Rules (XIF)
/* ------------------------------------------
VM-Based NSS Modeling (Syslog CEF Records)
-----------------------------------------*/
[MODEL: dataset=zscaler_nssweblog_raw]
alter
xdm.alert.category = cs4,
xdm.alert.name = cs5,
xdm.alert.severity = to_string(cn1),
xdm.event.outcome_reason = reason,
xdm.event.type = ZscalerNSSWeblogURLClass,
xdm.network.application_protocol_category = cat,
xdm.network.http.content_type = contenttype,
xdm.network.http.domain = dhost,
xdm.network.http.method = requestMethod,
xdm.network.http.response_code = if(outcome = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, outcome = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, outcome = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, outcome = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, outcome = "200", XDM_CONST.HTTP_RSP_CODE_OK, outcome = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, outcome = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, outcome = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, outcome = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, outcome = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, outcome = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, outcome = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, outcome = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, outcome = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, outcome = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, outcome = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, outcome = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, outcome = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, outcome = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, outcome = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, outcome = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, outcome = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, outcome = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, outcome = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, outcome = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, outcome = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, outcome = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, outcome = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, outcome = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, outcome = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, outcome = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, outcome = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, outcome = "410", XDM_CONST.HTTP_RSP_CODE_GONE, outcome = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, outcome = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, outcome = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, outcome = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, outcome = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, outcome = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, outcome = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, outcome = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, outcome = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, outcome = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, outcome = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, outcome = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, outcome = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, outcome = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, outcome = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, outcome = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, outcome = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, outcome = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, outcome = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, outcome = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, outcome = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, outcome = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, outcome = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, outcome = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, outcome = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, outcome = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, outcome = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, outcome = null, null, to_string(outcome)),
xdm.network.http.url = request,
xdm.network.http.url_category = cs2,
xdm.network.protocol_layers = arraycreate(coalesce(app, "")),
xdm.observer.action = act,
xdm.session_context_id = externalId,
xdm.source.host.hostname = devicehostname,
xdm.source.host.ipv4_addresses = if(is_ipv4(src) = TRUE, arraycreate(src)),
