Display Top User Agents

Track most frequently used browser types

This is a query example for the Top User Agents widget in the Web - User Investigation dashboard of the zscaler/internet-access package.

Query

Query pipeline: Events -> Filter -> Filter -> Filter -> Aggregate -> Result Set

#event.dataset = "zia.web"
| user.email=~wildcard(*, ignoreCase=true)
| event.action="allowed"
| top(user_agent.original, limit=100)

Introduction

This widget is used to identify and rank the most frequently used user agents in allowed web traffic from Zscaler Internet Access logs.

In this widget, the top() function ranks user agents by frequency of use, while the wildcard() function with ignoreCase=true matches any user.email value regardless of case.

Example incoming data might look like this (the @rawstring of each event is shown; the parsed columns are omitted):

{"sourcetype":"zscalernss-casb","event":{"threatname":"Win32.Emotet","fullurl":"/images/products/electronics/phone-2024.jpg","dlpenginenames":"Credit Card","datetime":"2026-02-10T06:02:21.304Z","filename":"svchost.exe","recordid":"f47ac10b-58cc-4372-a567-0e02b2c3d479","policy":"Corporate Data Protection","dept":"IT","filescantimems":"0","dlpdictnames":"Credit Cards,SSN","company":"Acme Corporation","dlpdictcount":"123400","applicationname":"Salesforce","filesource":"OneDrive","login":"phishing@malicious-domain.com","tenant":"Production","filedownloadtimems":"1","filemd5":"a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0","lastmodtime":"2026-02-10T06:02:21.304Z"}}
{"event":{"clientip":"192.168.2.143","resource":"Firewall Rule","recordid":"6ba7b810-9dad-11d1-80b4-00c04fd430c8","result":"SUCCESS","auditlogtype":"Admin Audit","adminid":"admin@evil-site.net","subcategory":"Firewall Policy","interface":"UI","action":"Create","postaction":{},"preaction":{},"category":"Policy","time":"2026-02-10T06:02:22.099Z","errorcode":"ERR_001"},"sourcetype":"zscalernss-audit"}
{"sourcetype":"zscalernss-edlp","event":{"severity":"High","itemdstname":"explorer.exe","filemd5":"9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0","dlpdictnames":"PII,PHI","dept":"HR","filetypename":"PDF","dlpdictcount":"456700","login":"support@suspicious-portal.org","rulename":"Block Malware","recordid":"3d6f4e2a-8b9c-4f1e-a2d5-7c8e9f0a1b2c","actiontaken":"Allow","datetime":"2026-02-10T06:02:22.873Z","dlpenginenames":"SSN","channel":"Email"}}
{"sourcetype":"zscalernss-tunnel","event":{"sourceip":"192.168.0.87","destinationportstart":"567800","lifebytes":"5372846913","protocol":"HTTP","datetime":"2026-02-10T06:02:23.647Z","authtype":"PSK","ikeversion":"2","destinationipstart":"192.168.2.16","sourceportstart":"234500","spi":"3847562891","srcipend":"192.168.4.198","destinationipend":"192.168.0.234","sourceport":"789300","location":"Seattle","Recordtype":"ike_phase2","srcipstart":"192.168.1.54","tunnelprotocol":"ESP","user":"adamsb","policydirection":"Inbound","recordid":"9e8d7c6b-5a4f-4e3d-2c1b-0a9f8e7d6c5b","lifetime":"4","tunneltype":"IPSEC IKEV 1","destinationip":"192.168.3.211","authentication":"SHA256","algo":"AES-256"}}
{"event":{"Recordtype":"ike_phase1","destinationip":"192.168.1.178","algo":"AES-192","location":"Munich","authentication":"SHA1","sourceport":"890100","datetime":"2026-02-10T06:02:24.417Z","lifetime":"13","spi_in":"2947183746","ikeversion":"2","authtype":"Certificate","tunneltype":"IPSEC IKEV 1","user":"andersonk","destinationport":"345600","sourceip":"192.168.3.45","recordid":"1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d","spi_out":"1928374655"},"sourcetype":"zscalernss-tunnel"}

Step-by-Step

  1. Starting with the source repository events.

  2. Filter (stage 1 of the pipeline):

    #event.dataset = "zia.web"

    Filters events where the #event.dataset field equals zia.web.

  3. Filter (stage 2 of the pipeline):

    | user.email=~wildcard(*, ignoreCase=true)

    Matches any email address in the user.email field using the wildcard() function. The ignoreCase parameter set to true ensures case-insensitive matching.

  4. Filter (stage 3 of the pipeline):

    | event.action="allowed"

    Filters events where the event.action field equals allowed.

  5. Aggregate (stage 4 of the pipeline):

    | top(user_agent.original, limit=100)

    Finds the most frequent values in the user_agent.original field and returns each value with its frequency in a _count field, most frequent first. The limit parameter restricts the output to 100 entries.

  6. Event Result set.
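To make the four pipeline stages concrete, here is an added Python example (not part of the original page or the zscaler/internet-access package) that applies the same three filters and the top() aggregation to a handful of constructed zia.web events. The event field names follow the query above; the sample user agents, emails and actions are constructed, and the example assumes that the wildcard() filter on user.email only keeps events where that field is present.

```python
from collections import Counter

# Constructed sample events (not from the page), flattened to the field
# names the widget query uses. Events are deliberately varied so each
# filter and the top() ranking can be seen doing something.
EVENTS = [
    {"#event.dataset": "zia.web", "user.email": "Alice@Example.com", "event.action": "allowed",
     "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/96.0"},
    {"#event.dataset": "zia.web", "user.email": "bob@example.com", "event.action": "allowed",
     "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/96.0"},
    {"#event.dataset": "zia.web", "user.email": "bob@example.com", "event.action": "blocked",
     "user_agent.original": "curl/7.79.1"},                       # dropped: not allowed
    {"#event.dataset": "zia.web", "event.action": "allowed",      # dropped: no user.email
     "user_agent.original": "python-requests/2.28"},
    {"#event.dataset": "zia.audit", "user.email": "bob@example.com", "event.action": "allowed",
     "user_agent.original": "Mozilla/5.0 (Macintosh) Safari/605.1.15"},  # dropped: wrong dataset
    {"#event.dataset": "zia.web", "user.email": "carol@example.com", "event.action": "allowed",
     "user_agent.original": "Mozilla/5.0 (Macintosh) Safari/605.1.15"},
]


def top_user_agents(events, limit=100):
    """Mirror the widget query: three filters, then top(user_agent.original)."""
    counts = Counter()
    for ev in events:
        if ev.get("#event.dataset") != "zia.web":          # #event.dataset = "zia.web"
            continue
        # user.email=~wildcard(*, ignoreCase=true): any value matches regardless
        # of case, but (assumption) the field must exist for the match to succeed.
        if "user.email" not in ev:
            continue
        if ev.get("event.action") != "allowed":            # event.action="allowed"
            continue
        ua = ev.get("user_agent.original")
        if ua is not None:                                  # top() counts only events with the field
            counts[ua] += 1
    # top() emits the value plus its _count, most frequent first, capped at limit
    return [{"user_agent.original": ua, "_count": n} for ua, n in counts.most_common(limit)]


if __name__ == "__main__":
    for row in top_user_agents(EVENTS):
        print(row["_count"], row["user_agent.original"])
```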

Summary and Results

The widget is used to monitor which browsers and client applications are most frequently used to access web resources through Zscaler Internet Access.

This widget is useful to understand client application usage patterns and identify potentially unauthorized or outdated browsers.

Sample output from the incoming example data:

_count  user_agent.original
1       Mozilla/5.0 (iPad; CPU OS 15_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/97.0.4692.84 Mobile/15E148 Safari/604.1
1       Mozilla/5.0 (iPhone; CPU iPhone OS 15_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1
1       Mozilla/5.0 (Android 12; Mobile; rv:96.0) Gecko/96.0 Firefox/96.0
1       Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62
1       Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 OPR/82.0.4227.50

The output shows the frequency count (_count) for each user agent string (user_agent.original), sorted by most frequently used.