Zscaler Internet Access

Collect logs from Zscaler Internet Access (ZIA) with Elastic Agent.

Version
3.3.0 (View all)
Compatible Kibana version(s)
8.13.0 or higher
Supported Serverless project types

Security
Observability
Subscription level
Basic
Level of support
Elastic

This integration is for Zscaler Internet Access logs ZIA. It can be used to receive logs sent by NSS log server on respective TCP ports, and Sandbox Report using API.

The log message is expected to be in JSON format. The data is mapped to ECS fields where applicable and the remaining fields are written under zscaler_zia.<data-stream-name>.*.

Requirements

Elastic Agent must be installed. For more information, refer to the link here.

Installing and managing an Elastic Agent:

You have a few options for installing and managing an Elastic Agent:

With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.

Install Elastic Agent in standalone mode (advanced users):

With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.

Install Elastic Agent in a containerized environment:

You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.

There are some minimum requirements for running Elastic Agent and for more information, refer to the link here.

This module has been tested against the Zscaler Internet Access version 6.1 and API version v1.

To collect data from Zscaler ZIA Sandbox Report API, follow the below steps:

  1. Go to the Zscaler ZIA Portal and Login by entering an email address and password.
  2. Configure OAuth 2.0 for Okta or Microsoft Entra ID for generating OAuth2.0 Credentials.
  3. Add OAuth2.0 Authorization Server.

Steps for setting up NSS Feeds

  1. Enable the integration with the TCP input.
  2. Configure the Zscaler NSS Server and NSS Feeds to send logs to the Elastic Agent that is running this integration. See Add NSS Server and Add NSS Feeds. Use the IP address hostname of the Elastic Agent as the 'NSS Feed SIEM IP Address/FQDN', and use the listening port of the Elastic Agent as the 'SIEM TCP Port' on the Add NSS Feed configuration screen. To configure Zscaler NSS Server and NSS Feeds follow the following steps.
    • In the ZIA Admin Portal, add an NSS Server.
      • Log in to the ZIA Admin Portal using your admin account. If you're unable to log in, contact Support.
      • Add an NSS server. Refer to Adding NSS Servers to set up an Add NSS Server for Web and/or Firewall.
      • Verify that the state of the NSS Server is healthy.
        • In the ZIA Admin Portal, go to Administration > Nanolog Streaming Service > NSS Servers.
        • In the State column, confirm that the state of the NSS server is healthy.
    • In the ZIA Admin Portal, add an NSS Feed.
      • Refer to Add NSS Feeds and select the type of feed you want to configure. The following fields require specific inputs:
        • SIEM IP Address: Enter the IP address of the Elastic agent you’ll be assigning the Zscaler integration to.
        • SIEM TCP Port: Enter the port number, depending on the logs associated with the NSS Feed. You will need to create an NSS Feed for each log type.
          • Alerts: 9010
          • Audit: 9029
          • DNS: 9011
          • Endpoint DLP: 9023
          • Firewall: 9012
          • Tunnel: 9013
          • Web: 9014
        • Feed Output Type: Select Custom in Feed output type and paste the appropriate response format in Feed output format as follows:

Steps for setting up Cloud NSS Feeds

  1. Enable the integration with the HTTP Endpoint input.
  2. Configure the Zscaler Cloud NSS Feeds to send logs to the Elastic Agent that is running this integration. Provide API URL to send logs to the Elastic Agent. To configure Zscaler Cloud NSS Feeds follow the following steps.
    • In the ZIA Admin Portal, add a Cloud NSS Feed.
      • Log in to the ZIA Admin Portal using your admin account.
      • Add a Cloud NSS Feed. See to Add Cloud NSS Feed.
        • In the ZIA Admin Portal, go to Administration > Nanolog Streaming Service > Cloud NSS Feeds.
        • Give Feed Name, change status to Enabled.
        • Select NSS Type.
        • Change SIEM Type to other.
        • Add an API URL.
        • Default ports:
          • Audit: 9562
          • DNS: 9556
          • Endpoint DLP: 9561
          • Firewall: 9557
          • Tunnel: 9558
          • Web: 9559
        • Select JSON as feed output type.
        • Add same custom header along with its value on both the side for additional security.
  3. Repeat step 2 for each log type.

Please make sure to use the given response formats for NSS and Cloud NSS Feeds.

Note: Please make sure to use latest version of given response formats.

Documentation and configuration

Alerts

  • Default port (NSS Feed): 9010

See: Zscaler Vendor documentation

Zscaler Alerts response format (v1):

<%d{syslogid}>%s{Monthname} %2d{Dayofmonth} %02d{Hour}:%02d{Minutes}:%02d{Seconds} [%s{Deviceip}] ZscalerNSS: %s{Eventinfo}\n

Sample Response:

<114>Dec 10 14:04:28 [175.16.199.1] ZscalerNSS: Zscaler cloud configuration connection to  175.16.199.1:443 lost and unavailable for the past 2325.00 minutes

Audit Log

  • Default port (NSS Feed): 9029
  • Default port (Cloud NSS Feed): 9562

See: Zscaler Vendor documentation

Zscaler Audit Log response format (v1):

\{"sourcetype":"zscalernss-audit","event":\{"time":"%s{time}","recordid":"%d{recordid}","action":"%s{action}","category":"%s{category}","subcategory":"%s{subcategory}","resource":"%s{resource}","interface":"%s{interface}","adminid":"%s{adminid}","clientip":"%s{clientip}","result":"%s{result}","errorcode":"%s{errorcode}","auditlogtype":"%s{auditlogtype}","preaction":%s{preaction},"postaction":%s{postaction}\}\}

Sample Response:

{"sourcetype":"zscalernss-audit","event":{"time":"Mon Oct 16 22:55:48 2023","recordid":"1234","action":"Activate","category":"DATA_LOSS_PREVENTION_RESOURCE","subcategory":"DLP_DICTIONARY","resource":"SSL Rule Name","interface":"API","adminid":"example@zscaler.com","clientip":"89.160.20.112","result":"SUCCESS","errorcode":"AUTHENTICATION_FAILED","auditlogtype":"ZIA Portal Audit Log","timezone":"UTC","preaction":{},"postaction":{}}}

DNS Log

  • Default port (NSS Feed): 9011
  • Default port (Cloud NSS Feed): 9556

See: Zscaler Vendor documentation

Zscaler DNS Log response format (v2):

\{"sourcetype":"zscalernss-dns","event":\{"user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","clt_sip":"%s{cip}","cloudname":"%s{cloudname}","company":"%s{company}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","day_of_month":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","devicehostname":"%s{devicehostname}","devicemodel":"%s{devicemodel}","devicename":"%s{devicename}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","deviceowner":"%s{deviceowner}","devicetype":"%s{devicetype}","dnsapp":"%s{dnsapp}","dnsappcat":"%s{dnsappcat}","dns_gateway_status":"%s{dnsgw_flags}","dns_gateway_rule":"%s{dnsgw_slot}","dns_gateway_server_protocol":"%s{dnsgw_srv_proto}","category":"%s{domcat}","durationms":"%d{durationms}","ecs_prefix":"%s{ecs_prefix}","ecs_slot":"%s{ecs_slot}","epochtime":"%d{epochtime}","error":"%s{error}","hour":"%02d{hh}","http_code":"%s{http_code}","istcp":"%d{istcp}","loc":"%s{location}","login":"%s{login}","minutes":"%02d{mm}","month":"%s{mon}","month_of_year":"%02d{mth}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odomcat":"%s{odomcat}","protocol":"%s{protocol}","recordid":"%d{recordid}","dns_req":"%s{req}","reqaction":"%s{reqaction}","reqrulelabel":"%s{reqrulelabel}","dns_reqtype":"%s{reqtype}","dns_resp":"%s{res}","resaction":"%s{resaction}","respipcategory":"%s{respipcat}","resrulelabel":"%s{resrulelabel}","restype":"%s{restype}","srv_dip":"%s{sip}","srv_dport":"%d{sport}","second":"%02d{ss}","datetime":"%s{time}","tz":"%s{tz}","year":"%04d{yyyy}"\}\}

Sample Response:

{"sourcetype":"zscalernss-dns","event":{"cloudname":"zscaler.net","datetime":"Mon Oct 16 22:55:48 2023","devicemodel":"VMware7,1","restype":"IPv4","dns_req":"mail.safemarch.com","dns_reqtype":"A record","error":"EMPTY_RESP","durationms":"1000","recordid":"45648954","tz":"GMT","devicename":"admin","devicehostname":"THINKPADSMITH","deviceostype":"Windows OS","deviceosversion":"Microsoft Windows 10 Enterprise;64 bit","devicetype":"Zscaler Client Connector","http_code":"100","dnsapp":"Google DNS","dns_gateway_server_protocol":"TCP","protocol":"TCP","company":"Zscaler","reqrulelabel":"RULE_1","resrulelabel":"RULE_RES","clt_sip":"81.2.69.192","srv_dip":"175.16.199.0","srv_dport":"1025","user":"jdoe1@safemarch.com","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","department":"EDept","dept":"Sales","deviceappversion":"4.3.0.18","deviceowner":"jsmith","dnsappcat":"Network Service","dns_gateway_rule":"DNS GATEWAY Rule 1","dns_gateway_status":"PRIMARY_SERVER_RESPONSE_PASS","category":"Professional Services","ecs_prefix":"192.168.0.0","ecs_slot":"ECS Slot #17","eedone":"Yes","epochtime":"1578128400","hour":"22","istcp":"1","loc":"Headquarters","location":"ELocation","login":"jdoe@safemarch.com","minutes":"55","month":"Oct","month_of_year":"10","oclientsourceip":"9960223283","odevicename":"2175092224","odeviceowner":"10831489","odomcat":"4951704103","odevicehostname":"2168890624","reqaction":"REQ_ALLOW","dns_resp":"www.example.com","respipcategory":"Adult Themes","resaction":"RES_Action","respipcat":"Adult Themes","second":"48","year":"2023"}}

Endpoint DLP Log

  • Default port (NSS Feed): 9023
  • Default port (Cloud NSS Feed): 9561

See: Zscaler Vendor documentation

Zscaler Endpoint DLP Log response format (v1):

\{"sourcetype":"zscalernss-edlp","event":\{"actiontaken":"%s{actiontaken}","activitytype":"%s{activitytype}","additionalinfo":"%s{addinfo}","channel":"%s{channel}","confirmaction":"%s{confirmaction}","confirmjustification":"%s{confirmjust}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","day":"%s{day}","dd":"%02d{dd}","department":"%s{department}","deviceappversion":"%s{deviceappversion}","devicehostname":"%s{devicehostname}","devicemodel":"%s{devicemodel}","devicename":"%s{devicename}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","deviceowner":"%s{deviceowner}","deviceplatform":"%s{deviceplatform}","devicetype":"%s{devicetype}","dlpdictcount":"%s{dlpcounts}","dlpdictnames":"%s{dlpdictnames}","dlpenginenames":"%s{dlpengnames}","dlpidentifier":"%llu{dlpidentifier}","dsttype":"%s{dsttype}","eventtime":"%s{eventtime}","expectedaction":"%s{expectedaction}","filedoctype":"%s{filedoctype}","filedstpath":"%s{filedstpath}","filemd5":"%s{filemd5}","filesha":"%s{filesha}","filesrcpath":"%s{filesrcpath}","filetypecategory":"%s{filetypecategory}","filetypename":"%s{filetypename}","hh":"%02d{hh}","itemdstname":"%s{itemdstname}","itemname":"%s{itemname}","itemsrcname":"%s{itemsrcname}","itemtype":"%s{itemtype}","logtype":"%s{logtype}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","numdlpdictids":"%u{numdlpdictids}","numdlpengineids":"%u{numdlpengids}","odepartment":"%s{odepartment}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odlpdictnames":"%s{odlpdictnames}","odlpenginenames":"%s{odlpengnames}","ofiledstpath":"%s{ofiledstpath}","ofilesrcpath":"%s{ofilesrcpath}","oitemdstname":"%s{oitemdstname}","oitemname":"%s{oitemname}","oitemsrcname":"%s{oitemsrcname}","ootherrulelabels":"%s{ootherrulelabels}","otherrulelabels":"%s{otherrulelabels}","orulename":"%s{otriggeredrulelabel}","ouser":"%s{ouser}","recordid":"%llu{recordid}","feedtime":"%s{rtime}","scannedbytes":"%llu{scanned_bytes}","scantime":"%llu{scantime}","severity":"%s{severity}","srctype":"%s{srctype}","ss":"%02d{ss}","datetime":"%s{time}","rulename":"%s{triggeredrulelabel}","timezone":"%s{tz}","user":"%s{user}","yyyy":"%04d{yyyy}","zdpmode":"%s{zdpmode}"\}\}