xdm.source.ipv4 = if(is_ipv4(sourceTranslatedAddress) = TRUE, sourceTranslatedAddress),
xdm.source.user_agent = requestClientApplication,
xdm.source.user.username = suser,
xdm.source.zone = spriv,
xdm.target.host.ipv4_addresses = if(is_ipv4(dst) = TRUE, arraycreate(dst)),
xdm.target.interface = destinationServiceName,
xdm.target.ipv4 = dst,
xdm.target.process.executable.file_type = fileType,
xdm.target.sent_bytes = to_integer(`in`),
xdm.source.port = to_integer(0),
xdm.target.port = to_integer(0),
xdm.network.ip_protocol = XDM_CONST.IP_PROTOCOL_TCP,
xdm.source.sent_bytes = to_integer(out);
[MODEL: dataset="zscaler_nssfwlog_raw"]
alter cs5=uppercase(cs5)
| alter
xdm.alert.category=cat,
xdm.alert.name=cs6,
xdm.alert.severity=cefSeverity,
xdm.event.duration=to_integer(cn1),
xdm.event.outcome_reason=reason,
xdm.event.type=cefName,
xdm.network.application_protocol=cs3,
xdm.network.http.url_category = if(cs5 contains "ABORTION", XDM_CONST.URL_CATEGORY_ABORTION, cs5 contains "DRUGS", XDM_CONST.URL_CATEGORY_ABUSED_DRUGS, cs5 contains "ADULT", XDM_CONST.URL_CATEGORY_ADULT, cs5 contains "ALCOHOL" or cs5 contains "TOBACCO", XDM_CONST.URL_CATEGORY_ALCOHOL_AND_TOBACCO, cs5 contains "AUCTIONS", XDM_CONST.URL_CATEGORY_AUCTIONS, cs5 contains "BUSINESS" or cs5 contains "ECONOMY", XDM_CONST.URL_CATEGORY_BUSINESS_AND_ECONOMY, cs5 contains "COMMAND AND CONTROL" or cs5 contains "C&C", XDM_CONST.URL_CATEGORY_COMMAND_AND_CONTROL, cs5 contains "COMPUTER" or cs5 contains "INTERNET", XDM_CONST.URL_CATEGORY_COMPUTER_AND_INTERNET_INFO, cs5 contains "CONTENT DELIVERY NETWORKS" or cs5 contains "CDN", XDM_CONST.URL_CATEGORY_CONTENT_DELIVERY_NETWORKS, cs5 contains "COPYRIGHT", XDM_CONST.URL_CATEGORY_COPYRIGHT_INFRINGEMENT, cs5 contains "CRYPTO", XDM_CONST.URL_CATEGORY_CRYPTOCURRENCY, cs5 contains "DATING", XDM_CONST.URL_CATEGORY_DATING, cs5 contains "DYNAMIC DNS", XDM_CONST.URL_CATEGORY_DYNAMIC_DNS, cs5 contains "EDUCATIONAL INSTITUTIONS", XDM_CONST.URL_CATEGORY_EDUCATIONAL_INSTITUTIONS, cs5 contains "ENTERTAINMENT" and cs5 contains "ARTS", XDM_CONST.URL_CATEGORY_ENTERTAINMENT_AND_ARTS, cs5 contains "EXTREMISM", XDM_CONST.URL_CATEGORY_EXTREMISM, cs5 contains "FINANCIAL" or cs5 contains "FINANCE", XDM_CONST.URL_CATEGORY_FINANCIAL_SERVICES, cs5 contains "GAMBLING", XDM_CONST.URL_CATEGORY_GAMBLING, cs5 contains "GAMES", XDM_CONST.URL_CATEGORY_GAMES, cs5 contains "GOVERNMENT", XDM_CONST.URL_CATEGORY_GOVERNMENT, cs5 contains "GRAYWARE", XDM_CONST.URL_CATEGORY_GRAYWARE, cs5 contains "HACKING", XDM_CONST.URL_CATEGORY_HACKING, cs5 contains "HEALTH" or cs5 contains "MEDICINE", XDM_CONST.URL_CATEGORY_HEALTH_AND_MEDICINE, cs5 contains "HOME" or cs5 contains "GARDEN", XDM_CONST.URL_CATEGORY_HOME_AND_GARDEN, cs5 contains "HUNTING" or cs5 contains "FISHING", XDM_CONST.URL_CATEGORY_HUNTING_AND_FISHING, cs5 contains "INSUFFICIENT CONTENT", XDM_CONST.URL_CATEGORY_INSUFFICIENT_CONTENT, cs5 contains "INTERNET COMMUNICATIONS" and cs5 contains "TELEPHONY", XDM_CONST.URL_CATEGORY_INTERNET_COMMUNICATIONS_AND_TELEPHONY, cs5 contains "PORTALS", XDM_CONST.URL_CATEGORY_INTERNET_PORTALS, cs5 contains "JOB", XDM_CONST.URL_CATEGORY_JOB_SEARCH, cs5 contains "LEGAL", XDM_CONST.URL_CATEGORY_LEGAL, cs5 contains "MALWARE", XDM_CONST.URL_CATEGORY_MALWARE, cs5 contains "MILITARY", XDM_CONST.URL_CATEGORY_MILITARY, cs5 contains "MOTOR VEHICLES", XDM_CONST.URL_CATEGORY_MOTOR_VEHICLES, cs5 contains "MUSIC", XDM_CONST.URL_CATEGORY_MUSIC, cs5 contains "DOMAIN" and cs5 contains "REGIST", XDM_CONST.URL_CATEGORY_NEWLY_REGISTERED_DOMAIN, cs5 contains "NEWS", XDM_CONST.URL_CATEGORY_NEWS, cs5 contains "NOT RESOLVED", XDM_CONST.URL_CATEGORY_NOT_RESOLVED, cs5 contains "NUDITY", XDM_CONST.URL_CATEGORY_NUDITY, cs5 contains "ONLINE STORAGE" and cs5 contains "BACKUP", XDM_CONST.URL_CATEGORY_ONLINE_STORAGE_AND_BACKUP, cs5 contains "PARKED", XDM_CONST.URL_CATEGORY_PARKED, cs5 contains "PEER TO PEER", XDM_CONST.URL_CATEGORY_PEER_TO_PEER, cs5 contains "PERSONAL SITES" or cs5 contains "BLOG", XDM_CONST.URL_CATEGORY_PERSONAL_SITES_AND_BLOGS, cs5 contains "PHILOSOPHY" or cs5 contains "POLITICAL ADVOCACY", XDM_CONST.URL_CATEGORY_PHILOSOPHY_AND_POLITICAL_ADVOCACY, cs5 contains "PHISHING", XDM_CONST.URL_CATEGORY_PHISHING, cs5 contains "PRIVATE IP ADDRESSES", XDM_CONST.URL_CATEGORY_PRIVATE_IP_ADDRESSES, cs5 contains "PROXY" or cs5 contains "ANONYMIZERS", XDM_CONST.URL_CATEGORY_PROXY_AVOIDANCE_AND_ANONYMIZERS, cs5 contains "QUESTIONABLE", XDM_CONST.URL_CATEGORY_QUESTIONABLE, cs5 contains "REAL ESTATE", XDM_CONST.URL_CATEGORY_REAL_ESTATE, cs5 contains "HOBBIES" or cs5 contains "RECREATION", XDM_CONST.URL_CATEGORY_RECREATION_AND_HOBBIES, cs5 contains "REFERENCE", XDM_CONST.URL_CATEGORY_REFERENCE_AND_RESEARCH, cs5 