Parsers and Generated Fields
Tag Fields Created by Parser zscaler-privateaccess
- #Cps.version
- #Vendor
- #ecs.version
- #event.dataset
- #event.kind
- #event.module
- #event.outcome
- #observer.type
Fields Identified by Parser zscaler-privateaccess
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.LogTimestamp, Vendor.ModifiedTime, Vendor.CreationTime | @timestamp | Event timestamp | Parsed from timestamp fields using parseTimestamp() |
| source.address | client.address | Client network address | Copied from source.address |
| Vendor.TotalBytesTx, Vendor.ZENTotalBytesTxClient | client.bytes | Total bytes sent by client | Copied from source.bytes |
| source.domain | client.domain | Client domain name | Copied from source.domain |
| Vendor.City | client.geo.city_name | Client's city name | Copied from source.geo.city_name |
| Vendor.CountryCode, Vendor.ClientCountryCode | client.geo.country_iso_code | Client's country code | Copied from source.geo.country_iso_code |
| Vendor.Latitude, Vendor.ClientLatitude | client.geo.location.lat | Client's latitude coordinate | Copied from source.geo.location.lat |
| Vendor.Longitude, Vendor.ClientLongitude | client.geo.location.lon | Client's longitude coordinate | Copied from source.geo.location.lon |
| source.ip | client.ip | Client's IP address | Copied from source.ip |
| Vendor.ClientPrivateIp | client.nat.ip | Client's NAT IP address | Copied from source.nat.ip |
| Vendor.ClientPort, Vendor.ClientPublicPort | client.port | Client's port number | Copied from source.port |
| Vendor.Destination, Vendor.Domain, Vendor.Host | destination.address | Destination network address | Extracted from vendor fields with address normalization |
| Vendor.ZENTotalBytesRxClient | destination.bytes | Total bytes received at destination | Copied from field |
| destination.address | destination.domain | Destination domain name | Extracted when destination.address is not IP |
| destination.address | destination.ip | Destination IP address | Extracted when destination.address is IP |
| Vendor.ServerPort, Vendor.ApplicationPort | destination.port | Destination port number | Copied from field |
| None | ecs.version | ECS schema version | Static value: 9.1.0 |
| Vendor.AuditOperationType | event.action | Type of action performed | Copied from field |
| None | event.category[] | Event categorization | Array populated based on dataset and conditions |
| Vendor.CreationTime | event.created | Event creation timestamp | Copied from field |
| Vendor.sourcetype | event.dataset | Dataset identifier | Determined from sourcetype or field analysis |
| Vendor.TimestampUnAuthentication, Vendor.TimestampResponseTransmitFinish, Vendor.TimestampConnectionEnd | event.end | Event end time | Copied from timestamp fields |
| Vendor.RequestID | event.id | Unique event identifier | Copied from field |
| None | event.kind | Event kind classification | Static value based on dataset |
| None | event.module | Module identifier | Static value: zpa |
| Vendor.AuditOldValue | event.original | Original event data | Copied from field |
| Various status fields | event.outcome | Event outcome | Determined from status codes and conditions |
| Vendor.InternalReason, Vendor.ConnectionReason | event.reason | Reason for event | Copied from field |
| Vendor.TimestampAuthentication, Vendor.TimestampRequestReceiveStart, Vendor.TimestampConnectionStart | event.start | Event start time | Copied from timestamp fields |
| None | event.type[] | Event type classification | Array populated based on conditions |
| Vendor.AuditNewValue.id, Vendor.AuditOldValue.id | group.id | Group identifier | Copied from audit value fields |
| Vendor.AuditNewValue.name, Vendor.AuditOldValue.name | group.name | Group name | Copied from audit value fields |
| Vendor.CPUUtilization | host.cpu.usage | CPU utilization as decimal | Copied from field with percentage conversion |
| Vendor.CountryCode | host.geo.country_iso_code | Host country code | Copied from field |
| Vendor.Latitude | host.geo.location.lat | Host latitude | Copied from field |
| Vendor.Longitude | host.geo.location.lon | Host longitude | Copied from field |