Sample Response:

{ "sourcetype": "zscalernss-edlp", "event": { "actiontaken": "allow", "activitytype": "email_sent", "additionalinfo": "File already open by another application", "channel": "Network Drive Transfer", "confirmaction": "confirm", "confirmjustification": "My manager approved it", "datacenter": "Georgia", "datacentercity": "Atlanta", "datacentercountry": "US", "day": "Mon", "dd": "16", "department": "TempDept", "deviceappversion": "Ver-2199", "devicehostname": "Host", "devicemodel": "Model-2022", "devicename": "Dev 1", "deviceostype": "Windows", "deviceosversion": "Win-11", "deviceowner": "Administrator", "deviceplatform": "Windows", "devicetype": "WinUser", "dlpdictcount": "12|13", "dlpdictnames": "dlp: dlp discription|dlp1: dlp discription1|dlp2: dlp discription2", "dlpenginenames": "dlpengine", "dlpidentifier": "12", "dsttype": "personal_cloud_storage", "eventtime": "Mon Oct 16 22:55:48 2023", "expectedaction": "block", "filedoctype": "Medical", "filedstpath": "dest_path", "filemd5": "938c2cc0dcc05f2b68c4287040cfcf71", "filesha": "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612", "filesrcpath": "source_path", "filetypecategory": "PLS File (pls)", "filetypename": "exe64", "hh": "22", "itemdstname": "nanolog", "itemname": "endpoint_dlp", "itemsrcname": "endpoint", "itemtype": "email_attachment", "logtype": "dlp_incident", "mm": "55", "mon": "Oct", "mth": "10", "numdlpdictids": "8", "numdlpengineids": "12", "recordid": "2", "feedtime": "Mon Oct 16 22:55:48 2023", "scannedbytes": "290812", "scantime": "1210", "severity": "High Severity", "srctype": "network_share", "ss": "48", "datetime": "Mon Oct 16 22:55:48 2023", "rulename": "configured_rule", "timezone": "GMT", "user": "TempUser", "yyyy": "2023", "zdpmode": "block mode", "odepartment": "4094304256", "odevicehostname": "4094304255", "odevicename": "4094304251", "odeviceowner": "4094304226", "odlpdictnames": "4094304456", "odlpenginenames": "4094364256", "ofiledstpath": "4094304296", "ofilesrcpath": "4094304206", "oitemdstname": "409430476", "oitemname": "40943042567", "oitemsrcname": "4094305256", "ootherrulelabels": "4036304256", "orulename": "40943049956", "ouser": "40943042569", "otherrulelabels": "9094304256" } }

Firewall Log

  • Default port (NSS Feed): 9012
  • Default port (Cloud NSS Feed): 9557

See: Zscaler Vendor documentation

Zscaler Firewall Log response format (v2):

\{"sourcetype":"zscalernss-fw","event":\{"datetime":"%s{time}","outbytes":"%ld{outbytes}","cltdomain":"%s{cdfqdn}","destcountry":"%s{destcountry}","cdip":"%s{cdip}","sdip":"%s{sdip}","cdport":"%d{cdport}","sdport":"%d{sdport}","devicemodel":"%s{devicemodel}","action":"%s{action}","duration":"%d{duration}","recordid":"%d{recordid}","tz":"%s{tz}","devicename":"%s{devicename}","devicehostname":"%s{devicehostname}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","nwapp":"%s{nwapp}","nwsvc":"%s{nwsvc}","proto":"%s{ipproto}","ipsrulelabel":"%s{ipsrulelabel}","dnatrulelabel":"%s{dnatrulelabel}","rdr_rulename":"%s{rdr_rulename}","rule":"%s{rulelabel}","rulelabel":"%s{erulelabel}","inbytes":"%ld{inbytes}","srcipcountry":"%s{srcip_country}","csip":"%s{csip}","ssip":"%s{ssip}","csport":"%d{csport}","ssport":"%d{ssport}","user":"%s{elogin}","aggregate":"%s{aggregate}","bypassed_session":"%d{bypassed_session}","bypass_time":"%s{bypass_etime}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","datacenter":"%s{datacenter}","day_of_month":"%02d{dd}","department":"%s{edepartment}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","deviceowner":"%s{deviceowner}","avgduration":"%d{avgduration}","durationms":"%d{durationms}","epochtime":"%d{epochtime}","external_deviceid":"%s{external_deviceid}","flow_type":"%s{flow_type}","forward_gateway_name":"%s{fwd_gw_name}","hour":"%02d{hh}","ipcat":"%s{ipcat}","ips_custom_signature":"%d{ips_custom_signature}","location":"%s{location}","locationname":"%s{elocation}","login":"%s{login}","minute":"%02d{mm}","month":"%s{mon}","month_of_year":"%02d{mth}","dnat":"%s{dnat}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","ofwd_gw_name":"%s{ofwd_gw_name}","odevicehostname":"%s{odevicehostname}","oipcat":"%s{oipcat}","oipsrulelabel":"%s{oipsrulelabel}","ordr_rulename":"%s{ordr_rulename}","orulelabel":"%s{orulelabel}","ozpa_app_seg_name":"%s{ozpa_app_seg_name}","second":"%02d{ss}","numsessions":"%d{numsessions}","stateful":"%s{stateful}","threat_name":"%s{threatname}","threatcat":"%s{threatcat}","threatname":"%s{ethreatname}","tsip":"%s{tsip}","tuntype":"%s{ttype}","year":"%04d{yyyy}","ztunnelversion":"%s{ztunnelversion}","zpa_app_seg_name":"%s{zpa_app_seg_name}"\}\}

Sample Response:

{"sourcetype":"zscalernss-fw","event":{"datetime":"Mon Oct 16 22:55:48 2023","cltdomain":"www.example.com","cdip":"2a02:cf40::","outbytes":"10000","cdport":"22","destcountry":"USA","devicemodel":"20L8S7WC08","sdip":"67.43.156.0","duration":"600","sdport":"443","tz":"GMT","action":"Blocked","devicehostname":"THINKPADSMITH","recordid":"123456","deviceosversion":"Version 10.14.2 (Build 18C54)","devicename":"admin","nwsvc":"HTTP","deviceostype":"iOS","ipsrulelabel":"Default IPS Rule","nwapp":"Skype","rdr_rulename":"FWD_Rule_1","proto":"TCP","rulelabel":"rule1","dnatrulelabel":"DNAT_Rule_1","srcipcountry":"United States","rule":"Default_Firewall_Filtering_Rule","ssip":"1.128.0.0","inbytes":"10000","ssport":"22","csip":"0.0.0.0","aggregate":"Yes","csport":"25","bypass_time":"Mon Oct 16 22:55:48 2023","user":"jdoe%40safemarch.com","datacentercountry":"US","bypassed_session":"1","day":"Mon","datacentercity":"Sa","department":"sales","datacenter":"CA Client Node DC","deviceappversion":"2.0.0.120","day_of_month":"16","avgduration":"600","dept":"Sales","eedone":"Yes","deviceowner":"jsmith","external_deviceid":"1234","durationms":"600","forward_gateway_name":"FWD_1","epochtime":"1578128400","ipcat":"Finance","flow_type":"Direct","location":"Headquarters","hour":"22","login":"jdo%40safemarch.com","ips_custom_signature":"0","month":"Oct","locationname":"Headquarters","dnat":"Yes","minute":"55","odevicename":"2175092224","month_of_year":"10","ofwd_gw_name":"8794487099","ocsip":"9960223283","oipcat":"5300295980","odeviceowner":"10831489","odnatlabel":"7956407282","odevicehostname":"2168890624","orulelabel":"624054738","oipsrulelabel":"6200694987","second":"48","ordr_rulename":"3399565100","stateful":"Yes","ozpa_app_seg_name":"7648246731","threatcat":"Botnet Callback","numsessions":"5","tsip":"89.160.20.128","threat_name":"Linux.Backdoor.Tsunami","year":"2023","threatname":"Linux.Backdoor","zpa_app_seg_name":"ZPA_test_app_segment","tuntype":"L2 tunnel","ztunnelversion":"ZTUNNEL_1_0"}}

Tunnel Log

  • Default port (NSS Feed): 9013
  • Default port (Cloud NSS Feed): 9558

See: Zscaler Vendor documentation

Zscaler Tunnel Log response formats (v2):

  • Tunnel Event:
    \{"sourcetype":"zscalernss-tunnel","event":\{"datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationip":"%s{destvip}","event":"%s{event}","eventreason":"%s{eventreason}","hh":"%02d{hh}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","recordid":"%d{recordid}","sourceip":"%s{sourceip}","sourceport":"%d{srcport}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunneltype":"%s{tunneltype}","timezone":"%s{tz}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\}
  • Sample Event:
    \{"sourcetype":"zscalernss-tunnel","event":\{"datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationip":"%s{destvip}","dpdrec":"%d{dpdrec}","hh":"%02d{hh}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","recordid":"%d{recordid}","rxbytes":"%lu{rxbytes}","rxpackets":"%d{rxpackets}","sourceip":"%s{sourceip}","sourceport":"%d{srcport}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunneltype":"%s{tunneltype}","txbytes":"%lu{txbytes}","txpackets":"%d{txpackets}","timezone":"%s{tz}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\}
  • IKE Phase 1
    \{"sourcetype":"zscalernss-tunnel","event":\{"algo":"%s{algo}","authentication":"%s{authentication}","authtype":"%s{authtype}","datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationip":"%s{destvip}","destinationport":"%d{dstport}","hh":"%02d{hh}","ikeversion":"%d{ikeversion}","lifetime":"%d{lifetime}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","recordid":"%d{recordid}","sourceip":"%s{sourceip}","spi_in":"%lu{spi_in}","spi_out":"%lu{spi_out}","sourceport":"%d{srcport}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunneltype":"IPSEC IKEV %d{ikeversion}","timezone":"%s{tz}","vendorname":"%s{vendorname}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\}
  • IKE Phase 2
    \{"sourcetype":"zscalernss-tunnel","event":\{"algo":"%s{algo}","authentication":"%s{authentication}","authtype":"%s{authtype}","datetime":"%s{datetime}","day":"%s{day}","dd":"%02d{dd}","destinationipend":"%s{destipend}","destinationipstart":"%s{destipstart}","destinationportstart":"%d{destportstart}","destinationip":"%s{destvip}","hh":"%02d{hh}","ikeversion":"%d{ikeversion}","lifebytes":"%d{lifebytes}","lifetime":"%d{lifetime}","locationname":"%s{locationname}","mm":"%02d{mm}","mon":"%s{mon}","mth":"%02d{mth}","olocationname":"%s{olocationname}","ovpncredentialname":"%s{ovpncredentialname}","protocol":"%s{protocol}","recordid":"%d{recordid}","sourceip":"%s{sourceip}","spi":"%d{spi}","srcipend":"%s{srcipend}","srcipstart":"%s{srcipstart}","sourceportstart":"%d{srcportstart}","ss":"%02d{ss}","Recordtype":"%s{tunnelactionname}","tunnelprotocol":"%s{tunnelprotocol}","tunneltype":"IPSEC IKEV %d{ikeversion}","timezone":"%s{tz}","user":"%s{vpncredentialname}","yyyy":"%04d{yyyy}"\}\}

Sample Response:

{"sourcetype":"zscalernss-tunnel","event":{"datetime":"Mon Oct 16 22:55:48 2023","destinationip":"67.43.156.1","destinationport":"500","recordid":"111234","timezone":"GMT","sourceip":"67.43.156.0","sourceport":"500","user":"jdoe@safemarch.com","authentication":"HMAC_MD5","authtype":"PSKEY","day":"Mon","dd":"16","algo":"DES_CBC","hh":"22","ikeversion":"IKE_VERSION_2","lifetime":"86400","locationname":"Headquarters","mm":"55","mon":"Oct","mth":"10","olocationname":"2168890624","ovpncredentialname":"4094304256","ss":"48","spi_in":"None","spi_out":"None","Recordtype":"None","vendorname":"CISCO","yyyy":"2023"}}

Web Log

  • Default port (NSS Feed): 9014
  • Default port (Cloud NSS Feed): 9559
  • Add characters " and \ in feed escape character while configuring Web Log.