contains "RELIGION", XDM_CONST.URL_CATEGORY_RELIGION, cs5 contains "SEARCH ENGINES", XDM_CONST.URL_CATEGORY_SEARCH_ENGINES, cs5 contains "SEX EDUCATION", XDM_CONST.URL_CATEGORY_SEX_EDUCATION, cs5 contains "SHAREWARE" and cs5 contains "FREEWARE", XDM_CONST.URL_CATEGORY_SHAREWARE_AND_FREEWARE, cs5 contains "SHOPPING", XDM_CONST.URL_CATEGORY_SHOPPING, cs5 contains "SOCIAL_NETWORK", XDM_CONST.URL_CATEGORY_SOCIAL_NETWORKING, cs5 contains "SOCIETY", XDM_CONST.URL_CATEGORY_SOCIETY, cs5 contains "SPORTS", XDM_CONST.URL_CATEGORY_SPORTS, cs5 contains "STOCK", XDM_CONST.URL_CATEGORY_STOCK_ADVICE_AND_TOOLS, cs5 contains "MEDIA" and cs5 contains "STREAM", XDM_CONST.URL_CATEGORY_STREAMING_MEDIA, cs5 contains "INTIMATE APPAREL", XDM_CONST.URL_CATEGORY_SWIMSUITS_AND_INTIMATE_APPAREL, cs5 contains "TRAINING" and cs5 contains "Sport", XDM_CONST.URL_CATEGORY_TRAINING_AND_TOOLS, cs5 contains "TRANSLATION", XDM_CONST.URL_CATEGORY_TRANSLATION, cs5 contains "TRAVEL", XDM_CONST.URL_CATEGORY_TRAVEL, cs5 contains "UNKNOWN", XDM_CONST.URL_CATEGORY_UNKNOWN, cs5 contains "WEAPONS", XDM_CONST.URL_CATEGORY_WEAPONS, cs5 contains "ADVERTISING", XDM_CONST.URL_CATEGORY_WEB_ADVERTISEMENTS, cs5 contains "WEB HOST", XDM_CONST.URL_CATEGORY_WEB_HOSTING, cs5 contains "WEBMAIL", XDM_CONST.URL_CATEGORY_WEB_BASED_EMAIL, to_string(cs5)),
xdm.network.ip_protocol=if(proto="0",XDM_CONST.IP_PROTOCOL_HOPOPT, proto="1",XDM_CONST.IP_PROTOCOL_ICMP, proto="2",XDM_CONST.IP_PROTOCOL_IGMP, proto="3",XDM_CONST.IP_PROTOCOL_GGP, proto="4",XDM_CONST.IP_PROTOCOL_IP, proto="5",XDM_CONST.IP_PROTOCOL_ST, proto="6",XDM_CONST.IP_PROTOCOL_TCP, proto="7",XDM_CONST.IP_PROTOCOL_CBT, proto="8",XDM_CONST.IP_PROTOCOL_EGP, proto="9",XDM_CONST.IP_PROTOCOL_IGP, proto="10",XDM_CONST.IP_PROTOCOL_BBN_RCC_MON, proto="11",XDM_CONST.IP_PROTOCOL_NVP_II, proto="12",XDM_CONST.IP_PROTOCOL_PUP, proto="13",XDM_CONST.IP_PROTOCOL_ARGUS, proto="14",XDM_CONST.IP_PROTOCOL_EMCON, proto="15",XDM_CONST.IP_PROTOCOL_XNET, proto="16",XDM_CONST.IP_PROTOCOL_CHAOS, proto="17",XDM_CONST.IP_PROTOCOL_UDP, proto="18",XDM_CONST.IP_PROTOCOL_MUX, proto="19",XDM_CONST.IP_PROTOCOL_DCN_MEAS, proto="20",XDM_CONST.IP_PROTOCOL_HMP, proto="21",XDM_CONST.IP_PROTOCOL_PRM, proto="22",XDM_CONST.IP_PROTOCOL_XNS_IDP, proto="23",XDM_CONST.IP_PROTOCOL_TRUNK_1, proto="24",XDM_CONST.IP_PROTOCOL_TRUNK_2, proto="25",XDM_CONST.IP_PROTOCOL_LEAF_1, proto="26",XDM_CONST.IP_PROTOCOL_LEAF_2, proto="27",XDM_CONST.IP_PROTOCOL_RDP, proto="28",XDM_CONST.IP_PROTOCOL_IRTP, proto="29",XDM_CONST.IP_PROTOCOL_ISO_TP4, proto="30",XDM_CONST.IP_PROTOCOL_NETBLT, proto="31",XDM_CONST.IP_PROTOCOL_MFE_NSP, proto="32",XDM_CONST.IP_PROTOCOL_MERIT_INP, proto="33",XDM_CONST.IP_PROTOCOL_DCCP, proto="34",XDM_CONST.IP_PROTOCOL_3PC, proto="35",XDM_CONST.IP_PROTOCOL_IDPR, proto="36",XDM_CONST.IP_PROTOCOL_XTP, proto="37",XDM_CONST.IP_PROTOCOL_DDP, proto="38",XDM_CONST.IP_PROTOCOL_IDPR_CMTP, proto="39",XDM_CONST.IP_PROTOCOL_TP, proto="40",XDM_CONST.IP_PROTOCOL_IL, proto="41",XDM_CONST.IP_PROTOCOL_IPV6, proto="42",XDM_CONST.IP_PROTOCOL_SDRP, proto="43",XDM_CONST.IP_PROTOCOL_IPV6_ROUTE, proto="44",XDM_CONST.IP_PROTOCOL_IPV6_FRAG, proto="45",XDM_CONST.IP_PROTOCOL_IDRP, proto="46",XDM_CONST.IP_PROTOCOL_RSVP, proto="47",XDM_CONST.IP_PROTOCOL_GRE, proto="48",XDM_CONST.IP_PROTOCOL_DSR, proto="49",XDM_CONST.IP_PROTOCOL_BNA, proto="50",XDM_CONST.IP_PROTOCOL_ESP, proto="51",XDM_CONST.IP_PROTOCOL_AH, proto="52",XDM_CONST.IP_PROTOCOL_I_NLSP, proto="53",XDM_CONST.IP_PROTOCOL_SWIPE, proto="54",XDM_CONST.IP_PROTOCOL_NARP, proto="55",XDM_CONST.IP_PROTOCOL_MOBILE, proto="56",XDM_CONST.IP_PROTOCOL_TLSP, proto="57",XDM_CONST.IP_PROTOCOL_SKIP, proto="58",XDM_CONST.IP_PROTOCOL_IPV6_ICMP, proto="59",XDM_CONST.IP_PROTOCOL_IPV6_NONXT, proto="60",XDM_CONST.IP_PROTOCOL_IPV6_OPTS, proto="62",XDM_CONST.IP_PROTOCOL_CFTP, proto="64",XDM_CONST.IP_PROTOCOL_SAT_EXPAK, proto="65",XDM_CONST.IP_PROTOCOL_KRYPTOLAN, proto="66",XDM_CONST.IP_PROTOCOL_RVD, proto="67",XDM_CONST.IP_PROTOCOL_IPPC, proto="69",XDM_CONST.IP_PROTOCOL_SAT_MON, proto="70",XDM_CONST.IP_PROTOCOL_VISA, proto="71",XDM_CONST.IP_PROTOCOL_IPCV, proto="72",XDM_CONST.IP_PROTOCOL_CPNX, proto="73",XDM_CONST.IP_PROTOCOL_CPHB, proto="74",XDM_CONST.IP_PROTOCOL_WSN, proto="75",XDM_CONST.IP_PROTOCOL_PVP, proto="76",XDM_CONST.IP_PROTOCOL_BR_SAT_MON, proto="77",XDM_CONST.IP_PROTOCOL_SUN_ND, proto="78",XDM_CONST.IP_PROTOCOL_WB_MON, proto="79",XDM_CONST.IP_PROTOCOL_WB_EXPAK, proto="80",XDM_CONST.IP_PROTOCOL_ISO_IP, proto="81",XDM_CONST.IP_PROTOCOL_VMTP, proto="82",XDM_CONST.IP_PROTOCOL_SECURE_VMTP, proto="83",XDM_CONST.IP_PROTOCOL_VINES, proto="84",XDM_CONST.IP_PROTOCOL_TTP, proto="85",XDM_CONST.IP_PROTOCOL_NSFNET_IGP, proto="86",XDM_CONST.IP_PROTOCOL_DGP, proto="87