| Vendor.Hostname | host.hostname | System hostname | Copied from field with lowercase transformation |
| Vendor.PublicIP, Vendor.PrivateIP | host.ip[] | Host IP addresses | Array populated from IP fields |
| Vendor.Connector, Vendor.PrivateCloudController, Vendor.ServiceEdge, Vendor.PrivateSE | host.name | Host name | Copied from field |
| Vendor.TotalBytesTx, Vendor.TransmittedBytesToPublicSE, Vendor.TransmittedBytesToPrivateSE, Vendor.BytesTxInterface | host.network.egress.bytes | Host outbound network bytes | Calculated from vendor fields |
| Vendor.PacketsTxInterface | host.network.egress.packets | Host outbound network packets | Copied from field |
| Vendor.TotalBytesRx, Vendor.ReceivedBytesFromPublicSE, Vendor.ReceivedBytesFromPrivateSE, Vendor.BytesRxInterface | host.network.ingress.bytes | Host inbound network bytes | Calculated from vendor fields |
| Vendor.PacketsRxInterface | host.network.ingress.packets | Host inbound network packets | Copied from field |
| Vendor.Platform | host.os.platform | Operating system platform | Copied from field |
| Vendor.HostUpTime | host.uptime | Host uptime in seconds | Copied from field |
| Vendor.RequestBodySize | http.request.body.bytes | HTTP request body size | Copied from field |
| Vendor.RequestHdrSize, Vendor.RequestBodySize, Vendor.RequestSize | http.request.bytes | Total HTTP request bytes | Calculated from header and body sizes |
| Vendor.Method | http.request.method | HTTP request method | Copied from field |
| Vendor.ResponseBodySize | http.response.body.bytes | HTTP response body size | Copied from field |
| Vendor.ResponseHdrSize, Vendor.ResponseBodySize, Vendor.ResponseSize | http.response.bytes | Total HTTP response bytes | Calculated from header and body sizes |
| Vendor.ContentType | http.response.mime_type | HTTP response content type | Copied from field |
| Vendor.StatusCode | http.response.status_code | HTTP response status code | Copied from field |
| Vendor.ProtocolVersion | http.version | HTTP version | Copied from field |
| Vendor.Application | network.application | Network application name | Copied from field with lowercase transformation |
| Multiple vendor byte fields | network.bytes | Total network bytes | Calculated from various byte fields |
| Vendor.XFF | network.forwarded_ip | Forwarded IP address | Copied from field |
| Vendor.IPProtocol | network.iana_number | IANA protocol number | Copied from field |
| Vendor.Protocol, Vendor.InspectionProtocolConfig | network.protocol | Network protocol | Copied from field with lowercase transformation |
| network.iana_number | network.transport | Transport protocol | Determined from IANA number |
| Vendor.AuditNewValue.cityCountry, Vendor.AuditOldValue.cityCountry | observer.geo.city_name | Observer city | Copied from audit value fields |
| Vendor.CountryCode, Vendor.ZENCountryCode | observer.geo.country_iso_code | Observer country code | Copied from field |
| Vendor.AuditNewValue.location, Vendor.AuditOldValue.location | observer.geo.country_name | Observer country name | Copied from audit value fields |
| Vendor.Latitude, Vendor.ZENLatitude | observer.geo.location.lat | Observer latitude | Copied from field |
| Vendor.Longitude, Vendor.ZENLongitude | observer.geo.location.lon | Observer longitude | Copied from field |
| Vendor.PublicIP | observer.ip[] | Observer IP addresses | Array populated from IP fields |
| Vendor.Connector, Vendor.Exporter, Vendor.ClientZEN, Vendor.ZEN, Vendor.PrivateCloudController, Vendor.ServiceEdge, Vendor.PrivateSE | observer.name | Observer name | Copied from field |
| Vendor.Platform | observer.os.platform | Observer OS platform | Copied from field |
| Vendor.Version | observer.version | Observer version | Copied from field |
| Vendor.CustomerID | organization.id | Organization identifier | Copied from field |
| Vendor.Customer | organization.name | Organization name | Copied from field |
| Vendor.InspectionPolicy, Vendor.Policy | rule.name | Security rule name | Copied from field |
| Vendor.InspectionProfile | rule.ruleset | Security rule set | Copied from field |