See: Zscaler Vendor documentation

Zscaler Web Log response format (v9):

\{"version":"v9","sourcetype":"zscalernss-web","event":\{"time":"%s{time}","cloudname":"%s{cloudname}","host":"%s{ehost}","serverip":"%s{sip}","external_devid":"%s{external_devid}","devicemodel":"%s{devicemodel}","action":"%s{action}","recordid":"%d{recordid}","reason":"%s{reason}","threatseverity":"%s{threatseverity}","tz":"%s{tz}","filesubtype":"%s{filesubtype}","upload_filesubtype":"%s{upload_filesubtype}","sha256":"%s{sha256}","bamd5":"%s{bamd5}","filename":"%s{efilename}","upload_filename":"%s{eupload_filename}","filetype":"%s{filetype}","devicename":"%s{edevicename}","devicehostname":"%s{devicehostname}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","devicetype":"%s{devicetype}","reqsize":"%d{reqsize}","reqmethod":"%s{reqmethod}","b64referer":"%s{b64referer}","respsize":"%d{respsize}","respcode":"%s{respcode}","reqversion":"%s{reqversion}","respversion":"%s{respversion}","proto":"%s{proto}","company":"%s{company}","dlpmd5":"%s{dlpmd5}","apprulelabel":"%s{eapprulelabel}","dlprulename":"%s{dlprulename}","rulelabel":"%s{erulelabel}","urlfilterrulelabel":"%s{eurlfilterrulelabel}","cltip":"%s{cip}","cltintip":"%s{cintip}","cltsourceport":"%d{clt_sport}","threatname":"%s{threatname}","cltsslcipher":"%s{clientsslcipher}","clttlsversion":"%s{clienttlsversion}","b64url":"%s{b64url}","useragent":"%s{eua}","login":"%s{elogin}","applayerprotocol":"%s{alpnprotocol}","appclass":"%s{appclass}","appname":"%s{appname}","appriskscore":"%s{app_risk_score}","bandwidthclassname":"%s{bwclassname}","bandwidthrulename":"%s{bwrulename}","bwthrottle":"%s{bwthrottle}","bypassedtime":"%s{bypassed_etime}","bypassedtraffic":"%d{bypassed_traffic}","cltsslsessreuse":"%s{clientsslsessreuse}","cltpubip":"%s{cpubip}","cltsslfailcount":"%d{cltsslfailcount}","cltsslfailreason":"%s{cltsslfailreason}","contenttype":"%s{contenttype}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","datacenter":"%s{datacenter}","day":"%s{day}","day_of_month":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","deviceowner":"%s{deviceowner}","df_hosthead":"%s{df_hosthead}","df_hostname":"%s{df_hostname}","dlpdicthitcount":"%s{dlpdicthitcount}","dlpdict":"%s{dlpdict}","dlpeng":"%s{dlpeng}","dlpidentifier":"%d{dlpidentifier}","eedone":"%s{eedone}","epochtime":"%d{epochtime}","fileclass":"%s{fileclass}","flow_type":"%s{flow_type}","forward_gateway_ip":"%s{fwd_gw_ip}","forward_gateway_name":"%s{fwd_gw_name}","forward_type":"%s{fwd_type}","hour":"%02d{hh}","is_sslexpiredca":"%s{is_sslexpiredca}","is_sslselfsigned":"%s{is_sslselfsigned}","is_ssluntrustedca":"%s{is_ssluntrustedca}","keyprotectiontype":"%s{keyprotectiontype}","location":"%s{elocation}","malwarecategory":"%s{malwarecat}","malwareclass":"%s{malwareclass}","minute":"%02d{mm}","mobappcategory":"%s{mobappcat}","mobappname":"%s{emobappname}","mobdevtype":"%s{mobdevtype}","module":"%s{module}","month":"%s{mon}","month_of_year":"%02d{mth}","nssserviceip":"%s{nsssvcip}","oapprulelabel":"%s{oapprulelabel}","obwclassname":"%s{obwclassname}","ocip":"%d{ocip}","ocpubip":"%d{ocpubip}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odlpdict":"%s{odlpdict}","odlpeng":"%s{odlpeng}","odlprulename":"%s{odlprulename}","ofwd_gw_name":"%s{ofwd_gw_name}","ologin":"%s{ologin}","ordr_rulename":"%s{ordr_rulename}","ourlcat":"%s{ourlcat}","ourlfilterrulelabel":"%s{ourlfilterrulelabel}","ozpa_app_seg_name":"%s{ozpa_app_seg_name}","externalsslpolicyreason":"%s{externalspr}","productversion":"%s{productversion}","rdr_rulename":"%s{rdr_rulename}","refererhost":"%s{erefererhost}","reqheadersize":"%d{reqhdrsize}","reqdatasize":"%d{reqdatasize}","respheadersize":"%d{resphdrsize}","respdatasize":"%d{respdatasize}","riskscore":"%d{riskscore}","ruletype":"%s{ruletype}","second":"%02d{ss}","srvcertchainvalpass":"%s{srvcertchainvalpass}","srvcertvalidationtype":"%s{srvcertvalidationtype}","srvcertvalidityperiod":"%s{srvcertvalidityperiod}","srvsslcipher":"%s{srvsslcipher}","serversslsessreuse":"%s{serversslsessreuse}","srvocspresult":"%s{srvocspresult}","srvtlsversion":"%s{srvtlsversion}","srvwildcardcert":"%s{srvwildcardcert}","ssldecrypted":"%s{ssldecrypted}","throttlereqsize":"%d{throttlereqsize}","throttlerespsize":"%d{throttlerespsize}","totalsize":"%d{totalsize}","trafficredirectmethod":"%s{trafficredirectmethod}","unscannabletype":"%s{unscannabletype}","upload_doctypename":"%s{upload_doctypename}","upload_fileclass":"%s{upload_fileclass}","upload_filetype":"%s{upload_filetype}","urlcatmethod":"%s{urlcatmethod}","urlsubcat":"%s{urlcat}","urlsupercat":"%s{urlsupercat}","urlclass":"%s{urlclass}","useragentclass":"%s{uaclass}","useragenttoken":"%s{ua_token}","userlocationname":"%s{euserlocationname}","year":"%04d{yyyy}","ztunnelversion":"%s{ztunnelversion}","zpa_app_seg_name":"%s{zpa_app_seg_name}"\}\}

Sample Response:

{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQ6IjQwLWVuLWRpYSIgbGFuZzoiZW4iJmZvcm09UzAwJnE9aG93IHRvIHVzZSByZW1vdGUgZGVza3RvcCB0byBjb25uZWN0IHRvIGEgd2luZG93cyAxMCBwYw==","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL3BhcmFtcz9JZD0xJnRzPTIwMDYtMDEtMDJUMTU6MDQ6MDVaMDc6MDAmdXNlcj02NTc5MiZ2ZXJzaW9uPTEwLjAuMTkwNDEuMTI2Ng==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}}

Enabling the integration in Elastic:

  1. In Kibana go to Management > Integrations.
  2. In "Search for integrations" search bar, type Zscaler ZIA.
  3. Click on the "Zscaler ZIA" integration from the search results.
  4. Click on the "Add Zscaler ZIA" button to add the integration.
  5. Configure all required integration parameters, including URL, Client ID, Client Secret, Scope, Token URL, Details and MD5, to enable data collection for Zscaler ZIA API. For TCP and HTTP Endpoint data collection, provide parameters such as listen address and listen port.
  6. Save the integration.

Caveats:

  • To ensure that URLs are processed correctly, logs which have a network.protocol value that is not http or https will be implicitly converted to https for the purposes of URL parsing. The original value of network.protocol will be preserved.

Logs reference

alerts

This is the alerts dataset.

Example

An example event for alerts looks as following:

{
    "@timestamp": "2024-12-10T13:40:32.000Z",
    "agent": {
        "ephemeral_id": "9c123331-181f-42a0-af82-70e49ce7aaa1",
        "id": "7a8d18bc-b73c-424e-a30b-120ddeb66eeb",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "zscaler_zia.alerts",
        "namespace": "ep",
        "type": "logs"
    },
    "destination": {
        "address": "81.2.69.193",
        "ip": "81.2.69.193",
        "port": 9012
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "7a8d18bc-b73c-424e-a30b-120ddeb66eeb",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "dataset": "zscaler_zia.alerts",
        "ingested": "2024-07-04T11:58:59Z"
    },
    "input": {
        "type": "tcp"
    },
    "log": {
        "source": {
            "address": "192.168.243.6:40328"
        },
        "syslog": {
            "priority": 114
        }
    },
    "message": "ZscalerNSS: SIEM Feed connection \"DNS Logs Feed\" to 81.2.69.193:9012 lost and unavailable for the past 2440.00 minutes",
    "related": {
        "ip": [
            "81.2.69.193"
        ]
    },
    "tags": [
        "forwarded",
        "zscaler_zia-alerts"
    ],
    "zscaler_zia": {
        "alerts": {
            "connection_lost_minutes": 2440,
            "log_feed_name": "DNS Logs Feed"
        }
    }
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset.
constant_keyword
event.module
Event module.
constant_keyword
input.type
Type of Filebeat input.
keyword
log.offset
Log offset.
long
log.source.address
Source address from which the log event was read / sent from.
keyword
zscaler_zia.alerts.connection_lost_minutes
Amount of time after loosing connection to a server in Minutes.
double
zscaler_zia.alerts.destination.address
keyword
zscaler_zia.alerts.destination.ip
ip
zscaler_zia.alerts.destination.port
long
zscaler_zia.alerts.log_feed_name
Name of the NSS log feed.
keyword
zscaler_zia.alerts.log_syslog_priority
long
zscaler_zia.alerts.message
keyword
zscaler_zia.alerts.timestamp
date

audit

This is the audit dataset.

Example

An example event for audit looks as following:

{
    "@timestamp": "2023-10-16T22:55:48.000Z",
    "agent": {
        "ephemeral_id": "8fbed883-d7e9-41ab-99d8-6fef7131d443",
        "id": "7a8d18bc-b73c-424e-a30b-120ddeb66eeb",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "zscaler_zia.audit",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "7a8d18bc-b73c-424e-a30b-120ddeb66eeb",
        "snapshot": false,
        "version": "8.13.0"
    },
    "error": {
        "code": "AUTHENTICATION_FAILED"
    },
    "event": {
        "action": "activate",
        "agent_id_status": "verified",
        "category": [
            "configuration"
        ],
        "dataset": "zscaler_zia.audit",
        "id": "1234",
        "ingested": "2024-07-04T12:01:12Z",
        "kind": "event",
        "outcome": "success",
        "timezone": "UTC",
        "type": [
            "change"
        ]
    },
    "input": {
        "type": "http_endpoint"
    },
    "related": {
        "ip": [
            "89.160.20.112"
        ],
        "user": [
            "example",
            "example@zscaler.com"
        ]
    },
    "rule": {
        "category": "DLP_DICTIONARY",
        "name": "SSL Rule Name",
        "ruleset": "DATA_LOSS_PREVENTION_RESOURCE"
    },
    "source": {
        "geo": {
            "city_name": "Linköping",
            "continent_name": "Europe",
            "country_iso_code": "SE",
            "country_name": "Sweden",
            "location": {
                "lat": 58.4167,
                "lon": 15.6167
            },
            "region_iso_code": "SE-E",
            "region_name": "Östergötland County"
        },
        "ip": "89.160.20.112"
    },
    "tags": [
        "forwarded",
        "zscaler_zia-audit"
    ],
    "user": {
        "domain": "zscaler.com",
        "email": "example@zscaler.com",
        "name": "example"
    },
    "zscaler_zia": {
        "audit": {
            "audit_log_type": "ZIA Portal Audit Log",
            "interface": "API",
            "result": "SUCCESS"
        }
    }
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset.
constant_keyword
event.module
Event module.
constant_keyword
input.type
Type of Filebeat input.
keyword
log.offset
Log offset.
long
log.source.address
Source address from which the log event was read / sent from.
keyword
zscaler_zia.audit.action
The action performed by the admin in the ZIA Admin Portal.
keyword
zscaler_zia.audit.admin_id
The admin's login ID.
keyword
zscaler_zia.audit.audit_log_type
The Admin Audit log type.
keyword
zscaler_zia.audit.category
The location in the ZIA Admin Portal where the action was performed.
keyword
zscaler_zia.audit.client_ip
The source IP address for the admin.
ip
zscaler_zia.audit.error_code
An optional field that exists only if the result is a failure.
keyword
zscaler_zia.audit.interface
The means by which the user performs their actions.
keyword
zscaler_zia.audit.post_action
Data after any policy or configuration changes.
flattened
zscaler_zia.audit.pre_action
Data before any policy or configuration changes.
flattened
zscaler_zia.audit.record.id
The unique record identifier for each log.
keyword
zscaler_zia.audit.resource
The specific location within a sub-category.
keyword
zscaler_zia.audit.result
The outcome of an action.
keyword
zscaler_zia.audit.sub_category
The sub-location in the ZIA Admin Portal where the action was performed.
keyword
zscaler_zia.audit.time
The time and date of the transaction.
date
zscaler_zia.audit.timezone
The time zone.
keyword

dns

This is the dns dataset.