",XDM_CONST.IP_PROTOCOL_TCF, proto="88",XDM_CONST.IP_PROTOCOL_EIGRP, proto="89",XDM_CONST.IP_PROTOCOL_OSPFIGP, proto="90",XDM_CONST.IP_PROTOCOL_SPRITE_RPC, proto="91",XDM_CONST.IP_PROTOCOL_LARP, proto="92",XDM_CONST.IP_PROTOCOL_MTP, proto="93",XDM_CONST.IP_PROTOCOL_AX25, proto="94",XDM_CONST.IP_PROTOCOL_IPIP, proto="95",XDM_CONST.IP_PROTOCOL_MICP, proto="96",XDM_CONST.IP_PROTOCOL_SCC_SP, proto="97",XDM_CONST.IP_PROTOCOL_ETHERIP, proto="98",XDM_CONST.IP_PROTOCOL_ENCAP, proto="100",XDM_CONST.IP_PROTOCOL_GMTP, proto="101",XDM_CONST.IP_PROTOCOL_IFMP, proto="102",XDM_CONST.IP_PROTOCOL_PNNI, proto="103",XDM_CONST.IP_PROTOCOL_PIM, proto="104",XDM_CONST.IP_PROTOCOL_ARIS, proto="105",XDM_CONST.IP_PROTOCOL_SCPS, proto="106",XDM_CONST.IP_PROTOCOL_QNX, proto="107",XDM_CONST.IP_PROTOCOL_AN, proto="108",XDM_CONST.IP_PROTOCOL_IPCOMP, proto="109",XDM_CONST.IP_PROTOCOL_SNP, proto="110",XDM_CONST.IP_PROTOCOL_COMPAQ_PEER, proto="111",XDM_CONST.IP_PROTOCOL_IPX_IN_IP, proto="112",XDM_CONST.IP_PROTOCOL_VRRP, proto="113",XDM_CONST.IP_PROTOCOL_PGM, proto="115",XDM_CONST.IP_PROTOCOL_L2TP, proto="116",XDM_CONST.IP_PROTOCOL_DDX, proto="117",XDM_CONST.IP_PROTOCOL_IATP, proto="118",XDM_CONST.IP_PROTOCOL_STP, proto="119",XDM_CONST.IP_PROTOCOL_SRP, proto="120",XDM_CONST.IP_PROTOCOL_UTI, proto="121",XDM_CONST.IP_PROTOCOL_SMP, proto="122",XDM_CONST.IP_PROTOCOL_SM, proto="123",XDM_CONST.IP_PROTOCOL_PTP, proto="124",XDM_CONST.IP_PROTOCOL_ISIS, proto="125",XDM_CONST.IP_PROTOCOL_FIRE, proto="126",XDM_CONST.IP_PROTOCOL_CRTP, proto="127",XDM_CONST.IP_PROTOCOL_CRUDP, proto="128",XDM_CONST.IP_PROTOCOL_SSCOPMCE, proto="129",XDM_CONST.IP_PROTOCOL_IPLT, proto="130",XDM_CONST.IP_PROTOCOL_SPS, proto="131",XDM_CONST.IP_PROTOCOL_PIPE, proto="132",XDM_CONST.IP_PROTOCOL_SCTP, proto="133",XDM_CONST.IP_PROTOCOL_FC, proto="134",XDM_CONST.IP_PROTOCOL_RSVP_E2E_IGNORE, proto="135",XDM_CONST.IP_PROTOCOL_MOBILITY, proto="136",XDM_CONST.IP_PROTOCOL_UDPLITE, proto="137",XDM_CONST.IP_PROTOCOL_MPLS_IN_IP, proto="138",XDM_CONST.IP_PROTOCOL_MANET, proto="139",XDM_CONST.IP_PROTOCOL_HIP, proto="140",XDM_CONST.IP_PROTOCOL_SHIM6, proto="141",XDM_CONST.IP_PROTOCOL_WESP, proto="142",XDM_CONST.IP_PROTOCOL_ROHC, proto="255",XDM_CONST.IP_PROTOCOL_RESERVED,to_string(proto)),
xdm.network.rule=cs2,
xdm.observer.action=act,
xdm.observer.content_version=cefVersion,
xdm.source.host.ipv4_addresses=if(is_ipv4(sourceTranslatedAddress) = TRUE, arraycreate(sourceTranslatedAddress)),
xdm.source.ipv4=if(is_ipv4(src) = TRUE, src),
xdm.source.port=to_integer(spt),
xdm.source.sent_bytes=to_integer(out),
xdm.source.user.groups=arraycreate(spriv),
xdm.source.user.username=suser,
xdm.target.host.ipv4_addresses=if(is_ipv4(destinationTranslatedAddress) = TRUE, arraycreate(destinationTranslatedAddress)),
xdm.target.ipv4=if(is_ipv4(dst) = TRUE, dst),
xdm.target.location.country=destCountry,
xdm.target.port=to_integer(dpt),
xdm.target.sent_bytes=to_integer(`in`);
/* ---------------------------------
Cloud NSS Modeling (JSON Records)
--------------------------------*/
[MODEL: dataset="zscaler_cloudnss_raw"]
/* --------------------------------------------------------------------------------
Cloud NSS DNS Logs (https://help.zscaler.com/zia/nss-feed-output-format-dns-logs)
-------------------------------------------------------------------------------*/
filter sourcetype = "zscalernss-dns"
| alter // extract data
user = _raw_log -> user, // The login name in email address format
department = _raw_log -> department, // the user's department
location = replace(_raw_log -> location, "%20", " "), // The gateway location or sub-location of the source
reqaction = _raw_log -> reqaction, // The name of the action that was applied to the DNS request
resaction = _raw_log -> resaction, // The name of the action that was applied to the DNS response
reqrulelabel = _raw_log -> reqrulelabel, // The name of the rule that was applied to the DNS request
resrulelabel = _raw_log -> resrulelabel, // The name of the rule that was applied to the DNS response
dns_reqtype = _raw_log -> dns_reqtype, // The DNS request type
dns_req = _raw_log -> dns_req, // The Fully Qualified Domain Name (FQDN) in the DNS request
dns_resp = _raw_log -> dns_resp, // The name of the rule that was applied to the DNS response
srv_dport = to_integer(_raw_log -> srv_dport), // The server port of the request
durationms = to_integer(_raw_log -> durationms), // The duration of the DNS request in milliseconds
clt_sip = _raw_log -> clt_sip, // The IP address of the user. This can be the internal IP address if it is visible (e.g., traffic sent through a GRE tunnel or an internal IP address indicated using XFF). Otherwise, it's the client's internet (NATed Public) IP address.
