search

elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations
Other
23 stars 435 forks source link

[Zscaler ZIA] Expanding support for new event types and fields #9232

Open jamiehynds opened 8 months ago

jamiehynds commented 8 months ago

Since we initially shipped our Zscaler ZIA integration, several fields have been added to their Web logs that we need to support. Our current response format for Web logs that we require users to set is:

\{ "sourcetype" : "zscalernss-web", "event" :\{"time":"%s{time}","login":"%s{login}","proto":"%s{proto}","eurl":"%s{eurl}","action":"%s{action}","appname":"%s{appname}","appclass":"%s{appclass}","reqsize":"%d{reqsize}","respsize":"%d{respsize}","stime":"%d{stime}","ctime":"%d{ctime}","urlclass":"%s{urlclass}","urlsupercat":"%s{urlsupercat}","urlcat":"%s{urlcat}","malwarecat":"%s{malwarecat}","threatname":"%s{threatname}","riskscore":"%d{riskscore}","dlpeng":"%s{dlpeng}","dlpdict":"%s{dlpdict}","location":"%s{location}","dept":"%s{dept}","cip":"%s{cip}","sip":"%s{sip}","reqmethod":"%s{reqmethod}","respcode":"%s{respcode}","eua":"%s{eua}","ereferer":"%s{ereferer}","ruletype":"%s{ruletype}","rulelabel":"%s{rulelabel}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}

The following categories and relevant fields need to be added to our custom response format and adjustment to our pipeline to ensure correct ECS mappings. We also need to ensure any categories we currently support, include all the relevant fields produced by Zscaler. Relevant documentation from Zscaler is available here: https://help.zscaler.com/zia/nss-feed-output-format-web-logs

elasticmachine commented 8 months ago

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

jamiehynds commented 5 months ago

Sample values provided by a user:

%s{bwclassname}, "General Surfing"
%s{app_risk_score}, "1"
%s{dlprulename}, "DLP_Rule_1"
%s{fileclass}, "Archive Files"
%s{filetype}, "ZIP"
%s{filename}, "nssfeed.txt"
%s{filesubtype}, "rar"
%s{upload_fileclass}, "Archive Files"
%s{upload_filetype}, "ZIP"
%s{upload_filename}, "nssfeed.txt"
%s{upload_filesubtype}, "rar"
%s{upload_doctypename}, "Court Form"
%s{reason}, "Not allowed to browse this category"
%s{urlfilterrulelabel}, "URL_Filtering_1"
%s{apprulelabel}, "File_Sharing_1"
%s{threatseverity}, "99"
%s{malwareclass}, "Sandbox"