Change log for ZSCALER_WEBPROXY
Date | Changes |
---|---|
2024-11-28 | Enhancement:
- If "deviceowner" is in ["","Unknown","None", "NA"], then mapped "principal.user.userid" as "Unknown". |
2024-11-07 | Enhancement:
- Mapped "event_info.urlsupercategory" and "event_info.urlcategory" to "security_result.category_details". - Mapped "event_info.appname" to "principal.application". - Mapped "event_info.reason" to "security_result.description". - Mapped "event_info.upload_filename", "event_info.upload_filesubtype", "event_info.upload_fileclass", "event_info.unscannabletype", "event_info.upload_filetype" to "additional.fields". - Mapped "event_info.event_id" to "metadata.product_log_id". |
2024-10-30 | Enhancement:
- Fixed the timezone for "Europe/Paris". |
2024-10-23 | Enhancement:
- Modified the Grok pattern to support "HTTP" and "WEBSOCKET_SSL" logs. |
2024-10-1 | Enhancement:
- Added support to parse the unparsed logs. |
2024-09-23 | Enhancement:
- Changed the mapping of "srcPostNAT" from "target.ip" to "src.net_ip". |
2024-09-02 | Enhancement:
- Added support to parse unparsed logs. |
2024-06-25 | Enhancement:
- Added support to handle unparsed SYSLOG + KV logs. - Mapped "ssldecrypted" and "sslexternalspr" to "security_result.detection_fields". |
2024-06-24 | Enhancement:
- Added "not_json_log" check before parsing the CEF format logs. |
2024-06-10 | Enhancement:
- Mapped "urlhost" to "target.hostname" and "target.asset.hostname". |
2024-05-29 | Enhancement:
- Added support to parse a new pattern of CSV logs. |
2024-05-28 | Enhancement:
- Added conditional check for the "timezone" for "metadata.event_timestamp". - Mapped "unscannable_type" to "additional.fields". - Mapped "upload_filetype" to "target.file.mime_type". |
2024-05-20 | Bug-Fix:
- Corrected mapped "event_info.datetime" to "metadata.event_timestamp". - Added support to parse the malformed JSON logs. |
2024-05-06 | Enhancement:
- Added a Grok pattern to parse a new logtype. |
2024-04-18 | Enhancement:
- Added conditional check for "rt". - Mapped "ua" to "network.http.user_agent". - Mapped "reqsize" to "network.sent_bytes". - Mapped "respsize" to "network.received_bytes". - Mapped "datacentercountry" to "principal.location.country_or_region". - Mapped "datacentercity" to "principal.location.city". - Mapped "sip" to "principal.ip" and "principal.asset.ip". - Mapped "cip" to "target.ip" and "target.asset.ip". |
2024-03-28 | Enhancement:
- Mapped "fileclass", "urlClass" to "additional.fields". - Mapped "urlCat", "urlSuperCat" to "security_result.category_details". - Mapped "filetype" to "target.file.mime_type". |
2024-03-26 | Enhancement:
Updated the Grok expression to make the "intermediary_ip" optional and add support for extra space. |
2024-02-09 | Enhancement:
- Added a CSV block to parse the dropping logs. |
2024-01-27 | Bug-Fix -
- Added support for Google Drive event logs which are getting dropped. - Mapped "application" to "principal.application". - Mapped "column2" to "principal.user.department". - Mapped "column4", "column5", "column6", "column15" to "security_result.detection_fields". - Mapped "column6" to "principal.user.userid". - Mapped "column18" to "target.user.userid". - Mapped "column14" to "security_result.action_details". - Mapped "column16" to "security_result.rule_name". - Mapped "column17" to "security_result.severity". - Mapped "column8" to "target.resource.name". - Mapped "column7" to "target.resource.product_object_id". - Mapped "column1", "column9", "column10", "column12" to "target.resource.attribute.labels". |
2024-01-13 | Enhancement -