srv_dip = _raw_log -> srv_dip, // The server IP address of the request
category = coalesce(_raw_log -> category, _raw_log -> domcat), // The URL Category of the FQDN in the DNS request
respipcategory = _raw_log -> respipcategory, // The URL Category of the FQDN in the DNS response
deviceowner = _raw_log -> deviceowner, // The owner of the device
devicehostname = _raw_log -> devicehostname // The host name of the device
| alter // post extraction processing
normalized_dns_record_type = if(dns_reqtype = "A", XDM_CONST.DNS_RECORD_TYPE_A, dns_reqtype = "AAAA", XDM_CONST.DNS_RECORD_TYPE_AAAA, dns_reqtype = "AFSDB", XDM_CONST.DNS_RECORD_TYPE_AFSDB, dns_reqtype = "APL", XDM_CONST.DNS_RECORD_TYPE_APL, dns_reqtype = "CAA", XDM_CONST.DNS_RECORD_TYPE_CAA, dns_reqtype = "CDNSKEY", XDM_CONST.DNS_RECORD_TYPE_CDNSKEY, dns_reqtype = "CDS", XDM_CONST.DNS_RECORD_TYPE_CDS, dns_reqtype = "CERT", XDM_CONST.DNS_RECORD_TYPE_CERT, dns_reqtype = "CNAME", XDM_CONST.DNS_RECORD_TYPE_CNAME, dns_reqtype = "CSYNC", XDM_CONST.DNS_RECORD_TYPE_CSYNC, dns_reqtype = "DHCID", XDM_CONST.DNS_RECORD_TYPE_DHCID, dns_reqtype = "DLV", XDM_CONST.DNS_RECORD_TYPE_DLV, dns_reqtype = "DNAME", XDM_CONST.DNS_RECORD_TYPE_DNAME, dns_reqtype = "DNSKEY", XDM_CONST.DNS_RECORD_TYPE_DNSKEY, dns_reqtype = "DS", XDM_CONST.DNS_RECORD_TYPE_DS, dns_reqtype = "EUI48", XDM_CONST.DNS_RECORD_TYPE_EUI48, dns_reqtype = "EUI64", XDM_CONST.DNS_RECORD_TYPE_EUI64, dns_reqtype = "HINFO", XDM_CONST.DNS_RECORD_TYPE_HINFO, dns_reqtype = "HIP", XDM_CONST.DNS_RECORD_TYPE_HIP, dns_reqtype = "HTTPS", XDM_CONST.DNS_RECORD_TYPE_HTTPS, dns_reqtype = "IPSECKEY", XDM_CONST.DNS_RECORD_TYPE_IPSECKEY, dns_reqtype = "KEY", XDM_CONST.DNS_RECORD_TYPE_KEY, dns_reqtype = "KX", XDM_CONST.DNS_RECORD_TYPE_KX, dns_reqtype = "LOC", XDM_CONST.DNS_RECORD_TYPE_LOC, dns_reqtype = "MX", XDM_CONST.DNS_RECORD_TYPE_MX, dns_reqtype = "NAPTR", XDM_CONST.DNS_RECORD_TYPE_NAPTR, dns_reqtype = "NS", XDM_CONST.DNS_RECORD_TYPE_NS, dns_reqtype = "NSEC", XDM_CONST.DNS_RECORD_TYPE_NSEC, dns_reqtype = "NSEC3", XDM_CONST.DNS_RECORD_TYPE_NSEC3, dns_reqtype = "NSEC3PARAM", XDM_CONST.DNS_RECORD_TYPE_NSEC3PARAM, dns_reqtype = "OPENPGPKEY", XDM_CONST.DNS_RECORD_TYPE_OPENPGPKEY, dns_reqtype = "PTR", XDM_CONST.DNS_RECORD_TYPE_PTR, dns_reqtype = "RRSIG", XDM_CONST.DNS_RECORD_TYPE_RRSIG, dns_reqtype = "RP", XDM_CONST.DNS_RECORD_TYPE_RP, dns_reqtype = "SIG", XDM_CONST.DNS_RECORD_TYPE_SIG, dns_reqtype = "SMIMEA", XDM_CONST.DNS_RECORD_TYPE_SMIMEA, dns_reqtype = "SOA", XDM_CONST.DNS_RECORD_TYPE_SOA, dns_reqtype = "SRV", XDM_CONST.DNS_RECORD_TYPE_SRV, dns_reqtype = "SSHFP", XDM_CONST.DNS_RECORD_TYPE_SSHFP, dns_reqtype = "SVCB", XDM_CONST.DNS_RECORD_TYPE_SVCB, dns_reqtype = "TA", XDM_CONST.DNS_RECORD_TYPE_TA, dns_reqtype = "TKEY", XDM_CONST.DNS_RECORD_TYPE_TKEY, dns_reqtype = "TLSA", XDM_CONST.DNS_RECORD_TYPE_TLSA, dns_reqtype = "TSIG", XDM_CONST.DNS_RECORD_TYPE_TSIG, dns_reqtype = "TXT", XDM_CONST.DNS_RECORD_TYPE_TXT, dns_reqtype = "URI", XDM_CONST.DNS_RECORD_TYPE_URI, dns_reqtype = "ZONEMD", XDM_CONST.DNS_RECORD_TYPE_ZONEMD, dns_reqtype),
client_ipv4 = if(clt_sip ~= "\.", clt_sip),
client_ipv6 = if(clt_sip ~= "\:", clt_sip),
server_ipv4 = if(srv_dip ~= "\.", srv_dip),
server_ipv6 = if(srv_dip ~= "\:", srv_dip),
url_category = coalesce(respipcategory, category)
| call zscaler_nss_map_url_category // map url category to enum values
| alter // XDM mapping
xdm.event.duration = durationms,
xdm.event.outcome = if(reqaction ~= "(?i)BLOC", XDM_CONST.OUTCOME_FAILED, resaction ~= "(?i)ALLOW", XDM_CONST.OUTCOME_SUCCESS, reqaction ~= "(?i)ALLOW" and resaction ~= "(?i)BLOC", XDM_CONST.OUTCOME_PARTIAL),
xdm.event.type = sourcetype,
xdm.network.dns.dns_question.name = dns_req,
xdm.network.dns.dns_question.type = normalized_dns_record_type,
xdm.network.dns.dns_resource_record.name = dns_req,
xdm.network.dns.dns_resource_record.type = normalized_dns_record_type,
xdm.network.dns.dns_resource_record.value = dns_resp,
xdm.network.dns.response_code = if(dns_resp = "NOERROR", XDM_CONST.DNS_RESPONSE_CODE_NO_ERROR, dns_resp = "FORMERR", XDM_CONST.DNS_RESPONSE_CODE_FORMAT_ERROR, dns_resp = "SERVFAIL", XDM_CONST.DNS_RESPONSE_CODE_SERVER_FAILURE, dns_resp = "NXDOMAIN", XDM_CONST.DNS_RESPONSE_CODE_NON_EXISTENT_DOMAIN, dns_resp = "NOTIMP", XDM_CONST.DNS_RESPONSE_CODE_NOT_IMPLEMENTED, dns_resp ~= "REFUSED", XDM_CONST.DNS_RESPONSE_CODE_QUERY_REFUSED, dns_resp ~= "YXDOMAIN", XDM_CONST.DNS_RESPONSE_CODE_NAME_EXISTS_WHEN_IT_SHOULD_NOT, dns_resp = "YXRRSET", XDM_CONST.DNS_RESPONSE_CODE_RR_SET_EXISTS_WHEN_IT_SHOULD_NOT, dns_resp = "NXRRSET", XDM_CONST.DNS_RESPONSE_CODE_RR_SET_THAT_SHOULD_EXIST_DOES_NOT, dns_resp = "NOTAUTH", XDM_CONST.DNS_RESPONSE_CODE_SERVER_NOT_AUTHORITATIVE_FOR_ZONE, dns_resp = "NOTZONE", XDM_CONST.DNS_RESPONSE_CODE_NAME_NOT_CONTAINED_IN_ZONE, dns_resp = "BADVERS", XDM_CONST.DNS_RESPONSE_CODE_BAD_OPT_VERSION, dns_resp = "BADSIG", XDM_CONST.DNS_RESPONSE_CODE_TSIG_SIGNATURE_FAILURE, dns_resp = "BADKEY", XDM_CONST.DNS_RESPONSE_CODE_KEY_NOT_RECOGNIZED, dns_resp = "BADTIME", XDM_CONST.DNS_RESPONSE_CODE_SIGNATURE_OUT_OF_TIME_WINDOW, dns_resp = "BADMODE", XDM_CONST.DNS_RESPONSE_CODE_BAD_TKEY_MODE, dns_resp = "BADNAME", XDM_CONST.DNS_RESPONSE_CODE_DUPLICATE_KEY_NAME, dns_resp = "BADALG", XDM_CONST.DNS_RESPONSE_CODE_ALGORITHM_NOT_SUPPORTED, dns_resp = "BADTRUNC", XDM_CONST.DNS_RESPONSE_CODE_BAD_TRUNCATION, dns_resp ~= "[A-Z_]+", dns_resp, dns_resp ~= "[\.\:]+", XDM_CONST.DNS_RESPONSE_CODE_NO_ERROR),
