Display Actions by Traffic Volume

Track action types and traffic volume over time

This is a query example for the Actions Over Time by Volume widget in the Web - User Investigation dashboard of the zscaler/internet-access package.

Query

Pipeline: Events -> Filter -> Filter -> Filter -> Aggregate -> Result Set
logscale
#event.dataset = "zia.web"
| user.email=~wildcard(*, ignoreCase=true)
| http.request.bytes!=0
| timechart(event.action, function=sum(http.request.bytes))

Introduction

This widget is used to visualize the distribution of actions (allowed, blocked, cautioned) and their associated traffic volumes in Zscaler Internet Access web traffic over time.

In this widget, the timeChart() function tracks action types and their traffic volumes over time, while the wildcard() function matches any user.email value regardless of case.

Example incoming data might look like this:

Each event is shown as its @timestamp, #event.dataset and @rawstring; the original table also carries the parsed Vendor.* and ECS fields (destination.*, event.*, file.*, source.*, url.*, user.*), omitted here for readability.

@timestamp: 2026-02-10T06:02:22  #event.dataset: zia.casbalert
@rawstring: {"sourcetype":"zscalernss-casb","event":{"threatname":"Win32.Emotet","fullurl":"/images/products/electronics/phone-2024.jpg","dlpenginenames":"Credit Card","datetime":"2026-02-10T06:02:21.304Z","filename":"svchost.exe","recordid":"f47ac10b-58cc-4372-a567-0e02b2c3d479","policy":"Corporate Data Protection","dept":"IT","filescantimems":"0","dlpdictnames":"Credit Cards,SSN","company":"Acme Corporation","dlpdictcount":"123400","applicationname":"Salesforce","filesource":"OneDrive","login":"phishing@malicious-domain.com","tenant":"Production","filedownloadtimems":"1","filemd5":"a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0","lastmodtime":"2026-02-10T06:02:21.304Z"}}

@timestamp: 2026-02-10T06:02:22  #event.dataset: zia.auditevent
@rawstring: {"event":{"clientip":"192.168.2.143","resource":"Firewall Rule","recordid":"6ba7b810-9dad-11d1-80b4-00c04fd430c8","result":"SUCCESS","auditlogtype":"Admin Audit","adminid":"admin@evil-site.net","subcategory":"Firewall Policy","interface":"UI","action":"Create","postaction":{},"preaction":{},"category":"Policy","time":"2026-02-10T06:02:22.099Z","errorcode":"ERR_001"},"sourcetype":"zscalernss-audit"}

@timestamp: 2026-02-10T06:02:23  #event.dataset: zia.edlpevent
@rawstring: {"sourcetype":"zscalernss-edlp","event":{"severity":"High","itemdstname":"explorer.exe","filemd5":"9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0","dlpdictnames":"PII,PHI","dept":"HR","filetypename":"PDF","dlpdictcount":"456700","login":"support@suspicious-portal.org","rulename":"Block Malware","recordid":"3d6f4e2a-8b9c-4f1e-a2d5-7c8e9f0a1b2c","actiontaken":"Allow","datetime":"2026-02-10T06:02:22.873Z","dlpenginenames":"SSN","channel":"Email"}}

@timestamp: 2026-02-10T06:02:24  #event.dataset: zia.tunnelevent
@rawstring: {"sourcetype":"zscalernss-tunnel","event":{"sourceip":"192.168.0.87","destinationportstart":"567800","lifebytes":"5372846913","protocol":"HTTP","datetime":"2026-02-10T06:02:23.647Z","authtype":"PSK","ikeversion":"2","destinationipstart":"192.168.2.16","sourceportstart":"234500","spi":"3847562891","srcipend":"192.168.4.198","destinationipend":"192.168.0.234","sourceport":"789300","location":"Seattle","Recordtype":"ike_phase2","srcipstart":"192.168.1.54","tunnelprotocol":"ESP","user":"adamsb","policydirection":"Inbound","recordid":"9e8d7c6b-5a4f-4e3d-2c1b-0a9f8e7d6c5b","lifetime":"4","tunneltype":"IPSEC IKEV 1","destinationip":"192.168.3.211","authentication":"SHA256","algo":"AES-256"}}

@timestamp: 2026-02-10T06:02:25  #event.dataset: zia.tunnelevent
@rawstring: {"event":{"Recordtype":"ike_phase1","destinationip":"192.168.1.178","algo":"AES-192","location":"Munich","authentication":"SHA1","sourceport":"890100","datetime":"2026-02-10T06:02:24.417Z","lifetime":"13","spi_in":"2947183746","ikeversion":"2","authtype":"Certificate","tunneltype":"IPSEC IKEV 1","user":"andersonk","destinationport":"345600","sourceip":"192.168.3.45","recordid":"1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d","spi_out":"1928374655"},"sourcetype":"zscalernss-tunnel"}

Step-by-Step

  1. Starting with the source repository events.

  2. Pipeline stage: Events -> [Filter] -> Filter -> Filter -> Aggregate -> Result Set
    logscale
    #event.dataset = "zia.web"

    Filters events where the #event.dataset field equals zia.web.

  3. Pipeline stage: Events -> Filter -> [Filter] -> Filter -> Aggregate -> Result Set
    logscale
    | user.email=~wildcard(*, ignoreCase=true)

    Matches any email address in the user.email field using the wildcard() function. The ignoreCase parameter set to true ensures case-insensitive matching.

  4. Pipeline stage: Events -> Filter -> Filter -> [Filter] -> Aggregate -> Result Set
    logscale
    | http.request.bytes!=0

    Filters events where the http.request.bytes field is not equal to zero.

  5. Pipeline stage: Events -> Filter -> Filter -> Filter -> [Aggregate] -> Result Set
    logscale
    | timechart(event.action, function=sum(http.request.bytes))

    Creates a timechart showing the sum of bytes for each action type from the event.action field. The timeChart() function automatically groups the data into time buckets and returns the sum in a _sum field and the timestamp in a _bucket field.

  6. Event Result set.
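The four stages above, replayed in Python over constructed zia.web events so the behaviour of each filter and of the timeChart() bucketing can be inspected. This is an added illustration, not code from the page or the zscaler/internet-access package; the 15-minute span is assumed from the spacing of the _bucket values in the sample output, and the zero-filled window is assumed to run from the earliest to the latest bucket that received data.

```python
from collections import defaultdict

SPAN_MS = 15 * 60 * 1000  # assumed bucket width: _bucket values in the sample output are 900000 ms apart

# Constructed events (not the page's sample data); @timestamp is epoch milliseconds.
# 1770703200000 ms is 2026-02-10T06:00:00Z, 1770702300000 ms is 05:45:00Z.
EVENTS = [
    {"#event.dataset": "zia.web", "@timestamp": 1770703342000, "user.email": "Alice@Acme.com",
     "event.action": "allowed", "http.request.bytes": 120000},
    {"#event.dataset": "zia.web", "@timestamp": 1770703401000, "user.email": "bob@acme.com",
     "event.action": "blocked", "http.request.bytes": 314072},
    {"#event.dataset": "zia.web", "@timestamp": 1770703455000, "user.email": "alice@acme.com",
     "event.action": "allowed", "http.request.bytes": 176824},
    {"#event.dataset": "zia.web", "@timestamp": 1770703500000, "user.email": "dave@acme.com",
     "event.action": "cautioned", "http.request.bytes": 281233},
    {"#event.dataset": "zia.web", "@timestamp": 1770702400000, "user.email": "erin@acme.com",
     "event.action": "blocked", "http.request.bytes": 10000},
    # dropped by stage 4: zero request bytes
    {"#event.dataset": "zia.web", "@timestamp": 1770702450000, "user.email": "carol@acme.com",
     "event.action": "cautioned", "http.request.bytes": 0},
    # dropped by stage 3: wildcard(*) matches any value, but the user.email field must exist
    {"#event.dataset": "zia.web", "@timestamp": 1770702600000,
     "event.action": "allowed", "http.request.bytes": 5000},
    # dropped by stage 2: not a zia.web event
    {"#event.dataset": "zia.auditevent", "@timestamp": 1770703342000, "user.email": "admin@acme.com",
     "event.action": "Create", "http.request.bytes": 900},
]


def matches(event):
    """Stages 2-4 of the query: dataset filter, user.email presence (wildcard(*)), non-zero bytes."""
    if event.get("#event.dataset") != "zia.web":
        return False
    if event.get("user.email") is None:  # =~wildcard(*, ignoreCase=true) never matches a missing field
        return False
    return int(event.get("http.request.bytes", 0)) != 0


def timechart_sum(events, span_ms=SPAN_MS):
    """Stage 5: timechart(event.action, function=sum(http.request.bytes)).
    Returns rows of {_bucket, event.action, _sum}; every series is zero-filled in every bucket."""
    sums, buckets, series = defaultdict(int), set(), set()
    for e in filter(matches, events):
        bucket = e["@timestamp"] - e["@timestamp"] % span_ms  # floor to the bucket start
        sums[(bucket, e["event.action"])] += int(e["http.request.bytes"])
        buckets.add(bucket)
        series.add(e["event.action"])
    if not buckets:
        return []
    window = range(min(buckets), max(buckets) + span_ms, span_ms)
    return [{"_bucket": b, "event.action": a, "_sum": sums[(b, a)]}
            for b in window for a in sorted(series)]
```

The rows with _sum of 0 correspond to the zero-valued rows in the sample output: a series that had no events in a bucket still gets a point there.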

Summary and Results

The widget is used to monitor the volume of web traffic associated with different action types (allowed, blocked, cautioned) over time.

This widget is useful to understand traffic patterns and identify potential anomalies in the volume of allowed or blocked traffic.

Sample output from the incoming example data:

_bucket        _sum    event.action
1770703200000  281233  cautioned
1770702300000  0       cautioned
1770702300000  0       allowed
1770703200000  296824  allowed
1770703200000  314072  blocked

The output shows the total bytes (_sum) for each action type (event.action) within specific time periods (_bucket).