- Added "on_error" check to handle parsing error. |
2023-12-18 | Enhancement -
- Handled unparsing CSV logs. |
2023-11-20 | Enhancement -
- Modified Grok patterns to parse new fields. - Mapped "filename" to "event.idm.read_only_udm.target.file.full_path". - Mapped "hash" to "event.idm.read_only_udm.target.file.md5" |
2023-11-15 | Bug-Fix -
- Parsed 'devTime' with timezone and mapped to 'metadata.event_timestamp'. |
2023-10-11 | Bug-Fix:
- Added new grok pattern to parse failing logs. Enhancement: - Added a new Grok pattern to parse new KV data type logs. - For a new KV data type, renamed the following fields: - "reqMethod", "respCode", "sip", "dip", "proto", "responseSize", "reqSize", "appName", "appClass", "contenttype", "referer" to "requestmethod", "status", "client_ip", "target_ip", "protocol", "responsesize", "requestsize, "appname", "appclass", "content_type", and "refererURL", respectively. - Mapped "ua" to "network.http.parsed_user_agent". |
2023-09-15 | Bug-Fix -
- Parsed 'devTime' with timezone and mapped to 'metadata.event_timestamp'. |
2023-08-28 | Enhancement - Added supported for JSON logs.
- "event.protocol" mapped to "network.application_protocol". - "event.deviceowner" mapped to "principal.user.userid". - "event.md5" mapped to "principal.process.file.md5". - "event.sha256" mapped to "principal.process.file.sha256". - "event.department" mapped to "principal.user.department". - "event.devicehostname" mapped to "principal.hostname". - "event.user" mapped to "principal.user.userid". |
2023-06-15 | Enhancement - Mapped "policy" to "security_result.rule_name".
|
2023-01-09 | Enhancement - Mapped "md5" to "principal.process.file.md5".
|
2022-12-26 | Enhancement - Mapped the fields 'srcBytes' and 'dstBytes' to 'network.sent_bytes' and 'network.received_bytes' respectively.
|
2022-09-05 | Enhancement - Added following mappings for CEF format logs:
- Mapped the field 'action' to 'security_result.action' and 'security_result.action_details'. - Mapped the field 'cn1' to 'security_result.severity'. - Mapped the field 'cs2' to 'security_result.category_details'. - Mapped the field 'cat' to 'security_result.category_details'. - Mapped the field 'malwarecat' to 'security_result.category_details'. - Mapped the field 'cs5' to 'security_result.threat_name'. - Mapped the field 'dhost' to 'target.hostname'. - Mapped the field 'in' to 'network.received_bytes'. - Mapped the field 'out' to 'network.sent_bytes'. - Mapped the field 'outcome' to 'network.http.response_code'. - Mapped the field 'proto' to 'network.application_protocol'. - Mapped the field 'requestClientApplication' to 'network.http.user_agent'. - Mapped the field 'requestMethod' to 'network.http.method'. - Mapped the field 'requestContext' to 'network.http.referral_url'. - Mapped the field 'src' to 'principal.ip'. - Mapped the field 'suser' to 'principal.user.userid'. - Mapped the field 'ZscalerNSSWeblogURLClass' to 'additional.fields[n]'. - Mapped the field 'cs1' to 'additional.fields[n]'. - Mapped the field 'request' to 'target.url'. - Mapped the field 'dst' to 'target.ip'. - Mapped the field 'dport' and 'dpt' to 'target.port'. - Mapped the field 'spt' to 'principal.port'. - Mapped the field 'rt' to 'metadata.event_timestamp'. - Mapped the field 'externalId' to 'metadata.product_log_id'. |
2022-06-20 | Enhancement - Mapped 'metadata.product_name' to 'Zscaler Web Proxy' for logs that do not contain the field 'product'.
Added conditional check for the field 'url' mapped to UDM field 'target.port'. |
2022-05-31 | Enhancement-Added grok pattern for failing SIEM logs in csv format that were
dropped with error. |