Zscaler Internet Access Modeling Rule

Modeling Rule

Zscaler Internet Access

Details

IDzscaler_internet_access_modeling_rule
From Version8.11.0
TagsZscaler Internet Access

Rules (XIF)

/* ------------------------------------------
   VM-Based NSS  Modeling (Syslog CEF Records)
   -----------------------------------------*/
[MODEL: dataset=zscaler_nssweblog_raw]
alter 
	xdm.alert.category = cs4,
	xdm.alert.name = cs5,
	xdm.alert.severity = to_string(cn1),
	xdm.event.outcome_reason = reason,
	xdm.event.type = ZscalerNSSWeblogURLClass,
	xdm.network.application_protocol_category = cat,
	xdm.network.http.content_type = contenttype,
	xdm.network.http.domain = dhost,
	xdm.network.http.method = requestMethod,
	xdm.network.http.response_code = if(outcome = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, outcome = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, outcome = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, outcome = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, outcome = "200", XDM_CONST.HTTP_RSP_CODE_OK, outcome = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, outcome = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, outcome = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, outcome = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, outcome = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, outcome = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, outcome = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, outcome = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, outcome = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, outcome = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, outcome = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, outcome = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, outcome = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, outcome = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, outcome = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, outcome = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, outcome = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, outcome = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, outcome = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, outcome = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, outcome = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, outcome = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, outcome = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, outcome = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, outcome = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, outcome = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, outcome = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, outcome = "410", XDM_CONST.HTTP_RSP_CODE_GONE, outcome = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, outcome = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, outcome = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, outcome = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, outcome = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, outcome = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, outcome = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, outcome = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, outcome = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, outcome = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, outcome = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, outcome = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, outcome = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, outcome = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, outcome = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, outcome = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, outcome = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, outcome = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, outcome = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, outcome = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, outcome = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, outcome = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, outcome = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, outcome = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, outcome = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, outcome = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, outcome = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, outcome = null, null, to_string(outcome)),
	xdm.network.http.url = request,
	xdm.network.http.url_category = cs2,
	xdm.network.protocol_layers = arraycreate(coalesce(app, "")),
	xdm.observer.action = act,
	xdm.session_context_id = externalId,
	xdm.source.host.hostname = devicehostname,
	xdm.source.host.ipv4_addresses = if(is_ipv4(src) = TRUE, arraycreate(src)),
	xdm.source.ipv4 = if(is_ipv4(sourceTranslatedAddress) = TRUE, sourceTranslatedAddress),
	xdm.source.user_agent = requestClientApplication,
	xdm.source.user.username = suser,
	xdm.source.zone = spriv,
	xdm.target.host.ipv4_addresses = if(is_ipv4(dst) = TRUE, arraycreate(dst)),
	xdm.target.interface = destinationServiceName,
	xdm.target.ipv4 = dst,
	xdm.target.process.executable.file_type = fileType,
	xdm.target.sent_bytes = to_integer(`in`),
    xdm.source.port = to_integer(0),
    xdm.target.port = to_integer(0),
    xdm.network.ip_protocol = XDM_CONST.IP_PROTOCOL_TCP,
	xdm.source.sent_bytes = to_integer(out);

