Parsers and Generated Fields
Tag Fields Created by Parser zscaler-privateaccess
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser zscaler-privateaccess
| CPS Field | Mapping Type | Source Field(s) |
|---|---|---|
| `event.category[]` | Array | None |
| `event.type[]` | Array | None |
| `host.ip[]` | Array | Vendor.PublicIP, Vendor.PrivateIP |
| `observer.ip[]` | Array | Vendor.PublicIP |
| `tls.client.x509.alternative_names[]` | Array | Vendor.AuditNewValue.subjectAlternateNames, Vendor.AuditOldValue.subjectAlternateNames |
| `tls.client.x509.issuer.common_name[]` | Array | Vendor.AuditNewValue.commonName, Vendor.AuditOldValue.commonName |
| `tls.client.x509.subject.common_name[]` | Array | Vendor.CertificateCN |
| `user.target.roles[]` | Array | Vendor.AuditNewValue.roles[], Vendor.AuditOldValue.roles[] |
| `host.network.egress.bytes` | Calculated | Vendor.TotalBytesTx, Vendor.TransmittedBytesToPublicSE, Vendor.TransmittedBytesToPrivateSE, Vendor.BytesTxInterface |
| `host.network.ingress.bytes` | Calculated | Vendor.TotalBytesRx, Vendor.ReceivedBytesFromPublicSE, Vendor.ReceivedBytesFromPrivateSE, Vendor.BytesRxInterface |
| `http.request.bytes` | Calculated | Vendor.RequestHdrSize, Vendor.RequestBodySize, Vendor.RequestSize |
| `http.response.bytes` | Calculated | Vendor.ResponseHdrSize, Vendor.ResponseBodySize, Vendor.ResponseSize |
| `network.bytes` | Calculated | Multiple vendor byte fields |
| `client.address` | Copied | source.address |
| `client.bytes` | Copied | Vendor.TotalBytesTx, Vendor.ZENTotalBytesTxClient |
| `client.domain` | Copied | source.domain |
| `client.geo.city_name` | Copied | Vendor.City |
| `client.geo.country_iso_code` | Copied | Vendor.CountryCode, Vendor.ClientCountryCode |
| `client.geo.location.lat` | Copied | Vendor.Latitude, Vendor.ClientLatitude |
| `client.geo.location.lon` | Copied | Vendor.Longitude, Vendor.ClientLongitude |
| `client.ip` | Copied | source.ip |
| `client.nat.ip` | Copied | Vendor.ClientPrivateIp |
| `client.port` | Copied | Vendor.ClientPort, Vendor.ClientPublicPort |
| `destination.bytes` | Copied | Vendor.ZENTotalBytesRxClient |
| `destination.port` | Copied | Vendor.ServerPort, Vendor.ApplicationPort |
| `event.action` | Copied | Vendor.AuditOperationType |
| `event.created` | Copied | Vendor.CreationTime |
| `event.end` | Copied | Vendor.TimestampUnAuthentication, Vendor.TimestampResponseTransmitFinish, Vendor.TimestampConnectionEnd |
| `event.id` | Copied | Vendor.RequestID |
| `event.original` | Copied | Vendor.AuditOldValue |
| `event.reason` | Copied | Vendor.InternalReason, Vendor.ConnectionReason |
| `event.start` | Copied | Vendor.TimestampAuthentication, Vendor.TimestampRequestReceiveStart, Vendor.TimestampConnectionStart |
| `group.id` | Copied | Vendor.AuditNewValue.id, Vendor.AuditOldValue.id |
| `group.name` | Copied | Vendor.AuditNewValue.name, Vendor.AuditOldValue.name |
| `host.cpu.usage` | Copied | Vendor.CPUUtilization |
| `host.geo.country_iso_code` | Copied | Vendor.CountryCode |
| `host.geo.location.lat` | Copied | Vendor.Latitude |
| `host.geo.location.lon` | Copied | Vendor.Longitude |
| `host.hostname` | Copied | Vendor.Hostname |
| `host.name` | Copied | Vendor.Connector, Vendor.PrivateCloudController, Vendor.ServiceEdge, Vendor.PrivateSE |
| `host.network.egress.packets` | Copied | Vendor.PacketsTxInterface |
| `host.network.ingress.packets` | Copied | Vendor.PacketsRxInterface |
| `host.os.platform` | Copied | Vendor.Platform |
