zscaler/internet-access Dashboards | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Training API GraphQL API Contacting Support

zscaler/internet-access Dashboards

Web - Threat Activity

Widget	Description	Type
Top Blocked DLP Dictionaries	Displays a pie chart of a user's top blocked DLP dictionaries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email =~ wildcard(?Username, ignoreCase=true) \| event.action = "blocked" \| Vendor.dlpdictionaries!="None" \| top(Vendor.dlpdictionaries)`	`Pie Chart`
Top CrowdStrike IOC Hits by Threat Actor	Displays a chart of top CrowdStrike IOC hits by threat actor and limits results to the first 10 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true) \| ioc.detected=true \| case { ioc[0].labels=Actor* \| regex("^Actor\/(?<iocActor>\w+)\W+", field=ioc[0].labels, strict=false) ; * \| iocActor:="None Listed" ; } \| rename(iocActor, as="IOC.Actor") \| timechart(IOC.Actor, limit=10)`	`Time Chart`
CrowdStrike IOC Enrichment on Destination Domain	Displays a table of CrowdStrike IOC enrichment data regarding the destination domain and associated data (user email, IOC domain, etc) then limits results to the first 1000 entries. Hide Query Show Query logscale #event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| regex("^(?<Vendor.domain>.?)(\/\|$)", field=Vendor.url, strict=false) \| ioc:lookup(field=Vendor.domain, type=domain, confidenceThreshold=Unverified, strict=true) \| case { ioc[0].labels=Actor \| regex("^Actor\/(?<iocActor>\w+)\W+", field=ioc[0].labels, strict=false) ; * \| iocActor:="None Listed" ; } \| replace(",", with="\n", field=ioc[0].labels, as="IOC.Details") \| rename(Continent, as="IOC.Continent") \| rename(ioc[0].indicator, as="IOC.Domain") \| rename(ioc[0].malicious_confidence, as="IOC.Confidence") \| rename(iocActor, as="IOC.Actor") \| table([@timestamp, user.email, source.ip, IOC.Domain, IOC.Confidence, IOC.Actor, IOC.Details], limit=1000)	`Table`
Top Vendor Threat Names	Displays a chart of the top 10 vendor threat names. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| Vendor.threatname!="None" \| timechart(Vendor.threatname, limit=10)`	`Time Chart`
Top CrowdStrike IOCs by Confidence	Displays a pie chart of top CrowdStrike IOCs by confidence. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true) \| replace(",", with="\n", field=ioc[0].labels, as="IOC.Details") \| rename(ioc[0].malicious_confidence, as="IOC.Confidence") \| top(IOC.Confidence)`	`Pie Chart`
Top Blocked DLP Engines	Displays a pie chart of top blocked DLP engines. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email =~ wildcard(?Username, ignoreCase=true) \| event.action = "blocked" \| Vendor.dlpengine != "None" \| top(Vendor.dlpengine)`	`Pie Chart`
CrowdStrike IOC Enrichment on Server IP	Displays a table of CrowdStrike IOC enrichment instances and server IPs and limits results to the first 1000 entries. Hide Query Show Query logscale #event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true) \| ipLocation(ioc[0].indicator) \| case { ioc[0].labels=Actor* \| regex("^Actor\/(?<iocActor>\w+)\W+", field=ioc[0].labels, strict=false) ; * \| iocActor:="None Listed" ; } \| replace(",", with="\n", field=ioc[0].labels, as="IOC.Details") \| rename(Continent, as="IOC.Continent") \| rename(ioc[0].indicator, as="IOC.IP") \| rename(ioc[0].malicious_confidence, as="IOC.Confidence") \| rename(iocActor, as="IOC.Actor") \| rename(ioc[0].indicator.country, as="IOC.Country") \| table([@timestamp, user.email, source.ip, IOC.IP, IOC.Confidence, IOC.Country, IOC.Actor, IOC.Details], limit=1000)	`Table`
Top CrowdStrike IOCs by Country	Displays a pie chart of the top CrowdStrike IOCs by country. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true) \| ipLocation(ioc[0].indicator) \| rename(ioc[0].indicator.country, as="IOC.Country") \| top(IOC.Country)`	`Pie Chart`
Top Threat Name	Displays a pie chart of the top threat names via username and user email. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email =~ wildcard(?Username, ignoreCase=true) \| Vendor.threatname != "None" \| top(Vendor.threatname)`	`Pie Chart`
Top Vendor Categories to Threat Names	Displays a flow chart of top vendor categories to threat names. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| Vendor.threatname!="None" \| top([Vendor.urlcategory, Vendor.threatname]) \| sankey(source=Vendor.urlcategory, target=Vendor.threatname)`	`Sankey`