[MODEL: dataset="zscaler_nssfwlog_raw"]
alter cs5=uppercase(cs5)
| alter
	xdm.alert.category=cat,
	xdm.alert.name=cs6,
	xdm.alert.severity=cefSeverity,
	xdm.event.duration=to_integer(cn1),
	xdm.event.outcome_reason=reason,
	xdm.event.type=cefName,
	xdm.network.application_protocol=cs3,
	xdm.network.http.url_category = if(cs5 contains "ABORTION", XDM_CONST.URL_CATEGORY_ABORTION, cs5 contains "DRUGS", XDM_CONST.URL_CATEGORY_ABUSED_DRUGS, cs5 contains "ADULT", XDM_CONST.URL_CATEGORY_ADULT, cs5 contains "ALCOHOL" or cs5 contains "TOBACCO", XDM_CONST.URL_CATEGORY_ALCOHOL_AND_TOBACCO, cs5 contains "AUCTIONS", XDM_CONST.URL_CATEGORY_AUCTIONS, cs5 contains "BUSINESS" or cs5 contains "ECONOMY", XDM_CONST.URL_CATEGORY_BUSINESS_AND_ECONOMY, cs5 contains "COMMAND AND CONTROL" or cs5 contains "C&C", XDM_CONST.URL_CATEGORY_COMMAND_AND_CONTROL, cs5 contains "COMPUTER" or cs5 contains "INTERNET", XDM_CONST.URL_CATEGORY_COMPUTER_AND_INTERNET_INFO, cs5 contains "CONTENT DELIVERY NETWORKS" or cs5 contains "CDN", XDM_CONST.URL_CATEGORY_CONTENT_DELIVERY_NETWORKS, cs5 contains "COPYRIGHT", XDM_CONST.URL_CATEGORY_COPYRIGHT_INFRINGEMENT, cs5 contains "CRYPTO", XDM_CONST.URL_CATEGORY_CRYPTOCURRENCY, cs5 contains "DATING", XDM_CONST.URL_CATEGORY_DATING, cs5 contains "DYNAMIC DNS", XDM_CONST.URL_CATEGORY_DYNAMIC_DNS, cs5 contains "EDUCATIONAL INSTITUTIONS", XDM_CONST.URL_CATEGORY_EDUCATIONAL_INSTITUTIONS, cs5 contains "ENTERTAINMENT" and cs5 contains "ARTS", XDM_CONST.URL_CATEGORY_ENTERTAINMENT_AND_ARTS, cs5 contains "EXTREMISM", XDM_CONST.URL_CATEGORY_EXTREMISM, cs5 contains "FINANCIAL" or cs5 contains "FINANCE", XDM_CONST.URL_CATEGORY_FINANCIAL_SERVICES, cs5 contains "GAMBLING", XDM_CONST.URL_CATEGORY_GAMBLING, cs5 contains "GAMES", XDM_CONST.URL_CATEGORY_GAMES, cs5 contains "GOVERNMENT", XDM_CONST.URL_CATEGORY_GOVERNMENT, cs5 contains "GRAYWARE", XDM_CONST.URL_CATEGORY_GRAYWARE, cs5 contains "HACKING", XDM_CONST.URL_CATEGORY_HACKING, cs5 contains "HEALTH" or cs5 contains "MEDICINE", XDM_CONST.URL_CATEGORY_HEALTH_AND_MEDICINE, cs5 contains "HOME" or cs5 contains "GARDEN", XDM_CONST.URL_CATEGORY_HOME_AND_GARDEN, cs5 contains "HUNTING" or cs5 contains "FISHING", XDM_CONST.URL_CATEGORY_HUNTING_AND_FISHING, cs5 contains "INSUFFICIENT CONTENT", XDM_CONST.URL_CATEGORY_INSUFFICIENT_CONTENT, cs5 contains "INTERNET COMMUNICATIONS" and cs5 contains "TELEPHONY", XDM_CONST.URL_CATEGORY_INTERNET_COMMUNICATIONS_AND_TELEPHONY, cs5 contains "PORTALS", XDM_CONST.URL_CATEGORY_INTERNET_PORTALS, cs5 contains "JOB", XDM_CONST.URL_CATEGORY_JOB_SEARCH, cs5 contains "LEGAL", XDM_CONST.URL_CATEGORY_LEGAL, cs5 contains "MALWARE", XDM_CONST.URL_CATEGORY_MALWARE, cs5 contains "MILITARY", XDM_CONST.URL_CATEGORY_MILITARY, cs5 contains "MOTOR VEHICLES", XDM_CONST.URL_CATEGORY_MOTOR_VEHICLES, cs5 contains "MUSIC", XDM_CONST.URL_CATEGORY_MUSIC, cs5 contains "DOMAIN" and cs5 contains "REGIST", XDM_CONST.URL_CATEGORY_NEWLY_REGISTERED_DOMAIN, cs5 contains "NEWS", XDM_CONST.URL_CATEGORY_NEWS, cs5 contains "NOT RESOLVED", XDM_CONST.URL_CATEGORY_NOT_RESOLVED, cs5 contains "NUDITY", XDM_CONST.URL_CATEGORY_NUDITY, cs5 contains "ONLINE STORAGE" and cs5 contains "BACKUP", XDM_CONST.URL_CATEGORY_ONLINE_STORAGE_AND_BACKUP, cs5 contains "PARKED", XDM_CONST.URL_CATEGORY_PARKED, cs5 contains "PEER TO PEER", XDM_CONST.URL_CATEGORY_PEER_TO_PEER, cs5 contains "PERSONAL SITES" or cs5 contains "BLOG", XDM_CONST.URL_CATEGORY_PERSONAL_SITES_AND_BLOGS, cs5 contains "PHILOSOPHY" or cs5 contains "POLITICAL ADVOCACY", XDM_CONST.URL_CATEGORY_PHILOSOPHY_AND_POLITICAL_ADVOCACY, cs5 contains "PHISHING", XDM_CONST.URL_CATEGORY_PHISHING, cs5 contains "PRIVATE IP ADDRESSES", XDM_CONST.URL_CATEGORY_PRIVATE_IP_ADDRESSES, cs5 contains "PROXY" or cs5 contains "ANONYMIZERS", XDM_CONST.URL_CATEGORY_PROXY_AVOIDANCE_AND_ANONYMIZERS, cs5 contains "QUESTIONABLE", XDM_CONST.URL_CATEGORY_QUESTIONABLE, cs5 contains "REAL ESTATE", XDM_CONST.URL_CATEGORY_REAL_ESTATE, cs5 contains "HOBBIES" or cs5 contains "RECREATION", XDM_CONST.URL_CATEGORY_RECREATION_AND_HOBBIES, cs5 contains "REFERENCE", XDM_CONST.URL_CATEGORY_REFERENCE_AND_RESEARCH, cs5 contains "RELIGION", XDM_CONST.URL_CATEGORY_RELIGION, cs5 contains "SEARCH ENGINES", XDM_CONST.URL_CATEGORY_SEARCH_ENGINES, cs5 contains "SEX EDUCATION", XDM_CONST.URL_CATEGORY_SEX_EDUCATION, cs5 contains "SHAREWARE" and cs5 contains "FREEWARE", XDM_CONST.URL_CATEGORY_SHAREWARE_AND_FREEWARE, cs5 contains "SHOPPING", XDM_CONST.URL_CATEGORY_SHOPPING, cs5 contains "SOCIAL_NETWORK", XDM_CONST.URL_CATEGORY_SOCIAL_NETWORKING, cs5 contains "SOCIETY", XDM_CONST.URL_CATEGORY_SOCIETY, cs5 contains "SPORTS", XDM_CONST.URL_CATEGORY_SPORTS, cs5 contains "STOCK", XDM_CONST.URL_CATEGORY_STOCK_ADVICE_AND_TOOLS, cs5 contains "MEDIA" and cs5 contains "STREAM", XDM_CONST.URL_CATEGORY_STREAMING_MEDIA, cs5 contains "INTIMATE APPAREL", XDM_CONST.URL_CATEGORY_SWIMSUITS_AND_INTIMATE_APPAREL, cs5 contains "TRAINING" and cs5 contains "Sport", XDM_CONST.URL_CATEGORY_TRAINING_AND_TOOLS, cs5 contains "TRANSLATION", XDM_CONST.URL_CATEGORY_TRANSLATION, cs5 contains "TRAVEL", XDM_CONST.URL_CATEGORY_TRAVEL, cs5 contains "UNKNOWN", XDM_CONST.URL_CATEGORY_UNKNOWN, cs5 contains "WEAPONS", XDM_CONST.URL_CATEGORY_WEAPONS, cs5 contains "ADVERTISING", XDM_CONST.URL_CATEGORY_WEB_ADVERTISEMENTS, cs5 contains "WEB HOST", XDM_CONST.URL_CATEGORY_WEB_HOSTING, cs5 contains "WEBMAIL", XDM_CONST.URL_CATEGORY_WEB_BASED_EMAIL, to_string(cs5)),
	xdm.network.ip_protocol=if(proto="0",XDM_CONST.IP_PROTOCOL_HOPOPT, proto="1",XDM_CONST.IP_PROTOCOL_ICMP, proto="2",XDM_CONST.IP_PROTOCOL_IGMP, proto="3",XDM_CONST.IP_PROTOCOL_GGP, proto="4",XDM_CONST.IP_PROTOCOL_IP, proto="5",XDM_CONST.IP_PROTOCOL_ST, proto="6",XDM_CONST.IP_PROTOCOL_TCP, proto="7",XDM_CONST.IP_PROTOCOL_CBT, proto="8",XDM_CONST.IP_PROTOCOL_EGP, proto="9",XDM_CONST.IP_PROTOCOL_IGP, proto="10",XDM_CONST.IP_PROTOCOL_BBN_RCC_MON, proto="11",XDM_CONST.IP_PROTOCOL_NVP_II, proto="12",XDM_CONST.IP_PROTOCOL_PUP, proto="13",XDM_CONST.IP_PROTOCOL_ARGUS, proto="14",XDM_CONST.IP_PROTOCOL_EMCON, proto="15",XDM_CONST.IP_PROTOCOL_XNET, proto="16",XDM_CONST.IP_PROTOCOL_CHAOS, proto="17",XDM_CONST.IP_PROTOCOL_UDP, proto="18",XDM_CONST.IP_PROTOCOL_MUX, proto="19",XDM_CONST.IP_PROTOCOL_DCN_MEAS, proto="20",XDM_CONST.IP_PROTOCOL_HMP, proto="21",XDM_CONST.IP_PROTOCOL_PRM, proto="22",XDM_CONST.IP_PROTOCOL_XNS_IDP, proto="23",XDM_CONST.IP_PROTOCOL_TRUNK_1, proto="24",XDM_CONST.IP_PROTOCOL_TRUNK_2, proto="25",XDM_CONST.IP_PROTOCOL_LEAF_1, proto="26",XDM_CONST.IP_PROTOCOL_LEAF_2, proto="27",XDM_CONST.IP_PROTOCOL_RDP, proto="28",XDM_CONST.IP_PROTOCOL_IRTP, proto="29",XDM_CONST.IP_PROTOCOL_ISO_TP4, proto="30",XDM_CONST.IP_PROTOCOL_NETBLT, proto="31",XDM_CONST.IP_PROTOCOL_MFE_NSP, proto="32",XDM_CONST.IP_PROTOCOL_MERIT_INP, proto="33",XDM_CONST.IP_PROTOCOL_DCCP, proto="34",XDM_CONST.IP_PROTOCOL_3PC, proto="35",XDM_CONST.IP_PROTOCOL_IDPR, proto="36",XDM_CONST.IP_PROTOCOL_XTP, proto="37",XDM_CONST.IP_PROTOCOL_DDP, proto="38",XDM_CONST.IP_PROTOCOL_IDPR_CMTP, proto="39",XDM_CONST.IP_PROTOCOL_TP, proto="40",XDM_CONST.IP_PROTOCOL_IL, proto="41",XDM_CONST.IP_PROTOCOL_IPV6, proto="42",XDM_CONST.IP_PROTOCOL_SDRP, proto="43",XDM_CONST.IP_PROTOCOL_IPV6_ROUTE, proto="44",XDM_CONST.IP_PROTOCOL_IPV6_FRAG, proto="45",XDM_CONST.IP_PROTOCOL_IDRP, proto="46",XDM_CONST.IP_PROTOCOL_RSVP, proto="47",XDM_CONST.IP_PROTOCOL_GRE, proto="48",XDM_CONST.IP_PROTOCOL_DSR, proto="49",XDM_CONST.IP_PROTOCOL_BNA, proto="50",XDM_CONST.IP_PROTOCOL_ESP, proto="51",XDM_CONST.IP_PROTOCOL_AH, proto="52",XDM_CONST.IP_PROTOCOL_I_NLSP, proto="53",XDM_CONST.IP_PROTOCOL_SWIPE, proto="54",XDM_CONST.IP_PROTOCOL_NARP, proto="55",XDM_CONST.IP_PROTOCOL_MOBILE, proto="56",XDM_CONST.IP_PROTOCOL_TLSP, proto="57",XDM_CONST.IP_PROTOCOL_SKIP, proto="58",XDM_CONST.IP_PROTOCOL_IPV6_ICMP, proto="59",XDM_CONST.IP_PROTOCOL_IPV6_NONXT, proto="60",XDM_CONST.IP_PROTOCOL_IPV6_OPTS, proto="62",XDM_CONST.IP_PROTOCOL_CFTP, proto="64",XDM_CONST.IP_PROTOCOL_SAT_EXPAK, proto="65",XDM_CONST.IP_PROTOCOL_KRYPTOLAN, proto="66",XDM_CONST.IP_PROTOCOL_RVD, proto="67",XDM_CONST.IP_PROTOCOL_IPPC, proto="69",XDM_CONST.IP_PROTOCOL_SAT_MON, proto="70",XDM_CONST.IP_PROTOCOL_VISA, proto="71",XDM_CONST.IP_PROTOCOL_IPCV, proto="72",XDM_CONST.IP_PROTOCOL_CPNX, proto="73",XDM_CONST.IP_PROTOCOL_CPHB, proto="74",XDM_CONST.IP_PROTOCOL_WSN, proto="75",XDM_CONST.IP_PROTOCOL_PVP, proto="76",XDM_CONST.IP_PROTOCOL_BR_SAT_MON, proto="77",XDM_CONST.IP_PROTOCOL_SUN_ND, proto="78",XDM_CONST.IP_PROTOCOL_WB_MON, proto="79",XDM_CONST.IP_PROTOCOL_WB_EXPAK, proto="80",XDM_CONST.IP_PROTOCOL_ISO_IP, proto="81",XDM_CONST.IP_PROTOCOL_VMTP, proto="82",XDM_CONST.IP_PROTOCOL_SECURE_VMTP, proto="83",XDM_CONST.IP_PROTOCOL_VINES, proto="84",XDM_CONST.IP_PROTOCOL_TTP, proto="85",XDM_CONST.IP_PROTOCOL_NSFNET_IGP, proto="86",XDM_CONST.IP_PROTOCOL_DGP, proto="87",XDM_CONST.IP_PROTOCOL_TCF, proto="88",XDM_CONST.IP_PROTOCOL_EIGRP, proto="89",XDM_CONST.IP_PROTOCOL_OSPFIGP, proto="90",XDM_CONST.IP_PROTOCOL_SPRITE_RPC, proto="91",XDM_CONST.IP_PROTOCOL_LARP, proto="92",XDM_CONST.IP_PROTOCOL_MTP, proto="93",XDM_CONST.IP_PROTOCOL_AX25, proto="94",XDM_CONST.IP_PROTOCOL_IPIP, proto="95",XDM_CONST.IP_PROTOCOL_MICP, proto="96",XDM_CONST.IP_PROTOCOL_SCC_SP, proto="97",XDM_CONST.IP_PROTOCOL_ETHERIP, proto="98",XDM_CONST.IP_PROTOCOL_ENCAP, proto="100",XDM_CONST.IP_PROTOCOL_GMTP, proto="101",XDM_CONST.IP_PROTOCOL_IFMP, proto="102",XDM_CONST.IP_PROTOCOL_PNNI, proto="103",XDM_CONST.IP_PROTOCOL_PIM, proto="104",XDM_CONST.IP_PROTOCOL_ARIS, proto="105",XDM_CONST.IP_PROTOCOL_SCPS, proto="106",XDM_CONST.IP_PROTOCOL_QNX, proto="107",XDM_CONST.IP_PROTOCOL_AN, proto="108",XDM_CONST.IP_PROTOCOL_IPCOMP, proto="109",XDM_CONST.IP_PROTOCOL_SNP, proto="110",XDM_CONST.IP_PROTOCOL_COMPAQ_PEER, proto="111",XDM_CONST.IP_PROTOCOL_IPX_IN_IP, proto="112",XDM_CONST.IP_PROTOCOL_VRRP, proto="113",XDM_CONST.IP_PROTOCOL_PGM, proto="115",XDM_CONST.IP_PROTOCOL_L2TP, proto="116",XDM_CONST.IP_PROTOCOL_DDX, proto="117",XDM_CONST.IP_PROTOCOL_IATP, proto="118",XDM_CONST.IP_PROTOCOL_STP, proto="119",XDM_CONST.IP_PROTOCOL_SRP, proto="120",XDM_CONST.IP_PROTOCOL_UTI, proto="121",XDM_CONST.IP_PROTOCOL_SMP, proto="122",XDM_CONST.IP_PROTOCOL_SM, proto="123",XDM_CONST.IP_PROTOCOL_PTP, proto="124",XDM_CONST.IP_PROTOCOL_ISIS, proto="125",XDM_CONST.IP_PROTOCOL_FIRE, proto="126",XDM_CONST.IP_PROTOCOL_CRTP, proto="127",XDM_CONST.IP_PROTOCOL_CRUDP, proto="128",XDM_CONST.IP_PROTOCOL_SSCOPMCE, proto="129",XDM_CONST.IP_PROTOCOL_IPLT, proto="130",XDM_CONST.IP_PROTOCOL_SPS, proto="131",XDM_CONST.IP_PROTOCOL_PIPE, proto="132",XDM_CONST.IP_PROTOCOL_SCTP, proto="133",XDM_CONST.IP_PROTOCOL_FC, proto="134",XDM_CONST.IP_PROTOCOL_RSVP_E2E_IGNORE, proto="135",XDM_CONST.IP_PROTOCOL_MOBILITY, proto="136",XDM_CONST.IP_PROTOCOL_UDPLITE, proto="137",XDM_CONST.IP_PROTOCOL_MPLS_IN_IP, proto="138",XDM_CONST.IP_PROTOCOL_MANET, proto="139",XDM_CONST.IP_PROTOCOL_HIP, proto="140",XDM_CONST.IP_PROTOCOL_SHIM6, proto="141",XDM_CONST.IP_PROTOCOL_WESP, proto="142",XDM_CONST.IP_PROTOCOL_ROHC, proto="255",XDM_CONST.IP_PROTOCOL_RESERVED,to_string(proto)),
	xdm.network.rule=cs2,
	xdm.observer.action=act,
	xdm.observer.content_version=cefVersion,
	xdm.source.host.ipv4_addresses=if(is_ipv4(sourceTranslatedAddress) = TRUE, arraycreate(sourceTranslatedAddress)),
	xdm.source.ipv4=if(is_ipv4(src) = TRUE, src),
	xdm.source.port=to_integer(spt),
	xdm.source.sent_bytes=to_integer(out),
	xdm.source.user.groups=arraycreate(spriv),
	xdm.source.user.username=suser,
	xdm.target.host.ipv4_addresses=if(is_ipv4(destinationTranslatedAddress) = TRUE, arraycreate(destinationTranslatedAddress)),
	xdm.target.ipv4=if(is_ipv4(dst) = TRUE, dst),
	xdm.target.location.country=destCountry,
	xdm.target.port=to_integer(dpt),
	xdm.target.sent_bytes=to_integer(`in`);