| `host.uptime` | Copied | Vendor.HostUpTime |
| `http.request.body.bytes` | Copied | Vendor.RequestBodySize |
| `http.request.method` | Copied | Vendor.Method |
| `http.response.body.bytes` | Copied | Vendor.ResponseBodySize |
| `http.response.mime_type` | Copied | Vendor.ContentType |
| `http.response.status_code` | Copied | Vendor.StatusCode |
| `http.version` | Copied | Vendor.ProtocolVersion |
| `network.application` | Copied | Vendor.Application |
| `network.forwarded_ip` | Copied | Vendor.XFF |
| `network.iana_number` | Copied | Vendor.IPProtocol |
| `network.protocol` | Copied | Vendor.Protocol, Vendor.InspectionProtocolConfig |
| `observer.geo.city_name` | Copied | Vendor.AuditNewValue.cityCountry, Vendor.AuditOldValue.cityCountry |
| `observer.geo.country_iso_code` | Copied | Vendor.CountryCode, Vendor.ZENCountryCode |
| `observer.geo.country_name` | Copied | Vendor.AuditNewValue.location, Vendor.AuditOldValue.location |
| `observer.geo.location.lat` | Copied | Vendor.Latitude, Vendor.ZENLatitude |
| `observer.geo.location.lon` | Copied | Vendor.Longitude, Vendor.ZENLongitude |
| `observer.name` | Copied | Vendor.Connector, Vendor.Exporter, Vendor.ClientZEN, Vendor.ZEN, Vendor.PrivateCloudController, Vendor.ServiceEdge, Vendor.PrivateSE |
| `observer.os.platform` | Copied | Vendor.Platform |
| `observer.version` | Copied | Vendor.Version |
| `organization.id` | Copied | Vendor.CustomerID |
| `organization.name` | Copied | Vendor.Customer |
| `rule.name` | Copied | Vendor.InspectionPolicy, Vendor.Policy |
| `rule.ruleset` | Copied | Vendor.InspectionProfile |
| `server.address` | Copied | destination.address |
| `server.bytes` | Copied | destination.bytes, Vendor.TotalBytesRx |
| `server.domain` | Copied | destination.domain |
| `server.ip` | Copied | destination.ip |
| `server.port` | Copied | destination.port |
| `service.name` | Copied | Vendor.Application |
| `service.node.name` | Copied | Vendor.PrivateCloudController |
| `service.version` | Copied | Vendor.Version |
| `source.bytes` | Copied | Vendor.ZENTotalBytesTxClient, Vendor.TotalBytesTx |
| `source.geo.city_name` | Copied | Vendor.City |
| `source.geo.country_iso_code` | Copied | Vendor.CountryCode, Vendor.ClientCountryCode |
| `source.geo.location.lat` | Copied | Vendor.Latitude, Vendor.ClientLatitude |
| `source.geo.location.lon` | Copied | Vendor.Longitude, Vendor.ClientLongitude |
| `source.nat.ip` | Copied | Vendor.ClientPrivateIp, Vendor.PrivateIP |
| `source.port` | Copied | Vendor.ClientPort, Vendor.ClientPublicPort |
| `tls.client.x509.issuer.distinguished_name` | Copied | Vendor.AuditNewValue.issuedTo, Vendor.AuditOldValue.issuedTo |
| `tls.client.x509.not_after` | Copied | Vendor.AuditNewValue.expirationTimeInSeconds, Vendor.AuditOldValue.expirationTimeInSeconds |
| `tls.client.x509.not_before` | Copied | Vendor.AuditNewValue.creationTimeInSeconds, Vendor.AuditOldValue.creationTimeInSeconds |
| `url.original` | Copied | Vendor.URL |
| `user.email` | Copied | Vendor.UserID, Vendor.User, Vendor.NameID |
| `user.id` | Copied | Vendor.ModifiedBy, Vendor.NameID |
| `user.name` | Copied | Vendor.Username, Vendor.User, Vendor.NameID |
| `user.target.email` | Copied | Vendor.AuditNewValue.email, Vendor.AuditOldValue.email |
| `user.target.id` | Copied | Vendor.AuditNewValue.id, Vendor.AuditOldValue.id |
| `user.target.name` | Copied | Vendor.AuditNewValue.displayName, Vendor.AuditOldValue.displayName |
| `user_agent.original` | Copied | Vendor.UserAgent |
