Change log for ZSCALER_WEBPROXY

Date Changes
2024-11-28 Enhancement:
- If "deviceowner" is in ["", "Unknown", "None", "NA"], then "principal.user.userid" is mapped to "Unknown".
2024-11-07 Enhancement:
- Mapped "event_info.urlsupercategory" and "event_info.urlcategory" to "security_result.category_details".
- Mapped "event_info.appname" to "principal.application".
- Mapped "event_info.reason" to "security_result.description".
- Mapped "event_info.upload_filename", "event_info.upload_filesubtype", "event_info.upload_fileclass", "event_info.unscannabletype", "event_info.upload_filetype" to "additional.fields".
- Mapped "event_info.event_id" to "metadata.product_log_id".
2024-10-30 Enhancement:
- Fixed the timezone for "Europe/Paris".
2024-10-23 Enhancement:
- Modified the Grok pattern to support "HTTP" and "WEBSOCKET_SSL" logs.
2024-10-01 Enhancement:
- Added support to parse the unparsed logs.
2024-09-23 Enhancement:
- Changed the mapping of "srcPostNAT" from "target.ip" to "src.net_ip".
2024-09-02 Enhancement:
- Added support to parse unparsed logs.
2024-06-25 Enhancement:
- Added support to handle unparsed SYSLOG + KV logs.
- Mapped "ssldecrypted" and "sslexternalspr" to "security_result.detection_fields".
2024-06-24 Enhancement:
- Added "not_json_log" check before parsing the CEF format logs.
2024-06-10 Enhancement:
- Mapped "urlhost" to "target.hostname" and "target.asset.hostname".
2024-05-29 Enhancement:
- Added support to parse a new pattern of CSV logs.
2024-05-28 Enhancement:
- Added a conditional check on "timezone" when mapping "metadata.event_timestamp".
- Mapped "unscannable_type" to "additional.fields".
- Mapped "upload_filetype" to "target.file.mime_type".
2024-05-20 Bug-Fix:
- Corrected the mapping of "event_info.datetime" to "metadata.event_timestamp".
- Added support to parse the malformed JSON logs.
2024-05-06 Enhancement:
- Added a Grok pattern to parse a new logtype.
2024-04-18 Enhancement:
- Added a conditional check for "rt".
- Mapped "ua" to "network.http.user_agent".
- Mapped "reqsize" to "network.sent_bytes".
- Mapped "respsize" to "network.received_bytes".
- Mapped "datacentercountry" to "principal.location.country_or_region".
- Mapped "datacentercity" to "principal.location.city".
- Mapped "sip" to "principal.ip" and "principal.asset.ip".
- Mapped "cip" to "target.ip" and "target.asset.ip".
2024-03-28 Enhancement:
- Mapped "fileclass", "urlClass" to "additional.fields".
- Mapped "urlCat", "urlSuperCat" to "security_result.category_details".
- Mapped "filetype" to "target.file.mime_type".
2024-03-26 Enhancement:
- Updated the Grok expression to make "intermediary_ip" optional and to support extra whitespace.
2024-02-09 Enhancement:
- Added a CSV block to parse logs that were being dropped.
2024-01-27 Bug-Fix:
- Added support for Google Drive event logs that were being dropped.
- Mapped "application" to "principal.application".
- Mapped "column2" to "principal.user.department".
- Mapped "column4", "column5", "column6", "column15" to "security_result.detection_fields".
- Mapped "column6" to "principal.user.userid".
- Mapped "column18" to "target.user.userid".
- Mapped "column14" to "security_result.action_details".
- Mapped "column16" to "security_result.rule_name".
- Mapped "column17" to "security_result.severity".
- Mapped "column8" to "target.resource.name".
- Mapped "column7" to "target.resource.product_object_id".
- Mapped "column1", "column9", "column10", "column12" to "target.resource.attribute.labels".
2024-01-13 Enhancement:
- Added an "on_error" check to handle parsing errors.
2023-12-18 Enhancement:
- Handled unparsed CSV logs.
2023-11-20 Enhancement:
- Modified Grok patterns to parse new fields.
- Mapped "filename" to "event.idm.read_only_udm.target.file.full_path".
- Mapped "hash" to "event.idm.read_only_udm.target.file.md5".
2023-11-15 Bug-Fix:
- Parsed 'devTime' with timezone and mapped to 'metadata.event_timestamp'.
2023-10-11 Bug-Fix:
- Added a new Grok pattern to parse failing logs.
Enhancement:
- Added a new Grok pattern to parse logs of a new KV data type.
- For the new KV data type, renamed the fields "reqMethod", "respCode", "sip", "dip", "proto", "responseSize", "reqSize", "appName", "appClass", "contenttype" and "referer" to "requestmethod", "status", "client_ip", "target_ip", "protocol", "responsesize", "requestsize", "appname", "appclass", "content_type" and "refererURL", respectively.
- Mapped "ua" to "network.http.parsed_user_agent".
2023-09-15 Bug-Fix:
- Parsed 'devTime' with timezone and mapped to 'metadata.event_timestamp'.
2023-08-28 Enhancement - Added support for JSON logs:
- "event.protocol" mapped to "network.application_protocol".
- "event.deviceowner" mapped to "principal.user.userid".
- "event.md5" mapped to "principal.process.file.md5".
- "event.sha256" mapped to "principal.process.file.sha256".
- "event.department" mapped to "principal.user.department".
- "event.devicehostname" mapped to "principal.hostname".
- "event.user" mapped to "principal.user.userid".
2023-06-15 Enhancement - Mapped "policy" to "security_result.rule_name".
2023-01-09 Enhancement - Mapped "md5" to "principal.process.file.md5".
2022-12-26 Enhancement - Mapped the fields 'srcBytes' and 'dstBytes' to 'network.sent_bytes' and 'network.received_bytes' respectively.
2022-09-05 Enhancement - Added the following mappings for CEF format logs:
- Mapped the field 'action' to 'security_result.action' and 'security_result.action_details'.
- Mapped the field 'cn1' to 'security_result.severity'.
- Mapped the field 'cs2' to 'security_result.category_details'.
- Mapped the field 'cat' to 'security_result.category_details'.
- Mapped the field 'malwarecat' to 'security_result.category_details'.
- Mapped the field 'cs5' to 'security_result.threat_name'.
- Mapped the field 'dhost' to 'target.hostname'.
- Mapped the field 'in' to 'network.received_bytes'.
- Mapped the field 'out' to 'network.sent_bytes'.
- Mapped the field 'outcome' to 'network.http.response_code'.
- Mapped the field 'proto' to 'network.application_protocol'.
- Mapped the field 'requestClientApplication' to 'network.http.user_agent'.
- Mapped the field 'requestMethod' to 'network.http.method'.
- Mapped the field 'requestContext' to 'network.http.referral_url'.
- Mapped the field 'src' to 'principal.ip'.
- Mapped the field 'suser' to 'principal.user.userid'.
- Mapped the field 'ZscalerNSSWeblogURLClass' to 'additional.fields[n]'.
- Mapped the field 'cs1' to 'additional.fields[n]'.
- Mapped the field 'request' to 'target.url'.
- Mapped the field 'dst' to 'target.ip'.
- Mapped the field 'dport' and 'dpt' to 'target.port'.
- Mapped the field 'spt' to 'principal.port'.
- Mapped the field 'rt' to 'metadata.event_timestamp'.
- Mapped the field 'externalId' to 'metadata.product_log_id'.
2022-06-20 Enhancement - Set 'metadata.product_name' to 'Zscaler Web Proxy' for logs that do not contain the field 'product'.
- Added a conditional check for the field 'url' mapped to the UDM field 'target.port'.
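The following is an added example, not the parser's own code, showing what the CEF mapping listed in the 2022-09-05 entry and the 'product' default from the 2022-06-20 entry amount to in practice: a small CEF parser (header split on unescaped '|', extension split on 'key=' boundaries so values may contain spaces and escaped '=') that emits a simplified nested UDM dictionary. Assumptions not stated in the changelog: UDM is modelled as a plain nested dict (in real UDM 'security_result' and 'additional.fields' are repeated messages, here they are a dict and a list of {key, value} pairs), a numeric 'rt' is treated as epoch milliseconds, ports, byte counts and the response code are coerced to int, and the 'action' value is kept raw because the page does not describe its normalisation to the UDM enum. The sample CEF line is constructed for this example.

```python
import json
import re
from datetime import datetime, timezone

# CEF extension key -> UDM field(s), as listed in the 2022-09-05 changelog entry.
CEF_TO_UDM = {
    "action": ("security_result.action", "security_result.action_details"),
    "cn1": ("security_result.severity",),
    "cs2": ("security_result.category_details",),
    "cat": ("security_result.category_details",),
    "malwarecat": ("security_result.category_details",),
    "cs5": ("security_result.threat_name",),
    "dhost": ("target.hostname",),
    "in": ("network.received_bytes",),
    "out": ("network.sent_bytes",),
    "outcome": ("network.http.response_code",),
    "proto": ("network.application_protocol",),
    "requestClientApplication": ("network.http.user_agent",),
    "requestMethod": ("network.http.method",),
    "requestContext": ("network.http.referral_url",),
    "src": ("principal.ip",),
    "suser": ("principal.user.userid",),
    "ZscalerNSSWeblogURLClass": ("additional.fields",),
    "cs1": ("additional.fields",),
    "request": ("target.url",),
    "dst": ("target.ip",),
    "dport": ("target.port",),
    "dpt": ("target.port",),
    "spt": ("principal.port",),
    "rt": ("metadata.event_timestamp",),
    "externalId": ("metadata.product_log_id",),
}
# UDM fields that collect a list (three CEF keys feed category_details).
REPEATED = {"security_result.category_details", "security_result.action", "additional.fields"}
# Assumed numeric coercions; the changelog does not state them.
INT_FIELDS = {"network.received_bytes", "network.sent_bytes",
              "network.http.response_code", "target.port", "principal.port"}

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")            # '|' not preceded by a backslash
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # 'key=' at start or after whitespace


def _unescape(text):
    return text.replace(r"\|", "|").replace(r"\=", "=").replace(r"\\", "\\")


def parse_cef(line):
    """Return (header dict, extension dict) for one CEF record."""
    parts = _HEADER_SPLIT.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    names = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
    header = dict(zip(names, (_unescape(p) for p in parts[:7])))
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    ext, keys = parts[7], list(_EXT_KEY.finditer(parts[7]))
    extension = {}
    for i, m in enumerate(keys):
        # A value runs from after '=' up to the next ' key=' boundary, so it may contain spaces.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extension[m.group(1)] = _unescape(ext[m.end():end].strip())
    return header, extension


def _set(udm, path, value):
    node = udm
    *parents, leaf = path.split(".")
    for p in parents:
        node = node.setdefault(p, {})
    if path in REPEATED:
        node.setdefault(leaf, []).append(value)
    else:
        node[leaf] = value


def _convert(path, key, raw):
    if path in INT_FIELDS:
        return int(raw)
    if path == "metadata.event_timestamp" and raw.isdigit():
        # Assumption: a numeric 'rt' is epoch milliseconds; emit UTC RFC 3339.
        return datetime.fromtimestamp(int(raw) / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if path == "additional.fields":
        return {"key": key, "value": raw}  # additional.fields[n] modelled as key/value pairs
    return raw  # 'action' stays raw: its normalisation to the UDM enum is not described on the page


def cef_to_udm(line):
    header, extension = parse_cef(line)
    udm = {}
    if "product" not in extension:  # 2022-06-20 entry: default product name
        _set(udm, "metadata.product_name", "Zscaler Web Proxy")
    for key, raw in extension.items():
        for path in CEF_TO_UDM.get(key, ()):
            _set(udm, path, _convert(path, key, raw))
    return udm


# Constructed sample record (not a real Zscaler log); note the escaped '|' and '='.
SAMPLE = (
    "CEF:0|Zscaler|NSSWeblog|5.7|200|Web\\|Access|3|"
    "rt=1662336000000 externalId=1000001 src=10.0.0.5 spt=51234 dst=203.0.113.10 dpt=443 "
    "suser=alice@example.com requestMethod=GET request=https://example.com/index.html?a=1&b=2 "
    "dhost=example.com proto=HTTPS in=1024 out=512 outcome=200 action=Allowed cn1=3 "
    "cs2=Business cat=Business Use malwarecat=None cs5=None "
    "requestClientApplication=Mozilla/5.0 (Windows NT 10.0) "
    "requestContext=https://ref.example.com/ ZscalerNSSWeblogURLClass=Business Use cs1=a\\=b"
)

if __name__ == "__main__":
    print(json.dumps(cef_to_udm(SAMPLE), indent=2))
```

Running the block prints the nested UDM document for the sample line; the escaped '|' in the CEF name survives as a literal pipe, 'cs1=a\=b' becomes the pair {"key": "cs1", "value": "a=b"}, and 'rt' resolves to 2022-09-05T00:00:00Z.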
2022-05-31 Enhancement - Added a Grok pattern for failing SIEM logs in CSV format that were dropped with an error.