Web - User Investigation

Widget	Description	Type
Top Blocked DLP Dictionaries	Displays a pie chart of a user's top blocked DLP dictionaries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email =~ wildcard(?Username, ignoreCase=true) \| event.action = "blocked" \| Vendor.dlpdictionaries!="None" \| top(Vendor.dlpdictionaries)`	`Pie Chart`
Top Users by Volume	Displays a chart of top users by volume using user email data, then limits the results to the first 10 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| timechart(user.email, function=sum(Vendor.requestsize), limit=10)`	`Time Chart`
Top CrowdStrike IOC Hits by Threat Actor	Displays a chart of top CrowdStrike IOC hits by threat actor and limits results to the first 10 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true) \| ioc.detected=true \| case { ioc[0].labels=Actor* \| regex("^Actor\/(?<iocActor>\w+)\W+", field=ioc[0].labels, strict=false) ; * \| iocActor:="None Listed" ; } \| rename(iocActor, as="IOC.Actor") \| timechart(IOC.Actor, limit=10)`	`Time Chart`
Total Distinct Users	Displays the number of total distinct users and their email addresses. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| count(user.email, distinct=true)`	`Single Value`
CrowdStrike IOC Enrichment on Destination Domain	Displays a table of CrowdStrike IOC enrichment data regarding the destination domain and associated data (user email, IOC domain, etc) then limits results to the first 1000 entries. Hide Query Show Query logscale #event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| regex("^(?<Vendor.domain>.?)(\/\|$)", field=Vendor.url, strict=false) \| ioc:lookup(field=Vendor.domain, type=domain, confidenceThreshold=Unverified, strict=true) \| case { ioc[0].labels=Actor \| regex("^Actor\/(?<iocActor>\w+)\W+", field=ioc[0].labels, strict=false) ; * \| iocActor:="None Listed" ; } \| replace(",", with="\n", field=ioc[0].labels, as="IOC.Details") \| rename(Continent, as="IOC.Continent") \| rename(ioc[0].indicator, as="IOC.Domain") \| rename(ioc[0].malicious_confidence, as="IOC.Confidence") \| rename(iocActor, as="IOC.Actor") \| table([@timestamp, user.email, source.ip, IOC.Domain, IOC.Confidence, IOC.Actor, IOC.Details], limit=1000)	`Table`
Top Allowed Domains	Displays a user's top allowed domains based on their email address. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| regex("^(?<Vendor.domain>.*?)(\/\|$)", field=Vendor.url, strict=false) \| event.action="allowed" \| top([Vendor.domain])`	`Table`
Top Allowed Super Categories	Displays a chart of top allowed super categories by user email, and limits results to the first 10 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="allowed" \| timechart(Vendor.urlsupercategory, limit=10)`	`Time Chart`
Top Blocked Domains	Displays a list of a users top blocked domains by username and email address. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| regex("^(?<Vendor.domain>.*?)(\/\|$)", field=Vendor.url, strict=false) \| event.action="blocked" \| top([Vendor.domain])`	`Table`
Top Vendor Threat Names	Displays a chart of the top 10 vendor threat names. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| Vendor.threatname!="None" \| timechart(Vendor.threatname, limit=10)`	`Time Chart`
Top Application Names	Displays a pie chart of top applications names. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| top(Vendor.appname)`	`Pie Chart`
Top Blocked Super Categories	Displays a chart of top blocked super categories over time then limits results to the first 10 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="blocked" \| timechart(Vendor.urlsupercategory, limit=10)`	`Time Chart`
Top User Agents	Displays a list of top user agents by user email address and limits the results to the first 100 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="allowed" \| top(Vendor.useragent, limit=100)`	`Table`
Top CrowdStrike IOCs by Confidence	Displays a pie chart of top CrowdStrike IOCs by confidence. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true) \| replace(",", with="\n", field=ioc[0].labels, as="IOC.Details") \| rename(ioc[0].malicious_confidence, as="IOC.Confidence") \| top(IOC.Confidence)`	`Pie Chart`
