Zscaler CASB
About
Zscaler delivers multimode CASB as a service along with SWG, ZTNA, and more as part of our comprehensive Zscaler Zero Trust Exchange platform to help you eliminate point products, reduce IT complexity, and inspect traffic in a single pass. Your administrators simply configure one automated policy for consistent security across all cloud data channels.
Product Details
Vendor URL: Zscaler CASB
Product Type: CASB
Product Tier: Tier I
Integration Method: Custom
Log Guide: Sample Logs by Log Type
Parser Details
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: ZSCALER_CASB
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
CASB | metadata.product_name |
Zscaler | metadata.vendor_name |
event.recordid | metadata.product_log_id |
event.filename | target.file.names |
event.filesource | target.file.full_path |
event.filemd5 | target.file.md5 |
event.login | principal.user.userid |
event.tenant | principal.location.name |
event.applicationname | principal.asset.software |
event.dept | principal.user.department |
event.rule_name | security_result.policy |
event.threatname | security_result.threat_name |
Product Event Types
Event | UDM Event Classification |
---|---|
all events | GENERIC_EVENT |
Log Sample
{ "sourcetype" : "zscalernss-casb", "event" :{"recordid":"7120REDACTED688706","company":"CompanyName, Inc","tenant":"Company_Prod_SharePoint","login":"john.doe@company-domain","dept":"Technology Services","applicationname":"SHAREPOINT","filename":"filename.xlsx","filesource":"/sites/Shared%20Documents/General","filemd5":"None","threatname":"None","policy":"None","dlpdictnames":"None","dlpdictcount":"None","dlpenginenames":"None","fullurl":"Unknown URL","lastmodtime":"Fri Jul 15 13:45:11 2022","filescantimems":"356","filedownloadtimems":"232"}}
Sample Parsing
metadata.product_log_id = "7120REDACTED88706"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Zscaler"
metadata.product_name = "CASB"
principal.user.userid = "john.doe@company-domain.com"
principal.user.department = "Technology Services"
principal.location.name = "Company_Prod_SharePoint"
principal.asset.software.name = "SHAREPOINT"
target.file.full_path = "/sites/Shared%20Documents/General"
target.file.names = "filename.xlsx"
security_result.threat_name = "None"
Parser Alerting
This product currently does not have any parser-based alerting.
Rules
Coming Soon