Parsers and Generated Fields | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Search Archives Contacting Support

Parsers and Generated Fields

Tag Fields Created by Parser zscaler-internetaccess

#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type

Fields Identified by Parser zscaler-internetaccess

Source Field	CPS Field	Description	Mapping
Vendor.datetime, Vendor.time	@timestamp	Event timestamp	Parsed from datetime fields using multiple format patterns
Vendor.clt_sip, Vendor.csip, Vendor.ClientIP	client.address	Client address	Mapped from various vendor IP/address fields based on sourcetype
client.address	client.domain	Client domain	Set when client.address doesn't match IP CIDR patterns
client.address	client.ip	Client IP address	Set when client.address matches IP CIDR patterns
Vendor.clt_sport	client.port	Client port	Copied from Vendor.clt_sport
Vendor.srv_dip, Vendor.cdip, Vendor.serverip, Vendor.destinationip	destination.address	Destination address	Mapped from various vendor IP/address fields based on sourcetype
Vendor.inbytes, Vendor.rxbytes	destination.bytes	Destination bytes	Mapped from various vendor byte fields based on sourcetype
destination.address, Vendor.hostname	destination.domain	Destination domain	Set when destination.address doesn't match IP CIDR patterns or copied from hostname
Vendor.destcountry	destination.geo.country_name	Destination country	Copied from Vendor.destcountry
destination.address	destination.ip	Destination IP address	Set when destination.address matches IP CIDR patterns
Vendor.srv_dport, Vendor.sdport, Vendor.cdport, Vendor.destinationport	destination.port	Destination port	Mapped from various vendor port fields based on sourcetype
Vendor.dns_resp	dns.answers[0].data	DNS response data	Copied from Vendor.dns_resp
Vendor.dns_req	dns.question.name	DNS query name	Copied from Vendor.dns_req
Vendor.dns_reqtype	dns.question.type	DNS query type	Copied from Vendor.dns_reqtype
None	ecs.version	ECS schema version	Static value: 9.2.0
Vendor.action	event.action	Action taken	Copied from Vendor.action and converted to lowercase
Vendor.sourcetype	event.category[]	Event category array	Array populated based on sourcetype conditions
Vendor.sourcetype	event.dataset	Dataset classification	Set based on sourcetype mapping
Vendor.recordid	event.id	Event identifier	Copied from Vendor.recordid
Vendor.threatname	event.kind	Event kind classification	Static value: event, changed to alert when threatname present
None	event.module	Event module identifier	Static value: zia
@rawstring	event.original	Original event data	Set to @rawstring for first event in multi-event logs
@rawstring	event.original.hash.sha256	Hash of original event	SHA256 hash of @rawstring for multi-event logs
Vendor.result, Vendor.action	event.outcome	Event outcome	Set based on Vendor.result matching patterns and action types
Vendor.reason	event.reason	Reason for the event	Copied from Vendor.reason
Vendor.riskscore	event.risk_score	Risk score	Copied from Vendor.riskscore
Vendor.severity	event.severity	Event severity level	Mapped from Vendor.severity using severity mapping logic
Vendor.sourcetype, Vendor.action, Vendor.threatname	event.type[]	Event type array	Array populated based on conditions and actions
Vendor.filesource	file.directory	File directory	Copied from Vendor.filesource
Vendor.filesubtype, Vendor.upload_filesubtype, Vendor.filetypename	file.extension	File extension	Conditionally set from download or upload file extension based on availability
Vendor.bamd5, Vendor.filemd5	file.hash.md5	File MD5 hash	Copied from various vendor MD5 fields, converted to lowercase, excludes "none" values
Vendor.lastmodtime	file.mtime	File modification time	Parsed from Vendor.lastmodtime when present
