Change log for ZSCALER_INTERNET_ACCESS

Date Changes
2024-06-21 Enhancement:
- Corrected the malformed structure of "log_event.preaction" and "log_event.postaction".
2024-06-17 Enhancement:
- Added support for key-value logs.
- Added support for a new pattern of JSON logs.
- Added support for a new pattern of CSV logs.
- Mapped "event_id" to "metadata.product_log_id".
- Mapped "time_stamp" to "metadata.event_timestamp".
- Mapped "type" to "metadata.product_event_type".
- Changed mapping of "log_event_csip" from "additional.fields" to "principal.ip".
- Changed mapping of "log_event_sdip" from "additional.fields" to "principal.ip".
- Changed mapping of "log_event_tsip" from "security_result.detection_fields" to "intermediary.ip".
- Changed mapping of "log_event_duration" from "additional.fields" to "network.session_duration.seconds".
- Changed mapping of "log_event_durationms" from "network.session_duration.seconds" to "additional.fields".
- Mapped "requestsize" to "network.sent_bytes".
- Mapped "protocol" to "network.application_protocol".
- Mapped "responsesize" to "network.received_bytes".
- Mapped "requestmethod" to "network.http.method".
- Mapped "refererURL" to "network.http.referral_url".
- Mapped "status" to "network.http.response_code".
- Mapped "useragent" to "network.http.user_agent" and "network.http.parsed_user_agent".
- Mapped "serverip" to "target.ip".
- Mapped "hostname" to "target.hostname".
- Mapped "clientpublicIP" to "principal.ip".
- Mapped "ClientIP" to "principal.ip".
- Mapped "appname" to "principal.application".
- Mapped "devicehostname" to "principal.hostname".
- Mapped "deviceowner" to "principal.user.user_display_name".
- Mapped "threatname" to "security_result.threat_name".
- Mapped "pagerisk" to "security_result.detection_fields".
- Mapped "threatseverity" to "security_result.severity_details".
- Mapped "filetype" to "target.resource.attribute.labels".
- Mapped "appclass", "dlpengine", "dlpdictionaries", "bwthrottle", "contenttype", "unscannabletype", and "transactionsize" to "additional.fields".
- Mapped "urlcategory", "threatcategory", "urlsupercategory", "urlclass", "threatclass", "fileclass", "keyprotectiontype", and "tag" to "security_result.category_details".
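As an added illustration (not part of this change log or of the Google SecOps parser, which is a Logstash-style configuration), the Python below applies a subset of the 2024-06-17 mappings to the three input shapes this release handles: JSON with a nested "log_event" object (flattened with an underscore, matching names such as "log_event_csip" above), key-value lines, and CSV. The sample records, the CSV column order, the dict representation of UDM and the helper names are all constructed for the demo; real Zscaler feeds define their own layouts. Note how "log_event_duration" lands in "network.session_duration.seconds" while "log_event_durationms" is kept as an opaque label in "additional.fields": the 2023-10-26 entry below shows that the millisecond value was previously written to the seconds field, so events ingested before this release carry values 1000x too large there, and any rule that thresholds on session duration has to account for that.

```python
"""Added example (not the SecOps parser): map constructed Zscaler-style JSON,
key=value and CSV lines into a UDM-shaped dict per the 2024-06-17 entries."""
import csv
import io
import json
import shlex

# Source key -> UDM path, copied from the 2024-06-17 change log entries.
FIELD_MAP = {
    "requestsize": "network.sent_bytes",
    "responsesize": "network.received_bytes",
    "requestmethod": "network.http.method",
    "status": "network.http.response_code",
    "useragent": "network.http.user_agent",
    "serverip": "target.ip",
    "hostname": "target.hostname",
    "ClientIP": "principal.ip",
    "clientpublicIP": "principal.ip",
    "log_event_csip": "principal.ip",
    "log_event_sdip": "principal.ip",
    "log_event_tsip": "intermediary.ip",
    "log_event_duration": "network.session_duration.seconds",
    "urlcategory": "security_result.category_details",
    "threatcategory": "security_result.category_details",
}
# Kept as opaque key/value labels; durationms is NOT converted into seconds.
ADDITIONAL_KEYS = {"log_event_durationms", "appclass", "contenttype", "transactionsize"}
# List-valued UDM paths (duplicate values collapse) and integer-valued ones.
REPEATED_PATHS = {"principal.ip", "target.ip", "intermediary.ip",
                  "security_result.category_details"}
INTEGER_PATHS = {"network.sent_bytes", "network.received_bytes",
                 "network.http.response_code", "network.session_duration.seconds"}


def parse_line(line, csv_columns=None):
    """Flatten one JSON, key=value or CSV line into {source_key: str}."""
    text = line.strip()
    if text.startswith("{"):
        flat = {}
        for key, value in json.loads(text).items():
            if isinstance(value, dict):  # log_event.csip -> log_event_csip
                flat.update({f"{key}_{k}": str(v) for k, v in value.items()})
            else:
                flat[key] = str(value)
        return flat
    if csv_columns is not None:  # caller supplies the (assumed) column layout
        row = next(csv.reader(io.StringIO(text)))
        if len(row) != len(csv_columns):
            raise ValueError(f"expected {len(csv_columns)} columns, got {len(row)}")
        return dict(zip(csv_columns, row))
    fields = {}
    for token in shlex.split(text):  # keeps useragent="Mozilla/5.0 (...)" whole
        if "=" not in token:
            raise ValueError(f"not key=value: {token!r}")
        key, value = token.split("=", 1)
        fields[key] = value
    return fields


def _assign(udm, path, value):
    """Set a dotted UDM path; list-valued paths append without duplicates."""
    *parents, leaf = path.split(".")
    node = udm
    for part in parents:
        node = node.setdefault(part, {})
    if path in REPEATED_PATHS:
        if value not in node.setdefault(leaf, []):
            node[leaf].append(value)
    else:
        node[leaf] = value


def to_udm(fields):
    """Apply the mapping table; unmapped source keys are dropped."""
    udm = {"additional": {"fields": []}}
    for key, value in fields.items():
        if key in ADDITIONAL_KEYS:
            udm["additional"]["fields"].append({"key": key, "value": value})
        elif key in FIELD_MAP:
            path = FIELD_MAP[key]
            _assign(udm, path, int(value) if path in INTEGER_PATHS else value)
    return udm


# Constructed samples, not real Zscaler output.
SAMPLE_JSON = ('{"sourcetype": "zscalernss-fw", "log_event": {"csip": "10.1.2.3", '
               '"sdip": "10.1.2.3", "tsip": "203.0.113.9", "duration": 42, "durationms": 42000}}')
SAMPLE_KV = ('requestmethod=GET status=200 requestsize=512 responsesize=20480 '
             'serverip=203.0.113.10 hostname=www.example.com ClientIP=10.0.0.5 '
             'clientpublicIP=192.0.2.8 useragent="Mozilla/5.0 (X11; Linux x86_64)" '
             'urlcategory=Business appclass="General Browsing"')
CSV_COLUMNS = ["requestmethod", "status", "requestsize", "responsesize",
               "serverip", "hostname", "ClientIP", "urlcategory", "threatcategory"]
SAMPLE_CSV = "GET,200,512,20480,203.0.113.10,www.example.com,10.0.0.5,Business,None"

if __name__ == "__main__":
    for line, cols in ((SAMPLE_JSON, None), (SAMPLE_KV, None), (SAMPLE_CSV, CSV_COLUMNS)):
        print(json.dumps(to_udm(parse_line(line, cols)), indent=1))
```

Run it directly to print the three normalized records. The mapping table is the part worth keeping next to your detection rules: diffing it against each parser release shows which UDM fields a rule depends on have moved, as "log_event_csip" and "log_event_durationms" did here.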
2024-04-29 Enhancement:
- Corrected the malformed structure of "log_event.preaction" and "log_event.postaction".
- Mapped "log_event.preaction.id" to "principal.resource.product_object_id" and "principal.resource.name".
- Mapped all nested fields inside "log_event.preaction" to "principal.resource.attribute.labels".
- Mapped all nested fields inside "log_event.postaction" to "principal.resource.attribute.labels".
2024-04-05 Enhancement:
- Mapped "log_event.time" to "metadata.event_timestamp".
2024-03-08 Enhancement:
- Added support for a new pattern of CSV logs.
- Mapped "application_protocol" to "network.application_protocol".
- Mapped "url" to "target.url".
- Mapped "received_bytes" to "network.received_bytes".
- Mapped "sent_bytes" to "network.sent_bytes".
- Mapped "url_class", "url_category", and "content_type" to "security_result.detection_fields".
- Mapped "department" to "principal.user.department".
- Mapped "locationname" to "principal.location.name".
- Mapped "user_office_id" to "principal.user.attribute.labels".
- Mapped "dst_ip" to "target.ip" and "target.asset.ip".
- Mapped "method" to "network.http.method".
- Mapped "response_code" to "network.http.response_code".
- Mapped "user_agent" to "network.http.user_agent".
- Mapped "referal_url" to "network.http.referral_url".
- Mapped "device_owner" to "principal.user.user_display_name".
- Mapped "device_hostname" to "principal.hostname" and "principal.asset.hostname".
2024-02-22 Enhancement:
- Added Grok patterns to parse "csv_data" and "json_data" from the new log format.
- Added a new layout for the new CSV log format.
- Mapped "log_event_adminid" to "principal.user.userid".
- Added a new Grok pattern to parse "timestamp" from "timestamp_column".
2024-02-07 Enhancement:
- Added a Grok pattern to extract "kv_data" from the field "description".
- Added a Grok pattern to extract "EventType" and "channel" from "text".
- Mapped "alertId" to "security_result.rule_id".
- Mapped "company" to "principal.user.company_name".
- Mapped "User" to "user.userid" and "user.email_addresses".
- Mapped "log_event" to "metadata.product_event_type".
- Mapped "ruleName" to "security_result.rule_name".
- Mapped "status" to "security_result.summary".
- Mapped "version" to "metadata.product_version".
- Mapped "ziaUrl" to "target.url".
- Mapped "AlertType" to "security_result.description".
- Mapped "IndexedBy" to "principal.hostname".
- Mapped "alias" and "channel" to "additional.fields".
- Mapped "createTime", "endTime", "startTime", "Activitycount", and "EventType" to "security_result.detection_fields".
2023-12-07 Enhancement:
- Added handling for a new set of ingested logs.
- Mapped "log_event.clientip" to "principal.ip".
- Mapped "log_event.adminid" to "principal.user.email_addresses".
- Mapped "log_event.category" to "security_result.category_details".
- Mapped "log_event.result" to "security_result.summary".
- Added a Grok pattern to handle the new set of logs.
- Mapped "prin_ip" to "principal.ip".
- Mapped "desc" to "security_result.description".
- Matched "ts" using date block.
2023-10-26 Enhancement:
- Renamed the JSON key "event" to "log_event" using the "gsub" function.
- Added a new Grok pattern to support XML logs.
- Mapped "version" to "metadata.product_version".
- Mapped "host" to "principal.hostname".
- Added a JSON filter to support JSON logs.
- Mapped "log_event.action" to "security_result.action_details".
- Mapped "log_event.ipcat" to "security_result.category_details".
- Mapped "sourcetype" to "security_result.about.resource.name".
- Mapped "log_event.department" to "target.user.department".
- Mapped "log_event.nwapp" to "target.application".
- Mapped "log_event.devicehostname" to "principal.hostname".
- Mapped "log_event.ssip" to "principal.ip".
- Mapped "log_event.ssport" to "principal.port".
- Mapped "log_event.cdip" to "target.ip".
- Mapped "log_event.cdport" to "target.port".
- Mapped "log_event.proto" to "network.ip_protocol".
- Mapped "log_event.locationname" to "principal.location.name".
- Mapped "log_event.user" to "principal.user.email_addresses".
- Mapped "log_event.deviceowner" to "principal.user.user_display_name".
- Mapped "log_event.rulelabel" to "security_result.rule_labels".
- Mapped "log_event.tsip", "log_event.numsessions", "log_event.ipsrulelabel", "log_event.threatname", and "log_event.threatcat" to "security_result.detection_fields".
- Mapped "log_event.tuntype", "log_event.csport", "log_event.csip", "log_event.sdip", "log_event.sdport", "log_event.dnat", "log_event.aggregate", "log_event.stateful", "log_event.avgduration", "log_event.duration", and "log_event.nwsvc" to "additional.fields".
- Mapped "log_event.durationms" to "network.session_duration.seconds".
- Mapped "log_event.inbytes" to "network.received_bytes".
- Mapped "log_event.outbytes" to "network.sent_bytes".
- Mapped "log_event.destcountry" to "target.location.country_or_region".
2023-08-18 - Newly created parser.