Collect Zscaler Webproxy logs
Supported in:
This document describes how you can export Zscaler Webproxy logs by setting up a Google Security Operations feed and how log fields map to Google SecOps Unified Data Model (UDM) fields.
For more information, see Data ingestion to Google SecOps overview.
A typical deployment consists of Zscaler Webproxy and the Google SecOps Webhook feed configured to send logs to Google SecOps. Each customer deployment can differ and might be more complex.
The deployment contains the following components:
Zscaler Webproxy: The platform from which you collect logs.
Google SecOps feed: The Google SecOps feed that fetches logs from Zscaler Webproxy and writes logs to Google SecOps.
Google SecOps: Retains and analyzes the logs.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the ZSCALER_WEBPROXY ingestion label.
Before you begin
Ensure you have the following prerequisites:
- Access to Zscaler Internet Access console. For more information, see Secure Internet and SaaS Access ZIA Help.
- Zscaler Webproxy 2024 or later
- All systems in the deployment architecture are configured with the UTC time zone.
- The API key which is needed to complete feed setup in Google Security Operations. For more information, see Setting up API keys.
Set up feeds
There are two different entry points to set up feeds in the Google SecOps platform:
- SIEM Settings > Feeds
- Content Hub > Content Packs
Set up feeds from SIEM Settings > Feeds
To configure multiple feeds for different log types within this product family, see Configure feeds by product.
To configure a single feed, follow these steps:
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- In the Feed name field, enter a name for the feed; for example, Zscaler Webproxy Logs.
- Select Webhook as the Source Type.
- Select Zscaler as the Log Type.
- Click Next.
- Optional: Enter values for the following input parameters:
- Split delimiter: The delimiter that is used to separate the logs lines. Leave blank if a delimiter is not used.
- Asset namespace: The asset namespace.
- Ingestion labels: The label to be applied to the events from this feed.
- Click Next.
- Review your new feed configuration, and then click Submit.
- Click Generate Secret Key to generate a secret key to authenticate this feed.
Set up feeds from the Content Hub
Specify values for the following fields:
- Split delimiter: The delimiter that is used to separate log lines, such as
\n.
Advanced options
- Feed Name: A prepopulated value that identifies the feed.
- Source Type: Method used to collect logs into Google SecOps.
- Asset namespace: The asset namespace.
- Ingestion labels: The label applied to the events from this feed.
- Click Next.
- Review the feed configuration in the Finalize screen, and then click Submit.
- Click Generate Secret Key to generate a secret key to authenticate this feed.
Set up Zscaler Webproxy
- In the Zscaler Internet Access console, click Administration > Nanolog Streaming Service > Cloud NSS Feeds and then click Add Cloud NSS Feed.
- The Add Cloud NSS Feed window appears. In the Add Cloud NSS Feed window, enter the details.
- Enter a name for the feed in the Feed Name field.
- Select NSS for Web in NSS Type.
- Select the status from the Status list to activate or deactivate the NSS feed.
- Keep the value in the SIEM Rate drop-down as Unlimited. To suppress the output stream due to licensing or other constraints, change the value.
- Select Other in the SIEM Type list.
- Select Disabled in the OAuth 2.0 Authentication list.
- Enter a size limit for an individual HTTP request payload to the SIEM's best practice in Max Batch Size. For example, 512 KB.
Enter the HTTPS URL of the Chronicle API endpoint in the API URL in the following format:
https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogsCHRONICLE_REGION: Region where your Chronicle instance is hosted. For example, US.GOOGLE_PROJECT_NUMBER: BYOP project number. Obtain this from C4.LOCATION: Chronicle region. For example, US.CUSTOMER_ID: Chronicle customer ID. Obtain from C4.FEED_ID: Feed ID shown on Feed UI on the new webhook created- Sample API URL:
https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogsClick Add HTTP Header, and then add HTTP headers in the following format:
Header 1: Key1:X-goog-api-keyand Value1: API Key generated on Google Cloud BYOP's API Credentials.Header 2: Key2:X-Webhook-Access-Keyand Value2: API secret key generated on webhook's "SECRET KEY".
Select Web Logs in the Log Types list.
Select JSON in the Feed Output Type list.
Set Feed Escape Character to
, \ ".To add a new field to the Feed Output Format, select Custom in the Feed Output Type list.
Copy-paste the Feed Output Format and add new fields. Ensure the key names match the actual field names.
Following is the default Feed Output Format:
\{ "sourcetype" : "zscalernss-web", "event" : \{"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}","reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}","transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}","urlcategory":"%s{urlcat}","serverip":"%s{sip}","requestmethod":"%s{reqmethod}","refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}","ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler","hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}","threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}","threatseverity":"%s{threatseverity}","department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}","dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}","dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}","keyprotectiontype":"%s{keyprotectiontype}"\}\}Select the timezone for the Time field in the output file in the Timezone list. By default, the timezone is set to your organization's time zone.
Review the configured settings.
Click Save to test connectivity. If the connection is successful, a green tick accompanied by the message Test Connectivity Successful: OK (200) appears.
For more information about Google SecOps feeds, see Google SecOps feeds documentation. For information about requirements for each feed type, see Feed configuration by type.
If you encounter issues when you create feeds, contact Google SecOps support.
Supported Zscaler Webproxy log formats
The Zscaler Webproxy parser supports logs in JSON format.
Supported Zscaler Webproxy Sample Logs
JSON
{ "event": { "ClientIP": "198.51.100.0", "action": "Allowed", "appclass": "Sales and Marketing", "appname": "Trend Micro", "bwthrottle": "NO", "clientpublicIP": "198.51.100.1", "contenttype": "Other", "datetime": "2024-05-06 10:56:04", "department": "Mid-Continent%20Companies", "devicehostname": "dummyhostname", "deviceowner": "dummydeviceowner", "dlpdictionaries": "None", "dlpengine": "None", "event_id": "7365838693731467265", "fileclass": "None", "filetype": "None", "hostname": "dummyhostname.com", "keyprotectiontype": "N/A", "location": "Road%20Warrior", "pagerisk": "0", "product": "NSS", "protocol": "HTTP_PROXY", "reason": "Allowed", "refererURL": "None", "requestmethod": "CONNECT", "requestsize": "606", "responsesize": "65", "serverip": "198.51.10.2", "status": "200", "threatcategory": "None", "threatclass": "None", "threatname": "None", "threatseverity": "None", "transactionsize": "671", "unscannabletype": "None", "url": "dummyurl.com:443", "urlcategory": "SSL - DNI - Bypass", "urlclass": "Bandwidth Loss", "urlsupercategory": "User-defined", "user": "abc@xyz.com", "useragent": "dummyuseragent", "vendor": "Zscaler" }, "sourcetype": "zscalernss-web" }
Field mapping reference
The following table lists the log fields of the ZSCALER_WEBPROXY log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Zscaler. |
|
metadata.event_type |
If the ClientIP log field value is not empty and the serverip log field value is not empty and the proto log field value contain one of the following values, then the metadata.event_type UDM field is set to NETWORK_HTTP.
ClientIP log field value is not empty and the serverip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.Else, if the user log field value is not empty or the deviceowner log field value is not empty, then the metadata.event_type UDM field is set to USER_UNCATEGORIZED.Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
|
metadata.product_name |
The metadata.product_name UDM field is set to Web Proxy. |
sourcetype |
additional.fields[sourcetype] |
|
datetime |
metadata.event_timestamp |
|
tz |
additional.fields[tz] |
|
ss |
additional.fields[ss] |
|
mm |
additional.fields[mm] |
|
hh |
additional.fields[hh] |
|
dd |
additional.fields[dd] |
|
mth |
additional.fields[mth] |
|
yyyy |
additional.fields[yyyy] |
|
mon |
additional.fields[mon] |
|
day |
additional.fields[day] |
|
department |
principal.user.department |
|
b64dept |
principal.user.department |
|
edepartment |
principal.user.department |
|
user |
principal.user.email_addresses |
|
user |
principal.user.userid |
The EMAILLOCALPART field is extracted from user log field using the Grok pattern, and the EMAILLOCALPART log field is mapped to the principal.user.userid UDM field. |
b64login |
principal.user.email_addresses |
|
elogin |
principal.user.email_addresses |
|
ologin |
additional.fields[ologin] |
|
cloudname |
principal.user.attribute.labels[cloudname] |
|
company |
principal.user.company_name |
|
throttlereqsize |
security_result.detection_fields[throttlereqsize] |
|
throttlerespsize |
security_result.detection_fields[throttlerespsize] |
|
bwthrottle |
security_result.detection_fields[bwthrottle] |
|
|
security_result.category |
If the bwthrottle log field value is equal to Yes, then the security_result.category UDM field is set to POLICY_VIOLATION. |
bwclassname |
security_result.detection_fields[bwclassname] |
|
obwclassname |
security_result.detection_fields[obwclassname] |
|
bwrulename |
security_result.rule_name |
|
appname |
target.application |
|
appclass |
target.security_result.detection_fields[appclass] |
|
module |
target.security_result.detection_fields[module] |
|
app_risk_score |
target.security_result.risk_score |
If the app_risk_score log field value matches the regular expression pattern [0-9]+, then the app_risk_score log field is mapped to the security_result.risk_score UDM field. |
datacenter |
target.location.name |
|
datacentercity |
target.location.city |
|
datacentercountry |
target.location.country_or_region |
|
dlpdictionaries |
security_result.detection_fields[dlpdictionaries] |
|
odlpdict |
security_result.detection_fields[odlpdict] |
|
dlpdicthitcount |
security_result.detection_fields[dlpdicthitcount] |
|
dlpengine |
security_result.detection_fields[dlpengine] |
|
odlpeng |
security_result.detection_fields[odlpeng] |
|
dlpidentifier |
security_result.detection_fields[dlpidentifier] |
|
dlpmd5 |
security_result.detection_fields[dlpmd5] |
|
dlprulename |
security_result.rule_name |
|
odlprulename |
security_result.detection_fields[odlprulename] |
|
fileclass |
additional.fields[fileclass] |
|
filetype |
target.file.mime_type |
|
filename |
target.file.full_path |
|
b64filename |
target.file.full_path |
|
efilename |
target.file.full_path |
|
filesubtype |
additional.fields[filesubtype] |
|
upload_fileclass |
additional.fields[upload_fileclass] |
|
upload_filetype |
target.file.mime_type |
If the filetype log field value is equal to None and the upload_filetype log field value is not equal to None, then the upload_filetype log field is mapped to the target.file.mime_type UDM field. |
upload_filename |
target.file.full_path |
If the filename log field value is equal to None and the upload_filename log field value is not equal to None, then the upload_filename log field is mapped to the target.file.full_path UDM field.Else, if the filename log field value is not equal to None and the upload_filename log field value is not equal to None, then the upload_filename log field is mapped to the target.resource.attribute.labels[upload_filename] UDM field. |
b64upload_filename |
target.file.full_path |
|
eupload_filename |
target.file.full_path |
|
upload_filesubtype |
additional.fields[upload_filesubtype] |
|
upload_doctypename |
additional.fields[upload_doctypename] |
|
unscannabletype |
security_result.detection_fields[unscannabletype] |
|
rdr_rulename |
intermediary.security_result.rule_name |
|
b64rdr_rulename |
intermediary.security_result.rule_name |
|
|
intermediary.resource.resource_type |
If the rdr_rulename log field value is not empty, then the intermediary.resource.resource_type UDM field is set to GATEWAY. |
ordr_rulename |
additional.fields[ordr_rulename] |
|
fwd_type |
intermediary.resource.attribute.labels[fwd_type] |
|
fwd_gw_name |
intermediary.resource.name |
|
b64fwd_gw_name |
intermediary.resource.name |
|
ofwd_gw_name |
security_result.detection_fields[ofwd_gw_name] |
|
fwd_gw_ip |
intermediary.ip |
|
zpa_app_seg_name |
additional.fields[zpa_app_seg_name] |
|
b64zpa_app_seg_name |
additional.fields[zpa_app_seg_name] |
|
ozpa_app_seg_name |
additional.fields[ozpa_app_seg_name] |
|
reqdatasize |
additional.fields[reqdatasize] |
|
reqhdrsize |
additional.fields[reqhdrsize] |
|
requestsize |
network.sent_bytes |
|
respdatasize |
additional.fields[respdatasize] |
|
resphdrsize |
additional.fields[resphdrsize] |
|
responsesize |
network.received_bytes |
|
transactionsize |
additional.fields[transactionsize] |
|
contenttype |
additional.fields[contenttype] |
|
df_hosthead |
security_result.detection_fields[df_hosthead] |
|
df_hostname |
security_result.detection_fields[df_hostname] |
|
hostname |
target.hostnametarget.asset.hostname |
|
b64host |
target.hostnametarget.asset.hostname |
|
ehost |
target.hostnametarget.asset.hostname |
|
refererURL |
network.http.referral_url |
|
b64referer |
network.http.referral_url |
|
ereferer |
network.http.referral_url |
|
erefererpath |
additional.fields[erefererpath] |
|
refererhost |
additional.fields[refererhost] |
|
erefererhost |
additional.fields[refererhost] |
|
requestmethod |
network.http.method |
|
reqversion |
additional.fields[reqversion] |
|
status |
network.http.response_code |
|
respversion |
additional.fields[respversion] |
|
ua_token |
additional.fields[ua_token] |
|
useragent |
network.http.user_agent |
|
b64ua |
network.http.user_agent |
|
eua |
network.http.user_agent |
|
useragent |
network.http.parsed_user_agent |
|
b64ua |
network.http.parsed_user_agent |
|
eua |
network.http.parsed_user_agent |
|
uaclass |
additional.fields[uaclass] |
|
url |
target.url |
|
b64url |
target.url |
|
eurl |
target.url |
|
eurlpath |
additional.fields[eurlpath] |
|
mobappname |
additional.fields[mobappname] |
|
b64mobappname |
additional.fields[mobappname] |
|
emobappname |
additional.fields[mobappname] |
|
mobappcat |
additional.fields[mobappcat] |
|
mobdevtype |
additional.fields[mobdevtype] |
|
clt_sport |
principal.port |
|
ClientIP |
principal.ip |
|
ocip |
security_result.detection_fields[ocip] |
|
cpubip |
additional.fields[cpubip] |
|
ocpubip |
additional.fields[ocpubip] |
|
clientpublicIP |
principal.nat_ip |
|
serverip |
target.ip |
|
|
network.application_protocol |
If the protocol log field value contain one of the following values, then the network.application_protocol UDM field is set to HTTP.
protocol log field value contain one of the following values, then the network.application_protocol UDM field is set to HTTPS.
network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOL. |
alpnprotocol |
additional.fields[alpnprotocol] |
|
trafficredirectmethod |
intermediary.resource.attribute.labels[trafficredirectmethod] |
|
location |
principal.location.name |
|
elocation |
principal.location.name |
|
userlocationname |
principal.location.name |
If the userlocationname log field value is not equal to None, then the userlocationname log field is mapped to the principal.location.name UDM field. |
b64userlocationname |
principal.location.name |
|
euserlocationname |
principal.location.name |
|
rulelabel |
security_result.rule_name |
If the action log field value is equal to Blocked, then the rulelabel log field is mapped to the security_result.rule_name UDM field. |
b64rulelabel |
security_result.rule_name |
|
erulelabel |
security_result.rule_name |
|
ruletype |
security_result.rule_type |
|
reason |
security_result.description |
If the action log field value is equal to Blocked, then the reason log field is mapped to the security_result.description UDM field. |
action |
security_result.action_details |
|
|
security_result.action |
If the action log field value is equal to Allowed, then the security_result.action UDM field is set to ALLOW.Else, if the action log field value is equal to Blocked, then the security_result.action UDM field is set to BLOCK. |
urlfilterrulelabel |
security_result.rule_name |
|
b64urlfilterrulelabel |
security_result.rule_name |
|
eurlfilterrulelabel |
security_result.rule_name |
|
ourlfilterrulelabel |
security_result.detection_fields[ourlfilterrulelabel] |
|
apprulelabel |
target.security_result.rule_name |
|
b64apprulelabel |
target.security_result.rule_name |
|
oapprulelabel |
security_result.detection_fields[oapprulelabel] |
|
bamd5 |
target.file.md5 |
|
sha256 |
target.file.sha256 |
|
ssldecrypted |
security_result.detection_fields[ssldecrypted] |
|
externalspr |
security_result.about.artifact.last_https_certificate.extension.certificate_policies |
|
keyprotectiontype |
security_result.about.artifact.last_https_certificate.extension.key_usage |
|
clientsslcipher |
network.tls.client.supported_ciphers |
|
clienttlsversion |
network.tls.version |
|
clientsslsessreuse |
security_result.detection_fields[clientsslsessreuse] |
|
cltsslfailreason |
security_result.detection_fields[cltsslfailreason] |
|
cltsslfailcount |
security_result.detection_fields[cltsslfailcount] |
|
srvsslcipher |
network.tls.cipher |
|
srvtlsversion |
security_result.detection_fields[srvtlsversion] |
|
srvocspresult |
security_result.detection_fields[srvocspresult] |
|
srvcertchainvalpass |
security_result.detection_fields[srvcertchainvalpass] |
|
srvwildcardcert |
security_result.detection_fields[srvwildcardcert] |
|
serversslsessreuse |
security_result.detection_fields[server_ssl_sess_reuse] |
|
srvcertvalidationtype |
security_result.detection_fields[srvcertvalidationtype] |
|
srvcertvalidityperiod |
security_result.detection_fields[srvcertvalidityperiod] |
|
is_ssluntrustedca |
security_result.detection_fields[is_ssluntrustedca] |
|
is_sslselfsigned |
security_result.detection_fields[is_sslselfsigned] |
|
is_sslexpiredca |
security_result.detection_fields[is_sslexpiredca] |
|
pagerisk |
security_result.risk_score |
|
|
security_result.severity |
If the pagerisk log field value is greater than or equal to 90 and the pagerisk log field value is less than or equal to 100, then the security_result.severity UDM field is set to CRITICAL.If the pagerisk log field value is greater than or equal to 75 and the pagerisk log field value is less than or equal to 89, then the security_result.severity UDM field is set to HIGH.If the pagerisk log field value is greater than or equal to 46 and the pagerisk log field value is less than or equal to 74, then the security_result.severity UDM field is set to MEDIUM.If the pagerisk log field value is greater than or equal to 1 and the pagerisk log field value &is less than or equal to 45, then the security_result.severity UDM field is set to LOW.If the pagerisk log field value is equal to 0, then the security_result.severity UDM field is set to NONE. |
threatseverity |
security_result.severity_details |
If the pagerisk log field value is not empty and the threatseverity log field value is not empty, then the security_result.severity_details UDM field is set to %{pagerisk} - %{threatseverity}.Else, if the threatseverity log field value is not empty, then the threatseverity log field is mapped to the security_result.severity_details UDM field. |
activity |
additional.fields[activity] |
|
is_dst_cntry_risky |
additional.fields[is_dst_cntry_risky] |
|
is_src_cntry_risky |
additional.fields[is_src_cntry_risky] |
|
prompt_req |
additional.fields[prompt_req] |
|
srcip_country |
principal.ip_geo_artifact.location.country_or_region |
|
pcapid |
security_result.about.file.full_path |
|
all_dlprulenames |
security_result.rule_labels[all_dlprulenames] |
|
other_dlprulenames |
security_result.rule_labels[other_dlprulenames] |
|
trig_dlprulename |
security_result.rule_name |
|
dstip_country |
target.ip_geo_artifact.location.country_or_region |
|
srv_dport |
target.port |
|
inst_level2_name |
target.resource_ancestors.name |
|
inst_level3_name |
target.resource_ancestors.name |
|
inst_level2_id |
target.resource_ancestors.product_object_id |
|
inst_level3_id |
target.resource_ancestors.product_object_id |
|
inst_level2_type |
target.resource_ancestors.resource_subtype |
|
inst_level3_type |
target.resource_ancestors.resource_subtype |
|
|
target.resource_ancestors.resource_type |
If the inst_level2_type log field value matches the regular expression pattern organization then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION. Else, if inst_level2_type log field value matches the regular expression pattern service then, the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE. Else, if inst_level2_type log field value matches the regular expression pattern policy then, the target.resource_ancestors.resource_type UDM field is set to ACCESS_POLICY. Else, if inst_level2_type log field value matches the regular expression pattern project then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. Else, if inst_level2_type log field value matches the regular expression pattern cluster then, the target.resource_ancestors.resource_type UDM field is set to CLUSTER. Else, if inst_level2_type log field value matches the regular expression pattern container then, the target.resource_ancestors.resource_type UDM field is set to CONTAINER. Else, if inst_level2_type log field value matches the regular expression pattern pod then, the target.resource_ancestors.resource_type UDM field is set to POD. Else, if inst_level2_type log field value matches the regular expression pattern repository then, the target.resource_ancestors.resource_type UDM field is set to REPOSITORY.If the inst_level3_type log field value matches the regular expression pattern organization then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION. Else, if inst_level3_type log field value matches the regular expression pattern service then, the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE. Else, if inst_level3_type log field value matches the regular expression pattern policy then, the target.resource_ancestors.resource_type UDM field is set to ACCESS_POLICY. Else, if inst_level3_type log field value matches the regular expression pattern project then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. Else, if inst_level3_type log field value matches the regular expression pattern cluster then, the target.resource_ancestors.resource_type UDM field is set to CLUSTER. Else, if inst_level3_type log field value matches the regular expression pattern container then, the target.resource_ancestors.resource_type UDM field is set to CONTAINER. Else, if inst_level3_type log field value matches the regular expression pattern pod then, the target.resource_ancestors.resource_type UDM field is set to POD. Else, if inst_level3_type log field value matches the regular expression pattern repository then, the target.resource_ancestors.resource_type UDM field is set to REPOSITORY. |
inst_level1_name |
target.resource.name |
|
inst_level1_id |
target.resource.product_object_id |
|
inst_level1_type |
target.resource.resource_subtype |
|
|
target.resource.resource_type |
If the inst_level1_type log field value matches the regular expression pattern organization then, the target.resource.resource_type UDM field is set to CLOUD_ORGANIZATION. Else, if inst_level1_type log field value matches the regular expression pattern service then, the target.resource.resource_type UDM field is set to BACKEND_SERVICE. Else, if inst_level1_type log field value matches the regular expression pattern policy then, the target.resource.resource_type UDM field is set to ACCESS_POLICY. Else, if inst_level1_type log field value matches the regular expression pattern project then, the target.resource.resource_type UDM field is set to CLOUD_PROJECT. Else, if inst_level1_type log field value matches the regular expression pattern cluster then, the target.resource.resource_type UDM field is set to CLUSTER. Else, if inst_level1_type log field value matches the regular expression pattern container then, the target.resource.resource_type UDM field is set to CONTAINER. Else, if inst_level1_type log field value matches the regular expression pattern pod then, the target.resource.resource_type UDM field is set to POD. Else, if inst_level1_type log field value matches the regular expression pattern repository then, the target.resource.resource_type UDM field is set to REPOSITORY. |
app_status |
target.security_result.detection_fields[app_status] |
|
threatname |
security_result.threat_name |
|
b64threatname |
security_result.threat_name |
|
threatcategory |
security_result.associations.name |
|
threatclass |
security_result.associations.description |
|
urlclass |
security_result.detection_fields[urlclass] |
|
urlsupercategory |
security_result.category_details |
|
urlcategory |
security_result.category_details |
|
b64urlcat |
security_result.category_details |
|
ourlcat |
security_result.detection_fields[ourlcat] |
|
urlcatmethod |
security_result.detection_fields[urlcatmethod] |
|
bypassed_traffic |
security_result.detection_fields[bypassed_traffic] |
|
bypassed_etime |
security_result.detection_fields[bypassed_etime] |
|
deviceappversion |
additional.fields[deviceappversion] |
|
devicehostname |
principal.asset.hostname |
|
odevicehostname |
security_result.detection_fields[odevicehostname] |
|
devicemodel |
principal.asset.hardware.model |
|
devicename |
principal.asset.asset_id |
|
odevicename |
security_result.detection_fields[odevicename] |
|
|
principal.asset.platform_software.platform |
If the deviceostype log field value matches the regular expression pattern (?i)iOS, then the principal.asset.platform_software.platform UDM field is set to IOS.Else, if the deviceostype log field value matches the regular expression pattern (?i)Android, then the principal.asset.platform_software.platform UDM field is set to ANDROID.Else, if the deviceostype log field value matches the regular expression pattern (?i)Windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the deviceostype log field value matches the regular expression pattern (?i)MAC, then the principal.asset.platform_software.platform UDM field is set to MAC.Else, if the deviceostype log field value matches the regular expression pattern (?i)Other, then the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
deviceosversion |
principal.asset.software.version |
|
deviceowner |
principal.asset.attribute.labels[deviceowner] |
|
odeviceowner |
security_result.detection_fields[odeviceowner] |
|
devicetype |
principal.asset.category |
|
external_devid |
additional.fields[external_devid] |
|
flow_type |
additional.fields[flow_type] |
|
ztunnelversion |
additional.fields[ztunnelversion] |
|
event_id |
metadata.product_log_id |
|
productversion |
metadata.product_version |
|
nsssvcip |
about.ip |
|
eedone |
additional.fields[eedone] |
Need more help? Get answers from Community members and Google SecOps professionals.