Parsers and Generated Fields
Tag Fields Created by Parser zscaler-internetaccess
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser zscaler-internetaccess
| Vendor Field | CPS Field | Description |
|---|---|---|
| message | @rawstring | |
| `dns.answers[]` | Array | Vendor.dns_resp |
| `event.category[]` | Array | Vendor.sourcetype |
| `event.type[]` | Array | Vendor.sourcetype, Vendor.action, Vendor.threatname |
| `http.request.referrer` | Base64 | Vendor.refererURL |
| `url.original` | Base64 | Vendor.url |
| `client.port` | Copied | Vendor.clt_sport |
| `destination.domain` | Copied | Vendor.hostname |
| `destination.geo.country_name` | Copied | Vendor.destcountry |
| `dns.question.name` | Copied | Vendor.dns_req |
| `dns.question.type` | Copied | Vendor.dns_reqtype |
| `event.action` | Copied | Vendor.action |
| `event.id` | Copied | Vendor.recordid |
| `event.reason` | Copied | Vendor.reason |
| `event.risk_score` | Copied | Vendor.riskscore |
| `file.directory` | Copied | Vendor.filesource |
| `file.hash.md5` | Copied | Vendor.bamd5, Vendor.filemd5 |
| `file.name` | Copied | Vendor.filename |
| `file.owner` | Copied | Vendor.owner |
| `file.type` | Copied | Vendor.filetype |
| `group.name` | Copied | Vendor.company |
| `host.hostname` | Copied | Vendor.devicehostname |
| `host.name` | Copied | Vendor.devicehostname |
| `http.request.bytes` | Copied | Vendor.requestsize |
| `http.request.method` | Copied | Vendor.requestmethod |
| `http.request.mime_type` | Copied | Vendor.contenttype |
| `http.response.bytes` | Copied | Vendor.responsesize |
| `http.response.status_code` | Copied | Vendor.status |
| `network.application` | Copied | Vendor.nwapp |
| `network.transport` | Copied | Vendor.proto |
| `network.type` | Copied | Vendor.tunneltype |
| `rule.ruleset` | Copied | Vendor.ruletype |
| `source.geo.name` | Copied | Vendor.location |
| `url.domain` | Copied | Vendor.hostname |
| `url.full` | Copied | Vendor.fullurl |
| `url.path` | Extracted | Vendor.url |
| `user.domain` | Extracted | Vendor.user, Vendor.elogin, Vendor.login, Vendor.adminid |
| `user.name` | Extracted | Vendor.user, Vendor.elogin, Vendor.login, Vendor.adminid |
| `destination.bytes` | Mapped | Vendor.inbytes, Vendor.rxbytes |
| `destination.ip` | Mapped | Vendor.srv_dip, Vendor.sdip, Vendor.serverip, Vendor.destinationip |
| `destination.port` | Mapped | Vendor.srv_dport, Vendor.sdport, Vendor.destinationport |
| `event.severity` | Mapped | Vendor.severity |
| `file.extension` | Mapped | Vendor.filesubtype, Vendor.filetypename |
| `network.protocol` | Mapped | Vendor.protocol, Vendor.nwsvc |
| `rule.name` | Mapped | Vendor.rulelabel, Vendor.rulename, Vendor.policy, Vendor.threatname |
| `source.bytes` | Mapped | Vendor.outbytes, Vendor.txbytes |
| `source.ip` | Mapped | Vendor.clt_sip, Vendor.csip, Vendor.ClientIP, Vendor.sourceip, Vendor.clientip |
| `source.port` | Mapped | Vendor.csport, Vendor.sourceport, Vendor.clt_sport |
| `@timestamp` | Parsed | Vendor.datetime, Vendor.time |
| `file.mtime` | Parsed | Vendor.lastmodtime |
| `event.original.hash.sha256` | SHA256 | @rawstring |
| `event.dataset` | Set | Vendor.sourcetype |
| `event.original` | Set | @rawstring |
| `event.outcome` | Set | Vendor.result |
| `network.direction` | Set | Vendor.policydirection |
| `source.nat.ip` | Set | Vendor.ClientIP, Vendor.clientpublicIP |
| `user.email` | Set | Vendor.user, Vendor.elogin, Vendor.login, Vendor.adminid |
| `ecs.version` | Static | None |
| `event.kind` | Static | Vendor.threatname |
| `event.module` | Static | None |
| `user_agent.original` | URL | Vendor.useragent |
| Vendor.clt_sport | client.port | |
| Vendor.inbytes | destination.bytes | |
| Vendor.rxbytes | destination.bytes | |
| Vendor.destcountry | destination.geo.country_name | |
| Vendor.destinationip | destination.ip | |
| Vendor.sdip | destination.ip | |
| Vendor.serverip | destination.ip | |
| Vendor.srv_dip | destination.ip | |
| Vendor.destinationport | destination.port | |
| Vendor.sdport | destination.port | |
| Vendor.srv_dport | destination.port | |
| Vendor.dns_req | dns.question.name | |
| Vendor.dns_reqtype | dns.question.type | |
| Vendor.action | event.action | |
| Vendor.actiontaken | event.action | |
| Vendor.event | event.action | |
| Vendor.recordid | event.id | |
| Vendor.eventreason | event.reason | |
| Vendor.reason | event.reason | |
| Vendor.riskscore | event.risk_score | |
| Vendor.filesource | file.directory | |
| Vendor.filesubtype | file.extension | |
| Vendor.filetypename | file.extension | |
| Vendor.filename | file.name | |
| Vendor.owner | file.owner | |
| Vendor.filetype | file.type | |
| Vendor.company | group.name | |
| Vendor.requestsize | http.request.bytes | |
| Vendor.requestmethod | http.request.method | |
| Vendor.contenttype | http.request.mime_type | |
| Vendor.refererURL | http.request.referrer | |
| Vendor.responsesize | http.response.bytes | |
| Vendor.status | http.response.status_code | |
| Vendor.nwapp | network.application | |
| Vendor.policy | rule.name | |
| Vendor.rulelabel | rule.name | |
| Vendor.rulename | rule.name | |
| Vendor.threatname | rule.name | |
| Vendor.ruletype | rule.ruleset | |
| Vendor.outbytes | source.bytes | |
| Vendor.txbytes | source.bytes | |
| Vendor.location | source.geo.name | |
| Vendor.ClientIP | source.ip | |
| Vendor.clientip | source.ip | |
| Vendor.clt_sip | source.ip | |
| Vendor.csip | source.ip | |
| Vendor.sourceip | source.ip | |
| Vendor.csport | source.port | |
| Vendor.sourceport | source.port | |
| Vendor.hostname | url.domain | |
| Vendor.fullurl | url.full | |
| Vendor.url | url.original |