Top Blocked DLP Engines	Displays a pie chart of top blocked DLP engines. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email =~ wildcard(?Username, ignoreCase=true) \| event.action = "blocked" \| Vendor.dlpengine != "None" \| top(Vendor.dlpengine)`	`Pie Chart`
Top Protocols	Displays a pie chart of top network protocols. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| top(network.protocol)`	`Pie Chart`
CrowdStrike IOC Enrichment on Server IP	Displays a table of CrowdStrike IOC enrichment instances and server IPs and limits results to the first 1000 entries. Hide Query Show Query logscale #event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true) \| ipLocation(ioc[0].indicator) \| case { ioc[0].labels=Actor* \| regex("^Actor\/(?<iocActor>\w+)\W+", field=ioc[0].labels, strict=false) ; * \| iocActor:="None Listed" ; } \| replace(",", with="\n", field=ioc[0].labels, as="IOC.Details") \| rename(Continent, as="IOC.Continent") \| rename(ioc[0].indicator, as="IOC.IP") \| rename(ioc[0].malicious_confidence, as="IOC.Confidence") \| rename(iocActor, as="IOC.Actor") \| rename(ioc[0].indicator.country, as="IOC.Country") \| table([@timestamp, user.email, source.ip, IOC.IP, IOC.Confidence, IOC.Country, IOC.Actor, IOC.Details], limit=1000)	`Table`
Top Allowed Categories to Domains	Displays a flow chart of top allowed URL categories and vendor domains, then limits results to the first 20 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| regex("^(?<Vendor.domain>.*?)(\/\|$)", field=Vendor.url, strict=false) \| event.action="allowed" \| top([Vendor.urlcategory, Vendor.domain], limit=20) \| sankey(source="Vendor.urlcategory", target="Vendor.domain")`	`Sankey`
Top Allowed Categories	Displays a table of top allowed URL categories by user email. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="allowed" \| top(Vendor.urlcategory)`	`Table`
Top CrowdStrike IOCs by Country	Displays a pie chart of the top CrowdStrike IOCs by country. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| ioc:lookup(field=destination.ip, type=ip_address, confidenceThreshold=Unverified, strict=true) \| ipLocation(ioc[0].indicator) \| rename(ioc[0].indicator.country, as="IOC.Country") \| top(IOC.Country)`	`Pie Chart`
Top Blocked Categories to Domains	Displays a flowchart of top blocked categories by domain name. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="blocked" \| regex("^(?<Vendor.domain>.*?)(\/\|$)", field=Vendor.url, strict=false) \| top([Vendor.urlcategory, Vendor.domain]) \| sankey(source="Vendor.urlcategory", target="Vendor.domain")`	`Sankey`
Top Application Classes	Displays a pie chart of top application classes using Zscaler data. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| top(Vendor.appclass)`	`Pie Chart`
Top Threat Name	Displays a pie chart of the top threat names via username and user email. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email =~ wildcard(?Username, ignoreCase=true) \| Vendor.threatname != "None" \| top(Vendor.threatname)`	`Pie Chart`
Top Blocked Categories	Displays a list top blocked categories based on a user's email address. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="blocked" \| top(Vendor.urlcategory)`	`Table`
Request Methods	Displays a list of HTTP request methods by username and email. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| timechart(http.request.method)`	`Time Chart`
Actions Over Time by Volume	Displays a list of user actions over time by volume based on user email. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| Vendor.requestsize!=0 \| timechart(event.action, function=sum(Vendor.requestsize))`	`Time Chart`
Top Vendor Categories to Threat Names	Displays a flow chart of top vendor categories to threat names. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| Vendor.threatname!="None" \| top([Vendor.urlcategory, Vendor.threatname]) \| sankey(source=Vendor.urlcategory, target=Vendor.threatname)`	`Sankey`
Total Distinct Locations	Displays the number of total distinct locations by username. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| count("Vendor.location", distinct=true)`	`Single Value`