| `event.dataset` | Determined | Vendor.sourcetype |
| `event.outcome` | Determined | Various status fields |
| `network.transport` | Determined | network.iana_number |
| `destination.address` | Extracted | Vendor.Destination, Vendor.Domain, Vendor.Host |
| `destination.domain` | Extracted | destination.address |
| `destination.ip` | Extracted | destination.address |
| `source.address` | Extracted | Vendor.ClientPublicIp, Vendor.PublicIP, Vendor.AuditOldValue.remoteIP, Vendor.AuditNewValue.remoteIP |
| `source.domain` | Extracted | source.address |
| `source.ip` | Extracted | source.address |
| `url.domain` | Extracted | url.full |
| `url.full` | Formatted | Vendor.Protocol, Vendor.Host, Vendor.URL |
| `@timestamp` | Parsed | Vendor.LogTimestamp, Vendor.ModifiedTime, Vendor.CreationTime |
| `ecs.version` | Static | None |
| `event.kind` | Static | None |
| `event.module` | Static | None |

| Vendor Field | CPS Field | Description |
|---|---|---|
| source.address | client.address | |
| source.bytes | client.bytes | |
| source.domain | client.domain | |
| source.geo.city_name | client.geo.city_name | |
| source.geo.country_iso_code | client.geo.country_iso_code | |
| source.geo.location.lat | client.geo.location.lat | |
| source.geo.location.lon | client.geo.location.lon | |
| source.ip | client.ip | |
| source.nat.ip | client.nat.ip | |
| source.port | client.port | |
| Vendor.ZENTotalBytesRxClient | destination.bytes | |
| Vendor.ApplicationPort | destination.port | |
| Vendor.ServerPort | destination.port | |
| Vendor.AuditOperationType | event.action | |
| Vendor.CreationTime | event.created | |
| Vendor.TimestampConnectionEnd | event.end | |
| Vendor.TimestampResponseTransmitFinish | event.end | |
| Vendor.TimestampUnAuthentication | event.end | |
| Vendor.RequestID | event.id | |
| Vendor.AuditOldValue | event.original | |
| Vendor.ConnectionReason | event.reason | |
| Vendor.InternalReason | event.reason | |
| Vendor.TimestampAuthentication | event.start | |
| Vendor.TimestampConnectionStart | event.start | |
| Vendor.TimestampRequestReceiveStart | event.start | |
| Vendor.AuditNewValue.id | group.id | |
| Vendor.AuditOldValue.id | group.id | |
| Vendor.AuditNewValue.name | group.name | |
| Vendor.AuditOldValue.name | group.name | |
| Vendor.CPUUtilization | host.cpu.usage | |
| Vendor.CountryCode | host.geo.country_iso_code | |
| Vendor.Latitude | host.geo.location.lat | |
| Vendor.Longitude | host.geo.location.lon | |
| Vendor.Connector | host.name | |
| Vendor.PrivateCloudController | host.name | |
| Vendor.PrivateSE | host.name | |
| Vendor.ServiceEdge | host.name | |
| host.hostname | host.name | |
| Vendor.BytesTxInterface | host.network.egress.bytes | |
| Vendor.TotalBytesTx | host.network.egress.bytes | |
| Vendor.TransmittedBytesToPublicSE | host.network.egress.bytes | |
| Vendor.PacketsTxInterface | host.network.egress.packets | |
| Vendor.BytesRxInterface | host.network.ingress.bytes | |
| Vendor.ReceivedBytesFromPublicSE | host.network.ingress.bytes | |
| Vendor.TotalBytesRx | host.network.ingress.bytes | |
| Vendor.PacketsRxInterface | host.network.ingress.packets | |
| Vendor.Platform | host.os.platform | |
| Vendor.HostUpTime | host.uptime | |
| Vendor.RequestBodySize | http.request.body.bytes | |
| Vendor.RequestHdrSize | http.request.bytes | |
| Vendor.RequestSize | http.request.bytes | |
| Vendor.Method | http.request.method | |
| Vendor.ResponseBodySize | http.response.body.bytes | |