xdm.network.rule = arraystring(arrayfilter(arraydistinct(arraycreate(reqrulelabel, resrulelabel)), "@element" != "None"), ";"),
xdm.observer.action = resaction,
xdm.observer.name = location,
xdm.source.host.hostname = devicehostname,
xdm.source.host.ipv4_addresses = if(client_ipv4 != null, arraycreate(client_ipv4)),
xdm.source.host.ipv6_addresses = if(client_ipv6 != null, arraycreate(client_ipv6)),
xdm.source.ipv4 = client_ipv4,
xdm.source.ipv6 = client_ipv6,
xdm.source.user.ou = department,
xdm.source.user.username = coalesce(user, deviceowner),
xdm.target.host.ipv4_addresses = if(server_ipv4 != null, arraycreate(server_ipv4)),
xdm.target.host.ipv6_addresses = if(server_ipv6 != null, arraycreate(server_ipv6)),
xdm.target.ipv4 = server_ipv4,
xdm.target.ipv6 = server_ipv6,
xdm.target.port = srv_dport;
/* ------------------------------------------------------------------------------------------------
Cloud NSS Admin Audit Logs (https://help.zscaler.com/zia/nss-feed-output-format-admin-audit-logs)
-----------------------------------------------------------------------------------------------*/
filter sourcetype = "zscalernss-audit"
| alter // extract data
action = _raw_log -> action, // The action performed by the admin in the ZIA Admin Portal
adminid = _raw_log -> adminid, // The admin's login ID
auditlogtype = _raw_log -> auditlogtype, // The Admin Audit log type
clientip = _raw_log -> clientip, // The source IP address for the admin
errorcode = _raw_log -> errorcode, // An optional field that exists only if the result is a failure
preaction = _raw_log -> preaction, // Data before any policy or configuration changes
postaction = _raw_log -> postaction, // Data after any policy or configuration changes
recordid = _raw_log -> recordid, // The unique record identifier for each log
resource = _raw_log -> resource, // The specific location within a sub-category
result = _raw_log -> result // The outcome of an action
| alter // post extraction processing
adminid_domain = arrayindex(regextract(adminid, "@(.+)$"), -1),
client_ipv4 = if(clientip ~= "\.", clientip),
client_ipv6 = if(clientip ~= "\:", clientip)
| alter // XDM Mappings
xdm.event.id = to_string(recordid),
xdm.event.operation_sub_type = action,
xdm.event.outcome = if(result = "SUCCESS", XDM_CONST.OUTCOME_SUCCESS, result ~= "FAIL" or (errorcode != null and errorcode != "" and errorcode != "None"), XDM_CONST.OUTCOME_FAILED, to_string(result)),
xdm.event.outcome_reason = if(errorcode != "None", errorcode),
xdm.event.type = sourcetype,
xdm.source.application.name = auditlogtype,
xdm.source.host.ipv4_addresses = if(client_ipv4 != null, arraycreate(client_ipv4)),
xdm.source.host.ipv6_addresses = if(client_ipv6 != null, arraycreate(client_ipv6)),
xdm.source.ipv4 = client_ipv4,
xdm.source.ipv6 = client_ipv6,
xdm.source.user.domain = adminid_domain,
xdm.source.user.username = adminid,
xdm.target.resource.type = resource,
xdm.target.resource_before.value = coalesce(to_json_string(preaction), to_string(preaction)),
xdm.target.resource.value = coalesce(to_json_string(postaction), to_string(postaction));
/* --------------------------------------------------------------------------------
Cloud NSS Web Logs (https://help.zscaler.com/zia/nss-feed-output-format-web-logs)
-------------------------------------------------------------------------------*/
filter sourcetype = "zscalernss-web"
| alter // extract data
application_protocol = coalesce(_raw_log -> protocol, _raw_log -> proto), // The protocol type of the transaction
client_device_hostname = _raw_log -> devicehostname,// The hostname of the device
client_ip = coalesce(_raw_log -> ClientIP, _raw_log -> cip), // The IP address of the user. It can be the internal IP address if it's visible (e.g., traffic sent through a GRE tunnel or an internal IP address indicated using XFF). Otherwise, same as %s{cintip}.
client_public_ip = coalesce(_raw_log -> clientpublicIP, _raw_log -> cpubip), // The client public IP address
client_source_port = to_integer(_raw_log -> clt_sport), // The client source port
client_tls_version = _raw_log -> clienttlsversion, // The TLS version used for communication between the client and Zscaler
cloud_application_name = _raw_log -> appname, // The name of the cloud application
device_os_type = _raw_log -> deviceostype, // The OS type of the device
device_os_version = _raw_log -> deviceosversion, // The OS version the device uses
dlp_incident_id = to_string(_raw_log -> dlpidentifier), // The unique identifier of the DLP incident
dlp_rule_name = _raw_log -> dlprulename, // The name of the DLP rule applied to the transaction. Applies only to Allow rules, not Block.
event_id = to_string(coalesce(_raw_log -> event_id, _raw_log -> recordid)), // The unique record identifier for each log
external_device_id = _raw_log -> external_devid, // The external device ID that associates a user’s device with the mobile device management (MDM) solution
file_scannable_type = _raw_log -> filetype, // The type of file downloaded during the transaction
file_unscannable_type = _raw_log -> unscannabletype, // The unscannable file type: Encrypted or password-protected (e.g., GZIP, PDF) Unscannable (e.g., corrupt archive) Undetectable (unable to determine the file type, based on multiple methods)
gateway_location_name = replace(_raw_log -> location, "%20", " "), // The gateway location or sub-location of the source.