/* ---------------------------------
   Cloud NSS Modeling (JSON Records)
   --------------------------------*/
[MODEL: dataset="zscaler_cloudnss_raw"]
/* --------------------------------------------------------------------------------
   Cloud NSS DNS Logs (https://help.zscaler.com/zia/nss-feed-output-format-dns-logs)
   -------------------------------------------------------------------------------*/
filter sourcetype = "zscalernss-dns"
| alter // extract data 
	user = _raw_log -> user, // The login name in email address format
	department = _raw_log -> department, // the user's department
	location = replace(_raw_log -> location, "%20", " "), // The gateway location or sub-location of the source
	reqaction = _raw_log -> reqaction, // The name of the action that was applied to the DNS request
	resaction = _raw_log -> resaction, // The name of the action that was applied to the DNS response
	reqrulelabel = _raw_log -> reqrulelabel, // The name of the rule that was applied to the DNS request
	resrulelabel = _raw_log -> resrulelabel, // The name of the rule that was applied to the DNS response
	dns_reqtype = _raw_log -> dns_reqtype, // The DNS request type
	dns_req = _raw_log -> dns_req, // The Fully Qualified Domain Name (FQDN) in the DNS request
	dns_resp = _raw_log -> dns_resp, // The name of the rule that was applied to the DNS response
	srv_dport = to_integer(_raw_log -> srv_dport), // The server port of the request
	durationms = to_integer(_raw_log -> durationms), // The duration of the DNS request in milliseconds
	clt_sip = _raw_log -> clt_sip, // The IP address of the user. This can be the internal IP address if it is visible (e.g., traffic sent through a GRE tunnel or an internal IP address indicated using XFF). Otherwise, it's the client's internet (NATed Public) IP address.
	srv_dip = _raw_log -> srv_dip, // The server IP address of the request
	category = coalesce(_raw_log -> category, _raw_log -> domcat), // The URL Category of the FQDN in the DNS request
	respipcategory = _raw_log -> respipcategory, // The URL Category of the FQDN in the DNS response
	deviceowner = _raw_log -> deviceowner, // The owner of the device
	devicehostname = _raw_log -> devicehostname // The host name of the device
| alter // post extraction processing 
	normalized_dns_record_type = if(dns_reqtype = "A", XDM_CONST.DNS_RECORD_TYPE_A, dns_reqtype = "AAAA", XDM_CONST.DNS_RECORD_TYPE_AAAA, dns_reqtype = "AFSDB", XDM_CONST.DNS_RECORD_TYPE_AFSDB, dns_reqtype = "APL", XDM_CONST.DNS_RECORD_TYPE_APL, dns_reqtype = "CAA", XDM_CONST.DNS_RECORD_TYPE_CAA, dns_reqtype = "CDNSKEY", XDM_CONST.DNS_RECORD_TYPE_CDNSKEY, dns_reqtype = "CDS", XDM_CONST.DNS_RECORD_TYPE_CDS, dns_reqtype = "CERT", XDM_CONST.DNS_RECORD_TYPE_CERT, dns_reqtype = "CNAME", XDM_CONST.DNS_RECORD_TYPE_CNAME, dns_reqtype = "CSYNC", XDM_CONST.DNS_RECORD_TYPE_CSYNC, dns_reqtype = "DHCID", XDM_CONST.DNS_RECORD_TYPE_DHCID, dns_reqtype = "DLV", XDM_CONST.DNS_RECORD_TYPE_DLV, dns_reqtype = "DNAME", XDM_CONST.DNS_RECORD_TYPE_DNAME, dns_reqtype = "DNSKEY", XDM_CONST.DNS_RECORD_TYPE_DNSKEY, dns_reqtype = "DS", XDM_CONST.DNS_RECORD_TYPE_DS, dns_reqtype = "EUI48", XDM_CONST.DNS_RECORD_TYPE_EUI48, dns_reqtype = "EUI64", XDM_CONST.DNS_RECORD_TYPE_EUI64, dns_reqtype = "HINFO", XDM_CONST.DNS_RECORD_TYPE_HINFO, dns_reqtype = "HIP", XDM_CONST.DNS_RECORD_TYPE_HIP, dns_reqtype = "HTTPS", XDM_CONST.DNS_RECORD_TYPE_HTTPS, dns_reqtype = "IPSECKEY", XDM_CONST.DNS_RECORD_TYPE_IPSECKEY, dns_reqtype = "KEY", XDM_CONST.DNS_RECORD_TYPE_KEY, dns_reqtype = "KX", XDM_CONST.DNS_RECORD_TYPE_KX, dns_reqtype = "LOC", XDM_CONST.DNS_RECORD_TYPE_LOC, dns_reqtype = "MX", XDM_CONST.DNS_RECORD_TYPE_MX, dns_reqtype = "NAPTR", XDM_CONST.DNS_RECORD_TYPE_NAPTR, dns_reqtype = "NS", XDM_CONST.DNS_RECORD_TYPE_NS, dns_reqtype = "NSEC", XDM_CONST.DNS_RECORD_TYPE_NSEC, dns_reqtype = "NSEC3", XDM_CONST.DNS_RECORD_TYPE_NSEC3, dns_reqtype = "NSEC3PARAM", XDM_CONST.DNS_RECORD_TYPE_NSEC3PARAM, dns_reqtype = "OPENPGPKEY", XDM_CONST.DNS_RECORD_TYPE_OPENPGPKEY, dns_reqtype = "PTR", XDM_CONST.DNS_RECORD_TYPE_PTR, dns_reqtype = "RRSIG", XDM_CONST.DNS_RECORD_TYPE_RRSIG, dns_reqtype = "RP", XDM_CONST.DNS_RECORD_TYPE_RP, dns_reqtype = "SIG", XDM_CONST.DNS_RECORD_TYPE_SIG, dns_reqtype = "SMIMEA", XDM_CONST.DNS_RECORD_TYPE_SMIMEA, dns_reqtype = "SOA", XDM_CONST.DNS_RECORD_TYPE_SOA, dns_reqtype = "SRV", XDM_CONST.DNS_RECORD_TYPE_SRV, dns_reqtype = "SSHFP", XDM_CONST.DNS_RECORD_TYPE_SSHFP, dns_reqtype = "SVCB", XDM_CONST.DNS_RECORD_TYPE_SVCB, dns_reqtype = "TA", XDM_CONST.DNS_RECORD_TYPE_TA, dns_reqtype = "TKEY", XDM_CONST.DNS_RECORD_TYPE_TKEY, dns_reqtype = "TLSA", XDM_CONST.DNS_RECORD_TYPE_TLSA, dns_reqtype = "TSIG", XDM_CONST.DNS_RECORD_TYPE_TSIG, dns_reqtype = "TXT", XDM_CONST.DNS_RECORD_TYPE_TXT, dns_reqtype = "URI", XDM_CONST.DNS_RECORD_TYPE_URI, dns_reqtype = "ZONEMD", XDM_CONST.DNS_RECORD_TYPE_ZONEMD, dns_reqtype),
	client_ipv4 = if(clt_sip ~= "\.", clt_sip),
	client_ipv6 = if(clt_sip ~= "\:", clt_sip),
	server_ipv4 = if(srv_dip ~= "\.", srv_dip),
	server_ipv6 = if(srv_dip ~= "\:", srv_dip),
	url_category = coalesce(respipcategory, category)
| call zscaler_nss_map_url_category // map url category to enum values 
| alter // XDM mapping
	xdm.event.duration = durationms,
	xdm.event.outcome = if(reqaction ~= "(?i)BLOC", XDM_CONST.OUTCOME_FAILED, resaction ~= "(?i)ALLOW", XDM_CONST.OUTCOME_SUCCESS, reqaction ~= "(?i)ALLOW" and resaction ~= "(?i)BLOC", XDM_CONST.OUTCOME_PARTIAL),
	xdm.event.type = sourcetype,
	xdm.network.dns.dns_question.name = dns_req,
	xdm.network.dns.dns_question.type = normalized_dns_record_type,
	xdm.network.dns.dns_resource_record.name = dns_req, 
	xdm.network.dns.dns_resource_record.type = normalized_dns_record_type,
	xdm.network.dns.dns_resource_record.value = dns_resp, 
	xdm.network.dns.response_code = if(dns_resp = "NOERROR", XDM_CONST.DNS_RESPONSE_CODE_NO_ERROR, dns_resp = "FORMERR", XDM_CONST.DNS_RESPONSE_CODE_FORMAT_ERROR, dns_resp = "SERVFAIL", XDM_CONST.DNS_RESPONSE_CODE_SERVER_FAILURE, dns_resp = "NXDOMAIN", XDM_CONST.DNS_RESPONSE_CODE_NON_EXISTENT_DOMAIN, dns_resp = "NOTIMP", XDM_CONST.DNS_RESPONSE_CODE_NOT_IMPLEMENTED, dns_resp ~= "REFUSED", XDM_CONST.DNS_RESPONSE_CODE_QUERY_REFUSED, dns_resp ~= "YXDOMAIN", XDM_CONST.DNS_RESPONSE_CODE_NAME_EXISTS_WHEN_IT_SHOULD_NOT, dns_resp = "YXRRSET", XDM_CONST.DNS_RESPONSE_CODE_RR_SET_EXISTS_WHEN_IT_SHOULD_NOT, dns_resp = "NXRRSET", XDM_CONST.DNS_RESPONSE_CODE_RR_SET_THAT_SHOULD_EXIST_DOES_NOT, dns_resp = "NOTAUTH", XDM_CONST.DNS_RESPONSE_CODE_SERVER_NOT_AUTHORITATIVE_FOR_ZONE, dns_resp = "NOTZONE", XDM_CONST.DNS_RESPONSE_CODE_NAME_NOT_CONTAINED_IN_ZONE, dns_resp = "BADVERS", XDM_CONST.DNS_RESPONSE_CODE_BAD_OPT_VERSION, dns_resp = "BADSIG", XDM_CONST.DNS_RESPONSE_CODE_TSIG_SIGNATURE_FAILURE, dns_resp = "BADKEY", XDM_CONST.DNS_RESPONSE_CODE_KEY_NOT_RECOGNIZED, dns_resp = "BADTIME", XDM_CONST.DNS_RESPONSE_CODE_SIGNATURE_OUT_OF_TIME_WINDOW, dns_resp = "BADMODE", XDM_CONST.DNS_RESPONSE_CODE_BAD_TKEY_MODE, dns_resp = "BADNAME", XDM_CONST.DNS_RESPONSE_CODE_DUPLICATE_KEY_NAME, dns_resp = "BADALG", XDM_CONST.DNS_RESPONSE_CODE_ALGORITHM_NOT_SUPPORTED, dns_resp = "BADTRUNC", XDM_CONST.DNS_RESPONSE_CODE_BAD_TRUNCATION, dns_resp ~= "[A-Z_]+", dns_resp, dns_resp ~= "[\.\:]+", XDM_CONST.DNS_RESPONSE_CODE_NO_ERROR),
	xdm.network.rule = arraystring(arrayfilter(arraydistinct(arraycreate(reqrulelabel, resrulelabel)), "@element" != "None"), ";"),
	xdm.observer.action = resaction, 
	xdm.observer.name = location,
	xdm.source.host.hostname = devicehostname,
	xdm.source.host.ipv4_addresses = if(client_ipv4 != null, arraycreate(client_ipv4)),
	xdm.source.host.ipv6_addresses = if(client_ipv6 != null, arraycreate(client_ipv6)),
	xdm.source.ipv4 = client_ipv4,
	xdm.source.ipv6 = client_ipv6,
	xdm.source.user.ou = department,
	xdm.source.user.username = coalesce(user, deviceowner),
	xdm.target.host.ipv4_addresses = if(server_ipv4 != null, arraycreate(server_ipv4)),
	xdm.target.host.ipv6_addresses = if(server_ipv6 != null, arraycreate(server_ipv6)),
	xdm.target.ipv4 = server_ipv4,
	xdm.target.ipv6 = server_ipv6,
	xdm.target.port = srv_dport;

