Parsers and Generated Fields
Tag Fields Created by Parser zscaler-privateaccess
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser zscaler-privateaccess
| Source Field | CPS Field |
|---|---|
| Vendor.TotalBytesRx | client.bytes |
| Vendor.City | client.geo.city_name |
| Vendor.ClientCountryCode | client.geo.country_iso_code |
| Vendor.CountryCode | client.geo.country_iso_code |
| Vendor.ClientLatitude | client.geo.location.lat |
| Vendor.Latitude | client.geo.location.lat |
| Vendor.ClientLongitude | client.geo.location.lon |
| Vendor.Longitude | client.geo.location.lon |
| Vendor.AuditNewValue.remoteIP; | client.ip |
| Vendor.AuditOldValue.remoteIP; | client.ip |
| Vendor.ClientPublicIP | client.ip |
| Vendor.ClientPublicIp | client.ip |
| Vendor.PublicIP | client.ip |
| Vendor.DefRouteGW | client.nat.ip |
| Vendor.ClientPort | client.port |
| Vendor.ClientPublicPort | client.port |
| Vendor.AuditOperationType | event.action |
| Vendor.RequestID | event.id |
| Vendor.ConnectionReason | event.reason |
| Vendor.InternalReason | event.reason |
| Vendor.AuditNewValue.id | group.id |
| Vendor.AuditOldValue.id | group.id |
| Vendor.AuditNewValue.name | group.name |
| Vendor.AuditOldValue.name | group.name |
| Vendor.CPUUtilization | host.cpu.usage |
| Vendor.Host; | host.ip[0] |
| Vendor.Platform | host.os.platform |
| Vendor.RequestBodySize | http.request.body.bytes |
| Vendor.RequestSize | http.request.body.bytes |
| Vendor.Method | http.request.method |
| Vendor.ResponseBodySize | http.response.body.bytes |
| Vendor.ResponseSize | http.response.body.bytes |
| Vendor.StatusCode | http.response.status_code |
| Vendor.ProtocolVersion | http.version |
| Vendor.TotalBytesProcessed | network.bytes |
| Vendor.AuditNewValue.cityCountry | observer.geo.city_name |
| Vendor.AuditOldValue.cityCountry | observer.geo.city_name |
| Vendor.AuditNewValue.location; | observer.geo.country_name |
| Vendor.AuditOldValue.location; | observer.geo.country_name |
| Vendor.AuditNewValue.latitude | observer.geo.location.lat |
| Vendor.AuditOldValue.latitude | observer.geo.location.lat |
| Vendor.Latitude | observer.geo.location.lat |
| Vendor.AuditNewValue.longitude | observer.geo.location.lon |
| Vendor.AuditOldValue.longitude | observer.geo.location.lon |
| Vendor.Longitude | observer.geo.location.lon |
| Vendor.PublicIP | observer.ip[0] |
| Vendor.PrivateIP | observer.ip[1] |
| Vendor.Platform | observer.os.platform |
| Vendor.CustomerID | organization.id |
| Vendor.Customer | organization.name |
| Vendor.Version | package.version |
| Vendor.AuditNewValue.domainOrIpAddress | server.address |
| Vendor.AuditOldValue.domainOrIpAddress | server.address |
| Vendor.TotalBytesTx | server.bytes |
| Vendor.ZENCountryCode | server.geo.country_iso_code |
| Vendor.ZENLatitude | server.geo.location.lat |
| Vendor.ZENLongitude | server.geo.location.lon |
| Vendor.ServerIP | server.ip |
| server.address; | server.ip |
| Vendor.ApplicationPort | server.port |
| Vendor.ServerPort | server.port |
| Vendor.ModifiedBy | user.id |
| Vendor.NameID | user.name |
| Vendor.User | user.name |
| Vendor.Username | user.name |
| Vendor.AuditNewValue.email | user.target.email |
| Vendor.AuditOldValue.email | user.target.email |
| Vendor.AuditNewValue.id | user.target.id |
| Vendor.AuditOldValue.id | user.target.id |
| Vendor.AuditNewValue.name; | user.target.name |
| Vendor.AuditOldValue.name; | user.target.name |
| Vendor.AuditNewValue.roles[0].name | user.target.roles[0] |
| Vendor.AuditNewValue.roles[1].name | user.target.roles[1] |