Example

An example event for dns looks as following:

{
    "@timestamp": "2021-12-17T07:27:54.000Z",
    "agent": {
        "ephemeral_id": "6dac0cbb-768a-4dc4-a476-6bf881ed6755",
        "id": "7a8d18bc-b73c-424e-a30b-120ddeb66eeb",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "zscaler_zia.dns",
        "namespace": "ep",
        "type": "logs"
    },
    "destination": {
        "geo": {
            "city_name": "Linköping",
            "continent_name": "Europe",
            "country_iso_code": "SE",
            "country_name": "Sweden",
            "location": {
                "lat": 58.4167,
                "lon": 15.6167
            },
            "region_iso_code": "SE-E",
            "region_name": "Östergötland County"
        },
        "ip": "89.160.20.156"
    },
    "dns": {
        "answers": [
            {
                "data": "Some response string"
            }
        ],
        "question": {
            "name": "example.com",
            "type": "Some type"
        }
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "7a8d18bc-b73c-424e-a30b-120ddeb66eeb",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "network"
        ],
        "dataset": "zscaler_zia.dns",
        "duration": 123456000000,
        "ingested": "2024-07-04T12:03:18Z",
        "kind": "event",
        "timezone": "UTC",
        "type": [
            "info"
        ]
    },
    "host": {
        "name": "machine9000"
    },
    "input": {
        "type": "tcp"
    },
    "log": {
        "source": {
            "address": "192.168.243.6:52614"
        }
    },
    "network": {
        "protocol": "dns"
    },
    "related": {
        "hosts": [
            "machine9000"
        ],
        "ip": [
            "89.160.20.112",
            "89.160.20.156"
        ],
        "user": [
            "Owner77",
            "some_user",
            "some_user@example.com"
        ]
    },
    "rule": {
        "name": [
            "Access Blocked"
        ]
    },
    "source": {
        "geo": {
            "city_name": "Linköping",
            "continent_name": "Europe",
            "country_iso_code": "SE",
            "country_name": "Sweden",
            "location": {
                "lat": 58.4167,
                "lon": 15.6167
            },
            "region_iso_code": "SE-E",
            "region_name": "Östergötland County"
        },
        "ip": "89.160.20.112",
        "port": 8080
    },
    "tags": [
        "forwarded",
        "zscaler_zia-dns"
    ],
    "user": {
        "domain": "example.com",
        "email": "some_user@example.com",
        "name": "some_user"
    },
    "zscaler_zia": {
        "dns": {
            "department": "Unknown",
            "device": {
                "owner": "Owner77"
            },
            "dom": {
                "category": "Professional Services"
            },
            "location": "TestLoc DB",
            "request": {
                "action": "REQ_ALLOW"
            },
            "response": {
                "action": "Some Response Action"
            }
        }
    }
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset.
constant_keyword
event.module
Event module.
constant_keyword
input.type
Type of Filebeat input.
keyword
log.offset
Log offset.
long
log.source.address
Source address from which the log event was read / sent from.
keyword
zscaler_zia.dns.client.ip
The IP address of the user.
ip
zscaler_zia.dns.cloud.name
The Zscaler cloud name.
keyword
zscaler_zia.dns.company
The company name.
keyword
zscaler_zia.dns.datacenter.city
The city where the data center is located.
keyword
zscaler_zia.dns.datacenter.country
The country where the data center is located.
keyword
zscaler_zia.dns.datacenter.name
The name of the data center.
keyword
zscaler_zia.dns.day
The day of the week.
keyword
zscaler_zia.dns.day_of_month
The day of the month.
long
zscaler_zia.dns.department
keyword
zscaler_zia.dns.dept
The department.
keyword
zscaler_zia.dns.device.appversion
The app version that the device uses.
keyword
zscaler_zia.dns.device.hostname
The host name of the device.
keyword
zscaler_zia.dns.device.model
The model of the device.
keyword
zscaler_zia.dns.device.name
The name of the device.
keyword
zscaler_zia.dns.device.os.type
The OS type of the device.
keyword
zscaler_zia.dns.device.os.version
The OS version that the device uses.
keyword
zscaler_zia.dns.device.owner
The owner of the device.
keyword
zscaler_zia.dns.device.type
The type of device.
keyword
zscaler_zia.dns.dns.category
The DNS tunnel or network application category.
keyword
zscaler_zia.dns.dns.gateway.rule
The name of the DNS Gateway rule.
keyword
zscaler_zia.dns.dns.gateway.server_protocol
The DNS Gateway server protocol.
keyword
zscaler_zia.dns.dns.gateway.status
Flags indicating the DNS Gateway status for the transaction.
keyword
zscaler_zia.dns.dns.type
The type of DNS tunnel or network application.
keyword
zscaler_zia.dns.dom.category
The URL Category of the FQDN in the DNS request.
keyword
zscaler_zia.dns.duration.milliseconds
The duration of the DNS request in milliseconds.
long
zscaler_zia.dns.ecs.prefix
The EDNS Client Subnet (ECS) prefix used in the DNS request.
keyword
zscaler_zia.dns.ecs.slot
The name of the EDNS Client Subnet (ECS) rule that was applied to the DNS transaction.
keyword
zscaler_zia.dns.eedone
Indicates if the characters specified in the Feed Escape Character field of the NSS configuration page were hex encoded.
keyword
zscaler_zia.dns.epochtime
The epoch time of the transaction.
date
zscaler_zia.dns.error
The DNS error code.
keyword
zscaler_zia.dns.hour
Hours.
long
zscaler_zia.dns.http_code
The HTTP return code.
keyword
zscaler_zia.dns.istcp
Indicates if the DNS transaction uses TCP.
keyword
zscaler_zia.dns.loc
The gateway location or sub-location of the source.
keyword
zscaler_zia.dns.location
keyword
zscaler_zia.dns.login
The login name in email address format.
keyword
zscaler_zia.dns.minutes
Minutes.
long
zscaler_zia.dns.month
The name of the month.
keyword
zscaler_zia.dns.month_of_year
The month of the year.
long
zscaler_zia.dns.obfuscated.client_source_ip
The obfuscated version of the client source IP address.
keyword
zscaler_zia.dns.obfuscated.device.name
The obfuscated version of the name of the device.
keyword
zscaler_zia.dns.obfuscated.device.owner
The obfuscated version of the owner of the device.
keyword
zscaler_zia.dns.obfuscated.dom.category
The obfuscated version of the FQDN in the DNS request.
keyword
zscaler_zia.dns.obfuscated.host_name
The obfuscated version of the host name of the device.
keyword
zscaler_zia.dns.protocol
The protocol type.
keyword
zscaler_zia.dns.record.id
The unique record identifier for each log.
keyword
zscaler_zia.dns.request.action
The name of the action that was applied to the DNS request.
keyword
zscaler_zia.dns.request.name
The Fully Qualified Domain Name (FQDN) in the DNS request.
keyword
zscaler_zia.dns.request.rule.label
The name of the rule that was applied to the DNS request.
keyword
zscaler_zia.dns.request.type
The DNS request type.
keyword
zscaler_zia.dns.response.action
The name of the action that was applied to the DNS response.
keyword
zscaler_zia.dns.response.category
The URL Category of the FQDN in the DNS response.
keyword
zscaler_zia.dns.response.ip
The resolved IP in the DNS response.
ip
zscaler_zia.dns.response.name
The NAME in the DNS response.
keyword
zscaler_zia.dns.response.rule.label
The name of the rule that was applied to the DNS response.
keyword
zscaler_zia.dns.response.type
The DNS response type.
keyword
zscaler_zia.dns.second
Seconds.
long
zscaler_zia.dns.server.ip
The server IP address of the request.
ip
zscaler_zia.dns.server.port
The server port of the request.
long
zscaler_zia.dns.time
The time and date of the transaction.
date
zscaler_zia.dns.timezone
The time zone. This is the same as the time zone you specified when you configured the NSS feed.
keyword
zscaler_zia.dns.user
keyword
zscaler_zia.dns.year
Year.
long

endpoint_dlp

This is the endpoint_dlp dataset.

Example

An example event for endpoint_dlp looks as following:

{
    "@timestamp": "2023-10-16T22:55:48.000Z",
    "agent": {
        "ephemeral_id": "8455a4fe-aa90-48fd-9136-5bbf8e89473d",
        "id": "7a8d18bc-b73c-424e-a30b-120ddeb66eeb",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "zscaler_zia.endpoint_dlp",
        "namespace": "ep",
        "type": "logs"
    },
    "device": {
        "model": {
            "identifier": "Model-2022"
        }
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "7a8d18bc-b73c-424e-a30b-120ddeb66eeb",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "allow",
        "agent_id_status": "verified",
        "category": [
            "intrusion_detection"
        ],
        "dataset": "zscaler_zia.endpoint_dlp",
        "id": "2",
        "ingested": "2024-07-04T12:05:26Z",
        "kind": "alert",
        "timezone": "GMT",
        "type": [
            "allowed"
        ]
    },
    "file": {
        "hash": {
            "md5": "938c2cc0dcc05f2b68c4287040cfcf71",
            "sha256": "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612"
        },
        "path": "dest_path",
        "type": "file"
    },
    "host": {
        "hostname": "Dev 1",
        "name": "host",
        "os": {
            "platform": "Windows",
            "version": "Win-11"
        },
        "type": "WinUser"
    },
    "input": {
        "type": "http_endpoint"
    },
    "related": {
        "hash": [
            "938c2cc0dcc05f2b68c4287040cfcf71",
            "076085239f3a10b8f387c4e5d4261abf8d109aa641be35a8d4ed2d775eb09612"
        ],
        "hosts": [
            "host",
            "Dev 1"
        ],
        "user": [
            "Administrator",
            "TempUser"
        ]
    },
    "rule": {
        "name": [
            "configured_rule"
        ]
    },
    "tags": [
        "forwarded",
        "zscaler_zia-endpoint_dlp"
    ],
    "user": {
        "name": "TempUser"
    },
    "zscaler_zia": {
        "endpoint_dlp": {
            "activity_type": "email_sent",
            "additional_info": "File already open by another application",
            "channel": "Network Drive Transfer",
            "confirm_action": "confirm",
            "confirm_just": "My manager approved it",
            "datacenter": {
                "city": "Atlanta",
                "country": "US",
                "name": "Georgia"
            },
            "day": "Mon",
            "day_of_month": 16,
            "department": "TempDept",
            "destination_type": "personal_cloud_storage",
            "device": {
                "appversion": "Ver-2199",
                "os": {
                    "type": "Windows"
                },
                "owner": "Administrator"
            },
            "dictionary": {
                "id": 8
            },
            "dictionary_names": [
                "[dlp]"
            ],
            "engine": {
                "id": 12
            },
            "engine_names": [
                "dlpengine"
            ],
            "event_time": "2023-10-16T22:55:48.000Z",
            "expected_action": "block",
            "feed_time": "2023-10-16T22:55:48.000Z",
            "file": {
                "doc_type": "Medical",
                "source_path": "source_path",
                "type": {
                    "name": "exe64"
                },
                "type_category": "PLS File (pls)"
            },
            "hour": 22,
            "identifier": "12",
            "item": {
                "destination_name": "nanolog",
                "name": "endpoint_dlp",
                "source_name": "endpoint",
                "type": "email_attachment"
            },
            "log_type": "dlp_incident",
            "minute": 55,
            "month": "Oct",
            "month_of_year": 10,
            "scan_time": 1210,
            "scanned_bytes": 290812,
            "second": 48,
            "severity": "High Severity",
            "source_type": "network_share",
            "timezone": "GMT",
            "year": 2023,
            "zdp_mode": "block mode"
        }
    }
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset.
constant_keyword
event.module
Event module.
constant_keyword
input.type
Type of Filebeat input.
keyword
log.offset
Log offset.
long
log.source.address
Source address from which the log event was read / sent from.
keyword
zscaler_zia.endpoint_dlp.action_taken
The action taken by Zscaler Data Protection.
keyword
zscaler_zia.endpoint_dlp.activity_type
The activity type.
keyword
zscaler_zia.endpoint_dlp.additional_info
Additional information.
keyword
zscaler_zia.endpoint_dlp.channel
The channel.
keyword
zscaler_zia.endpoint_dlp.confirm_action
The confirmation action by the user.
keyword
zscaler_zia.endpoint_dlp.confirm_just
The confirmation action justification by the user.
keyword
zscaler_zia.endpoint_dlp.counts
The number of hits for each of the DLP dictionaries.
long
zscaler_zia.endpoint_dlp.datacenter.city
The city where the data center is located.
keyword
zscaler_zia.endpoint_dlp.datacenter.country
The country where the data center is located.
keyword
zscaler_zia.endpoint_dlp.datacenter.name
The name of the data center.
keyword
zscaler_zia.endpoint_dlp.day
The day of the week.
keyword
zscaler_zia.endpoint_dlp.day_of_month
The day of the month.
long
zscaler_zia.endpoint_dlp.department
The name of the department.
keyword
zscaler_zia.endpoint_dlp.destination_type
The destination type.
keyword
zscaler_zia.endpoint_dlp.device.appversion
The device application version.
keyword
zscaler_zia.endpoint_dlp.device.hostname
The device host name.
keyword
zscaler_zia.endpoint_dlp.device.model
The device model.
keyword
zscaler_zia.endpoint_dlp.device.name
The device name.
keyword
zscaler_zia.endpoint_dlp.device.os.type
The device OS type.
keyword
zscaler_zia.endpoint_dlp.device.os.version
The device OS version.
keyword
zscaler_zia.endpoint_dlp.device.owner
The device owner.
keyword
zscaler_zia.endpoint_dlp.device.platform
The device platform.
keyword
zscaler_zia.endpoint_dlp.device.type
The device type.
keyword
zscaler_zia.endpoint_dlp.dictionary.id
The number of DLP dictionaries hit.
long
zscaler_zia.endpoint_dlp.dictionary_names
The DLP dictionary names.
keyword
zscaler_zia.endpoint_dlp.engine.id
The number of DLP engines hit.
long
zscaler_zia.endpoint_dlp.engine_names
The DLP engine names.
keyword
zscaler_zia.endpoint_dlp.event_time
The event time.
date
zscaler_zia.endpoint_dlp.expected_action
The expected action by ZDP.
keyword
zscaler_zia.endpoint_dlp.feed_time
The feed time.
date
zscaler_zia.endpoint_dlp.file.destination_path
The file destination path.
keyword
zscaler_zia.endpoint_dlp.file.doc_type
The file document type.
keyword
zscaler_zia.endpoint_dlp.file.md5
The file MD5 hash.
keyword
zscaler_zia.endpoint_dlp.file.sha256
The file SHA256 hash.
keyword
zscaler_zia.endpoint_dlp.file.source_path
The file source path.
keyword
zscaler_zia.endpoint_dlp.file.type.name
The file type.
keyword
zscaler_zia.endpoint_dlp.file.type_category
The file type category.
keyword
zscaler_zia.endpoint_dlp.hour
Hours.
long
zscaler_zia.endpoint_dlp.identifier
The unique DLP identifier.
keyword
zscaler_zia.endpoint_dlp.item.destination_name
The item destination name.
keyword
zscaler_zia.endpoint_dlp.item.name
The item name.
keyword
zscaler_zia.endpoint_dlp.item.source_name
The item source name.
keyword
zscaler_zia.endpoint_dlp.item.type
The item type.
keyword
zscaler_zia.endpoint_dlp.log_type
The type of record.
keyword
zscaler_zia.endpoint_dlp.minute
Minutes.
long
zscaler_zia.endpoint_dlp.month
The name of the month.
keyword
zscaler_zia.endpoint_dlp.month_of_year
The month of the year.
long
zscaler_zia.endpoint_dlp.obfuscated.department
The obfuscated version of the department name.
keyword
zscaler_zia.endpoint_dlp.obfuscated.device.hostname
The obfuscated version of the device host name.
keyword
zscaler_zia.endpoint_dlp.obfuscated.device.name
The obfuscated version of the device name.
keyword
zscaler_zia.endpoint_dlp.obfuscated.device.owner
The obfuscated version of the device owner.
keyword
zscaler_zia.endpoint_dlp.obfuscated.dlp.dictionary_names
The obfuscated version of the DLP dictionary names.
keyword
zscaler_zia.endpoint_dlp.obfuscated.dlp.engine_names
The obfuscated version of the DLP engine names.
keyword
zscaler_zia.endpoint_dlp.obfuscated.file.destination_path
The obfuscated version of the file destination path.
keyword
zscaler_zia.endpoint_dlp.obfuscated.file.source_path
The obfuscated version of the file source path.
keyword
zscaler_zia.endpoint_dlp.obfuscated.item.destination_names
The obfuscated version of the item destination name.
keyword
zscaler_zia.endpoint_dlp.obfuscated.item.name
The obfuscated version of the item name.
keyword
zscaler_zia.endpoint_dlp.obfuscated.item.source_names
The obfuscated version of the item source name.
keyword
zscaler_zia.endpoint_dlp.obfuscated.other_rule_labels
The obfuscated version of the other rule labels.
keyword
zscaler_zia.endpoint_dlp.obfuscated.triggered_rule_label
The obfuscated version of the triggered DLP rule.
keyword
zscaler_zia.endpoint_dlp.obfuscated.user
The obfuscated version of the username.
keyword
zscaler_zia.endpoint_dlp.other_rule_labels
The labels of other rules that were triggered.
keyword
zscaler_zia.endpoint_dlp.record.id
The unique record identifier.
keyword
zscaler_zia.endpoint_dlp.scan_time
The scan time in milliseconds.
long
zscaler_zia.endpoint_dlp.scanned_bytes
The scanned item size in bytes.
long
zscaler_zia.endpoint_dlp.second
Seconds.
long
zscaler_zia.endpoint_dlp.severity
The severity of the event.
keyword
zscaler_zia.endpoint_dlp.source_type
The source type.
keyword
zscaler_zia.endpoint_dlp.time
The log time.
date
zscaler_zia.endpoint_dlp.timezone
The time zone.
keyword
zscaler_zia.endpoint_dlp.triggered_rule_label
The DLP rule that was triggered.
keyword
zscaler_zia.endpoint_dlp.user
The username.
keyword
zscaler_zia.endpoint_dlp.year
Year.
long
zscaler_zia.endpoint_dlp.zdp_mode
The ZDP mode.
keyword

firewall

This is the firewall dataset.

Example

An example event for firewall looks as following:

{
    "@timestamp": "2022-12-31T02:22:22.000Z",
    "agent": {
        "ephemeral_id": "e9bfb284-65f1-4d68-8a50-004b259d481f",
        "id": "c484a04a-ca60-4ebd-a941-425901026a2c",
        "name": "elastic-agent-76313",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "zscaler_zia.firewall",
        "namespace": "35906",
        "type": "logs"
    },
    "destination": {
        "bytes": 0,
        "ip": "0.0.0.0",
        "port": [
            120,
            0
        ]
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "c484a04a-ca60-4ebd-a941-425901026a2c",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "outofrange",
        "agent_id_status": "verified",
        "category": [
            "network"
        ],
        "dataset": "zscaler_zia.firewall",
        "duration": 0,
        "ingested": "2024-11-01T08:59:18Z",
        "kind": "event",
        "timezone": "UTC",
        "type": [
            "info"
        ]
    },
    "input": {
        "type": "http_endpoint"
    },
    "network": {
        "application": "notavailable",
        "bytes": 0,
        "transport": "ip"
    },
    "observer": {
        "product": "ZIA",
        "type": "firewall",
        "vendor": "Zscaler"
    },
    "related": {
        "ip": [
            "0.0.0.0"
        ]
    },
    "source": {
        "bytes": 0,
        "ip": "0.0.0.0",
        "nat": {
            "ip": "0.0.0.0"
        },
        "port": [
            0
        ]
    },
    "tags": [
        "forwarded",
        "zscaler_zia-firewall"
    ],
    "zscaler_zia": {
        "firewall": {
            "aggregate": "No",
            "client": {
                "destination": {
                    "ip": "0.0.0.0"
                },
                "source": {
                    "ip": "0.0.0.0"
                }
            },
            "department": "Unknown",
            "duration": {
                "average_duration": 0,
                "seconds": 0
            },
            "ip_category": "Other",
            "location_name": "Unknown",
            "nat": "No",
            "server": {
                "destination": {
                    "ip": "0.0.0.0"
                },
                "source": {
                    "ip": "0.0.0.0"
                }
            },
            "session": {
                "count": 1
            },
            "stateful": "Yes",
            "tunnel": {
                "ip": "0.0.0.0",
                "type": "OutOfRange"
            }
        }
    }
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset.
constant_keyword
event.module
Event module.
constant_keyword
input.type
Type of Filebeat input.
keyword
log.offset
Log offset.
long
log.source.address
Source address from which the log event was read / sent from.
keyword
zscaler_zia.firewall.action
The action that the service took on the transaction.
keyword
zscaler_zia.firewall.aggregate
Indicates whether the Firewall session is aggregated.
keyword
zscaler_zia.firewall.bypassed.session
Indicates whether the traffic bypassed the Zscaler Client Connector.
keyword
zscaler_zia.firewall.bypassed.time
The date and time when the traffic bypassed the Zscaler Client Connector.
date
zscaler_zia.firewall.bytes_in
The number of bytes sent from the server to the client.
long
zscaler_zia.firewall.client.destination.ip
The client destination IP address.
ip
zscaler_zia.firewall.client.destination.port
The client destination port.
long
zscaler_zia.firewall.client.domain
The client destination FDQN.
keyword
zscaler_zia.firewall.client.source.ip
The client source IP address.
ip
zscaler_zia.firewall.client.source.port
The client source port.
long
zscaler_zia.firewall.datacenter.city
The city where the data center is located.
keyword
zscaler_zia.firewall.datacenter.country
The country where the data center is located.
keyword
zscaler_zia.firewall.datacenter.name
The name of the data center.
keyword
zscaler_zia.firewall.day
The day of the week.
keyword
zscaler_zia.firewall.day_of_month
The day of the month.
long
zscaler_zia.firewall.department
keyword
zscaler_zia.firewall.dept
The department of the user.
keyword
zscaler_zia.firewall.destination.country
The abbreviated code of the country of the destination IP address.
keyword
zscaler_zia.firewall.device.appversion
The app version that the device app uses.
keyword
zscaler_zia.firewall.device.hostname
The host name of the device.
keyword
zscaler_zia.firewall.device.model
The model of the device.
keyword
zscaler_zia.firewall.device.name
The name of the device.
keyword
zscaler_zia.firewall.device.os.type
The OS type of the device.
keyword
zscaler_zia.firewall.device.os.version
The OS version that the device uses.
keyword
zscaler_zia.firewall.device.owner
The owner of the device.
keyword
zscaler_zia.firewall.duration.average_duration
The average session duration, in milliseconds, if the sessions were aggregated.
long
zscaler_zia.firewall.duration.milliseconds
The session or request duration in milliseconds.
long
zscaler_zia.firewall.duration.seconds
The session or request duration in seconds.
long
zscaler_zia.firewall.eedone
Indicates if the characters specified in the Feed Escape Character field of the NSS feed configuration page were hex encoded.
keyword
zscaler_zia.firewall.epochtime
The epoch time of the transaction.
date
zscaler_zia.firewall.external_device_id
The external device ID that associates a user’s device with the mobile device management (MDM) solution.
keyword
zscaler_zia.firewall.flow_type
The flow type of the transaction.
keyword
zscaler_zia.firewall.forward_gateway_name
The name of the gateway defined in a forwarding rule.
keyword
zscaler_zia.firewall.hour
Hours.
long
zscaler_zia.firewall.ip_category
The URL category that corresponds to the server IP address.
keyword
zscaler_zia.firewall.ip_protocol
The type of IP protocol.
keyword
zscaler_zia.firewall.ips.custom_signature
Indicates if a custom IPS signature rule was applied.
keyword
zscaler_zia.firewall.ips.rule_label
The name of the IPS policy that was applied to the Firewall session.
keyword
zscaler_zia.firewall.location
The name of the location from which the session was initiated.
keyword
zscaler_zia.firewall.location_name
keyword
zscaler_zia.firewall.login
The user's login name in email address format.
keyword
zscaler_zia.firewall.minutes
Minutes.
long
zscaler_zia.firewall.month
The name of the month.
keyword
zscaler_zia.firewall.month_of_year
The month of the year.
long
zscaler_zia.firewall.nat
Indicates if the destination NAT policy was applied.
keyword
zscaler_zia.firewall.nat_rule_label
The name of the destination NAT policy that was applied.
keyword
zscaler_zia.firewall.network.application
The network application that was accessed.
keyword
zscaler_zia.firewall.network.service
The network service that was used.
keyword
zscaler_zia.firewall.obfuscated.client_source_ip
The obfuscated version of the client source IP address.
keyword
zscaler_zia.firewall.obfuscated.device.name
The obfuscated version of the name of the device.
keyword
zscaler_zia.firewall.obfuscated.device.owner
The obfuscated version of the owner of the device.
keyword
zscaler_zia.firewall.obfuscated.forward_gateway_name
The obfuscated version of the gateway defined in a forwarding rule.
keyword
zscaler_zia.firewall.obfuscated.host_name
The obfuscated version of the host name of the device.
keyword
zscaler_zia.firewall.obfuscated.ip.category
The obfuscated version of the URL category that corresponds to the server IP address.
keyword
zscaler_zia.firewall.obfuscated.ips_rule_label
The obfuscated version of the name of the IPS policy that was applied to the Firewall session.
keyword
zscaler_zia.firewall.obfuscated.nat_label
The obfuscated version of the name of the destination NAT policy that was applied.
keyword
zscaler_zia.firewall.obfuscated.redirect_policy_name
The obfuscated version of the name of the redirect/forwarding policy.
keyword
zscaler_zia.firewall.obfuscated.rule_label
The obfuscated version of the name of the rule that was applied to the transaction.
keyword
zscaler_zia.firewall.obfuscated.zpa_app_segment
The obfuscated version of the ZPA application segment.
keyword
zscaler_zia.firewall.out_bytes
The number of bytes sent from the client to the server.
long
zscaler_zia.firewall.record.id
The record ID.
keyword
zscaler_zia.firewall.redirect_policy_name
The name of the redirect/forwarding policy.
keyword
zscaler_zia.firewall.rule
The name of the rule that was applied to the transaction.
keyword
zscaler_zia.firewall.rule_label
keyword
zscaler_zia.firewall.second
Seconds.
long
zscaler_zia.firewall.server.destination.ip
The server destination IP address.
ip
zscaler_zia.firewall.server.destination.port
The server destination port.
long
zscaler_zia.firewall.server.source.ip
The server source IP address.
ip
zscaler_zia.firewall.server.source.port
The server source port.
long
zscaler_zia.firewall.session.count
The number of sessions that were aggregated.
long
zscaler_zia.firewall.source_ip_country
The traffic's source country, which is determined by the client IP address location.
keyword
zscaler_zia.firewall.stateful
Indicates if the Firewall session is stateful.
keyword
zscaler_zia.firewall.threat.category
The category of the threat in the Firewall session by the IPS engine.
keyword
zscaler_zia.firewall.threat.name
keyword
zscaler_zia.firewall.threat_name
The name of the threat detected in the Firewall session by the IPS engine.
keyword
zscaler_zia.firewall.time
The time and date of the transaction.
date
zscaler_zia.firewall.timezone
The time zone.
keyword
zscaler_zia.firewall.tunnel.ip
The tunnel IP address of the client (source).
ip
zscaler_zia.firewall.tunnel.type
The traffic forwarding method used to send the traffic to the Firewall.
keyword
zscaler_zia.firewall.user
keyword
zscaler_zia.firewall.year
Year.
long
zscaler_zia.firewall.z_tunnel_version
The Z-Tunnel version.
keyword
zscaler_zia.firewall.zpa_app_segment
The name of the Zscaler Private Access (ZPA) application segment.
keyword