/* ------------------------------------------------------------------------------------------------
   Cloud NSS Admin Audit Logs (https://help.zscaler.com/zia/nss-feed-output-format-admin-audit-logs)
   -----------------------------------------------------------------------------------------------*/
filter sourcetype = "zscalernss-audit"
| alter // extract data
	action = _raw_log -> action, // The action performed by the admin in the ZIA Admin Portal
	adminid = _raw_log -> adminid, // The admin's login ID
	auditlogtype = _raw_log -> auditlogtype, // The Admin Audit log type
	clientip = _raw_log -> clientip, // The source IP address for the admin
	errorcode = _raw_log -> errorcode, // An optional field that exists only if the result is a failure
	preaction = _raw_log -> preaction, // Data before any policy or configuration changes
	postaction = _raw_log -> postaction, // Data after any policy or configuration changes
	recordid = _raw_log -> recordid, // The unique record identifier for each log
	resource = _raw_log -> resource, // The specific location within a sub-category
	result = _raw_log -> result // The outcome of an action
| alter // post extraction processing 
	adminid_domain = arrayindex(regextract(adminid, "@(.+)$"), -1),
	client_ipv4 = if(clientip ~= "\.", clientip),
	client_ipv6 = if(clientip ~= "\:", clientip)
| alter // XDM Mappings
	xdm.event.id = to_string(recordid),
	xdm.event.operation_sub_type = action,
	xdm.event.outcome = if(result = "SUCCESS", XDM_CONST.OUTCOME_SUCCESS, result ~= "FAIL" or (errorcode != null and errorcode != "" and errorcode != "None"), XDM_CONST.OUTCOME_FAILED, to_string(result)),
	xdm.event.outcome_reason = if(errorcode != "None", errorcode),
	xdm.event.type = sourcetype,
	xdm.source.application.name = auditlogtype,
	xdm.source.host.ipv4_addresses = if(client_ipv4 != null, arraycreate(client_ipv4)),
	xdm.source.host.ipv6_addresses = if(client_ipv6 != null, arraycreate(client_ipv6)),
	xdm.source.ipv4 = client_ipv4,
	xdm.source.ipv6 = client_ipv6,
	xdm.source.user.domain = adminid_domain,
	xdm.source.user.username = adminid,
	xdm.target.resource.type = resource, 
	xdm.target.resource_before.value = coalesce(to_json_string(preaction), to_string(preaction)),
	xdm.target.resource.value = coalesce(to_json_string(postaction), to_string(postaction));