| Vendor.AuditNewValue.roles[2].name | user.target.roles[2] |
| Vendor.AuditNewValue.roles[3].name | user.target.roles[3] |
| Vendor.AuditNewValue.roles[4].name; | user.target.roles[4] |
| Vendor.UserAgent | user_agent.original |
| Vendor.AuditNewValue.subjectAlternateNames | x509.alternative_names |
| Vendor.AuditOldValue.subjectAlternateNames | x509.alternative_names |
| Vendor.AuditNewValue.commonName | x509.issuer.common_name |
| Vendor.AuditNewValue.commonName; | x509.issuer.common_name |
| Vendor.AuditOldValue.commonName | x509.issuer.common_name |
| Vendor.AuditOldValue.commonName; | x509.issuer.common_name |
| Vendor.CertificateCN | x509.issuer.common_name |
| Vendor.AuditNewValue.issuedTo; | x509.issuer.distinguished_name |
| Vendor.AuditOldValue.issuedTo; | x509.issuer.distinguished_name |
| Vendor.AuditNewValue.expirationTimeInSeconds | x509.not_after |
| Vendor.AuditOldValue.expirationTimeInSeconds | x509.not_after |
| Vendor.AuditNewValue.creationTimeInSeconds | x509.not_before |
| Vendor.AuditOldValue.creationTimeInSeconds | x509.not_before |
Tag Fields Created by Parser zscaler-zpa-app-connector-status-json
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser zscaler-zpa-app-connector-status-json
| Source Field | CPS Field |
|---|---|
| Vendor.TotalBytesRx | client.bytes |
| Vendor.DefRouteGW | client.nat.ip |
| Vendor.CPUUtilization | host.cpu.usage |
| Vendor.Latitude | observer.geo.location.lat |
| Vendor.Longitude | observer.geo.location.lon |
| Vendor.PublicIP | observer.ip[0] |
| Vendor.PrivateIP | observer.ip[1] |
| Vendor.Platform | observer.os.platform |
| Vendor.Customer | organization.name |
| Vendor.Version | package.version |
| Vendor.TotalBytesTx | server.bytes |
Tag Fields Created by Parser zscaler-zpa-app-protection-json
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser zscaler-zpa-app-protection-json
| Source Field | CPS Field |
|---|---|
| Vendor.ClientPublicIp | client.ip |
| Vendor.ClientPort | client.port |
| Vendor.Host; | host.ip[0] |
| Vendor.RequestBodySize | http.request.body.bytes |
| Vendor.Method | http.request.method |
| Vendor.ResponseBodySize | http.response.body.bytes |
| Vendor.StatusCode | http.response.status_code |
| Vendor.ProtocolVersion | http.version |
| Vendor.TotalBytesProcessed | network.bytes |
| Vendor.Customer | organization.name |
| Vendor.UserAgent | user_agent.original |
Tag Fields Created by Parser zscaler-zpa-audit-json
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser zscaler-zpa-audit-json
| Source Field | CPS Field |
|---|---|
| Vendor.AuditNewValue.remoteIP; | client.ip |
| Vendor.AuditOldValue.remoteIP; | client.ip |
| Vendor.AuditOperationType | event.action |
| Vendor.RequestID | event.id |
| Vendor.AuditNewValue.id | group.id |
| Vendor.AuditOldValue.id | group.id |
| Vendor.AuditNewValue.name | group.name |
| Vendor.AuditOldValue.name | group.name |
| Vendor.AuditNewValue.cityCountry | observer.geo.city_name |
| Vendor.AuditOldValue.cityCountry | observer.geo.city_name |
| Vendor.AuditNewValue.location; | observer.geo.country_name |
| Vendor.AuditOldValue.location; | observer.geo.country_name |
| Vendor.AuditNewValue.latitude | observer.geo.location.lat |
| Vendor.AuditOldValue.latitude | observer.geo.location.lat |
| Vendor.AuditNewValue.longitude | observer.geo.location.lon |
| Vendor.AuditOldValue.longitude | observer.geo.location.lon |
| Vendor.CustomerID | organization.id |
| Vendor.AuditNewValue.domainOrIpAddress | server.address |
