Change log for ZSCALER_INTERNET_ACCESS
Date | Changes |
---|---|
2024-06-21 | Enhancement:<br>- Corrected the malformed structure of "log_event.preaction" and "log_event.postaction". |
2024-06-17 | Enhancement:<br>- Added support for key-value logs.<br>- Added support for a new pattern of JSON logs.<br>- Added support for a new pattern of CSV logs.<br>- Mapped "event_id" to "metadata.product_log_id".<br>- Mapped "time_stamp" to "metadata.event_timestamp".<br>- Mapped "type" to "metadata.product_event_type".<br>- Changed mapping of "log_event_csip" from "additional.fields" to "principal.ip".<br>- Changed mapping of "log_event_sdip" from "additional.fields" to "principal.ip".<br>- Changed mapping of "log_event_tsip" from "security_result.detection_fields" to "intermediary.ip".<br>- Changed mapping of "log_event_duration" from "additional.fields" to "network.session_duration.seconds".<br>- Changed mapping of "log_event_durationms" from "network.session_duration.seconds" to "additional.fields".<br>- Mapped "requestsize" to "network.sent_bytes".<br>- Mapped "protocol" to "network.application_protocol".<br>- Mapped "responsesize" to "network.received_bytes".<br>- Mapped "requestmethod" to "network.http.method".<br>- Mapped "refererURL" to "network.http.referral_url".<br>- Mapped "status" to "network.http.response_code".<br>- Mapped "useragent" to "network.http.user_agent" and "network.http.parsed_user_agent".<br>- Mapped "serverip" to "target.ip".<br>- Mapped "hostname" to "target.hostname".<br>- Mapped "clientpublicIP" to "principal.ip".<br>- Mapped "ClientIP" to "principal.ip".<br>- Mapped "appname" to "principal.application".<br>- Mapped "devicehostname" to "principal.hostname".<br>- Mapped "deviceowner" to "principal.user.user_display_name".<br>- Mapped "threatname" to "security_result.threat_name".<br>- Mapped "pagerisk" to "security_result.detection_fields".<br>- Mapped "threatseverity" to "security_result.severity_details".<br>- Mapped "filetype" to "target.resource.attribute.labels".<br>- Mapped "appclass", "dlpengine", "dlpdictionaries", "bwthrottle", "contenttype", "unscannabletype", and "transactionsize" to "additional.fields".<br>- Mapped "urlcategory", "threatcategory", "urlsupercategory", "urlclass", "threatclass", "fileclass", "keyprotectiontype", and "tag" to "security_result.category_details". |
2024-04-29 | Enhancement:<br>- Corrected the malformed structure of "log_event.preaction" and "log_event.postaction".<br>- Mapped "log_event.preaction.id" to "principal.resource.product_object_id".<br>- Mapped "log_event.preaction.id" to "principal.resource.name".<br>- Mapped all nested fields inside "log_event.preaction" to "principal.resource.attribute.labels".<br>- Mapped all nested fields inside "log_event.postaction" to "principal.resource.attribute.labels". |
2024-04-05 | Enhancement:<br>- Mapped "log_event.time" to "metadata.event_timestamp". |
2024-03-08 | Enhancement:<br>- Added support for a new pattern of CSV logs.<br>- Mapped "application_protocol" to "network.application_protocol".<br>- Mapped "url" to "target.url".<br>- Mapped "received_bytes" to "network.received_bytes".<br>- Mapped "sent_bytes" to "network.sent_bytes".<br>- Mapped "url_class", "url_category", and "content_type" to "security_result.detection_fields".<br>- Mapped "department" to "principal.user.department".<br>- Mapped "locationname" to "principal.location.name".<br>- Mapped "user_office_id" to "principal.user.attribute.labels".<br>- Mapped "dst_ip" to "target.ip" and "target.asset.ip".<br>- Mapped "method" to "network.http.method".<br>- Mapped "response_code" to "network.http.response_code".<br>- Mapped "user_agent" to "network.http.user_agent".<br>- Mapped "referal_url" to "network.http.referral_url".<br>- Mapped "device_owner" to "principal.user.user_display_name".<br>- Mapped "device_hostname" to "principal.hostname" and "principal.asset.hostname". |
2024-02-22 | Enhancement:<br>- Added Grok patterns to parse "csv_data" and "json_data" from the new log format.<br>- Added a new layout for the new CSV log format.<br>- Mapped "log_event_adminid" to "principal.user.userid".<br>- Added a new Grok pattern to parse "timestamp" from "timestamp_column". |
2024-02-07 | Enhancement:<br>- Added a Grok pattern to extract "kv_data" from the field "description".<br>- Added a Grok pattern to extract "EventType" and "channel" from "text".<br>- Mapped "alertId" to "security_result.rule_id".<br>- Mapped "company" to "principal.user.company_name".<br>- Mapped "User" to "user.userid".<br>- Mapped "User" to "user.email_addresses".<br>- Mapped "log_event" to "metadata.product_event_type".<br>- Mapped "ruleName" to "security_result.rule_name".<br>- Mapped "status" to "security_result.summary".<br>- Mapped "version" to "metadata.product_version".<br>- Mapped "ziaUrl" to "target.url".<br>- Mapped "AlertType" to "security_result.description".<br>- Mapped "IndexedBy" to "principal.hostname".<br>- Mapped "alias" to "additional.fields".<br>- Mapped "channel" to "additional.fields".<br>- Mapped "createTime" to "security_result.detection_fields".<br>- Mapped "endTime" to "security_result.detection_fields".<br>- Mapped "startTime" to "security_result.detection_fields".<br>- Mapped "Activitycount" to "security_result.detection_fields".<br>- Mapped "EventType" to "security_result.detection_fields". |
2023-12-07 | Enhancement:<br>- Handled a new set of ingested logs.<br>- Mapped "log_event.clientip" to "principal.ip".<br>- Mapped "log_event.adminid" to "principal.user.email_addresses".<br>- Mapped "log_event.category" to "security_result.category_details".<br>- Mapped "log_event.result" to "security_result.summary".<br>- Added a Grok pattern to handle the new set of logs.<br>- Mapped "prin_ip" to "principal.ip".<br>- Mapped "desc" to "security_result.description".<br>- Parsed "ts" with a date block. |
2023-10-26 | Enhancement:<br>- Renamed the JSON key "event" to "log_event" using the "gsub" function.<br>- Added a new Grok pattern to support XML logs.<br>- Mapped "version" to "metadata.product_version".<br>- Mapped "host" to "principal.hostname".<br>- Added a JSON filter to support JSON logs.<br>- Mapped "log_event.action" to "security_result.action_details".<br>- Mapped "log_event.ipcat" to "security_result.category_details".<br>- Mapped "sourcetype" to "security_result.about.resource.name".<br>- Mapped "log_event.department" to "target.user.department".<br>- Mapped "log_event.nwapp" to "target.application".<br>- Mapped "log_event.devicehostname" to "principal.hostname".<br>- Mapped "log_event.ssip" to "principal.ip".<br>- Mapped "log_event.ssport" to "principal.port".<br>- Mapped "log_event.cdip" to "target.ip".<br>- Mapped "log_event.cdport" to "target.port".<br>- Mapped "log_event.proto" to "network.ip_protocol".<br>- Mapped "log_event.locationname" to "principal.location.name".<br>- Mapped "log_event.user" to "principal.user.email_addresses".<br>- Mapped "log_event.deviceowner" to "principal.user.user_display_name".<br>- Mapped "log_event.rulelabel" to "security_result.rule_labels".<br>- Mapped "log_event.tsip", "log_event.numsessions", "log_event.ipsrulelabel", "log_event.threatname", and "log_event.threatcat" to "security_result.detection_fields".<br>- Mapped "log_event.tuntype", "log_event.csport", "log_event.csip", "log_event.sdip", "log_event.sdport", "log_event.dnat", "log_event.aggregate", "log_event.stateful", "log_event.avgduration", "log_event.duration", and "log_event.nwsvc" to "additional.fields".<br>- Mapped "log_event.durationms" to "network.session_duration.seconds".<br>- Mapped "log_event.inbytes" to "network.received_bytes".<br>- Mapped "log_event.outbytes" to "network.sent_bytes".<br>- Mapped "log_event.destcountry" to "target.location.country_or_region". |
2023-08-18 | - Newly created parser. |
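The entries above record three input shapes for the same firewall fields (JSON wrapped in an "event" key that is renamed to "log_event", key-value pairs, and CSV) and a mapping correction worth checking in any normaliser: "durationms" first landed in "network.session_duration.seconds" and was later moved to "additional.fields", with "duration" taking the seconds slot. The Python below is an added example for this page, not the Google SecOps parser itself, and it reproduces a subset of those mappings over constructed sample lines. The CSV column order, the RFC 3339 timestamps and the IP addresses are assumptions for illustration; a real NSS feed uses whatever field order and time format the feed template defines.

```python
"""Normalise Zscaler-style JSON, key-value and CSV firewall log lines into a
flat UDM-like dict, following the field mappings listed in the change log.
Added example for this page; not the Google SecOps parser's own code."""
import csv
import io
import json
import re
from typing import Any, Dict

# Source field -> UDM path, from the 2023-10-26 and 2024-06-17 entries.
FIELD_MAP = {
    "csip": "principal.ip",
    "sdip": "principal.ip",
    "tsip": "intermediary.ip",
    "cdip": "target.ip",
    "cdport": "target.port",
    "proto": "network.ip_protocol",
    "inbytes": "network.received_bytes",
    "outbytes": "network.sent_bytes",
    "duration": "network.session_duration.seconds",
    "destcountry": "target.location.country_or_region",
    "nwapp": "target.application",
    "threatname": "security_result.threat_name",
    "rulelabel": "security_result.rule_labels",
}
# "durationms" deliberately goes to additional.fields: the 2024-06-17 entry
# moved it out of the seconds field, where a millisecond value would be read
# as seconds (1500 ms would become a 1500 s session).
ADDITIONAL = {"durationms", "nwsvc", "tuntype", "stateful", "dnat"}
INT_FIELDS = {"cdport", "inbytes", "outbytes", "duration"}

# Assumed column order for the CSV variant (illustrative, not Zscaler's).
CSV_COLUMNS = ["time_stamp", "csip", "sdip", "tsip", "cdip", "cdport",
               "proto", "inbytes", "outbytes", "duration", "durationms",
               "nwapp", "destcountry"]

KV_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')
KV_START = re.compile(r'^\w+=')


def parse_line(line: str) -> Dict[str, str]:
    """Detect JSON / key-value / CSV and return the raw field dict."""
    line = line.strip()
    if line.startswith("{"):
        obj = json.loads(line)
        # The 2023-10-26 entry renames the wrapper key "event" to "log_event".
        if "event" in obj:
            obj["log_event"] = obj.pop("event")
        inner = obj.get("log_event", obj)
        return {str(k): str(v) for k, v in inner.items()}
    if KV_START.match(line):
        return {k: v.strip('"') for k, v in KV_PAIR.findall(line)}
    row = next(csv.reader(io.StringIO(line)))
    if len(row) != len(CSV_COLUMNS):
        raise ValueError(f"CSV row has {len(row)} columns, expected {len(CSV_COLUMNS)}")
    return dict(zip(CSV_COLUMNS, row))


def to_udm(fields: Dict[str, str]) -> Dict[str, Any]:
    """Apply FIELD_MAP / ADDITIONAL; unknown fields are dropped."""
    udm: Dict[str, Any] = {"additional.fields": {}}
    for name, value in fields.items():
        if name == "time_stamp":
            udm["metadata.event_timestamp"] = value
        elif name in FIELD_MAP:
            path = FIELD_MAP[name]
            typed: Any = int(value) if name in INT_FIELDS else value
            if path == "principal.ip":
                # Two source fields feed principal.ip, so keep a de-duplicated list.
                udm.setdefault(path, [])
                if typed not in udm[path]:
                    udm[path].append(typed)
            else:
                udm[path] = typed
        elif name in ADDITIONAL:
            udm["additional.fields"][name] = value
    return udm


def normalise(line: str) -> Dict[str, Any]:
    return to_udm(parse_line(line))


# Constructed sample lines (not captured from a real Zscaler tenant).
SAMPLE_JSON = ('{"event":{"time_stamp":"2024-06-17T10:15:30Z","csip":"10.0.0.5",'
               '"sdip":"203.0.113.9","tsip":"198.51.100.1","cdip":"93.184.216.34",'
               '"cdport":443,"proto":"TCP","inbytes":2048,"outbytes":512,'
               '"duration":1,"durationms":1500,"nwapp":"HTTPS",'
               '"destcountry":"United States"}}')
SAMPLE_KV = ('time_stamp="2024-06-17T10:15:31Z" csip=10.0.0.6 sdip=203.0.113.9 '
             'tsip=198.51.100.1 cdip=93.184.216.34 cdport=443 proto=TCP '
             'inbytes=4096 outbytes=1024 duration=3 durationms=2750 nwapp=HTTPS '
             'destcountry="United States"')
SAMPLE_CSV = ('2024-06-17T10:15:32Z,10.0.0.7,203.0.113.9,198.51.100.1,'
              '93.184.216.34,443,TCP,8192,2048,12,12040,HTTPS,"United States"')

if __name__ == "__main__":
    for sample in (SAMPLE_JSON, SAMPLE_KV, SAMPLE_CSV):
        print(json.dumps(normalise(sample), indent=2))
```

Running it shows the same event shape for all three inputs, with "duration" in the seconds field and "durationms" kept as a string label; if a feed only emits "durationms", the right fix is to divide by 1000 before filling "network.session_duration.seconds", not to copy the raw number as the earlier mapping did.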