Parsers and Generated Fields
Tag Fields Created by Parser zscaler-privateaccess
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser zscaler-privateaccess
| Vendor Field | CPS Field | Description |
|---|---|---|
| LogTimestamp | @timestamp | Timestamp parsing from log entry |
| TotalBytesRx | client.bytes | Total bytes received by client |
| Vendor.TotalBytesRx | client.bytes | |
| Vendor.TotalBytesTx | client.bytes | |
| Vendor.City | client.geo.city_name | |
| CountryCode | client.geo.country_iso_code | Client's country code |
| Vendor.ClientCountryCode | client.geo.country_iso_code | |
| Vendor.CountryCode | client.geo.country_iso_code | |
| Latitude | client.geo.location.lat | Client's latitude |
| Vendor.ClientLatitude | client.geo.location.lat | |
| Vendor.Latitude | client.geo.location.lat | |
| Longitude | client.geo.location.lon | Client's longitude |
| Vendor.ClientLongitude | client.geo.location.lon | |
| Vendor.Longitude | client.geo.location.lon | |
| PublicIP | client.ip | Client's public IP address |
| Vendor.ClientPublicIP | client.ip | |
| Vendor.ClientPublicIp | client.ip | |
| Vendor.PublicIP | client.ip | |
| DefRouteGW | client.nat.ip | Default route gateway IP |
| Vendor.DefRouteGW | client.nat.ip | |
| Vendor.ClientPort | client.port | |
| Vendor.ClientPublicPort | client.port | |
| AuditOperationType | event.action | Type of audit operation |
| Vendor.AuditOperationType | event.action | |
| RequestID | event.id | Request identifier |
| Vendor.RequestID | event.id | |
| InternalReason | event.reason | Reason for event outcome |
| Vendor.ConnectionReason | event.reason | |
| Vendor.InternalReason | event.reason | |
| Vendor.AuditNewValue.id | group.id | |
| Vendor.AuditOldValue.id | group.id | |
| Vendor.AuditNewValue.name | group.name | |
| Vendor.AuditOldValue.name | group.name | |
| CPUUtilization | host.cpu.usage | CPU utilization percentage |
| Vendor.CPUUtilization | host.cpu.usage | |
| Hostname | host.hostname | System hostname |
| Platform | host.os.platform | Operating system platform |
| Vendor.Platform | host.os.platform | |
| RequestSize | http.request.body.bytes | Size of HTTP request body |
| Vendor.RequestBodySize | http.request.body.bytes | |
| Vendor.RequestSize | http.request.body.bytes | |
| Method | http.request.method | HTTP request method |
| Vendor.Method | http.request.method | |
| ResponseSize | http.response.body.bytes | Size of HTTP response body |
| Vendor.ResponseBodySize | http.response.body.bytes | |
| Vendor.ResponseSize | http.response.body.bytes | |
| StatusCode | http.response.status_code | HTTP response status code |
| Vendor.StatusCode | http.response.status_code | |
| Vendor.ProtocolVersion | http.version | |
| Vendor.TotalBytesProcessed | network.bytes | |
| Vendor.TotalBytesTx | network.bytes | |
| Protocol | network.protocol | Network protocol used |
| Vendor.AuditNewValue.cityCountry | observer.geo.city_name | |
| Vendor.AuditOldValue.cityCountry | observer.geo.city_name | |
| Latitude | observer.geo.location.lat | Observer latitude |
| Vendor.AuditNewValue.latitude | observer.geo.location.lat | |
| Vendor.AuditOldValue.latitude | observer.geo.location.lat | |
| Vendor.Latitude | observer.geo.location.lat | |
| Longitude | observer.geo.location.lon | Observer longitude |
| Vendor.AuditNewValue.longitude | observer.geo.location.lon | |
| Vendor.AuditOldValue.longitude | observer.geo.location.lon | |
| Vendor.Longitude | observer.geo.location.lon | |
| PrivateIP | observer.ip[] | Observer private IP address |
| PublicIP | observer.ip[] | Observer public IP address |
| Platform | observer.os.platform | Observer operating system platform |
| Vendor.Platform | observer.os.platform | |
| CustomerID | organization.id | Customer organization ID |
| Vendor.CustomerID | organization.id | |
| Customer | organization.name | Customer organization name |
| Vendor.Customer | organization.name | |
| Vendor.Version | package.version | |
| Version | package.version | Software version |
| Host | server.address | Server hostname/address |
| Vendor.AuditNewValue.domainOrIpAddress | server.address | |
| Vendor.AuditOldValue.domainOrIpAddress | server.address | |
| TotalBytesTx | server.bytes | Total bytes transmitted by server |
| Vendor.TotalBytesTx | server.bytes | |
| Vendor.ZENCountryCode | server.geo.country_iso_code | |
| Vendor.ZENLatitude | server.geo.location.lat | |
| Vendor.ZENLongitude | server.geo.location.lon | |
| ServerIP | server.ip | Server IP address |
| Vendor.ServerIP | server.ip | |
| ServerPort | server.port | Server port number |
| Vendor.ApplicationPort | server.port | |
| Vendor.ServerPort | server.port | |
| CertificateCN | tls.client.x509.issuer.common_name[] | Certificate common name |
| Vendor.AuditNewValue.expirationTimeInSeconds | tls.client.x509.not_after | |
| Vendor.AuditOldValue.expirationTimeInSeconds | tls.client.x509.not_after | |
| Vendor.AuditNewValue.creationTimeInSeconds | tls.client.x509.not_before | |
| Vendor.AuditOldValue.creationTimeInSeconds | tls.client.x509.not_before | |
| ModifiedBy | user.id | User ID who modified the resource |
| Vendor.ModifiedBy | user.id | |
| User | user.name | Username who performed the action |
| Username | user.name | User associated with the event |
| Vendor.NameID | user.name | |
| Vendor.User | user.name | |
| Vendor.Username | user.name | |
| AuditNewValue.email | user.target.email | Target user email address |
| Vendor.AuditNewValue.email | user.target.email | |
| Vendor.AuditOldValue.email | user.target.email | |
| Vendor.AuditNewValue.id | user.target.id | |
| Vendor.AuditOldValue.id | user.target.id | |
| AuditNewValue.roles[].name | user.target.roles[] | Target user roles |
| UserAgent | user_agent.original | User agent string |
| Vendor.UserAgent | user_agent.original |