sandbox_report

This is the sandbox_report dataset.

Example

An example event for sandbox_report looks as following:

{
    "@timestamp": "2024-07-04T12:08:18.143Z",
    "agent": {
        "ephemeral_id": "d12fe3a6-bd2e-4729-9303-bdbbc18f187e",
        "id": "7a8d18bc-b73c-424e-a30b-120ddeb66eeb",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "zscaler_zia.sandbox_report",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "7a8d18bc-b73c-424e-a30b-120ddeb66eeb",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "completed",
        "agent_id_status": "verified",
        "category": [
            "malware"
        ],
        "dataset": "zscaler_zia.sandbox_report",
        "duration": 454557000000,
        "ingested": "2024-07-04T12:08:30Z",
        "kind": "alert",
        "original": "{\"Classification\":{\"Category\":\"MALWARE_BOTNET\",\"DetectedMalware\":\"\",\"Max Score\":100,\"Score\":86,\"Type\":\"MALICIOUS\"},\"FileProperties\":{\"DigitalCerificate\":\"\",\"FileSize\":9810,\"FileType\":\"CMD\",\"Issuer\":\"\",\"MD5\":\"8350ded6d39df158e51d6cfbe36fb012\",\"RootCA\":\"\",\"SHA1\":\"f4dd1d176975c70ba8963ebc654a78a6e345cfb6\",\"SSDeep\":\"192:+cgNT7Zj4tvl2Drc+gEakjqBT1W431lXXH1TR8J:InZjevl2Drc+gEakmBT44rXVR8J\",\"Sha256\":\"aff2d40828597fbf482753bec73cc9fc2714484262258875cc23c7d5a7372cee\"},\"Summary\":{\"Analysis\":\"0\",\"Category\":\"SCRIPT\",\"Duration\":454557,\"FileType\":\"CMD\",\"StartTime\":1509567511,\"Status\":\"COMPLETED\",\"TimeUnit\":\"ms\",\"Url\":\"\"},\"SystemSummary\":{\"Risk\":\"LOW\",\"Signature\":\"Allocates memory within range which is reserved for system DLLs\",\"SignatureSources\":[\"\",\"76F90000 page execute and read and write\"]}}",
        "risk_score": 86,
        "start": "2017-11-01T20:18:31.000Z",
        "type": [
            "info"
        ]
    },
    "file": {
        "hash": {
            "md5": "8350ded6d39df158e51d6cfbe36fb012",
            "sha1": "f4dd1d176975c70ba8963ebc654a78a6e345cfb6",
            "sha256": "aff2d40828597fbf482753bec73cc9fc2714484262258875cc23c7d5a7372cee",
            "ssdeep": "192:+cgNT7Zj4tvl2Drc+gEakjqBT1W431lXXH1TR8J:InZjevl2Drc+gEakmBT44rXVR8J"
        },
        "size": 9810
    },
    "input": {
        "type": "cel"
    },
    "related": {
        "hash": [
            "8350ded6d39df158e51d6cfbe36fb012",
            "f4dd1d176975c70ba8963ebc654a78a6e345cfb6",
            "aff2d40828597fbf482753bec73cc9fc2714484262258875cc23c7d5a7372cee",
            "192:+cgNT7Zj4tvl2Drc+gEakjqBT1W431lXXH1TR8J:InZjevl2Drc+gEakmBT44rXVR8J"
        ]
    },
    "tags": [
        "preserve_original_event",
        "preserve_duplicate_custom_fields",
        "forwarded",
        "zscaler_zia-sandbox_report"
    ],
    "threat": {
        "indicator": {
            "type": "file"
        }
    },
    "zscaler_zia": {
        "sandbox_report": {
            "classification": {
                "category": "MALWARE_BOTNET",
                "max_score": 100,
                "score": 86,
                "type": "MALICIOUS"
            },
            "file_properties": {
                "file_size": 9810,
                "file_type": "CMD",
                "md5": "8350ded6d39df158e51d6cfbe36fb012",
                "sha1": "f4dd1d176975c70ba8963ebc654a78a6e345cfb6",
                "sha256": "aff2d40828597fbf482753bec73cc9fc2714484262258875cc23c7d5a7372cee",
                "ssdeep": "192:+cgNT7Zj4tvl2Drc+gEakjqBT1W431lXXH1TR8J:InZjevl2Drc+gEakmBT44rXVR8J"
            },
            "summary": {
                "analysis": "0",
                "category": "SCRIPT",
                "duration": 454557,
                "file": {
                    "type": "CMD"
                },
                "start_time": "2017-11-01T20:18:31.000Z",
                "status": "COMPLETED",
                "time_unit": "ms"
            },
            "system_summary": {
                "risk": "LOW",
                "signature": "Allocates memory within range which is reserved for system DLLs",
                "signature_sources": [
                    "76F90000 page execute and read and write"
                ]
            }
        }
    }
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset.
constant_keyword
event.module
Event module.
constant_keyword
input.type
Type of Filebeat input.
keyword
log.offset
Log offset.
long
zscaler_zia.sandbox_report.classification.category
keyword
zscaler_zia.sandbox_report.classification.detected_malware
keyword
zscaler_zia.sandbox_report.classification.max_score
double
zscaler_zia.sandbox_report.classification.score
double
zscaler_zia.sandbox_report.classification.type
keyword
zscaler_zia.sandbox_report.exploit.risk
keyword
zscaler_zia.sandbox_report.exploit.signature
keyword
zscaler_zia.sandbox_report.exploit.signature_sources
keyword
zscaler_zia.sandbox_report.file_properties.digital_cerificate
keyword
zscaler_zia.sandbox_report.file_properties.file_size
long
zscaler_zia.sandbox_report.file_properties.file_type
keyword
zscaler_zia.sandbox_report.file_properties.issuer
keyword
zscaler_zia.sandbox_report.file_properties.md5
keyword
zscaler_zia.sandbox_report.file_properties.root_ca
keyword
zscaler_zia.sandbox_report.file_properties.sha1
keyword
zscaler_zia.sandbox_report.file_properties.sha256
keyword
zscaler_zia.sandbox_report.file_properties.ssdeep
keyword
zscaler_zia.sandbox_report.networking.risk
keyword
zscaler_zia.sandbox_report.networking.signature
keyword
zscaler_zia.sandbox_report.networking.signature_sources
keyword
zscaler_zia.sandbox_report.origin.country
keyword
zscaler_zia.sandbox_report.origin.language
keyword
zscaler_zia.sandbox_report.origin.risk
keyword
zscaler_zia.sandbox_report.persistence.risk
keyword
zscaler_zia.sandbox_report.persistence.signature
keyword
zscaler_zia.sandbox_report.persistence.signature_sources
keyword
zscaler_zia.sandbox_report.security_bypass.risk
keyword
zscaler_zia.sandbox_report.security_bypass.signature
keyword
zscaler_zia.sandbox_report.security_bypass.signature_sources
keyword
zscaler_zia.sandbox_report.stealth.risk
keyword
zscaler_zia.sandbox_report.stealth.signature
keyword
zscaler_zia.sandbox_report.stealth.signature_sources
keyword
zscaler_zia.sandbox_report.summary.analysis
keyword
zscaler_zia.sandbox_report.summary.category
keyword
zscaler_zia.sandbox_report.summary.duration
long
zscaler_zia.sandbox_report.summary.file.type
keyword
zscaler_zia.sandbox_report.summary.start_time
date
zscaler_zia.sandbox_report.summary.start_time_unix
date
zscaler_zia.sandbox_report.summary.status
keyword
zscaler_zia.sandbox_report.summary.time_unit
keyword
zscaler_zia.sandbox_report.summary.url
keyword
zscaler_zia.sandbox_report.system_summary.risk
keyword
zscaler_zia.sandbox_report.system_summary.signature
keyword
zscaler_zia.sandbox_report.system_summary.signature_sources
keyword

tunnel

This is the tunnel dataset.

Example

An example event for tunnel looks as following:

{
    "@timestamp": "2021-12-30T11:20:12.000Z",
    "agent": {
        "ephemeral_id": "85f8a4ec-94a7-4111-9cab-36896851bb15",
        "id": "7a8d18bc-b73c-424e-a30b-120ddeb66eeb",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "zscaler_zia.tunnel",
        "namespace": "ep",
        "type": "logs"
    },
    "destination": {
        "ip": "81.2.69.143"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "7a8d18bc-b73c-424e-a30b-120ddeb66eeb",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "network"
        ],
        "dataset": "zscaler_zia.tunnel",
        "id": "1111111111111111111",
        "ingested": "2024-07-04T12:10:30Z",
        "kind": "event",
        "timezone": "UTC",
        "type": [
            "info"
        ]
    },
    "input": {
        "type": "tcp"
    },
    "log": {
        "source": {
            "address": "192.168.243.6:36470"
        }
    },
    "related": {
        "ip": [
            "81.2.69.143",
            "81.2.69.145"
        ]
    },
    "source": {
        "ip": "81.2.69.145",
        "port": 0
    },
    "tags": [
        "forwarded",
        "zscaler_zia-tunnel"
    ],
    "zscaler_zia": {
        "tunnel": {
            "action": {
                "type": "IPSec Phase2"
            },
            "authentication": {
                "algorithm": "HMAC-SHA-1"
            },
            "destination": {
                "end": {
                    "ip": "81.2.69.143"
                },
                "start": {
                    "ip": "81.2.69.143",
                    "port": 0
                }
            },
            "encryption": {
                "algorithm": "AES"
            },
            "ikeversion": "1",
            "life": {
                "bytes": 0,
                "time": 3600
            },
            "policy": {
                "protocol": "Any"
            },
            "protocol": "ESP",
            "source": {
                "end": {
                    "ip": "81.2.69.145"
                },
                "start": {
                    "ip": "81.2.69.145",
                    "port": 0
                }
            },
            "spi": "123456789",
            "type": "IPSEC IKEV 1",
            "user_ip": "81.2.69.145"
        }
    }
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset.
constant_keyword
event.module
Event module.
constant_keyword
input.type
Type of Filebeat input.
keyword
log.offset
Log offset.
long
log.source.address
Source address from which the log event was read / sent from.
keyword
zscaler_zia.tunnel.action.type
The action type.
keyword
zscaler_zia.tunnel.authentication.algorithm
The authentication algorithm.
keyword
zscaler_zia.tunnel.authentication.type
The authentication type.
keyword
zscaler_zia.tunnel.bytes.received
The bytes received in a 60-second sample window by Zscaler from the customer.
long
zscaler_zia.tunnel.bytes.sent
The bytes transmitted in a 60-second sample window from Zscaler to the customer.
long
zscaler_zia.tunnel.datetime
The date and time of the event.
date
zscaler_zia.tunnel.day
The day of the week.
keyword
zscaler_zia.tunnel.day_of_month
The day of the month.
long
zscaler_zia.tunnel.destination.end.ip
Phase 2 policy proposal - Destination IP end.
ip
zscaler_zia.tunnel.destination.port
The tunnel destination port.
long
zscaler_zia.tunnel.destination.start.ip
Phase 2 policy proposal - Destination IP start.
ip
zscaler_zia.tunnel.destination.start.port
Phase 2 policy proposal - Destination port start.
long
zscaler_zia.tunnel.destination.vip.address
The tunnel destination VIP address.
ip
zscaler_zia.tunnel.dpd_packets
The number of DPD packets received in a 60-second sample window.
long
zscaler_zia.tunnel.encryption.algorithm
The encryption algorithm.
keyword
zscaler_zia.tunnel.event
The tunnel status.
keyword
zscaler_zia.tunnel.event_reason
The reason for the tunnel status change.
keyword
zscaler_zia.tunnel.hour
Hours.
long
zscaler_zia.tunnel.ikeversion
The IKE version.
keyword
zscaler_zia.tunnel.life.bytes
Life bytes.
long
zscaler_zia.tunnel.life.time
The lifetime of IKE Phase 2 (seconds).
long
zscaler_zia.tunnel.locationname
The location name.
keyword
zscaler_zia.tunnel.minute
Minutes.
long
zscaler_zia.tunnel.month
The name of the month.
keyword
zscaler_zia.tunnel.month_of_year
The month of the year.
long
zscaler_zia.tunnel.obfuscated.location_name
The obfuscated version of the location name.
keyword
zscaler_zia.tunnel.obfuscated.vpn_credential_name
The obfuscated version of the VPN credential name for the IPSec tunnel.
keyword
zscaler_zia.tunnel.packets.received
The packets received in a 60-second sample window by Zscaler from the customer.
long
zscaler_zia.tunnel.packets.sent
The packets transmitted in a 60-second sample window from Zscaler to the customer.
long
zscaler_zia.tunnel.policy.protocol
Phase 2 policy proposal - Protocol.
keyword
zscaler_zia.tunnel.protocol
The IPSec tunnel protocol type.
keyword
zscaler_zia.tunnel.record.id
The unique record identifier for each log.
keyword
zscaler_zia.tunnel.second
Seconds.
long
zscaler_zia.tunnel.source.end.ip
Phase 2 policy proposal - Source IP end.
ip
zscaler_zia.tunnel.source.ip
The tunnel source IP address.
ip
zscaler_zia.tunnel.source.port
The tunnel source port.
long
zscaler_zia.tunnel.source.start.ip
Phase 2 policy proposal - Source IP start.
ip
zscaler_zia.tunnel.source.start.port
Phase 2 policy proposal - Source port start.
long
zscaler_zia.tunnel.spi
The Security Parameter Index.
keyword
zscaler_zia.tunnel.spi_in
The initiator cookie.
keyword
zscaler_zia.tunnel.spi_out
The responder cookie.
keyword
zscaler_zia.tunnel.timezone
The time zone.
keyword
zscaler_zia.tunnel.type
The tunnel type.
keyword
zscaler_zia.tunnel.user_ip
ip
zscaler_zia.tunnel.vendor.name
The vendor name of the edge device.
keyword
zscaler_zia.tunnel.vpn_credential_name
The VPN credential name for the IPSec tunnel.
keyword
zscaler_zia.tunnel.year
Year.
long

web

This is the web dataset.

Example

An example event for web looks as following:

{
    "@timestamp": "2021-12-31T08:08:08.000Z",
    "agent": {
        "ephemeral_id": "afba03f3-0a10-4b56-998d-0fd4aa4e71ea",
        "id": "6df0d50c-dafe-4616-9ed1-10519bfbda98",
        "name": "elastic-agent-86843",
        "type": "filebeat",
        "version": "8.15.0"
    },
    "data_stream": {
        "dataset": "zscaler_zia.web",
        "namespace": "65605",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "6df0d50c-dafe-4616-9ed1-10519bfbda98",
        "snapshot": false,
        "version": "8.15.0"
    },
    "event": {
        "action": "blocked",
        "agent_id_status": "verified",
        "category": [
            "web"
        ],
        "dataset": "zscaler_zia.web",
        "ingested": "2024-08-22T16:05:37Z",
        "kind": "event",
        "timezone": "UTC",
        "type": [
            "info"
        ]
    },
    "file": {
        "type": "file"
    },
    "host": {
        "name": "testmachine35"
    },
    "http": {
        "request": {
            "bytes": 600,
            "method": "CONNECT"
        },
        "response": {
            "bytes": 65
        }
    },
    "input": {
        "type": "http_endpoint"
    },
    "network": {
        "protocol": "http_proxy"
    },
    "related": {
        "hosts": [
            "testmachine35"
        ],
        "user": [
            "administrator1",
            "test",
            "test@example.com"
        ]
    },
    "rule": {
        "name": [
            "Zscaler Proxy Traffic"
        ]
    },
    "tags": [
        "forwarded",
        "zscaler_zia-web"
    ],
    "user": {
        "domain": "example.com",
        "email": "test@example.com",
        "name": "test"
    },
    "zscaler_zia": {
        "web": {
            "app": {
                "class": "General Browsing",
                "name": "General Browsing"
            },
            "content_type": "Other",
            "department": "Unknown",
            "device": {
                "owner": "administrator1"
            },
            "location": "Test DB",
            "response": {
                "code": "200"
            },
            "risk": {
                "score": 0
            },
            "rule": {
                "type": "FwFilter"
            },
            "url": {
                "category": {
                    "super": "Information Technology"
                },
                "class": "Business Use"
            }
        }
    }
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset.
constant_keyword
event.module
Event module.
constant_keyword
input.type
Type of Filebeat input.
keyword
log.offset
Log offset.
long
log.source.address
Source address from which the log event was read / sent from.
keyword
zscaler_zia.web.action
The action that the service took on the transaction.
keyword
zscaler_zia.web.alpn_protocol
The Application-Layer Protocol Negotiation (ALPN) protocol.
keyword
zscaler_zia.web.app.class
The web application class of the application that was accessed.
keyword
zscaler_zia.web.app.name
The name of the cloud application.
keyword
zscaler_zia.web.app.risk_score
The computed or assigned risk index for the cloud application.
keyword
zscaler_zia.web.app.rule_label
The name of the rule that was applied to the application.
keyword
zscaler_zia.web.bandwidth_class_name
The name of the bandwidth class.
keyword
zscaler_zia.web.bandwidth_rule_name
The name of the bandwidth rule.
keyword
zscaler_zia.web.bandwidth_throttle
Indicates whether the transaction was throttled due to a configured bandwidth policy.
keyword
zscaler_zia.web.bypassed.time
The date and time when the traffic bypassed the Zscaler Client Connector.
date
zscaler_zia.web.bypassed.traffic
Indicates whether the traffic bypassed the Zscaler Client Connector or not.
keyword
zscaler_zia.web.client.cipher
The negotiated cipher suite for communication between the client and Zscaler.
keyword
zscaler_zia.web.client.cipher_reuse
Client cipher reuse information.
keyword
zscaler_zia.web.client.internet.ip
The client's Internet (NATed Public) IP address.
ip
zscaler_zia.web.client.ip
The IP address of the user.
ip
zscaler_zia.web.client.public_ip
The client public IP address.
ip
zscaler_zia.web.client.source_port
The client source port.
long
zscaler_zia.web.client.ssl.fail_count
The number of failed client SSL handshake attempts.
long
zscaler_zia.web.client.ssl.fail_reason
The reason for the client SSL handshake failure.
keyword
zscaler_zia.web.client.tls_version
The TLS version used for communication between the client and Zscaler.
keyword
zscaler_zia.web.cloud_name
The name of the Zscaler cloud.
keyword
zscaler_zia.web.company
The name of the company.
keyword
zscaler_zia.web.content_type
The name of the content type.
keyword
zscaler_zia.web.datacenter.city
The city where the data center is located.
keyword
zscaler_zia.web.datacenter.country
The country where the data center is located.
keyword
zscaler_zia.web.datacenter.name
The name of the data center.
keyword
zscaler_zia.web.day
The day of the week.
keyword
zscaler_zia.web.day_of_month
The day of the month.
long
zscaler_zia.web.department
The department of the user.
keyword
zscaler_zia.web.device.appversion
The app version the device uses.
keyword
zscaler_zia.web.device.hostname
The hostname of the device.
keyword
zscaler_zia.web.device.model
The model of the device.
keyword
zscaler_zia.web.device.name
The name of the device.
keyword
zscaler_zia.web.device.os.type
The OS type of the device.
keyword
zscaler_zia.web.device.os.version
The OS version the device uses.
keyword
zscaler_zia.web.device.owner
The owner of the device.
keyword
zscaler_zia.web.device.type
The type of device.
keyword
zscaler_zia.web.df.host.head
The field contains HTTP/S transactions that indicate domain fronting due to an FQDN mismatch between the request URL and the request's host header.
keyword
zscaler_zia.web.df.host.name
An optional field that contains the TLS connection's Server Name Indication (SNI).
keyword
zscaler_zia.web.dlp.dictionaries.hit_count
The number of hits for each of the dictionaries that were matched in the transaction.
keyword
zscaler_zia.web.dlp.dictionaries.name
The DLP dictionaries that were matched.
keyword
zscaler_zia.web.dlp.engine
The DLP engine that was matched.
keyword
zscaler_zia.web.dlp.identifier
The unique identifier of the DLP incident.
keyword
zscaler_zia.web.dlp.md5
The MD5 hash of the transaction.
keyword
zscaler_zia.web.dlp.rule.name
The name of the DLP rule applied to the transaction.
keyword
zscaler_zia.web.eedone
Indicates if the characters specified in the Feed Escape Character field of the NSS feed configuration page were hex encoded.
keyword
zscaler_zia.web.epochtime
The epoch time of the transaction.
date
zscaler_zia.web.external.device.id
The external device ID that associates a user’s device with the mobile device management (MDM) solution.
keyword
zscaler_zia.web.file.class
The class of file downloaded during the transaction.
keyword
zscaler_zia.web.file.name
The name of downloaded files during the transaction.
keyword
zscaler_zia.web.file.subtype
Applicable to the web traffic processed via Isolation.
keyword
zscaler_zia.web.file.type
The type of file downloaded during the transaction.
keyword
zscaler_zia.web.flow_type
The flow type of the transaction.
keyword
zscaler_zia.web.forward_gateway.ip
The IP address of the gateway used.
ip
zscaler_zia.web.forward_gateway.name
The name of the gateway defined in a forwarding rule.
keyword
zscaler_zia.web.forward_type
The type of forwarding method used.
keyword
zscaler_zia.web.host
The destination hostname.
keyword
zscaler_zia.web.hour
Hours.
long
zscaler_zia.web.is_ssl_certificate_expired
Indicates whether the certificate presented by the server is expired or not.
keyword
zscaler_zia.web.is_ssl_certificate_selfsigned
Indicates whether the certificate presented by the server to the ZIA Public Service Edge was self-signed.
keyword
zscaler_zia.web.is_ssl_certificate_untrusted
Indicates whether the server certificate is signed by a Zscaler-trusted certificate authority or not.
keyword
zscaler_zia.web.key_protection_type
Indicates whether an HSM Protection or a Software Protection intermediate CA certificate is used for the TLS interception.
keyword
zscaler_zia.web.location
The gateway location or sub-location of the source.
keyword
zscaler_zia.web.login
The user's login name in email address format.
keyword
zscaler_zia.web.malware.category
The category of malware that was detected in the transaction.
keyword
zscaler_zia.web.malware.class
The class of malware that was detected in the transaction.
keyword
zscaler_zia.web.md5_hash
The MD5 hash of the malware file that was detected in the transaction, or the MD5 of the file that was sent for analysis to the Sandbox engine.
keyword
zscaler_zia.web.minute
Minutes.
long
zscaler_zia.web.mobile.application.category
The category of the mobile app.
keyword
zscaler_zia.web.mobile.application.name
The name of the mobile app.
keyword
zscaler_zia.web.mobile.dev.type
The type of mobile device.
keyword
zscaler_zia.web.module
The web application class of the application that was accessed.
keyword
zscaler_zia.web.month
The name of the month.
keyword
zscaler_zia.web.month_of_year
The month of the year.
long
zscaler_zia.web.nss.service.ip
The service IP address of the NSS.
ip
zscaler_zia.web.obfuscated.app_rule_label
The obfuscated version of the name of the rule that was applied to the application.
keyword
zscaler_zia.web.obfuscated.bendwidth.class_name
The obfuscated version of the name of the bandwidth class.
keyword
zscaler_zia.web.obfuscated.client.ip
The obfuscated version of the IP address of the user.
keyword
zscaler_zia.web.obfuscated.client.public.ip
The obfuscated version of the client public IP address.
keyword
zscaler_zia.web.obfuscated.device.host_name
The obfuscated version of the hostname of the device.
keyword
zscaler_zia.web.obfuscated.device.name
The obfuscated version of the name of the device.
keyword
zscaler_zia.web.obfuscated.device.owner
The obfuscated version of the owner of the device.
keyword
zscaler_zia.web.obfuscated.dlp.dictionaries
The obfuscated version of the DLP dictionaries that were matched.
keyword
zscaler_zia.web.obfuscated.dlp.engine
The obfuscated version of the DLP engine that was matched.
keyword
zscaler_zia.web.obfuscated.dlp.rule.name
The obfuscated version of the name of the DLP rule that was applied.
keyword
zscaler_zia.web.obfuscated.forward_gateway_name
The obfuscated version of the gateway defined in a forwarding rule.
keyword
zscaler_zia.web.obfuscated.login
The obfuscated version of the user's login name.
keyword
zscaler_zia.web.obfuscated.rule.name
The obfuscated version of the name of the redirect/forwarding policy.
keyword
zscaler_zia.web.obfuscated.url.category
The obfuscated version of the category of the destination URL.
keyword
zscaler_zia.web.obfuscated.url.filter_rule_label
The obfuscated version of the name of the rule that was applied to the URL filter.
keyword
zscaler_zia.web.obfuscated.zpa_app_segment
The obfuscated version of the ZPA application segment.
keyword
zscaler_zia.web.policy.reason
The SSL policy reasons.
keyword
zscaler_zia.web.product_version
The current version of the product.
keyword
zscaler_zia.web.prototype
The protocol type of the transaction.
keyword
zscaler_zia.web.reason
The action that the service took and the policy that was applied.
keyword
zscaler_zia.web.record.id
The unique record identifier for each log.
keyword
zscaler_zia.web.redirect_policy_name
The name of the redirect/forwarding policy.
keyword
zscaler_zia.web.referer.host
The hostname of the referer URL.
keyword
zscaler_zia.web.referer.name
The HTTP referer URL.
keyword
zscaler_zia.web.request.header_size
The size of the HTTP request header in bytes.
long
zscaler_zia.web.request.method
The HTTP request method.
keyword
zscaler_zia.web.request.payload
The size of the HTTP request payload.
long
zscaler_zia.web.request.size
The request size in bytes.
long
zscaler_zia.web.request.version
The HTTP request version.
keyword
zscaler_zia.web.response.code
The HTTP response code sent to the client.
keyword
zscaler_zia.web.response.header_size
The size of the HTTP response header in bytes.
long
zscaler_zia.web.response.payload
The size of the HTTP response payload.
long
zscaler_zia.web.response.size
The total size of the HTTP response in bytes.
long
zscaler_zia.web.response.version
The HTTP response version.
keyword
zscaler_zia.web.risk.score
The Page Risk Index score of the destination URL.
double
zscaler_zia.web.rule.name
The name of the rule that was applied to the transaction.
keyword
zscaler_zia.web.rule.type
The type of policy.
keyword
zscaler_zia.web.second
Seconds.
long
zscaler_zia.web.server.certificate.validation.period
The expiration of the server certificate.
keyword
zscaler_zia.web.server.certificate_validation_chain
The validation of the certificate chain.
keyword
zscaler_zia.web.server.certificate_validation_type
The validation method of the server certificate.
keyword
zscaler_zia.web.server.cipher
The negotiated cipher suite for communication between Zscaler and the server.
keyword
zscaler_zia.web.server.cipher_reuse
Server cipher reuse information.
keyword
zscaler_zia.web.server.ip
The destination server IP address.
ip
zscaler_zia.web.server.ocsp_result
The OCSP result/certificate revocation result.
keyword
zscaler_zia.web.server.tls_version
The TLS/SSL version used for communication between the ZIA Public Service Edge and the server.
keyword
zscaler_zia.web.server.wildcard_certificate
The server wildcard certificate.
keyword
zscaler_zia.web.sha256
The hash of identical files.
keyword
zscaler_zia.web.ssl_decrypted
Indicates whether the transaction was SSL inspected or not.
keyword
zscaler_zia.web.threat.name
The name of the threat that was detected in the transaction.
keyword
zscaler_zia.web.threat.severity
The severity of the threat that was detected in the transaction.
keyword
zscaler_zia.web.throttle.request_size
The throttled transaction size in the Uplink direction (Upload) in bytes.
long
zscaler_zia.web.throttle.response_size
The throttled transaction size in the Downlink direction (Download) in bytes.
long
zscaler_zia.web.time
The time and date of the transaction.
date
zscaler_zia.web.timezone
The time zone.
keyword
zscaler_zia.web.total.size
The total size of the HTTP transaction in bytes.
long
zscaler_zia.web.traffic_redirect_method
The traffic forwarding method to ZIA Public Service Edges.
keyword
zscaler_zia.web.unscannable.type
The unscannable file type.
keyword
zscaler_zia.web.upload.doc.type_name
The type of document uploaded or downloaded during the transaction.
keyword
zscaler_zia.web.upload.file.class
The class of file uploaded during the transaction.
keyword
zscaler_zia.web.upload.file.name
The name of uploaded files during the transaction.
keyword
zscaler_zia.web.upload.file.subtype
The subtype of the uploaded file (extension name).
keyword
zscaler_zia.web.upload.file.type
The type of file uploaded during the transaction.
keyword
zscaler_zia.web.url.category.sub
The category of the destination URL.
keyword
zscaler_zia.web.url.category.super
The super category of the destination URL.
keyword
zscaler_zia.web.url.category_method
Refers to the source of the URL's category.
keyword
zscaler_zia.web.url.class
The class of the destination URL.
keyword
zscaler_zia.web.url.filter_rule_label
The name of the rule that was applied to the URL filter.
keyword
zscaler_zia.web.url.name
The destination URL.
keyword
zscaler_zia.web.user_agent.class
The user agent class.
keyword
zscaler_zia.web.user_agent.name
The full user agent string for both known and unknown agents.
keyword
zscaler_zia.web.user_agent.token
The user agent token.
keyword
zscaler_zia.web.user_location_name
Applicable to the web traffic processed via Isolation.
keyword
zscaler_zia.web.year
Year.
long
zscaler_zia.web.z_tunnel_version
The Z-Tunnel version.
keyword
zscaler_zia.web.zpa_app_segment
The name of the Zscaler Private Access (ZPA) application segment.
keyword