Vendor.filename, Vendor.upload_filename	file.name	File name	Conditionally set using coalesce function from download or upload filename
Vendor.owner	file.owner	File owner	Copied from Vendor.owner
Vendor.filetype, Vendor.upload_filetype	file.type	File type	Conditionally set from download or upload file type based on availability
Vendor.company	group.name	Group name	Copied from Vendor.company
Vendor.devicehostname	host.hostname	Host hostname	Copied from Vendor.devicehostname and converted to lowercase
Vendor.devicehostname	host.name	Host name	Copied from Vendor.devicehostname and converted to lowercase
Vendor.requestsize	http.request.bytes	HTTP request size	Copied from Vendor.requestsize
Vendor.requestmethod	http.request.method	HTTP request method	Copied from Vendor.requestmethod
Vendor.contenttype	http.request.mime_type	HTTP request MIME type	Copied from Vendor.contenttype
Vendor.refererURL	http.request.referrer	HTTP referrer URL	Base64 decoded from Vendor.refererURL
Vendor.responsesize	http.response.bytes	HTTP response size	Copied from Vendor.responsesize
Vendor.status	http.response.status_code	HTTP response status code	Copied from Vendor.status when not wildcard or "NA"
Vendor.nwapp	network.application	Network application	Copied from Vendor.nwapp
Vendor.policydirection	network.direction	Network direction	Set based on Vendor.policydirection pattern matching
Vendor.protocol, Vendor.nwsvc	network.protocol	Network protocol	Mapped from various vendor protocol fields and converted to lowercase
Vendor.proto	network.transport	Network transport protocol	Copied from Vendor.proto and converted to lowercase
Vendor.tunneltype	network.type	Network type	Copied from Vendor.tunneltype and converted to lowercase
Vendor.rulelabel, Vendor.rulename, Vendor.policy, Vendor.threatname	rule.name	Rule name	Mapped from various vendor rule/threat fields
Vendor.ruletype	rule.ruleset	Rule set	Copied from Vendor.ruletype
Vendor.srv_dip, Vendor.cdip, Vendor.serverip	server.address	Server address	Mapped from various vendor IP/address fields based on sourcetype
server.address	server.domain	Server domain	Set when server.address doesn't match IP CIDR patterns
server.address	server.ip	Server IP address	Set when server.address matches IP CIDR patterns
Vendor.clt_sip, Vendor.csip, Vendor.ClientIP, Vendor.sourceip	source.address	Source address	Mapped from various vendor IP/address fields based on sourcetype
Vendor.outbytes, Vendor.txbytes	source.bytes	Source bytes	Mapped from various vendor byte fields based on sourcetype
source.address	source.domain	Source domain	Set when source.address doesn't match IP CIDR patterns
Vendor.location	source.geo.name	Source geographic location	Copied from Vendor.location
source.address	source.ip	Source IP address	Set when source.address matches IP CIDR patterns
Vendor.ClientIP, Vendor.clientpublicIP	source.nat.ip	Source NAT IP	Set when source.ip differs from clientpublicIP
Vendor.csport, Vendor.sourceport, Vendor.clt_sport	source.port	Source port	Mapped from various vendor port fields based on sourcetype
Vendor.hostname	url.domain	URL domain	Copied from Vendor.hostname
Vendor.fullurl	url.full	Full URL	Copied from Vendor.fullurl
Vendor.url	url.original	Original URL	Base64 decoded from Vendor.url
Vendor.url	url.path	URL path	Extracted from URL parsing
Vendor.user, Vendor.elogin, Vendor.login, Vendor.adminid	user.domain	User domain	Extracted from user email domain part and converted to lowercase
Vendor.user, Vendor.elogin, Vendor.login, Vendor.adminid	user.email	User email address	Set only when valid email format detected, converted to lowercase
Vendor.user, Vendor.elogin, Vendor.login, Vendor.adminid	user.name	Username	Extracted from user email or copied using coalesce function
Vendor.useragent	user_agent.original	User agent string	URL decoded from Vendor.useragent

Enter search term