| destination.address | server.address | Server network address | Copied from destination.address |
| destination.bytes, Vendor.TotalBytesRx | server.bytes | Server bytes transmitted | Copied from destination.bytes |
| destination.domain | server.domain | Server domain name | Copied from destination.domain |
| destination.ip | server.ip | Server IP address | Copied from destination.ip |
| destination.port | server.port | Server port number | Copied from destination.port |
| Vendor.Application | service.name | Service name | Copied from field |
| Vendor.PrivateCloudController | service.node.name | Service node name | Copied from field |
| Vendor.Version | service.version | Service version | Copied from field |
| Vendor.ClientPublicIp, Vendor.PublicIP, Vendor.AuditOldValue.remoteIP, Vendor.AuditNewValue.remoteIP | source.address | Source network address | Extracted from vendor fields with address normalization |
| Vendor.ZENTotalBytesTxClient, Vendor.TotalBytesTx | source.bytes | Source bytes transmitted | Copied from field |
| source.address | source.domain | Source domain name | Extracted when source.address is not IP |
| Vendor.City | source.geo.city_name | Source city name | Copied from field |
| Vendor.CountryCode, Vendor.ClientCountryCode | source.geo.country_iso_code | Source country code | Copied from field |
| Vendor.Latitude, Vendor.ClientLatitude | source.geo.location.lat | Source latitude | Copied from field |
| Vendor.Longitude, Vendor.ClientLongitude | source.geo.location.lon | Source longitude | Copied from field |
| source.address | source.ip | Source IP address | Extracted when source.address is IP |
| Vendor.ClientPrivateIp, Vendor.PrivateIP | source.nat.ip | Source NAT IP address | Copied from field |
| Vendor.ClientPort, Vendor.ClientPublicPort | source.port | Source port number | Copied from field |
| Vendor.AuditNewValue.subjectAlternateNames, Vendor.AuditOldValue.subjectAlternateNames | tls.client.x509.alternative_names[] | Certificate alternative names | Array from audit value fields |
| Vendor.AuditNewValue.commonName, Vendor.AuditOldValue.commonName | tls.client.x509.issuer.common_name[] | Certificate issuer common name | Array populated from certificate fields |
| Vendor.AuditNewValue.issuedTo, Vendor.AuditOldValue.issuedTo | tls.client.x509.issuer.distinguished_name | Certificate distinguished name | Copied from audit value fields |
| Vendor.AuditNewValue.expirationTimeInSeconds, Vendor.AuditOldValue.expirationTimeInSeconds | tls.client.x509.not_after | Certificate expiration time | Copied from audit value fields |
| Vendor.AuditNewValue.creationTimeInSeconds, Vendor.AuditOldValue.creationTimeInSeconds | tls.client.x509.not_before | Certificate creation time | Copied from audit value fields |
| Vendor.CertificateCN | tls.client.x509.subject.common_name[] | Certificate subject common name | Array populated from certificate field |
| url.full | url.domain | URL domain component | Extracted from url.full using parseUrl() |
| Vendor.Protocol, Vendor.Host, Vendor.URL | url.full | Complete URL | Formatted from protocol, host, and URL fields |
| Vendor.URL | url.original | Original URL path | Copied from field |
| Vendor.UserID, Vendor.User, Vendor.NameID | user.email | User email address | Copied from field when it contains an @ symbol |
| Vendor.ModifiedBy, Vendor.NameID | user.id | User identifier | Copied from field |
| Vendor.Username, Vendor.User, Vendor.NameID | user.name | Username | Copied from field |
| Vendor.AuditNewValue.email, Vendor.AuditOldValue.email | user.target.email | Target user email | Copied from audit value fields |
| Vendor.AuditNewValue.id, Vendor.AuditOldValue.id | user.target.id | Target user ID | Copied from audit value fields |
| Vendor.AuditNewValue.displayName, Vendor.AuditOldValue.displayName | user.target.name | Target user name | Copied from audit value fields |
| Vendor.AuditNewValue.roles[], Vendor.AuditOldValue.roles[] | user.target.roles[] | Target user roles | Array from audit value role fields using objectArray:eval |
| Vendor.UserAgent | user_agent.original | Original user agent string | Copied from field |