_seg_name":"ZPA_test_app_segment","tuntype":"L2 tunnel","ztunnelversion":"ZTUNNEL_1_0"}} diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http-endpoint.log-expected.json b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http-endpoint.log-expected.json index 3789a1de020..21e9d29ae89 100644 --- a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http-endpoint.log-expected.json +++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http-endpoint.log-expected.json 
@@ -261,7 +261,7 @@ ], "duration": 1234000000, "kind": "event", - "original": "{\"sourcetype\":\"zscalernss-fw\", \"event\":{\"durationms\":\"1234\",\"avgduration\":\"1234\",\"sdip\":\"0.0.0.0\",\"aggregate\":\"No\",\"department\":\"Unknown\",\"nwapp\":\"NotAvailable\",\"proto\":\"IP\",\"datetime\":\"Tue Dec 31 02:22:22 2022\",\"nwsvc\":\"None\",\"dnat\":\"No\",\"threatcat\":\"None\",\"cdport\":\"120\",\"duration\":\"1\",\"ipcat\":\"Other\",\"deviceowner\":\"NA\",\"csip\":\"0.0.0.0\",\"devicehostname\":\"NA\",\"csport\":\"123\",\"tunsport\":\"0\",\"destcountry\":\"NA\",\"rulelabel\":\"None\",\"locationname\":\"Unknown\",\"action\":\"OutOfRange\",\"stateful\":\"Yes\",\"outbytes\":\"0\",\"inbytes\":\"0\",\"ssport\":\"0\",\"user\":\"Unknown\",\"tuntype\":\"OutOfRange\",\"numsessions\":\"1\",\"ssip\":\"0.0.0.0\",\"threatname\":\"None\",\"ipsrulelabel\":\"None\",\"tsip\":\"0.0.0.0\",\"sdport\":\"456\",\"cdip\":\"0.0.0.0\"}}", + "original": "{\"sourcetype\":\"zscalernss-fw\", \"event\":{\"durationms\":\"1234\",\"avgduration\":\"1234\",\"sdip\":\"0.0.0.0\",\"aggregate\":\"No\",\"department\":\"Unknown\",\"nwapp\":\"NotAvailable\",\"proto\":\"IP\",\"datetime\":\"Tue Dec 31 02:22:22 2022\",\"nwsvc\":\"None\",\"dnat\":\"No\",\"threatcat\":\"None\",\"cdport\":\"120\",\"duration\":\"1\",\"ipcat\":\"Other\",\"deviceowner\":\"NA\",\"csip\":\"0.0.0.0\",\"devicehostname\":\"NA\",\"csport\":\"123\",\"destcountry\":\"NA\",\"rulelabel\":\"None\",\"locationname\":\"Unknown\",\"action\":\"OutOfRange\",\"stateful\":\"Yes\",\"outbytes\":\"0\",\"inbytes\":\"0\",\"ssport\":\"0\",\"user\":\"Unknown\",\"tuntype\":\"OutOfRange\",\"numsessions\":\"1\",\"ssip\":\"0.0.0.0\",\"threatname\":\"None\",\"ipsrulelabel\":\"None\",\"tsip\":\"0.0.0.0\",\"sdport\":\"456\",\"cdip\":\"0.0.0.0\",\"bypass_time\":\"\", \"bypassed_session\":\"\", \"cltdomain\":\"\", \"datacenter\":\"\", \"datacentercity\":\"\", \"datacentercountry\":\"\", \"day\":\"\", \"day_of_month\":\"\", \"dept\":\"\", 
\"deviceappversion\":\"\", \"devicemodel\":\"\", \"devicename\":\"\", \"deviceostype\":\"\", \"deviceosversion\":\"\", \"dnatrulelabel\":\"\", \"eedone\":\"\", \"epochtime\":\"\", \"external_deviceid\":\"\", \"flow_type\":\"\", \"forward_gateway_name\":\"\", \"hour\":\"\", \"ips_custom_signature\":\"\", \"location\":\"\", \"login\":\"\", \"minute\":\"\", \"month\":\"\", \"month_of_year\":\"\", \"ocsip\":\"\", \"odevicehostname\":\"\", \"odevicename\":\"\", \"odeviceowner\":\"\", \"odnatlabel\":\"\", \"ofwd_gw_name\":\"\", \"oipcat\":\"\", \"oipsrulelabel\":\"\", \"ordr_rulename\":\"\", \"orulelabel\":\"\", \"ozpa_app_seg_name\":\"\", \"rdr_rulename\":\"\", \"recordid\":\"\", \"rule\":\"\", \"second\":\"\", \"srcipcountry\":\"\", \"threat_name\":\"\", \"tz\":\"\", \"year\":\"\", \"zpa_app_seg_name\":\"\", \"ztunnelversion\":\"\"}}", "timezone": "UTC", "type": [ "info" 
@@ -597,6 +597,604 @@ "zpa_app_segment": "ZPA_test_app_segment" } } + }, + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "destination": { + "bytes": 10000, + "domain": "www.example.com", + "geo": { + "country_iso_code": "USA" + }, + "ip": "1.128.0.0", + "port": [ + 22, + 443 + ] + }, + "device": { + "model": { + "identifier": "20L8S7WC08" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "blocked", + "category": [ + "network" + ], + "duration": 600000000, + "id": "123456", + "kind": "event", + "original": "{\"version\":\"v2\",\"sourcetype\":\"zscalernss-fw\",\"event\":{\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"cltdomain\":\"www.example.com\",\"cdip\":\"1.128.0.0\",\"outbytes\":\"10000\",\"cdport\":\"22\",\"destcountry\":\"USA\",\"devicemodel\":\"20L8S7WC08\",\"sdip\":\"1.128.0.0\",\"duration\":\"600\",\"sdport\":\"443\",\"tz\":\"GMT\",\"action\":\"Blocked\",\"devicehostname\":\"THINKPADSMITH\",\"recordid\":\"123456\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicename\":\"admin\",\"nwsvc\":\"HTTP\",\"deviceostype\":\"iOS\",\"ipsrulelabel\":\"Default IPS Rule\",\"nwapp\":\"Skype\",\"rdr_rulename\":\"FWD_Rule_1\",\"proto\":\"TCP\",\"rulelabel\":\"rule1\",\"dnatrulelabel\":\"DNAT_Rule_1\",\"srcipcountry\":\"United States\",\"rule\":\"Default_Firewall_Filtering_Rule\",\"ssip\":\"1.128.0.0\",\"inbytes\":\"10000\",\"ssport\":\"22\",\"csip\":\"0.0.0.0\",\"aggregate\":\"Yes\",\"csport\":\"22\",\"bypass_time\":\"Mon Oct 16 22:55:48 2023\",\"user\":\"jdoe%40safemarch.com\",\"datacentercountry\":\"US\",\"bypassed_session\":\"0\",\"day\":\"Mon\",\"datacentercity\":\"Sa\",\"department\":\"sales\",\"datacenter\":\"CA Client Node 
DC\",\"deviceappversion\":\"2.0.0.120\",\"day_of_month\":\"16\",\"avgduration\":\"600\",\"dept\":\"Sales\",\"eedone\":\"Yes\",\"deviceowner\":\"jsmith\",\"external_deviceid\":\"1234\",\"durationms\":\"600\",\"forward_gateway_name\":\"FWD_1\",\"epochtime\":\"1578128400\",\"ipcat\":\"Finance\",\"flow_type\":\"Direct\",\"location\":\"Headquarters\",\"hour\":\"22\",\"login\":\"jdo%40safemarch.com\",\"ips_custom_signature\":\"0\",\"month\":\"Oct\",\"locationname\":\"Headquarters\",\"dnat\":\"Yes\",\"minute\":\"55\",\"odevicename\":\"2175092224\",\"month_of_year\":\"10\",\"ofwd_gw_name\":\"8794487099\",\"ocsip\":\"9960223283\",\"oipcat\":\"5300295980\",\"odeviceowner\":\"10831489\",\"odnatlabel\":\"7956407282\",\"odevicehostname\":\"2168890624\",\"orulelabel\":\"624054738\",\"oipsrulelabel\":\"6200694987\",\"second\":\"48\",\"ordr_rulename\":\"3399565100\",\"stateful\":\"Yes\",\"ozpa_app_seg_name\":\"7648246731\",\"threatcat\":\"Botnet Callback\",\"numsessions\":\"5\",\"tsip\":\"89.160.20.128\",\"threat_name\":\"Linux.Backdoor.Tsunami\",\"year\":\"2023\",\"threatname\":\"Linux.Backdoor\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\",\"tuntype\":\"L2 tunnel\",\"ztunnelversion\":\"ZTUNNEL_1_0\"}}", + "timezone": "GMT", + "type": [ + "denied" + ] + }, + "host": { + "hostname": "admin", + "name": "thinkpadsmith", + "os": { + "type": "ios", + "version": "Version 10.14.2 (Build 18C54)" + } + }, + "network": { + "application": "skype", + "bytes": 20000, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "product": "ZIA", + "type": "firewall", + "vendor": "Zscaler" + }, + "related": { + "hosts": [ + "thinkpadsmith", + "admin" + ], + "ip": [ + "1.128.0.0", + "0.0.0.0", + "89.160.20.128" + ], + "user": [ + "jsmith", + "jdoe", + "jdoe@safemarch.com" + ] + }, + "rule": { + "name": [ + "Default IPS Rule", + "DNAT_Rule_1", + "FWD_Rule_1", + "Default_Firewall_Filtering_Rule", + "rule1" + ] + }, + "source": { + "bytes": 10000, + "geo": { + "city_name": "Linköping", + 
"continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "0.0.0.0", + "nat": { + "ip": "89.160.20.128" + }, + "port": [ + 22 + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "safemarch.com", + "email": "jdoe@safemarch.com", + "name": "jdoe" + }, + "zscaler_zia": { + "firewall": { + "action": "Blocked", + "aggregate": "Yes", + "bypassed": { + "session": "0", + "time": "2023-10-16T22:55:48.000Z" + }, + "bytes_in": 10000, + "client": { + "destination": { + "ip": "1.128.0.0", + "port": 22 + }, + "domain": "www.example.com", + "source": { + "ip": "0.0.0.0", + "port": 22 + } + }, + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "sales", + "dept": "Sales", + "destination": { + "country": "USA" + }, + "device": { + "appversion": "2.0.0.120", + "hostname": "THINKPADSMITH", + "model": "20L8S7WC08", + "name": "admin", + "os": { + "type": "iOS", + "version": "Version 10.14.2 (Build 18C54)" + }, + "owner": "jsmith" + }, + "duration": { + "average_duration": 600, + "milliseconds": 600, + "seconds": 600 + }, + "eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "external_device_id": "1234", + "flow_type": "Direct", + "forward_gateway_name": "FWD_1", + "hour": 22, + "ip_category": "Finance", + "ip_protocol": "TCP", + "ips": { + "custom_signature": "0", + "rule_label": "Default IPS Rule" + }, + "location": "Headquarters", + "location_name": "Headquarters", + "login": "jdo@safemarch.com", + "minutes": 55, + "month": "Oct", + "month_of_year": 10, + "nat": "Yes", + "nat_rule_label": "DNAT_Rule_1", + "network": { + "application": "Skype", + "service": "HTTP" + }, + "obfuscated": { + "client_source_ip": "9960223283", + "device": { + "name": "2175092224", + 
"owner": "10831489" + }, + "forward_gateway_name": "8794487099", + "host_name": "2168890624", + "ip": { + "category": "5300295980" + }, + "ips_rule_label": "6200694987", + "nat_label": "7956407282", + "redirect_policy_name": "3399565100", + "rule_label": "624054738", + "zpa_app_segment": "7648246731" + }, + "out_bytes": 10000, + "record": { + "id": "123456" + }, + "redirect_policy_name": "FWD_Rule_1", + "rule": "Default_Firewall_Filtering_Rule", + "rule_label": "rule1", + "second": 48, + "server": { + "destination": { + "ip": "1.128.0.0", + "port": 443 + }, + "source": { + "ip": "1.128.0.0", + "port": 22 + } + }, + "session": { + "count": 5 + }, + "source_ip_country": "United States", + "stateful": "Yes", + "threat": { + "category": "Botnet Callback", + "name": "Linux.Backdoor" + }, + "threat_name": "Linux.Backdoor.Tsunami", + "time": "2023-10-16T22:55:48.000Z", + "timezone": "GMT", + "tunnel": { + "ip": "89.160.20.128", + "type": "L2 tunnel" + }, + "user": "jdoe@safemarch.com", + "year": 2023, + "z_tunnel_version": "ZTUNNEL_1_0", + "zpa_app_segment": "ZPA_test_app_segment" + } + } + }, + { + "@timestamp": "2022-12-31T02:22:22.000Z", + "destination": { + "bytes": 0, + "ip": "0.0.0.0", + "port": [ + 120, + 456 + ] + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "outofrange", + "category": [ + "network" + ], + "duration": 1234000000, + "kind": "event", + "original": "{\"version\":\"v2\",\"sourcetype\":\"zscalernss-fw\", \"event\":{\"durationms\":\"1234\",\"avgduration\":\"1234\",\"sdip\":\"0.0.0.0\",\"aggregate\":\"No\",\"department\":\"Unknown\",\"nwapp\":\"NotAvailable\",\"proto\":\"IP\",\"datetime\":\"Tue Dec 31 02:22:22 
2022\",\"nwsvc\":\"None\",\"dnat\":\"No\",\"threatcat\":\"None\",\"cdport\":\"120\",\"duration\":\"1\",\"ipcat\":\"Other\",\"deviceowner\":\"NA\",\"csip\":\"0.0.0.0\",\"devicehostname\":\"NA\",\"csport\":\"123\",\"destcountry\":\"NA\",\"rulelabel\":\"None\",\"locationname\":\"Unknown\",\"action\":\"OutOfRange\",\"stateful\":\"Yes\",\"outbytes\":\"0\",\"inbytes\":\"0\",\"ssport\":\"0\",\"user\":\"Unknown\",\"tuntype\":\"OutOfRange\",\"numsessions\":\"1\",\"ssip\":\"0.0.0.0\",\"threatname\":\"None\",\"ipsrulelabel\":\"None\",\"tsip\":\"0.0.0.0\",\"sdport\":\"456\",\"cdip\":\"0.0.0.0\",\"bypass_time\":\"\", \"bypassed_session\":\"\", \"cltdomain\":\"\", \"datacenter\":\"\", \"datacentercity\":\"\", \"datacentercountry\":\"\", \"day\":\"\", \"day_of_month\":\"\", \"dept\":\"\", \"deviceappversion\":\"\", \"devicemodel\":\"\", \"devicename\":\"\", \"deviceostype\":\"\", \"deviceosversion\":\"\", \"dnatrulelabel\":\"\", \"eedone\":\"\", \"epochtime\":\"\", \"external_deviceid\":\"\", \"flow_type\":\"\", \"forward_gateway_name\":\"\", \"hour\":\"\", \"ips_custom_signature\":\"\", \"location\":\"\", \"login\":\"\", \"minute\":\"\", \"month\":\"\", \"month_of_year\":\"\", \"ocsip\":\"\", \"odevicehostname\":\"\", \"odevicename\":\"\", \"odeviceowner\":\"\", \"odnatlabel\":\"\", \"ofwd_gw_name\":\"\", \"oipcat\":\"\", \"oipsrulelabel\":\"\", \"ordr_rulename\":\"\", \"orulelabel\":\"\", \"ozpa_app_seg_name\":\"\", \"rdr_rulename\":\"\", \"recordid\":\"\", \"rule\":\"\", \"second\":\"\", \"srcipcountry\":\"\", \"threat_name\":\"\", \"tz\":\"\", \"year\":\"\", \"zpa_app_seg_name\":\"\", \"ztunnelversion\":\"\"}}", + "timezone": "UTC", + "type": [ + "info" + ] + }, + "network": { + "application": "notavailable", + "bytes": 0, + "transport": "ip" + }, + "observer": { + "product": "ZIA", + "type": "firewall", + "vendor": "Zscaler" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "source": { + "bytes": 0, + "ip": "0.0.0.0", + "nat": { + "ip": "0.0.0.0" + }, + "port": [ + 123, + 
0 + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "zscaler_zia": { + "firewall": { + "action": "OutOfRange", + "aggregate": "No", + "bytes_in": 0, + "client": { + "destination": { + "ip": "0.0.0.0", + "port": 120 + }, + "source": { + "ip": "0.0.0.0", + "port": 123 + } + }, + "department": "Unknown", + "duration": { + "average_duration": 1234, + "milliseconds": 1234, + "seconds": 1 + }, + "ip_category": "Other", + "ip_protocol": "IP", + "location_name": "Unknown", + "nat": "No", + "network": { + "application": "NotAvailable" + }, + "out_bytes": 0, + "server": { + "destination": { + "ip": "0.0.0.0", + "port": 456 + }, + "source": { + "ip": "0.0.0.0", + "port": 0 + } + }, + "session": { + "count": 1 + }, + "stateful": "Yes", + "time": "2022-12-31T02:22:22.000Z", + "tunnel": { + "ip": "0.0.0.0", + "type": "OutOfRange" + } + } + } + }, + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "destination": { + "bytes": 10000, + "domain": "www.example.com", + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40::", + "port": [ + 22, + 443 + ] + }, + "device": { + "model": { + "identifier": "20L8S7WC08" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "blocked", + "category": [ + "network" + ], + "duration": 600000000, + "id": "123456", + "kind": "event", + "original": "{\"version\":\"v2\",\"sourcetype\":\"zscalernss-fw\",\"event\":{\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"cltdomain\":\"www.example.com\",\"cdip\":\"2a02:cf40::\",\"outbytes\":\"10000\",\"cdport\":\"22\",\"destcountry\":\"USA\",\"devicemodel\":\"20L8S7WC08\",\"sdip\":\"67.43.156.0\",\"duration\":\"600\",\"sdport\":\"443\",\"tz\":\"GMT\",\"action\":\"Blocked\",\"devicehostname\":\"THINKPADSMITH\",\"recordid\":\"123456\",\"deviceosversion\":\"Version 10.14.2 (Build 
18C54)\",\"devicename\":\"admin\",\"nwsvc\":\"HTTP\",\"deviceostype\":\"iOS\",\"ipsrulelabel\":\"Default IPS Rule\",\"nwapp\":\"Skype\",\"rdr_rulename\":\"FWD_Rule_1\",\"proto\":\"TCP\",\"rulelabel\":\"rule1\",\"dnatrulelabel\":\"DNAT_Rule_1\",\"srcipcountry\":\"United States\",\"rule\":\"Default_Firewall_Filtering_Rule\",\"ssip\":\"1.128.0.0\",\"inbytes\":\"10000\",\"ssport\":\"22\",\"csip\":\"0.0.0.0\",\"aggregate\":\"Yes\",\"csport\":\"25\",\"bypass_time\":\"Mon Oct 16 22:55:48 2023\",\"user\":\"jdoe%40safemarch.com\",\"datacentercountry\":\"US\",\"bypassed_session\":\"1\",\"day\":\"Mon\",\"datacentercity\":\"Sa\",\"department\":\"sales\",\"datacenter\":\"CA Client Node DC\",\"deviceappversion\":\"2.0.0.120\",\"day_of_month\":\"16\",\"avgduration\":\"600\",\"dept\":\"Sales\",\"eedone\":\"Yes\",\"deviceowner\":\"jsmith\",\"external_deviceid\":\"1234\",\"durationms\":\"600\",\"forward_gateway_name\":\"FWD_1\",\"epochtime\":\"1578128400\",\"ipcat\":\"Finance\",\"flow_type\":\"Direct\",\"location\":\"Headquarters\",\"hour\":\"22\",\"login\":\"jdo%40safemarch.com\",\"ips_custom_signature\":\"0\",\"month\":\"Oct\",\"locationname\":\"Headquarters\",\"dnat\":\"Yes\",\"minute\":\"55\",\"odevicename\":\"2175092224\",\"month_of_year\":\"10\",\"ofwd_gw_name\":\"8794487099\",\"ocsip\":\"9960223283\",\"oipcat\":\"5300295980\",\"odeviceowner\":\"10831489\",\"odnatlabel\":\"7956407282\",\"odevicehostname\":\"2168890624\",\"orulelabel\":\"624054738\",\"oipsrulelabel\":\"6200694987\",\"second\":\"48\",\"ordr_rulename\":\"3399565100\",\"stateful\":\"Yes\",\"ozpa_app_seg_name\":\"7648246731\",\"threatcat\":\"Botnet Callback\",\"numsessions\":\"5\",\"tsip\":\"89.160.20.128\",\"threat_name\":\"Linux.Backdoor.Tsunami\",\"year\":\"2023\",\"threatname\":\"Linux.Backdoor\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\",\"tuntype\":\"L2 tunnel\",\"ztunnelversion\":\"ZTUNNEL_1_0\"}}", + "timezone": "GMT", + "type": [ + "denied" + ] + }, + "host": { + "hostname": "admin", + "name": 
"thinkpadsmith", + "os": { + "type": "ios", + "version": "Version 10.14.2 (Build 18C54)" + } + }, + "network": { + "application": "skype", + "bytes": 20000, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "product": "ZIA", + "type": "firewall", + "vendor": "Zscaler" + }, + "related": { + "hosts": [ + "thinkpadsmith", + "admin" + ], + "ip": [ + "2a02:cf40::", + "0.0.0.0", + "67.43.156.0", + "1.128.0.0", + "89.160.20.128" + ], + "user": [ + "jsmith", + "jdoe", + "jdoe@safemarch.com" + ] + }, + "rule": { + "name": [ + "Default IPS Rule", + "DNAT_Rule_1", + "FWD_Rule_1", + "Default_Firewall_Filtering_Rule", + "rule1" + ] + }, + "source": { + "bytes": 10000, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "0.0.0.0", + "nat": { + "ip": "89.160.20.128" + }, + "port": [ + 25, + 22 + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "safemarch.com", + "email": "jdoe@safemarch.com", + "name": "jdoe" + }, + "zscaler_zia": { + "firewall": { + "action": "Blocked", + "aggregate": "Yes", + "bypassed": { + "session": "1", + "time": "2023-10-16T22:55:48.000Z" + }, + "bytes_in": 10000, + "client": { + "destination": { + "ip": "2a02:cf40::", + "port": 22 + }, + "domain": "www.example.com", + "source": { + "ip": "0.0.0.0", + "port": 25 + } + }, + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "sales", + "dept": "Sales", + "destination": { + "country": "USA" + }, + "device": { + "appversion": "2.0.0.120", + "hostname": "THINKPADSMITH", + "model": "20L8S7WC08", + "name": "admin", + "os": { + "type": "iOS", + "version": "Version 10.14.2 (Build 18C54)" + }, + "owner": "jsmith" + }, + "duration": { + 
"average_duration": 600, + "milliseconds": 600, + "seconds": 600 + }, + "eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "external_device_id": "1234", + "flow_type": "Direct", + "forward_gateway_name": "FWD_1", + "hour": 22, + "ip_category": "Finance", + "ip_protocol": "TCP", + "ips": { + "custom_signature": "0", + "rule_label": "Default IPS Rule" + }, + "location": "Headquarters", + "location_name": "Headquarters", + "login": "jdo@safemarch.com", + "minutes": 55, + "month": "Oct", + "month_of_year": 10, + "nat": "Yes", + "nat_rule_label": "DNAT_Rule_1", + "network": { + "application": "Skype", + "service": "HTTP" + }, + "obfuscated": { + "client_source_ip": "9960223283", + "device": { + "name": "2175092224", + "owner": "10831489" + }, + "forward_gateway_name": "8794487099", + "host_name": "2168890624", + "ip": { + "category": "5300295980" + }, + "ips_rule_label": "6200694987", + "nat_label": "7956407282", + "redirect_policy_name": "3399565100", + "rule_label": "624054738", + "zpa_app_segment": "7648246731" + }, + "out_bytes": 10000, + "record": { + "id": "123456" + }, + "redirect_policy_name": "FWD_Rule_1", + "rule": "Default_Firewall_Filtering_Rule", + "rule_label": "rule1", + "second": 48, + "server": { + "destination": { + "ip": "67.43.156.0", + "port": 443 + }, + "source": { + "ip": "1.128.0.0", + "port": 22 + } + }, + "session": { + "count": 5 + }, + "source_ip_country": "United States", + "stateful": "Yes", + "threat": { + "category": "Botnet Callback", + "name": "Linux.Backdoor" + }, + "threat_name": "Linux.Backdoor.Tsunami", + "time": "2023-10-16T22:55:48.000Z", + "timezone": "GMT", + "tunnel": { + "ip": "89.160.20.128", + "type": "L2 tunnel" + }, + "user": "jdoe@safemarch.com", + "year": 2023, + "z_tunnel_version": "ZTUNNEL_1_0", + "zpa_app_segment": "ZPA_test_app_segment" + } + } } ] -} \ No newline at end of file +} 
diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log index c28dd885325..99a0b4610f6 100644 --- a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log +++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log 
@@ -1,2 +1,4 @@ {"sourcetype":"zscalernss-fw","event":{"datetime":"Mon Oct 16 22:55:48 2023","cltdomain":"www.example.com","cdip":"1.128.0.0","outbytes":"10000","cdport":"22","destcountry":"USA","devicemodel":"20L8S7WC08","sdip":"1.128.0.0","duration":"600","sdport":"443","tz":"GMT","action":"Blocked","devicehostname":"THINKPADSMITH","recordid":"123456","deviceosversion":"Version 10.14.2 (Build 18C54)","devicename":"admin","nwsvc":"HTTP","deviceostype":"iOS","ipsrulelabel":"Default IPS Rule","nwapp":"Skype","rdr_rulename":"FWD_Rule_1","proto":"TCP","rulelabel":"rule1","dnatrulelabel":"DNAT_Rule_1","srcipcountry":"United States","rule":"Default_Firewall_Filtering_Rule","ssip":"1.128.0.0","inbytes":"10000","ssport":"22","csip":"1.128.0.0","aggregate":"Yes","csport":"22","bypass_time":"Mon Oct 16 22:55:48 2023","user":"jdoe@safemarch.com","datacentercountry":"US","bypassed_session":"1","day":"Mon","datacentercity":"Sa","department":"sales","datacenter":"CA Client Node DC","deviceappversion":"2.0.0.120","day_of_month":"16","avgduration":"600","dept":"Sales","eedone":"Yes","deviceowner":"jsmith","external_deviceid":"1234","durationms":"600","forward_gateway_name":"FWD_1","epochtime":"1578128400","ipcat":"Finance","flow_type":"Direct","location":"Headquarters","hour":"22","login":"jdo@safemarch.com","ips_custom_signature":"1","month":"Oct","locationname":"Headquarters","dnat":"Yes","minute":"55","odevicename":"2175092224","month_of_year":"10","ofwd_gw_name":"8794487099","ocsip":"9960223283","oipcat":"5300295980","odeviceowner":"10831489","odnatlabel":"7956407282","odevicehostname":"2168890624","orulelabel":"624054738","oipsrulelabel":"6200694987","second":"48","ordr_rulename":"3399565100","stateful":"Yes","ozpa_app_seg_name":"7648246731","threatcat":"Botnet Callback","numsessions":"5","tsip":"89.160.20.128","threat_name":"Linux.Backdoor.Tsunami","year":"2023","threatname":"Linux.Backdoor","zpa_app_seg_name":"ZPA_test_app_segment","tuntype":"L2 
tunnel","ztunnelversion":"ZTUNNEL_1_0"}} -{"sourcetype":"zscalernss-fw","event":{"datetime":"Mon Oct 16 22:55:48 2023","cltdomain":"www.example.com","cdip":"2a02:cf40::","outbytes":"10000","cdport":"22","destcountry":"USA","devicemodel":"20L8S7WC08","sdip":"67.43.156.0","duration":"600","sdport":"443","tz":"GMT","action":"Blocked","devicehostname":"THINKPADSMITH","recordid":"123456","deviceosversion":"Version 10.14.2 (Build 18C54)","devicename":"admin","nwsvc":"HTTP","deviceostype":"iOS","ipsrulelabel":"Default IPS Rule","nwapp":"Skype","rdr_rulename":"FWD_Rule_1","proto":"TCP","rulelabel":"rule1","dnatrulelabel":"DNAT_Rule_1","srcipcountry":"United States","rule":"Default_Firewall_Filtering_Rule","ssip":"1.128.0.0","inbytes":"10000","ssport":"22","csip":"0.0.0.0","aggregate":"Yes","csport":"25","bypass_time":"Mon Oct 16 22:55:48 2023","user":"jdoe%40safemarch.com","datacentercountry":"US","bypassed_session":"1","day":"Mon","datacentercity":"Sa","department":"sales","datacenter":"CA Client Node DC","deviceappversion":"2.0.0.120","day_of_month":"16","avgduration":"600","dept":"Sales","eedone":"Yes","deviceowner":"jsmith","external_deviceid":"1234","durationms":"600","forward_gateway_name":"FWD_1","epochtime":"1578128400","ipcat":"Finance","flow_type":"Direct","location":"Headquarters","hour":"22","login":"jdo%40safemarch.com","ips_custom_signature":"0","month":"Oct","locationname":"Headquarters","dnat":"Yes","minute":"55","odevicename":"2175092224","month_of_year":"10","ofwd_gw_name":"8794487099","ocsip":"9960223283","oipcat":"5300295980","odeviceowner":"10831489","odnatlabel":"7956407282","odevicehostname":"2168890624","orulelabel":"624054738","oipsrulelabel":"6200694987","second":"48","ordr_rulename":"3399565100","stateful":"Yes","ozpa_app_seg_name":"7648246731","threatcat":"Botnet 
Callback","numsessions":"5","tsip":"89.160.20.128","threat_name":"Linux.Backdoor.Tsunami","year":"2023","threatname":"Linux.Backdoor","zpa_app_seg_name":"ZPA_test_app_segment","tuntype":"L2 tunnel","ztunnelversion":"ZTUNNEL_1_0"}} \ No newline at end of file +{"sourcetype":"zscalernss-fw","event":{"datetime":"Mon Oct 16 22:55:48 2023","cltdomain":"www.example.com","cdip":"2a02:cf40::","outbytes":"10000","cdport":"22","destcountry":"USA","devicemodel":"20L8S7WC08","sdip":"67.43.156.0","duration":"600","sdport":"443","tz":"GMT","action":"Blocked","devicehostname":"THINKPADSMITH","recordid":"123456","deviceosversion":"Version 10.14.2 (Build 18C54)","devicename":"admin","nwsvc":"HTTP","deviceostype":"iOS","ipsrulelabel":"Default IPS Rule","nwapp":"Skype","rdr_rulename":"FWD_Rule_1","proto":"TCP","rulelabel":"rule1","dnatrulelabel":"DNAT_Rule_1","srcipcountry":"United States","rule":"Default_Firewall_Filtering_Rule","ssip":"1.128.0.0","inbytes":"10000","ssport":"22","csip":"0.0.0.0","aggregate":"Yes","csport":"25","bypass_time":"Mon Oct 16 22:55:48 2023","user":"jdoe%40safemarch.com","datacentercountry":"US","bypassed_session":"1","day":"Mon","datacentercity":"Sa","department":"sales","datacenter":"CA Client Node 
DC","deviceappversion":"2.0.0.120","day_of_month":"16","avgduration":"600","dept":"Sales","eedone":"Yes","deviceowner":"jsmith","external_deviceid":"1234","durationms":"600","forward_gateway_name":"FWD_1","epochtime":"1578128400","ipcat":"Finance","flow_type":"Direct","location":"Headquarters","hour":"22","login":"jdo%40safemarch.com","ips_custom_signature":"0","month":"Oct","locationname":"Headquarters","dnat":"Yes","minute":"55","odevicename":"2175092224","month_of_year":"10","ofwd_gw_name":"8794487099","ocsip":"9960223283","oipcat":"5300295980","odeviceowner":"10831489","odnatlabel":"7956407282","odevicehostname":"2168890624","orulelabel":"624054738","oipsrulelabel":"6200694987","second":"48","ordr_rulename":"3399565100","stateful":"Yes","ozpa_app_seg_name":"7648246731","threatcat":"Botnet Callback","numsessions":"5","tsip":"89.160.20.128","threat_name":"Linux.Backdoor.Tsunami","year":"2023","threatname":"Linux.Backdoor","zpa_app_seg_name":"ZPA_test_app_segment","tuntype":"L2 tunnel","ztunnelversion":"ZTUNNEL_1_0"}} +{"version":"v2","sourcetype":"zscalernss-fw","event":{"datetime":"Mon Oct 16 22:55:48 2023","cltdomain":"www.example.com","cdip":"1.128.0.0","outbytes":"10000","cdport":"22","destcountry":"USA","devicemodel":"20L8S7WC08","sdip":"1.128.0.0","duration":"600","sdport":"443","tz":"GMT","action":"Blocked","devicehostname":"THINKPADSMITH","recordid":"123456","deviceosversion":"Version 10.14.2 (Build 18C54)","devicename":"admin","nwsvc":"HTTP","deviceostype":"iOS","ipsrulelabel":"Default IPS Rule","nwapp":"Skype","rdr_rulename":"FWD_Rule_1","proto":"TCP","rulelabel":"rule1","dnatrulelabel":"DNAT_Rule_1","srcipcountry":"United States","rule":"Default_Firewall_Filtering_Rule","ssip":"1.128.0.0","inbytes":"10000","ssport":"22","csip":"1.128.0.0","aggregate":"Yes","csport":"22","bypass_time":"Mon Oct 16 22:55:48 
2023","user":"jdoe@safemarch.com","datacentercountry":"US","bypassed_session":"1","day":"Mon","datacentercity":"Sa","department":"sales","datacenter":"CA Client Node DC","deviceappversion":"2.0.0.120","day_of_month":"16","avgduration":"600","dept":"Sales","eedone":"Yes","deviceowner":"jsmith","external_deviceid":"1234","durationms":"600","forward_gateway_name":"FWD_1","epochtime":"1578128400","ipcat":"Finance","flow_type":"Direct","location":"Headquarters","hour":"22","login":"jdo@safemarch.com","ips_custom_signature":"1","month":"Oct","locationname":"Headquarters","dnat":"Yes","minute":"55","odevicename":"2175092224","month_of_year":"10","ofwd_gw_name":"8794487099","ocsip":"9960223283","oipcat":"5300295980","odeviceowner":"10831489","odnatlabel":"7956407282","odevicehostname":"2168890624","orulelabel":"624054738","oipsrulelabel":"6200694987","second":"48","ordr_rulename":"3399565100","stateful":"Yes","ozpa_app_seg_name":"7648246731","threatcat":"Botnet Callback","numsessions":"5","tsip":"89.160.20.128","threat_name":"Linux.Backdoor.Tsunami","year":"2023","threatname":"Linux.Backdoor","zpa_app_seg_name":"ZPA_test_app_segment","tuntype":"L2 tunnel","ztunnelversion":"ZTUNNEL_1_0"}} +{"version":"v2","sourcetype":"zscalernss-fw","event":{"datetime":"Mon Oct 16 22:55:48 2023","cltdomain":"www.example.com","cdip":"2a02:cf40::","outbytes":"10000","cdport":"22","destcountry":"USA","devicemodel":"20L8S7WC08","sdip":"67.43.156.0","duration":"600","sdport":"443","tz":"GMT","action":"Blocked","devicehostname":"THINKPADSMITH","recordid":"123456","deviceosversion":"Version 10.14.2 (Build 18C54)","devicename":"admin","nwsvc":"HTTP","deviceostype":"iOS","ipsrulelabel":"Default IPS Rule","nwapp":"Skype","rdr_rulename":"FWD_Rule_1","proto":"TCP","rulelabel":"rule1","dnatrulelabel":"DNAT_Rule_1","srcipcountry":"United States","rule":"Default_Firewall_Filtering_Rule","ssip":"1.128.0.0","inbytes":"10000","ssport":"22","csip":"0.0.0.0","aggregate":"Yes","csport":"25","bypass_time":"Mon 
Oct 16 22:55:48 2023","user":"jdoe%40safemarch.com","datacentercountry":"US","bypassed_session":"1","day":"Mon","datacentercity":"Sa","department":"sales","datacenter":"CA Client Node DC","deviceappversion":"2.0.0.120","day_of_month":"16","avgduration":"600","dept":"Sales","eedone":"Yes","deviceowner":"jsmith","external_deviceid":"1234","durationms":"600","forward_gateway_name":"FWD_1","epochtime":"1578128400","ipcat":"Finance","flow_type":"Direct","location":"Headquarters","hour":"22","login":"jdo%40safemarch.com","ips_custom_signature":"0","month":"Oct","locationname":"Headquarters","dnat":"Yes","minute":"55","odevicename":"2175092224","month_of_year":"10","ofwd_gw_name":"8794487099","ocsip":"9960223283","oipcat":"5300295980","odeviceowner":"10831489","odnatlabel":"7956407282","odevicehostname":"2168890624","orulelabel":"624054738","oipsrulelabel":"6200694987","second":"48","ordr_rulename":"3399565100","stateful":"Yes","ozpa_app_seg_name":"7648246731","threatcat":"Botnet Callback","numsessions":"5","tsip":"89.160.20.128","threat_name":"Linux.Backdoor.Tsunami","year":"2023","threatname":"Linux.Backdoor","zpa_app_seg_name":"ZPA_test_app_segment","tuntype":"L2 tunnel","ztunnelversion":"ZTUNNEL_1_0"}} diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json index d0079f7ef10..7e38351ed14 100644 --- a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json +++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json 
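Review bot: The two events appended at the end of this hunk both carry `"version":"v2"` together with a complete field set, so the strict template check described in the commit message is only exercised on its accepting path by this fixture; unless another fixture covers it, one line with a mismatching version value and one with a v2 body that omits a field would pin the rejection and the fall-back-to-field-assessment behaviour as well. The two v2 lines are otherwise byte-for-byte copies of the two legacy lines above them, which makes it hard to tell from the expected-output file which line drove which document; since an NDJSON fixture cannot carry comments, varying one identifying value such as `recordid` between each legacy event and its v2 copy would make the expected output self-explaining. Note also that the second legacy event keeps `"user":"jdoe%40safemarch.com"` while the first uses the decoded form, so the v2 copies inherit both encodings, which is fine for coverage but worth stating as intentional in the PR description.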
@@ -489,6 +489,496 @@ "zpa_app_segment": "ZPA_test_app_segment" } } + }, + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "destination": { + "bytes": 10000, + "domain": "www.example.com", + "geo": { + "country_iso_code": "USA" + }, + "ip": "1.128.0.0", + "port": [ + 22, + 443 + ] + }, + "device": { + "model": { + "identifier": "20L8S7WC08" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "blocked", + "category": [ + "network" + ], + "duration": 600000000, + "id": "123456", + "kind": "event", + "original": "{\"version\":\"v2\",\"sourcetype\":\"zscalernss-fw\",\"event\":{\"datetime\":\"Mon Oct 16 22:55:48 2023\",\"cltdomain\":\"www.example.com\",\"cdip\":\"1.128.0.0\",\"outbytes\":\"10000\",\"cdport\":\"22\",\"destcountry\":\"USA\",\"devicemodel\":\"20L8S7WC08\",\"sdip\":\"1.128.0.0\",\"duration\":\"600\",\"sdport\":\"443\",\"tz\":\"GMT\",\"action\":\"Blocked\",\"devicehostname\":\"THINKPADSMITH\",\"recordid\":\"123456\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicename\":\"admin\",\"nwsvc\":\"HTTP\",\"deviceostype\":\"iOS\",\"ipsrulelabel\":\"Default IPS Rule\",\"nwapp\":\"Skype\",\"rdr_rulename\":\"FWD_Rule_1\",\"proto\":\"TCP\",\"rulelabel\":\"rule1\",\"dnatrulelabel\":\"DNAT_Rule_1\",\"srcipcountry\":\"United States\",\"rule\":\"Default_Firewall_Filtering_Rule\",\"ssip\":\"1.128.0.0\",\"inbytes\":\"10000\",\"ssport\":\"22\",\"csip\":\"1.128.0.0\",\"aggregate\":\"Yes\",\"csport\":\"22\",\"bypass_time\":\"Mon Oct 16 22:55:48 2023\",\"user\":\"jdoe@safemarch.com\",\"datacentercountry\":\"US\",\"bypassed_session\":\"1\",\"day\":\"Mon\",\"datacentercity\":\"Sa\",\"department\":\"sales\",\"datacenter\":\"CA Client Node 
DC\",\"deviceappversion\":\"2.0.0.120\",\"day_of_month\":\"16\",\"avgduration\":\"600\",\"dept\":\"Sales\",\"eedone\":\"Yes\",\"deviceowner\":\"jsmith\",\"external_deviceid\":\"1234\",\"durationms\":\"600\",\"forward_gateway_name\":\"FWD_1\",\"epochtime\":\"1578128400\",\"ipcat\":\"Finance\",\"flow_type\":\"Direct\",\"location\":\"Headquarters\",\"hour\":\"22\",\"login\":\"jdo@safemarch.com\",\"ips_custom_signature\":\"1\",\"month\":\"Oct\",\"locationname\":\"Headquarters\",\"dnat\":\"Yes\",\"minute\":\"55\",\"odevicename\":\"2175092224\",\"month_of_year\":\"10\",\"ofwd_gw_name\":\"8794487099\",\"ocsip\":\"9960223283\",\"oipcat\":\"5300295980\",\"odeviceowner\":\"10831489\",\"odnatlabel\":\"7956407282\",\"odevicehostname\":\"2168890624\",\"orulelabel\":\"624054738\",\"oipsrulelabel\":\"6200694987\",\"second\":\"48\",\"ordr_rulename\":\"3399565100\",\"stateful\":\"Yes\",\"ozpa_app_seg_name\":\"7648246731\",\"threatcat\":\"Botnet Callback\",\"numsessions\":\"5\",\"tsip\":\"89.160.20.128\",\"threat_name\":\"Linux.Backdoor.Tsunami\",\"year\":\"2023\",\"threatname\":\"Linux.Backdoor\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\",\"tuntype\":\"L2 tunnel\",\"ztunnelversion\":\"ZTUNNEL_1_0\"}}", + "timezone": "GMT", + "type": [ + "denied" + ] + }, + "host": { + "hostname": "admin", + "name": "thinkpadsmith", + "os": { + "type": "ios", + "version": "Version 10.14.2 (Build 18C54)" + } + }, + "network": { + "application": "skype", + "bytes": 20000, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "product": "ZIA", + "type": "firewall", + "vendor": "Zscaler" + }, + "related": { + "hosts": [ + "thinkpadsmith", + "admin" + ], + "ip": [ + "1.128.0.0", + "89.160.20.128" + ], + "user": [ + "jsmith", + "jdoe", + "jdoe@safemarch.com" + ] + }, + "rule": { + "name": [ + "Default IPS Rule", + "DNAT_Rule_1", + "FWD_Rule_1", + "Default_Firewall_Filtering_Rule", + "rule1" + ] + }, + "source": { + "bytes": 10000, + "geo": { + "city_name": "Linköping", + "continent_name": 
"Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "1.128.0.0", + "nat": { + "ip": "89.160.20.128" + }, + "port": [ + 22 + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "safemarch.com", + "email": "jdoe@safemarch.com", + "name": "jdoe" + }, + "zscaler_zia": { + "firewall": { + "action": "Blocked", + "aggregate": "Yes", + "bypassed": { + "session": "1", + "time": "2023-10-16T22:55:48.000Z" + }, + "bytes_in": 10000, + "client": { + "destination": { + "ip": "1.128.0.0", + "port": 22 + }, + "domain": "www.example.com", + "source": { + "ip": "1.128.0.0", + "port": 22 + } + }, + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "sales", + "dept": "Sales", + "destination": { + "country": "USA" + }, + "device": { + "appversion": "2.0.0.120", + "hostname": "THINKPADSMITH", + "model": "20L8S7WC08", + "name": "admin", + "os": { + "type": "iOS", + "version": "Version 10.14.2 (Build 18C54)" + }, + "owner": "jsmith" + }, + "duration": { + "average_duration": 600, + "milliseconds": 600, + "seconds": 600 + }, + "eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "external_device_id": "1234", + "flow_type": "Direct", + "forward_gateway_name": "FWD_1", + "hour": 22, + "ip_category": "Finance", + "ip_protocol": "TCP", + "ips": { + "custom_signature": "1", + "rule_label": "Default IPS Rule" + }, + "location": "Headquarters", + "location_name": "Headquarters", + "login": "jdo@safemarch.com", + "minutes": 55, + "month": "Oct", + "month_of_year": 10, + "nat": "Yes", + "nat_rule_label": "DNAT_Rule_1", + "network": { + "application": "Skype", + "service": "HTTP" + }, + "obfuscated": { + "client_source_ip": "9960223283", + "device": { + "name": "2175092224", + "owner": 
"10831489" + }, + "forward_gateway_name": "8794487099", + "host_name": "2168890624", + "ip": { + "category": "5300295980" + }, + "ips_rule_label": "6200694987", + "nat_label": "7956407282", + "redirect_policy_name": "3399565100", + "rule_label": "624054738", + "zpa_app_segment": "7648246731" + }, + "out_bytes": 10000, + "record": { + "id": "123456" + }, + "redirect_policy_name": "FWD_Rule_1", + "rule": "Default_Firewall_Filtering_Rule", + "rule_label": "rule1", + "second": 48, + "server": { + "destination": { + "ip": "1.128.0.0", + "port": 443 + }, + "source": { + "ip": "1.128.0.0", + "port": 22 + } + }, + "session": { + "count": 5 + }, + "source_ip_country": "United States", + "stateful": "Yes", + "threat": { + "category": "Botnet Callback", + "name": "Linux.Backdoor" + }, + "threat_name": "Linux.Backdoor.Tsunami", + "time": "2023-10-16T22:55:48.000Z", + "timezone": "GMT", + "tunnel": { + "ip": "89.160.20.128", + "type": "L2 tunnel" + }, + "user": "jdoe@safemarch.com", + "year": 2023, + "z_tunnel_version": "ZTUNNEL_1_0", + "zpa_app_segment": "ZPA_test_app_segment" + } + } + }, + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "destination": { + "bytes": 10000, + "domain": "www.example.com", + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40::", + "port": [ + 22, + 443 + ] + }, + "device": { + "model": { + "identifier": "20L8S7WC08" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "blocked", + "category": [ + "network" + ], + "duration": 600000000, + "id": "123456", + "kind": "event", + "original": "{\"version\":\"v2\",\"sourcetype\":\"zscalernss-fw\",\"event\":{\"datetime\":\"Mon Oct 16 22:55:48 
2023\",\"cltdomain\":\"www.example.com\",\"cdip\":\"2a02:cf40::\",\"outbytes\":\"10000\",\"cdport\":\"22\",\"destcountry\":\"USA\",\"devicemodel\":\"20L8S7WC08\",\"sdip\":\"67.43.156.0\",\"duration\":\"600\",\"sdport\":\"443\",\"tz\":\"GMT\",\"action\":\"Blocked\",\"devicehostname\":\"THINKPADSMITH\",\"recordid\":\"123456\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicename\":\"admin\",\"nwsvc\":\"HTTP\",\"deviceostype\":\"iOS\",\"ipsrulelabel\":\"Default IPS Rule\",\"nwapp\":\"Skype\",\"rdr_rulename\":\"FWD_Rule_1\",\"proto\":\"TCP\",\"rulelabel\":\"rule1\",\"dnatrulelabel\":\"DNAT_Rule_1\",\"srcipcountry\":\"United States\",\"rule\":\"Default_Firewall_Filtering_Rule\",\"ssip\":\"1.128.0.0\",\"inbytes\":\"10000\",\"ssport\":\"22\",\"csip\":\"0.0.0.0\",\"aggregate\":\"Yes\",\"csport\":\"25\",\"bypass_time\":\"Mon Oct 16 22:55:48 2023\",\"user\":\"jdoe%40safemarch.com\",\"datacentercountry\":\"US\",\"bypassed_session\":\"1\",\"day\":\"Mon\",\"datacentercity\":\"Sa\",\"department\":\"sales\",\"datacenter\":\"CA Client Node DC\",\"deviceappversion\":\"2.0.0.120\",\"day_of_month\":\"16\",\"avgduration\":\"600\",\"dept\":\"Sales\",\"eedone\":\"Yes\",\"deviceowner\":\"jsmith\",\"external_deviceid\":\"1234\",\"durationms\":\"600\",\"forward_gateway_name\":\"FWD_1\",\"epochtime\":\"1578128400\",\"ipcat\":\"Finance\",\"flow_type\":\"Direct\",\"location\":\"Headquarters\",\"hour\":\"22\",\"login\":\"jdo%40safemarch.com\",\"ips_custom_signature\":\"0\",\"month\":\"Oct\",\"locationname\":\"Headquarters\",\"dnat\":\"Yes\",\"minute\":\"55\",\"odevicename\":\"2175092224\",\"month_of_year\":\"10\",\"ofwd_gw_name\":\"8794487099\",\"ocsip\":\"9960223283\",\"oipcat\":\"5300295980\",\"odeviceowner\":\"10831489\",\"odnatlabel\":\"7956407282\",\"odevicehostname\":\"2168890624\",\"orulelabel\":\"624054738\",\"oipsrulelabel\":\"6200694987\",\"second\":\"48\",\"ordr_rulename\":\"3399565100\",\"stateful\":\"Yes\",\"ozpa_app_seg_name\":\"7648246731\",\"threatcat\":\"Botnet 
Callback\",\"numsessions\":\"5\",\"tsip\":\"89.160.20.128\",\"threat_name\":\"Linux.Backdoor.Tsunami\",\"year\":\"2023\",\"threatname\":\"Linux.Backdoor\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\",\"tuntype\":\"L2 tunnel\",\"ztunnelversion\":\"ZTUNNEL_1_0\"}}", + "timezone": "GMT", + "type": [ + "denied" + ] + }, + "host": { + "hostname": "admin", + "name": "thinkpadsmith", + "os": { + "type": "ios", + "version": "Version 10.14.2 (Build 18C54)" + } + }, + "network": { + "application": "skype", + "bytes": 20000, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "product": "ZIA", + "type": "firewall", + "vendor": "Zscaler" + }, + "related": { + "hosts": [ + "thinkpadsmith", + "admin" + ], + "ip": [ + "2a02:cf40::", + "0.0.0.0", + "67.43.156.0", + "1.128.0.0", + "89.160.20.128" + ], + "user": [ + "jsmith", + "jdoe", + "jdoe@safemarch.com" + ] + }, + "rule": { + "name": [ + "Default IPS Rule", + "DNAT_Rule_1", + "FWD_Rule_1", + "Default_Firewall_Filtering_Rule", + "rule1" + ] + }, + "source": { + "bytes": 10000, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "0.0.0.0", + "nat": { + "ip": "89.160.20.128" + }, + "port": [ + 25, + 22 + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "safemarch.com", + "email": "jdoe@safemarch.com", + "name": "jdoe" + }, + "zscaler_zia": { + "firewall": { + "action": "Blocked", + "aggregate": "Yes", + "bypassed": { + "session": "1", + "time": "2023-10-16T22:55:48.000Z" + }, + "bytes_in": 10000, + "client": { + "destination": { + "ip": "2a02:cf40::", + "port": 22 + }, + "domain": "www.example.com", + "source": { + "ip": "0.0.0.0", + "port": 25 + } + }, + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + 
"day": "Mon", + "day_of_month": 16, + "department": "sales", + "dept": "Sales", + "destination": { + "country": "USA" + }, + "device": { + "appversion": "2.0.0.120", + "hostname": "THINKPADSMITH", + "model": "20L8S7WC08", + "name": "admin", + "os": { + "type": "iOS", + "version": "Version 10.14.2 (Build 18C54)" + }, + "owner": "jsmith" + }, + "duration": { + "average_duration": 600, + "milliseconds": 600, + "seconds": 600 + }, + "eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "external_device_id": "1234", + "flow_type": "Direct", + "forward_gateway_name": "FWD_1", + "hour": 22, + "ip_category": "Finance", + "ip_protocol": "TCP", + "ips": { + "custom_signature": "0", + "rule_label": "Default IPS Rule" + }, + "location": "Headquarters", + "location_name": "Headquarters", + "login": "jdo@safemarch.com", + "minutes": 55, + "month": "Oct", + "month_of_year": 10, + "nat": "Yes", + "nat_rule_label": "DNAT_Rule_1", + "network": { + "application": "Skype", + "service": "HTTP" + }, + "obfuscated": { + "client_source_ip": "9960223283", + "device": { + "name": "2175092224", + "owner": "10831489" + }, + "forward_gateway_name": "8794487099", + "host_name": "2168890624", + "ip": { + "category": "5300295980" + }, + "ips_rule_label": "6200694987", + "nat_label": "7956407282", + "redirect_policy_name": "3399565100", + "rule_label": "624054738", + "zpa_app_segment": "7648246731" + }, + "out_bytes": 10000, + "record": { + "id": "123456" + }, + "redirect_policy_name": "FWD_Rule_1", + "rule": "Default_Firewall_Filtering_Rule", + "rule_label": "rule1", + "second": 48, + "server": { + "destination": { + "ip": "67.43.156.0", + "port": 443 + }, + "source": { + "ip": "1.128.0.0", + "port": 22 + } + }, + "session": { + "count": 5 + }, + "source_ip_country": "United States", + "stateful": "Yes", + "threat": { + "category": "Botnet Callback", + "name": "Linux.Backdoor" + }, + "threat_name": "Linux.Backdoor.Tsunami", + "time": "2023-10-16T22:55:48.000Z", + "timezone": "GMT", + 
"tunnel": { + "ip": "89.160.20.128", + "type": "L2 tunnel" + }, + "user": "jdoe@safemarch.com", + "year": 2023, + "z_tunnel_version": "ZTUNNEL_1_0", + "zpa_app_segment": "ZPA_test_app_segment" + } + } } ] -} \ No newline at end of file +} diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-unicode.json-expected.json b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-unicode.json-expected.json index a9a4ca5aa92..c51b2d6f3c9 100644 --- a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-unicode.json-expected.json +++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-unicode.json-expected.json @@ -251,4 +251,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/zscaler_zia/data_stream/firewall/agent/stream/http_endpoint.yml.hbs b/packages/zscaler_zia/data_stream/firewall/agent/stream/http_endpoint.yml.hbs index f691a1cfe90..e1ac58a6bb7 100644 --- a/packages/zscaler_zia/data_stream/firewall/agent/stream/http_endpoint.yml.hbs +++ b/packages/zscaler_zia/data_stream/firewall/agent/stream/http_endpoint.yml.hbs @@ -28,6 +28,12 @@ publisher_pipeline.disable_host: true {{#if ssl}} ssl: {{ssl}} {{/if}} +{{#if strict_fields}} +fields_under_root: true +fields: + _conf: + strict_fields: true +{{/if}} {{#if processors}} processors: {{processors}} diff --git a/packages/zscaler_zia/data_stream/firewall/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/data_stream/firewall/agent/stream/tcp.yml.hbs index d8eb927edd6..2655bae4c06 100644 --- a/packages/zscaler_zia/data_stream/firewall/agent/stream/tcp.yml.hbs +++ b/packages/zscaler_zia/data_stream/firewall/agent/stream/tcp.yml.hbs @@ -18,6 +18,12 @@ publisher_pipeline.disable_host: true {{#if ssl}} ssl: {{ssl}} {{/if}} +{{#if strict_fields}} +fields_under_root: true +fields: + _conf: + strict_fields: true +{{/if}} {{#if processors}} processors: {{processors}} 
diff --git a/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml index d0563ec8ded..b6f068c89bb 100644 --- a/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml 
@@ -43,6 +43,30 @@ processors: tag: rename_resp_event target_field: json ignore_missing: true + - script: + params: + expect: + fields: action|aggregate|avgduration|bypass_time|bypassed_session|cdip|cdport|cltdomain|csip|csport|datacenter|datacentercity|datacentercountry|datetime|day|day_of_month|department|dept|destcountry|deviceappversion|devicehostname|devicemodel|devicename|deviceostype|deviceosversion|deviceowner|dnat|dnatrulelabel|duration|durationms|eedone|epochtime|external_deviceid|flow_type|forward_gateway_name|hour|inbytes|ipcat|ips_custom_signature|ipsrulelabel|location|locationname|login|minute|month|month_of_year|numsessions|nwapp|nwsvc|ocsip|odevicehostname|odevicename|odeviceowner|odnatlabel|ofwd_gw_name|oipcat|oipsrulelabel|ordr_rulename|orulelabel|outbytes|ozpa_app_seg_name|proto|rdr_rulename|recordid|rule|rulelabel|sdip|sdport|second|srcipcountry|ssip|ssport|stateful|threat_name|threatcat|threatname|tsip|tuntype|tz|user|year|zpa_app_seg_name|ztunnelversion + version: v2 + if: ctx.json != null && ctx._conf?.strict_fields == true + source: |- + if (ctx.resp?.version == null) { + def fields = []; + for (e in ctx.json.entrySet()) { + fields.add(e.getKey()); + } + Collections.sort(fields); + String signature = String.join("|", fields); + if (signature != params.expect.fields) { + ctx.error = ctx.error ?: [:]; + ctx.error.message = ctx.error.message ?: []; + ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields"); + } + } else if (ctx.resp?.version != params.expect.version) { + ctx.error = ctx.error ?: [:]; + ctx.error.message = ctx.error.message ?: []; + ctx.error.message.add("template version mismatch: "+ctx.resp?.version.toString()+" is not expected version"); + } - remove: field: resp tag: remove_resp 
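Review bot: The error-reporting lines in both branches assume `error.message` is either absent or already a list, so if an earlier processor or a pipeline-level `on_failure` handler (not visible here) has stored it as a plain string, `ctx.error.message.add(...)` throws and the strict check itself becomes the failure. Replacing the `ctx.error.message = ctx.error.message ?: [];` assignment with `if (!(ctx.error.message instanceof List)) { ctx.error.message = ctx.error.message == null ? [] : [ctx.error.message]; }` preserves an existing scalar message and makes the append safe; the same three-line setup is repeated in both branches, so both need it. The script processor also carries no `tag:`, unlike the neighbouring `rename_resp_event` and `remove_resp` processors, which makes its failures harder to attribute; a tag such as `tag: script_strict_fields_check` would follow the file's convention. For diagnosability, the version mismatch message could name the expected value, e.g. `" is not expected version "+params.expect.version`.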
@@ -1078,8 +1102,10 @@ processors: ignore_missing: true if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') - remove: - field: json - tag: remove_json + field: + - json + - _conf + tag: remove_unused ignore_missing: true - script: tag: script_to_drop_null_values diff --git a/packages/zscaler_zia/data_stream/sandbox_report/_dev/test/pipeline/test-sandbox.log-expected.json b/packages/zscaler_zia/data_stream/sandbox_report/_dev/test/pipeline/test-sandbox.log-expected.json index 12bebcf705e..db35a2f0bab 100644 --- a/packages/zscaler_zia/data_stream/sandbox_report/_dev/test/pipeline/test-sandbox.log-expected.json +++ b/packages/zscaler_zia/data_stream/sandbox_report/_dev/test/pipeline/test-sandbox.log-expected.json @@ -52,7 +52,6 @@ } }, "url": { - "extension": "com", "original": "www.example.com", "path": "www.example.com" }, @@ -104,4 +103,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-common-config.yml b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-common-config.yml index be41bb0d476..2e06a253560 100644 --- a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-common-config.yml +++ b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-common-config.yml @@ -1,4 +1,6 @@ fields: + _conf: + strict_fields: true tags: - preserve_original_event - preserve_duplicate_custom_fields diff --git a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http-endpoint.log b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http-endpoint.log index ab731f512b3..35ac3f115fb 100644 --- a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http-endpoint.log +++ b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http-endpoint.log 
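Review bot: `_conf` is now dropped together with `json` in the final `remove_unused` step, but that only runs when the pipeline reaches its end; if an earlier processor fails and control passes to a pipeline-level `on_failure` handler (not visible in this hunk), the `_conf` control object would presumably remain on the indexed document. If the handler does not already strip it, adding `- remove: { field: _conf, ignore_missing: true }` there keeps the agent-config field out of the index on both the success and failure paths.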
@@ -1 +1,2 @@ -{"sourcetype":"zscalernss-tunnel", "event":{"locationname":"Unknown","sourceport":"0","rxbytes":"0","tunneltype":"GRE","dpdrec":"0","destinationip":"0.0.0.0","recordid":"7083029673927507968","datetime":"Tue Dec 31 08:08:08 2021","sourceip":"0.0.0.0","txbytes":"0","Recordtype":"Tunnel Samples","user":"Unknown"}} +{"sourcetype":"zscalernss-tunnel","event":{"locationname":"Unknown","sourceport":"0","rxbytes":"0","tunneltype":"GRE","dpdrec":"0","destinationip":"0.0.0.0","recordid":"7083029673927507968","datetime":"Tue Dec 31 08:08:08 2021","sourceip":"0.0.0.0","txbytes":"0","Recordtype":"Tunnel Samples","user":"Unknown","day":"","dd":"","hh":"","mm":"","mon":"","mth":"","olocationname":"","ovpncredentialname":"","rxpackets":"","ss":"","timezone":"","txpackets":"","yyyy":""}} +{"version":"v2","sourcetype":"zscalernss-tunnel","event":{"locationname":"Unknown","sourceport":"0","rxbytes":"0","tunneltype":"GRE","dpdrec":"0","destinationip":"0.0.0.0","recordid":"7083029673927507968","datetime":"Tue Dec 31 08:08:08 2021","sourceip":"0.0.0.0","txbytes":"0","Recordtype":"Tunnel Samples","user":"Unknown","day":"","dd":"","hh":"","mm":"","mon":"","mth":"","olocationname":"","ovpncredentialname":"","rxpackets":"","ss":"","timezone":"","txpackets":"","yyyy":""}} diff --git a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http-endpoint.log-expected.json b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http-endpoint.log-expected.json index 1f738072f43..1621e866330 100644 --- a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http-endpoint.log-expected.json +++ b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel-http-endpoint.log-expected.json 
@@ -15,7 +15,82 @@ ], "id": "7083029673927507968", "kind": "event", - "original": "{\"sourcetype\":\"zscalernss-tunnel\", \"event\":{\"locationname\":\"Unknown\",\"sourceport\":\"0\",\"rxbytes\":\"0\",\"tunneltype\":\"GRE\",\"dpdrec\":\"0\",\"destinationip\":\"0.0.0.0\",\"recordid\":\"7083029673927507968\",\"datetime\":\"Tue Dec 31 08:08:08 2021\",\"sourceip\":\"0.0.0.0\",\"txbytes\":\"0\",\"Recordtype\":\"Tunnel Samples\",\"user\":\"Unknown\"}}", + "original": "{\"sourcetype\":\"zscalernss-tunnel\",\"event\":{\"locationname\":\"Unknown\",\"sourceport\":\"0\",\"rxbytes\":\"0\",\"tunneltype\":\"GRE\",\"dpdrec\":\"0\",\"destinationip\":\"0.0.0.0\",\"recordid\":\"7083029673927507968\",\"datetime\":\"Tue Dec 31 08:08:08 2021\",\"sourceip\":\"0.0.0.0\",\"txbytes\":\"0\",\"Recordtype\":\"Tunnel Samples\",\"user\":\"Unknown\",\"day\":\"\",\"dd\":\"\",\"hh\":\"\",\"mm\":\"\",\"mon\":\"\",\"mth\":\"\",\"olocationname\":\"\",\"ovpncredentialname\":\"\",\"rxpackets\":\"\",\"ss\":\"\",\"timezone\":\"\",\"txpackets\":\"\",\"yyyy\":\"\"}}", + "timezone": "UTC", + "type": [ + "info" + ] + }, + "network": { + "community_id": "1:y8Yi03w0LBfVdMLE1UG7vvaUt5w=", + "iana_number": "47", + "transport": "gre" + }, + "related": { + "ip": [ + "0.0.0.0" + ], + "user": [ + "Unknown" + ] + }, + "source": { + "bytes": 0, + "ip": "0.0.0.0", + "port": 0 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "email": "Unknown" + }, + "zscaler_zia": { + "tunnel": { + "action": { + "type": "Tunnel Samples" + }, + "bytes": { + "received": 0, + "sent": 0 + }, + "datetime": "2021-12-31T08:08:08.000Z", + "destination": { + "vip": { + "address": "0.0.0.0" + } + }, + "dpd_packets": 0, + "locationname": "Unknown", + "record": { + "id": "7083029673927507968" + }, + "source": { + "ip": "0.0.0.0", + "port": 0 + }, + "type": "GRE", + "vpn_credential_name": "Unknown" + } + } + }, + { + "@timestamp": "2021-12-31T08:08:08.000Z", + "destination": { + "bytes": 0, + 
"ip": "0.0.0.0" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "id": "7083029673927507968", + "kind": "event", + "original": "{\"version\":\"v2\",\"sourcetype\":\"zscalernss-tunnel\",\"event\":{\"locationname\":\"Unknown\",\"sourceport\":\"0\",\"rxbytes\":\"0\",\"tunneltype\":\"GRE\",\"dpdrec\":\"0\",\"destinationip\":\"0.0.0.0\",\"recordid\":\"7083029673927507968\",\"datetime\":\"Tue Dec 31 08:08:08 2021\",\"sourceip\":\"0.0.0.0\",\"txbytes\":\"0\",\"Recordtype\":\"Tunnel Samples\",\"user\":\"Unknown\",\"day\":\"\",\"dd\":\"\",\"hh\":\"\",\"mm\":\"\",\"mon\":\"\",\"mth\":\"\",\"olocationname\":\"\",\"ovpncredentialname\":\"\",\"rxpackets\":\"\",\"ss\":\"\",\"timezone\":\"\",\"txpackets\":\"\",\"yyyy\":\"\"}}", "timezone": "UTC", "type": [ "info" @@ -76,4 +151,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log index 1a8d6820cca..ddd4b6b1625 100644 --- a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log +++ b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log 
@@ -1,4 +1,8 @@ -{ "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Thu Dec 31 11:11:11 2021","Recordtype":"IPSec Phase2","tunneltype":"IPSEC IKEV 1","user":"81.2.69.145","locationname":"some-location","sourceip":"81.2.69.145","destinationip":"81.2.69.143","sourceport":"0","sourceportstart":"0","destinationportstart":"0","srcipstart":"81.2.69.145","srcipend":"81.2.69.145","destinationipstart":"81.2.69.143","destinationipend":"81.2.69.143","lifetime":"3600","ikeversion":"1","lifebytes":"0","spi":"123456789","algo":"AES","authentication":"HMAC-SHA-1","authtype":"None","protocol":"Any","tunnelprotocol":"ESP","recordid":"1111111111111111111"}} -{ "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Thu Dec 31 11:11:11 2021","Recordtype":"IPSec Phase1","tunneltype":"IPSEC IKEV 2","user":"81.2.69.145","locationname":"some-location","sourceip":"81.2.69.145","destinationip":"81.2.69.143","sourceport":"500","destinationport":"500","lifetime":"0","ikeversion":"2","spi_in":"00000000000000000000","spi_out":"11111111111111111111","algo":"AES-CBS","authentication":"HMAC-SHA1-96","authtype":"PSK","recordid":"1111111111111111111"}} -{ "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Thu Dec 31 11:11:11 2021","Recordtype":"Tunnel Event","tunneltype":"IPSec IKEv2","user":"81.2.69.145","locationname":"some-location","sourceip":"81.2.69.145","destinationip":"81.2.69.143","sourceport":"500","event":"IPsec tunnel is up","eventreason":"None","recordid":"1111111111111111111"}} +{ "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Thu Dec 31 11:11:11 2021","Recordtype":"IPSec Phase2","tunneltype":"IPSEC IKEV 
1","user":"81.2.69.145","locationname":"some-location","sourceip":"81.2.69.145","destinationip":"81.2.69.143","sourceport":"0","lifetime":"3600","ikeversion":"1","algo":"AES","authentication":"HMAC-SHA-1","authtype":"None","recordid":"1111111111111111111","day":"","dd":"","destinationport":"","hh":"","mm":"","mon":"","mth":"","olocationname":"","ovpncredentialname":"","spi_in":"","spi_out":"","ss":"","timezone":"","vendorname":"","yyyy":""}} +{ "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Thu Dec 31 11:11:11 2021","Recordtype":"IPSec Phase1","tunneltype":"IPSEC IKEV 2","user":"81.2.69.145","locationname":"some-location","sourceip":"81.2.69.145","destinationip":"81.2.69.143","sourceport":"500","destinationport":"500","lifetime":"0","ikeversion":"2","spi_in":"00000000000000000000","spi_out":"11111111111111111111","algo":"AES-CBS","authentication":"HMAC-SHA1-96","authtype":"PSK","recordid":"1111111111111111111","day":"","dd":"","hh":"","mm":"","mon":"","mth":"","olocationname":"","ovpncredentialname":"","ss":"","timezone":"","vendorname":"","yyyy":""}} +{ "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Thu Dec 31 11:11:11 2021","Recordtype":"Tunnel Event","tunneltype":"IPSec IKEv2","user":"81.2.69.145","locationname":"some-location","sourceip":"81.2.69.145","destinationip":"81.2.69.143","sourceport":"500","event":"IPsec tunnel is up","eventreason":"None","recordid":"1111111111111111111","day":"","dd":"","hh":"","mm":"","mon":"","mth":"","olocationname":"","ovpncredentialname":"","ss":"","timezone":"","yyyy":""}} { "sourcetype": "zscalernss-tunnel", "event": { "algo": "DES_CBC", "authentication": "HMAC_MD5", "authtype": "PSKEY", "datetime": "Mon Oct 16 22:55:48 2023", "day": "Mon", "dd": "16", "destinationip": "89.160.20.112", "destinationport": "443", "hh": "24", "ikeversion": "1", "lifetime": "86400", "locationname": "Headquarters", "mm": "55", "mon": "Oct", "mth": "10", "olocationname": "2168890624", "ovpncredentialname": "2168890624", 
"recordid": "1234", "sourceip": "89.160.20.113", "spi_in": "12", "spi_out": "34", "sourceport": "8080", "ss": "6", "Recordtype": "WL_TUNNEL_IPSECPHASE1", "tunneltype": "IPSEC IKEV 1", "timezone": "GMT+03:30", "vendorname": "CISCO", "user": "jdoe@safemarch.com", "yyyy": "2023" } } +{"version":"v2", "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Thu Dec 31 11:11:11 2021","Recordtype":"IPSec Phase2","tunneltype":"IPSEC IKEV 1","user":"81.2.69.145","locationname":"some-location","sourceip":"81.2.69.145","destinationip":"81.2.69.143","sourceport":"0","lifetime":"3600","ikeversion":"1","algo":"AES","authentication":"HMAC-SHA-1","authtype":"None","recordid":"1111111111111111111","day":"","dd":"","destinationport":"","hh":"","mm":"","mon":"","mth":"","olocationname":"","ovpncredentialname":"","spi_in":"","spi_out":"","ss":"","timezone":"","vendorname":"","yyyy":""}} +{"version":"v2", "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Thu Dec 31 11:11:11 2021","Recordtype":"IPSec Phase1","tunneltype":"IPSEC IKEV 2","user":"81.2.69.145","locationname":"some-location","sourceip":"81.2.69.145","destinationip":"81.2.69.143","sourceport":"500","destinationport":"500","lifetime":"0","ikeversion":"2","spi_in":"00000000000000000000","spi_out":"11111111111111111111","algo":"AES-CBS","authentication":"HMAC-SHA1-96","authtype":"PSK","recordid":"1111111111111111111","day":"","dd":"","hh":"","mm":"","mon":"","mth":"","olocationname":"","ovpncredentialname":"","ss":"","timezone":"","vendorname":"","yyyy":""}} +{"version":"v2", "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Thu Dec 31 11:11:11 2021","Recordtype":"Tunnel Event","tunneltype":"IPSec IKEv2","user":"81.2.69.145","locationname":"some-location","sourceip":"81.2.69.145","destinationip":"81.2.69.143","sourceport":"500","event":"IPsec tunnel is 
up","eventreason":"None","recordid":"1111111111111111111","day":"","dd":"","hh":"","mm":"","mon":"","mth":"","olocationname":"","ovpncredentialname":"","ss":"","timezone":"","yyyy":""}} +{"version":"v2", "sourcetype": "zscalernss-tunnel", "event": { "algo": "DES_CBC", "authentication": "HMAC_MD5", "authtype": "PSKEY", "datetime": "Mon Oct 16 22:55:48 2023", "day": "Mon", "dd": "16", "destinationip": "89.160.20.112", "destinationport": "443", "hh": "24", "ikeversion": "1", "lifetime": "86400", "locationname": "Headquarters", "mm": "55", "mon": "Oct", "mth": "10", "olocationname": "2168890624", "ovpncredentialname": "2168890624", "recordid": "1234", "sourceip": "89.160.20.113", "spi_in": "12", "spi_out": "34", "sourceport": "8080", "ss": "6", "Recordtype": "WL_TUNNEL_IPSECPHASE1", "tunneltype": "IPSEC IKEV 1", "timezone": "GMT+03:30", "vendorname": "CISCO", "user": "jdoe@safemarch.com", "yyyy": "2023" } } diff --git a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json index 61848b41934..a715eb14a01 100644 --- a/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json +++ b/packages/zscaler_zia/data_stream/tunnel/_dev/test/pipeline/test-tunnel.log-expected.json 
@@ -14,7 +14,7 @@ ], "id": "1111111111111111111", "kind": "event", - "original": "{ \"sourcetype\" : \"zscalernss-tunnel\", \"event\" : {\"datetime\":\"Thu Dec 31 11:11:11 2021\",\"Recordtype\":\"IPSec Phase2\",\"tunneltype\":\"IPSEC IKEV 1\",\"user\":\"81.2.69.145\",\"locationname\":\"some-location\",\"sourceip\":\"81.2.69.145\",\"destinationip\":\"81.2.69.143\",\"sourceport\":\"0\",\"sourceportstart\":\"0\",\"destinationportstart\":\"0\",\"srcipstart\":\"81.2.69.145\",\"srcipend\":\"81.2.69.145\",\"destinationipstart\":\"81.2.69.143\",\"destinationipend\":\"81.2.69.143\",\"lifetime\":\"3600\",\"ikeversion\":\"1\",\"lifebytes\":\"0\",\"spi\":\"123456789\",\"algo\":\"AES\",\"authentication\":\"HMAC-SHA-1\",\"authtype\":\"None\",\"protocol\":\"Any\",\"tunnelprotocol\":\"ESP\",\"recordid\":\"1111111111111111111\"}}", + "original": "{ \"sourcetype\" : \"zscalernss-tunnel\", \"event\" : {\"datetime\":\"Thu Dec 31 11:11:11 2021\",\"Recordtype\":\"IPSec Phase2\",\"tunneltype\":\"IPSEC IKEV 1\",\"user\":\"81.2.69.145\",\"locationname\":\"some-location\",\"sourceip\":\"81.2.69.145\",\"destinationip\":\"81.2.69.143\",\"sourceport\":\"0\",\"lifetime\":\"3600\",\"ikeversion\":\"1\",\"algo\":\"AES\",\"authentication\":\"HMAC-SHA-1\",\"authtype\":\"None\",\"recordid\":\"1111111111111111111\",\"day\":\"\",\"dd\":\"\",\"destinationport\":\"\",\"hh\":\"\",\"mm\":\"\",\"mon\":\"\",\"mth\":\"\",\"olocationname\":\"\",\"ovpncredentialname\":\"\",\"spi_in\":\"\",\"spi_out\":\"\",\"ss\":\"\",\"timezone\":\"\",\"vendorname\":\"\",\"yyyy\":\"\"}}", "timezone": "UTC", "type": [ "info" @@ -44,13 +44,6 @@ }, "datetime": "2021-12-31T11:11:11.000Z", "destination": { - "end": { - "ip": "81.2.69.143" - }, - "start": { - "ip": "81.2.69.143", - "port": 0 - }, "vip": { "address": "81.2.69.143" } 
@@ -60,29 +53,315 @@ }, "ikeversion": "1", "life": { - "bytes": 0, "time": 3600 }, "locationname": "some-location", - "policy": { - "protocol": "Any" + "record": { + "id": "1111111111111111111" + }, + "source": { + "ip": "81.2.69.145", + "port": 0 + }, + "type": "IPSEC IKEV 1", + "user_ip": "81.2.69.145" + } + } + }, + { + "@timestamp": "2021-12-31T11:11:11.000Z", + "destination": { + "ip": "81.2.69.143", + "port": 500 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "id": "1111111111111111111", + "kind": "event", + "original": "{ \"sourcetype\" : \"zscalernss-tunnel\", \"event\" : {\"datetime\":\"Thu Dec 31 11:11:11 2021\",\"Recordtype\":\"IPSec Phase1\",\"tunneltype\":\"IPSEC IKEV 2\",\"user\":\"81.2.69.145\",\"locationname\":\"some-location\",\"sourceip\":\"81.2.69.145\",\"destinationip\":\"81.2.69.143\",\"sourceport\":\"500\",\"destinationport\":\"500\",\"lifetime\":\"0\",\"ikeversion\":\"2\",\"spi_in\":\"00000000000000000000\",\"spi_out\":\"11111111111111111111\",\"algo\":\"AES-CBS\",\"authentication\":\"HMAC-SHA1-96\",\"authtype\":\"PSK\",\"recordid\":\"1111111111111111111\",\"day\":\"\",\"dd\":\"\",\"hh\":\"\",\"mm\":\"\",\"mon\":\"\",\"mth\":\"\",\"olocationname\":\"\",\"ovpncredentialname\":\"\",\"ss\":\"\",\"timezone\":\"\",\"vendorname\":\"\",\"yyyy\":\"\"}}", + "timezone": "UTC", + "type": [ + "info" + ] + }, + "related": { + "ip": [ + "81.2.69.143", + "81.2.69.145" + ] + }, + "source": { + "ip": "81.2.69.145", + "port": 500 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "zscaler_zia": { + "tunnel": { + "action": { + "type": "IPSec Phase1" }, - "protocol": "ESP", + "authentication": { + "algorithm": "HMAC-SHA1-96", + "type": "PSK" + }, + "datetime": "2021-12-31T11:11:11.000Z", + "destination": { + "port": 500, + "vip": { + "address": "81.2.69.143" + } + }, + "encryption": { + "algorithm": "AES-CBS" + }, + "ikeversion": "2", + "life": { + "time": 0 + }, + "locationname": 
"some-location", "record": { "id": "1111111111111111111" }, "source": { - "end": { - "ip": "81.2.69.145" - }, "ip": "81.2.69.145", - "port": 0, - "start": { - "ip": "81.2.69.145", - "port": 0 + "port": 500 + }, + "spi_in": "00000000000000000000", + "spi_out": "11111111111111111111", + "type": "IPSEC IKEV 2", + "user_ip": "81.2.69.145" + } + } + }, + { + "@timestamp": "2021-12-31T11:11:11.000Z", + "destination": { + "ip": "81.2.69.143" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "ipsec-tunnel-is-up", + "category": [ + "network" + ], + "id": "1111111111111111111", + "kind": "event", + "original": "{ \"sourcetype\" : \"zscalernss-tunnel\", \"event\" : {\"datetime\":\"Thu Dec 31 11:11:11 2021\",\"Recordtype\":\"Tunnel Event\",\"tunneltype\":\"IPSec IKEv2\",\"user\":\"81.2.69.145\",\"locationname\":\"some-location\",\"sourceip\":\"81.2.69.145\",\"destinationip\":\"81.2.69.143\",\"sourceport\":\"500\",\"event\":\"IPsec tunnel is up\",\"eventreason\":\"None\",\"recordid\":\"1111111111111111111\",\"day\":\"\",\"dd\":\"\",\"hh\":\"\",\"mm\":\"\",\"mon\":\"\",\"mth\":\"\",\"olocationname\":\"\",\"ovpncredentialname\":\"\",\"ss\":\"\",\"timezone\":\"\",\"yyyy\":\"\"}}", + "timezone": "UTC", + "type": [ + "info" + ] + }, + "related": { + "ip": [ + "81.2.69.143", + "81.2.69.145" + ] + }, + "source": { + "ip": "81.2.69.145", + "port": 500 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "zscaler_zia": { + "tunnel": { + "action": { + "type": "Tunnel Event" + }, + "datetime": "2021-12-31T11:11:11.000Z", + "destination": { + "vip": { + "address": "81.2.69.143" + } + }, + "event": "IPsec tunnel is up", + "locationname": "some-location", + "record": { + "id": "1111111111111111111" + }, + "source": { + "ip": "81.2.69.145", + "port": 500 + }, + "type": "IPSec IKEv2", + "user_ip": "81.2.69.145" + } + } + }, + { + "@timestamp": "2023-10-16T22:55:48.000+03:30", + "destination": { + "ip": "89.160.20.112", + "port": 443 + }, + 
"ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "id": "1234", + "kind": "event", + "original": "{ \"sourcetype\": \"zscalernss-tunnel\", \"event\": { \"algo\": \"DES_CBC\", \"authentication\": \"HMAC_MD5\", \"authtype\": \"PSKEY\", \"datetime\": \"Mon Oct 16 22:55:48 2023\", \"day\": \"Mon\", \"dd\": \"16\", \"destinationip\": \"89.160.20.112\", \"destinationport\": \"443\", \"hh\": \"24\", \"ikeversion\": \"1\", \"lifetime\": \"86400\", \"locationname\": \"Headquarters\", \"mm\": \"55\", \"mon\": \"Oct\", \"mth\": \"10\", \"olocationname\": \"2168890624\", \"ovpncredentialname\": \"2168890624\", \"recordid\": \"1234\", \"sourceip\": \"89.160.20.113\", \"spi_in\": \"12\", \"spi_out\": \"34\", \"sourceport\": \"8080\", \"ss\": \"6\", \"Recordtype\": \"WL_TUNNEL_IPSECPHASE1\", \"tunneltype\": \"IPSEC IKEV 1\", \"timezone\": \"GMT+03:30\", \"vendorname\": \"CISCO\", \"user\": \"jdoe@safemarch.com\", \"yyyy\": \"2023\" } }", + "timezone": "GMT+03:30", + "type": [ + "info" + ] + }, + "related": { + "ip": [ + "89.160.20.112", + "89.160.20.113" + ], + "user": [ + "jdoe", + "jdoe@safemarch.com" + ] + }, + "source": { + "ip": "89.160.20.113", + "port": 8080 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "safemarch.com", + "email": "jdoe@safemarch.com", + "name": "jdoe" + }, + "zscaler_zia": { + "tunnel": { + "action": { + "type": "WL_TUNNEL_IPSECPHASE1" + }, + "authentication": { + "algorithm": "HMAC_MD5", + "type": "PSKEY" + }, + "datetime": "2023-10-16T22:55:48.000+03:30", + "day": "Mon", + "day_of_month": 16, + "destination": { + "port": 443, + "vip": { + "address": "89.160.20.112" } }, - "spi": "123456789", + "encryption": { + "algorithm": "DES_CBC" + }, + "hour": 24, + "ikeversion": "1", + "life": { + "time": 86400 + }, + "locationname": "Headquarters", + "minute": 55, + "month": "Oct", + "month_of_year": 10, + "obfuscated": { + "location_name": "2168890624", + 
"vpn_credential_name": "2168890624" + }, + "record": { + "id": "1234" + }, + "second": 6, + "source": { + "ip": "89.160.20.113", + "port": 8080 + }, + "spi_in": "12", + "spi_out": "34", + "timezone": "GMT+03:30", + "type": "IPSEC IKEV 1", + "vendor": { + "name": "CISCO" + }, + "vpn_credential_name": "jdoe@safemarch.com", + "year": 2023 + } + } + }, + { + "@timestamp": "2021-12-31T11:11:11.000Z", + "destination": { + "ip": "81.2.69.143" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "id": "1111111111111111111", + "kind": "event", + "original": "{\"version\":\"v2\", \"sourcetype\" : \"zscalernss-tunnel\", \"event\" : {\"datetime\":\"Thu Dec 31 11:11:11 2021\",\"Recordtype\":\"IPSec Phase2\",\"tunneltype\":\"IPSEC IKEV 1\",\"user\":\"81.2.69.145\",\"locationname\":\"some-location\",\"sourceip\":\"81.2.69.145\",\"destinationip\":\"81.2.69.143\",\"sourceport\":\"0\",\"lifetime\":\"3600\",\"ikeversion\":\"1\",\"algo\":\"AES\",\"authentication\":\"HMAC-SHA-1\",\"authtype\":\"None\",\"recordid\":\"1111111111111111111\",\"day\":\"\",\"dd\":\"\",\"destinationport\":\"\",\"hh\":\"\",\"mm\":\"\",\"mon\":\"\",\"mth\":\"\",\"olocationname\":\"\",\"ovpncredentialname\":\"\",\"spi_in\":\"\",\"spi_out\":\"\",\"ss\":\"\",\"timezone\":\"\",\"vendorname\":\"\",\"yyyy\":\"\"}}", + "timezone": "UTC", + "type": [ + "info" + ] + }, + "related": { + "ip": [ + "81.2.69.143", + "81.2.69.145" + ] + }, + "source": { + "ip": "81.2.69.145", + "port": 0 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "zscaler_zia": { + "tunnel": { + "action": { + "type": "IPSec Phase2" + }, + "authentication": { + "algorithm": "HMAC-SHA-1" + }, + "datetime": "2021-12-31T11:11:11.000Z", + "destination": { + "vip": { + "address": "81.2.69.143" + } + }, + "encryption": { + "algorithm": "AES" + }, + "ikeversion": "1", + "life": { + "time": 3600 + }, + "locationname": "some-location", + "record": { + "id": "1111111111111111111" + }, 
+ "source": { + "ip": "81.2.69.145", + "port": 0 + }, "type": "IPSEC IKEV 1", "user_ip": "81.2.69.145" } @@ -103,7 +382,7 @@ ], "id": "1111111111111111111", "kind": "event", - "original": "{ \"sourcetype\" : \"zscalernss-tunnel\", \"event\" : {\"datetime\":\"Thu Dec 31 11:11:11 2021\",\"Recordtype\":\"IPSec Phase1\",\"tunneltype\":\"IPSEC IKEV 2\",\"user\":\"81.2.69.145\",\"locationname\":\"some-location\",\"sourceip\":\"81.2.69.145\",\"destinationip\":\"81.2.69.143\",\"sourceport\":\"500\",\"destinationport\":\"500\",\"lifetime\":\"0\",\"ikeversion\":\"2\",\"spi_in\":\"00000000000000000000\",\"spi_out\":\"11111111111111111111\",\"algo\":\"AES-CBS\",\"authentication\":\"HMAC-SHA1-96\",\"authtype\":\"PSK\",\"recordid\":\"1111111111111111111\"}}", + "original": "{\"version\":\"v2\", \"sourcetype\" : \"zscalernss-tunnel\", \"event\" : {\"datetime\":\"Thu Dec 31 11:11:11 2021\",\"Recordtype\":\"IPSec Phase1\",\"tunneltype\":\"IPSEC IKEV 2\",\"user\":\"81.2.69.145\",\"locationname\":\"some-location\",\"sourceip\":\"81.2.69.145\",\"destinationip\":\"81.2.69.143\",\"sourceport\":\"500\",\"destinationport\":\"500\",\"lifetime\":\"0\",\"ikeversion\":\"2\",\"spi_in\":\"00000000000000000000\",\"spi_out\":\"11111111111111111111\",\"algo\":\"AES-CBS\",\"authentication\":\"HMAC-SHA1-96\",\"authtype\":\"PSK\",\"recordid\":\"1111111111111111111\",\"day\":\"\",\"dd\":\"\",\"hh\":\"\",\"mm\":\"\",\"mon\":\"\",\"mth\":\"\",\"olocationname\":\"\",\"ovpncredentialname\":\"\",\"ss\":\"\",\"timezone\":\"\",\"vendorname\":\"\",\"yyyy\":\"\"}}", "timezone": "UTC", "type": [ "info" 
@@ -176,7 +455,7 @@ ], "id": "1111111111111111111", "kind": "event", - "original": "{ \"sourcetype\" : \"zscalernss-tunnel\", \"event\" : {\"datetime\":\"Thu Dec 31 11:11:11 2021\",\"Recordtype\":\"Tunnel Event\",\"tunneltype\":\"IPSec IKEv2\",\"user\":\"81.2.69.145\",\"locationname\":\"some-location\",\"sourceip\":\"81.2.69.145\",\"destinationip\":\"81.2.69.143\",\"sourceport\":\"500\",\"event\":\"IPsec tunnel is up\",\"eventreason\":\"None\",\"recordid\":\"1111111111111111111\"}}", + "original": "{\"version\":\"v2\", \"sourcetype\" : \"zscalernss-tunnel\", \"event\" : {\"datetime\":\"Thu Dec 31 11:11:11 2021\",\"Recordtype\":\"Tunnel Event\",\"tunneltype\":\"IPSec IKEv2\",\"user\":\"81.2.69.145\",\"locationname\":\"some-location\",\"sourceip\":\"81.2.69.145\",\"destinationip\":\"81.2.69.143\",\"sourceport\":\"500\",\"event\":\"IPsec tunnel is up\",\"eventreason\":\"None\",\"recordid\":\"1111111111111111111\",\"day\":\"\",\"dd\":\"\",\"hh\":\"\",\"mm\":\"\",\"mon\":\"\",\"mth\":\"\",\"olocationname\":\"\",\"ovpncredentialname\":\"\",\"ss\":\"\",\"timezone\":\"\",\"yyyy\":\"\"}}", "timezone": "UTC", "type": [ "info" 
@@ -236,7 +515,7 @@ ], "id": "1234", "kind": "event", - "original": "{ \"sourcetype\": \"zscalernss-tunnel\", \"event\": { \"algo\": \"DES_CBC\", \"authentication\": \"HMAC_MD5\", \"authtype\": \"PSKEY\", \"datetime\": \"Mon Oct 16 22:55:48 2023\", \"day\": \"Mon\", \"dd\": \"16\", \"destinationip\": \"89.160.20.112\", \"destinationport\": \"443\", \"hh\": \"24\", \"ikeversion\": \"1\", \"lifetime\": \"86400\", \"locationname\": \"Headquarters\", \"mm\": \"55\", \"mon\": \"Oct\", \"mth\": \"10\", \"olocationname\": \"2168890624\", \"ovpncredentialname\": \"2168890624\", \"recordid\": \"1234\", \"sourceip\": \"89.160.20.113\", \"spi_in\": \"12\", \"spi_out\": \"34\", \"sourceport\": \"8080\", \"ss\": \"6\", \"Recordtype\": \"WL_TUNNEL_IPSECPHASE1\", \"tunneltype\": \"IPSEC IKEV 1\", \"timezone\": \"GMT+03:30\", \"vendorname\": \"CISCO\", \"user\": \"jdoe@safemarch.com\", \"yyyy\": \"2023\" } }", + "original": "{\"version\":\"v2\", \"sourcetype\": \"zscalernss-tunnel\", \"event\": { \"algo\": \"DES_CBC\", \"authentication\": \"HMAC_MD5\", \"authtype\": \"PSKEY\", \"datetime\": \"Mon Oct 16 22:55:48 2023\", \"day\": \"Mon\", \"dd\": \"16\", \"destinationip\": \"89.160.20.112\", \"destinationport\": \"443\", \"hh\": \"24\", \"ikeversion\": \"1\", \"lifetime\": \"86400\", \"locationname\": \"Headquarters\", \"mm\": \"55\", \"mon\": \"Oct\", \"mth\": \"10\", \"olocationname\": \"2168890624\", \"ovpncredentialname\": \"2168890624\", \"recordid\": \"1234\", \"sourceip\": \"89.160.20.113\", \"spi_in\": \"12\", \"spi_out\": \"34\", \"sourceport\": \"8080\", \"ss\": \"6\", \"Recordtype\": \"WL_TUNNEL_IPSECPHASE1\", \"tunneltype\": \"IPSEC IKEV 1\", \"timezone\": \"GMT+03:30\", \"vendorname\": \"CISCO\", \"user\": \"jdoe@safemarch.com\", \"yyyy\": \"2023\" } }", "timezone": "GMT+03:30", "type": [ "info" @@ -320,4 +599,4 @@ } } ] -} \ No newline at end of file +} 
diff --git a/packages/zscaler_zia/data_stream/tunnel/agent/stream/http_endpoint.yml.hbs b/packages/zscaler_zia/data_stream/tunnel/agent/stream/http_endpoint.yml.hbs
index f691a1cfe90..e1ac58a6bb7 100644
--- a/packages/zscaler_zia/data_stream/tunnel/agent/stream/http_endpoint.yml.hbs
+++ b/packages/zscaler_zia/data_stream/tunnel/agent/stream/http_endpoint.yml.hbs
@@ -28,6 +28,12 @@ publisher_pipeline.disable_host: true
 {{#if ssl}}
 ssl: {{ssl}}
 {{/if}}
+{{#if strict_fields}}
+fields_under_root: true
+fields:
+  _conf:
+    strict_fields: true
+{{/if}}
 {{#if processors}}
 processors:
 {{processors}}
diff --git a/packages/zscaler_zia/data_stream/tunnel/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/data_stream/tunnel/agent/stream/tcp.yml.hbs
index d8eb927edd6..2655bae4c06 100644
--- a/packages/zscaler_zia/data_stream/tunnel/agent/stream/tcp.yml.hbs
+++ b/packages/zscaler_zia/data_stream/tunnel/agent/stream/tcp.yml.hbs
@@ -18,6 +18,12 @@ publisher_pipeline.disable_host: true
 {{#if ssl}}
 ssl: {{ssl}}
 {{/if}}
+{{#if strict_fields}}
+fields_under_root: true
+fields:
+  _conf:
+    strict_fields: true
+{{/if}}
 {{#if processors}}
 processors:
 {{processors}}
diff --git a/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
index e66590df0bb..1e6732225b8 100644
--- a/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
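Review bot: `fields_under_root: true` inside the `{{#if strict_fields}}` block promotes every key under `fields` to the event root, and it would collide with any other top-level `fields:` or `fields_under_root:` key the template renders outside this hunk; I can only see these six lines of http_endpoint.yml.hbs and tcp.yml.hbs, so please confirm neither template already emits a `fields:` block. The same applies to the tcp.yml.hbs hunk on this line. The block also deserves a line explaining the contract with the ingest pipeline, since `_conf` is a control field rather than event data, e.g. `{{! _conf.strict_fields asks the ingest pipeline to check each event's field set or template version against the known NSS feed templates; the pipeline removes _conf before indexing. }}`.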
@@ -37,6 +37,34 @@ processors:
       tag: rename_resp_event
       target_field: json
       ignore_missing: true
+  - script:
+      params:
+        expect:
+          fields:
+            "Recordtype|datetime|day|dd|destinationip|event|eventreason|hh|locationname|mm|mon|mth|olocationname|ovpncredentialname|recordid|sourceip|sourceport|ss|timezone|tunneltype|user|yyyy": true
+            "Recordtype|datetime|day|dd|destinationip|dpdrec|hh|locationname|mm|mon|mth|olocationname|ovpncredentialname|recordid|rxbytes|rxpackets|sourceip|sourceport|ss|timezone|tunneltype|txbytes|txpackets|user|yyyy": true
+            "Recordtype|algo|authentication|authtype|datetime|day|dd|destinationip|destinationport|hh|ikeversion|lifetime|locationname|mm|mon|mth|olocationname|ovpncredentialname|recordid|sourceip|sourceport|spi_in|spi_out|ss|timezone|tunneltype|user|vendorname|yyyy": true
+            "Recordtype|algo|authentication|authtype|datetime|day|dd|destinationipend|destinationipstart|destinationportstart|destinationip|hh|ikeversion|lifebytes|lifetime|locationname|mm|mon|mth|olocationname|ovpncredentialname|protocol|recordid|sourceip|spi|srcipend|srcipstart|sourceportstart|ss|tunnelprotocol|tunneltype|timezone|user|yyyy": true
+          version: v2
+      if: ctx.json != null && ctx._conf?.strict_fields == true
+      source: |-
+        if (ctx.resp?.version == null) {
+          def fields = [];
+          for (e in ctx.json.entrySet()) {
+            fields.add(e.getKey());
+          }
+          Collections.sort(fields);
+          String signature = String.join("|", fields);
+          if (params.expect.fields[signature] != true) {
+            ctx.error = ctx.error ?: [:];
+            ctx.error.message = ctx.error.message ?: [];
+            ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields");
+          }
+        } else if (ctx.resp.version != params.expect.version) {
+          ctx.error = ctx.error ?: [:];
+          ctx.error.message = ctx.error.message ?: [];
+          ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version");
+        }
   - remove:
       field: resp
       tag: remove_resp
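Review bot: The fourth key under `params.expect.fields` is not in the order the script produces, so unless I am misreading the natural string ordering it can never match: the script builds `signature` from `Collections.sort(fields)` joined with `|`, but the key has `destinationipend|destinationipstart|destinationportstart|destinationip` (sorted order puts `destinationip` first, as a prefix), `sourceip|spi|srcipend|srcipstart|sourceportstart` (`sourceportstart` sorts before `spi`) and `ss|tunnelprotocol|tunneltype|timezone` (`timezone` sorts before `tunnelprotocol`). A versionless message with exactly that Phase 2 field set would therefore be reported as a field set mismatch in strict mode, and no fixture in this patch appears to exercise it, since the old Phase 2 sample in test-tunnel.log-expected.json was rewritten to the spi_in/spi_out layout. The key should read `Recordtype|algo|authentication|authtype|datetime|day|dd|destinationip|destinationipend|destinationipstart|destinationportstart|hh|ikeversion|lifebytes|lifetime|locationname|mm|mon|mth|olocationname|ovpncredentialname|protocol|recordid|sourceip|sourceportstart|spi|srcipend|srcipstart|ss|timezone|tunnelprotocol|tunneltype|user|yyyy`, and a pipeline test with that field set would catch the regression. For consistency with the later script processor in this file, which declares `lang: painless`, consider declaring it here as well.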
@@ -687,8 +715,10 @@ processors:
       ignore_missing: true
       if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields')
   - remove:
-      field: json
-      tag: remove_json
+      field:
+        - json
+        - _conf
+      tag: remove_unused
       ignore_missing: true
   - script:
       lang: painless
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-common-config.yml b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-common-config.yml
index 1f0a54d166d..2e06a253560 100644
--- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-common-config.yml
+++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-common-config.yml
@@ -1,8 +1,6 @@
 fields:
+  _conf:
+    strict_fields: true
   tags:
     - preserve_original_event
     - preserve_duplicate_custom_fields
-dynamic_fields:
-  # This can be removed after ES 8.14 is the minimum version.
-  # Relates: https://github.com/elastic/elasticsearch/pull/105689
-  url.extension: '^.*$'
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log
index c40d5717740..ec61758c72a 100644
--- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log
+++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log
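Review bot: `_conf` is dropped only by this final `remove` processor, so a document that leaves the pipeline through its `on_failure` handler before reaching it (the handler is outside this hunk) would presumably be indexed with `_conf.strict_fields` still set. If the on_failure handler does not already remove it, consider adding `_conf` there too, or removing `_conf` right after the strict-field script has consumed it so the control field cannot outlive its use. A short comment on the processor, `# _conf carries input configuration (strict_fields) and is never indexed`, would make the intent clear to the next maintainer.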
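Review bot: Dropping the `dynamic_fields` entry for `url.extension` in test-common-config.yml is unrelated to strict-field mode; the removed comment tied it to ES 8.14 becoming the package minimum, and nothing visible in this patch raises that constraint, so either state the minimum-version bump in the commit message or move the removal to its own commit. Enabling `_conf.strict_fields: true` for every web pipeline test also means each fixture's field set or template version is checked and any mismatch lands in `error.message` of the expected output; that is a useful property worth recording with a comment such as `# strict_fields: every sample must match one of the pipeline's expected field sets or template versions.`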
@@ -1,2 +1,4 @@ +{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"81.2.69.142","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":"123456789","reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"rar","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":"1300","reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":"10500","respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_1","cltip":"81.2.69.142","cltintip":"81.2.69.142","cltsourceport":"1235","threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"None","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"0","cltsslsessreuse":"Unknown","cltpubip":"81.2.69.142","cltsslfailcount":"100","cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node 
DC","day":"Mon","day_of_month":"16","dept":"Sales","deviceappversion":"81.2.69.142","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":"6646484838839026000","eedone":"Yes","epochtime":"1578128400","fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":"22","is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":"55","mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":"10","nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":"6200694987","ocpubip":"624054738","odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":"300","reqdatasize":"1000","respheadersize":"500","respdatasize":"10000","riskscore":"10","ruletype":"File Type Control","second":"48","srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":"5","throttlerespsize":"7","totalsize":"11800","trafficredirectmethod":"DNAT (Destination 
Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":"2023","ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"81.2.69.142","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Blocked","recordid":"123456789","reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"rar","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":"1300","reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":"10500","respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_1","cltip":"81.2.69.142","cltintip":"81.2.69.142","cltsourceport":"1235","threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe 
Connect","appriskscore":"None","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"81.2.69.142","cltsslfailcount":"100","cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","dept":"Sales","deviceappversion":"81.2.69.142","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":"6646484838839026000","eedone":"Yes","epochtime":"1578128400","fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":"22","is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":"55","mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":"10","nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":"6200694987","ocpubip":"624054738","odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":"300","reqdatasize":"1000","respheadersize":"500","respdatasize":"10000","riskscore":"10","ruletype":"File Type 
Control","second":"48","srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":"5","throttlerespsize":"7","totalsize":"11800","trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":"2023","ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} {"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"81.2.69.142","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":"123456789","reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"rar","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client 
Connector","reqsize":"1300","reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":"10500","respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_1","cltip":"81.2.69.142","cltintip":"81.2.69.142","cltsourceport":"1235","threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"None","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"0","cltsslsessreuse":"Unknown","cltpubip":"81.2.69.142","cltsslfailcount":"100","cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","dept":"Sales","deviceappversion":"81.2.69.142","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":"6646484838839026000","eedone":"Yes","epochtime":"1578128400","fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":"22","is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":"55","mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google 
Android","module":"Administration","month":"Oct","month_of_year":"10","nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":"6200694987","ocpubip":"624054738","odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":"300","reqdatasize":"1000","respheadersize":"500","respdatasize":"10000","riskscore":"10","ruletype":"File Type Control","second":"48","srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":"5","throttlerespsize":"7","totalsize":"11800","trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":"2023","ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} {"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"81.2.69.142","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Blocked","recordid":"123456789","reason":"File Attachment 
Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"rar","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":"1300","reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":"10500","respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_1","cltip":"81.2.69.142","cltintip":"81.2.69.142","cltsourceport":"1235","threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"None","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"81.2.69.142","cltsslfailcount":"100","cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","dept":"Sales","deviceappversion":"81.2.69.142","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":"6646484838839026000","eedone":"Yes","epochtime":"1578128400","fileclass":"Active Web 
Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":"22","is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":"55","mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":"10","nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":"6200694987","ocpubip":"624054738","odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":"300","reqdatasize":"1000","respheadersize":"500","respdatasize":"10000","riskscore":"10","ruletype":"File Type Control","second":"48","srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":"5","throttlerespsize":"7","totalsize":"11800","trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome 
(0.x)","userlocationname":"userlocationname","year":"2023","ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json index 18d8dd5ae7e..75941dbf9ac 100644 --- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json +++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json 
@@ -1,5 +1,853 @@ { "expected": [ + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "domain": "mail.google.com", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.142" + }, + "device": { + "id": "1234", + "model": { + "identifier": "20L8S7WC08" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "allowed", + "category": [ + "web" + ], + "id": "123456789", + "kind": "event", + "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"81.2.69.142\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Allowed\",\"recordid\":\"123456789\",\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"rar\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client 
Connector\",\"reqsize\":\"1300\",\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":\"10500\",\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_1\",\"cltip\":\"81.2.69.142\",\"cltintip\":\"81.2.69.142\",\"cltsourceport\":\"1235\",\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"None\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"0\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"81.2.69.142\",\"cltsslfailcount\":\"100\",\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"dept\":\"Sales\",\"deviceappversion\":\"81.2.69.142\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":\"6646484838839026000\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":\"22\",\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM 
Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":\"55\",\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":\"6200694987\",\"ocpubip\":\"624054738\",\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":\"300\",\"reqdatasize\":\"1000\",\"respheadersize\":\"500\",\"respdatasize\":\"10000\",\"riskscore\":\"10\",\"ruletype\":\"File Type Control\",\"second\":\"48\",\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":\"5\",\"throttlerespsize\":\"7\",\"totalsize\":\"11800\",\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome 
(0.x)\",\"userlocationname\":\"userlocationname\",\"year\":\"2023\",\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "reason": "File Attachment Cautioned", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "file": { + "extension": [ + "rar" + ], + "hash": { + "md5": "196a3d797bfee07fe4596b69f4ce1141", + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + }, + "name": [ + "nssfeed.txt", + "nssfeed.exe" + ], + "type": "file" + }, + "host": { + "hostname": "PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734", + "name": "thinkpadsmith", + "os": { + "type": "ios", + "version": "Version 10.14.2 (Build 18C54)" + }, + "type": "Zscaler Client Connector" + }, + "http": { + "request": { + "bytes": 1300, + "method": "invalid", + "referrer": "www.example.com" + }, + "response": { + "bytes": 10500 + }, + "version": [ + "1.1", + "1" + ] + }, + "network": { + "protocol": "http" + }, + "organization": { + "name": "Zscaler" + }, + "related": { + "hash": [ + "154f149b1443fbfa8c121d13e5c019a1", + "196a3d797bfee07fe4596b69f4ce1141", + "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + ], + "hosts": [ + "thinkpadsmith", + "PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734" + ], + "ip": [ + "81.2.69.142", + "10.1.1.1", + "192.168.2.200" + ], + "user": [ + "jsmith", + "jdoe", + "jdoe@safemarch.com" + ] + }, + "rule": { + "name": [ + "File_Sharing_1", + "DLP_Rule_1", + "URL_Filtering_1" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.142", + "nat": { + "ip": "81.2.69.142" + }, + "port": 1235 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "196a3d797bfee07fe4596b69f4ce1141" + } + }, + "tls": 
{ + "cipher": "SSL3_CK_RSA_NULL_MD5" + }, + "url": { + "domain": "www.trythisencodeurl.com", + "full": "http://www.trythisencodeurl.com/index", + "original": "http://www.trythisencodeurl.com/index", + "path": "/index", + "scheme": "http" + }, + "user": { + "domain": "safemarch.com", + "email": "jdoe@safemarch.com", + "name": "jdoe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0" + }, + "zscaler_zia": { + "web": { + "action": "Allowed", + "alpn_protocol": "FTP", + "app": { + "class": "Administration", + "name": "Adobe Connect", + "rule_label": "File_Sharing_1" + }, + "bandwidth_class_name": "Entertainment", + "bandwidth_rule_name": "Office 365", + "bandwidth_throttle": "Yes", + "bypassed": { + "time": "2023-10-16T22:55:48.000Z", + "traffic": "0" + }, + "client": { + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "internet": { + "ip": "81.2.69.142" + }, + "ip": "81.2.69.142", + "public_ip": "81.2.69.142", + "source_port": 1235, + "ssl": { + "fail_count": 100, + "fail_reason": "Bad Record Mac" + }, + "tls_version": "SSL2" + }, + "cloud_name": "zscaler.net", + "company": "Zscaler", + "content_type": "application/vnd_apple_keynote", + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "Sales", + "device": { + "appversion": "81.2.69.142", + "hostname": "THINKPADSMITH", + "model": "20L8S7WC08", + "name": "PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734", + "os": { + "type": "iOS", + "version": "Version 10.14.2 (Build 18C54)" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "df": { + "host": { + "head": "df_hosthead", + "name": "df_hostname" + } + }, + "dlp": { + "dictionaries": { + "hit_count": "4", + "name": "Credit Cards" + }, + "engine": "HIPAA", + "identifier": "6646484838839026000", + "md5": "154f149b1443fbfa8c121d13e5c019a1", + "rule": { + "name": "DLP_Rule_1" + } + }, + "eedone": 
"Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "external": { + "device": { + "id": "1234" + } + }, + "file": { + "class": "Active Web Contents", + "name": "nssfeed.txt", + "subtype": "rar", + "type": "RAR Files" + }, + "flow_type": "Direct", + "forward_gateway": { + "ip": "10.1.1.1", + "name": "FWD_1" + }, + "forward_type": "Direct", + "host": "mail.google.com", + "hour": 22, + "is_ssl_certificate_expired": "Yes", + "is_ssl_certificate_selfsigned": "Yes", + "is_ssl_certificate_untrusted": "Pass", + "key_protection_type": "HSM Protection", + "location": "Headquarters", + "login": "jdoe@safemarch.com", + "malware": { + "category": "Adware", + "class": "Sandbox" + }, + "md5_hash": "196a3d797bfee07fe4596b69f4ce1141", + "minute": 55, + "mobile": { + "application": { + "category": "Communication", + "name": "Amazon" + }, + "dev": { + "type": "Google Android" + } + }, + "module": "Administration", + "month": "Oct", + "month_of_year": 10, + "nss": { + "service": { + "ip": "192.168.2.200" + } + }, + "obfuscated": { + "app_rule_label": "5300295980", + "bendwidth": { + "class_name": "10831489" + }, + "client": { + "ip": "6200694987", + "public": { + "ip": "624054738" + } + }, + "device": { + "host_name": "2168890624", + "name": "2175092224", + "owner": "10831489" + }, + "dlp": { + "dictionaries": "10831489", + "engine": "4094304256", + "rule": { + "name": "6857275752" + } + }, + "forward_gateway_name": "8794487099", + "login": "4094304256", + "rule": { + "name": "3399565100" + }, + "url": { + "category": "7956407282", + "filter_rule_label": "4951704103" + }, + "zpa_app_segment": "7648246731" + }, + "policy": { + "reason": "Blocked" + }, + "product_version": "5.0.902.95524_04", + "prototype": "HTTP", + "reason": "File Attachment Cautioned", + "record": { + "id": "123456789" + }, + "redirect_policy_name": "FWD_Rule_1", + "referer": { + "host": "www.example.com for http://www.example.com/index.html", + "name": "www.example.com" + }, + "request": { + "header_size": 300, + 
"method": "invalid", + "payload": 1000, + "size": 1300, + "version": "1.1" + }, + "response": { + "code": "100", + "header_size": 500, + "payload": 10000, + "size": 10500, + "version": "1" + }, + "risk": { + "score": 10.0 + }, + "rule": { + "name": "URL_Filtering_1", + "type": "File Type Control" + }, + "second": 48, + "server": { + "certificate": { + "validation": { + "period": "Short" + } + }, + "certificate_validation_chain": "Unknown", + "certificate_validation_type": "EV (Extended Validation)", + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "ip": "81.2.69.142", + "ocsp_result": "Good", + "tls_version": "SSL2", + "wildcard_certificate": "Unknown" + }, + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c", + "ssl_decrypted": "Yes", + "threat": { + "name": "EICAR Test File", + "severity": "Critical (90–100)" + }, + "throttle": { + "request_size": 5, + "response_size": 7 + }, + "time": "2023-10-16T22:55:48.000Z", + "timezone": "GMT", + "total": { + "size": 11800 + }, + "traffic_redirect_method": "DNAT (Destination Translation)", + "unscannable": { + "type": "Encrypted File" + }, + "upload": { + "doc": { + "type_name": "Corporate Finance" + }, + "file": { + "class": "upload_fileclass", + "name": "nssfeed.exe", + "subtype": "rar", + "type": "RAR Files" + } + }, + "url": { + "category": { + "sub": "Entertainment", + "super": "Travel" + }, + "category_method": "Database A", + "class": "Bandwidth Loss", + "filter_rule_label": "URL_Filtering_1", + "name": "www.trythisencodeurl.com/index" + }, + "user_agent": { + "class": "Firefox", + "name": "Mozilla/5.0", + "token": "Google Chrome (0.x)" + }, + "user_location_name": "userlocationname", + "year": 2023, + "z_tunnel_version": "ZTUNNEL_1_0", + "zpa_app_segment": "ZPA_test_app_segment" + } + } + }, + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "domain": "mail.google.com", + "geo": { + "city_name": "London", + 
"continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.142" + }, + "device": { + "id": "1234", + "model": { + "identifier": "20L8S7WC08" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "blocked", + "category": [ + "web" + ], + "id": "123456789", + "kind": "event", + "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"81.2.69.142\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Blocked\",\"recordid\":\"123456789\",\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"rar\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":\"1300\",\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":\"10500\",\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_1\",\"cltip\":\"81.2.69.142\",\"cltintip\":\"81.2.69.142\",\"cltsourceport\":\"1235\",\"threatname\":\"EICAR Test 
File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"None\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"81.2.69.142\",\"cltsslfailcount\":\"100\",\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"dept\":\"Sales\",\"deviceappversion\":\"81.2.69.142\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":\"6646484838839026000\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":\"22\",\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":\"55\",\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google 
Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":\"6200694987\",\"ocpubip\":\"624054738\",\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":\"300\",\"reqdatasize\":\"1000\",\"respheadersize\":\"500\",\"respdatasize\":\"10000\",\"riskscore\":\"10\",\"ruletype\":\"File Type Control\",\"second\":\"48\",\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":\"5\",\"throttlerespsize\":\"7\",\"totalsize\":\"11800\",\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":\"2023\",\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "reason": "File Attachment Cautioned", + "timezone": "GMT", + "type": [ 
+ "info" + ] + }, + "file": { + "extension": [ + "rar" + ], + "hash": { + "md5": "196a3d797bfee07fe4596b69f4ce1141", + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + }, + "name": [ + "nssfeed.txt", + "nssfeed.exe" + ], + "type": "file" + }, + "host": { + "hostname": "PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734", + "name": "thinkpadsmith", + "os": { + "type": "ios", + "version": "Version 10.14.2 (Build 18C54)" + }, + "type": "Zscaler Client Connector" + }, + "http": { + "request": { + "bytes": 1300, + "method": "invalid", + "referrer": "www.example.com" + }, + "response": { + "bytes": 10500 + }, + "version": [ + "1.1", + "1" + ] + }, + "network": { + "protocol": "http" + }, + "organization": { + "name": "Zscaler" + }, + "related": { + "hash": [ + "154f149b1443fbfa8c121d13e5c019a1", + "196a3d797bfee07fe4596b69f4ce1141", + "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + ], + "hosts": [ + "thinkpadsmith", + "PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734" + ], + "ip": [ + "81.2.69.142", + "10.1.1.1", + "192.168.2.200" + ], + "user": [ + "jsmith", + "jdoe", + "jdoe@safemarch.com" + ] + }, + "rule": { + "name": [ + "File_Sharing_1", + "DLP_Rule_1", + "URL_Filtering_1" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.142", + "nat": { + "ip": "81.2.69.142" + }, + "port": 1235 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "196a3d797bfee07fe4596b69f4ce1141" + } + }, + "tls": { + "cipher": "SSL3_CK_RSA_NULL_MD5" + }, + "url": { + "domain": "www.trythisencodeurl.com", + "full": "http://www.trythisencodeurl.com/index", + "original": "http://www.trythisencodeurl.com/index", + "path": "/index", + 
"scheme": "http" + }, + "user": { + "domain": "safemarch.com", + "email": "jdoe@safemarch.com", + "name": "jdoe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0" + }, + "zscaler_zia": { + "web": { + "action": "Blocked", + "alpn_protocol": "FTP", + "app": { + "class": "Administration", + "name": "Adobe Connect", + "rule_label": "File_Sharing_1" + }, + "bandwidth_class_name": "Entertainment", + "bandwidth_rule_name": "Office 365", + "bandwidth_throttle": "Yes", + "bypassed": { + "time": "2023-10-16T22:55:48.000Z", + "traffic": "1" + }, + "client": { + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "internet": { + "ip": "81.2.69.142" + }, + "ip": "81.2.69.142", + "public_ip": "81.2.69.142", + "source_port": 1235, + "ssl": { + "fail_count": 100, + "fail_reason": "Bad Record Mac" + }, + "tls_version": "SSL2" + }, + "cloud_name": "zscaler.net", + "company": "Zscaler", + "content_type": "application/vnd_apple_keynote", + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "Sales", + "device": { + "appversion": "81.2.69.142", + "hostname": "THINKPADSMITH", + "model": "20L8S7WC08", + "name": "PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734", + "os": { + "type": "iOS", + "version": "Version 10.14.2 (Build 18C54)" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "df": { + "host": { + "head": "df_hosthead", + "name": "df_hostname" + } + }, + "dlp": { + "dictionaries": { + "hit_count": "4", + "name": "Credit Cards" + }, + "engine": "HIPAA", + "identifier": "6646484838839026000", + "md5": "154f149b1443fbfa8c121d13e5c019a1", + "rule": { + "name": "DLP_Rule_1" + } + }, + "eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "external": { + "device": { + "id": "1234" + } + }, + "file": { + "class": "Active Web Contents", + "name": "nssfeed.txt", + "subtype": "rar", + "type": "RAR Files" + 
}, + "flow_type": "Direct", + "forward_gateway": { + "ip": "10.1.1.1", + "name": "FWD_1" + }, + "forward_type": "Direct", + "host": "mail.google.com", + "hour": 22, + "is_ssl_certificate_expired": "Yes", + "is_ssl_certificate_selfsigned": "Yes", + "is_ssl_certificate_untrusted": "Pass", + "key_protection_type": "HSM Protection", + "location": "Headquarters", + "login": "jdoe@safemarch.com", + "malware": { + "category": "Adware", + "class": "Sandbox" + }, + "md5_hash": "196a3d797bfee07fe4596b69f4ce1141", + "minute": 55, + "mobile": { + "application": { + "category": "Communication", + "name": "Amazon" + }, + "dev": { + "type": "Google Android" + } + }, + "module": "Administration", + "month": "Oct", + "month_of_year": 10, + "nss": { + "service": { + "ip": "192.168.2.200" + } + }, + "obfuscated": { + "app_rule_label": "5300295980", + "bendwidth": { + "class_name": "10831489" + }, + "client": { + "ip": "6200694987", + "public": { + "ip": "624054738" + } + }, + "device": { + "host_name": "2168890624", + "name": "2175092224", + "owner": "10831489" + }, + "dlp": { + "dictionaries": "10831489", + "engine": "4094304256", + "rule": { + "name": "6857275752" + } + }, + "forward_gateway_name": "8794487099", + "login": "4094304256", + "rule": { + "name": "3399565100" + }, + "url": { + "category": "7956407282", + "filter_rule_label": "4951704103" + }, + "zpa_app_segment": "7648246731" + }, + "policy": { + "reason": "Blocked" + }, + "product_version": "5.0.902.95524_04", + "prototype": "HTTP", + "reason": "File Attachment Cautioned", + "record": { + "id": "123456789" + }, + "redirect_policy_name": "FWD_Rule_1", + "referer": { + "host": "www.example.com for http://www.example.com/index.html", + "name": "www.example.com" + }, + "request": { + "header_size": 300, + "method": "invalid", + "payload": 1000, + "size": 1300, + "version": "1.1" + }, + "response": { + "code": "100", + "header_size": 500, + "payload": 10000, + "size": 10500, + "version": "1" + }, + "risk": { + "score": 10.0 
+ }, + "rule": { + "name": "URL_Filtering_1", + "type": "File Type Control" + }, + "second": 48, + "server": { + "certificate": { + "validation": { + "period": "Short" + } + }, + "certificate_validation_chain": "Unknown", + "certificate_validation_type": "EV (Extended Validation)", + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "ip": "81.2.69.142", + "ocsp_result": "Good", + "tls_version": "SSL2", + "wildcard_certificate": "Unknown" + }, + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c", + "ssl_decrypted": "Yes", + "threat": { + "name": "EICAR Test File", + "severity": "Critical (90–100)" + }, + "throttle": { + "request_size": 5, + "response_size": 7 + }, + "time": "2023-10-16T22:55:48.000Z", + "timezone": "GMT", + "total": { + "size": 11800 + }, + "traffic_redirect_method": "DNAT (Destination Translation)", + "unscannable": { + "type": "Encrypted File" + }, + "upload": { + "doc": { + "type_name": "Corporate Finance" + }, + "file": { + "class": "upload_fileclass", + "name": "nssfeed.exe", + "subtype": "rar", + "type": "RAR Files" + } + }, + "url": { + "category": { + "sub": "Entertainment", + "super": "Travel" + }, + "category_method": "Database A", + "class": "Bandwidth Loss", + "filter_rule_label": "URL_Filtering_1", + "name": "www.trythisencodeurl.com/index" + }, + "user_agent": { + "class": "Firefox", + "name": "Mozilla/5.0", + "token": "Google Chrome (0.x)" + }, + "user_location_name": "userlocationname", + "year": 2023, + "z_tunnel_version": "ZTUNNEL_1_0", + "zpa_app_segment": "ZPA_test_app_segment" + } + } + }, { "@timestamp": "2023-10-16T22:55:48.000Z", "cloud": { diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log index b715ebe1eff..d9bbe4cab2b 100644 --- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log +++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log 
@@ -1,3 +1,10 @@ +{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tOjQ0My9pbmRleD9xdGltZT0yMDIzLTA0LTEyVDIzOjIwOjUwLjUyWg==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node 
DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted 
File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 17 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.1","external_devid":"2345","devicemodel":"20L8S7WC09","action":"Allowed","recordid":123456780,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LmV4YW1wbGUuY29tOjQ0Mw==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 
365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended 
Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 18 23:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.2","external_devid":"2346","devicemodel":"20L8S7WC10","action":"Allowed","recordid":123456781,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"SSL","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test 
File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LmV4YW1wbGUuY29tLmNvbS9wYXJhbXM/SWQ9MSZ0cz0yMDA2LTAxLTAyVDE1OjA0OjA1WjA3OjAwJnVzZXI9NjU3OTImdmVyc2lvbj0xMC4wLjE5MDQxLjEyNjY=","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google 
Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 18 23:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.2","external_devid":"2346","devicemodel":"20L8S7WC10","action":"Allowed","recordid":123456781,"reason":"File Attachment Cautioned","threatseverity":"Critical 
(90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"SSL","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"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","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web 
Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome 
(0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 20 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.4","external_devid":"2347","devicemodel":"20L8S7WC12","action":"Allowed","recordid":123456782,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"device%5CrN%40me","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LmV4YW1wbGUuY29tOjQ0Mw==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 
2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended 
Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 20 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.4","external_devid":"2347","devicemodel":"20L8S7WC12","action":"Allowed","recordid":123456782,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed%.txt","upload_filename":"nssfeed%.exe","filetype":"RAR Files","devicename":"device%5CrN%40me","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client 
Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"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","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM 
Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"sourcetype":"zscalernss-web","event":{"time":"Mon Oct 20 22:55:48 
2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.4","external_devid":"2347","devicemodel":"20L8S7WC12","action":"Allowed","recordid":123456782,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"device%5CrN%40me","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"ZXhhbXBsZS5jb20vP3BhcnRuZXI9MjcxJnNtYXJ0bWFwPTEmcmVkaXJlY3Q9aHR0cHM6Ly9leGFtcGxlLmNvbS9zZXR1aWQ/ZW50aXR5PTE0NSZjb2RlPSVfcmlk","useragent":"Mozilla/5.0","login":"jdoe","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record 
Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended 
Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} {"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client 
Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tOjQ0My9pbmRleD9xdGltZT0yMDIzLTA0LTEyVDIzOjIwOjUwLjUyWg==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google 
Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} {"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 17 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.1","external_devid":"2345","devicemodel":"20L8S7WC09","action":"Allowed","recordid":123456780,"reason":"File Attachment Cautioned","threatseverity":"Critical 
(90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LmV4YW1wbGUuY29tOjQ0Mw==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web 
Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome 
(0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} {"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 18 23:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.2","external_devid":"2346","devicemodel":"20L8S7WC10","action":"Allowed","recordid":123456781,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"SSL","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LmV4YW1wbGUuY29tLmNvbS9wYXJhbXM/SWQ9MSZ0cz0yMDA2LTAxLTAyVDE1OjA0OjA1WjA3OjAwJnVzZXI9NjU3OTImdmVyc2lvbj0xMC4wLjE5MDQxLjEyNjY=","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record 
Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended 
Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}}
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json
index 2ff700db5e7..3dfe05a9514 100644
--- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json
+++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json
@@ -1,5 +1,2936 @@ { "expected": [ + { + "@timestamp": "2023-10-16T22:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "domain": "mail.google.com", + "ip": "1.128.0.0" + }, + "device": { + "id": "1234", + "model": { + "identifier": "20L8S7WC08" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "allowed", + "category": [ + "web" + ], + "id": "123456789", + "kind": "event", + "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.0\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Allowed\",\"recordid\":123456789,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test 
File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tOjQ0My9pbmRleD9xdGltZT0yMDIzLTA0LTEyVDIzOjIwOjUwLjUyWg==\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.0\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google 
Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "reason": "File Attachment Cautioned", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "file": { + "extension": [ + 
"exe", + "rar" + ], + "hash": { + "md5": "196a3d797bfee07fe4596b69f4ce1141", + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + }, + "name": [ + "nssfeed.txt", + "nssfeed.exe" + ], + "type": "file" + }, + "host": { + "hostname": "PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734", + "name": "thinkpadsmith", + "os": { + "type": "ios", + "version": "Version 10.14.2 (Build 18C54)" + }, + "type": "Zscaler Client Connector" + }, + "http": { + "request": { + "bytes": 1300, + "method": "invalid", + "referrer": "www.example.com" + }, + "response": { + "bytes": 10500 + }, + "version": [ + "1.1", + "1" + ] + }, + "network": { + "protocol": "http" + }, + "organization": { + "name": "Zscaler" + }, + "related": { + "hash": [ + "154f149b1443fbfa8c121d13e5c019a1", + "196a3d797bfee07fe4596b69f4ce1141", + "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + ], + "hosts": [ + "thinkpadsmith", + "PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734" + ], + "ip": [ + "89.160.20.128", + "175.16.199.0", + "10.1.1.1", + "192.168.2.200", + "81.2.69.144", + "1.128.0.0" + ], + "user": [ + "jsmith", + "jdoe", + "jdoe@safemarch.com" + ] + }, + "rule": { + "name": [ + "File_Sharing_1", + "DLP_Rule_1", + "URL_Filtering_1", + "URL_Filtering_2" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "nat": { + "ip": "89.160.20.128" + }, + "port": 12345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "196a3d797bfee07fe4596b69f4ce1141" + } + }, + "tls": { + "cipher": "SSL3_CK_RSA_NULL_MD5" + }, + "url": { + "domain": "www.trythisencodeurl.com", + "full": "http://www.trythisencodeurl.com:443/index?qtime=2023-04-12T23:20:50.52Z", + 
"original": "http://www.trythisencodeurl.com:443/index?qtime=2023-04-12T23:20:50.52Z", + "path": "/index", + "port": 443, + "query": "qtime=2023-04-12T23:20:50.52Z", + "scheme": "http" + }, + "user": { + "domain": "safemarch.com", + "email": "jdoe@safemarch.com", + "name": "jdoe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0" + }, + "zscaler_zia": { + "web": { + "action": "Allowed", + "alpn_protocol": "FTP", + "app": { + "class": "Administration", + "name": "Adobe Connect", + "risk_score": "1", + "rule_label": "File_Sharing_1" + }, + "bandwidth_class_name": "Entertainment", + "bandwidth_rule_name": "Office 365", + "bandwidth_throttle": "Yes", + "bypassed": { + "time": "2023-10-16T22:55:48.000Z", + "traffic": "1" + }, + "client": { + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "internet": { + "ip": "89.160.20.128" + }, + "ip": "81.2.69.144", + "public_ip": "175.16.199.0", + "source_port": 12345, + "ssl": { + "fail_count": 100, + "fail_reason": "Bad Record Mac" + }, + "tls_version": "SSL2" + }, + "cloud_name": "zscaler.net", + "company": "Zscaler", + "content_type": "application/vnd_apple_keynote", + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "Sales", + "device": { + "appversion": "1.128.0.0", + "hostname": "THINKPADSMITH", + "model": "20L8S7WC08", + "name": "PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734", + "os": { + "type": "iOS", + "version": "Version 10.14.2 (Build 18C54)" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "df": { + "host": { + "head": "df_hosthead", + "name": "df_hostname" + } + }, + "dlp": { + "dictionaries": { + "hit_count": "4", + "name": "Credit Cards" + }, + "engine": "HIPAA", + "identifier": "6646484838839026000", + "md5": "154f149b1443fbfa8c121d13e5c019a1", + "rule": { + "name": "DLP_Rule_1" + } + }, + "eedone": "Yes", + "epochtime": 
"2020-01-04T09:00:00.000Z", + "external": { + "device": { + "id": "1234" + } + }, + "file": { + "class": "Active Web Contents", + "name": "nssfeed.txt", + "subtype": "exe", + "type": "RAR Files" + }, + "flow_type": "Direct", + "forward_gateway": { + "ip": "10.1.1.1", + "name": "FWD_1" + }, + "forward_type": "Direct", + "host": "mail.google.com", + "hour": 22, + "is_ssl_certificate_expired": "Yes", + "is_ssl_certificate_selfsigned": "Yes", + "is_ssl_certificate_untrusted": "Pass", + "key_protection_type": "HSM Protection", + "location": "Headquarters", + "login": "jdoe@safemarch.com", + "malware": { + "category": "Adware", + "class": "Sandbox" + }, + "md5_hash": "196a3d797bfee07fe4596b69f4ce1141", + "minute": 55, + "mobile": { + "application": { + "category": "Communication", + "name": "Amazon" + }, + "dev": { + "type": "Google Android" + } + }, + "module": "Administration", + "month": "Oct", + "month_of_year": 10, + "nss": { + "service": { + "ip": "192.168.2.200" + } + }, + "obfuscated": { + "app_rule_label": "5300295980", + "bendwidth": { + "class_name": "10831489" + }, + "client": { + "ip": "6200694987", + "public": { + "ip": "624054738" + } + }, + "device": { + "host_name": "2168890624", + "name": "2175092224", + "owner": "10831489" + }, + "dlp": { + "dictionaries": "10831489", + "engine": "4094304256", + "rule": { + "name": "6857275752" + } + }, + "forward_gateway_name": "8794487099", + "login": "4094304256", + "rule": { + "name": "3399565100" + }, + "url": { + "category": "7956407282", + "filter_rule_label": "4951704103" + }, + "zpa_app_segment": "7648246731" + }, + "policy": { + "reason": "Blocked" + }, + "product_version": "5.0.902.95524_04", + "prototype": "HTTP", + "reason": "File Attachment Cautioned", + "record": { + "id": "123456789" + }, + "redirect_policy_name": "FWD_Rule_1", + "referer": { + "host": "www.example.com for http://www.example.com/index.html", + "name": "www.example.com" + }, + "request": { + "header_size": 300, + "method": "invalid", + 
"payload": 1000, + "size": 1300, + "version": "1.1" + }, + "response": { + "code": "100", + "header_size": 500, + "payload": 10000, + "size": 10500, + "version": "1" + }, + "risk": { + "score": 10.0 + }, + "rule": { + "name": "URL_Filtering_1", + "type": "File Type Control" + }, + "second": 48, + "server": { + "certificate": { + "validation": { + "period": "Short" + } + }, + "certificate_validation_chain": "Unknown", + "certificate_validation_type": "EV (Extended Validation)", + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "ip": "1.128.0.0", + "ocsp_result": "Good", + "tls_version": "SSL2", + "wildcard_certificate": "Unknown" + }, + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c", + "ssl_decrypted": "Yes", + "threat": { + "name": "EICAR Test File", + "severity": "Critical (90–100)" + }, + "throttle": { + "request_size": 5, + "response_size": 7 + }, + "time": "2023-10-16T22:55:48.000Z", + "timezone": "GMT", + "total": { + "size": 11800 + }, + "traffic_redirect_method": "DNAT (Destination Translation)", + "unscannable": { + "type": "Encrypted File" + }, + "upload": { + "doc": { + "type_name": "Corporate Finance" + }, + "file": { + "class": "upload_fileclass", + "name": "nssfeed.exe", + "subtype": "rar", + "type": "RAR Files" + } + }, + "url": { + "category": { + "sub": "Entertainment", + "super": "Travel" + }, + "category_method": "Database A", + "class": "Bandwidth Loss", + "filter_rule_label": "URL_Filtering_2", + "name": "www.trythisencodeurl.com:443/index?qtime=2023-04-12T23:20:50.52Z" + }, + "user_agent": { + "class": "Firefox", + "name": "Mozilla/5.0", + "token": "Google Chrome (0.x)" + }, + "user_location_name": "userlocationname", + "year": 2023, + "z_tunnel_version": "ZTUNNEL_1_0", + "zpa_app_segment": "ZPA_test_app_segment" + } + } + }, + { + "@timestamp": "2023-10-17T22:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "domain": "mail.google.com", + "ip": "1.128.0.1" + }, + 
"device": { + "id": "2345", + "model": { + "identifier": "20L8S7WC09" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "allowed", + "category": [ + "web" + ], + "id": "123456780", + "kind": "event", + "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 17 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.1\",\"external_devid\":\"2345\",\"devicemodel\":\"20L8S7WC09\",\"action\":\"Allowed\",\"recordid\":123456780,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LmV4YW1wbGUuY29tOjQ0Mw==\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 
365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "reason": "File Attachment Cautioned", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "file": { + "extension": [ + "exe", + "rar" + ], + "hash": { + "md5": "196a3d797bfee07fe4596b69f4ce1141", + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + }, + "name": [ + "nssfeed.txt", + "nssfeed.exe" + ], + "type": "file" + }, + "host": { + "hostname": "PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734", + "name": "thinkpadsmith", + "os": { + "type": "ios", + "version": "Version 10.14.2 (Build 18C54)" + }, + "type": "Zscaler Client Connector" + }, + "http": { + "request": { + "bytes": 1300, + "method": "invalid", + "referrer": "www.example.com" + }, + "response": { + "bytes": 10500 + }, + "version": [ + "1.1", + "1" + ] + }, + "network": { + "protocol": "https" + }, + "organization": { + "name": "Zscaler" + }, + "related": { + 
"hash": [ + "154f149b1443fbfa8c121d13e5c019a1", + "196a3d797bfee07fe4596b69f4ce1141", + "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + ], + "hosts": [ + "thinkpadsmith", + "PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734" + ], + "ip": [ + "89.160.20.128", + "175.16.199.0", + "10.1.1.1", + "192.168.2.200", + "81.2.69.144", + "1.128.0.1" + ], + "user": [ + "jsmith", + "jdoe", + "jdoe@safemarch.com" + ] + }, + "rule": { + "name": [ + "File_Sharing_1", + "DLP_Rule_1", + "URL_Filtering_1", + "URL_Filtering_2" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "nat": { + "ip": "89.160.20.128" + }, + "port": 12345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "196a3d797bfee07fe4596b69f4ce1141" + } + }, + "tls": { + "cipher": "SSL3_CK_RSA_NULL_MD5" + }, + "url": { + "domain": "www.example.com", + "full": "https://www.example.com:443", + "original": "https://www.example.com:443", + "port": 443, + "scheme": "https" + }, + "user": { + "domain": "safemarch.com", + "email": "jdoe@safemarch.com", + "name": "jdoe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0" + }, + "zscaler_zia": { + "web": { + "action": "Allowed", + "alpn_protocol": "FTP", + "app": { + "class": "Administration", + "name": "Adobe Connect", + "risk_score": "1", + "rule_label": "File_Sharing_1" + }, + "bandwidth_class_name": "Entertainment", + "bandwidth_rule_name": "Office 365", + "bandwidth_throttle": "Yes", + "bypassed": { + "time": "2023-10-16T22:55:48.000Z", + "traffic": "1" + }, + "client": { + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "internet": { + "ip": "89.160.20.128" + }, + 
"ip": "81.2.69.144", + "public_ip": "175.16.199.0", + "source_port": 12345, + "ssl": { + "fail_count": 100, + "fail_reason": "Bad Record Mac" + }, + "tls_version": "SSL2" + }, + "cloud_name": "zscaler.net", + "company": "Zscaler", + "content_type": "application/vnd_apple_keynote", + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "Sales", + "device": { + "appversion": "1.128.0.1", + "hostname": "THINKPADSMITH", + "model": "20L8S7WC09", + "name": "PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734", + "os": { + "type": "iOS", + "version": "Version 10.14.2 (Build 18C54)" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "df": { + "host": { + "head": "df_hosthead", + "name": "df_hostname" + } + }, + "dlp": { + "dictionaries": { + "hit_count": "4", + "name": "Credit Cards" + }, + "engine": "HIPAA", + "identifier": "6646484838839026000", + "md5": "154f149b1443fbfa8c121d13e5c019a1", + "rule": { + "name": "DLP_Rule_1" + } + }, + "eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "external": { + "device": { + "id": "2345" + } + }, + "file": { + "class": "Active Web Contents", + "name": "nssfeed.txt", + "subtype": "exe", + "type": "RAR Files" + }, + "flow_type": "Direct", + "forward_gateway": { + "ip": "10.1.1.1", + "name": "FWD_1" + }, + "forward_type": "Direct", + "host": "mail.google.com", + "hour": 22, + "is_ssl_certificate_expired": "Yes", + "is_ssl_certificate_selfsigned": "Yes", + "is_ssl_certificate_untrusted": "Pass", + "key_protection_type": "HSM Protection", + "location": "Headquarters", + "login": "jdoe@safemarch.com", + "malware": { + "category": "Adware", + "class": "Sandbox" + }, + "md5_hash": "196a3d797bfee07fe4596b69f4ce1141", + "minute": 55, + "mobile": { + "application": { + "category": "Communication", + "name": "Amazon" + }, + "dev": { + "type": "Google Android" + } + }, + "module": "Administration", + "month": "Oct", + 
"month_of_year": 10, + "nss": { + "service": { + "ip": "192.168.2.200" + } + }, + "obfuscated": { + "app_rule_label": "5300295980", + "bendwidth": { + "class_name": "10831489" + }, + "client": { + "ip": "6200694987", + "public": { + "ip": "624054738" + } + }, + "device": { + "host_name": "2168890624", + "name": "2175092224", + "owner": "10831489" + }, + "dlp": { + "dictionaries": "10831489", + "engine": "4094304256", + "rule": { + "name": "6857275752" + } + }, + "forward_gateway_name": "8794487099", + "login": "4094304256", + "rule": { + "name": "3399565100" + }, + "url": { + "category": "7956407282", + "filter_rule_label": "4951704103" + }, + "zpa_app_segment": "7648246731" + }, + "policy": { + "reason": "Blocked" + }, + "product_version": "5.0.902.95524_04", + "prototype": "HTTPS", + "reason": "File Attachment Cautioned", + "record": { + "id": "123456780" + }, + "redirect_policy_name": "FWD_Rule_1", + "referer": { + "host": "www.example.com for http://www.example.com/index.html", + "name": "www.example.com" + }, + "request": { + "header_size": 300, + "method": "invalid", + "payload": 1000, + "size": 1300, + "version": "1.1" + }, + "response": { + "code": "100", + "header_size": 500, + "payload": 10000, + "size": 10500, + "version": "1" + }, + "risk": { + "score": 10.0 + }, + "rule": { + "name": "URL_Filtering_1", + "type": "File Type Control" + }, + "second": 48, + "server": { + "certificate": { + "validation": { + "period": "Short" + } + }, + "certificate_validation_chain": "Unknown", + "certificate_validation_type": "EV (Extended Validation)", + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "ip": "1.128.0.1", + "ocsp_result": "Good", + "tls_version": "SSL2", + "wildcard_certificate": "Unknown" + }, + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c", + "ssl_decrypted": "Yes", + "threat": { + "name": "EICAR Test File", + "severity": "Critical (90–100)" + }, + "throttle": { + "request_size": 5, + "response_size": 7 + 
}, + "time": "2023-10-17T22:55:48.000Z", + "timezone": "GMT", + "total": { + "size": 11800 + }, + "traffic_redirect_method": "DNAT (Destination Translation)", + "unscannable": { + "type": "Encrypted File" + }, + "upload": { + "doc": { + "type_name": "Corporate Finance" + }, + "file": { + "class": "upload_fileclass", + "name": "nssfeed.exe", + "subtype": "rar", + "type": "RAR Files" + } + }, + "url": { + "category": { + "sub": "Entertainment", + "super": "Travel" + }, + "category_method": "Database A", + "class": "Bandwidth Loss", + "filter_rule_label": "URL_Filtering_2", + "name": "www.example.com:443" + }, + "user_agent": { + "class": "Firefox", + "name": "Mozilla/5.0", + "token": "Google Chrome (0.x)" + }, + "user_location_name": "userlocationname", + "year": 2023, + "z_tunnel_version": "ZTUNNEL_1_0", + "zpa_app_segment": "ZPA_test_app_segment" + } + } + }, + { + "@timestamp": "2023-10-18T23:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "domain": "mail.google.com", + "ip": "1.128.0.2" + }, + "device": { + "id": "2346", + "model": { + "identifier": "20L8S7WC10" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "allowed", + "category": [ + "web" + ], + "id": "123456781", + "kind": "event", + "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 18 23:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.2\",\"external_devid\":\"2346\",\"devicemodel\":\"20L8S7WC10\",\"action\":\"Allowed\",\"recordid\":123456781,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR 
Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"SSL\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LmV4YW1wbGUuY29tLmNvbS9wYXJhbXM/SWQ9MSZ0cz0yMDA2LTAxLTAyVDE1OjA0OjA1WjA3OjAwJnVzZXI9NjU3OTImdmVyc2lvbj0xMC4wLjE5MDQxLjEyNjY=\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web 
Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR 
Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "reason": "File Attachment Cautioned", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "file": { + "extension": [ + "exe", + "rar" + ], + "hash": { + "md5": "196a3d797bfee07fe4596b69f4ce1141", + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + }, + "name": [ + "nssfeed.txt", + "nssfeed.exe" + ], + "type": "file" + }, + "host": { + "hostname": "PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734", + "name": "thinkpadsmith", + "os": { + "type": "ios", + "version": "Version 10.14.2 (Build 18C54)" + }, + "type": "Zscaler Client Connector" + }, + "http": { + "request": { + "bytes": 1300, + "method": "invalid", + "referrer": "www.example.com" + }, + "response": { + "bytes": 10500 + }, + "version": [ + "1.1", + "1" + ] + }, + "network": { + "protocol": "ssl" + }, + "organization": { + "name": "Zscaler" + }, + "related": { + "hash": [ + "154f149b1443fbfa8c121d13e5c019a1", + "196a3d797bfee07fe4596b69f4ce1141", + "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + ], + "hosts": [ + "thinkpadsmith", + "PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734" + ], + "ip": [ + "89.160.20.128", + "175.16.199.0", + "10.1.1.1", + "192.168.2.200", + "81.2.69.144", + "1.128.0.2" + ], + "user": [ + "jsmith", + "jdoe", + "jdoe@safemarch.com" + ] + }, + "rule": { + "name": [ + "File_Sharing_1", + "DLP_Rule_1", + "URL_Filtering_1", + "URL_Filtering_2" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + 
"region_name": "England" + }, + "ip": "81.2.69.144", + "nat": { + "ip": "89.160.20.128" + }, + "port": 12345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "196a3d797bfee07fe4596b69f4ce1141" + } + }, + "tls": { + "cipher": "SSL3_CK_RSA_NULL_MD5" + }, + "url": { + "domain": "www.example.com.com", + "full": "https://www.example.com.com/params?Id=1&ts=2006-01-02T15:04:05Z07:00&user=65792&version=10.0.19041.1266", + "original": "https://www.example.com.com/params?Id=1&ts=2006-01-02T15:04:05Z07:00&user=65792&version=10.0.19041.1266", + "path": "/params", + "query": "Id=1&ts=2006-01-02T15:04:05Z07:00&user=65792&version=10.0.19041.1266", + "scheme": "https" + }, + "user": { + "domain": "safemarch.com", + "email": "jdoe@safemarch.com", + "name": "jdoe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0" + }, + "zscaler_zia": { + "web": { + "action": "Allowed", + "alpn_protocol": "FTP", + "app": { + "class": "Administration", + "name": "Adobe Connect", + "risk_score": "1", + "rule_label": "File_Sharing_1" + }, + "bandwidth_class_name": "Entertainment", + "bandwidth_rule_name": "Office 365", + "bandwidth_throttle": "Yes", + "bypassed": { + "time": "2023-10-16T22:55:48.000Z", + "traffic": "1" + }, + "client": { + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "internet": { + "ip": "89.160.20.128" + }, + "ip": "81.2.69.144", + "public_ip": "175.16.199.0", + "source_port": 12345, + "ssl": { + "fail_count": 100, + "fail_reason": "Bad Record Mac" + }, + "tls_version": "SSL2" + }, + "cloud_name": "zscaler.net", + "company": "Zscaler", + "content_type": "application/vnd_apple_keynote", + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "Sales", + "device": { + "appversion": "1.128.0.1", + "hostname": "THINKPADSMITH", + "model": 
"20L8S7WC10", + "name": "PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734", + "os": { + "type": "iOS", + "version": "Version 10.14.2 (Build 18C54)" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "df": { + "host": { + "head": "df_hosthead", + "name": "df_hostname" + } + }, + "dlp": { + "dictionaries": { + "hit_count": "4", + "name": "Credit Cards" + }, + "engine": "HIPAA", + "identifier": "6646484838839026000", + "md5": "154f149b1443fbfa8c121d13e5c019a1", + "rule": { + "name": "DLP_Rule_1" + } + }, + "eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "external": { + "device": { + "id": "2346" + } + }, + "file": { + "class": "Active Web Contents", + "name": "nssfeed.txt", + "subtype": "exe", + "type": "RAR Files" + }, + "flow_type": "Direct", + "forward_gateway": { + "ip": "10.1.1.1", + "name": "FWD_1" + }, + "forward_type": "Direct", + "host": "mail.google.com", + "hour": 22, + "is_ssl_certificate_expired": "Yes", + "is_ssl_certificate_selfsigned": "Yes", + "is_ssl_certificate_untrusted": "Pass", + "key_protection_type": "HSM Protection", + "location": "Headquarters", + "login": "jdoe@safemarch.com", + "malware": { + "category": "Adware", + "class": "Sandbox" + }, + "md5_hash": "196a3d797bfee07fe4596b69f4ce1141", + "minute": 55, + "mobile": { + "application": { + "category": "Communication", + "name": "Amazon" + }, + "dev": { + "type": "Google Android" + } + }, + "module": "Administration", + "month": "Oct", + "month_of_year": 10, + "nss": { + "service": { + "ip": "192.168.2.200" + } + }, + "obfuscated": { + "app_rule_label": "5300295980", + "bendwidth": { + "class_name": "10831489" + }, + "client": { + "ip": "6200694987", + "public": { + "ip": "624054738" + } + }, + "device": { + "host_name": "2168890624", + "name": "2175092224", + "owner": "10831489" + }, + "dlp": { + "dictionaries": "10831489", + "engine": "4094304256", + "rule": { + "name": "6857275752" + } + }, + "forward_gateway_name": "8794487099", + "login": "4094304256", + 
"rule": { + "name": "3399565100" + }, + "url": { + "category": "7956407282", + "filter_rule_label": "4951704103" + }, + "zpa_app_segment": "7648246731" + }, + "policy": { + "reason": "Blocked" + }, + "product_version": "5.0.902.95524_04", + "prototype": "SSL", + "reason": "File Attachment Cautioned", + "record": { + "id": "123456781" + }, + "redirect_policy_name": "FWD_Rule_1", + "referer": { + "host": "www.example.com for http://www.example.com/index.html", + "name": "www.example.com" + }, + "request": { + "header_size": 300, + "method": "invalid", + "payload": 1000, + "size": 1300, + "version": "1.1" + }, + "response": { + "code": "100", + "header_size": 500, + "payload": 10000, + "size": 10500, + "version": "1" + }, + "risk": { + "score": 10.0 + }, + "rule": { + "name": "URL_Filtering_1", + "type": "File Type Control" + }, + "second": 48, + "server": { + "certificate": { + "validation": { + "period": "Short" + } + }, + "certificate_validation_chain": "Unknown", + "certificate_validation_type": "EV (Extended Validation)", + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "ip": "1.128.0.2", + "ocsp_result": "Good", + "tls_version": "SSL2", + "wildcard_certificate": "Unknown" + }, + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c", + "ssl_decrypted": "Yes", + "threat": { + "name": "EICAR Test File", + "severity": "Critical (90–100)" + }, + "throttle": { + "request_size": 5, + "response_size": 7 + }, + "time": "2023-10-18T23:55:48.000Z", + "timezone": "GMT", + "total": { + "size": 11800 + }, + "traffic_redirect_method": "DNAT (Destination Translation)", + "unscannable": { + "type": "Encrypted File" + }, + "upload": { + "doc": { + "type_name": "Corporate Finance" + }, + "file": { + "class": "upload_fileclass", + "name": "nssfeed.exe", + "subtype": "rar", + "type": "RAR Files" + } + }, + "url": { + "category": { + "sub": "Entertainment", + "super": "Travel" + }, + "category_method": "Database A", + "class": "Bandwidth 
Loss", + "filter_rule_label": "URL_Filtering_2", + "name": "www.example.com.com/params?Id=1&ts=2006-01-02T15:04:05Z07:00&user=65792&version=10.0.19041.1266" + }, + "user_agent": { + "class": "Firefox", + "name": "Mozilla/5.0", + "token": "Google Chrome (0.x)" + }, + "user_location_name": "userlocationname", + "year": 2023, + "z_tunnel_version": "ZTUNNEL_1_0", + "zpa_app_segment": "ZPA_test_app_segment" + } + } + }, + { + "@timestamp": "2023-10-18T23:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "domain": "mail.google.com", + "ip": "1.128.0.2" + }, + "device": { + "id": "2346", + "model": { + "identifier": "20L8S7WC10" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "allowed", + "category": [ + "web" + ], + "id": "123456781", + "kind": "event", + "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 18 23:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.2\",\"external_devid\":\"2346\",\"devicemodel\":\"20L8S7WC10\",\"action\":\"Allowed\",\"recordid\":123456781,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client 
Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"SSL\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"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\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM 
Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome 
(0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "reason": "File Attachment Cautioned", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "file": { + "extension": [ + "exe", + "rar" + ], + "hash": { + "md5": "196a3d797bfee07fe4596b69f4ce1141", + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + }, + "name": [ + "nssfeed.txt", + "nssfeed.exe" + ], + "type": "file" + }, + "host": { + "hostname": "PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734", + "name": "thinkpadsmith", + "os": { + "type": "ios", + "version": "Version 10.14.2 (Build 18C54)" + }, + "type": "Zscaler Client Connector" + }, + "http": { + "request": { + "bytes": 1300, + "method": "invalid", + "referrer": "www.example.com" + }, + "response": { + "bytes": 10500 + }, + "version": [ + "1.1", + "1" + ] + }, + "network": { + "protocol": "ssl" + }, + "organization": { + "name": "Zscaler" + }, + "related": { + "hash": [ + "154f149b1443fbfa8c121d13e5c019a1", + "196a3d797bfee07fe4596b69f4ce1141", + "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + ], + "hosts": [ + "thinkpadsmith", + "PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734" + ], + "ip": [ + "89.160.20.128", + "175.16.199.0", + "10.1.1.1", + "192.168.2.200", + "81.2.69.144", + "1.128.0.2" + ], + "user": [ + "jsmith", + "jdoe", + "jdoe@safemarch.com" + ] + }, + "rule": { + "name": [ + "File_Sharing_1", + "DLP_Rule_1", + "URL_Filtering_1", + "URL_Filtering_2" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "nat": { + "ip": "89.160.20.128" + }, + "port": 12345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { 
+ "indicator": { + "name": "196a3d797bfee07fe4596b69f4ce1141" + } + }, + "tls": { + "cipher": "SSL3_CK_RSA_NULL_MD5" + }, + "url": { + "domain": "www.youtube.com", + "full": "https://www.youtube.com/api/stats/abcd?afmt=251&bat=330.017:0.96:1&bh=330.017:121.264&bwe=330.017:7458601&bwm=330.017:2407754:0.844&c=WEB&cbr=Edge Chromium&cbrver=115.0.0.0&cl=655399956&cmt=330.017:328.837&cos=Windows&cosver=10.0&cplatform=DESKTOP&cplayer=UNIPLAYER&cpn=FUB73SQWxSHKADxvJ&cver=2.20240724.03.00&docid=WVhG_sNVLasD&el=detailpage&fexp=v1,23848225,137802,18617,204121,230596,222097,16229,133212,14625955,11684381,7222,14207,9859,12177,9954,1192,7913,18310,273,4147,2819,2,16344,1424,19204,9948,2196,9996,19,2,1082,6953,101,1401,9542,2471,3292,2716,1538,723,2575,9567,1375,3761,4162,8610,173,201,10406,321,148,2,343,1783,14,1322,50,621,702,1062,1769,1823,896,2291,2912,7568,342&fmt=398&ns=yt&referrer=https://www.youtube.com/watch?v=isa90_67as&sdetail=rv:isa89_68ad&seq=13&sourceid=yw&vps=330.017:PL", + "original": "https://www.youtube.com/api/stats/abcd?afmt=251&bat=330.017:0.96:1&bh=330.017:121.264&bwe=330.017:7458601&bwm=330.017:2407754:0.844&c=WEB&cbr=Edge Chromium&cbrver=115.0.0.0&cl=655399956&cmt=330.017:328.837&cos=Windows&cosver=10.0&cplatform=DESKTOP&cplayer=UNIPLAYER&cpn=FUB73SQWxSHKADxvJ&cver=2.20240724.03.00&docid=WVhG_sNVLasD&el=detailpage&fexp=v1,23848225,137802,18617,204121,230596,222097,16229,133212,14625955,11684381,7222,14207,9859,12177,9954,1192,7913,18310,273,4147,2819,2,16344,1424,19204,9948,2196,9996,19,2,1082,6953,101,1401,9542,2471,3292,2716,1538,723,2575,9567,1375,3761,4162,8610,173,201,10406,321,148,2,343,1783,14,1322,50,621,702,1062,1769,1823,896,2291,2912,7568,342&fmt=398&ns=yt&referrer=https://www.youtube.com/watch?v=isa90_67as&sdetail=rv:isa89_68ad&seq=13&sourceid=yw&vps=330.017:PL", + "path": "/api/stats/abcd", + "query": "afmt=251&bat=330.017:0.96:1&bh=330.017:121.264&bwe=330.017:7458601&bwm=330.017:2407754:0.844&c=WEB&cbr=Edge 
Chromium&cbrver=115.0.0.0&cl=655399956&cmt=330.017:328.837&cos=Windows&cosver=10.0&cplatform=DESKTOP&cplayer=UNIPLAYER&cpn=FUB73SQWxSHKADxvJ&cver=2.20240724.03.00&docid=WVhG_sNVLasD&el=detailpage&fexp=v1,23848225,137802,18617,204121,230596,222097,16229,133212,14625955,11684381,7222,14207,9859,12177,9954,1192,7913,18310,273,4147,2819,2,16344,1424,19204,9948,2196,9996,19,2,1082,6953,101,1401,9542,2471,3292,2716,1538,723,2575,9567,1375,3761,4162,8610,173,201,10406,321,148,2,343,1783,14,1322,50,621,702,1062,1769,1823,896,2291,2912,7568,342&fmt=398&ns=yt&referrer=https://www.youtube.com/watch?v=isa90_67as&sdetail=rv:isa89_68ad&seq=13&sourceid=yw&vps=330.017:PL", + "scheme": "https" + }, + "user": { + "domain": "safemarch.com", + "email": "jdoe@safemarch.com", + "name": "jdoe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0" + }, + "zscaler_zia": { + "web": { + "action": "Allowed", + "alpn_protocol": "FTP", + "app": { + "class": "Administration", + "name": "Adobe Connect", + "risk_score": "1", + "rule_label": "File_Sharing_1" + }, + "bandwidth_class_name": "Entertainment", + "bandwidth_rule_name": "Office 365", + "bandwidth_throttle": "Yes", + "bypassed": { + "time": "2023-10-16T22:55:48.000Z", + "traffic": "1" + }, + "client": { + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "internet": { + "ip": "89.160.20.128" + }, + "ip": "81.2.69.144", + "public_ip": "175.16.199.0", + "source_port": 12345, + "ssl": { + "fail_count": 100, + "fail_reason": "Bad Record Mac" + }, + "tls_version": "SSL2" + }, + "cloud_name": "zscaler.net", + "company": "Zscaler", + "content_type": "application/vnd_apple_keynote", + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "Sales", + "device": { + "appversion": "1.128.0.1", + "hostname": "THINKPADSMITH", + "model": "20L8S7WC10", + "name": 
"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734", + "os": { + "type": "iOS", + "version": "Version 10.14.2 (Build 18C54)" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "df": { + "host": { + "head": "df_hosthead", + "name": "df_hostname" + } + }, + "dlp": { + "dictionaries": { + "hit_count": "4", + "name": "Credit Cards" + }, + "engine": "HIPAA", + "identifier": "6646484838839026000", + "md5": "154f149b1443fbfa8c121d13e5c019a1", + "rule": { + "name": "DLP_Rule_1" + } + }, + "eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "external": { + "device": { + "id": "2346" + } + }, + "file": { + "class": "Active Web Contents", + "name": "nssfeed.txt", + "subtype": "exe", + "type": "RAR Files" + }, + "flow_type": "Direct", + "forward_gateway": { + "ip": "10.1.1.1", + "name": "FWD_1" + }, + "forward_type": "Direct", + "host": "mail.google.com", + "hour": 22, + "is_ssl_certificate_expired": "Yes", + "is_ssl_certificate_selfsigned": "Yes", + "is_ssl_certificate_untrusted": "Pass", + "key_protection_type": "HSM Protection", + "location": "Headquarters", + "login": "jdoe@safemarch.com", + "malware": { + "category": "Adware", + "class": "Sandbox" + }, + "md5_hash": "196a3d797bfee07fe4596b69f4ce1141", + "minute": 55, + "mobile": { + "application": { + "category": "Communication", + "name": "Amazon" + }, + "dev": { + "type": "Google Android" + } + }, + "module": "Administration", + "month": "Oct", + "month_of_year": 10, + "nss": { + "service": { + "ip": "192.168.2.200" + } + }, + "obfuscated": { + "app_rule_label": "5300295980", + "bendwidth": { + "class_name": "10831489" + }, + "client": { + "ip": "6200694987", + "public": { + "ip": "624054738" + } + }, + "device": { + "host_name": "2168890624", + "name": "2175092224", + "owner": "10831489" + }, + "dlp": { + "dictionaries": "10831489", + "engine": "4094304256", + "rule": { + "name": "6857275752" + } + }, + "forward_gateway_name": "8794487099", + "login": "4094304256", + "rule": { + "name": 
"3399565100" + }, + "url": { + "category": "7956407282", + "filter_rule_label": "4951704103" + }, + "zpa_app_segment": "7648246731" + }, + "policy": { + "reason": "Blocked" + }, + "product_version": "5.0.902.95524_04", + "prototype": "SSL", + "reason": "File Attachment Cautioned", + "record": { + "id": "123456781" + }, + "redirect_policy_name": "FWD_Rule_1", + "referer": { + "host": "www.example.com for http://www.example.com/index.html", + "name": "www.example.com" + }, + "request": { + "header_size": 300, + "method": "invalid", + "payload": 1000, + "size": 1300, + "version": "1.1" + }, + "response": { + "code": "100", + "header_size": 500, + "payload": 10000, + "size": 10500, + "version": "1" + }, + "risk": { + "score": 10.0 + }, + "rule": { + "name": "URL_Filtering_1", + "type": "File Type Control" + }, + "second": 48, + "server": { + "certificate": { + "validation": { + "period": "Short" + } + }, + "certificate_validation_chain": "Unknown", + "certificate_validation_type": "EV (Extended Validation)", + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "ip": "1.128.0.2", + "ocsp_result": "Good", + "tls_version": "SSL2", + "wildcard_certificate": "Unknown" + }, + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c", + "ssl_decrypted": "Yes", + "threat": { + "name": "EICAR Test File", + "severity": "Critical (90–100)" + }, + "throttle": { + "request_size": 5, + "response_size": 7 + }, + "time": "2023-10-18T23:55:48.000Z", + "timezone": "GMT", + "total": { + "size": 11800 + }, + "traffic_redirect_method": "DNAT (Destination Translation)", + "unscannable": { + "type": "Encrypted File" + }, + "upload": { + "doc": { + "type_name": "Corporate Finance" + }, + "file": { + "class": "upload_fileclass", + "name": "nssfeed.exe", + "subtype": "rar", + "type": "RAR Files" + } + }, + "url": { + "category": { + "sub": "Entertainment", + "super": "Travel" + }, + "category_method": "Database A", + "class": "Bandwidth Loss", + 
"filter_rule_label": "URL_Filtering_2", + "name": "www.youtube.com/api/stats/abcd?afmt=251&bat=330.017:0.96:1&bh=330.017:121.264&bwe=330.017:7458601&bwm=330.017:2407754:0.844&c=WEB&cbr=Edge Chromium&cbrver=115.0.0.0&cl=655399956&cmt=330.017:328.837&cos=Windows&cosver=10.0&cplatform=DESKTOP&cplayer=UNIPLAYER&cpn=FUB73SQWxSHKADxvJ&cver=2.20240724.03.00&docid=WVhG_sNVLasD&el=detailpage&fexp=v1,23848225,137802,18617,204121,230596,222097,16229,133212,14625955,11684381,7222,14207,9859,12177,9954,1192,7913,18310,273,4147,2819,2,16344,1424,19204,9948,2196,9996,19,2,1082,6953,101,1401,9542,2471,3292,2716,1538,723,2575,9567,1375,3761,4162,8610,173,201,10406,321,148,2,343,1783,14,1322,50,621,702,1062,1769,1823,896,2291,2912,7568,342&fmt=398&ns=yt&referrer=https://www.youtube.com/watch?v=isa90_67as&sdetail=rv:isa89_68ad&seq=13&sourceid=yw&vps=330.017:PL" + }, + "user_agent": { + "class": "Firefox", + "name": "Mozilla/5.0", + "token": "Google Chrome (0.x)" + }, + "user_location_name": "userlocationname", + "year": 2023, + "z_tunnel_version": "ZTUNNEL_1_0", + "zpa_app_segment": "ZPA_test_app_segment" + } + } + }, + { + "@timestamp": "2023-10-20T22:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "domain": "mail.google.com", + "ip": "1.128.0.4" + }, + "device": { + "id": "2347", + "model": { + "identifier": "20L8S7WC12" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "allowed", + "category": [ + "web" + ], + "id": "123456782", + "kind": "event", + "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 20 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.4\",\"external_devid\":\"2347\",\"devicemodel\":\"20L8S7WC12\",\"action\":\"Allowed\",\"recordid\":123456782,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical 
(90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"device%5CrN%40me\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LmV4YW1wbGUuY29tOjQ0Mw==\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node 
DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended 
Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "reason": "File Attachment Cautioned", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "file": { + "extension": [ + "exe", + "rar" + ], + "hash": { + "md5": "196a3d797bfee07fe4596b69f4ce1141", + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + }, + "name": [ + "nssfeed.txt", + "nssfeed.exe" + ], + "type": "file" + }, + "host": { + "hostname": "device\\rN@me", + "name": "thinkpadsmith", + "os": { + "type": "ios", + "version": "Version 10.14.2 (Build 18C54)" + }, + "type": "Zscaler Client Connector" + }, + "http": { + "request": { + "bytes": 1300, + "method": "invalid", + "referrer": "www.example.com/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc" + }, + "response": { + "bytes": 10500 + }, + "version": [ + "1.1", + "1" + ] + }, + "network": { + "protocol": "https" + }, + "organization": { + "name": "Zscaler" + }, + "related": { + "hash": [ + "154f149b1443fbfa8c121d13e5c019a1", + "196a3d797bfee07fe4596b69f4ce1141", + "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + ], + "hosts": [ + 
"thinkpadsmith", + "device\\rN@me" + ], + "ip": [ + "89.160.20.128", + "175.16.199.0", + "10.1.1.1", + "192.168.2.200", + "81.2.69.144", + "1.128.0.4" + ], + "user": [ + "jsmith", + "jdoe", + "jdoe@safemarch.com" + ] + }, + "rule": { + "name": [ + "File_Sharing_1", + "DLP_Rule_1", + "URL_Filtering_1", + "URL_Filtering_2" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "nat": { + "ip": "89.160.20.128" + }, + "port": 12345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "196a3d797bfee07fe4596b69f4ce1141" + } + }, + "tls": { + "cipher": "SSL3_CK_RSA_NULL_MD5" + }, + "url": { + "domain": "www.example.com", + "full": "https://www.example.com:443", + "original": "https://www.example.com:443", + "port": 443, + "scheme": "https" + }, + "user": { + "domain": "safemarch.com", + "email": "jdoe@safemarch.com", + "name": "jdoe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0" + }, + "zscaler_zia": { + "web": { + "action": "Allowed", + "alpn_protocol": "FTP", + "app": { + "class": "Administration", + "name": "Adobe Connect", + "risk_score": "1", + "rule_label": "File_Sharing_1" + }, + "bandwidth_class_name": "Entertainment", + "bandwidth_rule_name": "Office 365", + "bandwidth_throttle": "Yes", + "bypassed": { + "time": "2023-10-16T22:55:48.000Z", + "traffic": "1" + }, + "client": { + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "internet": { + "ip": "89.160.20.128" + }, + "ip": "81.2.69.144", + "public_ip": "175.16.199.0", + "source_port": 12345, + "ssl": { + "fail_count": 100, + "fail_reason": "Bad Record Mac" + }, + "tls_version": "SSL2" + }, + "cloud_name": "zscaler.net", + 
"company": "Zscaler", + "content_type": "application/vnd_apple_keynote", + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "Sales", + "device": { + "appversion": "1.128.0.1", + "hostname": "THINKPADSMITH", + "model": "20L8S7WC12", + "name": "device\\rN@me", + "os": { + "type": "iOS", + "version": "Version 10.14.2 (Build 18C54)" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "df": { + "host": { + "head": "df_hosthead", + "name": "df_hostname" + } + }, + "dlp": { + "dictionaries": { + "hit_count": "4", + "name": "Credit Cards" + }, + "engine": "HIPAA", + "identifier": "6646484838839026000", + "md5": "154f149b1443fbfa8c121d13e5c019a1", + "rule": { + "name": "DLP_Rule_1" + } + }, + "eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "external": { + "device": { + "id": "2347" + } + }, + "file": { + "class": "Active Web Contents", + "name": "nssfeed.txt", + "subtype": "exe", + "type": "RAR Files" + }, + "flow_type": "Direct", + "forward_gateway": { + "ip": "10.1.1.1", + "name": "FWD_1" + }, + "forward_type": "Direct", + "host": "mail.google.com", + "hour": 22, + "is_ssl_certificate_expired": "Yes", + "is_ssl_certificate_selfsigned": "Yes", + "is_ssl_certificate_untrusted": "Pass", + "key_protection_type": "HSM Protection", + "location": "Headquarters", + "login": "jdoe@safemarch.com", + "malware": { + "category": "Adware", + "class": "Sandbox" + }, + "md5_hash": "196a3d797bfee07fe4596b69f4ce1141", + "minute": 55, + "mobile": { + "application": { + "category": "Communication", + "name": "Amazon" + }, + "dev": { + "type": "Google Android" + } + }, + "module": "Administration", + "month": "Oct", + "month_of_year": 10, + "nss": { + "service": { + "ip": "192.168.2.200" + } + }, + "obfuscated": { + "app_rule_label": "5300295980", + "bendwidth": { + "class_name": "10831489" + }, + "client": { + "ip": "6200694987", + "public": { + "ip": "624054738" + } + 
}, + "device": { + "host_name": "2168890624", + "name": "2175092224", + "owner": "10831489" + }, + "dlp": { + "dictionaries": "10831489", + "engine": "4094304256", + "rule": { + "name": "6857275752" + } + }, + "forward_gateway_name": "8794487099", + "login": "4094304256", + "rule": { + "name": "3399565100" + }, + "url": { + "category": "7956407282", + "filter_rule_label": "4951704103" + }, + "zpa_app_segment": "7648246731" + }, + "policy": { + "reason": "Blocked" + }, + "product_version": "5.0.902.95524_04", + "prototype": "HTTPS", + "reason": "File Attachment Cautioned", + "record": { + "id": "123456782" + }, + "redirect_policy_name": "FWD_Rule_1", + "referer": { + "host": "www.example.com for http://www.example.com/index.html", + "name": "www.example.com/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc" + }, + "request": { + "header_size": 300, + "method": "invalid", + "payload": 1000, + "size": 1300, + "version": "1.1" + }, + "response": { + "code": "100", + "header_size": 500, + "payload": 10000, + "size": 10500, + "version": "1" + }, + "risk": { + "score": 10.0 + }, + "rule": { + "name": "URL_Filtering_1", + "type": "File Type Control" + }, + "second": 48, + "server": { + "certificate": { + "validation": { + "period": "Short" + } + }, + "certificate_validation_chain": "Unknown", + "certificate_validation_type": "EV (Extended Validation)", + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "ip": "1.128.0.4", + "ocsp_result": "Good", + "tls_version": "SSL2", + "wildcard_certificate": "Unknown" + }, + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c", + "ssl_decrypted": "Yes", + "threat": { + "name": "EICAR Test File", + "severity": "Critical (90–100)" + }, + "throttle": { + "request_size": 5, + "response_size": 7 + }, + "time": "2023-10-20T22:55:48.000Z", + "timezone": "GMT", + "total": { + "size": 11800 + }, + "traffic_redirect_method": "DNAT 
(Destination Translation)", + "unscannable": { + "type": "Encrypted File" + }, + "upload": { + "doc": { + "type_name": "Corporate Finance" + }, + "file": { + "class": "upload_fileclass", + "name": "nssfeed.exe", + "subtype": "rar", + "type": "RAR Files" + } + }, + "url": { + "category": { + "sub": "Entertainment", + "super": "Travel" + }, + "category_method": "Database A", + "class": "Bandwidth Loss", + "filter_rule_label": "URL_Filtering_2", + "name": "www.example.com:443" + }, + "user_agent": { + "class": "Firefox", + "name": "Mozilla/5.0", + "token": "Google Chrome (0.x)" + }, + "user_location_name": "userlocationname", + "year": 2023, + "z_tunnel_version": "ZTUNNEL_1_0", + "zpa_app_segment": "ZPA_test_app_segment" + } + } + }, + { + "@timestamp": "2023-10-20T22:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "domain": "mail.google.com", + "ip": "1.128.0.4" + }, + "device": { + "id": "2347", + "model": { + "identifier": "20L8S7WC12" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "allowed", + "category": [ + "web" + ], + "id": "123456782", + "kind": "event", + "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 20 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.4\",\"external_devid\":\"2347\",\"devicemodel\":\"20L8S7WC12\",\"action\":\"Allowed\",\"recordid\":123456782,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed%.txt\",\"upload_filename\":\"nssfeed%.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"device%5CrN%40me\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client 
Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"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\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web 
Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR 
Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "reason": "File Attachment Cautioned", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "file": { + "extension": [ + "exe", + "rar" + ], + "hash": { + "md5": "196a3d797bfee07fe4596b69f4ce1141", + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + }, + "name": [ + "nssfeed%.txt", + "nssfeed%.exe" + ], + "type": "file" + }, + "host": { + "hostname": "device\\rN@me", + "name": "thinkpadsmith", + "os": { + "type": "ios", + "version": "Version 10.14.2 (Build 18C54)" + }, + "type": "Zscaler Client Connector" + }, + "http": { + "request": { + "bytes": 1300, + "method": "invalid", + "referrer": "www.example.com/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc" + }, + "response": { + "bytes": 10500 + }, + "version": [ + "1.1", + "1" + ] + }, + "network": { + "protocol": "https" + }, + "organization": { + "name": "Zscaler" + }, + "related": { + "hash": [ + "154f149b1443fbfa8c121d13e5c019a1", + "196a3d797bfee07fe4596b69f4ce1141", + "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + ], + "hosts": [ + "thinkpadsmith", + "device\\rN@me" + ], + "ip": [ + "89.160.20.128", + "175.16.199.0", + "10.1.1.1", + "192.168.2.200", + "81.2.69.144", + "1.128.0.4" + ], + "user": [ + "jsmith", + "jdoe", + "jdoe@safemarch.com" + ] + }, + "rule": { + "name": [ + "File_Sharing_1", + "DLP_Rule_1", + "URL_Filtering_1", + "URL_Filtering_2" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": 
-0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "nat": { + "ip": "89.160.20.128" + }, + "port": 12345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "196a3d797bfee07fe4596b69f4ce1141" + } + }, + "tls": { + "cipher": "SSL3_CK_RSA_NULL_MD5" + }, + "url": { + "domain": "t.coupons.com", + "extension": "php", + "fragment": "FFFFFF\",\"promoEndDate\":null,\"customField1\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\"}&linkUrl=https://www.coupons.com/daily-sales/72-hour-clearout&linkText=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&textColor=#FFFFFF&promoEndDate=&customField1=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&pageId=×tamp=1724682777198", + "full": "https://t.coupons.com/b.php?transactionId=I/tsId==&eventType=ElementInView&elementName=TN_SWB&objects={\"linkUrl\":\"https://www.coupons.com/daily-sales/72-hour-clearout\",\"linkText\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\",\"textColor\":\"#FFFFFF\",\"promoEndDate\":null,\"customField1\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\"}&linkUrl=https://www.coupons.com/daily-sales/72-hour-clearout&linkText=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&textColor=#FFFFFF&promoEndDate=&customField1=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&pageId=×tamp=1724682777198", + "original": "https://t.coupons.com/b.php?transactionId=I/tsId==&eventType=ElementInView&elementName=TN_SWB&objects={\"linkUrl\":\"https://www.coupons.com/daily-sales/72-hour-clearout\",\"linkText\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\",\"textColor\":\"#FFFFFF\",\"promoEndDate\":null,\"customField1\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\"}&linkUrl=https://www.coupons.com/daily-sales/72-hour-clearout&linkText=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&textColor=#FFFFFF&promoEndDate=&customField1=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&pageId=×tamp=1724682777198", + "path": "/b.php", 
+ "query": "transactionId=I/tsId==&eventType=ElementInView&elementName=TN_SWB&objects={\"linkUrl\":\"https://www.coupons.com/daily-sales/72-hour-clearout\",\"linkText\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\",\"textColor\":\"", + "scheme": "https" + }, + "user": { + "domain": "safemarch.com", + "email": "jdoe@safemarch.com", + "name": "jdoe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0" + }, + "zscaler_zia": { + "web": { + "action": "Allowed", + "alpn_protocol": "FTP", + "app": { + "class": "Administration", + "name": "Adobe Connect", + "risk_score": "1", + "rule_label": "File_Sharing_1" + }, + "bandwidth_class_name": "Entertainment", + "bandwidth_rule_name": "Office 365", + "bandwidth_throttle": "Yes", + "bypassed": { + "time": "2023-10-16T22:55:48.000Z", + "traffic": "1" + }, + "client": { + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "internet": { + "ip": "89.160.20.128" + }, + "ip": "81.2.69.144", + "public_ip": "175.16.199.0", + "source_port": 12345, + "ssl": { + "fail_count": 100, + "fail_reason": "Bad Record Mac" + }, + "tls_version": "SSL2" + }, + "cloud_name": "zscaler.net", + "company": "Zscaler", + "content_type": "application/vnd_apple_keynote", + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "Sales", + "device": { + "appversion": "1.128.0.1", + "hostname": "THINKPADSMITH", + "model": "20L8S7WC12", + "name": "device\\rN@me", + "os": { + "type": "iOS", + "version": "Version 10.14.2 (Build 18C54)" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "df": { + "host": { + "head": "df_hosthead", + "name": "df_hostname" + } + }, + "dlp": { + "dictionaries": { + "hit_count": "4", + "name": "Credit Cards" + }, + "engine": "HIPAA", + "identifier": "6646484838839026000", + "md5": "154f149b1443fbfa8c121d13e5c019a1", + "rule": { + "name": "DLP_Rule_1" + } + }, + 
"eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "external": { + "device": { + "id": "2347" + } + }, + "file": { + "class": "Active Web Contents", + "name": "nssfeed%.txt", + "subtype": "exe", + "type": "RAR Files" + }, + "flow_type": "Direct", + "forward_gateway": { + "ip": "10.1.1.1", + "name": "FWD_1" + }, + "forward_type": "Direct", + "host": "mail.google.com", + "hour": 22, + "is_ssl_certificate_expired": "Yes", + "is_ssl_certificate_selfsigned": "Yes", + "is_ssl_certificate_untrusted": "Pass", + "key_protection_type": "HSM Protection", + "location": "Headquarters", + "login": "jdoe@safemarch.com", + "malware": { + "category": "Adware", + "class": "Sandbox" + }, + "md5_hash": "196a3d797bfee07fe4596b69f4ce1141", + "minute": 55, + "mobile": { + "application": { + "category": "Communication", + "name": "Amazon" + }, + "dev": { + "type": "Google Android" + } + }, + "module": "Administration", + "month": "Oct", + "month_of_year": 10, + "nss": { + "service": { + "ip": "192.168.2.200" + } + }, + "obfuscated": { + "app_rule_label": "5300295980", + "bendwidth": { + "class_name": "10831489" + }, + "client": { + "ip": "6200694987", + "public": { + "ip": "624054738" + } + }, + "device": { + "host_name": "2168890624", + "name": "2175092224", + "owner": "10831489" + }, + "dlp": { + "dictionaries": "10831489", + "engine": "4094304256", + "rule": { + "name": "6857275752" + } + }, + "forward_gateway_name": "8794487099", + "login": "4094304256", + "rule": { + "name": "3399565100" + }, + "url": { + "category": "7956407282", + "filter_rule_label": "4951704103" + }, + "zpa_app_segment": "7648246731" + }, + "policy": { + "reason": "Blocked" + }, + "product_version": "5.0.902.95524_04", + "prototype": "HTTPS", + "reason": "File Attachment Cautioned", + "record": { + "id": "123456782" + }, + "redirect_policy_name": "FWD_Rule_1", + "referer": { + "host": "www.example.com for http://www.example.com/index.html", + "name": 
"www.example.com/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc" + }, + "request": { + "header_size": 300, + "method": "invalid", + "payload": 1000, + "size": 1300, + "version": "1.1" + }, + "response": { + "code": "100", + "header_size": 500, + "payload": 10000, + "size": 10500, + "version": "1" + }, + "risk": { + "score": 10.0 + }, + "rule": { + "name": "URL_Filtering_1", + "type": "File Type Control" + }, + "second": 48, + "server": { + "certificate": { + "validation": { + "period": "Short" + } + }, + "certificate_validation_chain": "Unknown", + "certificate_validation_type": "EV (Extended Validation)", + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "ip": "1.128.0.4", + "ocsp_result": "Good", + "tls_version": "SSL2", + "wildcard_certificate": "Unknown" + }, + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c", + "ssl_decrypted": "Yes", + "threat": { + "name": "EICAR Test File", + "severity": "Critical (90–100)" + }, + "throttle": { + "request_size": 5, + "response_size": 7 + }, + "time": "2023-10-20T22:55:48.000Z", + "timezone": "GMT", + "total": { + "size": 11800 + }, + "traffic_redirect_method": "DNAT (Destination Translation)", + "unscannable": { + "type": "Encrypted File" + }, + "upload": { + "doc": { + "type_name": "Corporate Finance" + }, + "file": { + "class": "upload_fileclass", + "name": "nssfeed%.exe", + "subtype": "rar", + "type": "RAR Files" + } + }, + "url": { + "category": { + "sub": "Entertainment", + "super": "Travel" + }, + "category_method": "Database A", + "class": "Bandwidth Loss", + "filter_rule_label": "URL_Filtering_2", + "name": 
"t.coupons.com/b.php?transactionId=I/tsId==&eventType=ElementInView&elementName=TN_SWB&objects={\"linkUrl\":\"https://www.coupons.com/daily-sales/72-hour-clearout\",\"linkText\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\",\"textColor\":\"#FFFFFF\",\"promoEndDate\":null,\"customField1\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\"}&linkUrl=https://www.coupons.com/daily-sales/72-hour-clearout&linkText=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&textColor=#FFFFFF&promoEndDate=&customField1=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&pageId=×tamp=1724682777198" + }, + "user_agent": { + "class": "Firefox", + "name": "Mozilla/5.0", + "token": "Google Chrome (0.x)" + }, + "user_location_name": "userlocationname", + "year": 2023, + "z_tunnel_version": "ZTUNNEL_1_0", + "zpa_app_segment": "ZPA_test_app_segment" + } + } + }, + { + "@timestamp": "2023-10-20T22:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "domain": "mail.google.com", + "ip": "1.128.0.4" + }, + "device": { + "id": "2347", + "model": { + "identifier": "20L8S7WC12" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "allowed", + "category": [ + "web" + ], + "id": "123456782", + "kind": "event", + "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 20 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.4\",\"external_devid\":\"2347\",\"devicemodel\":\"20L8S7WC12\",\"action\":\"Allowed\",\"recordid\":123456782,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR 
Files\",\"devicename\":\"device%5CrN%40me\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"ZXhhbXBsZS5jb20vP3BhcnRuZXI9MjcxJnNtYXJ0bWFwPTEmcmVkaXJlY3Q9aHR0cHM6Ly9leGFtcGxlLmNvbS9zZXR1aWQ/ZW50aXR5PTE0NSZjb2RlPSVfcmlk\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit 
Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination 
Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "reason": "File Attachment Cautioned", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "file": { + "extension": [ + "exe", + "rar" + ], + "hash": { + "md5": "196a3d797bfee07fe4596b69f4ce1141", + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + }, + "name": [ + "nssfeed.txt", + "nssfeed.exe" + ], + "type": "file" + }, + "host": { + "hostname": "device\\rN@me", + "name": "thinkpadsmith", + "os": { + "type": "ios", + "version": "Version 10.14.2 (Build 18C54)" + }, + "type": "Zscaler Client Connector" + }, + "http": { + "request": { + "bytes": 1300, + "method": "invalid", + "referrer": "www.example.com/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc" + }, + "response": { + "bytes": 10500 + }, + "version": [ + "1.1", + "1" + ] + }, + "network": { + "protocol": "https" + }, + "organization": { + "name": "Zscaler" + }, + "related": { + "hash": [ + "154f149b1443fbfa8c121d13e5c019a1", + "196a3d797bfee07fe4596b69f4ce1141", + "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + ], + "hosts": [ + "thinkpadsmith", + "device\\rN@me" + ], + "ip": [ + "89.160.20.128", + "175.16.199.0", + "10.1.1.1", + "192.168.2.200", + "81.2.69.144", + "1.128.0.4" + ], + "user": [ + "jsmith", + "jdoe" + ] + }, + "rule": { + "name": [ + "File_Sharing_1", + "DLP_Rule_1", + "URL_Filtering_1", + "URL_Filtering_2" + ] + }, + "source": { + "geo": { + "city_name": "London", + 
"continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "nat": { + "ip": "89.160.20.128" + }, + "port": 12345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "196a3d797bfee07fe4596b69f4ce1141" + } + }, + "tls": { + "cipher": "SSL3_CK_RSA_NULL_MD5" + }, + "url": { + "domain": "example.com", + "full": "https://example.com/?partner=271&smartmap=1&redirect=https://example.com/setuid?entity=145&code=%_rid", + "original": "https://example.com/?partner=271&smartmap=1&redirect=https://example.com/setuid?entity=145&code=%_rid", + "path": "/", + "query": "partner=271&smartmap=1&redirect=https://example.com/setuid?entity=145&code=%_rid", + "scheme": "https" + }, + "user": { + "name": "jdoe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0" + }, + "zscaler_zia": { + "web": { + "action": "Allowed", + "alpn_protocol": "FTP", + "app": { + "class": "Administration", + "name": "Adobe Connect", + "risk_score": "1", + "rule_label": "File_Sharing_1" + }, + "bandwidth_class_name": "Entertainment", + "bandwidth_rule_name": "Office 365", + "bandwidth_throttle": "Yes", + "bypassed": { + "time": "2023-10-16T22:55:48.000Z", + "traffic": "1" + }, + "client": { + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "internet": { + "ip": "89.160.20.128" + }, + "ip": "81.2.69.144", + "public_ip": "175.16.199.0", + "source_port": 12345, + "ssl": { + "fail_count": 100, + "fail_reason": "Bad Record Mac" + }, + "tls_version": "SSL2" + }, + "cloud_name": "zscaler.net", + "company": "Zscaler", + "content_type": "application/vnd_apple_keynote", + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + 
"department": "Sales", + "device": { + "appversion": "1.128.0.1", + "hostname": "THINKPADSMITH", + "model": "20L8S7WC12", + "name": "device\\rN@me", + "os": { + "type": "iOS", + "version": "Version 10.14.2 (Build 18C54)" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "df": { + "host": { + "head": "df_hosthead", + "name": "df_hostname" + } + }, + "dlp": { + "dictionaries": { + "hit_count": "4", + "name": "Credit Cards" + }, + "engine": "HIPAA", + "identifier": "6646484838839026000", + "md5": "154f149b1443fbfa8c121d13e5c019a1", + "rule": { + "name": "DLP_Rule_1" + } + }, + "eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "external": { + "device": { + "id": "2347" + } + }, + "file": { + "class": "Active Web Contents", + "name": "nssfeed.txt", + "subtype": "exe", + "type": "RAR Files" + }, + "flow_type": "Direct", + "forward_gateway": { + "ip": "10.1.1.1", + "name": "FWD_1" + }, + "forward_type": "Direct", + "host": "mail.google.com", + "hour": 22, + "is_ssl_certificate_expired": "Yes", + "is_ssl_certificate_selfsigned": "Yes", + "is_ssl_certificate_untrusted": "Pass", + "key_protection_type": "HSM Protection", + "location": "Headquarters", + "login": "jdoe", + "malware": { + "category": "Adware", + "class": "Sandbox" + }, + "md5_hash": "196a3d797bfee07fe4596b69f4ce1141", + "minute": 55, + "mobile": { + "application": { + "category": "Communication", + "name": "Amazon" + }, + "dev": { + "type": "Google Android" + } + }, + "module": "Administration", + "month": "Oct", + "month_of_year": 10, + "nss": { + "service": { + "ip": "192.168.2.200" + } + }, + "obfuscated": { + "app_rule_label": "5300295980", + "bendwidth": { + "class_name": "10831489" + }, + "client": { + "ip": "6200694987", + "public": { + "ip": "624054738" + } + }, + "device": { + "host_name": "2168890624", + "name": "2175092224", + "owner": "10831489" + }, + "dlp": { + "dictionaries": "10831489", + "engine": "4094304256", + "rule": { + "name": "6857275752" + } + }, + 
"forward_gateway_name": "8794487099", + "login": "4094304256", + "rule": { + "name": "3399565100" + }, + "url": { + "category": "7956407282", + "filter_rule_label": "4951704103" + }, + "zpa_app_segment": "7648246731" + }, + "policy": { + "reason": "Blocked" + }, + "product_version": "5.0.902.95524_04", + "prototype": "HTTPS", + "reason": "File Attachment Cautioned", + "record": { + "id": "123456782" + }, + "redirect_policy_name": "FWD_Rule_1", + "referer": { + "host": "www.example.com for http://www.example.com/index.html", + "name": "www.example.com/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc" + }, + "request": { + "header_size": 300, + "method": "invalid", + "payload": 1000, + "size": 1300, + "version": "1.1" + }, + "response": { + "code": "100", + "header_size": 500, + "payload": 10000, + "size": 10500, + "version": "1" + }, + "risk": { + "score": 10.0 + }, + "rule": { + "name": "URL_Filtering_1", + "type": "File Type Control" + }, + "second": 48, + "server": { + "certificate": { + "validation": { + "period": "Short" + } + }, + "certificate_validation_chain": "Unknown", + "certificate_validation_type": "EV (Extended Validation)", + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "ip": "1.128.0.4", + "ocsp_result": "Good", + "tls_version": "SSL2", + "wildcard_certificate": "Unknown" + }, + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c", + "ssl_decrypted": "Yes", + "threat": { + "name": "EICAR Test File", + "severity": "Critical (90–100)" + }, + "throttle": { + "request_size": 5, + "response_size": 7 + }, + "time": "2023-10-20T22:55:48.000Z", + "timezone": "GMT", + "total": { + "size": 11800 + }, + "traffic_redirect_method": "DNAT (Destination Translation)", + "unscannable": { + "type": "Encrypted File" + }, + "upload": { + "doc": { + "type_name": "Corporate Finance" + }, + "file": { + "class": "upload_fileclass", + "name": "nssfeed.exe", + 
"subtype": "rar", + "type": "RAR Files" + } + }, + "url": { + "category": { + "sub": "Entertainment", + "super": "Travel" + }, + "category_method": "Database A", + "class": "Bandwidth Loss", + "filter_rule_label": "URL_Filtering_2", + "name": "example.com/?partner=271&smartmap=1&redirect=https://example.com/setuid?entity=145&code=%_rid" + }, + "user_agent": { + "class": "Firefox", + "name": "Mozilla/5.0", + "token": "Google Chrome (0.x)" + }, + "user_location_name": "userlocationname", + "year": 2023, + "z_tunnel_version": "ZTUNNEL_1_0", + "zpa_app_segment": "ZPA_test_app_segment" + } + } + }, { "@timestamp": "2023-10-16T22:55:48.000Z", "cloud": { diff --git a/packages/zscaler_zia/data_stream/web/agent/stream/http_endpoint.yml.hbs b/packages/zscaler_zia/data_stream/web/agent/stream/http_endpoint.yml.hbs index f691a1cfe90..e1ac58a6bb7 100644 --- a/packages/zscaler_zia/data_stream/web/agent/stream/http_endpoint.yml.hbs +++ b/packages/zscaler_zia/data_stream/web/agent/stream/http_endpoint.yml.hbs @@ -28,6 +28,12 @@ publisher_pipeline.disable_host: true {{#if ssl}} ssl: {{ssl}} {{/if}} +{{#if strict_fields}} +fields_under_root: true +fields: + _conf: + strict_fields: true +{{/if}} {{#if processors}} processors: {{processors}} diff --git a/packages/zscaler_zia/data_stream/web/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/data_stream/web/agent/stream/tcp.yml.hbs index d8eb927edd6..2655bae4c06 100644 --- a/packages/zscaler_zia/data_stream/web/agent/stream/tcp.yml.hbs +++ b/packages/zscaler_zia/data_stream/web/agent/stream/tcp.yml.hbs @@ -18,6 +18,12 @@ publisher_pipeline.disable_host: true {{#if ssl}} ssl: {{ssl}} {{/if}} +{{#if strict_fields}} +fields_under_root: true +fields: + _conf: + strict_fields: true +{{/if}} {{#if processors}} processors: {{processors}} diff --git a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml index ceffcf247cf..1d0051361d9 100644 
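Review bot: The `_conf.strict_fields` key written here under `fields_under_root: true` is a control flag for the ingest pipeline, not event data, and nothing in the template says so; the identical block is added to tcp.yml.hbs in the next hunk. A one-line comment inside the `{{#if strict_fields}}` block in both templates would make the coupling visible to anyone editing either side: `# Control flag read by the ingest pipeline's strict template check; the pipeline removes it before indexing.`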
--- a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml 
@@ -37,6 +37,30 @@ processors: tag: rename_resp_event target_field: json ignore_missing: true + - script: + params: + expect: + fields: action|appclass|applayerprotocol|appname|appriskscore|apprulelabel|b64referer|b64url|bamd5|bandwidthclassname|bandwidthrulename|bwthrottle|bypassedtime|bypassedtraffic|cloudname|cltintip|cltip|cltpubip|cltsourceport|cltsslcipher|cltsslfailcount|cltsslfailreason|cltsslsessreuse|clttlsversion|company|contenttype|datacenter|datacentercity|datacentercountry|day|day_of_month|dept|deviceappversion|devicehostname|devicemodel|devicename|deviceostype|deviceosversion|deviceowner|devicetype|df_hosthead|df_hostname|dlpdict|dlpdicthitcount|dlpeng|dlpidentifier|dlpmd5|dlprulename|eedone|epochtime|external_devid|externalsslpolicyreason|fileclass|filename|filesubtype|filetype|flow_type|forward_gateway_ip|forward_gateway_name|forward_type|host|hour|is_sslexpiredca|is_sslselfsigned|is_ssluntrustedca|keyprotectiontype|location|login|malwarecategory|malwareclass|minute|mobappcategory|mobappname|mobdevtype|module|month|month_of_year|nssserviceip|oapprulelabel|obwclassname|ocip|ocpubip|odevicehostname|odevicename|odeviceowner|odlpdict|odlpeng|odlprulename|ofwd_gw_name|ologin|ordr_rulename|ourlcat|ourlfilterrulelabel|ozpa_app_seg_name|productversion|proto|rdr_rulename|reason|recordid|refererhost|reqdatasize|reqheadersize|reqmethod|reqsize|reqversion|respcode|respdatasize|respheadersize|respsize|respversion|riskscore|rulelabel|ruletype|second|serverip|serversslsessreuse|sha256|srvcertchainvalpass|srvcertvalidationtype|srvcertvalidityperiod|srvocspresult|srvsslcipher|srvtlsversion|srvwildcardcert|ssldecrypted|threatname|threatseverity|throttlereqsize|throttlerespsize|time|totalsize|trafficredirectmethod|tz|unscannabletype|upload_doctypename|upload_fileclass|upload_filename|upload_filesubtype|upload_filetype|urlcatmethod|urlclass|urlfilterrulelabel|urlsubcat|urlsupercat|useragent|useragentclass|useragenttoken|userlocationname|year|zpa_app_seg_name|ztunnelver
sion + version: v9 + if: ctx.json != null && ctx._conf?.strict_fields == true + source: |- + if (ctx.resp?.version == null) { + def fields = []; + for (e in ctx.json.entrySet()) { + fields.add(e.getKey()); + } + Collections.sort(fields); + String signature = String.join("|", fields); + if (signature != params.expect.fields) { + ctx.error = ctx.error ?: [:]; + ctx.error.message = ctx.error.message ?: []; + ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields"); + } + } else if (ctx.resp.version != params.expect.version) { + ctx.error = ctx.error ?: [:]; + ctx.error.message = ctx.error.message ?: []; + ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version"); + } - remove: field: resp tag: remove_resp @@ -1570,8 +1594,10 @@ processors: ignore_missing: true if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') - remove: - field: json - tag: remove_json + field: + - json + - _conf + tag: remove_unused ignore_missing: true - script: tag: script_to_drop_null_values diff --git a/packages/zscaler_zia/docs/README.md b/packages/zscaler_zia/docs/README.md index d6bf23222dd..47ab02b418b 100644 --- a/packages/zscaler_zia/docs/README.md +++ b/packages/zscaler_zia/docs/README.md 
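Review bot: `ctx.json.entrySet()` in the fallback branch assumes `json` is an object; if the upstream parse can leave a non-map value there (an array or scalar `event`), the script throws and fails the document instead of recording a mismatch, so the processor `if` should also require `ctx.json instanceof Map`. The mismatch message then embeds the whole joined key list (the expected signature alone is roughly 1.5 KB), which makes `error.message` hard to read and act on; reporting the set difference is more useful to an analyst and keeps the message bounded. Comparing as a set also removes the maintenance hazard of the hand-sorted `expect.fields` string, where a field appended out of order would silently break every comparison. The `version: v9` param should be cross-checked against what the README templates further down advertise (the Audit, DNS and Endpoint DLP hunks all emit `"version":"v1"`), since a stream whose expected version disagrees with its documented template would have strict mode flag every message.

```yaml
    - script:
        params:
          expect:
            fields: # … unchanged: pipe-joined expected field list …
            version: v9
        if: ctx.json instanceof Map && ctx._conf?.strict_fields == true
        source: |-
          if (ctx.resp?.version == null) {
            Set expected = new HashSet(Arrays.asList(params.expect.fields.splitOnToken('|')));
            Set present = new HashSet(ctx.json.keySet());
            if (!present.equals(expected)) {
              Set missing = new TreeSet(expected);
              missing.removeAll(present);
              Set unexpected = new TreeSet(present);
              unexpected.removeAll(expected);
              ctx.error = ctx.error ?: [:];
              ctx.error.message = ctx.error.message ?: [];
              ctx.error.message.add("field set mismatch: missing="+missing+" unexpected="+unexpected);
            }
          } else if (ctx.resp.version != params.expect.version) {
            // … unchanged: template version mismatch error …
          }
```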
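Review bot: `_conf` is dropped only on the success path of this remove processor; if an earlier processor fails and an `on_failure` handler indexes the document (that handler is outside this hunk, so I cannot see whether one exists), `_conf.strict_fields` remains in `_source` as an undocumented control field. If such a handler exists, adding `_conf` to the fields it removes would keep the agent-side flag out of indexed documents on both paths.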
@@ -121,12 +121,12 @@ See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/adding-cloud-ns Zscaler Audit Log response format (v1): ``` -\{"sourcetype":"zscalernss-audit","event":\{"time":"%s{time}","recordid":"%d{recordid}","action":"%s{action}","category":"%s{category}","subcategory":"%s{subcategory}","resource":"%s{resource}","interface":"%s{interface}","adminid":"%s{adminid}","clientip":"%s{clientip}","result":"%s{result}","errorcode":"%s{errorcode}","auditlogtype":"%s{auditlogtype}","preaction":%s{preaction},"postaction":%s{postaction}\}\} +\{"version":"v1","sourcetype":"zscalernss-audit","event":\{"time":"%s{time}","recordid":"%d{recordid}","action":"%s{action}","category":"%s{category}","subcategory":"%s{subcategory}","resource":"%s{resource}","interface":"%s{interface}","adminid":"%s{adminid}","clientip":"%s{clientip}","result":"%s{result}","errorcode":"%s{errorcode}","auditlogtype":"%s{auditlogtype}","preaction":%s{preaction},"postaction":%s{postaction}\}\} ``` Sample Response: ```json -{"sourcetype":"zscalernss-audit","event":{"time":"Mon Oct 16 22:55:48 2023","recordid":"1234","action":"Activate","category":"DATA_LOSS_PREVENTION_RESOURCE","subcategory":"DLP_DICTIONARY","resource":"SSL Rule Name","interface":"API","adminid":"example@zscaler.com","clientip":"89.160.20.112","result":"SUCCESS","errorcode":"AUTHENTICATION_FAILED","auditlogtype":"ZIA Portal Audit Log","timezone":"UTC","preaction":{},"postaction":{}}} +{"version":"v1","sourcetype":"zscalernss-audit","event":{"time":"Mon Oct 16 22:55:48 2023","recordid":"1234","action":"Activate","category":"DATA_LOSS_PREVENTION_RESOURCE","subcategory":"DLP_DICTIONARY","resource":"SSL Rule Name","interface":"API","adminid":"example@zscaler.com","clientip":"89.160.20.112","result":"SUCCESS","errorcode":"AUTHENTICATION_FAILED","auditlogtype":"ZIA Portal Audit Log","timezone":"UTC","preaction":{},"postaction":{}}} ``` ### DNS Log 
@@ -138,12 +138,12 @@ See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/nss-feed-output Zscaler DNS Log response format (v2): ``` -\{"sourcetype":"zscalernss-dns","event":\{"user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","clt_sip":"%s{cip}","cloudname":"%s{cloudname}","company":"%s{company}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","day_of_month":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","devicehostname":"%s{devicehostname}","devicemodel":"%s{devicemodel}","devicename":"%s{devicename}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","deviceowner":"%s{deviceowner}","devicetype":"%s{devicetype}","dnsapp":"%s{dnsapp}","dnsappcat":"%s{dnsappcat}","dns_gateway_status":"%s{dnsgw_flags}","dns_gateway_rule":"%s{dnsgw_slot}","dns_gateway_server_protocol":"%s{dnsgw_srv_proto}","category":"%s{domcat}","durationms":"%d{durationms}","ecs_prefix":"%s{ecs_prefix}","ecs_slot":"%s{ecs_slot}","epochtime":"%d{epochtime}","error":"%s{error}","hour":"%02d{hh}","http_code":"%s{http_code}","istcp":"%d{istcp}","loc":"%s{location}","login":"%s{login}","minutes":"%02d{mm}","month":"%s{mon}","month_of_year":"%02d{mth}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odomcat":"%s{odomcat}","protocol":"%s{protocol}","recordid":"%d{recordid}","dns_req":"%s{req}","reqaction":"%s{reqaction}","reqrulelabel":"%s{reqrulelabel}","dns_reqtype":"%s{reqtype}","dns_resp":"%s{res}","resaction":"%s{resaction}","respipcategory":"%s{respipcat}","resrulelabel":"%s{resrulelabel}","restype":"%s{restype}","srv_dip":"%s{sip}","srv_dport":"%d{sport}","second":"%02d{ss}","datetime":"%s{time}","tz":"%s{tz}","year":"%04d{yyyy}"\}\} 
+\{"version":"v1","sourcetype":"zscalernss-dns","event":\{"user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","clt_sip":"%s{cip}","cloudname":"%s{cloudname}","company":"%s{company}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","day_of_month":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","devicehostname":"%s{devicehostname}","devicemodel":"%s{devicemodel}","devicename":"%s{devicename}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","deviceowner":"%s{deviceowner}","devicetype":"%s{devicetype}","dnsapp":"%s{dnsapp}","dnsappcat":"%s{dnsappcat}","dns_gateway_status":"%s{dnsgw_flags}","dns_gateway_rule":"%s{dnsgw_slot}","dns_gateway_server_protocol":"%s{dnsgw_srv_proto}","category":"%s{domcat}","durationms":"%d{durationms}","ecs_prefix":"%s{ecs_prefix}","ecs_slot":"%s{ecs_slot}","epochtime":"%d{epochtime}","error":"%s{error}","hour":"%02d{hh}","http_code":"%s{http_code}","istcp":"%d{istcp}","loc":"%s{location}","login":"%s{login}","minutes":"%02d{mm}","month":"%s{mon}","month_of_year":"%02d{mth}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odomcat":"%s{odomcat}","protocol":"%s{protocol}","recordid":"%d{recordid}","dns_req":"%s{req}","reqaction":"%s{reqaction}","reqrulelabel":"%s{reqrulelabel}","dns_reqtype":"%s{reqtype}","dns_resp":"%s{res}","resaction":"%s{resaction}","respipcategory":"%s{respipcat}","resrulelabel":"%s{resrulelabel}","restype":"%s{restype}","srv_dip":"%s{sip}","srv_dport":"%d{sport}","second":"%02d{ss}","datetime":"%s{time}","tz":"%s{tz}","year":"%04d{yyyy}"\}\} ``` Sample Response: ```json -{"sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A 
record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"www.example.com","respipcategory":"Adult Themes","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} +{"version":"v1","sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google 
DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"www.example.com","respipcategory":"Adult Themes","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} ``` ### Endpoint DLP Log 
@@ -155,12 +155,12 @@ See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/nss-feed-output Zscaler Endpoint DLP Log response format (v1): ``` -\{"sourcetype":"zscalernss-edlp","event":\{"actiontaken":"%s{actiontaken}","activitytype":"%s{activitytype}","additionalinfo":"%s{addinfo}","channel":"%s{channel}","confirmaction":"%s{confirmaction}","confirmjustification":"%s{confirmjust}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","day":"%s{day}","dd":"%02d{dd}","department":"%s{department}","deviceappversion":"%s{deviceappversion}","devicehostname":"%s{devicehostname}","devicemodel":"%s{devicemodel}","devicename":"%s{devicename}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","deviceowner":"%s{deviceowner}","deviceplatform":"%s{deviceplatform}","devicetype":"%s{devicetype}","dlpdictcount":"%s{dlpcounts}","dlpdictnames":"%s{dlpdictnames}","dlpenginenames":"%s{dlpengnames}","dlpidentifier":"%llu{dlpidentifier}","dsttype":"%s{dsttype}","eventtime":"%s{eventtime}","expectedaction":"%s{expectedaction}","filedoctype":"%s{filedoctype}","filedstpath":"%s{filedstpath}","filemd5":"%s{filemd5}","filesha":"%s{filesha}","filesrcpath":"%s{filesrcpath}","filetypecategory":"%s{filetypecategory}","filetypename":"%s{filetypename}","hh":"%02d{hh}","itemdstname":"%s{itemdstname}","itemname":"%s{itemname}","itemsrcname":"%s{itemsrcname}","itemtype":"%s{itemtype}","logtype":"%s{logtype}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","numdlpdictids":"%u{numdlpdictids}","numdlpengineids":"%u{numdlpengids}","odepartment":"%s{odepartment}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odlpdictnames":"%s{odlpdictnames}","odlpenginenames":"%s{odlpengnames}","ofiledstpath":"%s{ofiledstpath}","ofilesrcpath":"%s{ofilesrcpath}","oitemdstname":"%s{oitemdstname}","oitemname":"%s{oitemname}","oitemsrcname":"%s{oitemsrcname}","ootherrulel
abels":"%s{ootherrulelabels}","otherrulelabels":"%s{otherrulelabels}","orulename":"%s{otriggeredrulelabel}","ouser":"%s{ouser}","recordid":"%llu{recordid}","feedtime":"%s{rtime}","scannedbytes":"%llu{scanned_bytes}","scantime":"%llu{scantime}","severity":"%s{severity}","srctype":"%s{srctype}","ss":"%02d{ss}","datetime":"%s{time}","rulename":"%s{triggeredrulelabel}","timezone":"%s{tz}","user":"%s{user}","yyyy":"%04d{yyyy}","zdpmode":"%s{zdpmode}"\}\} +\{"version":"v1","sourcetype":"zscalernss-edlp","event":\{"actiontaken":"%s{actiontaken}","activitytype":"%s{activitytype}","additionalinfo":"%s{addinfo}","channel":"%s{channel}","confirmaction":"%s{confirmaction}","confirmjustification":"%s{confirmjust}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","day":"%s{day}","dd":"%02d{dd}","department":"%s{department}","deviceappversion":"%s{deviceappversion}","devicehostname":"%s{devicehostname}","devicemodel":"%s{devicemodel}","devicename":"%s{devicename}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","deviceowner":"%s{deviceowner}","deviceplatform":"%s{deviceplatform}","devicetype":"%s{devicetype}","dlpdictcount":"%s{dlpcounts}","dlpdictnames":"%s{dlpdictnames}","dlpenginenames":"%s{dlpengnames}","dlpidentifier":"%llu{dlpidentifier}","dsttype":"%s{dsttype}","eventtime":"%s{eventtime}","expectedaction":"%s{expectedaction}","filedoctype":"%s{filedoctype}","filedstpath":"%s{filedstpath}","filemd5":"%s{filemd5}","filesha":"%s{filesha}","filesrcpath":"%s{filesrcpath}","filetypecategory":"%s{filetypecategory}","filetypename":"%s{filetypename}","hh":"%02d{hh}","itemdstname":"%s{itemdstname}","itemname":"%s{itemname}","itemsrcname":"%s{itemsrcname}","itemtype":"%s{itemtype}","logtype":"%s{logtype}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","numdlpdictids":"%u{numdlpdictids}","numdlpengineids":"%u{numdlpengids}","odepartment":"%s{odepartment}","odevicehostname":"%s{odevicehostname}",
"odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odlpdictnames":"%s{odlpdictnames}","odlpenginenames":"%s{odlpengnames}","ofiledstpath":"%s{ofiledstpath}","ofilesrcpath":"%s{ofilesrcpath}","oitemdstname":"%s{oitemdstname}","oitemname":"%s{oitemname}","oitemsrcname":"%s{oitemsrcname}","ootherrulelabels":"%s{ootherrulelabels}","otherrulelabels":"%s{otherrulelabels}","orulename":"%s{otriggeredrulelabel}","ouser":"%s{ouser}","recordid":"%llu{recordid}","feedtime":"%s{rtime}","scannedbytes":"%llu{scanned_bytes}","scantime":"%llu{scantime}","severity":"%s{severity}","srctype":"%s{srctype}","ss":"%02d{ss}","datetime":"%s{time}","rulename":"%s{triggeredrulelabel}","timezone":"%s{tz}","user":"%s{user}","yyyy":"%04d{yyyy}","zdpmode":"%s{zdpmode}"\}\} ``` Sample Response: ```json -{ "sourcetype": "zscalernss-edlp", "event": { "actiontaken": "allow", "activitytype": "email_sent", "additionalinfo": "File already open by another application", "channel": "Network Drive Transfer", "confirmaction": "confirm", "confirmjustification": "My manager approved it", "datacenter": "Georgia", "datacentercity": "Atlanta", "datacentercountry": "US", "day": "Mon", "dd": "16", "department": "TempDept", "deviceappversion": "Ver-2199", "devicehostname": "Host", "devicemodel": "Model-2022", "devicename": "Dev 1", "deviceostype": "Windows", "deviceosversion": "Win-11", "deviceowner": "Administrator", "deviceplatform": "Windows", "devicetype": "WinUser", "dlpdictcount": "12|13", "dlpdictnames": "dlp: dlp discription|dlp1: dlp discription1|dlp2: dlp discription2", "dlpenginenames": "dlpengine", "dlpidentifier": "12", "dsttype": "personal_cloud_storage", "eventtime": "Mon Oct 16 22:55:48 2023", "expectedaction": "block", "filedoctype": "Medical", "filedstpath": "dest_path", "filemd5": "938c2cc0dcc05f2b68c4287040cfcf71", "filesha": "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612", "filesrcpath": "source_path", "filetypecategory": "PLS File (pls)", "filetypename": 
"exe64", "hh": "22", "itemdstname": "nanolog", "itemname": "endpoint_dlp", "itemsrcname": "endpoint", "itemtype": "email_attachment", "logtype": "dlp_incident", "mm": "55", "mon": "Oct", "mth": "10", "numdlpdictids": "8", "numdlpengineids": "12", "recordid": "2", "feedtime": "Mon Oct 16 22:55:48 2023", "scannedbytes": "290812", "scantime": "1210", "severity": "High Severity", "srctype": "network_share", "ss": "48", "datetime": "Mon Oct 16 22:55:48 2023", "rulename": "configured_rule", "timezone": "GMT", "user": "TempUser", "yyyy": "2023", "zdpmode": "block mode", "odepartment": "4094304256", "odevicehostname": "4094304255", "odevicename": "4094304251", "odeviceowner": "4094304226", "odlpdictnames": "4094304456", "odlpenginenames": "4094364256", "ofiledstpath": "4094304296", "ofilesrcpath": "4094304206", "oitemdstname": "409430476", "oitemname": "40943042567", "oitemsrcname": "4094305256", "ootherrulelabels": "4036304256", "orulename": "40943049956", "ouser": "40943042569", "otherrulelabels": "9094304256" } } +{"version":"v1","sourcetype":"zscalernss-edlp","event":{"actiontaken":"allow","activitytype":"email_sent","additionalinfo":"File already open by another application","channel":"Network Drive Transfer","confirmaction":"confirm","confirmjustification":"My manager approved it","datacenter":"Georgia","datacentercity":"Atlanta","datacentercountry":"US","day":"Mon","dd":"16","department":"TempDept","deviceappversion":"Ver-2199","devicehostname":"Host","devicemodel":"Model-2022","devicename":"Dev 1","deviceostype":"Windows","deviceosversion":"Win-11","deviceowner":"Administrator","deviceplatform":"Windows","devicetype":"WinUser","dlpdictcount":"12|13","dlpdictnames":"dlp: dlp discription|dlp1: dlp discription1|dlp2: dlp discription2","dlpenginenames":"dlpengine","dlpidentifier":"12","dsttype":"personal_cloud_storage","eventtime":"Mon Oct 16 22:55:48 
2023","expectedaction":"block","filedoctype":"Medical","filedstpath":"dest_path","filemd5":"938c2cc0dcc05f2b68c4287040cfcf71","filesha":"076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612","filesrcpath":"source_path","filetypecategory":"PLS File (pls)","filetypename":"exe64","hh":"22","itemdstname":"nanolog","itemname":"endpoint_dlp","itemsrcname":"endpoint","itemtype":"email_attachment","logtype":"dlp_incident","mm":"55","mon":"Oct","mth":"10","numdlpdictids":"8","numdlpengineids":"12","recordid":"2","feedtime":"Mon Oct 16 22:55:48 2023","scannedbytes":"290812","scantime":"1210","severity":"High Severity","srctype":"network_share","ss":"48","datetime":"Mon Oct 16 22:55:48 2023","rulename":"configured_rule","timezone":"GMT","user":"TempUser","yyyy":"2023","zdpmode":"block mode","odepartment":"4094304256","odevicehostname":"4094304255","odevicename":"4094304251","odeviceowner":"4094304226","odlpdictnames":"4094304456","odlpenginenames":"4094364256","ofiledstpath":"4094304296","ofilesrcpath":"4094304206","oitemdstname":"409430476","oitemname":"40943042567","oitemsrcname":"4094305256","ootherrulelabels":"4036304256","orulename":"40943049956","ouser":"40943042569","otherrulelabels":"9094304256" } } ``` ### Firewall Log 
@@ -172,12 +172,12 @@ See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/nss-feed-output Zscaler Firewall Log response format (v2): ``` -\{"sourcetype":"zscalernss-fw","event":\{"datetime":"%s{time}","outbytes":"%ld{outbytes}","cltdomain":"%s{cdfqdn}","destcountry":"%s{destcountry}","cdip":"%s{cdip}","sdip":"%s{sdip}","cdport":"%d{cdport}","sdport":"%d{sdport}","devicemodel":"%s{devicemodel}","action":"%s{action}","duration":"%d{duration}","recordid":"%d{recordid}","tz":"%s{tz}","devicename":"%s{devicename}","devicehostname":"%s{devicehostname}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","nwapp":"%s{nwapp}","nwsvc":"%s{nwsvc}","proto":"%s{ipproto}","ipsrulelabel":"%s{ipsrulelabel}","dnatrulelabel":"%s{dnatrulelabel}","rdr_rulename":"%s{rdr_rulename}","rule":"%s{rulelabel}","rulelabel":"%s{erulelabel}","inbytes":"%ld{inbytes}","srcipcountry":"%s{srcip_country}","csip":"%s{csip}","ssip":"%s{ssip}","csport":"%d{csport}","ssport":"%d{ssport}","user":"%s{elogin}","aggregate":"%s{aggregate}","bypassed_session":"%d{bypassed_session}","bypass_time":"%s{bypass_etime}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","datacenter":"%s{datacenter}","day_of_month":"%02d{dd}","department":"%s{edepartment}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","deviceowner":"%s{deviceowner}","avgduration":"%d{avgduration}","durationms":"%d{durationms}","epochtime":"%d{epochtime}","external_deviceid":"%s{external_deviceid}","flow_type":"%s{flow_type}","forward_gateway_name":"%s{fwd_gw_name}","hour":"%02d{hh}","ipcat":"%s{ipcat}","ips_custom_signature":"%d{ips_custom_signature}","location":"%s{location}","locationname":"%s{elocation}","login":"%s{login}","minute":"%02d{mm}","month":"%s{mon}","month_of_year":"%02d{mth}","dnat":"%s{dnat}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","ofwd_gw_name":"%s{ofwd_gw_name}","odevicehostname":"%s{odevicehostname}","oipcat":"%s{oipcat}","oip
srulelabel":"%s{oipsrulelabel}","ordr_rulename":"%s{ordr_rulename}","orulelabel":"%s{orulelabel}","ozpa_app_seg_name":"%s{ozpa_app_seg_name}","second":"%02d{ss}","numsessions":"%d{numsessions}","stateful":"%s{stateful}","threat_name":"%s{threatname}","threatcat":"%s{threatcat}","threatname":"%s{ethreatname}","tsip":"%s{tsip}","tuntype":"%s{ttype}","year":"%04d{yyyy}","ztunnelversion":"%s{ztunnelversion}","zpa_app_seg_name":"%s{zpa_app_seg_name}"\}\} +\{"version":"v2","sourcetype":"zscalernss-fw","event":\{"datetime":"%s{time}","outbytes":"%ld{outbytes}","cltdomain":"%s{cdfqdn}","destcountry":"%s{destcountry}","cdip":"%s{cdip}","sdip":"%s{sdip}","cdport":"%d{cdport}","sdport":"%d{sdport}","devicemodel":"%s{devicemodel}","action":"%s{action}","duration":"%d{duration}","recordid":"%d{recordid}","tz":"%s{tz}","devicename":"%s{devicename}","devicehostname":"%s{devicehostname}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","nwapp":"%s{nwapp}","nwsvc":"%s{nwsvc}","proto":"%s{ipproto}","ipsrulelabel":"%s{ipsrulelabel}","dnatrulelabel":"%s{dnatrulelabel}","rdr_rulename":"%s{rdr_rulename}","rule":"%s{rulelabel}","rulelabel":"%s{erulelabel}","inbytes":"%ld{inbytes}","srcipcountry":"%s{srcip_country}","csip":"%s{csip}","ssip":"%s{ssip}","csport":"%d{csport}","ssport":"%d{ssport}","user":"%s{elogin}","aggregate":"%s{aggregate}","bypassed_session":"%d{bypassed_session}","bypass_time":"%s{bypass_etime}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","datacenter":"%s{datacenter}","day_of_month":"%02d{dd}","department":"%s{edepartment}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","deviceowner":"%s{deviceowner}","avgduration":"%d{avgduration}","durationms":"%d{durationms}","epochtime":"%d{epochtime}","external_deviceid":"%s{external_deviceid}","flow_type":"%s{flow_type}","forward_gateway_name":"%s{fwd_gw_name}","hour":"%02d{hh}","ipcat":"%s{ipcat}","ips_custom_signature":"%d{ips_custom_signature}","locatio
n":"%s{location}","locationname":"%s{elocation}","login":"%s{login}","minute":"%02d{mm}","month":"%s{mon}","month_of_year":"%02d{mth}","dnat":"%s{dnat}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","ofwd_gw_name":"%s{ofwd_gw_name}","odevicehostname":"%s{odevicehostname}","oipcat":"%s{oipcat}","oipsrulelabel":"%s{oipsrulelabel}","ordr_rulename":"%s{ordr_rulename}","orulelabel":"%s{orulelabel}","ozpa_app_seg_name":"%s{ozpa_app_seg_name}","second":"%02d{ss}","numsessions":"%d{numsessions}","stateful":"%s{stateful}","threat_name":"%s{threatname}","threatcat":"%s{threatcat}","threatname":"%s{ethreatname}","tsip":"%s{tsip}","tuntype":"%s{ttype}","year":"%04d{yyyy}","ztunnelversion":"%s{ztunnelversion}","zpa_app_seg_name":"%s{zpa_app_seg_name}"\}\} ``` Sample Response: ```json -{"sourcetype":"zscalernss-fw","event":{"datetime":"Mon Oct 16 22:55:48 2023","cltdomain":"www.example.com","cdip":"2a02:cf40::","outbytes":"10000","cdport":"22","destcountry":"USA","devicemodel":"20L8S7WC08","sdip":"67.43.156.0","duration":"600","sdport":"443","tz":"GMT","action":"Blocked","devicehostname":"THINKPADSMITH","recordid":"123456","deviceosversion":"Version 10.14.2 (Build 18C54)","devicename":"admin","nwsvc":"HTTP","deviceostype":"iOS","ipsrulelabel":"Default IPS Rule","nwapp":"Skype","rdr_rulename":"FWD_Rule_1","proto":"TCP","rulelabel":"rule1","dnatrulelabel":"DNAT_Rule_1","srcipcountry":"United States","rule":"Default_Firewall_Filtering_Rule","ssip":"1.128.0.0","inbytes":"10000","ssport":"22","csip":"0.0.0.0","aggregate":"Yes","csport":"25","bypass_time":"Mon Oct 16 22:55:48 2023","user":"jdoe%40safemarch.com","datacentercountry":"US","bypassed_session":"1","day":"Mon","datacentercity":"Sa","department":"sales","datacenter":"CA Client Node 
DC","deviceappversion":"2.0.0.120","day_of_month":"16","avgduration":"600","dept":"Sales","eedone":"Yes","deviceowner":"jsmith","external_deviceid":"1234","durationms":"600","forward_gateway_name":"FWD_1","epochtime":"1578128400","ipcat":"Finance","flow_type":"Direct","location":"Headquarters","hour":"22","login":"jdo%40safemarch.com","ips_custom_signature":"0","month":"Oct","locationname":"Headquarters","dnat":"Yes","minute":"55","odevicename":"2175092224","month_of_year":"10","ofwd_gw_name":"8794487099","ocsip":"9960223283","oipcat":"5300295980","odeviceowner":"10831489","odnatlabel":"7956407282","odevicehostname":"2168890624","orulelabel":"624054738","oipsrulelabel":"6200694987","second":"48","ordr_rulename":"3399565100","stateful":"Yes","ozpa_app_seg_name":"7648246731","threatcat":"Botnet Callback","numsessions":"5","tsip":"89.160.20.128","threat_name":"Linux.Backdoor.Tsunami","year":"2023","threatname":"Linux.Backdoor","zpa_app_seg_name":"ZPA_test_app_segment","tuntype":"L2 tunnel","ztunnelversion":"ZTUNNEL_1_0"}} +{"version":"v2","sourcetype":"zscalernss-fw","event":{"datetime":"Mon Oct 16 22:55:48 2023","cltdomain":"www.example.com","cdip":"2a02:cf40::","outbytes":"10000","cdport":"22","destcountry":"USA","devicemodel":"20L8S7WC08","sdip":"67.43.156.0","duration":"600","sdport":"443","tz":"GMT","action":"Blocked","devicehostname":"THINKPADSMITH","recordid":"123456","deviceosversion":"Version 10.14.2 (Build 18C54)","devicename":"admin","nwsvc":"HTTP","deviceostype":"iOS","ipsrulelabel":"Default IPS Rule","nwapp":"Skype","rdr_rulename":"FWD_Rule_1","proto":"TCP","rulelabel":"rule1","dnatrulelabel":"DNAT_Rule_1","srcipcountry":"United States","rule":"Default_Firewall_Filtering_Rule","ssip":"1.128.0.0","inbytes":"10000","ssport":"22","csip":"0.0.0.0","aggregate":"Yes","csport":"25","bypass_time":"Mon Oct 16 22:55:48 
2023","user":"jdoe%40safemarch.com","datacentercountry":"US","bypassed_session":"1","day":"Mon","datacentercity":"Sa","department":"sales","datacenter":"CA Client Node DC","deviceappversion":"2.0.0.120","day_of_month":"16","avgduration":"600","dept":"Sales","eedone":"Yes","deviceowner":"jsmith","external_deviceid":"1234","durationms":"600","forward_gateway_name":"FWD_1","epochtime":"1578128400","ipcat":"Finance","flow_type":"Direct","location":"Headquarters","hour":"22","login":"jdo%40safemarch.com","ips_custom_signature":"0","month":"Oct","locationname":"Headquarters","dnat":"Yes","minute":"55","odevicename":"2175092224","month_of_year":"10","ofwd_gw_name":"8794487099","ocsip":"9960223283","oipcat":"5300295980","odeviceowner":"10831489","odnatlabel":"7956407282","odevicehostname":"2168890624","orulelabel":"624054738","oipsrulelabel":"6200694987","second":"48","ordr_rulename":"3399565100","stateful":"Yes","ozpa_app_seg_name":"7648246731","threatcat":"Botnet Callback","numsessions":"5","tsip":"89.160.20.128","threat_name":"Linux.Backdoor.Tsunami","year":"2023","threatname":"Linux.Backdoor","zpa_app_seg_name":"ZPA_test_app_segment","tuntype":"L2 tunnel","ztunnelversion":"ZTUNNEL_1_0"}} ``` ### Tunnel Log 
@@ -190,24 +190,24 @@ See: [Zscaler Vendor documentation]( https://help.zscaler.com/zia/nss-feed-outpu Zscaler Tunnel Log response formats (v2): - Tunnel Event: ``` - \{"sourcetype":"zscalernss-tunnel","event":\{"datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationip":"%s{destvip}","event":"%s{event}","eventreason":"%s{eventreason}","hh":"%02d{hh}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","recordid":"%d{recordid}","sourceip":"%s{sourceip}","sourceport":"%d{srcport}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunneltype":"%s{tunneltype}","timezone":"%s{tz}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\} + \{"version":"v2","sourcetype":"zscalernss-tunnel","event":\{"datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationip":"%s{destvip}","event":"%s{event}","eventreason":"%s{eventreason}","hh":"%02d{hh}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","recordid":"%d{recordid}","sourceip":"%s{sourceip}","sourceport":"%d{srcport}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunneltype":"%s{tunneltype}","timezone":"%s{tz}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\} ``` - Sample Event: ``` - 
\{"sourcetype":"zscalernss-tunnel","event":\{"datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationip":"%s{destvip}","dpdrec":"%d{dpdrec}","hh":"%02d{hh}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","recordid":"%d{recordid}","rxbytes":"%lu{rxbytes}","rxpackets":"%d{rxpackets}","sourceip":"%s{sourceip}","sourceport":"%d{srcport}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunneltype":"%s{tunneltype}","txbytes":"%lu{txbytes}","txpackets":"%d{txpackets}","timezone":"%s{tz}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\} + \{"version":"v2","sourcetype":"zscalernss-tunnel","event":\{"datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationip":"%s{destvip}","dpdrec":"%d{dpdrec}","hh":"%02d{hh}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","recordid":"%d{recordid}","rxbytes":"%lu{rxbytes}","rxpackets":"%d{rxpackets}","sourceip":"%s{sourceip}","sourceport":"%d{srcport}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunneltype":"%s{tunneltype}","txbytes":"%lu{txbytes}","txpackets":"%d{txpackets}","timezone":"%s{tz}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\} ``` - IKE Phase 1 ``` - 
\{"sourcetype":"zscalernss-tunnel","event":\{"algo":"%s{algo}","authentication":"%s{authentication}","authtype":"%s{authtype}","datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationip":"%s{destvip}","destinationport":"%d{dstport}","hh":"%02d{hh}","ikeversion":"%d{ikeversion}","lifetime":"%d{lifetime}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","recordid":"%d{recordid}","sourceip":"%s{sourceip}","spi_in":"%lu{spi_in}","spi_out":"%lu{spi_out}","sourceport":"%d{srcport}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunneltype":"IPSEC IKEV %d{ikeversion}","timezone":"%s{tz}","vendorname":"%s{vendorname}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\} + \{"version":"v2","sourcetype":"zscalernss-tunnel","event":\{"algo":"%s{algo}","authentication":"%s{authentication}","authtype":"%s{authtype}","datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationip":"%s{destvip}","destinationport":"%d{dstport}","hh":"%02d{hh}","ikeversion":"%d{ikeversion}","lifetime":"%d{lifetime}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","recordid":"%d{recordid}","sourceip":"%s{sourceip}","spi_in":"%lu{spi_in}","spi_out":"%lu{spi_out}","sourceport":"%d{srcport}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunneltype":"IPSEC IKEV %d{ikeversion}","timezone":"%s{tz}","vendorname":"%s{vendorname}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\} ``` - IKE Phase 2 ``` - 
\{"sourcetype":"zscalernss-tunnel","event":\{"algo":"%s{algo}","authentication":"%s{authentication}","authtype":"%s{authtype}","datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationipend":"%s{destipend}","destinationipstart":"%s{destipstart}","destinationportstart":"%d{destportstart}","destinationip":"%s{destvip}","hh":"%02d{hh}","ikeversion":"%d{ikeversion}","lifebytes":"%d{lifebytes}","lifetime":"%d{lifetime}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","protocol":"%s{protocol}","recordid":"%d{recordid}","sourceip":"%s{sourceip}","spi":"%d{spi}","srcipend":"%s{srcipend}","srcipstart":"%s{srcipstart}","sourceportstart":"%d{srcportstart}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunnelprotocol":"%s{tunnelprotocol}","tunneltype":"IPSEC IKEV %d{ikeversion}","timezone":"%s{tz}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\} + \{"version":"v2","sourcetype":"zscalernss-tunnel","event":\{"algo":"%s{algo}","authentication":"%s{authentication}","authtype":"%s{authtype}","datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationipend":"%s{destipend}","destinationipstart":"%s{destipstart}","destinationportstart":"%d{destportstart}","destinationip":"%s{destvip}","hh":"%02d{hh}","ikeversion":"%d{ikeversion}","lifebytes":"%d{lifebytes}","lifetime":"%d{lifetime}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","protocol":"%s{protocol}","recordid":"%d{recordid}","sourceip":"%s{sourceip}","spi":"%d{spi}","srcipend":"%s{srcipend}","srcipstart":"%s{srcipstart}","sourceportstart":"%d{srcportstart}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunnelprotocol":"%s{tunnelprotocol}","tunneltype":"IPSEC IKEV %d{ikeversion}","timezone":"%s{tz}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\} 
``` Sample Response: ```json -{"sourcetype":"zscalernss-tunnel","event":{"datetime":"Mon Oct 16 22:55:48 2023","destinationip":"67.43.156.1","destinationport":"500","recordid":"111234","timezone":"GMT","sourceip":"67.43.156.0","sourceport":"500","user":"jdoe@safemarch.com","authentication":"HMAC_MD5","authtype":"PSKEY","day":"Mon","dd":"16","algo":"DES_CBC","hh":"22","ikeversion":"IKE_VERSION_2","lifetime":"86400","locationname":"Headquarters","mm":"55","mon":"Oct","mth":"10","olocationname":"2168890624","ovpncredentialname":"4094304256","ss":"48","spi_in":"None","spi_out":"None","Recordtype":"None","vendorname":"CISCO","yyyy":"2023"}} +{"version":"v2","sourcetype":"zscalernss-tunnel","event":{"datetime":"Mon Oct 16 22:55:48 2023","destinationip":"67.43.156.1","destinationport":"500","recordid":"111234","timezone":"GMT","sourceip":"67.43.156.0","sourceport":"500","user":"jdoe@safemarch.com","authentication":"HMAC_MD5","authtype":"PSKEY","day":"Mon","dd":"16","algo":"DES_CBC","hh":"22","ikeversion":"IKE_VERSION_2","lifetime":"86400","locationname":"Headquarters","mm":"55","mon":"Oct","mth":"10","olocationname":"2168890624","ovpncredentialname":"4094304256","ss":"48","spi_in":"None","spi_out":"None","Recordtype":"None","vendorname":"CISCO","yyyy":"2023"}} ``` ### Web Log diff --git a/packages/zscaler_zia/manifest.yml b/packages/zscaler_zia/manifest.yml index d67c1bf4bfd..c2ba1bc16b5 100644 --- a/packages/zscaler_zia/manifest.yml +++ b/packages/zscaler_zia/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.2.3" name: zscaler_zia title: Zscaler Internet Access -version: "3.11.0" +version: "3.12.0" description: Collect logs from Zscaler Internet Access (ZIA) with Elastic Agent. type: integration categories: 
@@ -108,6 +108,12 @@ policy_templates:
 # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
 # sxSmbIUfc2SGJGCJD4I=
 # -----END CERTIFICATE-----
+ - name: strict_fields
+ type: bool
+ title: Require Strict Field/Version Check
+ description: Whether to check for template version mismatch.
+ required: false
+ show_user: false
 title: Collect Zscaler Internet Access logs via TCP input
 description: Collecting Zscaler Internet Access logs via TCP input.
 - type: http_endpoint
@@ -165,6 +171,12 @@ policy_templates:
 required: false
 show_user: false
 secret: true
+ - name: strict_fields
+ type: bool
+ title: Require Strict Field/Version Check
+ description: Whether to check for template version mismatch.
+ required: false
+ show_user: false
 - type: cel
 title: Collect Zscaler Internet Access logs via API
 description: Collecting Zscaler Internet Access logs via API.
From 05c57c7d04f9608278ff06f23d0afafcc233726c Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Wed, 21 May 2025 07:29:58 +0930
Subject: [PATCH 2/8] address pr comment - wip
Needs syntax to link directly to the noted version.
---
 .../audit/elasticsearch/ingest_pipeline/default.yml | 6 ++++--
 .../dns/elasticsearch/ingest_pipeline/default.yml | 6 ++++--
 .../elasticsearch/ingest_pipeline/default.yml | 6 ++++--
 .../elasticsearch/ingest_pipeline/default.yml | 12 +++++++-----
 .../tunnel/elasticsearch/ingest_pipeline/default.yml | 6 ++++--
 .../web/elasticsearch/ingest_pipeline/default.yml | 6 ++++--
 6 files changed, 27 insertions(+), 15 deletions(-)
diff --git a/packages/zscaler_zia/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index bf626911bd0..18337e309c6 100644
--- a/packages/zscaler_zia/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
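Review bot: The `strict_fields` description in the TCP hunk (and the identical one in the http_endpoint hunk that follows) only mentions the version check, while the commit message says the check falls back to comparing the set of templated fields when the message carries no version, so an operator enabling it will not expect field-set rejections. Suggest `description: Whether to reject events whose template version, or set of templated fields when no version is present, does not match what this integration expects. Disabled by default.` Since `show_user: false` hides the option in the policy editor, the README changes in this patch are where most users will learn it exists, so the failure mode (events tagged with an `error.message`) is worth stating there as well.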
@@ -39,6 +39,8 @@ processors:
 ignore_missing: true
 - script:
 params:
+ pkg_version: 3.12.0
+ data_stream: audit-log
 expect:
 fields: action|adminid|auditlogtype|category|clientip|errorcode|interface|postaction|preaction|recordid|resource|result|subcategory|time|timezone
 version: v1
@@ -54,12 +56,12 @@ processors:
 if (signature != params.expect.fields) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields");
+ ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")");
 }
 } else if (ctx.resp.version != params.expect.version) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version");
+ ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")");
 }
 - remove:
 field: resp
diff --git a/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
index 81e041e1a63..e4e924b2cf5 100644
--- a/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
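Review bot: `pkg_version: 3.12.0` is added to the script params but nothing in either hunk reads it — only `params.data_stream` is used in the new messages — and the same unused literal is added to the dns (L294), endpoint_dlp (L295), firewall (L297), tunnel (L298) and web (L300) pipelines. The commit message marks this as work in progress pending a way to link to a specific docs version, but until then it is a seventh copy of the `version:` string in manifest.yml that must be bumped by hand on every release and will silently drift. Either leave it out until the docs URL can consume it, or add a pipeline test that asserts the param equals the manifest version, and record the intent with `# Must match version in manifest.yml; reserved for a version-pinned docs link.` beside the param.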
@@ -39,6 +39,8 @@ processors: ignore_missing: true - script: params: + pkg_version: 3.12.0 + data_stream: dns-log expect: fields: category|cloudname|clt_sip|company|datacenter|datacentercity|datacentercountry|datetime|day|day_of_month|department|dept|deviceappversion|devicehostname|devicemodel|devicename|deviceostype|deviceosversion|deviceowner|devicetype|dns_gateway_rule|dns_gateway_server_protocol|dns_gateway_status|dns_req|dns_reqtype|dns_resp|dnsapp|dnsappcat|durationms|ecs_prefix|ecs_slot|eedone|epochtime|error|hour|http_code|istcp|loc|location|login|minutes|month|month_of_year|oclientsourceip|odevicehostname|odevicename|odeviceowner|odomcat|protocol|recordid|reqaction|reqrulelabel|resaction|respipcat|respipcategory|resrulelabel|restype|second|srv_dip|srv_dport|tz|user|year version: v2 @@ -54,12 +56,12 @@ processors: if (signature != params.expect.fields) { ctx.error = ctx.error ?: [:]; ctx.error.message = ctx.error.message ?: []; - ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields"); + ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")"); } } else if (ctx.resp.version != params.expect.version) { ctx.error = ctx.error ?: [:]; ctx.error.message = ctx.error.message ?: []; - ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version"); + ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")"); } - remove: field: resp diff --git a/packages/zscaler_zia/data_stream/endpoint_dlp/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/endpoint_dlp/elasticsearch/ingest_pipeline/default.yml index 685ad29c18a..a2ba9a3f7e7 100644 
--- a/packages/zscaler_zia/data_stream/endpoint_dlp/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zscaler_zia/data_stream/endpoint_dlp/elasticsearch/ingest_pipeline/default.yml @@ -39,6 +39,8 @@ processors: ignore_missing: true - script: params: + pkg_version: 3.12.0 + data_stream: endpoint-dlp-log expect: fields: actiontaken|activitytype|additionalinfo|channel|confirmaction|confirmjustification|datacenter|datacentercity|datacentercountry|datetime|day|dd|department|deviceappversion|devicehostname|devicemodel|devicename|deviceostype|deviceosversion|deviceowner|deviceplatform|devicetype|dlpdictcount|dlpdictnames|dlpenginenames|dlpidentifier|dsttype|eventtime|expectedaction|feedtime|filedoctype|filedstpath|filemd5|filesha|filesrcpath|filetypecategory|filetypename|hh|itemdstname|itemname|itemsrcname|itemtype|logtype|mm|mon|mth|numdlpdictids|numdlpengineids|odepartment|odevicehostname|odevicename|odeviceowner|odlpdictnames|odlpenginenames|ofiledstpath|ofilesrcpath|oitemdstname|oitemname|oitemsrcname|ootherrulelabels|orulename|otherrulelabels|ouser|recordid|rulename|scannedbytes|scantime|severity|srctype|ss|timezone|user|yyyy|zdpmode version: v1 
@@ -54,12 +56,12 @@ processors:
 if (signature != params.expect.fields) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields");
+ ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#endpoint-dlp-log)");
 }
 } else if (ctx.resp.version != params.expect.version) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version");
+ ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#endpoint-dlp-log)");
 }
 - remove:
 field: resp
diff --git a/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
index b6f068c89bb..2b98227b26e 100644
--- a/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
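Review bot: Both new error strings in this hunk hard-code the anchor `#endpoint-dlp-log)` while every other pipeline in the patch builds it from `params.data_stream`, so the `data_stream: endpoint-dlp-log` param added in the previous hunk is never read here. Change both lines to end with `zscaler_zia#"+params.data_stream+")");` so the six scripts stay textually identical and the anchor has a single source of truth in the params block.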
@@ -45,6 +45,8 @@ processors: ignore_missing: true - script: params: + pkg_version: 3.12.0 + data_stream: firewall-log expect: fields: action|aggregate|avgduration|bypass_time|bypassed_session|cdip|cdport|cltdomain|csip|csport|datacenter|datacentercity|datacentercountry|datetime|day|day_of_month|department|dept|destcountry|deviceappversion|devicehostname|devicemodel|devicename|deviceostype|deviceosversion|deviceowner|dnat|dnatrulelabel|duration|durationms|eedone|epochtime|external_deviceid|flow_type|forward_gateway_name|hour|inbytes|ipcat|ips_custom_signature|ipsrulelabel|location|locationname|login|minute|month|month_of_year|numsessions|nwapp|nwsvc|ocsip|odevicehostname|odevicename|odeviceowner|odnatlabel|ofwd_gw_name|oipcat|oipsrulelabel|ordr_rulename|orulelabel|outbytes|ozpa_app_seg_name|proto|rdr_rulename|recordid|rule|rulelabel|sdip|sdport|second|srcipcountry|ssip|ssport|stateful|threat_name|threatcat|threatname|tsip|tuntype|tz|user|year|zpa_app_seg_name|ztunnelversion version: v2 
@@ -60,12 +62,12 @@ processors:
 if (signature != params.expect.fields) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields");
+ ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")");
 }
- } else if (ctx.resp?.version != params.expect.version) {
- ctx.error = ctx.error ?: [:];
- ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("template version mismatch: "+ctx.resp?.version.toString()+" is not expected version");
+ } else if (ctx.resp.version != params.expect.version) {
+ ctx.error = ctx.error ?: [:];
+ ctx.error.message = ctx.error.message ?: [];
+ ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")");
 }
 - remove:
 field: resp
diff --git a/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
index 1e6732225b8..929b97f897c 100644
--- a/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
@@ -39,6 +39,8 @@ processors:
 ignore_missing: true
 - script:
 params:
+ pkg_version: 3.12.0
+ data_stream: tunnel-log
 expect:
 fields:
 "Recordtype|datetime|day|dd|destinationip|event|eventreason|hh|locationname|mm|mon|mth|olocationname|ovpncredentialname|recordid|sourceip|sourceport|ss|timezone|tunneltype|user|yyyy": true
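Review bot: The rewritten `else if` drops the null-safe `ctx.resp?.version` in favour of `ctx.resp.version`, which aligns this script with the other five pipelines but means a document with no `resp` object would now fail with a null pointer error instead of falling through; whether that is reachable depends on the guard that opens the enclosing `if`, which starts above this hunk. If that outer condition already establishes `ctx.resp` is non-null, a one-line comment such as `// resp is non-null here: the surrounding guard has already dereferenced it` would save the next reader re-deriving it; otherwise keep the `?.`. Separately, `ctx.resp.version.toString()` embeds a sender-supplied value into `error.message`, which is fine for a text field but worth remembering if that message is ever copied into a keyword field or an alert title.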
@@ -58,12 +60,12 @@ processors:
 if (params.expect.fields[signature] != true) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields");
+ ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")");
 }
 } else if (ctx.resp.version != params.expect.version) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version");
+ ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")");
 }
 - remove:
 field: resp
diff --git a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
index 1d0051361d9..9ea2a203556 100644
--- a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
@@ -39,6 +39,8 @@ processors: ignore_missing: true - script: params: + pkg_version: 3.12.0 + data_stream: web-log expect: fields: action|appclass|applayerprotocol|appname|appriskscore|apprulelabel|b64referer|b64url|bamd5|bandwidthclassname|bandwidthrulename|bwthrottle|bypassedtime|bypassedtraffic|cloudname|cltintip|cltip|cltpubip|cltsourceport|cltsslcipher|cltsslfailcount|cltsslfailreason|cltsslsessreuse|clttlsversion|company|contenttype|datacenter|datacentercity|datacentercountry|day|day_of_month|dept|deviceappversion|devicehostname|devicemodel|devicename|deviceostype|deviceosversion|deviceowner|devicetype|df_hosthead|df_hostname|dlpdict|dlpdicthitcount|dlpeng|dlpidentifier|dlpmd5|dlprulename|eedone|epochtime|external_devid|externalsslpolicyreason|fileclass|filename|filesubtype|filetype|flow_type|forward_gateway_ip|forward_gateway_name|forward_type|host|hour|is_sslexpiredca|is_sslselfsigned|is_ssluntrustedca|keyprotectiontype|location|login|malwarecategory|malwareclass|minute|mobappcategory|mobappname|mobdevtype|module|month|month_of_year|nssserviceip|oapprulelabel|obwclassname|ocip|ocpubip|odevicehostname|odevicename|odeviceowner|odlpdict|odlpeng|odlprulename|ofwd_gw_name|ologin|ordr_rulename|ourlcat|ourlfilterrulelabel|ozpa_app_seg_name|productversion|proto|rdr_rulename|reason|recordid|refererhost|reqdatasize|reqheadersize|reqmethod|reqsize|reqversion|respcode|respdatasize|respheadersize|respsize|respversion|riskscore|rulelabel|ruletype|second|serverip|serversslsessreuse|sha256|srvcertchainvalpass|srvcertvalidationtype|srvcertvalidityperiod|srvocspresult|srvsslcipher|srvtlsversion|srvwildcardcert|ssldecrypted|threatname|threatseverity|throttlereqsize|throttlerespsize|time|totalsize|trafficredirectmethod|tz|unscannabletype|upload_doctypename|upload_fileclass|upload_filename|upload_filesubtype|upload_filetype|urlcatmethod|urlclass|urlfilterrulelabel|urlsubcat|urlsupercat|useragent|useragentclass|useragenttoken|userlocationname|year|zpa_app_seg_name|ztunnelversion 
version: v9
@@ -54,12 +56,12 @@ processors:
 if (signature != params.expect.fields) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields");
+ ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")");
 }
 } else if (ctx.resp.version != params.expect.version) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version");
+ ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")");
 }
 - remove:
 field: resp
From 9e9b3769231ab257951aa12cea765104c93786eb Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Wed, 21 May 2025 08:03:44 +0930
Subject: [PATCH 3/8] update expectations
---
 .../test-web-http-endpoint.log-expected.json | 6 ++++--
 .../test/pipeline/test-web.log-expected.json | 21 ++++++++++++-------
 2 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json
index 75941dbf9ac..8f6707dfbe9 100644
--- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json
+++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json
@@ -38,10 +38,11 @@ "id": "123456789", "kind": "event", "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"81.2.69.142\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Allowed\",\"recordid\":\"123456789\",\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"rar\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":\"1300\",\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":\"10500\",\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_1\",\"cltip\":\"81.2.69.142\",\"cltintip\":\"81.2.69.142\",\"cltsourceport\":\"1235\",\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"None\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"0\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"81.2.69.142\",\"cltsslfailcount\":\"100\",\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"dept\":\"Sales\",\"deviceappversion\":\"81.2.69.142\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":\"6646484838839026000\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":\"22\",\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":\"55\",\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":\"6200694987\",\"ocpubip\":\"624054738\",\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":\"300\",\"reqdatasize\":\"1000\",\"respheadersize\":\"500\",\"respdatasize\":\"10000\",\"riskscore\":\"10\",\"ruletype\":\"File Type Control\",\"second\":\"48\",\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":\"5\",\"throttlerespsize\":\"7\",\"totalsize\":\"11800\",\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":\"2023\",\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "outcome": "success", "reason": "File Attachment Cautioned", "timezone": "GMT", "type": [ - "info" + "access" ] }, "file": { 
@@ -462,10 +463,11 @@ "id": "123456789", "kind": "event", "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"81.2.69.142\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Blocked\",\"recordid\":\"123456789\",\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"rar\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":\"1300\",\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":\"10500\",\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_1\",\"cltip\":\"81.2.69.142\",\"cltintip\":\"81.2.69.142\",\"cltsourceport\":\"1235\",\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"None\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"81.2.69.142\",\"cltsslfailcount\":\"100\",\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"dept\":\"Sales\",\"deviceappversion\":\"81.2.69.142\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":\"6646484838839026000\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":\"22\",\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":\"55\",\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":\"6200694987\",\"ocpubip\":\"624054738\",\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":\"300\",\"reqdatasize\":\"1000\",\"respheadersize\":\"500\",\"respdatasize\":\"10000\",\"riskscore\":\"10\",\"ruletype\":\"File Type Control\",\"second\":\"48\",\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":\"5\",\"throttlerespsize\":\"7\",\"totalsize\":\"11800\",\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":\"2023\",\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "outcome": "failure", "reason": "File Attachment Cautioned", "timezone": "GMT", "type": [ - "info" + "access" ] }, "file": { diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json index 3dfe05a9514..546529507c4 100644 --- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json +++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json 
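Review bot: The expected document for the `"action":"Blocked"` event now carries `event.type: ["access"]` with `event.outcome: "failure"`, while the Allowed events in the other hunks of this patch (the L302 hunk and the test-web.log hunks) get the same `access` type with `success`. ECS represents allow/deny decisions in `event.type` (`allowed`/`denied`), and `event.outcome` is meant for whether the logged action itself succeeded, so a blocked request is arguably a successful block rather than a failure, and anyone alerting on `event.outcome: failure` for this stream will pick up policy blocks. The mapping that produces these values lives in the web pipeline, outside this patch, so this may just be the fixture reflecting existing behaviour; if so, consider `"type": ["access", "denied"]` / `["access", "allowed"]` there. These are generated expected-output files, so they would be regenerated after any such pipeline change.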
@@ -26,10 +26,11 @@ "id": "123456789", "kind": "event", "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.0\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Allowed\",\"recordid\":123456789,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tOjQ0My9pbmRleD9xdGltZT0yMDIzLTA0LTEyVDIzOjIwOjUwLjUyWg==\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.0\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "outcome": "success", "reason": "File Attachment Cautioned", "timezone": "GMT", "type": [ - "info" + "access" ] }, "file": { 
@@ -446,10 +447,11 @@ "id": "123456780", "kind": "event", "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 17 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.1\",\"external_devid\":\"2345\",\"devicemodel\":\"20L8S7WC09\",\"action\":\"Allowed\",\"recordid\":123456780,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LmV4YW1wbGUuY29tOjQ0Mw==\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "outcome": "success", "reason": "File Attachment Cautioned", "timezone": "GMT", "type": [ - "info" + "access" ] }, "file": { 
@@ -864,10 +866,11 @@ "id": "123456781", "kind": "event", "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 18 23:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.2\",\"external_devid\":\"2346\",\"devicemodel\":\"20L8S7WC10\",\"action\":\"Allowed\",\"recordid\":123456781,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"SSL\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LmV4YW1wbGUuY29tLmNvbS9wYXJhbXM/SWQ9MSZ0cz0yMDA2LTAxLTAyVDE1OjA0OjA1WjA3OjAwJnVzZXI9NjU3OTImdmVyc2lvbj0xMC4wLjE5MDQxLjEyNjY=\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "outcome": "success", "reason": "File Attachment Cautioned", "timezone": "GMT", "type": [ - "info" + "access" ] }, "file": { 
@@ -1283,10 +1286,11 @@ "id": "123456781", "kind": "event", "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 18 23:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.2\",\"external_devid\":\"2346\",\"devicemodel\":\"20L8S7WC10\",\"action\":\"Allowed\",\"recordid\":123456781,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"SSL\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test 
File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LnlvdXR1YmUuY29tL2FwaS9zdGF0cy9hYmNkP2FmbXQ9MjUxJmJhdD0zMzAuMDE3OjAuOTY6MSZiaD0zMzAuMDE3OjEyMS4yNjQmYndlPTMzMC4wMTc6NzQ1ODYwMSZid209MzMwLjAxNzoyNDA3NzU0OjAuODQ0JmM9V0VCJmNicj1FZGdlIENocm9taXVtJmNicnZlcj0xMTUuMC4wLjAmY2w9NjU1Mzk5OTU2JmNtdD0zMzAuMDE3OjMyOC44MzcmY29zPVdpbmRvd3MmY29zdmVyPTEwLjAmY3BsYXRmb3JtPURFU0tUT1AmY3BsYXllcj1VTklQTEFZRVImY3BuPUZVQjczU1FXeFNIS0FEeHZKJmN2ZXI9Mi4yMDI0MDcyNC4wMy4wMCZkb2NpZD1XVmhHX3NOVkxhc0QmZWw9ZGV0YWlscGFnZSZmZXhwPXYxLDIzODQ4MjI1LDEzNzgwMiwxODYxNywyMDQxMjEsMjMwNTk2LDIyMjA5NywxNjIyOSwxMzMyMTIsMTQ2MjU5NTUsMTE2ODQzODEsNzIyMiwxNDIwNyw5ODU5LDEyMTc3LDk5NTQsMTE5Miw3OTEzLDE4MzEwLDI3Myw0MTQ3LDI4MTksMiwxNjM0NCwxNDI0LDE5MjA0LDk5NDgsMjE5Niw5OTk2LDE5LDIsMTA4Miw2OTUzLDEwMSwxNDAxLDk1NDIsMjQ3MSwzMjkyLDI3MTYsMTUzOCw3MjMsMjU3NSw5NTY3LDEzNzUsMzc2MSw0MTYyLDg2MTAsMTczLDIwMSwxMDQwNiwzMjEsMTQ4LDIsMzQzLDE3ODMsMTQsMTMyMiw1MCw2MjEsNzAyLDEwNjIsMTc2OSwxODIzLDg5NiwyMjkxLDI5MTIsNzU2OCwzNDImZm10PTM5OCZucz15dCZyZWZlcnJlcj1odHRwczovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PWlzYTkwXzY3YXMmc2RldGFpbD1ydjppc2E4OV82OGFkJnNlcT0xMyZzb3VyY2VpZD15dyZ2cHM9MzMwLjAxNzpQTA==\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node 
DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended 
Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "outcome": "success", "reason": "File Attachment Cautioned", "timezone": "GMT", "type": [ - "info" + "access" ] }, "file": { 
@@ -1702,10 +1706,11 @@ "id": "123456782", "kind": "event", "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 20 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.4\",\"external_devid\":\"2347\",\"devicemodel\":\"20L8S7WC12\",\"action\":\"Allowed\",\"recordid\":123456782,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"device%5CrN%40me\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LmV4YW1wbGUuY29tOjQ0Mw==\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 
365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "outcome": "success", "reason": "File Attachment Cautioned", "timezone": "GMT", "type": [ - "info" + "access" ] }, "file": { 
@@ -2120,10 +2125,11 @@ "id": "123456782", "kind": "event", "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 20 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.4\",\"external_devid\":\"2347\",\"devicemodel\":\"20L8S7WC12\",\"action\":\"Allowed\",\"recordid\":123456782,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed%.txt\",\"upload_filename\":\"nssfeed%.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"device%5CrN%40me\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"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\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 
365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "outcome": "success", "reason": "File Attachment Cautioned", "timezone": "GMT", "type": [ - "info" + "access" ] }, "file": { 
@@ -2541,10 +2547,11 @@ "id": "123456782", "kind": "event", "original": "{\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 20 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.4\",\"external_devid\":\"2347\",\"devicemodel\":\"20L8S7WC12\",\"action\":\"Allowed\",\"recordid\":123456782,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"device%5CrN%40me\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"ZXhhbXBsZS5jb20vP3BhcnRuZXI9MjcxJnNtYXJ0bWFwPTEmcmVkaXJlY3Q9aHR0cHM6Ly9leGFtcGxlLmNvbS9zZXR1aWQ/ZW50aXR5PTE0NSZjb2RlPSVfcmlk\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe 
Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google 
Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "outcome": "success", "reason": "File Attachment Cautioned", "timezone": "GMT", "type": [ - "info" + "access" ] }, "file": 
{
From 4a4826471e7ea140804644327b1df17aafd8396e Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Thu, 22 May 2025 11:33:40 +0930 Subject: [PATCH 4/8] add versioned links Still wip; the links are to raw MD and are not direct to the affected data stream.
---
.../audit/elasticsearch/ingest_pipeline/default.yml | 4 ++-- .../data_stream/dns/elasticsearch/ingest_pipeline/default.yml | 4 ++-- .../endpoint_dlp/elasticsearch/ingest_pipeline/default.yml | 4 ++-- .../firewall/elasticsearch/ingest_pipeline/default.yml | 4 ++-- .../tunnel/elasticsearch/ingest_pipeline/default.yml | 4 ++-- .../data_stream/web/elasticsearch/ingest_pipeline/default.yml | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/packages/zscaler_zia/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index 18337e309c6..076a8f3a407 100644
--- a/packages/zscaler_zia/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -56,12 +56,12 @@ processors:
 if (signature != params.expect.fields) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")");
+ ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 } else if (ctx.resp.version != params.expect.version) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")");
+ ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 - remove:
 field: resp
diff --git a/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
index e4e924b2cf5..180ae14f848 100644
--- a/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
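Review bot: Both `+` lines interpolate `params.pkg_version`, but this commit does not add that parameter (the diffstat shows only the two message lines changing per file), so the new text relies on `pkg_version` already being present in the script's `params` block outside the hunk; if it is not, Painless would most likely concatenate `null` into the URL instead of failing, which is easy to miss in a pipeline test. The new link also drops the per-data-stream anchor the old URL carried, so a reader lands on the whole README rather than the affected stream's section; keeping the stream name in the text, e.g. `(see "+params.data_stream+" in https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)`, preserves that hint. The same applies to the dns, endpoint_dlp, firewall, tunnel and web hunks that follow. The enclosing script block starts before this hunk.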
@@ -56,12 +56,12 @@ processors:
 if (signature != params.expect.fields) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")");
+ ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 } else if (ctx.resp.version != params.expect.version) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")");
+ ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 - remove:
 field: resp
diff --git a/packages/zscaler_zia/data_stream/endpoint_dlp/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/endpoint_dlp/elasticsearch/ingest_pipeline/default.yml
index a2ba9a3f7e7..1100c6b3b17 100644
--- a/packages/zscaler_zia/data_stream/endpoint_dlp/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/endpoint_dlp/elasticsearch/ingest_pipeline/default.yml
@@ -56,12 +56,12 @@ processors:
 if (signature != params.expect.fields) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#endpoint-dlp-log)");
+ ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 } else if (ctx.resp.version != params.expect.version) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#endpoint-dlp-log)");
+ ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 - remove:
 field: resp
diff --git a/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
index 2b98227b26e..1395551c8eb 100644
--- a/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
@@ -62,12 +62,12 @@ processors:
 if (signature != params.expect.fields) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")");
+ ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 } else if (ctx.resp.version != params.expect.version) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")");
+ ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 - remove:
 field: resp
diff --git a/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
index 929b97f897c..623205695e3 100644
--- a/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
@@ -60,12 +60,12 @@ processors:
 if (params.expect.fields[signature] != true) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")");
+ ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 } else if (ctx.resp.version != params.expect.version) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")");
+ ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 - remove:
 field: resp
diff --git a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
index 9ea2a203556..cd33ff09cf8 100644
--- a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
@@ -56,12 +56,12 @@ processors:
 if (signature != params.expect.fields) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")");
+ ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 } else if (ctx.resp.version != params.expect.version) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://www.elastic.co/docs/reference/integrations/zscaler_zia#"+params.data_stream+")");
+ ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 - remove:
 field: resp
From 451811bb3deb9329e67605676076817d52d843e8 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Thu, 22 May 2025 15:04:42 +0930 Subject: [PATCH 5/8] add protective comment/tags and use data_stream param
---
.../audit/elasticsearch/ingest_pipeline/default.yml | 5 +++-- .../dns/elasticsearch/ingest_pipeline/default.yml | 5 +++-- .../endpoint_dlp/elasticsearch/ingest_pipeline/default.yml | 5 +++-- .../firewall/elasticsearch/ingest_pipeline/default.yml | 5 +++-- .../tunnel/elasticsearch/ingest_pipeline/default.yml | 5 +++-- .../web/elasticsearch/ingest_pipeline/default.yml | 5 +++-- packages/zscaler_zia/manifest.yml | 3 +++ 7 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/packages/zscaler_zia/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index 076a8f3a407..ed18aca8235 100644
--- a/packages/zscaler_zia/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -38,6 +38,7 @@ processors:
 target_field: json
 ignore_missing: true
 - script:
+ tag: check_template_version
 params:
 pkg_version: 3.12.0
 data_stream: audit-log
@@ -56,12 +57,12 @@ processors:
 if (signature != params.expect.fields) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
+ ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see "+params.data_stream+" in https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 } else if (ctx.resp.version != params.expect.version) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
+ ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see "+params.data_stream+" in https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 - remove:
 field: resp
diff --git a/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
index 180ae14f848..0baf6838e38 100644
--- a/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
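Review bot: The audit messages on the `+` lines of the second hunk read `(see "+params.data_stream+" in https://…)`, while the dns, endpoint_dlp, firewall, tunnel and web hunks that follow omit the word "in", so one stream emits `(see audit-log in https://…)` and the others `(see dns-log https://…)`; pick one wording for all six so the error text can be matched by a single pattern. Since these strings are the user-visible signal of the strict template mode, a pipeline test asserting the exact `error.message` text for each data stream would catch this kind of drift. The `pkg_version: 3.12.0` context line is an unquoted scalar; it reads as a string today, but a two-component value such as 3.10 would be parsed as a YAML float and render as 3.1 in the link, so quoting it as `pkg_version: "3.12.0"` is cheap insurance. The enclosing script block starts before the second hunk.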
@@ -38,6 +38,7 @@ processors:
 target_field: json
 ignore_missing: true
 - script:
+ tag: check_template_version
 params:
 pkg_version: 3.12.0
 data_stream: dns-log
@@ -56,12 +57,12 @@ processors:
 if (signature != params.expect.fields) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
+ ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see "+params.data_stream+" https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 } else if (ctx.resp.version != params.expect.version) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
+ ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see "+params.data_stream+" https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 - remove:
 field: resp
diff --git a/packages/zscaler_zia/data_stream/endpoint_dlp/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/endpoint_dlp/elasticsearch/ingest_pipeline/default.yml
index 1100c6b3b17..25b54a40331 100644
--- a/packages/zscaler_zia/data_stream/endpoint_dlp/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/endpoint_dlp/elasticsearch/ingest_pipeline/default.yml
@@ -38,6 +38,7 @@ processors:
 target_field: json
 ignore_missing: true
 - script:
+ tag: check_template_version
 params:
 pkg_version: 3.12.0
 data_stream: endpoint-dlp-log
@@ -56,12 +57,12 @@ processors:
 if (signature != params.expect.fields) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
+ ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see "+params.data_stream+" https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 } else if (ctx.resp.version != params.expect.version) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
+ ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see "+params.data_stream+" https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 - remove:
 field: resp
diff --git a/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
index 1395551c8eb..cd02ff584cb 100644
--- a/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
@@ -44,6 +44,7 @@ processors:
 target_field: json
 ignore_missing: true
 - script:
+ tag: check_template_version
 params:
 pkg_version: 3.12.0
 data_stream: firewall-log
@@ -62,12 +63,12 @@ processors:
 if (signature != params.expect.fields) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
+ ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see "+params.data_stream+" https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 } else if (ctx.resp.version != params.expect.version) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
+ ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see "+params.data_stream+" https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 - remove:
 field: resp
diff --git a/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
index 623205695e3..d333f7c8805 100644
--- a/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml
@@ -38,6 +38,7 @@ processors:
 target_field: json
 ignore_missing: true
 - script:
+ tag: check_template_version
 params:
 pkg_version: 3.12.0
 data_stream: tunnel-log
@@ -60,12 +61,12 @@ processors:
 if (params.expect.fields[signature] != true) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
+ ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see "+params.data_stream+" https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 } else if (ctx.resp.version != params.expect.version) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
+ ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see "+params.data_stream+" https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 - remove:
 field: resp
diff --git a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
index cd33ff09cf8..33c749ee067 100644
--- a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
@@ -38,6 +38,7 @@ processors:
 target_field: json
 ignore_missing: true
 - script:
+ tag: check_template_version
 params:
 pkg_version: 3.12.0
 data_stream: web-log
@@ -56,12 +57,12 @@ processors:
 if (signature != params.expect.fields) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
+ ctx.error.message.add("field set mismatch: "+signature+" is not expected set of templated fields (see "+params.data_stream+" https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 } else if (ctx.resp.version != params.expect.version) {
 ctx.error = ctx.error ?: [:];
 ctx.error.message = ctx.error.message ?: [];
- ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
+ ctx.error.message.add("template version mismatch: "+ctx.resp.version.toString()+" is not expected version (see "+params.data_stream+" https://epr.elastic.co/package/zscaler_zia/"+params.pkg_version+"/docs/README.md)");
 }
 - remove:
 field: resp
diff --git a/packages/zscaler_zia/manifest.yml b/packages/zscaler_zia/manifest.yml
index c2ba1bc16b5..bf2f20e93da 100644
--- a/packages/zscaler_zia/manifest.yml
+++ b/packages/zscaler_zia/manifest.yml
@@ -1,6 +1,9 @@
 format_version: "3.2.3"
 name: zscaler_zia
 title: Zscaler Internet Access
+# When updating version, make sure the pkg_version parameter in
+# the check_template_version script in ingest pipelines is
+# updated to match.
 version: "3.12.0"
 description: Collect logs from Zscaler Internet Access (ZIA) with Elastic Agent.
 type: integration
From d004c9a969af8af9af6634478ad2e3dd49c068e5 Mon Sep 17 00:00:00 2001
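Review bot: The added comment is the only thing keeping `pkg_version: 3.12.0` in the ingest pipelines in step with `version: "3.12.0"` here, and the README link embedded in the pipelines' error messages silently goes stale the first time a release bumps one without the other. A build-time or test-time assertion that every pipeline's `pkg_version` equals the manifest version would turn that drift into a failure rather than something to remember; alternatively the comment could at least list the six pipeline files so the maintainer knows where to look.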
From: Dan Kortschak
Date: Thu, 22 May 2025 18:20:22 +0930
Subject: [PATCH 6/8] address pr comment
---
 packages/zscaler_zia/_dev/build/docs/README.md | 4 ++--
 packages/zscaler_zia/docs/README.md | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/packages/zscaler_zia/_dev/build/docs/README.md b/packages/zscaler_zia/_dev/build/docs/README.md
index e848f9afc11..e22fc0b6e65 100644
--- a/packages/zscaler_zia/_dev/build/docs/README.md
+++ b/packages/zscaler_zia/_dev/build/docs/README.md
@@ -138,12 +138,12 @@ See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/nss-feed-output Zscaler DNS Log response format (v2): ``` -\{"version":"v1","sourcetype":"zscalernss-dns","event":\{"user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","clt_sip":"%s{cip}","cloudname":"%s{cloudname}","company":"%s{company}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","day_of_month":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","devicehostname":"%s{devicehostname}","devicemodel":"%s{devicemodel}","devicename":"%s{devicename}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","deviceowner":"%s{deviceowner}","devicetype":"%s{devicetype}","dnsapp":"%s{dnsapp}","dnsappcat":"%s{dnsappcat}","dns_gateway_status":"%s{dnsgw_flags}","dns_gateway_rule":"%s{dnsgw_slot}","dns_gateway_server_protocol":"%s{dnsgw_srv_proto}","category":"%s{domcat}","durationms":"%d{durationms}","ecs_prefix":"%s{ecs_prefix}","ecs_slot":"%s{ecs_slot}","epochtime":"%d{epochtime}","error":"%s{error}","hour":"%02d{hh}","http_code":"%s{http_code}","istcp":"%d{istcp}","loc":"%s{location}","login":"%s{login}","minutes":"%02d{mm}","month":"%s{mon}","month_of_year":"%02d{mth}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odomcat":"%s{odomcat}","protocol":"%s{protocol}","recordid":"%d{recordid}","dns_req":"%s{req}","reqaction":"%s{reqaction}","reqrulelabel":"%s{reqrulelabel}","dns_reqtype":"%s{reqtype}","dns_resp":"%s{res}","resaction":"%s{resaction}","respipcategory":"%s{respipcat}","resrulelabel":"%s{resrulelabel}","restype":"%s{restype}","srv_dip":"%s{sip}","srv_dport":"%d{sport}","second":"%02d{ss}","datetime":"%s{time}","tz":"%s{tz}","year":"%04d{yyyy}"\}\} 
+\{"version":"v2","sourcetype":"zscalernss-dns","event":\{"user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","clt_sip":"%s{cip}","cloudname":"%s{cloudname}","company":"%s{company}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","day_of_month":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","devicehostname":"%s{devicehostname}","devicemodel":"%s{devicemodel}","devicename":"%s{devicename}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","deviceowner":"%s{deviceowner}","devicetype":"%s{devicetype}","dnsapp":"%s{dnsapp}","dnsappcat":"%s{dnsappcat}","dns_gateway_status":"%s{dnsgw_flags}","dns_gateway_rule":"%s{dnsgw_slot}","dns_gateway_server_protocol":"%s{dnsgw_srv_proto}","category":"%s{domcat}","durationms":"%d{durationms}","ecs_prefix":"%s{ecs_prefix}","ecs_slot":"%s{ecs_slot}","epochtime":"%d{epochtime}","error":"%s{error}","hour":"%02d{hh}","http_code":"%s{http_code}","istcp":"%d{istcp}","loc":"%s{location}","login":"%s{login}","minutes":"%02d{mm}","month":"%s{mon}","month_of_year":"%02d{mth}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odomcat":"%s{odomcat}","protocol":"%s{protocol}","recordid":"%d{recordid}","dns_req":"%s{req}","reqaction":"%s{reqaction}","reqrulelabel":"%s{reqrulelabel}","dns_reqtype":"%s{reqtype}","dns_resp":"%s{res}","resaction":"%s{resaction}","respipcategory":"%s{respipcat}","resrulelabel":"%s{resrulelabel}","restype":"%s{restype}","srv_dip":"%s{sip}","srv_dport":"%d{sport}","second":"%02d{ss}","datetime":"%s{time}","tz":"%s{tz}","year":"%04d{yyyy}"\}\} ``` Sample Response: ```json -{"version":"v1","sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A 
record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"www.example.com","respipcategory":"Adult Themes","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} +{"version":"v2","sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google 
DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"www.example.com","respipcategory":"Adult Themes","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} ``` ### Endpoint DLP Log diff --git a/packages/zscaler_zia/docs/README.md b/packages/zscaler_zia/docs/README.md index 47ab02b418b..b63d923e66c 100644 --- a/packages/zscaler_zia/docs/README.md +++ b/packages/zscaler_zia/docs/README.md 
@@ -138,12 +138,12 @@ See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/nss-feed-output Zscaler DNS Log response format (v2): ``` -\{"version":"v1","sourcetype":"zscalernss-dns","event":\{"user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","clt_sip":"%s{cip}","cloudname":"%s{cloudname}","company":"%s{company}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","day_of_month":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","devicehostname":"%s{devicehostname}","devicemodel":"%s{devicemodel}","devicename":"%s{devicename}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","deviceowner":"%s{deviceowner}","devicetype":"%s{devicetype}","dnsapp":"%s{dnsapp}","dnsappcat":"%s{dnsappcat}","dns_gateway_status":"%s{dnsgw_flags}","dns_gateway_rule":"%s{dnsgw_slot}","dns_gateway_server_protocol":"%s{dnsgw_srv_proto}","category":"%s{domcat}","durationms":"%d{durationms}","ecs_prefix":"%s{ecs_prefix}","ecs_slot":"%s{ecs_slot}","epochtime":"%d{epochtime}","error":"%s{error}","hour":"%02d{hh}","http_code":"%s{http_code}","istcp":"%d{istcp}","loc":"%s{location}","login":"%s{login}","minutes":"%02d{mm}","month":"%s{mon}","month_of_year":"%02d{mth}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odomcat":"%s{odomcat}","protocol":"%s{protocol}","recordid":"%d{recordid}","dns_req":"%s{req}","reqaction":"%s{reqaction}","reqrulelabel":"%s{reqrulelabel}","dns_reqtype":"%s{reqtype}","dns_resp":"%s{res}","resaction":"%s{resaction}","respipcategory":"%s{respipcat}","resrulelabel":"%s{resrulelabel}","restype":"%s{restype}","srv_dip":"%s{sip}","srv_dport":"%d{sport}","second":"%02d{ss}","datetime":"%s{time}","tz":"%s{tz}","year":"%04d{yyyy}"\}\} 
+\{"version":"v2","sourcetype":"zscalernss-dns","event":\{"user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","clt_sip":"%s{cip}","cloudname":"%s{cloudname}","company":"%s{company}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","day_of_month":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","devicehostname":"%s{devicehostname}","devicemodel":"%s{devicemodel}","devicename":"%s{devicename}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","deviceowner":"%s{deviceowner}","devicetype":"%s{devicetype}","dnsapp":"%s{dnsapp}","dnsappcat":"%s{dnsappcat}","dns_gateway_status":"%s{dnsgw_flags}","dns_gateway_rule":"%s{dnsgw_slot}","dns_gateway_server_protocol":"%s{dnsgw_srv_proto}","category":"%s{domcat}","durationms":"%d{durationms}","ecs_prefix":"%s{ecs_prefix}","ecs_slot":"%s{ecs_slot}","epochtime":"%d{epochtime}","error":"%s{error}","hour":"%02d{hh}","http_code":"%s{http_code}","istcp":"%d{istcp}","loc":"%s{location}","login":"%s{login}","minutes":"%02d{mm}","month":"%s{mon}","month_of_year":"%02d{mth}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odomcat":"%s{odomcat}","protocol":"%s{protocol}","recordid":"%d{recordid}","dns_req":"%s{req}","reqaction":"%s{reqaction}","reqrulelabel":"%s{reqrulelabel}","dns_reqtype":"%s{reqtype}","dns_resp":"%s{res}","resaction":"%s{resaction}","respipcategory":"%s{respipcat}","resrulelabel":"%s{resrulelabel}","restype":"%s{restype}","srv_dip":"%s{sip}","srv_dport":"%d{sport}","second":"%02d{ss}","datetime":"%s{time}","tz":"%s{tz}","year":"%04d{yyyy}"\}\} ``` Sample Response: ```json -{"version":"v1","sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A 
record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"www.example.com","respipcategory":"Adult Themes","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} +{"version":"v2","sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google 
DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"www.example.com","respipcategory":"Adult Themes","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}} ``` ### Endpoint DLP Log From a40b8d8534129435e9c353995cbecc6cbb9b2eb1 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Fri, 23 May 2025 06:07:51 +0930 Subject: [PATCH 7/8] make strict fields on by default --- packages/zscaler_zia/manifest.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/packages/zscaler_zia/manifest.yml b/packages/zscaler_zia/manifest.yml index bf2f20e93da..5bf507c6226 100644 --- a/packages/zscaler_zia/manifest.yml +++ b/packages/zscaler_zia/manifest.yml @@ -178,6 +178,7 @@ policy_templates: type: bool title: Require Strict Field/Version Check description: Whether to check for template version mismatch. + default: true required: false show_user: false - type: cel From 192b7a643de2602a6f98700d3a6913c0c12c1fc4 Mon Sep 17 00:00:00 2001 
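Review bot: With `default: true` the check now runs for every newly created policy, but the `description` above it still says only `Whether to check for template version mismatch.` and `show_user: false` keeps the toggle hidden, so an operator is unlikely to learn why `error.message` begins reporting field-set or version mismatches after an upgrade. I would expand the description, e.g. `description: Whether to check that each event matches the expected log template version and field set; mismatches are recorded in error.message. Enabled by default.`, and call out the new default in the changelog entry so the behaviour change is visible at upgrade time. The wording is mine; the behaviour it describes is what the pipeline script hunks earlier in this series implement.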
From: Dan Kortschak
Date: Fri, 23 May 2025 09:25:15 +0930
Subject: [PATCH 8/8] disable strict fields for system tests
---
 .../data_stream/audit/_dev/test/system/test-default-config.yml | 1 +
 .../audit/_dev/test/system/test-http-endpoint-config.yml | 1 +
 .../dns/_dev/test/system/test-http-endpoint-config.yml | 1 +
 .../data_stream/dns/_dev/test/system/test-tcp-config.yml | 1 +
 .../endpoint_dlp/_dev/test/system/test-default-config.yml | 1 +
 .../endpoint_dlp/_dev/test/system/test-http-endpoint-config.yml | 1 +
 .../firewall/_dev/test/system/test-http-endpoint-config.yml | 1 +
 .../data_stream/firewall/_dev/test/system/test-tcp-config.yml | 1 +
 .../tunnel/_dev/test/system/test-http-endpoint-config.yml | 1 +
 .../data_stream/tunnel/_dev/test/system/test-tcp-config.yml | 1 +
 .../web/_dev/test/system/test-http-endpoint-config.yml | 1 +
 .../data_stream/web/_dev/test/system/test-tcp-config.yml | 1 +
 12 files changed, 12 insertions(+)
diff --git a/packages/zscaler_zia/data_stream/audit/_dev/test/system/test-default-config.yml b/packages/zscaler_zia/data_stream/audit/_dev/test/system/test-default-config.yml
index 7f444806bc8..2a5b8ea9f04 100644
--- a/packages/zscaler_zia/data_stream/audit/_dev/test/system/test-default-config.yml
+++ b/packages/zscaler_zia/data_stream/audit/_dev/test/system/test-default-config.yml
@@ -2,6 +2,7 @@ service: zscaler-zia-audit-tcp
 service_notify_signal: SIGHUP
 vars:
 listen_address: 0.0.0.0
+ strict_fields: false
 data_stream:
 vars:
 listen_port: 9029
diff --git a/packages/zscaler_zia/data_stream/audit/_dev/test/system/test-http-endpoint-config.yml b/packages/zscaler_zia/data_stream/audit/_dev/test/system/test-http-endpoint-config.yml
index b8507d2508c..1de84dd45ce 100644
--- a/packages/zscaler_zia/data_stream/audit/_dev/test/system/test-http-endpoint-config.yml
+++ b/packages/zscaler_zia/data_stream/audit/_dev/test/system/test-http-endpoint-config.yml
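Review bot: Adding `strict_fields: false` to every system test config means the strict path that the manifest hunk above turns on by default is never exercised end to end; the same line is added to the remaining eleven configs in this patch. If the fixture logs these tests replay do not follow the documented templates (which would explain why the check has to be disabled), it may be worth keeping one config with the check enabled against a conforming fixture, so a regression in the version or field-set check shows up in system tests and not only in the pipeline tests.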
@@ -3,6 +3,7 @@ service_notify_signal: SIGHUP
 input: http_endpoint
 vars:
 listen_address: 0.0.0.0
+ strict_fields: false
 data_stream:
 vars:
 listen_port: 9562
diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/system/test-http-endpoint-config.yml b/packages/zscaler_zia/data_stream/dns/_dev/test/system/test-http-endpoint-config.yml
index 12903b3519f..168cf012194 100644
--- a/packages/zscaler_zia/data_stream/dns/_dev/test/system/test-http-endpoint-config.yml
+++ b/packages/zscaler_zia/data_stream/dns/_dev/test/system/test-http-endpoint-config.yml
@@ -3,6 +3,7 @@ service_notify_signal: SIGHUP
 input: http_endpoint
 vars:
 listen_address: 0.0.0.0
+ strict_fields: false
 data_stream:
 vars:
 listen_port: 9556
diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/system/test-tcp-config.yml b/packages/zscaler_zia/data_stream/dns/_dev/test/system/test-tcp-config.yml
index e29f2af9b55..81cfc350150 100644
--- a/packages/zscaler_zia/data_stream/dns/_dev/test/system/test-tcp-config.yml
+++ b/packages/zscaler_zia/data_stream/dns/_dev/test/system/test-tcp-config.yml
@@ -3,6 +3,7 @@ service_notify_signal: SIGHUP
 input: tcp
 vars:
 listen_address: 0.0.0.0
+ strict_fields: false
 data_stream:
 vars:
 listen_port: 9011
diff --git a/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/system/test-default-config.yml b/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/system/test-default-config.yml
index 3bd9ea8b947..c7d8030d43e 100644
--- a/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/system/test-default-config.yml
+++ b/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/system/test-default-config.yml
@@ -2,6 +2,7 @@ service: zscaler-zia-endpoint-dlp-tcp
 service_notify_signal: SIGHUP
 vars:
 listen_address: 0.0.0.0
+ strict_fields: false
 data_stream:
 vars:
 listen_port: 9023
diff --git a/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/system/test-http-endpoint-config.yml b/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/system/test-http-endpoint-config.yml
index 1ac90c57b0e..4197a1a6d15 100644
--- a/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/system/test-http-endpoint-config.yml
+++ b/packages/zscaler_zia/data_stream/endpoint_dlp/_dev/test/system/test-http-endpoint-config.yml
@@ -3,6 +3,7 @@ service_notify_signal: SIGHUP
 input: http_endpoint
 vars:
 listen_address: 0.0.0.0
+ strict_fields: false
 data_stream:
 vars:
 listen_port: 9561
diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/system/test-http-endpoint-config.yml b/packages/zscaler_zia/data_stream/firewall/_dev/test/system/test-http-endpoint-config.yml
index 526ba935e16..845af6e0bfc 100644
--- a/packages/zscaler_zia/data_stream/firewall/_dev/test/system/test-http-endpoint-config.yml
+++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/system/test-http-endpoint-config.yml
@@ -3,6 +3,7 @@ service_notify_signal: SIGHUP
 input: http_endpoint
 vars:
 listen_address: 0.0.0.0
+ strict_fields: false
 data_stream:
 vars:
 listen_port: 9557
diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/system/test-tcp-config.yml b/packages/zscaler_zia/data_stream/firewall/_dev/test/system/test-tcp-config.yml
index 76d6f54075e..2250b3e1235 100644
--- a/packages/zscaler_zia/data_stream/firewall/_dev/test/system/test-tcp-config.yml
+++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/system/test-tcp-config.yml
@@ -2,6 +2,7 @@ service: zscaler-zia-firewall-tcp
 service_notify_signal: SIGHUP
 vars:
 listen_address: 0.0.0.0
+ strict_fields: false
 data_stream:
 vars:
 listen_port: 9012
diff --git a/packages/zscaler_zia/data_stream/tunnel/_dev/test/system/test-http-endpoint-config.yml b/packages/zscaler_zia/data_stream/tunnel/_dev/test/system/test-http-endpoint-config.yml
index b0dc21cd523..909ef78c81c 100644
--- a/packages/zscaler_zia/data_stream/tunnel/_dev/test/system/test-http-endpoint-config.yml
+++ b/packages/zscaler_zia/data_stream/tunnel/_dev/test/system/test-http-endpoint-config.yml
@@ -3,6 +3,7 @@ service_notify_signal: SIGHUP
 input: http_endpoint
 vars:
 listen_address: 0.0.0.0
+ strict_fields: false
 data_stream:
 vars:
 listen_port: 9558
diff --git a/packages/zscaler_zia/data_stream/tunnel/_dev/test/system/test-tcp-config.yml b/packages/zscaler_zia/data_stream/tunnel/_dev/test/system/test-tcp-config.yml
index 3edb04d1f61..fdf9ae58b4d 100644
--- a/packages/zscaler_zia/data_stream/tunnel/_dev/test/system/test-tcp-config.yml
+++ b/packages/zscaler_zia/data_stream/tunnel/_dev/test/system/test-tcp-config.yml
@@ -2,6 +2,7 @@ service: zscaler-zia-tunnel-tcp
 service_notify_signal: SIGHUP
 vars:
 listen_address: 0.0.0.0
+ strict_fields: false
 data_stream:
 vars:
 listen_port: 9013
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/system/test-http-endpoint-config.yml b/packages/zscaler_zia/data_stream/web/_dev/test/system/test-http-endpoint-config.yml
index 20986f1efb8..22bd8885443 100644
--- a/packages/zscaler_zia/data_stream/web/_dev/test/system/test-http-endpoint-config.yml
+++ b/packages/zscaler_zia/data_stream/web/_dev/test/system/test-http-endpoint-config.yml
@@ -3,6 +3,7 @@ service_notify_signal: SIGHUP
 input: http_endpoint
 vars:
 listen_address: 0.0.0.0
+ strict_fields: false
 data_stream:
 vars:
 listen_port: 9559
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/system/test-tcp-config.yml b/packages/zscaler_zia/data_stream/web/_dev/test/system/test-tcp-config.yml
index b23cf14d7cd..9fc5ac15e60 100644
--- a/packages/zscaler_zia/data_stream/web/_dev/test/system/test-tcp-config.yml
+++ b/packages/zscaler_zia/data_stream/web/_dev/test/system/test-tcp-config.yml
@@ -2,6 +2,7 @@ service: zscaler-zia-web-tcp
 service_notify_signal: SIGHUP
 vars:
 listen_address: 0.0.0.0
+ strict_fields: false
 data_stream:
 vars:
 listen_port: 9014