/* --------------------------------------------------------------------------------
   Cloud NSS Web Logs (https://help.zscaler.com/zia/nss-feed-output-format-web-logs)
   -------------------------------------------------------------------------------*/
filter sourcetype = "zscalernss-web" 
| alter // extract data
	application_protocol = coalesce(_raw_log -> protocol, _raw_log -> proto), // The protocol type of the transaction
	client_device_hostname = _raw_log -> devicehostname,// The hostname of the device
	client_ip = coalesce(_raw_log -> ClientIP, _raw_log -> cip), // The IP address of the user. It can be the internal IP address if it's visible (e.g., traffic sent through a GRE tunnel or an internal IP address indicated using XFF). Otherwise, same as %s{cintip}.
	client_public_ip = coalesce(_raw_log -> clientpublicIP, _raw_log -> cpubip), // The client public IP address
	client_source_port = to_integer(_raw_log -> clt_sport), // The client source port
	client_tls_version = _raw_log -> clienttlsversion, // The TLS version used for communication between the client and Zscaler
	cloud_application_name = _raw_log -> appname, // The name of the cloud application
	device_os_type = _raw_log -> deviceostype, // The OS type of the device
	device_os_version = _raw_log -> deviceosversion, // The OS version the device uses
	dlp_incident_id = to_string(_raw_log -> dlpidentifier), // The unique identifier of the DLP incident
	dlp_rule_name = _raw_log -> dlprulename, // The name of the DLP rule applied to the transaction. Applies only to Allow rules, not Block. 
	event_id = to_string(coalesce(_raw_log -> event_id, _raw_log -> recordid)), // The unique record identifier for each log
	external_device_id = _raw_log -> external_devid, // The external device ID that associates a user’s device with the mobile device management (MDM) solution
	file_scannable_type = _raw_log -> filetype, // The type of file downloaded during the transaction
	file_unscannable_type = _raw_log -> unscannabletype, // The unscannable file type: Encrypted or password-protected (e.g., GZIP, PDF) Unscannable (e.g., corrupt archive) Undetectable (unable to determine the file type, based on multiple methods)
	gateway_location_name = replace(_raw_log -> location, "%20", " "), // The gateway location or sub-location of the source.
	gateway_ip = _raw_log -> fwd_gw_ip, // The IP address of the gateway used
	http_content_type = _raw_log -> contenttype, // The name of the content type
	http_host = coalesce(_raw_log -> hostname, _raw_log -> host), // The destination hostname. If present, the host value in the HTTP request line populates this field. If the host value in the HTTP request line is not present, the host header is used.
	http_referer = coalesce(_raw_log -> refererURL, _raw_log -> referer), // The HTTP referer URL
	http_method = coalesce(_raw_log -> requestmethod, _raw_log -> reqmethod), // The HTTP request method
	http_request_size = to_integer(coalesce(_raw_log -> requestsize, _raw_log -> reqdatasize)), // The size of the HTTP request payload, excluding the headers, in bytes
	http_status = coalesce(_raw_log -> status, _raw_log -> respcode), // The HTTP response code sent to the client. The service generates a 403-Forbidden response for blocked transactions.
	http_response_size = to_integer(coalesce(_raw_log -> responsesize, _raw_log -> respdatasize)), // The size of the HTTP response payload, excluding the headers, in bytes
	http_url = _raw_log -> url, // The destination URL. It excludes the protocol identifier (e.g., http:// or https://).
	http_user_agent = replace(coalesce(_raw_log -> useragent, _raw_log -> ua), "%20", " "), // The full user agent string for both known and unknown agents. The user agent string contains browser and system information that the destination server can use to provide appropriate content.
	policy_action = _raw_log -> action, // The action that the service took on the transaction
	policy_application_rule = _raw_log -> apprulelabel, // The name of the rule that was applied to the application
	policy_reason = _raw_log -> reason, // The action that the service took and the policy that was applied, if the transaction was blocked
	policy_redirect_rule = _raw_log -> rdr_rulename, // The name of the redirect/forwarding policy
	policy_transaction_rule = _raw_log -> rulelabel, // The name of the rule that was applied to the transaction. Applies only to Block rules, not Allow.
	policy_url_filter_rule = _raw_log -> urlfilterrulelabel, // The name of the rule that was applied to the URL filter
	sandbox_file_md5 = _raw_log -> bamd5, // The MD5 hash of the malware file that was detected in the transaction, or the MD5 of the file that was sent for analysis to the Sandbox engine
	sandbox_file_sha256 = _raw_log -> ["sha256"], // The hash of identical files
	server_ip = coalesce(_raw_log -> serverip, _raw_log -> sip), // The destination server IP address. This displays 0.0.0.0 if the request was blocked.
	server_tls_version = _raw_log -> srvtlsversion, // The TLS/SSL version used for communication between the ZIA Public Service Edge and the server
	threat_category = coalesce(_raw_log -> threatcategory, _raw_log -> malwarecat), // Adware, Benign, Trojan, Sandbox Adware, Sandbox Anonymizer, Sandbox Malware The full list is under the Threat Category filter on the Web Insights page (Analytics > Web Insights).The Threat Category Sent for Analysis is equivalent to “Submitted to Sandbox” in the SIEM output. Additionally, Other Virus is equivalent to "Virus" for backward compatibility.
	threat_name = _raw_log -> threatname, // The name of the threat that was detected in the transaction, if any
	threat_severity = _raw_log -> threatseverity, // The severity of the threat that was detected in the transaction, if any. The severity relates to the Page Risk Index score. For example, if the value of %d{riskscore} is between 90 and 100, then the value of %s{threatseverity} is Critical. Scale is: Critical (90–100) High (75–89) Medium (46–74) Low (1–45) None (0).
	url_sub_category = coalesce(_raw_log -> urlcategory, _raw_log -> urlcat), // The category of the destination URL
	url_super_category = coalesce(_raw_log -> urlsupercategory, _raw_log -> urlsupercat), // The super category of the destination URL
	user = coalesce(_raw_log -> user, _raw_log -> login), // The user's login name in email address format
	user_department = replace(coalesce(_raw_log -> department, _raw_log -> dept), "%20", " ") // The department of the user
| alter // post extraction processing 
	client_ipv4 = if(client_ip ~= "\.",  client_ip),
	client_ipv6 = if(client_ip ~= ":",  client_ip),
	client_public_ipv4 = if(client_public_ip ~= "\.",  client_public_ip),
	client_public_ipv6 = if(client_public_ip ~= ":",  client_public_ip),
	gateway_ipv4 = if(gateway_ip ~= "\.",  gateway_ip),
	gateway_ipv6 = if(gateway_ip ~= "\.",  gateway_ip),
    server_ipv4 = if(server_ip ~= "\.",  server_ip),
    server_ipv6 = if(server_ip ~= ":",  server_ip),
	url_category = if(url_super_category != "User-defined", url_super_category, url_sub_category),
	user_domain = arrayindex(regextract(user, "@(.+)$"), 0),
	device_os = arraystring(arraycreate(device_os_type, device_os_version), " "),
	os_upper = uppercase(device_os_type)
| call zscaler_nss_map_url_category // map url category 
| alter // XDM mapping 
	xdm.alert.original_alert_id = dlp_incident_id,
	xdm.alert.original_threat_name = if(threat_name != "None", threat_name),
	xdm.alert.severity = threat_severity,
	xdm.alert.subcategory = if(threat_category != "None", threat_category),
	xdm.event.id = event_id,
	xdm.event.outcome = if(policy_action ~= "(?i)Allowed", XDM_CONST.OUTCOME_SUCCESS, policy_action ~= "(?i)Blocked", XDM_CONST.OUTCOME_FAILED, policy_action),
	xdm.event.outcome_reason = policy_reason,
	xdm.event.type = sourcetype,
	xdm.intermediate.host.hostname = gateway_location_name,
	xdm.intermediate.host.ipv4_addresses = if(gateway_ipv4 != null, arraycreate(gateway_ipv4)),
	xdm.intermediate.host.ipv6_addresses = if(gateway_ipv6 != null, arraycreate(gateway_ipv6)),
	xdm.intermediate.ipv4 = gateway_ipv4,
	xdm.intermediate.ipv6 = gateway_ipv6,
	xdm.network.application_protocol = application_protocol,
	xdm.network.http.content_type = http_content_type,
	xdm.network.http.domain = http_host,
	xdm.network.http.method = if(http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "POST", XDM_CONST.HTTP_METHOD_POST,http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE,  http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH,   http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH,  http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_method)),
	xdm.network.http.referrer = if(http_referer != "None", http_referer),
    xdm.network.http.response_code = if(http_status = "200", XDM_CONST.HTTP_RSP_CODE_OK, http_status = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, http_status = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, http_status = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_status = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_status = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_status = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_status = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_status = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_status = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_status = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_status = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_status = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_status = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_status = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_status = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_status = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_status = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_status = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_status = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_status = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_status = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_status = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_status = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_status = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_status = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_status = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_status = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, http_status = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_status = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_status = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_status = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_status = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_status = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_status = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_status = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_status = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_status = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_status = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_status = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_status = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_status = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_status = "410", XDM_CONST.HTTP_RSP_CODE_GONE, http_status = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_status = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_status = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_status = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_status = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_status = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_status = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_status = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_status = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_status = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, http_status = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_status = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_status = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_status = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_status = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_status = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_status = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, http_status),
	xdm.network.http.url = http_url,
	xdm.network.rule = arraystring(arrayfilter(arraycreate(policy_transaction_rule, policy_application_rule, policy_redirect_rule, policy_url_filter_rule, dlp_rule_name), "@element" != "None"), " "),
	xdm.network.tls.protocol_version = arraystring(arraydistinct(arraycreate(client_tls_version, server_tls_version)), ","),
	xdm.observer.action = policy_action,
	xdm.observer.name = gateway_location_name,
	xdm.source.host.device_id = external_device_id,
	xdm.source.ipv4 = client_ipv4,
	xdm.source.ipv6 = client_ipv6,
	xdm.source.host.os = device_os,
	xdm.source.host.os_family = if(os_upper contains "WINDOWS", XDM_CONST.OS_FAMILY_WINDOWS, os_upper contains "MAC", XDM_CONST.OS_FAMILY_MACOS, os_upper contains "LINUX", XDM_CONST.OS_FAMILY_LINUX, os_upper contains "ANDROID", XDM_CONST.OS_FAMILY_ANDROID, os_upper contains "IOS", XDM_CONST.OS_FAMILY_IOS, os_upper contains "UBUNTU", XDM_CONST.OS_FAMILY_UBUNTU, os_upper contains "DEBIAN", XDM_CONST.OS_FAMILY_DEBIAN, os_upper contains "FEDORA", XDM_CONST.OS_FAMILY_FEDORA, os_upper contains "CENTOS", XDM_CONST.OS_FAMILY_CENTOS, os_upper contains "CHROME", XDM_CONST.OS_FAMILY_CHROMEOS, os_upper contains "SOLARIS", XDM_CONST.OS_FAMILY_SOLARIS, os_upper contains "SCADA", XDM_CONST.OS_FAMILY_SCADA, os_upper),
	xdm.source.host.hostname = client_device_hostname,
	xdm.source.host.ipv4_addresses = arraydistinct(arraycreate(client_ipv4, client_public_ipv4)),
	xdm.source.host.ipv4_public_addresses = arraycreate(client_public_ipv4),
	xdm.source.host.ipv6_addresses = arraydistinct(arraycreate(client_ipv6, client_public_ipv6)),
	xdm.source.host.ipv6_public_addresses = arraycreate(client_public_ipv6),
	xdm.source.port = client_source_port,
	xdm.source.sent_bytes = http_request_size,
	xdm.source.user_agent = if(http_user_agent != "Unkown", http_user_agent),
	xdm.source.user.domain = user_domain,
	xdm.source.user.ou = user_department,
	xdm.source.user.username = user,
	xdm.target.application.name = cloud_application_name,
	xdm.target.file.file_type = arraystring(arraydistinct(arrayfilter(arraycreate(file_scannable_type, file_unscannable_type), "@element" != "None")), ","),
	xdm.target.file.md5 = sandbox_file_md5,
	xdm.target.file.sha256 = sandbox_file_sha256,
	xdm.target.host.ipv4_addresses = arraycreate(server_ipv4),
	xdm.target.host.ipv4_public_addresses = arraycreate(server_ipv4),
	xdm.target.host.ipv6_addresses = arraycreate(server_ipv6),
	xdm.target.host.ipv6_public_addresses = arraycreate(server_ipv6),
	xdm.target.ipv4 = server_ipv4,
	xdm.target.ipv6 = server_ipv6,
	xdm.target.sent_bytes = http_response_size,
	xdm.target.url = http_url;

