Zscaler WebProxy
About
Zscaler operates the world's largest security-as-a-service (SaaS) cloud platform to provide the industry's only 100% cloud-delivered web and mobile security solution. The highly scalable, global, multi-cloud infrastructure features three key components: the Zscaler Central Authority, ZIA Public Service Edges (formerly Zscaler Enforcement Nodes or ZENs), and Nanolog clusters.
Product Details
Product Type: SaaS
Product Tier: Tier III
Integration URL: Zscaler WebProxy Technical Documentation
Integration Method: Custom
Log Guide: Log Format
Parser Details
Log Format: JSON, Syslog
Expected Normalization Rate: 99%-100%
Data Label: ZSCALER_WEBPROXY
UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| action | security_result.action |
| appclass | security_result.detection_fields |
| appname | security_result.detection_fields |
| ClientIP | principal.ip |
| clientpublicIP | principal.nat_ip |
| datetime | metadata.event_timestamp |
| department | principal.user.department |
| devicehostname | principal.hostname |
| deviceowner | about.user.userid |
| event_id | metadata.product_log_id |
| filetype | security_result.detection_fields |
| hostname | target.hostname |
| pagerisk | security_result.detection_fields |
| protocol | network.application_protocol |
| reason | security_result.description |
| refererURL | network.http.referral_url |
| requestmethod | network.http.method |
| requestsize | network.sent_bytes |
| responsesize | network.received_bytes |
| serverip | target.ip |
| sourcetype | principal.application |
| status | network.http.response_code |
| url | target.url |
| urlcategory | security_result.category_details |
| urlclass | security_result.detection_fields |
| urlsupercategory | security_result.category_details |
| user | principal.user.email_addresses |
| useragent | network.http.user_agent |
Product Event Types

| Event | UDM Event Classification |
|---|---|
| zscalernss-web | NETWORK_HTTP |
| Private Access | NETWORK_CONNECTION |
| all others | GENERIC_EVENT |
Log Sample
{ "sourcetype" : "zscalernss-web", "event" : {"datetime":"2023-04-24 20:47:05","reason":"Allowed","event_id":"7176737558490578946","protocol":"HTTPS","action":"Allowed","transactionsize":"5504","responsesize":"1374","requestsize":"4130","urlcategory":"Internet Services","serverip":"10.233.185.113","clienttranstime":"168","requestmethod":"POST","refererURL":"drive.google.com/","useragent":"Mozilla/5.0%20(Macintosh;%20Intel%20Mac%20OS%20X%2010.15;%20rv:107.0)%20Gecko/20100101%20Firefox/107.0","product":"NSS","location":"Location1","ClientIP":"10.0.0.52","status":"200","user":"first.last@domain.com","url":"hostname2/log?format=json&hasfast=true&authuser=0","vendor":"Zscaler","hostname":"hostname2","clientpublicIP":"10.7.0.199","threatcategory":"None","threatname":"None","filetype":"GZIP","appname":"Google Play","pagerisk":"0","department":"DigitalSolutions","urlsupercategory":"Internet Communication","appclass":"Mobile App Download","dlpengine":"None","urlclass":"Business Use","threatclass":"None","dlpdictionaries":"None","fileclass":"Archive Files","bwthrottle":"NO","servertranstime":"24","contenttype":"text/plain","unscannabletype":"None","deviceowner":"username1","devicehostname":"hostname1"}}
Sample Parsing
metadata.event_timestamp = "2023-04-24 20:47:05"
metadata.vendor_name = "Zscaler"
metadata.product_name = "WebProxy"
metadata.event_type = "NETWORK_HTTP"
metadata.product_log_id = "1234567890"
principal.hostname = "hostname1"
principal.user.email_addresses = "first.last@domain.com"
principal.ip = "10.0.0.52"
principal.nat_ip = "10.7.0.199"
principal.application = "zscalernss-web"
target.hostname = "hostname2"
target.ip = "10.233.185.113"
target.url = "hostname2/log?format=json&hasfast=true&authuser=0"
about.user.userid = "username1"
security_result.category_details = "Internet Services"
security_result.category_details = "Internet Communication"
security_result.detection_fields[0].key = "appclass"
security_result.detection_fields[0].value = "Mobile App Download"
security_result.detection_fields[1].key = "appname"
security_result.detection_fields[1].value = "Google Play"
security_result.detection_fields[2].key = "filetype"
security_result.detection_fields[2].value = "GZIP"
security_result.detection_fields[3].key = "pagerisk"
security_result.detection_fields[3].value = "0"
security_result.detection_fields[4].key = "urlclass"
security_result.detection_fields[4].value = "Business Use"
security_result.description = "Allowed"
security_result.action = "ALLOW"
network.sent_bytes = "4130"
network.received_bytes = "1374"
network.application_protocol = "HTTPS"
network.http.method = "POST"
network.http.referral_url = "drive.google.com/"
network.http.user_agent = "Mozilla/5.0%20(Macintosh;%20Intel%20Mac%20OS%20X%2010.15;%20rv:107.0)%20Gecko/20100101%20Firefox/107.0"
network.http.response_code = "200"
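As an added example (not part of this page, nor Zscaler's or the Chronicle parser's own code), a Python mapping of the NSS record above onto the UDM paths from the field table, reproducing the sample parsing: scalar fields copy across, the repeated fields collect into lists, and the vendor action normalizes to the UDM enum. The sample record is a constructed, trimmed copy of the Log Sample; the "Blocked" to "BLOCK" mapping and the UNKNOWN_ACTION fallback are assumptions, and the Private Access classification is not covered.

```python
import json

# Scalar mappings taken from the parser field table above.
SCALAR_MAP = {
    "ClientIP": "principal.ip", "clientpublicIP": "principal.nat_ip",
    "datetime": "metadata.event_timestamp", "department": "principal.user.department",
    "devicehostname": "principal.hostname", "deviceowner": "about.user.userid",
    "event_id": "metadata.product_log_id", "hostname": "target.hostname",
    "protocol": "network.application_protocol", "reason": "security_result.description",
    "refererURL": "network.http.referral_url", "requestmethod": "network.http.method",
    "requestsize": "network.sent_bytes", "responsesize": "network.received_bytes",
    "serverip": "target.ip", "status": "network.http.response_code", "url": "target.url",
    "user": "principal.user.email_addresses", "useragent": "network.http.user_agent",
}
# Repeated UDM fields, collected in the order the sample parsing above lists them.
DETECTION_KEYS = ("appclass", "appname", "filetype", "pagerisk", "urlclass")
CATEGORY_KEYS = ("urlcategory", "urlsupercategory")
# The page only shows "Allowed" -> "ALLOW"; "Blocked" -> "BLOCK" is an assumption.
ACTION_MAP = {"Allowed": "ALLOW", "Blocked": "BLOCK"}

def parse_zscaler_web(line: str) -> dict:
    """Map one NSS JSON record (top-level sourcetype + nested event) to flat UDM paths."""
    rec = json.loads(line)
    event = rec.get("event", {})
    sourcetype = rec.get("sourcetype", "")
    udm = {
        "metadata.vendor_name": "Zscaler",
        "metadata.product_name": "WebProxy",
        # Classification from the Product Event Types table; Private Access is not handled here.
        "metadata.event_type": "NETWORK_HTTP" if sourcetype == "zscalernss-web" else "GENERIC_EVENT",
        "principal.application": sourcetype,
    }
    for src, dst in SCALAR_MAP.items():
        if src in event:
            udm[dst] = event[src]
    # Vendor actions the map does not know become UNKNOWN_ACTION instead of a raw string.
    udm["security_result.action"] = ACTION_MAP.get(event.get("action"), "UNKNOWN_ACTION")
    udm["security_result.category_details"] = [event[k] for k in CATEGORY_KEYS if k in event]
    udm["security_result.detection_fields"] = [{"key": k, "value": event[k]} for k in DETECTION_KEYS if k in event]
    return udm

# Constructed sample: a trimmed copy of the page's NSS log record.
SAMPLE_LINE = json.dumps({"sourcetype": "zscalernss-web", "event": {
    "datetime": "2023-04-24 20:47:05", "event_id": "7176737558490578946", "protocol": "HTTPS",
    "action": "Allowed", "reason": "Allowed", "responsesize": "1374", "requestsize": "4130",
    "urlcategory": "Internet Services", "urlsupercategory": "Internet Communication",
    "serverip": "10.233.185.113", "requestmethod": "POST", "ClientIP": "10.0.0.52", "status": "200",
    "user": "first.last@domain.com", "url": "hostname2/log?format=json&hasfast=true&authuser=0",
    "hostname": "hostname2", "appclass": "Mobile App Download", "appname": "Google Play", "filetype": "GZIP",
    "pagerisk": "0", "urlclass": "Business Use", "deviceowner": "username1", "devicehostname": "hostname1"}})
```

Calling `parse_zscaler_web(SAMPLE_LINE)` yields the paths listed under Sample Parsing, with `product_log_id` taken from the record's `event_id`.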
Rules
Coming Soon