Change log for ZSCALER_WEBPROXY

Date Changes
2024-02-09 Enhancement -
- Added a CSV block to parse the logs that were being dropped.
2024-01-27 Bug-Fix -
- Added support for Google Drive event logs that were being dropped.
- Mapped "application" to "principal.application".
- Mapped "column2" to "principal.user.department".
- Mapped "column4", "column5", "column6", "column15" to "security_result.detection_fields".
- Mapped "column6" to "principal.user.userid".
- Mapped "column18" to "target.user.userid".
- Mapped "column14" to "security_result.action_details".
- Mapped "column16" to "security_result.rule_name".
- Mapped "column17" to "security_result.severity".
- Mapped "column8" to "target.resource.name".
- Mapped "column7" to "target.resource.product_object_id".
- Mapped "column1", "column9", "column10", "column12" to "target.resource.attribute.labels".
2024-01-13 Enhancement -
- Added an "on_error" check to handle parsing errors.
2023-12-18 Enhancement -
- Handled unparsed CSV logs.
2023-11-20 Enhancement -
- Modified Grok patterns to parse new fields.
- Mapped "filename" to "event.idm.read_only_udm.target.file.full_path".
- Mapped "hash" to "event.idm.read_only_udm.target.file.md5".
2023-11-15 Bug-Fix -
- Parsed 'devTime' with timezone and mapped to 'metadata.event_timestamp'.
2023-10-11 Bug-Fix -
- Added a new Grok pattern to parse failing logs.
Enhancement -
- Added a new Grok pattern to parse new KV data type logs.
- For the new KV data type, renamed the following fields:
- "reqMethod", "respCode", "sip", "dip", "proto", "responseSize", "reqSize", "appName", "appClass", "contenttype", "referer" to "requestmethod", "status", "client_ip", "target_ip", "protocol", "responsesize", "requestsize", "appname", "appclass", "content_type", and "refererURL", respectively.
- Mapped "ua" to "network.http.parsed_user_agent".
2023-09-15 Bug-Fix -
- Parsed 'devTime' with timezone and mapped to 'metadata.event_timestamp'.
2023-08-28 Enhancement - Added support for JSON logs.
- "event.protocol" mapped to "network.application_protocol".
- "event.deviceowner" mapped to "principal.user.userid".
- "event.md5" mapped to "principal.process.file.md5".
- "event.sha256" mapped to "principal.process.file.sha256".
- "event.department" mapped to "principal.user.department".
- "event.devicehostname" mapped to "principal.hostname".
- "event.user" mapped to "principal.user.userid".
2023-06-15 Enhancement - Mapped "policy" to "security_result.rule_name".
2023-01-09 Enhancement - Mapped "md5" to "principal.process.file.md5".
2022-12-26 Enhancement - Mapped the fields 'srcBytes' and 'dstBytes' to 'network.sent_bytes' and 'network.received_bytes' respectively.
2022-09-05 Enhancement - Added the following mappings for CEF format logs:
- Mapped the field 'action' to 'security_result.action' and 'security_result.action_details'.
- Mapped the field 'cn1' to 'security_result.severity'.
- Mapped the field 'cs2' to 'security_result.category_details'.
- Mapped the field 'cat' to 'security_result.category_details'.
- Mapped the field 'malwarecat' to 'security_result.category_details'.
- Mapped the field 'cs5' to 'security_result.threat_name'.
- Mapped the field 'dhost' to 'target.hostname'.
- Mapped the field 'in' to 'network.received_bytes'.
- Mapped the field 'out' to 'network.sent_bytes'.
- Mapped the field 'outcome' to 'network.http.response_code'.
- Mapped the field 'proto' to 'network.application_protocol'.
- Mapped the field 'requestClientApplication' to 'network.http.user_agent'.
- Mapped the field 'requestMethod' to 'network.http.method'.
- Mapped the field 'requestContext' to 'network.http.referral_url'.
- Mapped the field 'src' to 'principal.ip'.
- Mapped the field 'suser' to 'principal.user.userid'.
- Mapped the field 'ZscalerNSSWeblogURLClass' to 'additional.fields[n]'.
- Mapped the field 'cs1' to 'additional.fields[n]'.
- Mapped the field 'request' to 'target.url'.
- Mapped the field 'dst' to 'target.ip'.
- Mapped the field 'dport' and 'dpt' to 'target.port'.
- Mapped the field 'spt' to 'principal.port'.
- Mapped the field 'rt' to 'metadata.event_timestamp'.
- Mapped the field 'externalId' to 'metadata.product_log_id'.
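As an added example (not the parser's own code), the CEF mappings listed above applied in Python: a small CEF header/extension parser that honours the CEF escape rules, then maps the extension keys onto a nested UDM-style dict. The sample line, the integer conversion of ports, byte counts and the response code, and the {"key", "value"} shape used for "additional.fields" are assumptions.

```python
import re
# UDM field path -> CEF keys, from the 2022-09-05 entry (hand-built table, not the parser's own config)
UDM_SOURCES = {
    "security_result.action": ("action",), "security_result.action_details": ("action",),
    "security_result.severity": ("cn1",), "security_result.threat_name": ("cs5",),
    "security_result.category_details": ("cs2", "cat", "malwarecat"),
    "target.hostname": ("dhost",), "target.url": ("request",), "target.ip": ("dst",),
    "target.port": ("dport", "dpt"), "principal.ip": ("src",), "principal.port": ("spt",),
    "principal.user.userid": ("suser",), "network.application_protocol": ("proto",),
    "network.received_bytes": ("in",), "network.sent_bytes": ("out",),
    "network.http.response_code": ("outcome",), "network.http.method": ("requestMethod",),
    "network.http.user_agent": ("requestClientApplication",), "network.http.referral_url": ("requestContext",),
    "metadata.event_timestamp": ("rt",), "metadata.product_log_id": ("externalId",),
    "additional.fields": ("ZscalerNSSWeblogURLClass", "cs1"),
}
REPEATED = {"security_result.category_details", "additional.fields"}  # list-valued UDM fields
INTEGER = {p for p in UDM_SOURCES if p.endswith(("port", "_bytes", "response_code"))}  # numeric (assumed)
_EXT_RE = re.compile(r"([\w.]+)=((?:\\.|[^=\\])*?)(?=\s[\w.]+=|\s*$)")  # value may hold spaces/escapes

def _unescape(text):  # CEF escapes: \= \| \\ stand for the character itself, \n and \r for controls
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), text)

def parse_cef(line):
    """Return (7 header fields, extension dict) for one CEF line; header pipes are escaped as \\|."""
    *header, ext = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    return [_unescape(h) for h in header], {k: _unescape(v) for k, v in _EXT_RE.findall(ext)}

def _put(udm, path, value):
    *parents, leaf = path.split(".")
    for part in parents:
        udm = udm.setdefault(part, {})
    if path in REPEATED:
        udm.setdefault(leaf, []).append(value)
    else:
        udm[leaf] = int(value) if path in INTEGER and value.isdigit() else value

def cef_to_udm(line):
    """Map one CEF line onto a nested UDM-style dict; keys absent from the table are dropped."""
    ext, udm = parse_cef(line)[1], {}
    for path, keys in UDM_SOURCES.items():
        for key in (k for k in keys if k in ext):
            _put(udm, path, {"key": key, "value": ext[key]} if path == "additional.fields" else ext[key])
    return udm

# Constructed sample (not real Zscaler output); the request URL carries escaped '=' signs.
SAMPLE = ("CEF:0|Zscaler|NSSWeblog|1.0|200|Allowed|3|action=Allowed src=10.1.2.3 dst=203.0.113.7 dport=443 "
          "suser=alice@example.com requestMethod=GET outcome=200 request=https://example.com/s?q\\=a\\=b "
          "cs2=Business cat=Web Search malwarecat=None ZscalerNSSWeblogURLClass=Business Use cs1=Corporate")
```

Running `cef_to_udm(SAMPLE)` shows the three category keys collected into one repeated field and the escaped URL restored; an unmapped key such as "cs3" is silently dropped, which is worth checking against the real parser's behaviour before relying on it.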
2022-06-20 Enhancement - Mapped 'metadata.product_name' to 'Zscaler Web Proxy' for logs that do not contain the field 'product'.
Added a conditional check for the field 'url' mapped to the UDM field 'target.port'.
2022-05-31 Enhancement - Added a grok pattern for failing SIEM logs in CSV format that were dropped with an error.