/* -------------------------------------------------------------------------------------
   Cloud NSS FW Logs (https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs)
   ------------------------------------------------------------------------------------*/
filter sourcetype ="zscalernss-fw"
| alter src_ipv4 = if(_raw_log -> csip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", _raw_log -> csip, null),
        dest_ipv4 = if(_raw_log -> cdip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", _raw_log -> cdip, null),
        src_ipv6 = if(_raw_log -> csip ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", _raw_log -> csip, null),
        dest_ipv6 = if(_raw_log -> cdip ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", _raw_log -> cdip, null),
        proto = uppercase(_raw_log -> proto),
        url_category = uppercase(_raw_log -> ipcat),
        os = lowercase(_raw_log -> deviceostype),
        user = coalesce(_raw_log -> user,_raw_log -> login)
| alter 
        xdm.event.type = sourcetype,
        xdm.source.user.upn = user,
        xdm.source.user.domain = arrayindex(split(user, "@"),-1),
        xdm.target.port = to_integer(_raw_log -> cdport),
        xdm.source.port = to_integer(_raw_log -> csport),
        xdm.source.ipv4 = src_ipv4,
        xdm.source.ipv6 = src_ipv6,
        xdm.target.ipv4 = dest_ipv4,
        xdm.target.ipv6 = dest_ipv6,
        xdm.observer.action = _raw_log -> action,
        xdm.source.application.name = _raw_log -> nwapp,
        xdm.network.ip_protocol = if(proto="HOPOPT",XDM_CONST.IP_PROTOCOL_HOPOPT, proto="ICMP",XDM_CONST.IP_PROTOCOL_ICMP, proto="IGMP",XDM_CONST.IP_PROTOCOL_IGMP, proto="GGP",XDM_CONST.IP_PROTOCOL_GGP, proto="IP",XDM_CONST.IP_PROTOCOL_IP, proto="ST",XDM_CONST.IP_PROTOCOL_ST, proto="TCP",XDM_CONST.IP_PROTOCOL_TCP, proto="CBT",XDM_CONST.IP_PROTOCOL_CBT, proto="EGP",XDM_CONST.IP_PROTOCOL_EGP, proto="IGP",XDM_CONST.IP_PROTOCOL_IGP, proto="BBN_RCC_MON",XDM_CONST.IP_PROTOCOL_BBN_RCC_MON, proto="NVP_II",XDM_CONST.IP_PROTOCOL_NVP_II, proto="PUP",XDM_CONST.IP_PROTOCOL_PUP, proto="ARGUS",XDM_CONST.IP_PROTOCOL_ARGUS, proto="EMCON",XDM_CONST.IP_PROTOCOL_EMCON, proto="XNET",XDM_CONST.IP_PROTOCOL_XNET, proto="CHAOS",XDM_CONST.IP_PROTOCOL_CHAOS, proto="UDP",XDM_CONST.IP_PROTOCOL_UDP, proto="MUX",XDM_CONST.IP_PROTOCOL_MUX, proto="DCN_MEAS",XDM_CONST.IP_PROTOCOL_DCN_MEAS, proto="HMP",XDM_CONST.IP_PROTOCOL_HMP, proto="PRM",XDM_CONST.IP_PROTOCOL_PRM, proto="XNS_IDP",XDM_CONST.IP_PROTOCOL_XNS_IDP, proto="TRUNK_1",XDM_CONST.IP_PROTOCOL_TRUNK_1, proto="TRUNK_2",XDM_CONST.IP_PROTOCOL_TRUNK_2, proto="LEAF_1",XDM_CONST.IP_PROTOCOL_LEAF_1, proto="LEAF_2",XDM_CONST.IP_PROTOCOL_LEAF_2, proto="RDP",XDM_CONST.IP_PROTOCOL_RDP, proto="IRTP",XDM_CONST.IP_PROTOCOL_IRTP, proto="ISO_TP4",XDM_CONST.IP_PROTOCOL_ISO_TP4, proto="NETBLT",XDM_CONST.IP_PROTOCOL_NETBLT, proto="MFE_NSP",XDM_CONST.IP_PROTOCOL_MFE_NSP, proto="MERIT_INP",XDM_CONST.IP_PROTOCOL_MERIT_INP, proto="DCCP",XDM_CONST.IP_PROTOCOL_DCCP, proto="3PC",XDM_CONST.IP_PROTOCOL_3PC, proto="IDPR",XDM_CONST.IP_PROTOCOL_IDPR, proto="XTP",XDM_CONST.IP_PROTOCOL_XTP, proto="DDP",XDM_CONST.IP_PROTOCOL_DDP, proto="IDPR_CMTP",XDM_CONST.IP_PROTOCOL_IDPR_CMTP, proto="TP",XDM_CONST.IP_PROTOCOL_TP, proto="IL",XDM_CONST.IP_PROTOCOL_IL, proto="IPV6",XDM_CONST.IP_PROTOCOL_IPV6, proto="SDRP",XDM_CONST.IP_PROTOCOL_SDRP, proto="IPV6_ROUTE",XDM_CONST.IP_PROTOCOL_IPV6_ROUTE, proto="IPV6_FRAG",XDM_CONST.IP_PROTOCOL_IPV6_FRAG, proto="IDRP",XDM_CONST.IP_PROTOCOL_IDRP, proto="RSVP",XDM_CONST.IP_PROTOCOL_RSVP, proto="GRE",XDM_CONST.IP_PROTOCOL_GRE, proto="DSR",XDM_CONST.IP_PROTOCOL_DSR, proto="BNA",XDM_CONST.IP_PROTOCOL_BNA, proto="ESP",XDM_CONST.IP_PROTOCOL_ESP, proto="AH",XDM_CONST.IP_PROTOCOL_AH, proto="I_NLSP",XDM_CONST.IP_PROTOCOL_I_NLSP, proto="SWIPE",XDM_CONST.IP_PROTOCOL_SWIPE, proto="NARP",XDM_CONST.IP_PROTOCOL_NARP, proto="MOBILE",XDM_CONST.IP_PROTOCOL_MOBILE, proto="TLSP",XDM_CONST.IP_PROTOCOL_TLSP, proto="SKIP",XDM_CONST.IP_PROTOCOL_SKIP, proto="IPV6_ICMP",XDM_CONST.IP_PROTOCOL_IPV6_ICMP, proto="IPV6_NONXT",XDM_CONST.IP_PROTOCOL_IPV6_NONXT, proto="IPV6_OPTS",XDM_CONST.IP_PROTOCOL_IPV6_OPTS, proto="CFTP",XDM_CONST.IP_PROTOCOL_CFTP, proto="SAT_EXPAK",XDM_CONST.IP_PROTOCOL_SAT_EXPAK, proto="KRYPTOLAN",XDM_CONST.IP_PROTOCOL_KRYPTOLAN, proto="RVD",XDM_CONST.IP_PROTOCOL_RVD, proto="IPPC",XDM_CONST.IP_PROTOCOL_IPPC, proto="SAT_MON",XDM_CONST.IP_PROTOCOL_SAT_MON, proto="VISA",XDM_CONST.IP_PROTOCOL_VISA, proto="IPCV",XDM_CONST.IP_PROTOCOL_IPCV, proto="CPNX",XDM_CONST.IP_PROTOCOL_CPNX, proto="CPHB",XDM_CONST.IP_PROTOCOL_CPHB, proto="WSN",XDM_CONST.IP_PROTOCOL_WSN, proto="PVP",XDM_CONST.IP_PROTOCOL_PVP, proto="BR_SAT_MON",XDM_CONST.IP_PROTOCOL_BR_SAT_MON, proto="SUN_ND",XDM_CONST.IP_PROTOCOL_SUN_ND, proto="WB_MON",XDM_CONST.IP_PROTOCOL_WB_MON, proto="WB_EXPAK",XDM_CONST.IP_PROTOCOL_WB_EXPAK, proto="ISO_IP",XDM_CONST.IP_PROTOCOL_ISO_IP, proto="VMTP",XDM_CONST.IP_PROTOCOL_VMTP, proto="SECURE_VMTP",XDM_CONST.IP_PROTOCOL_SECURE_VMTP, proto="VINES",XDM_CONST.IP_PROTOCOL_VINES, proto="TTP",XDM_CONST.IP_PROTOCOL_TTP, proto="NSFNET_IGP",XDM_CONST.IP_PROTOCOL_NSFNET_IGP, proto="DGP",XDM_CONST.IP_PROTOCOL_DGP, proto="TCF",XDM_CONST.IP_PROTOCOL_TCF, proto="EIGRP",XDM_CONST.IP_PROTOCOL_EIGRP, proto="OSPFIGP",XDM_CONST.IP_PROTOCOL_OSPFIGP, proto="SPRITE_RPC",XDM_CONST.IP_PROTOCOL_SPRITE_RPC, proto="LARP",XDM_CONST.IP_PROTOCOL_LARP, proto="MTP",XDM_CONST.IP_PROTOCOL_MTP, proto="AX25",XDM_CONST.IP_PROTOCOL_AX25, proto="IPIP",XDM_CONST.IP_PROTOCOL_IPIP, proto="MICP",XDM_CONST.IP_PROTOCOL_MICP, proto="SCC_SP",XDM_CONST.IP_PROTOCOL_SCC_SP, proto="ETHERIP",XDM_CONST.IP_PROTOCOL_ETHERIP, proto="ENCAP",XDM_CONST.IP_PROTOCOL_ENCAP, proto="GMTP",XDM_CONST.IP_PROTOCOL_GMTP, proto="IFMP",XDM_CONST.IP_PROTOCOL_IFMP, proto="PNNI",XDM_CONST.IP_PROTOCOL_PNNI, proto="PIM",XDM_CONST.IP_PROTOCOL_PIM, proto="ARIS",XDM_CONST.IP_PROTOCOL_ARIS, proto="SCPS",XDM_CONST.IP_PROTOCOL_SCPS, proto="QNX",XDM_CONST.IP_PROTOCOL_QNX, proto="AN",XDM_CONST.IP_PROTOCOL_AN, proto="IPCOMP",XDM_CONST.IP_PROTOCOL_IPCOMP, proto="COMPAQ_PEER",XDM_CONST.IP_PROTOCOL_COMPAQ_PEER, proto="IPX_IN_IP",XDM_CONST.IP_PROTOCOL_IPX_IN_IP, proto="VRRP",XDM_CONST.IP_PROTOCOL_VRRP, proto="PGM",XDM_CONST.IP_PROTOCOL_PGM, proto="L2TP",XDM_CONST.IP_PROTOCOL_L2TP, proto="DDX",XDM_CONST.IP_PROTOCOL_DDX, proto="IATP",XDM_CONST.IP_PROTOCOL_IATP, proto="STP",XDM_CONST.IP_PROTOCOL_STP, proto="SRP",XDM_CONST.IP_PROTOCOL_SRP, proto="UTI",XDM_CONST.IP_PROTOCOL_UTI, proto="SMP",XDM_CONST.IP_PROTOCOL_SMP, proto="SM",XDM_CONST.IP_PROTOCOL_SM, proto="PTP",XDM_CONST.IP_PROTOCOL_PTP, proto="ISIS",XDM_CONST.IP_PROTOCOL_ISIS, proto="FIRE",XDM_CONST.IP_PROTOCOL_FIRE, proto="CRTP",XDM_CONST.IP_PROTOCOL_CRTP, proto="CRUDP",XDM_CONST.IP_PROTOCOL_CRUDP, proto="SSCOPMCE",XDM_CONST.IP_PROTOCOL_SSCOPMCE, proto="IPLT",XDM_CONST.IP_PROTOCOL_IPLT, proto="SPS",XDM_CONST.IP_PROTOCOL_SPS, proto="PIPE",XDM_CONST.IP_PROTOCOL_PIPE, proto="SCTP",XDM_CONST.IP_PROTOCOL_SCTP, proto="FC",XDM_CONST.IP_PROTOCOL_FC, proto="RSVP_E2E_IGNORE",XDM_CONST.IP_PROTOCOL_RSVP_E2E_IGNORE, proto="MOBILITY",XDM_CONST.IP_PROTOCOL_MOBILITY, proto="UDPLITE",XDM_CONST.IP_PROTOCOL_UDPLITE, proto="MPLS_IN_IP",XDM_CONST.IP_PROTOCOL_MPLS_IN_IP, proto = null, null, to_string(proto)),
        xdm.network.http.url_category = if(url_category contains "ABORTION", XDM_CONST.URL_CATEGORY_ABORTION, url_category contains "DRUGS", XDM_CONST.URL_CATEGORY_ABUSED_DRUGS, url_category contains "ADULT", XDM_CONST.URL_CATEGORY_ADULT, url_category contains "ALCOHOL" or url_category contains "TOBACCO", XDM_CONST.URL_CATEGORY_ALCOHOL_AND_TOBACCO, url_category contains "AUCTIONS", XDM_CONST.URL_CATEGORY_AUCTIONS, url_category contains "BUSINESS" or url_category contains "ECONOMY", XDM_CONST.URL_CATEGORY_BUSINESS_AND_ECONOMY, url_category contains "COMMAND AND CONTROL" or url_category contains "C&C", XDM_CONST.URL_CATEGORY_COMMAND_AND_CONTROL, url_category contains "COMPUTER" or url_category contains "INTERNET", XDM_CONST.URL_CATEGORY_COMPUTER_AND_INTERNET_INFO, url_category contains "CONTENT DELIVERY NETWORKS" or url_category contains "CDN", XDM_CONST.URL_CATEGORY_CONTENT_DELIVERY_NETWORKS, url_category contains "COPYRIGHT", XDM_CONST.URL_CATEGORY_COPYRIGHT_INFRINGEMENT, url_category contains "CRYPTO", XDM_CONST.URL_CATEGORY_CRYPTOCURRENCY, url_category contains "DATING", XDM_CONST.URL_CATEGORY_DATING, url_category contains "DYNAMIC DNS", XDM_CONST.URL_CATEGORY_DYNAMIC_DNS, url_category contains "EDUCATIONAL INSTITUTIONS", XDM_CONST.URL_CATEGORY_EDUCATIONAL_INSTITUTIONS, url_category contains "ENTERTAINMENT" and url_category contains "ARTS", XDM_CONST.URL_CATEGORY_ENTERTAINMENT_AND_ARTS, url_category contains "EXTREMISM", XDM_CONST.URL_CATEGORY_EXTREMISM, url_category contains "FINANCIAL" or url_category contains "FINANCE", XDM_CONST.URL_CATEGORY_FINANCIAL_SERVICES, url_category contains "GAMBLING", XDM_CONST.URL_CATEGORY_GAMBLING, url_category contains "GAMES", XDM_CONST.URL_CATEGORY_GAMES, url_category contains "GOVERNMENT", XDM_CONST.URL_CATEGORY_GOVERNMENT, url_category contains "GRAYWARE", XDM_CONST.URL_CATEGORY_GRAYWARE, url_category contains "HACKING", XDM_CONST.URL_CATEGORY_HACKING, url_category contains "HEALTH" or url_category contains "MEDICINE", XDM_CONST.URL_CATEGORY_HEALTH_AND_MEDICINE, url_category contains "HOME" or url_category contains "GARDEN", XDM_CONST.URL_CATEGORY_HOME_AND_GARDEN, url_category contains "HUNTING" or url_category contains "FISHING", XDM_CONST.URL_CATEGORY_HUNTING_AND_FISHING, url_category contains "INSUFFICIENT CONTENT", XDM_CONST.URL_CATEGORY_INSUFFICIENT_CONTENT, url_category contains "INTERNET COMMUNICATIONS" and url_category contains "TELEPHONY", XDM_CONST.URL_CATEGORY_INTERNET_COMMUNICATIONS_AND_TELEPHONY, url_category contains "INTERNET PORTALS", XDM_CONST.URL_CATEGORY_INTERNET_PORTALS, url_category contains "JOB", XDM_CONST.URL_CATEGORY_JOB_SEARCH, url_category contains "LEGAL", XDM_CONST.URL_CATEGORY_LEGAL, url_category contains "MALWARE", XDM_CONST.URL_CATEGORY_MALWARE, url_category contains "MILITARY", XDM_CONST.URL_CATEGORY_MILITARY, url_category contains "MOTOR VEHICLES", XDM_CONST.URL_CATEGORY_MOTOR_VEHICLES, url_category contains "MUSIC", XDM_CONST.URL_CATEGORY_MUSIC, url_category contains "DOMAIN" and url_category contains "REGIST", XDM_CONST.URL_CATEGORY_NEWLY_REGISTERED_DOMAIN, url_category contains "NEWS", XDM_CONST.URL_CATEGORY_NEWS, url_category contains "NOT RESOLVED", XDM_CONST.URL_CATEGORY_NOT_RESOLVED, url_category contains "NUDITY", XDM_CONST.URL_CATEGORY_NUDITY, url_category contains "ONLINE STORAGE" and url_category contains "BACKUP", XDM_CONST.URL_CATEGORY_ONLINE_STORAGE_AND_BACKUP, url_category contains "PARKED", XDM_CONST.URL_CATEGORY_PARKED, url_category contains "PEER TO PEER", XDM_CONST.URL_CATEGORY_PEER_TO_PEER, url_category contains "PERSONAL SITES" or url_category contains "BLOG", XDM_CONST.URL_CATEGORY_PERSONAL_SITES_AND_BLOGS, url_category contains "PHILOSOPHY" or url_category contains "POLITICAL ADVOCACY", XDM_CONST.URL_CATEGORY_PHILOSOPHY_AND_POLITICAL_ADVOCACY, url_category contains "PHISHING", XDM_CONST.URL_CATEGORY_PHISHING, url_category contains "PRIVATE IP ADDRESSES", XDM_CONST.URL_CATEGORY_PRIVATE_IP_ADDRESSES, url_category contains "PROXY" or url_category contains "ANONYMIZERS", XDM_CONST.URL_CATEGORY_PROXY_AVOIDANCE_AND_ANONYMIZERS, url_category contains "QUESTIONABLE", XDM_CONST.URL_CATEGORY_QUESTIONABLE, url_category contains "REAL ESTATE", XDM_CONST.URL_CATEGORY_REAL_ESTATE, url_category contains "HOBBIES" or url_category contains "RECREATION", XDM_CONST.URL_CATEGORY_RECREATION_AND_HOBBIES, url_category contains "REFERENCE", XDM_CONST.URL_CATEGORY_REFERENCE_AND_RESEARCH, url_category contains "RELIGION", XDM_CONST.URL_CATEGORY_RELIGION, url_category contains "SEARCH ENGINES", XDM_CONST.URL_CATEGORY_SEARCH_ENGINES, url_category contains "SEX EDUCATION", XDM_CONST.URL_CATEGORY_SEX_EDUCATION, url_category contains "SHAREWARE" and url_category contains "FREEWARE", XDM_CONST.URL_CATEGORY_SHAREWARE_AND_FREEWARE, url_category contains "SHOPPING", XDM_CONST.URL_CATEGORY_SHOPPING, url_category contains "SOCIAL_NETWORK", XDM_CONST.URL_CATEGORY_SOCIAL_NETWORKING, url_category contains "SOCIETY", XDM_CONST.URL_CATEGORY_SOCIETY, url_category contains "SPORTS", XDM_CONST.URL_CATEGORY_SPORTS, url_category contains "STOCK", XDM_CONST.URL_CATEGORY_STOCK_ADVICE_AND_TOOLS, url_category contains "MEDIA" and url_category contains "STREAM", XDM_CONST.URL_CATEGORY_STREAMING_MEDIA, url_category contains "INTIMATE APPAREL", XDM_CONST.URL_CATEGORY_SWIMSUITS_AND_INTIMATE_APPAREL, url_category contains "TRAINING" and url_category contains "Sport", XDM_CONST.URL_CATEGORY_TRAINING_AND_TOOLS, url_category contains "TRANSLATION", XDM_CONST.URL_CATEGORY_TRANSLATION, url_category contains "TRAVEL", XDM_CONST.URL_CATEGORY_TRAVEL, url_category contains "UNKNOWN", XDM_CONST.URL_CATEGORY_UNKNOWN, url_category contains "WEAPONS", XDM_CONST.URL_CATEGORY_WEAPONS, url_category contains "WEB ADVERTISEMENTS", XDM_CONST.URL_CATEGORY_WEB_ADVERTISEMENTS, url_category contains "WEB HOSTING", XDM_CONST.URL_CATEGORY_WEB_HOSTING, url_category contains "WEB BASED EMAIL", XDM_CONST.URL_CATEGORY_WEB_BASED_EMAIL, url_category),
        xdm.network.rule = replex(_raw_log -> rulelabel,"\%20"," "),
        xdm.target.sent_bytes = to_integer(_raw_log -> inbytes),
        xdm.source.sent_bytes = to_integer(_raw_log -> outbytes),
        xdm.event.duration = to_integer(_raw_log -> durationms),
        xdm.alert.original_threat_name = _raw_log -> threatname,
        xdm.source.host.hostname = coalesce(_raw_log -> devicehostname, _raw_log -> devicename),
        xdm.target.host.fqdn = _raw_log -> cdfqdn,
        xdm.alert.subcategory = _raw_log -> threatcat,
        xdm.source.agent.version = _raw_log -> deviceappversion,
        xdm.alert.severity = uppercase(_raw_log -> threat_severity),
        xdm.target.host.os = concat(os," ",_raw_log -> deviceosversion),
        xdm.target.host.os_family = if(os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, os contains "mac", XDM_CONST.OS_FAMILY_MACOS, os contains "linux", XDM_CONST.OS_FAMILY_LINUX, os contains "android", XDM_CONST.OS_FAMILY_ANDROID, os contains "ios", XDM_CONST.OS_FAMILY_IOS, os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, os contains "scada", XDM_CONST.OS_FAMILY_SCADA),
        xdm.target.location.country = _raw_log -> destcountry,
        xdm.source.location.country = _raw_log -> srcip_country,
        xdm.network.application_protocol_category = _raw_log -> nwsvc;

