Skip to content

Zscaler CASB

Zscaler CASB

About

Zscaler delivers multimode CASB as a service along with SWG, ZTNA, and more as part of our comprehensive Zscaler Zero Trust Exchange platform to help you eliminate point products, reduce IT complexity, and inspect traffic in a single pass. Your administrators simply configure one automated policy for consistent security across all cloud data channels.

Product Details

Vendor URL: Zscaler CASB

Product Type: CASB

Product Tier: Tier I

Integration Method: Custom

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON

Expected Normalization Rate: near 100%

Data Label: ZSCALER_CASB

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
CASB metadata.product_name
Zscaler metadata.vendor_name
event.recordid metadata.product_log_id
event.filename target.file.names
event.filesource target.file.full_path
event.filemd5 target.file.md5
event.login principal.user.userid
event.tenant principal.location.name
event.applicationname principal.asset.software
event.dept principal.user.department
event.rule_name security_result.policy
event.threatname security_result.threat_name

Product Event Types

Event UDM Event Classification
all events GENERIC_EVENT

Log Sample

{ "sourcetype" : "zscalernss-casb", "event" :{"recordid":"7120REDACTED688706","company":"CompanyName, Inc","tenant":"Company_Prod_SharePoint","login":"john.doe@company-domain","dept":"Technology Services","applicationname":"SHAREPOINT","filename":"filename.xlsx","filesource":"/sites/Shared%20Documents/General","filemd5":"None","threatname":"None","policy":"None","dlpdictnames":"None","dlpdictcount":"None","dlpenginenames":"None","fullurl":"Unknown URL","lastmodtime":"Fri Jul 15 13:45:11 2022","filescantimems":"356","filedownloadtimems":"232"}}

Sample Parsing

metadata.product_log_id = "7120REDACTED88706"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Zscaler"
metadata.product_name = "CASB"
principal.user.userid = "john.doe@company-domain.com"
principal.user.department = "Technology Services"
principal.location.name = "Company_Prod_SharePoint"
principal.asset.software.name = "SHAREPOINT"
target.file.full_path = "/sites/Shared%20Documents/General"
target.file.names = "filename.xlsx"
security_result.threat_name = "None"

Parser Alerting

This product currently does not have any Parser-based Alerting