Change log for ZSCALER_ZPA
| Date | Changes |
|---|---|
| 2025-11-14 | - target.hostname: Modified mapping for the `Host` raw log field. When the value is an IP address, it is now mapped to `target.ip` and no longer to `target.hostname` and `target.asset.hostname`. When the value is not an IP address, it remains mapped to `target.hostname` and `target.asset.hostname`. |
| 2025-10-30 | Modified the value mapping logic for the `security_result.action` UDM field to correct an issue where events were too often marked as `BLOCK`. - security_result.action: Removed the condition that set the value of the `security_result.action` UDM field based on the value of the `ConnectionStatus` raw log field. - security_result.action: Modified the condition that sets the value of the `security_result.action` UDM field based on the value of the `InternalReason` raw log field. The `security_result.action` UDM field is set to `BLOCK` only if the value of the `InternalReason` raw log field is one of the following: `BRK_MT_SETUP_FAIL_NO_POLICY_FOUND`, `BRK_MT_SETUP_FAIL_REJECTED_BY_POLICY`, or `BRK_MT_SETUP_FAIL_SAML_EXPIRED`. The `security_result.action` UDM field is set to `ALLOW` for all other values of the `InternalReason` raw log field. |
| 2025-05-08 | - Promoted ZSCALER_ZPA Premium parser to default. You can see full details in the parser configuration page: https://cloud.google.com/chronicle/docs/ingestion/default-parsers/ingest-zscaler-logs |
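As an added illustration (not the parser's own code), the two mapping rules from the 2025-11-14 and 2025-10-30 entries implemented over constructed sample events, so the resulting UDM fields can be checked. Field names come from the change log; sample values and the `InternalReason` value `SOME_OTHER_REASON` are made up.

```python
import ipaddress

# Constructed illustration of the mapping changes described in the change log above;
# this is not the Google SecOps parser's actual implementation.
BLOCK_REASONS = {
    "BRK_MT_SETUP_FAIL_NO_POLICY_FOUND",
    "BRK_MT_SETUP_FAIL_REJECTED_BY_POLICY",
    "BRK_MT_SETUP_FAIL_SAML_EXPIRED",
}


def _is_ip(value: str) -> bool:
    """True for a literal IPv4 or IPv6 address, False for a hostname."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def map_host(raw: dict, udm: dict) -> None:
    """2025-11-14 change: an IP in `Host` goes to target.ip, a name to the hostname fields."""
    host = raw.get("Host")
    if not host:
        return
    if _is_ip(host):
        udm["target.ip"] = host
    else:
        udm["target.hostname"] = host
        udm["target.asset.hostname"] = host


def map_action(raw: dict, udm: dict) -> None:
    """2025-10-30 change: action keyed on InternalReason only; ConnectionStatus is ignored."""
    reason = raw.get("InternalReason", "")
    udm["security_result.action"] = "BLOCK" if reason in BLOCK_REASONS else "ALLOW"


def normalize_zpa_event(raw: dict) -> dict:
    """Apply both mapping rules to one raw ZPA event and return the UDM fields produced."""
    udm: dict = {}
    map_host(raw, udm)
    map_action(raw, udm)
    return udm


# Constructed sample events (field names from the change log, values made up).
SAMPLE_EVENTS = [
    {"Host": "10.20.30.40", "ConnectionStatus": "close", "InternalReason": "SOME_OTHER_REASON"},
    {"Host": "intranet.example.internal", "ConnectionStatus": "open",
     "InternalReason": "BRK_MT_SETUP_FAIL_REJECTED_BY_POLICY"},
]
```

The first sample event would have been marked `BLOCK` under the old `ConnectionStatus`-based condition but is now `ALLOW`, which is the case a detection rule keyed on `security_result.action = "BLOCK"` should be re-validated against.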