| Vendor.ResponseHdrSize | http.response.bytes | |
| Vendor.ResponseSize | http.response.bytes | |
| Vendor.ContentType | http.response.mime_type | |
| Vendor.StatusCode | http.response.status_code | |
| Vendor.ProtocolVersion | http.version | |
| Vendor.TotalBytesRx | network.bytes | |
| Vendor.ZENTotalBytesTxClient | network.bytes | |
| host.network.ingress.bytes | network.bytes | |
| Vendor.XFF | network.forwarded_ip | |
| Vendor.IPProtocol | network.iana_number | |
| Vendor.AuditNewValue.cityCountry | observer.geo.city_name | |
| Vendor.AuditOldValue.cityCountry | observer.geo.city_name | |
| Vendor.CountryCode | observer.geo.country_iso_code | |
| Vendor.ZENCountryCode | observer.geo.country_iso_code | |
| Vendor.AuditNewValue.latitude | observer.geo.location.lat | |
| Vendor.AuditOldValue.latitude | observer.geo.location.lat | |
| Vendor.Latitude | observer.geo.location.lat | |
| Vendor.ZENLatitude | observer.geo.location.lat | |
| Vendor.AuditNewValue.longitude | observer.geo.location.lon | |
| Vendor.AuditOldValue.longitude | observer.geo.location.lon | |
| Vendor.Longitude | observer.geo.location.lon | |
| Vendor.ZENLongitude | observer.geo.location.lon | |
| Vendor.ClientZEN | observer.name | |
| Vendor.Connector | observer.name | |
| Vendor.Exporter | observer.name | |
| Vendor.PrivateCloudController | observer.name | |
| Vendor.PrivateSE | observer.name | |
| Vendor.ServiceEdge | observer.name | |
| Vendor.ZEN | observer.name | |
| Vendor.Platform | observer.os.platform | |
| Vendor.Version | observer.version | |
| Vendor.CustomerID | organization.id | |
| Vendor.Customer | organization.name | |
| Vendor.InspectionPolicy | rule.name | |
| Vendor.Policy | rule.name | |
| Vendor.InspectionProfile | rule.ruleset | |
| destination.address | server.address | |
| Vendor.TotalBytesRx | server.bytes | |
| destination.bytes | server.bytes | |
| destination.domain | server.domain | |
| destination.ip | server.ip | |
| destination.port | server.port | |
| Vendor.Application | service.name | |
| Vendor.PrivateCloudController | service.node.name | |
| Vendor.Version | service.version | |
| Vendor.TotalBytesTx | source.bytes | |
| Vendor.ZENTotalBytesTxClient | source.bytes | |
| Vendor.City | source.geo.city_name | |
| Vendor.ClientCountryCode | source.geo.country_iso_code | |
| Vendor.CountryCode | source.geo.country_iso_code | |
| Vendor.ClientLatitude | source.geo.location.lat | |
| Vendor.Latitude | source.geo.location.lat | |
| Vendor.ClientLongitude | source.geo.location.lon | |
| Vendor.Longitude | source.geo.location.lon | |
| Vendor.AuditOldValue.remoteIP | source.ip | |
| Vendor.ClientPrivateIp | source.nat.ip | |
| Vendor.PrivateIP | source.nat.ip | |
| Vendor.ClientPort | source.port | |
| Vendor.ClientPublicPort | source.port | |
| Vendor.AuditOldValue.expirationTimeInSeconds | tls.client.x509.not_after | |
| Vendor.AuditOldValue.creationTimeInSeconds | tls.client.x509.not_before | |
| Vendor.URL | url.original | |
| Vendor.NameID | user.email | |
| Vendor.UserID | user.email | |
| Vendor.ModifiedBy | user.id | |
| Vendor.Username | user.name | |
| Vendor.AuditNewValue.email | user.target.email | |
| Vendor.AuditOldValue.email | user.target.email | |
| Vendor.AuditNewValue.id | user.target.id | |
| Vendor.AuditOldValue.id | user.target.id | |
| Vendor.AuditNewValue.displayName | user.target.name | |
| Vendor.AuditOldValue.displayName | user.target.name | |
| roles.name | user.target.roles | |
| Vendor.UserAgent | user_agent.original | |