Changelog

VersionDetailsKibana version(s)

3.3.0

Bug fix View pull request
Fix source/destination ip mapping in firewall logs.

Enhancement View pull request
Add geoip processor to source and destination ip.

8.13.0 or higher

3.2.4

Bug fix View pull request
Improve data processing in the web pipeline.

8.13.0 or higher

3.2.3

Bug fix View pull request
Remove department field and add on_failure clauses.

8.13.0 or higher

3.2.2

Bug fix View pull request
Sanitize unwanted characters in firewall.

8.13.0 or higher

3.2.1

Bug fix View pull request
In web v8, use b64 fields to avoid encoding issues.

8.13.0 or higher

3.2.0

Enhancement View pull request
Add hex-encoded fields in web logs.

8.13.0 or higher

3.1.0

Enhancement View pull request
Remove url field from web logs.

8.13.0 or higher

3.0.4

Bug fix View pull request
Update response format version numbers.

8.13.0 or higher

3.0.3

Bug fix View pull request
Add eurl hex-encoded field for url parsing.

8.13.0 or higher

3.0.2

Bug fix View pull request
Fix url parsing in Web logs.

8.13.0 or higher

3.0.1

Bug fix View pull request
Update NSS Feed Screenshot with updated Feed Output Format of Web.

8.13.0 or higher

3.0.0

Enhancement View pull request
Add Audit data-stream.

Enhancement View pull request
Add Endpoint DLP data-stream.

Enhancement View pull request
Add Sandbox Report data-stream.

Enhancement View pull request
Add support for new fields for existing data streams.

8.13.0 or higher

2.20.2

Bug fix View pull request
Add additional condition for failure processor.

8.13.0 or higher

2.20.1

Bug fix View pull request
Prevent failure on not encoded URLs.

8.13.0 or higher

2.20.0

Enhancement View pull request
Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

2.19.2

Bug fix View pull request
Include cintip field to web log template.

8.12.0 or higher

2.19.1

Bug fix View pull request
Fix mapping of source.ip and source.nat.ip

8.12.0 or higher

2.19.0

Enhancement View pull request
Set sensitive values as secret.

8.12.0 or higher

2.18.3

Bug fix View pull request
Remove ignore_failure clause in web events.

8.3.0 or higher

2.18.2

Bug fix View pull request
Fix mapping of user identities.

8.3.0 or higher

2.18.1

Enhancement View pull request
Changed owners

8.3.0 or higher

2.18.0

Enhancement View pull request
ECS version updated to 8.11.0.

8.3.0 or higher

2.17.0

Enhancement View pull request
Add question and answer names, and response data to relate.hosts and related.ip.

8.3.0 or higher

2.16.0

Enhancement View pull request
Improve 'event.original' check to avoid errors if set.

8.3.0 or higher

2.15.0

Enhancement View pull request
ECS version updated to 8.10.0.

8.3.0 or higher

2.14.0

Enhancement View pull request
The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest.

8.3.0 or higher

2.13.0

Enhancement View pull request
Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

8.3.0 or higher

2.12.0

Enhancement View pull request
Update package to ECS 8.9.0.

8.3.0 or higher

2.11.1

Bug fix View pull request
Update the mapping for user.name and host.name fields.

8.3.0 or higher

2.11.0

Enhancement View pull request
Ensure event.kind is correctly set for pipeline errors.

8.3.0 or higher

2.10.0

Enhancement View pull request
Update package to ECS 8.8.0.

8.3.0 or higher

2.9.0

Enhancement View pull request
Update package-spec version to 2.7.0.

8.3.0 or higher

2.8.0

Enhancement View pull request
Update package to ECS 8.7.0.

8.3.0 or higher

2.7.3

Enhancement View pull request
Map web login user details to ECS.

8.3.0 or higher

2.7.2

Enhancement View pull request
Added categories and/or subcategories.

2.7.1

Enhancement View pull request
Add support for dynamic ECS mapping.

Bug fix View pull request
Resolve the issue related to the user agent field.

Bug fix View pull request
Resolve the issue related to fields that contain a NA value.

8.3.0 or higher

2.7.0

Enhancement View pull request
Update package to ECS 8.6.0.

8.3.0 or higher

2.6.1

Bug fix View pull request
Remove duplicate fields.

8.3.0 or higher

2.6.0

Enhancement View pull request
Update Aggregation visualizations to Lens, Add an on_failure processor to the convert, geo_ip, uri_parts and date processors, remove unnecessary white spaces, mapped to related ecs field and convert double quotes to single quotes.

8.3.0 or higher

2.5.0

Enhancement View pull request
Update package to ECS 8.5.0.

8.3.0 or higher

2.4.1

Bug fix View pull request
Remap network.protocol to valid values for web data stream.

8.3.0 or higher

2.4.0

Enhancement View pull request
Update package to ECS 8.4.0

8.3.0 or higher

2.3.1

Enhancement View pull request
Updated the documentation links in README file

8.3.0 or higher

2.3.0

Bug fix View pull request
Fix issue related URI parts processor.

Enhancement View pull request
Added support for optionally configuring secret header and secret value for cloud NSS input.

8.3.0 or higher

2.2.0

Enhancement View pull request
Update package to ECS 8.3.0.

8.3.0 or higher

2.1.0

Enhancement View pull request
Make GA

8.3.0 or higher

2.0.0

Enhancement View pull request
Added input for Cloud NSS using HTTP Endpoint input type.

8.3.0 or higher

0.2.0

Enhancement View pull request
Update ECS to 8.2

0.1.3

Enhancement View pull request
Updated the image file reference in README file.

0.1.2

Enhancement View pull request
Add documentation for multi-fields.

0.1.1

Enhancement View pull request
Updated the README to describe the Zscaler ZIA setup process in detail.

0.1.0

Enhancement View pull request
Initial draft of the package.