Display Count of Distinct Locations

Track unique access locations

This is a query example for the Total Distinct Locations widget in the Web - User Investigation dashboard of the zscaler/internet-access package.

Query

Pipeline: Events -> Filter -> Filter -> Aggregate -> Result Set

```logscale
#event.dataset = "zia.web"
| user.email=~wildcard(*, ignoreCase=true)
| count("Vendor.location", distinct=true)
```

Introduction

This widget is used to count the number of unique locations from which users are accessing resources in Zscaler Internet Access.

In this widget, the count() function with distinct=true calculates the number of distinct locations, while the wildcard() pattern on user.email matches every email address (the pattern is *, compared case-insensitively), so that stage only requires that the user.email field be present on the event.

Example incoming data might look like this:

Event 1: @timestamp 2026-02-10T06:02:22, event.dataset zia.casbalert, @error true (@error_msg: Error parsing timestamp. errormsg="Text '2026-02-10T06:02:21.304Z' could not be parsed at index 0" zone="")
    rawstring: {"sourcetype":"zscalernss-casb","event":{"threatname":"Win32.Emotet","fullurl":"/images/products/electronics/phone-2024.jpg","dlpenginenames":"Credit Card","datetime":"2026-02-10T06:02:21.304Z","filename":"svchost.exe","recordid":"f47ac10b-58cc-4372-a567-0e02b2c3d479","policy":"Corporate Data Protection","dept":"IT","filescantimems":"0","dlpdictnames":"Credit Cards,SSN","company":"Acme Corporation","dlpdictcount":"123400","applicationname":"Salesforce","filesource":"OneDrive","login":"phishing@malicious-domain.com","tenant":"Production","filedownloadtimems":"1","filemd5":"a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0","lastmodtime":"2026-02-10T06:02:21.304Z"}}

Event 2: @timestamp 2026-02-10T06:02:22, event.dataset zia.auditevent, event.outcome success
    rawstring: {"event":{"clientip":"192.168.2.143","resource":"Firewall Rule","recordid":"6ba7b810-9dad-11d1-80b4-00c04fd430c8","result":"SUCCESS","auditlogtype":"Admin Audit","adminid":"admin@evil-site.net","subcategory":"Firewall Policy","interface":"UI","action":"Create","postaction":{},"preaction":{},"category":"Policy","time":"2026-02-10T06:02:22.099Z","errorcode":"ERR_001"},"sourcetype":"zscalernss-audit"}

Event 3: @timestamp 2026-02-10T06:02:23, event.dataset zia.edlpevent
    rawstring: {"sourcetype":"zscalernss-edlp","event":{"severity":"High","itemdstname":"explorer.exe","filemd5":"9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0","dlpdictnames":"PII,PHI","dept":"HR","filetypename":"PDF","dlpdictcount":"456700","login":"support@suspicious-portal.org","rulename":"Block Malware","recordid":"3d6f4e2a-8b9c-4f1e-a2d5-7c8e9f0a1b2c","actiontaken":"Allow","datetime":"2026-02-10T06:02:22.873Z","dlpenginenames":"SSN","channel":"Email"}}

Event 4: @timestamp 2026-02-10T06:02:24, event.dataset zia.tunnelevent, Vendor.location Seattle, Vendor.user adamsb
    rawstring: {"sourcetype":"zscalernss-tunnel","event":{"sourceip":"192.168.0.87","destinationportstart":"567800","lifebytes":"5372846913","protocol":"HTTP","datetime":"2026-02-10T06:02:23.647Z","authtype":"PSK","ikeversion":"2","destinationipstart":"192.168.2.16","sourceportstart":"234500","spi":"3847562891","srcipend":"192.168.4.198","destinationipend":"192.168.0.234","sourceport":"789300","location":"Seattle","Recordtype":"ike_phase2","srcipstart":"192.168.1.54","tunnelprotocol":"ESP","user":"adamsb","policydirection":"Inbound","recordid":"9e8d7c6b-5a4f-4e3d-2c1b-0a9f8e7d6c5b","lifetime":"4","tunneltype":"IPSEC IKEV 1","destinationip":"192.168.3.211","authentication":"SHA256","algo":"AES-256"}}

Event 5: @timestamp 2026-02-10T06:02:25, event.dataset zia.tunnelevent, Vendor.location Munich, Vendor.user andersonk
    rawstring: {"event":{"Recordtype":"ike_phase1","destinationip":"192.168.1.178","algo":"AES-192","location":"Munich","authentication":"SHA1","sourceport":"890100","datetime":"2026-02-10T06:02:24.417Z","lifetime":"13","spi_in":"2947183746","ikeversion":"2","authtype":"Certificate","tunneltype":"IPSEC IKEV 1","user":"andersonk","destinationport":"345600","sourceip":"192.168.3.45","recordid":"1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d","spi_out":"1928374655"},"sourcetype":"zscalernss-tunnel"}

The parser maps each key of the payload's event object to a Vendor.* field (for example event.location becomes Vendor.location), alongside ECS fields such as user.email, source.ip and source.geo.name.

Step-by-Step

  1. Starting with the source repository events.

  2. Pipeline stage: first Filter (Events -> [Filter] -> Filter -> Aggregate -> Result Set)

     ```logscale
     #event.dataset = "zia.web"
     ```

     Filters events where the #event.dataset field equals zia.web.

  3. Pipeline stage: second Filter (Events -> Filter -> [Filter] -> Aggregate -> Result Set)

     ```logscale
     | user.email=~wildcard(*, ignoreCase=true)
     ```

     Matches any email address in the user.email field using the wildcard() function. The ignoreCase parameter set to true ensures case-insensitive matching. Because the pattern is *, every value matches, so this stage effectively keeps only events that carry a user.email field.

  4. Pipeline stage: Aggregate (Events -> Filter -> Filter -> [Aggregate] -> Result Set)

     ```logscale
     | count("Vendor.location", distinct=true)
     ```

     Counts the number of distinct values in the Vendor.location field, and returns the result in a _count field.

  5. Event result set.
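The three stages above, simulated in plain Python over constructed events so that the effect of each stage can be checked outside LogScale. This is an added example, not code from the page or from the zscaler/internet-access package; the sample events, the glob-to-regex translation and the fold_case option are assumptions made for illustration (LogScale's own wildcard() and count() may differ in edge cases such as empty values), and the field names mirror the query's: "#event.dataset" for the tag, "user.email" and "Vendor.location" for the parsed fields.

```python
"""Simulation of the Total Distinct Locations query, stage by stage."""
import re

# Constructed parsed events (not from the page). Keys mirror LogScale field
# names: "#event.dataset" is the tag field, "Vendor.*" the vendor fields.
SAMPLE_EVENTS = [
    {"#event.dataset": "zia.web", "user.email": "adamsb@example.com",
     "Vendor.location": "Seattle"},
    {"#event.dataset": "zia.web", "user.email": "ADAMSB@EXAMPLE.COM",
     "Vendor.location": "Seattle"},
    {"#event.dataset": "zia.web", "user.email": "andersonk@example.com",
     "Vendor.location": "Munich"},
    {"#event.dataset": "zia.web", "user.email": "andersonk@example.com",
     "Vendor.location": "munich"},                  # same city, different casing
    {"#event.dataset": "zia.web", "Vendor.location": "Dublin"},      # no user.email
    {"#event.dataset": "zia.tunnelevent", "user.email": "vpn@example.com",
     "Vendor.location": "Tokyo"},                   # wrong dataset, stage 1 drops it
    {"#event.dataset": "zia.web", "user.email": "bob@example.com"},  # no location
]


def wildcard_to_regex(pattern, ignore_case=False):
    """Translate a glob pattern (* and ?) into an anchored regex, the way the
    pattern argument of wildcard() is interpreted here (assumption)."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile("^" + "".join(out) + "$", flags)


def filter_dataset(events, dataset):
    """Stage 1: #event.dataset = "<dataset>"."""
    return [e for e in events if e.get("#event.dataset") == dataset]


def filter_wildcard(events, field, pattern, ignore_case=False):
    """Stage 2: field =~ wildcard(pattern, ignoreCase=...).
    An event without the field never matches, even for the pattern "*"."""
    rx = wildcard_to_regex(pattern, ignore_case)
    return [e for e in events if field in e and rx.match(e[field])]


def count_distinct(events, field, fold_case=False):
    """Stage 3: count(field, distinct=true) -> {"_count": n}.
    Values are compared exactly; fold_case=True is an added option showing
    what lower-casing the field before counting would change."""
    values = set()
    for e in events:
        if field in e:
            value = e[field]
            values.add(value.lower() if fold_case else value)
    return {"_count": len(values)}


def run_query(events, email_pattern="*", fold_case=False):
    """The whole widget query; the default pattern "*" reproduces the page's query,
    a narrower pattern shows what a per-user dashboard parameter would do."""
    stage1 = filter_dataset(events, "zia.web")
    stage2 = filter_wildcard(stage1, "user.email", email_pattern, ignore_case=True)
    return count_distinct(stage2, "Vendor.location", fold_case)


if __name__ == "__main__":
    print(run_query(SAMPLE_EVENTS))                  # {'_count': 3}
    print(run_query(SAMPLE_EVENTS, "adamsb@*"))      # {'_count': 1}
    print(run_query(SAMPLE_EVENTS, fold_case=True))  # {'_count': 2}
```

Two things the run makes visible that the query text alone does not: the tunnel event from Tokyo and the Dublin event with no user.email never reach the aggregate, and "Munich" and "munich" are counted as two locations because distinct counting compares exact values, so an inconsistent location label inflates the widget unless the field is normalised upstream.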

Summary and Results

The widget is used to monitor the total number of unique locations from which users are accessing web resources through Zscaler Internet Access.

This widget is useful for tracking geographic access patterns and identifying potential security concerns related to unusual access locations.

Sample output from the incoming example data:

_count
25

The output shows the total number of unique locations (_count) found in the filtered web traffic data.