From 1fb5746488bfcc1e7f63889ecfd4811d72bdd121 Mon Sep 17 00:00:00 2001
From: Krishna Chaitanya Reddy Burri
Date: Wed, 28 Aug 2024 08:32:46 +0530
Subject: [PATCH] zscaler_zia: Remove department field and fix parsing errors in web logs (#10874)

Remove `department` field and fix parsing errors in web logs. The `department` value is already being ingested from `dept` field. This PR removes the hex-encoded `department` field in favour of `dept` due to noticed improper hex-encoding in fields prefixed with `e` [here](https://github.com/elastic/integrations/pull/10855#issue-2481310988). Remove `urldecode` processor on parsing urls causing parsing errors. The `b64url` field is already being decoded by `script` processor. Also adds `on_failure` clause on `urldecode` processors to continue pipeline execution to prevent parsing errors on hex-encoded values to stop running rest of the pipeline.
---
 .../zscaler_zia/_dev/build/docs/README.md | 6 +-
 packages/zscaler_zia/changelog.yml | 5 +
 .../test/pipeline/test-web-http-endpoint.log | 4 +-
 .../test-web-http-endpoint.log-expected.json | 4 +-
 .../web/_dev/test/pipeline/test-web.log | 12 +-
 .../test/pipeline/test-web.log-expected.json | 852 +++++++++++++++++-
 .../elasticsearch/ingest_pipeline/default.yml | 62 +-
 packages/zscaler_zia/docs/README.md | 6 +-
 packages/zscaler_zia/manifest.yml | 2 +-
 9 files changed, 917 insertions(+), 36 deletions(-)

diff --git a/packages/zscaler_zia/_dev/build/docs/README.md b/packages/zscaler_zia/_dev/build/docs/README.md
index 63df6c548b2..8e2ce7ba447 100644
--- a/packages/zscaler_zia/_dev/build/docs/README.md
+++ b/packages/zscaler_zia/_dev/build/docs/README.md 
@@ -214,14 +214,14 @@ Sample Response:
 ![Escape feed setup image](../img/escape_feed.png?raw=true)
 See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/nss-feed-output-format-web-logs)
-Zscaler Web Log response format (v8):
+Zscaler Web Log response format (v9):
 ```
-\{"version":"v8","sourcetype":"zscalernss-web","event":\{"time":"%s{time}","cloudname":"%s{cloudname}","host":"%s{ehost}","serverip":"%s{sip}","external_devid":"%s{external_devid}","devicemodel":"%s{devicemodel}","action":"%s{action}","recordid":"%d{recordid}","reason":"%s{reason}","threatseverity":"%s{threatseverity}","tz":"%s{tz}","filesubtype":"%s{filesubtype}","upload_filesubtype":"%s{upload_filesubtype}","sha256":"%s{sha256}","bamd5":"%s{bamd5}","filename":"%s{efilename}","upload_filename":"%s{eupload_filename}","filetype":"%s{filetype}","devicename":"%s{edevicename}","devicehostname":"%s{devicehostname}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","devicetype":"%s{devicetype}","reqsize":"%d{reqsize}","reqmethod":"%s{reqmethod}","b64referer":"%s{b64referer}","respsize":"%d{respsize}","respcode":"%s{respcode}","reqversion":"%s{reqversion}","respversion":"%s{respversion}","proto":"%s{proto}","company":"%s{company}","dlpmd5":"%s{dlpmd5}","apprulelabel":"%s{eapprulelabel}","dlprulename":"%s{dlprulename}","rulelabel":"%s{erulelabel}","urlfilterrulelabel":"%s{eurlfilterrulelabel}","cltip":"%s{cip}","cltintip":"%s{cintip}","cltsourceport":"%d{clt_sport}","threatname":"%s{threatname}","cltsslcipher":"%s{clientsslcipher}","clttlsversion":"%s{clienttlsversion}","b64url":"%s{b64url}","useragent":"%s{eua}","login":"%s{elogin}","applayerprotocol":"%s{alpnprotocol}","appclass":"%s{appclass}","appname":"%s{appname}","appriskscore":"%s{app_risk_score}","bandwidthclassname":"%s{bwclassname}","bandwidthrulename":"%s{bwrulename}","bwthrottle":"%s{bwthrottle}","bypassedtime":"%s{bypassed_etime}","bypassedtraffic":"%d{bypassed_traffic}","cltsslsessreuse":"%s{clientsslsessreuse}
","cltpubip":"%s{cpubip}","cltsslfailcount":"%d{cltsslfailcount}","cltsslfailreason":"%s{cltsslfailreason}","contenttype":"%s{contenttype}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","datacenter":"%s{datacenter}","day":"%s{day}","day_of_month":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","deviceowner":"%s{deviceowner}","df_hosthead":"%s{df_hosthead}","df_hostname":"%s{df_hostname}","dlpdicthitcount":"%s{dlpdicthitcount}","dlpdict":"%s{dlpdict}","dlpeng":"%s{dlpeng}","dlpidentifier":"%d{dlpidentifier}","eedone":"%s{eedone}","epochtime":"%d{epochtime}","fileclass":"%s{fileclass}","flow_type":"%s{flow_type}","forward_gateway_ip":"%s{fwd_gw_ip}","forward_gateway_name":"%s{fwd_gw_name}","forward_type":"%s{fwd_type}","hour":"%02d{hh}","is_sslexpiredca":"%s{is_sslexpiredca}","is_sslselfsigned":"%s{is_sslselfsigned}","is_ssluntrustedca":"%s{is_ssluntrustedca}","keyprotectiontype":"%s{keyprotectiontype}","location":"%s{elocation}","department":"%s{edepartment}","malwarecategory":"%s{malwarecat}","malwareclass":"%s{malwareclass}","minute":"%02d{mm}","mobappcategory":"%s{mobappcat}","mobappname":"%s{emobappname}","mobdevtype":"%s{mobdevtype}","module":"%s{module}","month":"%s{mon}","month_of_year":"%02d{mth}","nssserviceip":"%s{nsssvcip}","oapprulelabel":"%s{oapprulelabel}","obwclassname":"%s{obwclassname}","ocip":"%d{ocip}","ocpubip":"%d{ocpubip}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odlpdict":"%s{odlpdict}","odlpeng":"%s{odlpeng}","odlprulename":"%s{odlprulename}","ofwd_gw_name":"%s{ofwd_gw_name}","ologin":"%s{ologin}","ordr_rulename":"%s{ordr_rulename}","ourlcat":"%s{ourlcat}","ourlfilterrulelabel":"%s{ourlfilterrulelabel}","ozpa_app_seg_name":"%s{ozpa_app_seg_name}","externalsslpolicyreason":"%s{externalspr}","productversion":"%s{productversion}","rdr_rulename":"%s{rdr_rulename}","refererhost":"%s{erefererhost}","reqheadersize":"%d{reqhdrsi
ze}","reqdatasize":"%d{reqdatasize}","respheadersize":"%d{resphdrsize}","respdatasize":"%d{respdatasize}","riskscore":"%d{riskscore}","ruletype":"%s{ruletype}","second":"%02d{ss}","srvcertchainvalpass":"%s{srvcertchainvalpass}","srvcertvalidationtype":"%s{srvcertvalidationtype}","srvcertvalidityperiod":"%s{srvcertvalidityperiod}","srvsslcipher":"%s{srvsslcipher}","serversslsessreuse":"%s{serversslsessreuse}","srvocspresult":"%s{srvocspresult}","srvtlsversion":"%s{srvtlsversion}","srvwildcardcert":"%s{srvwildcardcert}","ssldecrypted":"%s{ssldecrypted}","throttlereqsize":"%d{throttlereqsize}","throttlerespsize":"%d{throttlerespsize}","totalsize":"%d{totalsize}","trafficredirectmethod":"%s{trafficredirectmethod}","unscannabletype":"%s{unscannabletype}","upload_doctypename":"%s{upload_doctypename}","upload_fileclass":"%s{upload_fileclass}","upload_filetype":"%s{upload_filetype}","urlcatmethod":"%s{urlcatmethod}","urlsubcat":"%s{urlcat}","urlsupercat":"%s{urlsupercat}","urlclass":"%s{urlclass}","useragentclass":"%s{uaclass}","useragenttoken":"%s{ua_token}","userlocationname":"%s{euserlocationname}","year":"%04d{yyyy}","ztunnelversion":"%s{ztunnelversion}","zpa_app_seg_name":"%s{zpa_app_seg_name}"\}\} 
+\{"version":"v9","sourcetype":"zscalernss-web","event":\{"time":"%s{time}","cloudname":"%s{cloudname}","host":"%s{ehost}","serverip":"%s{sip}","external_devid":"%s{external_devid}","devicemodel":"%s{devicemodel}","action":"%s{action}","recordid":"%d{recordid}","reason":"%s{reason}","threatseverity":"%s{threatseverity}","tz":"%s{tz}","filesubtype":"%s{filesubtype}","upload_filesubtype":"%s{upload_filesubtype}","sha256":"%s{sha256}","bamd5":"%s{bamd5}","filename":"%s{efilename}","upload_filename":"%s{eupload_filename}","filetype":"%s{filetype}","devicename":"%s{edevicename}","devicehostname":"%s{devicehostname}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","devicetype":"%s{devicetype}","reqsize":"%d{reqsize}","reqmethod":"%s{reqmethod}","b64referer":"%s{b64referer}","respsize":"%d{respsize}","respcode":"%s{respcode}","reqversion":"%s{reqversion}","respversion":"%s{respversion}","proto":"%s{proto}","company":"%s{company}","dlpmd5":"%s{dlpmd5}","apprulelabel":"%s{eapprulelabel}","dlprulename":"%s{dlprulename}","rulelabel":"%s{erulelabel}","urlfilterrulelabel":"%s{eurlfilterrulelabel}","cltip":"%s{cip}","cltintip":"%s{cintip}","cltsourceport":"%d{clt_sport}","threatname":"%s{threatname}","cltsslcipher":"%s{clientsslcipher}","clttlsversion":"%s{clienttlsversion}","b64url":"%s{b64url}","useragent":"%s{eua}","login":"%s{elogin}","applayerprotocol":"%s{alpnprotocol}","appclass":"%s{appclass}","appname":"%s{appname}","appriskscore":"%s{app_risk_score}","bandwidthclassname":"%s{bwclassname}","bandwidthrulename":"%s{bwrulename}","bwthrottle":"%s{bwthrottle}","bypassedtime":"%s{bypassed_etime}","bypassedtraffic":"%d{bypassed_traffic}","cltsslsessreuse":"%s{clientsslsessreuse}","cltpubip":"%s{cpubip}","cltsslfailcount":"%d{cltsslfailcount}","cltsslfailreason":"%s{cltsslfailreason}","contenttype":"%s{contenttype}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","datacenter":"%s{datacenter}","day":"%s{day}","day_of_mon
th":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","deviceowner":"%s{deviceowner}","df_hosthead":"%s{df_hosthead}","df_hostname":"%s{df_hostname}","dlpdicthitcount":"%s{dlpdicthitcount}","dlpdict":"%s{dlpdict}","dlpeng":"%s{dlpeng}","dlpidentifier":"%d{dlpidentifier}","eedone":"%s{eedone}","epochtime":"%d{epochtime}","fileclass":"%s{fileclass}","flow_type":"%s{flow_type}","forward_gateway_ip":"%s{fwd_gw_ip}","forward_gateway_name":"%s{fwd_gw_name}","forward_type":"%s{fwd_type}","hour":"%02d{hh}","is_sslexpiredca":"%s{is_sslexpiredca}","is_sslselfsigned":"%s{is_sslselfsigned}","is_ssluntrustedca":"%s{is_ssluntrustedca}","keyprotectiontype":"%s{keyprotectiontype}","location":"%s{elocation}","malwarecategory":"%s{malwarecat}","malwareclass":"%s{malwareclass}","minute":"%02d{mm}","mobappcategory":"%s{mobappcat}","mobappname":"%s{emobappname}","mobdevtype":"%s{mobdevtype}","module":"%s{module}","month":"%s{mon}","month_of_year":"%02d{mth}","nssserviceip":"%s{nsssvcip}","oapprulelabel":"%s{oapprulelabel}","obwclassname":"%s{obwclassname}","ocip":"%d{ocip}","ocpubip":"%d{ocpubip}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odlpdict":"%s{odlpdict}","odlpeng":"%s{odlpeng}","odlprulename":"%s{odlprulename}","ofwd_gw_name":"%s{ofwd_gw_name}","ologin":"%s{ologin}","ordr_rulename":"%s{ordr_rulename}","ourlcat":"%s{ourlcat}","ourlfilterrulelabel":"%s{ourlfilterrulelabel}","ozpa_app_seg_name":"%s{ozpa_app_seg_name}","externalsslpolicyreason":"%s{externalspr}","productversion":"%s{productversion}","rdr_rulename":"%s{rdr_rulename}","refererhost":"%s{erefererhost}","reqheadersize":"%d{reqhdrsize}","reqdatasize":"%d{reqdatasize}","respheadersize":"%d{resphdrsize}","respdatasize":"%d{respdatasize}","riskscore":"%d{riskscore}","ruletype":"%s{ruletype}","second":"%02d{ss}","srvcertchainvalpass":"%s{srvcertchainvalpass}","srvcertvalidationtype":"%s{srvcertvalidationtype}","srvcertvalidityperiod":"%s{sr
vcertvalidityperiod}","srvsslcipher":"%s{srvsslcipher}","serversslsessreuse":"%s{serversslsessreuse}","srvocspresult":"%s{srvocspresult}","srvtlsversion":"%s{srvtlsversion}","srvwildcardcert":"%s{srvwildcardcert}","ssldecrypted":"%s{ssldecrypted}","throttlereqsize":"%d{throttlereqsize}","throttlerespsize":"%d{throttlerespsize}","totalsize":"%d{totalsize}","trafficredirectmethod":"%s{trafficredirectmethod}","unscannabletype":"%s{unscannabletype}","upload_doctypename":"%s{upload_doctypename}","upload_fileclass":"%s{upload_fileclass}","upload_filetype":"%s{upload_filetype}","urlcatmethod":"%s{urlcatmethod}","urlsubcat":"%s{urlcat}","urlsupercat":"%s{urlsupercat}","urlclass":"%s{urlclass}","useragentclass":"%s{uaclass}","useragenttoken":"%s{ua_token}","userlocationname":"%s{euserlocationname}","year":"%04d{yyyy}","ztunnelversion":"%s{ztunnelversion}","zpa_app_seg_name":"%s{zpa_app_seg_name}"\}\}
 ```
 Sample Response:
 ```json
-{"version":"v8","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client 
Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQ6IjQwLWVuLWRpYSIgbGFuZzoiZW4iJmZvcm09UzAwJnE9aG93IHRvIHVzZSByZW1vdGUgZGVza3RvcCB0byBjb25uZWN0IHRvIGEgd2luZG93cyAxMCBwYw==","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL3BhcmFtcz9JZD0xJnRzPTIwMDYtMDEtMDJUMTU6MDQ6MDVaMDc6MDAmdXNlcj02NTc5MiZ2ZXJzaW9uPTEwLjAuMTkwNDEuMTI2Ng==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM 
Protection","location":"Headquarters","department":"Department%5CrN%40me","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}}
+{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 
2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQ6IjQwLWVuLWRpYSIgbGFuZzoiZW4iJmZvcm09UzAwJnE9aG93IHRvIHVzZSByZW1vdGUgZGVza3RvcCB0byBjb25uZWN0IHRvIGEgd2luZG93cyAxMCBwYw==","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL3BhcmFtcz9JZD0xJnRzPTIwMDYtMDEtMDJUMTU6MDQ6MDVaMDc6MDAmdXNlcj02NTc5MiZ2ZXJzaW9uPTEwLjAuMTkwNDEuMTI2Ng==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record 
Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended 
Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}}
 ```
 ### Enabling the integration in Elastic:
diff --git a/packages/zscaler_zia/changelog.yml b/packages/zscaler_zia/changelog.yml
index 62fd136766c..b8783670bf3 100644
--- a/packages/zscaler_zia/changelog.yml
+++ b/packages/zscaler_zia/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.2.3"
+ changes:
+ - description: Remove department field and add on_failure clauses.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/10874
 - version: "3.2.2"
 changes:
 - description: Sanitize unwanted characters in firewall.
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log
index 98f0cb09878..c40d5717740 100644
--- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log
+++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log 
@@ -1,2 +1,2 @@
-{"version":"v8","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"81.2.69.142","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":"123456789","reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"rar","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":"1300","reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":"10500","respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_1","cltip":"81.2.69.142","cltintip":"81.2.69.142","cltsourceport":"1235","threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"None","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"0","cltsslsessreuse":"Unknown","cltpubip":"81.2.69.142","cltsslfailcount":"100","cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node 
DC","day":"Mon","day_of_month":"16","dept":"Sales","deviceappversion":"81.2.69.142","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":"6646484838839026000","eedone":"Yes","epochtime":"1578128400","fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":"22","is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":"55","mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":"10","nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":"6200694987","ocpubip":"624054738","odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":"300","reqdatasize":"1000","respheadersize":"500","respdatasize":"10000","riskscore":"10","ruletype":"File Type Control","second":"48","srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":"5","throttlerespsize":"7","totalsize":"11800","trafficredirectmethod":"DNAT (Destination 
Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":"2023","ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}}
-{"version":"v8","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"81.2.69.142","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Blocked","recordid":"123456789","reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"rar","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":"1300","reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":"10500","respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_1","cltip":"81.2.69.142","cltintip":"81.2.69.142","cltsourceport":"1235","threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe 
Connect","appriskscore":"None","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"81.2.69.142","cltsslfailcount":"100","cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","dept":"Sales","deviceappversion":"81.2.69.142","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":"6646484838839026000","eedone":"Yes","epochtime":"1578128400","fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":"22","is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":"55","mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":"10","nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":"6200694987","ocpubip":"624054738","odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":"300","reqdatasize":"1000","respheadersize":"500","respdatasize":"10000","riskscore":"10","ruletype":"File Type 
Control","second":"48","srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":"5","throttlerespsize":"7","totalsize":"11800","trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":"2023","ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}}
+{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"81.2.69.142","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":"123456789","reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"rar","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client 
Connector","reqsize":"1300","reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":"10500","respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_1","cltip":"81.2.69.142","cltintip":"81.2.69.142","cltsourceport":"1235","threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"None","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"0","cltsslsessreuse":"Unknown","cltpubip":"81.2.69.142","cltsslfailcount":"100","cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","dept":"Sales","deviceappversion":"81.2.69.142","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":"6646484838839026000","eedone":"Yes","epochtime":"1578128400","fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":"22","is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":"55","mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google 
Android","module":"Administration","month":"Oct","month_of_year":"10","nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":"6200694987","ocpubip":"624054738","odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":"300","reqdatasize":"1000","respheadersize":"500","respdatasize":"10000","riskscore":"10","ruletype":"File Type Control","second":"48","srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":"5","throttlerespsize":"7","totalsize":"11800","trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":"2023","ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"81.2.69.142","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Blocked","recordid":"123456789","reason":"File Attachment 
Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"rar","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":"1300","reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":"10500","respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_1","cltip":"81.2.69.142","cltintip":"81.2.69.142","cltsourceport":"1235","threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"None","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"81.2.69.142","cltsslfailcount":"100","cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":"16","dept":"Sales","deviceappversion":"81.2.69.142","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":"6646484838839026000","eedone":"Yes","epochtime":"1578128400","fileclass":"Active Web 
Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":"22","is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":"55","mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":"10","nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":"6200694987","ocpubip":"624054738","odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":"300","reqdatasize":"1000","respheadersize":"500","respdatasize":"10000","riskscore":"10","ruletype":"File Type Control","second":"48","srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":"5","throttlerespsize":"7","totalsize":"11800","trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome 
(0.x)","userlocationname":"userlocationname","year":"2023","ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}}
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json
index 3b9b1db3871..a4fb864cebe 100644
--- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json
+++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json
@@ -37,7 +37,7 @@ ], "id": "123456789", "kind": "event", - "original": "{\"version\":\"v8\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"81.2.69.142\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Allowed\",\"recordid\":\"123456789\",\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"rar\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":\"1300\",\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":\"10500\",\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_1\",\"cltip\":\"81.2.69.142\",\"cltintip\":\"81.2.69.142\",\"cltsourceport\":\"1235\",\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"None\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"0\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"81.2.69.142\",\"cltsslfailcount\":\"100\",\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"dept\":\"Sales\",\"deviceappversion\":\"81.2.69.142\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":\"6646484838839026000\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":\"22\",\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":\"55\",\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":\"6200694987\",\"ocpubip\":\"624054738\",\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":\"300\",\"reqdatasize\":\"1000\",\"respheadersize\":\"500\",\"respdatasize\":\"10000\",\"riskscore\":\"10\",\"ruletype\":\"File Type Control\",\"second\":\"48\",\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":\"5\",\"throttlerespsize\":\"7\",\"totalsize\":\"11800\",\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":\"2023\",\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "original": "{\"version\":\"v9\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"81.2.69.142\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Allowed\",\"recordid\":\"123456789\",\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"rar\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR 
Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":\"1300\",\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":\"10500\",\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_1\",\"cltip\":\"81.2.69.142\",\"cltintip\":\"81.2.69.142\",\"cltsourceport\":\"1235\",\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"None\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"0\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"81.2.69.142\",\"cltsslfailcount\":\"100\",\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"dept\":\"Sales\",\"deviceappversion\":\"81.2.69.142\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":\"6646484838839026000\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"fileclass\":\"Active Web 
Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":\"22\",\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":\"55\",\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":\"6200694987\",\"ocpubip\":\"624054738\",\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":\"300\",\"reqdatasize\":\"1000\",\"respheadersize\":\"500\",\"respdatasize\":\"10000\",\"riskscore\":\"10\",\"ruletype\":\"File Type Control\",\"second\":\"48\",\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":\"5\",\"throttlerespsize\":\"7\",\"totalsize\":\"11800\",\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate 
Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":\"2023\",\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}",
 "reason": "File Attachment Cautioned",
 "timezone": "GMT",
 "type": [
@@ -461,7 +461,7 @@ ], "id": "123456789", "kind": "event", - "original": "{\"version\":\"v8\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"81.2.69.142\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Blocked\",\"recordid\":\"123456789\",\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"rar\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":\"1300\",\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":\"10500\",\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_1\",\"cltip\":\"81.2.69.142\",\"cltintip\":\"81.2.69.142\",\"cltsourceport\":\"1235\",\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"None\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"81.2.69.142\",\"cltsslfailcount\":\"100\",\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"dept\":\"Sales\",\"deviceappversion\":\"81.2.69.142\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":\"6646484838839026000\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":\"22\",\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":\"55\",\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":\"6200694987\",\"ocpubip\":\"624054738\",\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":\"300\",\"reqdatasize\":\"1000\",\"respheadersize\":\"500\",\"respdatasize\":\"10000\",\"riskscore\":\"10\",\"ruletype\":\"File Type Control\",\"second\":\"48\",\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":\"5\",\"throttlerespsize\":\"7\",\"totalsize\":\"11800\",\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":\"2023\",\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "original": "{\"version\":\"v9\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"81.2.69.142\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Blocked\",\"recordid\":\"123456789\",\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"rar\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR 
Files\",\"devicename\":\"PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":\"1300\",\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":\"10500\",\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_1\",\"cltip\":\"81.2.69.142\",\"cltintip\":\"81.2.69.142\",\"cltsourceport\":\"1235\",\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL2luZGV4\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"None\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"81.2.69.142\",\"cltsslfailcount\":\"100\",\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":\"16\",\"dept\":\"Sales\",\"deviceappversion\":\"81.2.69.142\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":\"6646484838839026000\",\"eedone\":\"Yes\",\"epochtime\":\"1578128400\",\"fileclass\":\"Active Web 
Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":\"22\",\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":\"55\",\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":\"10\",\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":\"6200694987\",\"ocpubip\":\"624054738\",\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":\"300\",\"reqdatasize\":\"1000\",\"respheadersize\":\"500\",\"respdatasize\":\"10000\",\"riskscore\":\"10\",\"ruletype\":\"File Type Control\",\"second\":\"48\",\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":\"5\",\"throttlerespsize\":\"7\",\"totalsize\":\"11800\",\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate 
Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":\"2023\",\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}",
 "reason": "File Attachment Cautioned",
 "timezone": "GMT",
 "type": [
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log
index b3f89a9c703..877e9728c6c 100644
--- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log
+++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log
@@ -1,5 +1,7 @@ -{"version":"v8","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tOjQ0My9pbmRleD9xdGltZT0yMDIzLTA0LTEyVDIzOjIwOjUwLjUyWg==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node 
DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted 
File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} -{"version":"v8","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 17 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.1","external_devid":"2345","devicemodel":"20L8S7WC09","action":"Allowed","recordid":123456780,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LmV4YW1wbGUuY29tOjQ0Mw==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 
365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended 
Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} -{"version":"v8","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 18 23:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.2","external_devid":"2346","devicemodel":"20L8S7WC10","action":"Allowed","recordid":123456781,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client 
Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"SSL","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LmV4YW1wbGUuY29tLmNvbS9wYXJhbXM/SWQ9MSZ0cz0yMDA2LTAxLTAyVDE1OjA0OjA1WjA3OjAwJnVzZXI9NjU3OTImdmVyc2lvbj0xMC4wLjE5MDQxLjEyNjY=","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google 
Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} -{"version":"v8","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 18 23:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.2","external_devid":"2346","devicemodel":"20L8S7WC10","action":"Allowed","recordid":123456781,"reason":"File Attachment Cautioned","threatseverity":"Critical 
(90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"SSL","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"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","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web 
Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome 
(0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} -{"version":"v8","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 20 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.4","external_devid":"2347","devicemodel":"20L8S7WC12","action":"Allowed","recordid":123456782,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"device%5CrN%40me","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LmV4YW1wbGUuY29tOjQ0Mw==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 
2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","department":"Department%5CrN%40me","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended 
Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client 
Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tOjQ0My9pbmRleD9xdGltZT0yMDIzLTA0LTEyVDIzOjIwOjUwLjUyWg==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google 
Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 17 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.1","external_devid":"2345","devicemodel":"20L8S7WC09","action":"Allowed","recordid":123456780,"reason":"File Attachment Cautioned","threatseverity":"Critical 
(90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LmV4YW1wbGUuY29tOjQ0Mw==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web 
Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome 
(0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 18 23:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.2","external_devid":"2346","devicemodel":"20L8S7WC10","action":"Allowed","recordid":123456781,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"SSL","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LmV4YW1wbGUuY29tLmNvbS9wYXJhbXM/SWQ9MSZ0cz0yMDA2LTAxLTAyVDE1OjA0OjA1WjA3OjAwJnVzZXI9NjU3OTImdmVyc2lvbj0xMC4wLjE5MDQxLjEyNjY=","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record 
Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended 
Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 18 23:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.2","external_devid":"2346","devicemodel":"20L8S7WC10","action":"Allowed","recordid":123456781,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client 
Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29t","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"SSL","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"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","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google 
Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 20 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.4","external_devid":"2347","devicemodel":"20L8S7WC12","action":"Allowed","recordid":123456782,"reason":"File Attachment Cautioned","threatseverity":"Critical 
(90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"device%5CrN%40me","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LmV4YW1wbGUuY29tOjQ0Mw==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit 
Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth 
Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 20 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.4","external_devid":"2347","devicemodel":"20L8S7WC12","action":"Allowed","recordid":123456782,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"device%5CrN%40me","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test 
File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"dC5jb3Vwb25zLmNvbS9iLnBocD90cmFuc2FjdGlvbklkPUkvdHNJZD09JmV2ZW50VHlwZT1FbGVtZW50SW5WaWV3JmVsZW1lbnROYW1lPVROX1NXQiZvYmplY3RzPXsibGlua1VybCI6Imh0dHBzOi8vd3d3LmNvdXBvbnMuY29tL2RhaWx5LXNhbGVzLzcyLWhvdXItY2xlYXJvdXQiLCJsaW5rVGV4dCI6IlVwJTIwdG8lMjA3MCUlMjBPRkYlMjB8JTIwNzItSG91ciUyMENsZWFyb3V0IiwidGV4dENvbG9yIjoiI0ZGRkZGRiIsInByb21vRW5kRGF0ZSI6bnVsbCwiY3VzdG9tRmllbGQxIjoiVXAlMjB0byUyMDcwJSUyME9GRiUyMHwlMjA3Mi1Ib3VyJTIwQ2xlYXJvdXQifSZsaW5rVXJsPWh0dHBzOi8vd3d3LmNvdXBvbnMuY29tL2RhaWx5LXNhbGVzLzcyLWhvdXItY2xlYXJvdXQmbGlua1RleHQ9VXAlMjB0byUyMDcwJSUyME9GRiUyMHwlMjA3Mi1Ib3VyJTIwQ2xlYXJvdXQmdGV4dENvbG9yPSNGRkZGRkYmcHJvbW9FbmREYXRlPSZjdXN0b21GaWVsZDE9VXAlMjB0byUyMDcwJSUyME9GRiUyMHwlMjA3Mi1Ib3VyJTIwQ2xlYXJvdXQmcGFnZUlkPSZ0aW1lc3RhbXA9MTcyNDY4Mjc3NzE5OA==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM 
Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 20 22:55:48 
2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.4","external_devid":"2347","devicemodel":"20L8S7WC12","action":"Allowed","recordid":123456782,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"device%5CrN%40me","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTPS","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"ZXhhbXBsZS5jb20vP3BhcnRuZXI9MjcxJnNtYXJ0bWFwPTEmcmVkaXJlY3Q9aHR0cHM6Ly9leGFtcGxlLmNvbS9zZXR1aWQ/ZW50aXR5PTE0NSZjb2RlPSVfcmlk","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record 
Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.1","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended 
Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} \ No newline at end of file diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json index 807aa718edd..8aa98a42859 100644 --- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json +++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json 
@@ -25,7 +25,7 @@ ], "id": "123456789", "kind": "event", - "original": "{\"version\":\"v8\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.0\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Allowed\",\"recordid\":123456789,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tOjQ0My9pbmRleD9xdGltZT0yMDIzLTA0LTEyVDIzOjIwOjUwLjUyWg==\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.0\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "original": "{\"version\":\"v9\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 16 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.0\",\"external_devid\":\"1234\",\"devicemodel\":\"20L8S7WC08\",\"action\":\"Allowed\",\"recordid\":123456789,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 
18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTP\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tOjQ0My9pbmRleD9xdGltZT0yMDIzLTA0LTEyVDIzOjIwOjUwLjUyWg==\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.0\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM 
Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome 
(0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", "reason": "File Attachment Cautioned", "timezone": "GMT", "type": [ 
@@ -445,7 +445,7 @@ ], "id": "123456780", "kind": "event", - "original": "{\"version\":\"v8\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 17 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.1\",\"external_devid\":\"2345\",\"devicemodel\":\"20L8S7WC09\",\"action\":\"Allowed\",\"recordid\":123456780,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LmV4YW1wbGUuY29tOjQ0Mw==\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "original": "{\"version\":\"v9\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 17 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.1\",\"external_devid\":\"2345\",\"devicemodel\":\"20L8S7WC09\",\"action\":\"Allowed\",\"recordid\":123456780,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 
18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LmV4YW1wbGUuY29tOjQ0Mw==\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM 
Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome 
(0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", "reason": "File Attachment Cautioned", "timezone": "GMT", "type": [ 
@@ -863,7 +863,7 @@ ], "id": "123456781", "kind": "event", - "original": "{\"version\":\"v8\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 18 23:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.2\",\"external_devid\":\"2346\",\"devicemodel\":\"20L8S7WC10\",\"action\":\"Allowed\",\"recordid\":123456781,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"SSL\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LmV4YW1wbGUuY29tLmNvbS9wYXJhbXM/SWQ9MSZ0cz0yMDA2LTAxLTAyVDE1OjA0OjA1WjA3OjAwJnVzZXI9NjU3OTImdmVyc2lvbj0xMC4wLjE5MDQxLjEyNjY=\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 
365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "original": "{\"version\":\"v9\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 18 23:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.2\",\"external_devid\":\"2346\",\"devicemodel\":\"20L8S7WC10\",\"action\":\"Allowed\",\"recordid\":123456781,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 
18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"SSL\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LmV4YW1wbGUuY29tLmNvbS9wYXJhbXM/SWQ9MSZ0cz0yMDA2LTAxLTAyVDE1OjA0OjA1WjA3OjAwJnVzZXI9NjU3OTImdmVyc2lvbj0xMC4wLjE5MDQxLjEyNjY=\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web 
Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR 
Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", "reason": "File Attachment Cautioned", "timezone": "GMT", "type": [ 
@@ -1282,7 +1282,7 @@ ], "id": "123456781", "kind": "event", - "original": "{\"version\":\"v8\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 18 23:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.2\",\"external_devid\":\"2346\",\"devicemodel\":\"20L8S7WC10\",\"action\":\"Allowed\",\"recordid\":123456781,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"SSL\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"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\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 
2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "original": "{\"version\":\"v9\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 18 23:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.2\",\"external_devid\":\"2346\",\"devicemodel\":\"20L8S7WC10\",\"action\":\"Allowed\",\"recordid\":123456781,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 
18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29t\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"SSL\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"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\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM 
Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome 
(0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", "reason": "File Attachment Cautioned", "timezone": "GMT", "type": [ 
@@ -1701,7 +1701,7 @@ ], "id": "123456782", "kind": "event", - "original": "{\"version\":\"v8\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 20 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.4\",\"external_devid\":\"2347\",\"devicemodel\":\"20L8S7WC12\",\"action\":\"Allowed\",\"recordid\":123456782,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"device%5CrN%40me\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LmV4YW1wbGUuY29tOjQ0Mw==\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 
365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"department\":\"Department%5CrN%40me\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for 
http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "original": "{\"version\":\"v9\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 20 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.4\",\"external_devid\":\"2347\",\"devicemodel\":\"20L8S7WC12\",\"action\":\"Allowed\",\"recordid\":123456782,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"device%5CrN%40me\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client 
Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"d3d3LmV4YW1wbGUuY29tOjQ0Mw==\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web 
Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR 
Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", "reason": "File Attachment Cautioned", "timezone": "GMT", "type": [ @@ -1876,7 +1876,7 @@ }, "day": "Mon", "day_of_month": 16, - "department": "Department\\rN@me", + "department": "Sales", "device": { "appversion": "1.128.0.1", "hostname": "THINKPADSMITH", 
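Review bot: With the `department` key dropped from the sample `original` in this hunk and the expected `department` value switched to the plain `dept` value in the `@@ -1876` hunk, the fixtures no longer contain an event that still carries a hex-encoded `department` alongside `dept`, which is what feeds left on the older v8 template will keep sending. If the pipeline still has a processor that touches `department` (default.yml is not in this chunk, so this is inferred), that path is now untested; keeping one v8-shaped line in test-web.log with both keys would pin that such an event is still indexed and that `zscaler_zia.web.department` is taken from `dept`. The `-expected.json` hunks are generated output, so the extra sample belongs in the `.log` input rather than being hand-edited here.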
@@ -2093,6 +2093,846 @@ "zpa_app_segment": "ZPA_test_app_segment" } } + }, + { + "@timestamp": "2023-10-20T22:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "domain": "mail.google.com", + "ip": "1.128.0.4" + }, + "device": { + "id": "2347", + "model": { + "identifier": "20L8S7WC12" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "allowed", + "category": [ + "web" + ], + "id": "123456782", + "kind": "event", + "original": "{\"version\":\"v9\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 20 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.4\",\"external_devid\":\"2347\",\"devicemodel\":\"20L8S7WC12\",\"action\":\"Allowed\",\"recordid\":123456782,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR Files\",\"devicename\":\"device%5CrN%40me\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client 
Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"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\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web 
Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR 
Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "reason": "File Attachment Cautioned", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "file": { + "extension": [ + "exe", + "rar" + ], + "hash": { + "md5": "196a3d797bfee07fe4596b69f4ce1141", + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + }, + "name": [ + "nssfeed.txt", + "nssfeed.exe" + ], + "type": "file" + }, + "host": { + "hostname": "device\\rN@me", + "name": "thinkpadsmith", + "os": { + "type": "ios", + "version": "Version 10.14.2 (Build 18C54)" + }, + "type": "Zscaler Client Connector" + }, + "http": { + "request": { + "bytes": 1300, + "method": "invalid", + "referrer": "www.example.com/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc" + }, + "response": { + "bytes": 10500 + }, + "version": [ + "1.1", + "1" + ] + }, + "network": { + "protocol": "https" + }, + "organization": { + "name": "Zscaler" + }, + "related": { + "hash": [ + "154f149b1443fbfa8c121d13e5c019a1", + "196a3d797bfee07fe4596b69f4ce1141", + "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + ], + "hosts": [ + "thinkpadsmith", + "device\\rN@me" + ], + "ip": [ + "89.160.20.128", + "175.16.199.0", + "10.1.1.1", + "192.168.2.200", + "81.2.69.144", + "1.128.0.4" + ], + "user": [ + "jsmith", + "jdoe", + "jdoe@safemarch.com" + ] + }, + "rule": { + "name": [ + "File_Sharing_1", + "DLP_Rule_1", + "URL_Filtering_1", + "URL_Filtering_2" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 
+ }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "nat": { + "ip": "89.160.20.128" + }, + "port": 12345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "196a3d797bfee07fe4596b69f4ce1141" + } + }, + "tls": { + "cipher": "SSL3_CK_RSA_NULL_MD5" + }, + "url": { + "domain": "t.coupons.com", + "extension": "php", + "fragment": "FFFFFF\",\"promoEndDate\":null,\"customField1\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\"}&linkUrl=https://www.coupons.com/daily-sales/72-hour-clearout&linkText=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&textColor=#FFFFFF&promoEndDate=&customField1=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&pageId=×tamp=1724682777198", + "full": "https://t.coupons.com/b.php?transactionId=I/tsId==&eventType=ElementInView&elementName=TN_SWB&objects={\"linkUrl\":\"https://www.coupons.com/daily-sales/72-hour-clearout\",\"linkText\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\",\"textColor\":\"#FFFFFF\",\"promoEndDate\":null,\"customField1\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\"}&linkUrl=https://www.coupons.com/daily-sales/72-hour-clearout&linkText=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&textColor=#FFFFFF&promoEndDate=&customField1=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&pageId=×tamp=1724682777198", + "original": "https://t.coupons.com/b.php?transactionId=I/tsId==&eventType=ElementInView&elementName=TN_SWB&objects={\"linkUrl\":\"https://www.coupons.com/daily-sales/72-hour-clearout\",\"linkText\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\",\"textColor\":\"#FFFFFF\",\"promoEndDate\":null,\"customField1\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\"}&linkUrl=https://www.coupons.com/daily-sales/72-hour-clearout&linkText=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&textColor=#FFFFFF&promoEndDate=&customField1=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&pageId=×tamp=1724682777198", + "path": "/b.php", + 
"query": "transactionId=I/tsId==&eventType=ElementInView&elementName=TN_SWB&objects={\"linkUrl\":\"https://www.coupons.com/daily-sales/72-hour-clearout\",\"linkText\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\",\"textColor\":\"", + "scheme": "https" + }, + "user": { + "domain": "safemarch.com", + "email": "jdoe@safemarch.com", + "name": "jdoe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0" + }, + "zscaler_zia": { + "web": { + "action": "Allowed", + "alpn_protocol": "FTP", + "app": { + "class": "Administration", + "name": "Adobe Connect", + "risk_score": "1", + "rule_label": "File_Sharing_1" + }, + "bandwidth_class_name": "Entertainment", + "bandwidth_rule_name": "Office 365", + "bandwidth_throttle": "Yes", + "bypassed": { + "time": "2023-10-16T22:55:48.000Z", + "traffic": "1" + }, + "client": { + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "internet": { + "ip": "89.160.20.128" + }, + "ip": "81.2.69.144", + "public_ip": "175.16.199.0", + "source_port": 12345, + "ssl": { + "fail_count": 100, + "fail_reason": "Bad Record Mac" + }, + "tls_version": "SSL2" + }, + "cloud_name": "zscaler.net", + "company": "Zscaler", + "content_type": "application/vnd_apple_keynote", + "datacenter": { + "city": "Sa", + "country": "US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "Sales", + "device": { + "appversion": "1.128.0.1", + "hostname": "THINKPADSMITH", + "model": "20L8S7WC12", + "name": "device\\rN@me", + "os": { + "type": "iOS", + "version": "Version 10.14.2 (Build 18C54)" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "df": { + "host": { + "head": "df_hosthead", + "name": "df_hostname" + } + }, + "dlp": { + "dictionaries": { + "hit_count": "4", + "name": "Credit Cards" + }, + "engine": "HIPAA", + "identifier": "6646484838839026000", + "md5": "154f149b1443fbfa8c121d13e5c019a1", + "rule": { + "name": "DLP_Rule_1" + } + }, + 
"eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "external": { + "device": { + "id": "2347" + } + }, + "file": { + "class": "Active Web Contents", + "name": "nssfeed.txt", + "subtype": "exe", + "type": "RAR Files" + }, + "flow_type": "Direct", + "forward_gateway": { + "ip": "10.1.1.1", + "name": "FWD_1" + }, + "forward_type": "Direct", + "host": "mail.google.com", + "hour": 22, + "is_ssl_certificate_expired": "Yes", + "is_ssl_certificate_selfsigned": "Yes", + "is_ssl_certificate_untrusted": "Pass", + "key_protection_type": "HSM Protection", + "location": "Headquarters", + "login": "jdoe@safemarch.com", + "malware": { + "category": "Adware", + "class": "Sandbox" + }, + "md5_hash": "196a3d797bfee07fe4596b69f4ce1141", + "minute": 55, + "mobile": { + "application": { + "category": "Communication", + "name": "Amazon" + }, + "dev": { + "type": "Google Android" + } + }, + "module": "Administration", + "month": "Oct", + "month_of_year": 10, + "nss": { + "service": { + "ip": "192.168.2.200" + } + }, + "obfuscated": { + "app_rule_label": "5300295980", + "bendwidth": { + "class_name": "10831489" + }, + "client": { + "ip": "6200694987", + "public": { + "ip": "624054738" + } + }, + "device": { + "host_name": "2168890624", + "name": "2175092224", + "owner": "10831489" + }, + "dlp": { + "dictionaries": "10831489", + "engine": "4094304256", + "rule": { + "name": "6857275752" + } + }, + "forward_gateway_name": "8794487099", + "login": "4094304256", + "rule": { + "name": "3399565100" + }, + "url": { + "category": "7956407282", + "filter_rule_label": "4951704103" + }, + "zpa_app_segment": "7648246731" + }, + "policy": { + "reason": "Blocked" + }, + "product_version": "5.0.902.95524_04", + "prototype": "HTTPS", + "reason": "File Attachment Cautioned", + "record": { + "id": "123456782" + }, + "redirect_policy_name": "FWD_Rule_1", + "referer": { + "host": "www.example.com for http://www.example.com/index.html", + "name": 
"www.example.com/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc" + }, + "request": { + "header_size": 300, + "method": "invalid", + "payload": 1000, + "size": 1300, + "version": "1.1" + }, + "response": { + "code": "100", + "header_size": 500, + "payload": 10000, + "size": 10500, + "version": "1" + }, + "risk": { + "score": 10.0 + }, + "rule": { + "name": "URL_Filtering_1", + "type": "File Type Control" + }, + "second": 48, + "server": { + "certificate": { + "validation": { + "period": "Short" + } + }, + "certificate_validation_chain": "Unknown", + "certificate_validation_type": "EV (Extended Validation)", + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "ip": "1.128.0.4", + "ocsp_result": "Good", + "tls_version": "SSL2", + "wildcard_certificate": "Unknown" + }, + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c", + "ssl_decrypted": "Yes", + "threat": { + "name": "EICAR Test File", + "severity": "Critical (90–100)" + }, + "throttle": { + "request_size": 5, + "response_size": 7 + }, + "time": "2023-10-20T22:55:48.000Z", + "timezone": "GMT", + "total": { + "size": 11800 + }, + "traffic_redirect_method": "DNAT (Destination Translation)", + "unscannable": { + "type": "Encrypted File" + }, + "upload": { + "doc": { + "type_name": "Corporate Finance" + }, + "file": { + "class": "upload_fileclass", + "name": "nssfeed.exe", + "subtype": "rar", + "type": "RAR Files" + } + }, + "url": { + "category": { + "sub": "Entertainment", + "super": "Travel" + }, + "category_method": "Database A", + "class": "Bandwidth Loss", + "filter_rule_label": "URL_Filtering_2", + "name": 
"t.coupons.com/b.php?transactionId=I/tsId==&eventType=ElementInView&elementName=TN_SWB&objects={\"linkUrl\":\"https://www.coupons.com/daily-sales/72-hour-clearout\",\"linkText\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\",\"textColor\":\"#FFFFFF\",\"promoEndDate\":null,\"customField1\":\"Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout\"}&linkUrl=https://www.coupons.com/daily-sales/72-hour-clearout&linkText=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&textColor=#FFFFFF&promoEndDate=&customField1=Up%20to%2070%%20OFF%20|%2072-Hour%20Clearout&pageId=×tamp=1724682777198" + }, + "user_agent": { + "class": "Firefox", + "name": "Mozilla/5.0", + "token": "Google Chrome (0.x)" + }, + "user_location_name": "userlocationname", + "year": 2023, + "z_tunnel_version": "ZTUNNEL_1_0", + "zpa_app_segment": "ZPA_test_app_segment" + } + } + }, + { + "@timestamp": "2023-10-20T22:55:48.000Z", + "cloud": { + "provider": "zscaler.net" + }, + "destination": { + "domain": "mail.google.com", + "ip": "1.128.0.4" + }, + "device": { + "id": "2347", + "model": { + "identifier": "20L8S7WC12" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "allowed", + "category": [ + "web" + ], + "id": "123456782", + "kind": "event", + "original": "{\"version\":\"v9\",\"sourcetype\":\"zscalernss-web\",\"event\":{\"time\":\"Mon Oct 20 22:55:48 2023\",\"cloudname\":\"zscaler.net\",\"host\":\"mail.google.com\",\"serverip\":\"1.128.0.4\",\"external_devid\":\"2347\",\"devicemodel\":\"20L8S7WC12\",\"action\":\"Allowed\",\"recordid\":123456782,\"reason\":\"File Attachment Cautioned\",\"threatseverity\":\"Critical (90–100)\",\"tz\":\"GMT\",\"filesubtype\":\"exe\",\"upload_filesubtype\":\"rar\",\"sha256\":\"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c\",\"bamd5\":\"196a3d797bfee07fe4596b69f4ce1141\",\"filename\":\"nssfeed.txt\",\"upload_filename\":\"nssfeed.exe\",\"filetype\":\"RAR 
Files\",\"devicename\":\"device%5CrN%40me\",\"devicehostname\":\"THINKPADSMITH\",\"deviceostype\":\"iOS\",\"deviceosversion\":\"Version 10.14.2 (Build 18C54)\",\"devicetype\":\"Zscaler Client Connector\",\"reqsize\":1300,\"reqmethod\":\"invalid\",\"b64referer\":\"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQlM0ElMjI0MC1lbi1kaWElMjIrbGFuZyUzQSUyMmVuJTIyJmZvcm09UzAwJnE9aG93K3RvK3VzZStyZW1vdGUrZGVza3RvcCt0bytjb25uZWN0K3RvK2Erd2luZG93cysxMCtwYw==\",\"respsize\":10500,\"respcode\":\"100\",\"reqversion\":\"1.1\",\"respversion\":\"1\",\"proto\":\"HTTPS\",\"company\":\"Zscaler\",\"dlpmd5\":\"154f149b1443fbfa8c121d13e5c019a1\",\"apprulelabel\":\"File_Sharing_1\",\"dlprulename\":\"DLP_Rule_1\",\"rulelabel\":\"URL_Filtering_1\",\"urlfilterrulelabel\":\"URL_Filtering_2\",\"cltip\":\"81.2.69.144\",\"cltintip\":\"89.160.20.128\",\"cltsourceport\":12345,\"threatname\":\"EICAR Test File\",\"cltsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"clttlsversion\":\"SSL2\",\"b64url\":\"ZXhhbXBsZS5jb20vP3BhcnRuZXI9MjcxJnNtYXJ0bWFwPTEmcmVkaXJlY3Q9aHR0cHM6Ly9leGFtcGxlLmNvbS9zZXR1aWQ/ZW50aXR5PTE0NSZjb2RlPSVfcmlk\",\"useragent\":\"Mozilla/5.0\",\"login\":\"jdoe@safemarch.com\",\"applayerprotocol\":\"FTP\",\"appclass\":\"Administration\",\"appname\":\"Adobe Connect\",\"appriskscore\":\"1\",\"bandwidthclassname\":\"Entertainment\",\"bandwidthrulename\":\"Office 365\",\"bwthrottle\":\"Yes\",\"bypassedtime\":\"Mon Oct 16 22:55:48 2023\",\"bypassedtraffic\":\"1\",\"cltsslsessreuse\":\"Unknown\",\"cltpubip\":\"175.16.199.0\",\"cltsslfailcount\":100,\"cltsslfailreason\":\"Bad Record Mac\",\"contenttype\":\"application/vnd_apple_keynote\",\"datacentercity\":\"Sa\",\"datacentercountry\":\"US\",\"datacenter\":\"CA Client Node DC\",\"day\":\"Mon\",\"day_of_month\":16,\"dept\":\"Sales\",\"deviceappversion\":\"1.128.0.1\",\"deviceowner\":\"jsmith\",\"df_hosthead\":\"df_hosthead\",\"df_hostname\":\"df_hostname\",\"dlpdicthitcount\":\"4\",\"dlpdict\":\"Credit 
Cards\",\"dlpeng\":\"HIPAA\",\"dlpidentifier\":6646484838839026000,\"eedone\":\"Yes\",\"epochtime\":1578128400,\"fileclass\":\"Active Web Contents\",\"flow_type\":\"Direct\",\"forward_gateway_ip\":\"10.1.1.1\",\"forward_gateway_name\":\"FWD_1\",\"forward_type\":\"Direct\",\"hour\":22,\"is_sslexpiredca\":\"Yes\",\"is_sslselfsigned\":\"Yes\",\"is_ssluntrustedca\":\"Pass\",\"keyprotectiontype\":\"HSM Protection\",\"location\":\"Headquarters\",\"malwarecategory\":\"Adware\",\"malwareclass\":\"Sandbox\",\"minute\":55,\"mobappcategory\":\"Communication\",\"mobappname\":\"Amazon\",\"mobdevtype\":\"Google Android\",\"module\":\"Administration\",\"month\":\"Oct\",\"month_of_year\":10,\"nssserviceip\":\"192.168.2.200\",\"oapprulelabel\":\"5300295980\",\"obwclassname\":\"10831489\",\"ocip\":6200694987,\"ocpubip\":624054738,\"odevicehostname\":\"2168890624\",\"odevicename\":\"2175092224\",\"odeviceowner\":\"10831489\",\"odlpdict\":\"10831489\",\"odlpeng\":\"4094304256\",\"odlprulename\":\"6857275752\",\"ofwd_gw_name\":\"8794487099\",\"ologin\":\"4094304256\",\"ordr_rulename\":\"3399565100\",\"ourlcat\":\"7956407282\",\"ourlfilterrulelabel\":\"4951704103\",\"ozpa_app_seg_name\":\"7648246731\",\"externalsslpolicyreason\":\"Blocked\",\"productversion\":\"5.0.902.95524_04\",\"rdr_rulename\":\"FWD_Rule_1\",\"refererhost\":\"www.example.com for http://www.example.com/index.html\",\"reqheadersize\":300,\"reqdatasize\":1000,\"respheadersize\":500,\"respdatasize\":10000,\"riskscore\":10,\"ruletype\":\"File Type Control\",\"second\":48,\"srvcertchainvalpass\":\"Unknown\",\"srvcertvalidationtype\":\"EV (Extended Validation)\",\"srvcertvalidityperiod\":\"Short\",\"srvsslcipher\":\"SSL3_CK_RSA_NULL_MD5\",\"serversslsessreuse\":\"Unknown\",\"srvocspresult\":\"Good\",\"srvtlsversion\":\"SSL2\",\"srvwildcardcert\":\"Unknown\",\"ssldecrypted\":\"Yes\",\"throttlereqsize\":5,\"throttlerespsize\":7,\"totalsize\":11800,\"trafficredirectmethod\":\"DNAT (Destination 
Translation)\",\"unscannabletype\":\"Encrypted File\",\"upload_doctypename\":\"Corporate Finance\",\"upload_fileclass\":\"upload_fileclass\",\"upload_filetype\":\"RAR Files\",\"urlcatmethod\":\"Database A\",\"urlsubcat\":\"Entertainment\",\"urlsupercat\":\"Travel\",\"urlclass\":\"Bandwidth Loss\",\"useragentclass\":\"Firefox\",\"useragenttoken\":\"Google Chrome (0.x)\",\"userlocationname\":\"userlocationname\",\"year\":2023,\"ztunnelversion\":\"ZTUNNEL_1_0\",\"zpa_app_seg_name\":\"ZPA_test_app_segment\"}}", + "reason": "File Attachment Cautioned", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "file": { + "extension": [ + "exe", + "rar" + ], + "hash": { + "md5": "196a3d797bfee07fe4596b69f4ce1141", + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + }, + "name": [ + "nssfeed.txt", + "nssfeed.exe" + ], + "type": "file" + }, + "host": { + "hostname": "device\\rN@me", + "name": "thinkpadsmith", + "os": { + "type": "ios", + "version": "Version 10.14.2 (Build 18C54)" + }, + "type": "Zscaler Client Connector" + }, + "http": { + "request": { + "bytes": 1300, + "method": "invalid", + "referrer": "www.example.com/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc" + }, + "response": { + "bytes": 10500 + }, + "version": [ + "1.1", + "1" + ] + }, + "network": { + "protocol": "https" + }, + "organization": { + "name": "Zscaler" + }, + "related": { + "hash": [ + "154f149b1443fbfa8c121d13e5c019a1", + "196a3d797bfee07fe4596b69f4ce1141", + "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c" + ], + "hosts": [ + "thinkpadsmith", + "device\\rN@me" + ], + "ip": [ + "89.160.20.128", + "175.16.199.0", + "10.1.1.1", + "192.168.2.200", + "81.2.69.144", + "1.128.0.4" + ], + "user": [ + "jsmith", + "jdoe", + "jdoe@safemarch.com" + ] + }, + "rule": { + "name": [ + "File_Sharing_1", + "DLP_Rule_1", + "URL_Filtering_1", + "URL_Filtering_2" + ] + }, + "source": { + "geo": { + 
"city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "nat": { + "ip": "89.160.20.128" + }, + "port": 12345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "196a3d797bfee07fe4596b69f4ce1141" + } + }, + "tls": { + "cipher": "SSL3_CK_RSA_NULL_MD5" + }, + "url": { + "domain": "example.com", + "full": "https://example.com/?partner=271&smartmap=1&redirect=https://example.com/setuid?entity=145&code=%_rid", + "original": "https://example.com/?partner=271&smartmap=1&redirect=https://example.com/setuid?entity=145&code=%_rid", + "path": "/", + "query": "partner=271&smartmap=1&redirect=https://example.com/setuid?entity=145&code=%_rid", + "scheme": "https" + }, + "user": { + "domain": "safemarch.com", + "email": "jdoe@safemarch.com", + "name": "jdoe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0" + }, + "zscaler_zia": { + "web": { + "action": "Allowed", + "alpn_protocol": "FTP", + "app": { + "class": "Administration", + "name": "Adobe Connect", + "risk_score": "1", + "rule_label": "File_Sharing_1" + }, + "bandwidth_class_name": "Entertainment", + "bandwidth_rule_name": "Office 365", + "bandwidth_throttle": "Yes", + "bypassed": { + "time": "2023-10-16T22:55:48.000Z", + "traffic": "1" + }, + "client": { + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "internet": { + "ip": "89.160.20.128" + }, + "ip": "81.2.69.144", + "public_ip": "175.16.199.0", + "source_port": 12345, + "ssl": { + "fail_count": 100, + "fail_reason": "Bad Record Mac" + }, + "tls_version": "SSL2" + }, + "cloud_name": "zscaler.net", + "company": "Zscaler", + "content_type": "application/vnd_apple_keynote", + "datacenter": { + "city": "Sa", + "country": 
"US", + "name": "CA Client Node DC" + }, + "day": "Mon", + "day_of_month": 16, + "department": "Sales", + "device": { + "appversion": "1.128.0.1", + "hostname": "THINKPADSMITH", + "model": "20L8S7WC12", + "name": "device\\rN@me", + "os": { + "type": "iOS", + "version": "Version 10.14.2 (Build 18C54)" + }, + "owner": "jsmith", + "type": "Zscaler Client Connector" + }, + "df": { + "host": { + "head": "df_hosthead", + "name": "df_hostname" + } + }, + "dlp": { + "dictionaries": { + "hit_count": "4", + "name": "Credit Cards" + }, + "engine": "HIPAA", + "identifier": "6646484838839026000", + "md5": "154f149b1443fbfa8c121d13e5c019a1", + "rule": { + "name": "DLP_Rule_1" + } + }, + "eedone": "Yes", + "epochtime": "2020-01-04T09:00:00.000Z", + "external": { + "device": { + "id": "2347" + } + }, + "file": { + "class": "Active Web Contents", + "name": "nssfeed.txt", + "subtype": "exe", + "type": "RAR Files" + }, + "flow_type": "Direct", + "forward_gateway": { + "ip": "10.1.1.1", + "name": "FWD_1" + }, + "forward_type": "Direct", + "host": "mail.google.com", + "hour": 22, + "is_ssl_certificate_expired": "Yes", + "is_ssl_certificate_selfsigned": "Yes", + "is_ssl_certificate_untrusted": "Pass", + "key_protection_type": "HSM Protection", + "location": "Headquarters", + "login": "jdoe@safemarch.com", + "malware": { + "category": "Adware", + "class": "Sandbox" + }, + "md5_hash": "196a3d797bfee07fe4596b69f4ce1141", + "minute": 55, + "mobile": { + "application": { + "category": "Communication", + "name": "Amazon" + }, + "dev": { + "type": "Google Android" + } + }, + "module": "Administration", + "month": "Oct", + "month_of_year": 10, + "nss": { + "service": { + "ip": "192.168.2.200" + } + }, + "obfuscated": { + "app_rule_label": "5300295980", + "bendwidth": { + "class_name": "10831489" + }, + "client": { + "ip": "6200694987", + "public": { + "ip": "624054738" + } + }, + "device": { + "host_name": "2168890624", + "name": "2175092224", + "owner": "10831489" + }, + "dlp": { + 
"dictionaries": "10831489", + "engine": "4094304256", + "rule": { + "name": "6857275752" + } + }, + "forward_gateway_name": "8794487099", + "login": "4094304256", + "rule": { + "name": "3399565100" + }, + "url": { + "category": "7956407282", + "filter_rule_label": "4951704103" + }, + "zpa_app_segment": "7648246731" + }, + "policy": { + "reason": "Blocked" + }, + "product_version": "5.0.902.95524_04", + "prototype": "HTTPS", + "reason": "File Attachment Cautioned", + "record": { + "id": "123456782" + }, + "redirect_policy_name": "FWD_Rule_1", + "referer": { + "host": "www.example.com for http://www.example.com/index.html", + "name": "www.example.com/search?filters=guid%3A%2240-en-dia%22+lang%3A%22en%22&form=S00&q=how+to+use+remote+desktop+to+connect+to+a+windows+10+pc" + }, + "request": { + "header_size": 300, + "method": "invalid", + "payload": 1000, + "size": 1300, + "version": "1.1" + }, + "response": { + "code": "100", + "header_size": 500, + "payload": 10000, + "size": 10500, + "version": "1" + }, + "risk": { + "score": 10.0 + }, + "rule": { + "name": "URL_Filtering_1", + "type": "File Type Control" + }, + "second": 48, + "server": { + "certificate": { + "validation": { + "period": "Short" + } + }, + "certificate_validation_chain": "Unknown", + "certificate_validation_type": "EV (Extended Validation)", + "cipher": "SSL3_CK_RSA_NULL_MD5", + "cipher_reuse": "Unknown", + "ip": "1.128.0.4", + "ocsp_result": "Good", + "tls_version": "SSL2", + "wildcard_certificate": "Unknown" + }, + "sha256": "81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c", + "ssl_decrypted": "Yes", + "threat": { + "name": "EICAR Test File", + "severity": "Critical (90–100)" + }, + "throttle": { + "request_size": 5, + "response_size": 7 + }, + "time": "2023-10-20T22:55:48.000Z", + "timezone": "GMT", + "total": { + "size": 11800 + }, + "traffic_redirect_method": "DNAT (Destination Translation)", + "unscannable": { + "type": "Encrypted File" + }, + "upload": { + "doc": { + 
"type_name": "Corporate Finance" + }, + "file": { + "class": "upload_fileclass", + "name": "nssfeed.exe", + "subtype": "rar", + "type": "RAR Files" + } + }, + "url": { + "category": { + "sub": "Entertainment", + "super": "Travel" + }, + "category_method": "Database A", + "class": "Bandwidth Loss", + "filter_rule_label": "URL_Filtering_2", + "name": "example.com/?partner=271&smartmap=1&redirect=https://example.com/setuid?entity=145&code=%_rid" + }, + "user_agent": { + "class": "Firefox", + "name": "Mozilla/5.0", + "token": "Google Chrome (0.x)" + }, + "user_location_name": "userlocationname", + "year": 2023, + "z_tunnel_version": "ZTUNNEL_1_0", + "zpa_app_segment": "ZPA_test_app_segment" + } + } } ] } \ No newline at end of file
diff --git a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
index 8f56e1dc39e..cdf73afde1e 100644
--- a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
@@ -121,6 +121,10 @@ processors:
 tag: urldecode_apprulelabel
 target_field: zscaler_zia.web.app.rule_label
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - append:
 field: rule.name
 tag: append_zscaler_zia_web_app_rule_label_into_rule_name
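Review bot: When urldecode_apprulelabel fails, the new on_failure block only records the error and `zscaler_zia.web.app.rule_label` is never populated, so the rule label disappears from the document even though the undecoded value is still in the source field (presumably `json.apprulelabel`; its `field:` line sits just above the hunk); the same applies to the handlers added in the hunks at -361, -531, -593, -634, -723, -902, -1046, -1280, -1327 and -1417. Consider carrying the raw value across so analysts and rule.name-based detections still see it, e.g. `- set: { field: zscaler_zia.web.app.rule_label, copy_from: json.apprulelabel, ignore_empty_value: true }` appended to the on_failure list, with field and source adjusted per processor. Whether the following append into rule.name is guarded against the target being absent is not visible in this hunk. The eleven handlers repeat the same template verbatim; that matches the form already used in this file (see the block removed at -1373), so it reads as a consistency choice rather than a defect.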
@@ -361,6 +365,10 @@ processors:
 tag: urldecode_devicename
 target_field: zscaler_zia.web.device.name
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - set:
 field: host.hostname
 tag: set_host_hostname_from_web_device_name
@@ -531,6 +539,10 @@ processors:
 tag: urldecode_filename
 target_field: zscaler_zia.web.file.name
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - append:
 field: file.name
 tag: append_zscaler_zia_web_file_name_into_file_name
@@ -593,6 +605,10 @@ processors:
 tag: urldecode_host
 target_field: zscaler_zia.web.host
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - set:
 field: destination.domain
 tag: set_destination_domain_from_web_host
@@ -634,16 +650,19 @@ processors:
 tag: urldecode_location
 target_field: zscaler_zia.web.location
 ignore_missing: true
- - urldecode:
- field: json.department
- tag: urldecode_department
- target_field: zscaler_zia.web.department
- ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - urldecode:
 field: json.login
 tag: urldecode_login
 target_field: zscaler_zia.web.login
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - set:
 field: user.email
 tag: set_user_email_from_web_login
@@ -723,6 +742,10 @@ processors:
 tag: urldecode_mobappname
 target_field: zscaler_zia.web.mobile.application.name
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - rename:
 field: json.mobdevtype
 tag: rename_mobdevtype
@@ -902,6 +925,10 @@ processors:
 tag: urldecode_refererhost
 target_field: zscaler_zia.web.referer.host
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - script:
 description: Decode referer
 tag: decode_b64referer
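Review bot: Removing the urldecode of `json.department` leaves that key unconsumed, and senders still configured with the v8 feed template (which carries `"department":"%s{edepartment}"`, as the README hunk below shows) will keep emitting it; whether the value is then discarded or surfaces undecoded in the indexed document depends on how the pipeline disposes of the `json` object later, which is outside this hunk. If `json` is not removed wholesale, add `- remove: { field: json.department, ignore_missing: true }` beside the remaining urldecode processors so the hex-encoded value neither lingers nor collides with the `dept`-derived `zscaler_zia.web.department`. A one-line comment above the login urldecode, `# department is taken from the dept field; the hex-encoded department field is intentionally ignored`, would keep the next maintainer from re-adding the decode.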
@@ -1046,6 +1073,10 @@ processors:
 tag: urldecode_rulelabel
 target_field: zscaler_zia.web.rule.name
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - append:
 field: rule.name
 tag: append_zscaler_zia_web_rule_name_into_rule_name
@@ -1280,6 +1311,10 @@ processors:
 tag: urldecode_upload_filename
 target_field: zscaler_zia.web.upload.file.name
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - append:
 field: file.name
 tag: append_zscaler_zia_web_upload_file_name_into_file_name
@@ -1327,6 +1362,10 @@ processors:
 tag: urldecode_urlfilterrulelabel
 target_field: zscaler_zia.web.url.filter_rule_label
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - append:
 field: rule.name
 tag: append_zscaler_zia_web_url_filter_rule_label_into_rule_name
@@ -1373,15 +1412,6 @@ processors:
 field: url.full
 value: '{{{url.original}}}'
 if: ctx.url?.original != null && ctx.url.original != ''
- - urldecode:
- field: url.original
- ignore_missing: true
- tag: urldecode_url_original
- if: ctx.url?.original != null && ctx.url.original != ''
- on_failure:
- - append:
- field: error.message
- value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - rename:
 field: json.useragentclass
 tag: rename_useragentclass
@@ -1417,6 +1447,10 @@ processors:
 tag: urldecode_userlocationname
 target_field: zscaler_zia.web.user_location_name
 ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - convert:
 field: json.year
 tag: convert_year_to_long
diff --git a/packages/zscaler_zia/docs/README.md b/packages/zscaler_zia/docs/README.md
index 1696f01addf..c7179fbe9f8 100644
--- a/packages/zscaler_zia/docs/README.md
+++ b/packages/zscaler_zia/docs/README.md
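Review bot: With the urldecode of url.original gone, url.full, url.original and url.query now keep whatever percent-encoding the base64-decoded b64url carried (the updated expected output keeps `code=%_rid` verbatim), which is the right reading of ECS url.original but means detections that match literal decoded strings against url.full will no longer see a normalized value. The reason for the removal is only in the commit message; a `description:` on the `set` processor for url.full, such as `description: Mirrors url.original without percent-decoding; b64url is already base64-decoded by the decode script, and malformed escapes such as '%_' must not fail the pipeline`, would keep the decode step from being reintroduced. The set processor's opening lines are outside the hunk.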
@@ -214,14 +214,14 @@ Sample Response: ![Escape feed setup image](../img/escape_feed.png?raw=true) See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/nss-feed-output-format-web-logs) -Zscaler Web Log response format (v8): +Zscaler Web Log response format (v9): ``` -\{"version":"v8","sourcetype":"zscalernss-web","event":\{"time":"%s{time}","cloudname":"%s{cloudname}","host":"%s{ehost}","serverip":"%s{sip}","external_devid":"%s{external_devid}","devicemodel":"%s{devicemodel}","action":"%s{action}","recordid":"%d{recordid}","reason":"%s{reason}","threatseverity":"%s{threatseverity}","tz":"%s{tz}","filesubtype":"%s{filesubtype}","upload_filesubtype":"%s{upload_filesubtype}","sha256":"%s{sha256}","bamd5":"%s{bamd5}","filename":"%s{efilename}","upload_filename":"%s{eupload_filename}","filetype":"%s{filetype}","devicename":"%s{edevicename}","devicehostname":"%s{devicehostname}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","devicetype":"%s{devicetype}","reqsize":"%d{reqsize}","reqmethod":"%s{reqmethod}","b64referer":"%s{b64referer}","respsize":"%d{respsize}","respcode":"%s{respcode}","reqversion":"%s{reqversion}","respversion":"%s{respversion}","proto":"%s{proto}","company":"%s{company}","dlpmd5":"%s{dlpmd5}","apprulelabel":"%s{eapprulelabel}","dlprulename":"%s{dlprulename}","rulelabel":"%s{erulelabel}","urlfilterrulelabel":"%s{eurlfilterrulelabel}","cltip":"%s{cip}","cltintip":"%s{cintip}","cltsourceport":"%d{clt_sport}","threatname":"%s{threatname}","cltsslcipher":"%s{clientsslcipher}","clttlsversion":"%s{clienttlsversion}","b64url":"%s{b64url}","useragent":"%s{eua}","login":"%s{elogin}","applayerprotocol":"%s{alpnprotocol}","appclass":"%s{appclass}","appname":"%s{appname}","appriskscore":"%s{app_risk_score}","bandwidthclassname":"%s{bwclassname}","bandwidthrulename":"%s{bwrulename}","bwthrottle":"%s{bwthrottle}","bypassedtime":"%s{bypassed_etime}","bypassedtraffic":"%d{bypassed_traffic}","cltsslsessreuse":"%s{clientsslsessreuse}
","cltpubip":"%s{cpubip}","cltsslfailcount":"%d{cltsslfailcount}","cltsslfailreason":"%s{cltsslfailreason}","contenttype":"%s{contenttype}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","datacenter":"%s{datacenter}","day":"%s{day}","day_of_month":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","deviceowner":"%s{deviceowner}","df_hosthead":"%s{df_hosthead}","df_hostname":"%s{df_hostname}","dlpdicthitcount":"%s{dlpdicthitcount}","dlpdict":"%s{dlpdict}","dlpeng":"%s{dlpeng}","dlpidentifier":"%d{dlpidentifier}","eedone":"%s{eedone}","epochtime":"%d{epochtime}","fileclass":"%s{fileclass}","flow_type":"%s{flow_type}","forward_gateway_ip":"%s{fwd_gw_ip}","forward_gateway_name":"%s{fwd_gw_name}","forward_type":"%s{fwd_type}","hour":"%02d{hh}","is_sslexpiredca":"%s{is_sslexpiredca}","is_sslselfsigned":"%s{is_sslselfsigned}","is_ssluntrustedca":"%s{is_ssluntrustedca}","keyprotectiontype":"%s{keyprotectiontype}","location":"%s{elocation}","department":"%s{edepartment}","malwarecategory":"%s{malwarecat}","malwareclass":"%s{malwareclass}","minute":"%02d{mm}","mobappcategory":"%s{mobappcat}","mobappname":"%s{emobappname}","mobdevtype":"%s{mobdevtype}","module":"%s{module}","month":"%s{mon}","month_of_year":"%02d{mth}","nssserviceip":"%s{nsssvcip}","oapprulelabel":"%s{oapprulelabel}","obwclassname":"%s{obwclassname}","ocip":"%d{ocip}","ocpubip":"%d{ocpubip}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odlpdict":"%s{odlpdict}","odlpeng":"%s{odlpeng}","odlprulename":"%s{odlprulename}","ofwd_gw_name":"%s{ofwd_gw_name}","ologin":"%s{ologin}","ordr_rulename":"%s{ordr_rulename}","ourlcat":"%s{ourlcat}","ourlfilterrulelabel":"%s{ourlfilterrulelabel}","ozpa_app_seg_name":"%s{ozpa_app_seg_name}","externalsslpolicyreason":"%s{externalspr}","productversion":"%s{productversion}","rdr_rulename":"%s{rdr_rulename}","refererhost":"%s{erefererhost}","reqheadersize":"%d{reqhdrsi
ze}","reqdatasize":"%d{reqdatasize}","respheadersize":"%d{resphdrsize}","respdatasize":"%d{respdatasize}","riskscore":"%d{riskscore}","ruletype":"%s{ruletype}","second":"%02d{ss}","srvcertchainvalpass":"%s{srvcertchainvalpass}","srvcertvalidationtype":"%s{srvcertvalidationtype}","srvcertvalidityperiod":"%s{srvcertvalidityperiod}","srvsslcipher":"%s{srvsslcipher}","serversslsessreuse":"%s{serversslsessreuse}","srvocspresult":"%s{srvocspresult}","srvtlsversion":"%s{srvtlsversion}","srvwildcardcert":"%s{srvwildcardcert}","ssldecrypted":"%s{ssldecrypted}","throttlereqsize":"%d{throttlereqsize}","throttlerespsize":"%d{throttlerespsize}","totalsize":"%d{totalsize}","trafficredirectmethod":"%s{trafficredirectmethod}","unscannabletype":"%s{unscannabletype}","upload_doctypename":"%s{upload_doctypename}","upload_fileclass":"%s{upload_fileclass}","upload_filetype":"%s{upload_filetype}","urlcatmethod":"%s{urlcatmethod}","urlsubcat":"%s{urlcat}","urlsupercat":"%s{urlsupercat}","urlclass":"%s{urlclass}","useragentclass":"%s{uaclass}","useragenttoken":"%s{ua_token}","userlocationname":"%s{euserlocationname}","year":"%04d{yyyy}","ztunnelversion":"%s{ztunnelversion}","zpa_app_seg_name":"%s{zpa_app_seg_name}"\}\} 
+\{"version":"v9","sourcetype":"zscalernss-web","event":\{"time":"%s{time}","cloudname":"%s{cloudname}","host":"%s{ehost}","serverip":"%s{sip}","external_devid":"%s{external_devid}","devicemodel":"%s{devicemodel}","action":"%s{action}","recordid":"%d{recordid}","reason":"%s{reason}","threatseverity":"%s{threatseverity}","tz":"%s{tz}","filesubtype":"%s{filesubtype}","upload_filesubtype":"%s{upload_filesubtype}","sha256":"%s{sha256}","bamd5":"%s{bamd5}","filename":"%s{efilename}","upload_filename":"%s{eupload_filename}","filetype":"%s{filetype}","devicename":"%s{edevicename}","devicehostname":"%s{devicehostname}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","devicetype":"%s{devicetype}","reqsize":"%d{reqsize}","reqmethod":"%s{reqmethod}","b64referer":"%s{b64referer}","respsize":"%d{respsize}","respcode":"%s{respcode}","reqversion":"%s{reqversion}","respversion":"%s{respversion}","proto":"%s{proto}","company":"%s{company}","dlpmd5":"%s{dlpmd5}","apprulelabel":"%s{eapprulelabel}","dlprulename":"%s{dlprulename}","rulelabel":"%s{erulelabel}","urlfilterrulelabel":"%s{eurlfilterrulelabel}","cltip":"%s{cip}","cltintip":"%s{cintip}","cltsourceport":"%d{clt_sport}","threatname":"%s{threatname}","cltsslcipher":"%s{clientsslcipher}","clttlsversion":"%s{clienttlsversion}","b64url":"%s{b64url}","useragent":"%s{eua}","login":"%s{elogin}","applayerprotocol":"%s{alpnprotocol}","appclass":"%s{appclass}","appname":"%s{appname}","appriskscore":"%s{app_risk_score}","bandwidthclassname":"%s{bwclassname}","bandwidthrulename":"%s{bwrulename}","bwthrottle":"%s{bwthrottle}","bypassedtime":"%s{bypassed_etime}","bypassedtraffic":"%d{bypassed_traffic}","cltsslsessreuse":"%s{clientsslsessreuse}","cltpubip":"%s{cpubip}","cltsslfailcount":"%d{cltsslfailcount}","cltsslfailreason":"%s{cltsslfailreason}","contenttype":"%s{contenttype}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}","datacenter":"%s{datacenter}","day":"%s{day}","day_of_mon
th":"%02d{dd}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","deviceowner":"%s{deviceowner}","df_hosthead":"%s{df_hosthead}","df_hostname":"%s{df_hostname}","dlpdicthitcount":"%s{dlpdicthitcount}","dlpdict":"%s{dlpdict}","dlpeng":"%s{dlpeng}","dlpidentifier":"%d{dlpidentifier}","eedone":"%s{eedone}","epochtime":"%d{epochtime}","fileclass":"%s{fileclass}","flow_type":"%s{flow_type}","forward_gateway_ip":"%s{fwd_gw_ip}","forward_gateway_name":"%s{fwd_gw_name}","forward_type":"%s{fwd_type}","hour":"%02d{hh}","is_sslexpiredca":"%s{is_sslexpiredca}","is_sslselfsigned":"%s{is_sslselfsigned}","is_ssluntrustedca":"%s{is_ssluntrustedca}","keyprotectiontype":"%s{keyprotectiontype}","location":"%s{elocation}","malwarecategory":"%s{malwarecat}","malwareclass":"%s{malwareclass}","minute":"%02d{mm}","mobappcategory":"%s{mobappcat}","mobappname":"%s{emobappname}","mobdevtype":"%s{mobdevtype}","module":"%s{module}","month":"%s{mon}","month_of_year":"%02d{mth}","nssserviceip":"%s{nsssvcip}","oapprulelabel":"%s{oapprulelabel}","obwclassname":"%s{obwclassname}","ocip":"%d{ocip}","ocpubip":"%d{ocpubip}","odevicehostname":"%s{odevicehostname}","odevicename":"%s{odevicename}","odeviceowner":"%s{odeviceowner}","odlpdict":"%s{odlpdict}","odlpeng":"%s{odlpeng}","odlprulename":"%s{odlprulename}","ofwd_gw_name":"%s{ofwd_gw_name}","ologin":"%s{ologin}","ordr_rulename":"%s{ordr_rulename}","ourlcat":"%s{ourlcat}","ourlfilterrulelabel":"%s{ourlfilterrulelabel}","ozpa_app_seg_name":"%s{ozpa_app_seg_name}","externalsslpolicyreason":"%s{externalspr}","productversion":"%s{productversion}","rdr_rulename":"%s{rdr_rulename}","refererhost":"%s{erefererhost}","reqheadersize":"%d{reqhdrsize}","reqdatasize":"%d{reqdatasize}","respheadersize":"%d{resphdrsize}","respdatasize":"%d{respdatasize}","riskscore":"%d{riskscore}","ruletype":"%s{ruletype}","second":"%02d{ss}","srvcertchainvalpass":"%s{srvcertchainvalpass}","srvcertvalidationtype":"%s{srvcertvalidationtype}","srvcertvalidityperiod":"%s{sr
vcertvalidityperiod}","srvsslcipher":"%s{srvsslcipher}","serversslsessreuse":"%s{serversslsessreuse}","srvocspresult":"%s{srvocspresult}","srvtlsversion":"%s{srvtlsversion}","srvwildcardcert":"%s{srvwildcardcert}","ssldecrypted":"%s{ssldecrypted}","throttlereqsize":"%d{throttlereqsize}","throttlerespsize":"%d{throttlerespsize}","totalsize":"%d{totalsize}","trafficredirectmethod":"%s{trafficredirectmethod}","unscannabletype":"%s{unscannabletype}","upload_doctypename":"%s{upload_doctypename}","upload_fileclass":"%s{upload_fileclass}","upload_filetype":"%s{upload_filetype}","urlcatmethod":"%s{urlcatmethod}","urlsubcat":"%s{urlcat}","urlsupercat":"%s{urlsupercat}","urlclass":"%s{urlclass}","useragentclass":"%s{uaclass}","useragenttoken":"%s{ua_token}","userlocationname":"%s{euserlocationname}","year":"%04d{yyyy}","ztunnelversion":"%s{ztunnelversion}","zpa_app_seg_name":"%s{zpa_app_seg_name}"\}\} ``` Sample Response: ```json -{"version":"v8","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client 
Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQ6IjQwLWVuLWRpYSIgbGFuZzoiZW4iJmZvcm09UzAwJnE9aG93IHRvIHVzZSByZW1vdGUgZGVza3RvcCB0byBjb25uZWN0IHRvIGEgd2luZG93cyAxMCBwYw==","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL3BhcmFtcz9JZD0xJnRzPTIwMDYtMDEtMDJUMTU6MDQ6MDVaMDc6MDAmdXNlcj02NTc5MiZ2ZXJzaW9uPTEwLjAuMTkwNDEuMTI2Ng==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM 
Protection","location":"Headquarters","department":"Department%5CrN%40me","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} +{"version":"v9","sourcetype":"zscalernss-web","event":{"time":"Mon Oct 16 22:55:48 
2023","cloudname":"zscaler.net","host":"mail.google.com","serverip":"1.128.0.0","external_devid":"1234","devicemodel":"20L8S7WC08","action":"Allowed","recordid":123456789,"reason":"File Attachment Cautioned","threatseverity":"Critical (90–100)","tz":"GMT","filesubtype":"exe","upload_filesubtype":"rar","sha256":"81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c","bamd5":"196a3d797bfee07fe4596b69f4ce1141","filename":"nssfeed.txt","upload_filename":"nssfeed.exe","filetype":"RAR Files","devicename":"PC11NLPA%3A5F08D97BBF43257A8FB4BBF4061A38AE324EF734","devicehostname":"THINKPADSMITH","deviceostype":"iOS","deviceosversion":"Version 10.14.2 (Build 18C54)","devicetype":"Zscaler Client Connector","reqsize":1300,"reqmethod":"invalid","b64referer":"d3d3LmV4YW1wbGUuY29tL3NlYXJjaD9maWx0ZXJzPWd1aWQ6IjQwLWVuLWRpYSIgbGFuZzoiZW4iJmZvcm09UzAwJnE9aG93IHRvIHVzZSByZW1vdGUgZGVza3RvcCB0byBjb25uZWN0IHRvIGEgd2luZG93cyAxMCBwYw==","respsize":10500,"respcode":"100","reqversion":"1.1","respversion":"1","proto":"HTTP","company":"Zscaler","dlpmd5":"154f149b1443fbfa8c121d13e5c019a1","apprulelabel":"File_Sharing_1","dlprulename":"DLP_Rule_1","rulelabel":"URL_Filtering_1","urlfilterrulelabel":"URL_Filtering_2","cltip":"81.2.69.144","cltintip":"89.160.20.128","cltsourceport":12345,"threatname":"EICAR Test File","cltsslcipher":"SSL3_CK_RSA_NULL_MD5","clttlsversion":"SSL2","b64url":"d3d3LnRyeXRoaXNlbmNvZGV1cmwuY29tL3BhcmFtcz9JZD0xJnRzPTIwMDYtMDEtMDJUMTU6MDQ6MDVaMDc6MDAmdXNlcj02NTc5MiZ2ZXJzaW9uPTEwLjAuMTkwNDEuMTI2Ng==","useragent":"Mozilla/5.0","login":"jdoe@safemarch.com","applayerprotocol":"FTP","appclass":"Administration","appname":"Adobe Connect","appriskscore":"1","bandwidthclassname":"Entertainment","bandwidthrulename":"Office 365","bwthrottle":"Yes","bypassedtime":"Mon Oct 16 22:55:48 2023","bypassedtraffic":"1","cltsslsessreuse":"Unknown","cltpubip":"175.16.199.0","cltsslfailcount":100,"cltsslfailreason":"Bad Record 
Mac","contenttype":"application/vnd_apple_keynote","datacentercity":"Sa","datacentercountry":"US","datacenter":"CA Client Node DC","day":"Mon","day_of_month":16,"dept":"Sales","deviceappversion":"1.128.0.0","deviceowner":"jsmith","df_hosthead":"df_hosthead","df_hostname":"df_hostname","dlpdicthitcount":"4","dlpdict":"Credit Cards","dlpeng":"HIPAA","dlpidentifier":6646484838839026000,"eedone":"Yes","epochtime":1578128400,"fileclass":"Active Web Contents","flow_type":"Direct","forward_gateway_ip":"10.1.1.1","forward_gateway_name":"FWD_1","forward_type":"Direct","hour":22,"is_sslexpiredca":"Yes","is_sslselfsigned":"Yes","is_ssluntrustedca":"Pass","keyprotectiontype":"HSM Protection","location":"Headquarters","malwarecategory":"Adware","malwareclass":"Sandbox","minute":55,"mobappcategory":"Communication","mobappname":"Amazon","mobdevtype":"Google Android","module":"Administration","month":"Oct","month_of_year":10,"nssserviceip":"192.168.2.200","oapprulelabel":"5300295980","obwclassname":"10831489","ocip":6200694987,"ocpubip":624054738,"odevicehostname":"2168890624","odevicename":"2175092224","odeviceowner":"10831489","odlpdict":"10831489","odlpeng":"4094304256","odlprulename":"6857275752","ofwd_gw_name":"8794487099","ologin":"4094304256","ordr_rulename":"3399565100","ourlcat":"7956407282","ourlfilterrulelabel":"4951704103","ozpa_app_seg_name":"7648246731","externalsslpolicyreason":"Blocked","productversion":"5.0.902.95524_04","rdr_rulename":"FWD_Rule_1","refererhost":"www.example.com for http://www.example.com/index.html","reqheadersize":300,"reqdatasize":1000,"respheadersize":500,"respdatasize":10000,"riskscore":10,"ruletype":"File Type Control","second":48,"srvcertchainvalpass":"Unknown","srvcertvalidationtype":"EV (Extended 
Validation)","srvcertvalidityperiod":"Short","srvsslcipher":"SSL3_CK_RSA_NULL_MD5","serversslsessreuse":"Unknown","srvocspresult":"Good","srvtlsversion":"SSL2","srvwildcardcert":"Unknown","ssldecrypted":"Yes","throttlereqsize":5,"throttlerespsize":7,"totalsize":11800,"trafficredirectmethod":"DNAT (Destination Translation)","unscannabletype":"Encrypted File","upload_doctypename":"Corporate Finance","upload_fileclass":"upload_fileclass","upload_filetype":"RAR Files","urlcatmethod":"Database A","urlsubcat":"Entertainment","urlsupercat":"Travel","urlclass":"Bandwidth Loss","useragentclass":"Firefox","useragenttoken":"Google Chrome (0.x)","userlocationname":"userlocationname","year":2023,"ztunnelversion":"ZTUNNEL_1_0","zpa_app_seg_name":"ZPA_test_app_segment"}} ``` ### Enabling the integration in Elastic: diff --git a/packages/zscaler_zia/manifest.yml b/packages/zscaler_zia/manifest.yml index b02b0e9795d..814cf24c8db 100644 --- a/packages/zscaler_zia/manifest.yml +++ b/packages/zscaler_zia/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: zscaler_zia title: Zscaler Internet Access -version: "3.2.2" +version: "3.2.3" description: Collect logs from Zscaler Internet Access (ZIA) with Elastic Agent. type: integration categories: