Change log for ZSCALER_CASB
| Date | Changes |
|---|---|
| 2026-01-06 | - Updated the field mapping for the Zscaler CASB parser. Please refer to the parser documentation page for information regarding the updated UDM mappings: https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/zscaler-casb#udm_mapping_delta |
| 2025-11-28 | - principal.user.department: Newly mapped `departmentname` raw log field with `principal.user.department` UDM field.<br>- target.user.userid: Newly mapped `extusername` raw log field with `target.user.userid` UDM field.<br>- target.file.file_type: Newly mapped `filetype` raw log field with `target.file.file_type` UDM field, if the `filetype` raw log value contains `ppt` or `pdf`.<br>- additional.fields[filetype]: Newly mapped `filetype` raw log field with `additional.fields[filetype]` UDM field, if the `filetype` raw log value does not contain `ppt` or `pdf`.<br>- additional.fields[download_time]: Newly mapped `download_time` raw log field with `additional.fields[download_time]` UDM field.<br>- additional.fields[runid]: Newly mapped `runid` raw log field with `additional.fields[runid]` UDM field.<br>- additional.fields[scan_time]: Newly mapped `scan_time` raw log field with `additional.fields[scan_time]` UDM field.<br>- additional.fields[scanid]: Newly mapped `scanid` raw log field with `additional.fields[scanid]` UDM field.<br>- additional.fields[file_doctype]: Newly mapped `file_doctype` raw log field with `additional.fields[file_doctype]` UDM field.<br>- additional.fields[filesha]: Newly mapped `filesha` raw log field with `additional.fields[filesha]` UDM field.<br>- additional.fields[sender_type]: Newly mapped `sender_type` raw log field with `additional.fields[sender_type]` UDM field.<br>- security_result.detection_fields[last_edit_user]: Newly mapped `last_edit_user` raw log field with `security_result.detection_fields[last_edit_user]` UDM field.<br>- security_result.detection_fields[last_share_user]: Newly mapped `last_share_user` raw log field with `security_result.detection_fields[last_share_user]` UDM field.<br>- security_result.detection_fields[last_shared_on]: Newly mapped `last_shared_on` raw log field with `security_result.detection_fields[last_shared_on]` UDM field.<br>- security_result.detection_fields[botname]: Newly mapped `botname` raw log field with `security_result.detection_fields[botname]` UDM field.<br>- security_result.detection_fields[dlpengnames]: Newly mapped `dlpengnames` raw log field with `security_result.detection_fields[dlpengnames]` UDM field.<br>- security_result.detection_fields[extcollab_groups]: Newly mapped `extcollab_groups` raw log field with `security_result.detection_fields[extcollab_groups]` UDM field.<br>- security_result.detection_fields[intcollab_groups]: Newly mapped `intcollab_groups` raw log field with `security_result.detection_fields[intcollab_groups]` UDM field.<br>- security_result.detection_fields[oextcollab_groups]: Newly mapped `oextcollab_groups` raw log field with `security_result.detection_fields[oextcollab_groups]` UDM field.<br>- security_result.detection_fields[ointcollab_groups]: Newly mapped `ointcollab_groups` raw log field with `security_result.detection_fields[ointcollab_groups]` UDM field.<br>- security_result.detection_fields[dlpdictcnts]: Newly mapped `dlpdictcnts` raw log field with `security_result.detection_fields[dlpdictcnts]` UDM field. |
| 2025-06-04 | - Updated the parser to handle logs where the 'RESPCODE' raw field has a 'NA' value. |
| 2025-04-30 | - Promoted ZSCALER_CASB Premium parser to default. You can see full details in the parser configuration page: https://cloud.google.com/chronicle/docs/ingestion/default-parsers/ingest-zscaler-logs |