| Vendor.AuditOldValue.domainOrIpAddress | server.address |
| server.address; | server.ip |
| Vendor.ModifiedBy | user.id |
| Vendor.User | user.name |
| Vendor.AuditNewValue.email | user.target.email |
| Vendor.AuditOldValue.email | user.target.email |
| Vendor.AuditNewValue.id | user.target.id |
| Vendor.AuditOldValue.id | user.target.id |
| Vendor.AuditNewValue.name; | user.target.name |
| Vendor.AuditOldValue.name; | user.target.name |
| Vendor.AuditNewValue.roles[0].name | user.target.roles[0] |
| Vendor.AuditNewValue.roles[1].name | user.target.roles[1] |
| Vendor.AuditNewValue.roles[2].name | user.target.roles[2] |
| Vendor.AuditNewValue.roles[3].name | user.target.roles[3] |
| Vendor.AuditNewValue.roles[4].name; | user.target.roles[4] |
| Vendor.AuditNewValue.subjectAlternateNames | x509.alternative_names |
| Vendor.AuditOldValue.subjectAlternateNames | x509.alternative_names |
| Vendor.AuditNewValue.commonName | x509.issuer.common_name |
| Vendor.AuditNewValue.commonName; | x509.issuer.common_name |
| Vendor.AuditOldValue.commonName | x509.issuer.common_name |
| Vendor.AuditOldValue.commonName; | x509.issuer.common_name |
| Vendor.AuditNewValue.issuedTo; | x509.issuer.distinguished_name |
| Vendor.AuditOldValue.issuedTo; | x509.issuer.distinguished_name |
| Vendor.AuditNewValue.expirationTimeInSeconds | x509.not_after |
| Vendor.AuditOldValue.expirationTimeInSeconds | x509.not_after |
| Vendor.AuditNewValue.creationTimeInSeconds | x509.not_before |
| Vendor.AuditOldValue.creationTimeInSeconds | x509.not_before |
Tag Fields Created by Parser zscaler-zpa-browser-access-json
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser zscaler-zpa-browser-access-json
| Source Field | CPS Field |
|---|---|
| Vendor.ClientPublicIp | client.ip |
| Vendor.ClientPublicPort | client.port |
| Vendor.ConnectionReason | event.reason |
| Vendor.RequestSize | http.request.body.bytes |
| Vendor.Method | http.request.method |
| Vendor.ResponseSize | http.response.body.bytes |
| Vendor.StatusCode | http.response.status_code |
| Vendor.Customer | organization.name |
| Vendor.ApplicationPort | server.port |
| Vendor.NameID | user.name |
Tag Fields Created by Parser zscaler-zpa-user-activity-json
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser zscaler-zpa-user-activity-json
| Source Field | CPS Field |
|---|---|
| Vendor.ClientCountryCode | client.geo.country_iso_code |
| Vendor.ClientLatitude | client.geo.location.lat |
| Vendor.ClientLongitude | client.geo.location.lon |
| Vendor.ClientPublicIP | client.ip |
| Vendor.InternalReason | event.reason |
| Vendor.Host; | host.ip[0] |
| Vendor.Customer | organization.name |
| Vendor.ServerIP | server.ip |
| Vendor.ServerPort | server.port |
| Vendor.Username | user.name |
Tag Fields Created by Parser zscaler-zpa-user-status-json
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser zscaler-zpa-user-status-json
| Source Field | CPS Field |
|---|---|
| Vendor.TotalBytesRx | client.bytes |
| Vendor.City | client.geo.city_name |
| Vendor.CountryCode | client.geo.country_iso_code |
| Vendor.Latitude | client.geo.location.lat |
| Vendor.Longitude | client.geo.location.lon |
| Vendor.PublicIP | client.ip |
| Vendor.Platform | host.os.platform |
| Vendor.Customer | organization.name |
| Vendor.TotalBytesTx | server.bytes |
| Vendor.ZENCountryCode | server.geo.country_iso_code |
| Vendor.ZENLatitude | server.geo.location.lat |
| Vendor.ZENLongitude | server.geo.location.lon |
| Vendor.Username | user.name |
| Vendor.CertificateCN | x509.issuer.common_name |