[RULE: zscaler_nss_map_url_category]
/* This rule maps a url category value from url_category field to xdm.network.http.url_category. 
   If there is a match to one of the predefined enum values, it is mapped to the enum, otherwise, 
   it is just converted to uppercase and mapped as is.  
   usage prerequisite: init a field "url_category" with the url category value. */
alter url_category = uppercase(url_category)
| alter xdm.network.http.url_category = if(url_category contains "ABORTION", XDM_CONST.URL_CATEGORY_ABORTION, url_category contains "DRUGS", XDM_CONST.URL_CATEGORY_ABUSED_DRUGS, url_category contains "ADULT", XDM_CONST.URL_CATEGORY_ADULT, url_category contains "ALCOHOL" or url_category contains "TOBACCO", XDM_CONST.URL_CATEGORY_ALCOHOL_AND_TOBACCO, url_category contains "AUCTIONS", XDM_CONST.URL_CATEGORY_AUCTIONS, url_category contains "BUSINESS" or url_category contains "ECONOMY", XDM_CONST.URL_CATEGORY_BUSINESS_AND_ECONOMY, url_category contains "COMMAND AND CONTROL" or url_category contains "C&C", XDM_CONST.URL_CATEGORY_COMMAND_AND_CONTROL, url_category contains "COMPUTER" or url_category contains "INTERNET", XDM_CONST.URL_CATEGORY_COMPUTER_AND_INTERNET_INFO, url_category contains "CONTENT DELIVERY NETWORKS" or url_category contains "CDN", XDM_CONST.URL_CATEGORY_CONTENT_DELIVERY_NETWORKS, url_category contains "COPYRIGHT", XDM_CONST.URL_CATEGORY_COPYRIGHT_INFRINGEMENT, url_category contains "CRYPTO", XDM_CONST.URL_CATEGORY_CRYPTOCURRENCY, url_category contains "DATING", XDM_CONST.URL_CATEGORY_DATING, url_category contains "DYNAMIC DNS", XDM_CONST.URL_CATEGORY_DYNAMIC_DNS, url_category contains "EDUCATIONAL INSTITUTIONS", XDM_CONST.URL_CATEGORY_EDUCATIONAL_INSTITUTIONS, url_category contains "ENTERTAINMENT" and url_category contains "ARTS", XDM_CONST.URL_CATEGORY_ENTERTAINMENT_AND_ARTS, url_category contains "EXTREMISM", XDM_CONST.URL_CATEGORY_EXTREMISM, url_category contains "FINANCIAL" or url_category contains "FINANCE", XDM_CONST.URL_CATEGORY_FINANCIAL_SERVICES, url_category contains "GAMBLING", XDM_CONST.URL_CATEGORY_GAMBLING, url_category contains "GAMES", XDM_CONST.URL_CATEGORY_GAMES, url_category contains "GOVERNMENT", XDM_CONST.URL_CATEGORY_GOVERNMENT, url_category contains "GRAYWARE", XDM_CONST.URL_CATEGORY_GRAYWARE, url_category contains "HACKING", XDM_CONST.URL_CATEGORY_HACKING, url_category contains "HEALTH" or url_category contains "MEDICINE", XDM_CONST.URL_CATEGORY_HEALTH_AND_MEDICINE, url_category contains "HOME" or url_category contains "GARDEN", XDM_CONST.URL_CATEGORY_HOME_AND_GARDEN, url_category contains "HUNTING" or url_category contains "FISHING", XDM_CONST.URL_CATEGORY_HUNTING_AND_FISHING, url_category contains "INSUFFICIENT CONTENT", XDM_CONST.URL_CATEGORY_INSUFFICIENT_CONTENT, url_category contains "INTERNET COMMUNICATIONS" and url_category contains "TELEPHONY", XDM_CONST.URL_CATEGORY_INTERNET_COMMUNICATIONS_AND_TELEPHONY, url_category contains "INTERNET PORTALS", XDM_CONST.URL_CATEGORY_INTERNET_PORTALS, url_category contains "JOB", XDM_CONST.URL_CATEGORY_JOB_SEARCH, url_category contains "LEGAL", XDM_CONST.URL_CATEGORY_LEGAL, url_category contains "MALWARE", XDM_CONST.URL_CATEGORY_MALWARE, url_category contains "MILITARY", XDM_CONST.URL_CATEGORY_MILITARY, url_category contains "MOTOR VEHICLES", XDM_CONST.URL_CATEGORY_MOTOR_VEHICLES, url_category contains "MUSIC", XDM_CONST.URL_CATEGORY_MUSIC, url_category contains "DOMAIN" and url_category contains "REGIST", XDM_CONST.URL_CATEGORY_NEWLY_REGISTERED_DOMAIN, url_category contains "NEWS", XDM_CONST.URL_CATEGORY_NEWS, url_category contains "NOT RESOLVED", XDM_CONST.URL_CATEGORY_NOT_RESOLVED, url_category contains "NUDITY", XDM_CONST.URL_CATEGORY_NUDITY, url_category contains "ONLINE STORAGE" and url_category contains "BACKUP", XDM_CONST.URL_CATEGORY_ONLINE_STORAGE_AND_BACKUP, url_category contains "PARKED", XDM_CONST.URL_CATEGORY_PARKED, url_category contains "PEER TO PEER", XDM_CONST.URL_CATEGORY_PEER_TO_PEER, url_category contains "PERSONAL SITES" or url_category contains "BLOG", XDM_CONST.URL_CATEGORY_PERSONAL_SITES_AND_BLOGS, url_category contains "PHILOSOPHY" or url_category contains "POLITICAL ADVOCACY", XDM_CONST.URL_CATEGORY_PHILOSOPHY_AND_POLITICAL_ADVOCACY, url_category contains "PHISHING", XDM_CONST.URL_CATEGORY_PHISHING, url_category contains "PRIVATE IP ADDRESSES", XDM_CONST.URL_CATEGORY_PRIVATE_IP_ADDRESSES, url_category contains "PROXY" or url_category contains "ANONYMIZERS", XDM_CONST.URL_CATEGORY_PROXY_AVOIDANCE_AND_ANONYMIZERS, url_category contains "QUESTIONABLE", XDM_CONST.URL_CATEGORY_QUESTIONABLE, url_category contains "REAL ESTATE", XDM_CONST.URL_CATEGORY_REAL_ESTATE, url_category contains "HOBBIES" or url_category contains "RECREATION", XDM_CONST.URL_CATEGORY_RECREATION_AND_HOBBIES, url_category contains "REFERENCE", XDM_CONST.URL_CATEGORY_REFERENCE_AND_RESEARCH, url_category contains "RELIGION", XDM_CONST.URL_CATEGORY_RELIGION, url_category contains "SEARCH ENGINES", XDM_CONST.URL_CATEGORY_SEARCH_ENGINES, url_category contains "SEX EDUCATION", XDM_CONST.URL_CATEGORY_SEX_EDUCATION, url_category contains "SHAREWARE" and url_category contains "FREEWARE", XDM_CONST.URL_CATEGORY_SHAREWARE_AND_FREEWARE, url_category contains "SHOPPING", XDM_CONST.URL_CATEGORY_SHOPPING, url_category contains "SOCIAL_NETWORK", XDM_CONST.URL_CATEGORY_SOCIAL_NETWORKING, url_category contains "SOCIETY", XDM_CONST.URL_CATEGORY_SOCIETY, url_category contains "SPORTS", XDM_CONST.URL_CATEGORY_SPORTS, url_category contains "STOCK", XDM_CONST.URL_CATEGORY_STOCK_ADVICE_AND_TOOLS, url_category contains "MEDIA" and url_category contains "STREAM", XDM_CONST.URL_CATEGORY_STREAMING_MEDIA, url_category contains "INTIMATE APPAREL", XDM_CONST.URL_CATEGORY_SWIMSUITS_AND_INTIMATE_APPAREL, url_category contains "TRAINING" and url_category contains "Sport", XDM_CONST.URL_CATEGORY_TRAINING_AND_TOOLS, url_category contains "TRANSLATION", XDM_CONST.URL_CATEGORY_TRANSLATION, url_category contains "TRAVEL", XDM_CONST.URL_CATEGORY_TRAVEL, url_category contains "UNKNOWN", XDM_CONST.URL_CATEGORY_UNKNOWN, url_category contains "WEAPONS", XDM_CONST.URL_CATEGORY_WEAPONS, url_category contains "WEB ADVERTISEMENTS", XDM_CONST.URL_CATEGORY_WEB_ADVERTISEMENTS, url_category contains "WEB HOSTING", XDM_CONST.URL_CATEGORY_WEB_HOSTING, url_category contains "WEB BASED EMAIL", XDM_CONST.URL_CATEGORY_WEB_BASED_EMAIL, url_category);