Web - Web Activity

Widget	Description	Type
Top Users by Volume	Displays a chart of top users by volume using user email data, then limits the results to the first 10 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| timechart(user.email, function=sum(Vendor.requestsize), limit=10)`	`Time Chart`
Total Distinct Users	Displays the number of total distinct users and their email addresses. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| count(user.email, distinct=true)`	`Single Value`
Top Allowed Domains	Displays a user's top allowed domains based on their email address. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| regex("^(?<Vendor.domain>.*?)(\/\|$)", field=Vendor.url, strict=false) \| event.action="allowed" \| top([Vendor.domain])`	`Table`
Top Allowed Super Categories	Displays a chart of top allowed super categories by user email, and limits results to the first 10 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="allowed" \| timechart(Vendor.urlsupercategory, limit=10)`	`Time Chart`
Top Blocked Domains	Displays a list of a users top blocked domains by username and email address. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| regex("^(?<Vendor.domain>.*?)(\/\|$)", field=Vendor.url, strict=false) \| event.action="blocked" \| top([Vendor.domain])`	`Table`
Top Application Names	Displays a pie chart of top applications names. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| top(Vendor.appname)`	`Pie Chart`
Top Blocked Super Categories	Displays a chart of top blocked super categories over time then limits results to the first 10 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="blocked" \| timechart(Vendor.urlsupercategory, limit=10)`	`Time Chart`
Top User Agents	Displays a list of top user agents by user email address and limits the results to the first 100 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="allowed" \| top(Vendor.useragent, limit=100)`	`Table`
Top Protocols	Displays a pie chart of top network protocols. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| top(network.protocol)`	`Pie Chart`
Top Allowed Categories to Domains	Displays a flow chart of top allowed URL categories and vendor domains, then limits results to the first 20 entries. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| regex("^(?<Vendor.domain>.*?)(\/\|$)", field=Vendor.url, strict=false) \| event.action="allowed" \| top([Vendor.urlcategory, Vendor.domain], limit=20) \| sankey(source="Vendor.urlcategory", target="Vendor.domain")`	`Sankey`
Top Allowed Categories	Displays a table of top allowed URL categories by user email. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="allowed" \| top(Vendor.urlcategory)`	`Table`
Top Blocked Categories to Domains	Displays a flowchart of top blocked categories by domain name. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="blocked" \| regex("^(?<Vendor.domain>.*?)(\/\|$)", field=Vendor.url, strict=false) \| top([Vendor.urlcategory, Vendor.domain]) \| sankey(source="Vendor.urlcategory", target="Vendor.domain")`	`Sankey`
Top Application Classes	Displays a pie chart of top application classes using Zscaler data. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| top(Vendor.appclass)`	`Pie Chart`
Top Blocked Categories	Displays a list top blocked categories based on a user's email address. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| event.action="blocked" \| top(Vendor.urlcategory)`	`Table`
Request Methods	Displays a list of HTTP request methods by username and email. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| timechart(http.request.method)`	`Time Chart`
Actions Over Time by Volume	Displays a list of user actions over time by volume based on user email. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| Vendor.requestsize!=0 \| timechart(event.action, function=sum(Vendor.requestsize))`	`Time Chart`
Total Distinct Locations	Displays the number of total distinct locations by username. Hide Query Show Query logscale `#event.dataset = "zia.web" \| user.email=~wildcard(?Username, ignoreCase=true) \| count("Vendor.location", distinct=true)`	`Single Value`

Enter search term