Schema

zscaler_nssweblog_raw

Field Type Array?
ZscalerNSSWeblogURLClass string
act string
app string
cat string
cefName string
cefSeverity string
cefVersion string
cn1 string
contenttype string
cs2 string
cs3 string
cs4 string
cs5 string
cs6 string
destCountry string
destinationServiceName string
destinationTranslatedAddress string
devicehostname string
dhost string
dpt string
dst string
externalId string
fileType string
in string
out string
outcome string
proto string
reason string
request string
requestClientApplication string
requestMethod string
sourceTranslatedAddress string
spriv string
spt string
src string
suser string

zscaler_nssfwlog_raw

Field Type Array?
act string
cat string
cefName string
cefSeverity string
cefVersion string
cn1 int
cs2 string
cs3 string
cs5 string
cs6 string
destCountry string
destinationTranslatedAddress string
dpt int
dst string
in int
out int
proto string
reason string
sourceTranslatedAddress string
spriv string
spt int
src string
suser string

zscaler_cloudnss_raw

Field Type Array?
_raw_log string
dest_ipv4 string
dest_ipv6 string
os string
proto string
sourcetype string
src_ipv4 string
src_ipv6 string
url_category string
user string
Raw JSON
{
  "zscaler_nssweblog_raw": {
    "act": {
      "type": "string",
      "is_array": false
    },
    "app": {
      "type": "string",
      "is_array": false
    },
    "cat": {
      "type": "string",
      "is_array": false
    },
    "cefName": {
      "type": "string",
      "is_array": false
    },
    "cefSeverity": {
      "type": "string",
      "is_array": false
    },
    "cefVersion": {
      "type": "string",
      "is_array": false
    },
    "cn1": {
      "type": "string",
      "is_array": false
    },
    "contenttype": {
      "type": "string",
      "is_array": false
    },
    "cs2": {
      "type": "string",
      "is_array": false
    },
    "cs3": {
      "type": "string",
      "is_array": false
    },
    "cs4": {
      "type": "string",
      "is_array": false
    },
    "cs5": {
      "type": "string",
      "is_array": false
    },
    "cs6": {
      "type": "string",
      "is_array": false
    },
    "destCountry": {
      "type": "string",
      "is_array": false
    },
    "destinationServiceName": {
      "type": "string",
      "is_array": false
    },
    "destinationTranslatedAddress": {
      "type": "string",
      "is_array": false
    },
    "devicehostname": {
      "type": "string",
      "is_array": false
    },
    "dhost": {
      "type": "string",
      "is_array": false
    },
    "dpt": {
      "type": "string",
      "is_array": false
    },
    "dst": {
      "type": "string",
      "is_array": false
    },
    "externalId": {
      "type": "string",
      "is_array": false
    },
    "fileType": {
      "type": "string",
      "is_array": false
    },
    "in": {
      "type": "string",
      "is_array": false
    },
    "outcome": {
      "type": "string",
      "is_array": false
    },
    "out": {
      "type": "string",
      "is_array": false
    },
    "proto": {
      "type": "string",
      "is_array": false
    },
    "reason": {
      "type": "string",
      "is_array": false
    },
    "request": {
      "type": "string",
      "is_array": false
    },
    "requestClientApplication": {
      "type": "string",
      "is_array": false
    },
    "requestMethod": {
      "type": "string",
      "is_array": false
    },
    "sourceTranslatedAddress": {
      "type": "string",
      "is_array": false
    },
    "spriv": {
      "type": "string",
      "is_array": false
    },
    "src": {
      "type": "string",
      "is_array": false
    },
    "spt": {
      "type": "string",
      "is_array": false
    },
    "suser": {
      "type": "string",
      "is_array": false
    },
    "ZscalerNSSWeblogURLClass": {
      "type": "string",
      "is_array": false
    }
  },
  "zscaler_nssfwlog_raw": {
    "act": {
      "type": "string",
      "is_array": false
    },
    "cat": {
      "type": "string",
      "is_array": false
    },
    "cefName": {
      "type": "string",
      "is_array": false
    },
    "cefSeverity": {
      "type": "string",
      "is_array": false
    },
    "cefVersion": {
      "type": "string",
      "is_array": false
    },
    "cn1": {
      "type": "int",
      "is_array": false
    },
    "cs2": {
      "type": "string",
      "is_array": false
    },
    "cs3": {
      "type": "string",
      "is_array": false
    },
    "cs5": {
      "type": "string",
      "is_array": false
    },
    "cs6": {
      "type": "string",
      "is_array": false
    },
    "destCountry": {
      "type": "string",
      "is_array": false
    },
    "destinationTranslatedAddress": {
      "type": "string",
      "is_array": false
    },
    "dpt": {
      "type": "int",
      "is_array": false
    },
    "dst": {
      "type": "string",
      "is_array": false
    },
    "in": {
      "type": "int",
      "is_array": false
    },
    "out": {
      "type": "int",
      "is_array": false
    },
    "proto": {
      "type": "string",
      "is_array": false
    },
    "reason": {
      "type": "string",
      "is_array": false
    },
    "sourceTranslatedAddress": {
      "type": "string",
      "is_array": false
    },
    "spriv": {
      "type": "string",
      "is_array": false
    },
    "spt": {
      "type": "int",
      "is_array": false
    },
    "src": {
      "type": "string",
      "is_array": false
    },
    "suser": {
      "type": "string",
      "is_array": false
    }
  },
  "zscaler_cloudnss_raw": {
    "_raw_log": {
      "type": "string",
      "is_array": false
    },
    "sourcetype": {
      "type": "string",
      "is_array": false
    },
    "src_ipv4": {
      "type": "string",
      "is_array": false
    },
    "dest_ipv4": {
      "type": "string",
      "is_array": false
    },
    "src_ipv6": {
      "type": "string",
      "is_array": false
    },
    "dest_ipv6": {
      "type": "string",
      "is_array": false
    },
    "proto": {
      "type": "string",
      "is_array": false
    },
    "url_category": {
      "type": "string",
      "is_array": false
    },
    "os": {
      "type": "string",
      "is_array": false
    },
    "user": {
      "type": "string",
      "is_array": false
    }
  }
}