gateway_ip = _raw_log -> fwd_gw_ip, // The IP address of the gateway used
http_content_type = _raw_log -> contenttype, // The name of the content type
http_host = coalesce(_raw_log -> hostname, _raw_log -> host), // The destination hostname. If present, the host value in the HTTP request line populates this field. If the host value in the HTTP request line is not present, the host header is used.
http_referer = coalesce(_raw_log -> refererURL, _raw_log -> referer), // The HTTP referer URL
http_method = coalesce(_raw_log -> requestmethod, _raw_log -> reqmethod), // The HTTP request method
http_request_size = to_integer(coalesce(_raw_log -> requestsize, _raw_log -> reqdatasize)), // The size of the HTTP request payload, excluding the headers, in bytes
http_status = coalesce(_raw_log -> status, _raw_log -> respcode), // The HTTP response code sent to the client. The service generates a 403-Forbidden response for blocked transactions.
http_response_size = to_integer(coalesce(_raw_log -> responsesize, _raw_log -> respdatasize)), // The size of the HTTP response payload, excluding the headers, in bytes
http_url = _raw_log -> url, // The destination URL. It excludes the protocol identifier (e.g., http:// or https://).
http_user_agent = replace(coalesce(_raw_log -> useragent, _raw_log -> ua), "%20", " "), // The full user agent string for both known and unknown agents. The user agent string contains browser and system information that the destination server can use to provide appropriate content.
policy_action = _raw_log -> action, // The action that the service took on the transaction
policy_application_rule = _raw_log -> apprulelabel, // The name of the rule that was applied to the application
policy_reason = _raw_log -> reason, // The action that the service took and the policy that was applied, if the transaction was blocked
policy_redirect_rule = _raw_log -> rdr_rulename, // The name of the redirect/forwarding policy
policy_transaction_rule = _raw_log -> rulelabel, // The name of the rule that was applied to the transaction. Applies only to Block rules, not Allow.
policy_url_filter_rule = _raw_log -> urlfilterrulelabel, // The name of the rule that was applied to the URL filter
sandbox_file_md5 = _raw_log -> bamd5, // The MD5 hash of the malware file that was detected in the transaction, or the MD5 of the file that was sent for analysis to the Sandbox engine
sandbox_file_sha256 = _raw_log -> ["sha256"], // The hash of identical files
server_ip = coalesce(_raw_log -> serverip, _raw_log -> sip), // The destination server IP address. This displays 0.0.0.0 if the request was blocked.
server_tls_version = _raw_log -> srvtlsversion, // The TLS/SSL version used for communication between the ZIA Public Service Edge and the server
threat_category = coalesce(_raw_log -> threatcategory, _raw_log -> malwarecat), // Adware, Benign, Trojan, Sandbox Adware, Sandbox Anonymizer, Sandbox Malware The full list is under the Threat Category filter on the Web Insights page (Analytics > Web Insights).The Threat Category Sent for Analysis is equivalent to “Submitted to Sandbox” in the SIEM output. Additionally, Other Virus is equivalent to "Virus" for backward compatibility.
threat_name = _raw_log -> threatname, // The name of the threat that was detected in the transaction, if any
threat_severity = _raw_log -> threatseverity, // The severity of the threat that was detected in the transaction, if any. The severity relates to the Page Risk Index score. For example, if the value of %d{riskscore} is between 90 and 100, then the value of %s{threatseverity} is Critical. Scale is: Critical (90–100) High (75–89) Medium (46–74) Low (1–45) None (0).
url_sub_category = coalesce(_raw_log -> urlcategory, _raw_log -> urlcat), // The category of the destination URL
url_super_category = coalesce(_raw_log -> urlsupercategory, _raw_log -> urlsupercat), // The super category of the destination URL
user = coalesce(_raw_log -> user, _raw_log -> login), // The user's login name in email address format
user_department = replace(coalesce(_raw_log -> department, _raw_log -> dept), "%20", " ") // The department of the user
| alter // post extraction processing
client_ipv4 = if(client_ip ~= "\.", client_ip),
client_ipv6 = if(client_ip ~= ":", client_ip),
client_public_ipv4 = if(client_public_ip ~= "\.", client_public_ip),
client_public_ipv6 = if(client_public_ip ~= ":", client_public_ip),
gateway_ipv4 = if(gateway_ip ~= "\.", gateway_ip),
gateway_ipv6 = if(gateway_ip ~= "\.", gateway_ip),
server_ipv4 = if(server_ip ~= "\.", server_ip),
server_ipv6 = if(server_ip ~= ":", server_ip),
url_category = if(url_super_category != "User-defined", url_super_category, url_sub_category),
user_domain = arrayindex(regextract(user, "@(.+)$"), 0),
device_os = arraystring(arraycreate(device_os_type, device_os_version), " "),
os_upper = uppercase(device_os_type)
| call zscaler_nss_map_url_category // map url category
| alter // XDM mapping
xdm.alert.original_alert_id = dlp_incident_id,
xdm.alert.original_threat_name = if(threat_name != "None", threat_name),
xdm.alert.severity = threat_severity,
xdm.alert.subcategory = if(threat_category != "None", threat_category),
xdm.event.id = event_id,
xdm.event.outcome = if(policy_action ~= "(?i)Allowed", XDM_CONST.OUTCOME_SUCCESS, policy_action ~= "(?i)Blocked", XDM_CONST.OUTCOME_FAILED, policy_action),
xdm.event.outcome_reason = policy_reason,
xdm.event.type = sourcetype,
xdm.intermediate.host.hostname = gateway_location_name,
xdm.intermediate.host.ipv4_addresses = if(gateway_ipv4 != null, arraycreate(gateway_ipv4)),
xdm.intermediate.host.ipv6_addresses = if(gateway_ipv6 != null, arraycreate(gateway_ipv6)),
xdm.intermediate.ipv4 = gateway_ipv4,
xdm.intermediate.ipv6 = gateway_ipv6,
xdm.network.application_protocol = application_protocol,
xdm.network.http.content_type = http_content_type,
xdm.network.http.domain = http_host,
xdm.network.http.method = if(http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "POST", XDM_CONST.HTTP_METHOD_POST,http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_method)),
xdm.network.http.referrer = if(http_referer != "None", http_referer),
xdm.network.http.response_code = if(http_status = "200", XDM_CONST.HTTP_RSP_CODE_OK, http_status = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, http_status = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, http_status = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_status = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_status = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_status = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_status = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_status = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_status = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_status = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_status = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_status = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_status = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_status = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_status = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_status = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_status = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_status = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_status = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_status = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_status = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_status = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_status = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_status = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_status = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_status = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_status = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, http_status = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_status = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_status = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_status = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_status = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_status = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_status = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_status = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_status = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_status = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_status = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_status = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_status = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_status = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_status = "410", XDM_CONST.HTTP_RSP_CODE_GONE, http_status = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_status = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_status = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_status = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_status = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_status = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_status = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_status = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_status = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_status = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, http_status = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_status = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_status = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_status = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_status = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_status = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_status = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, http_status),
xdm.network.http.url = http_url,
xdm.network.rule = arraystring(arrayfilter(arraycreate(policy_transaction_rule, policy_application_rule, policy_redirect_rule, policy_url_filter_rule, dlp_rule_name), "@element" != "None"), " "),
xdm.network.tls.protocol_version = arraystring(arraydistinct(arraycreate(client_tls_version, server_tls_version)), ","),
xdm.observer.action = policy_action,
xdm.observer.name = gateway_location_name,
xdm.source.host.device_id = external_device_id,
xdm.source.ipv4 = client_ipv4,
xdm.source.ipv6 = client_ipv6,
xdm.source.host.os = device_os,
xdm.source.host.os_family = if(os_upper contains "WINDOWS", XDM_CONST.OS_FAMILY_WINDOWS, os_upper contains "MAC", XDM_CONST.OS_FAMILY_MACOS, os_upper contains "LINUX", XDM_CONST.OS_FAMILY_LINUX, os_upper contains "ANDROID", XDM_CONST.OS_FAMILY_ANDROID, os_upper contains "IOS", XDM_CONST.OS_FAMILY_IOS, os_upper contains "UBUNTU", XDM_CONST.OS_FAMILY_UBUNTU, os_upper contains "DEBIAN", XDM_CONST.OS_FAMILY_DEBIAN, os_upper contains "FEDORA", XDM_CONST.OS_FAMILY_FEDORA, os_upper contains "CENTOS", XDM_CONST.OS_FAMILY_CENTOS, os_upper contains "CHROME", XDM_CONST.OS_FAMILY_CHROMEOS, os_upper contains "SOLARIS", XDM_CONST.OS_FAMILY_SOLARIS, os_upper contains "SCADA", XDM_CONST.OS_FAMILY_SCADA, os_upper),
xdm.source.host.hostname = client_device_hostname,
xdm.source.host.ipv4_addresses = arraydistinct(arraycreate(client_ipv4, client_public_ipv4)),
xdm.source.host.ipv4_public_addresses = arraycreate(client_public_ipv4),
xdm.source.host.ipv6_addresses = arraydistinct(arraycreate(client_ipv6, client_public_ipv6)),
xdm.source.host.ipv6_public_addresses = arraycreate(client_public_ipv6),
xdm.source.port = client_source_port,
xdm.source.sent_bytes = http_request_size,
xdm.source.user_agent = if(http_user_agent != "Unkown", http_user_agent),
xdm.source.user.domain = user_domain,
xdm.source.user.ou = user_department,
xdm.source.user.username = user,
xdm.target.application.name = cloud_application_name,
xdm.target.file.file_type = arraystring(arraydistinct(arrayfilter(arraycreate(file_scannable_type, file_unscannable_type), "@element" != "None")), ","),
xdm.target.file.md5 = sandbox_file_md5,
xdm.target.file.sha256 = sandbox_file_sha256,
xdm.target.host.ipv4_addresses = arraycreate(server_ipv4),
xdm.target.host.ipv4_public_addresses = arraycreate(server_ipv4),
xdm.target.host.ipv6_addresses = arraycreate(server_ipv6),
xdm.target.host.ipv6_public_addresses = arraycreate(server_ipv6),
xdm.target.ipv4 = server_ipv4,
xdm.target.ipv6 = server_ipv6,
xdm.target.sent_bytes = http_response_size,
xdm.target.url = http_url;
/* -------------------------------------------------------------------------------------
Cloud NSS FW Logs (https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs)
------------------------------------------------------------------------------------*/
filter sourcetype ="zscalernss-fw"
| alter src_ipv4 = if(_raw_log -> csip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", _raw_log -> csip, null),
dest_ipv4 = if(_raw_log -> cdip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", _raw_log -> cdip, null),
src_ipv6 = if(_raw_log -> csip ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", _raw_log -> csip, null),
dest_ipv6 = if(_raw_log -> cdip ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", _raw_log -> cdip, null),
proto = uppercase(_raw_log -> proto),
url_category = uppercase(_raw_log -> ipcat),
os = lowercase(_raw_log -> deviceostype),
user = coalesce(_raw_log -> user,_raw_log -> login)
| alter
xdm.event.type = sourcetype,
xdm.source.user.upn = user,
xdm.source.user.domain = arrayindex(split(user, "@"),-1),
xdm.target.port = to_integer(_raw_log -> cdport),
xdm.source.port = to_integer(_raw_log -> csport),
xdm.source.ipv4 = src_ipv4,
xdm.source.ipv6 = src_ipv6,
xdm.target.ipv4 = dest_ipv4,
xdm.target.ipv6 = dest_ipv6,
xdm.observer.action = _raw_log -> action,
xdm.source.application.name = _raw_log -> nwapp,
xdm.network.ip_protocol = if(proto="HOPOPT",XDM_CONST.IP_PROTOCOL_HOPOPT, proto="ICMP",XDM_CONST.IP_PROTOCOL_ICMP, proto="IGMP",XDM_CONST.IP_PROTOCOL_IGMP, proto="GGP",XDM_CONST.IP_PROTOCOL_GGP, proto="IP",XDM_CONST.IP_PROTOCOL_IP, proto="ST",XDM_CONST.IP_PROTOCOL_ST, proto="TCP",XDM_CONST.IP_PROTOCOL_TCP, proto="CBT",XDM_CONST.IP_PROTOCOL_CBT, proto="EGP",XDM_CONST.IP_PROTOCOL_EGP, proto="IGP",XDM_CONST.IP_PROTOCOL_IGP, proto="BBN_RCC_MON",XDM_CONST.IP_PROTOCOL_BBN_RCC_MON, proto="NVP_II",XDM_CONST.IP_PROTOCOL_NVP_II, proto="PUP",XDM_CONST.IP_PROTOCOL_PUP, proto="ARGUS",XDM_CONST.IP_PROTOCOL_ARGUS, proto="EMCON",XDM_CONST.IP_PROTOCOL_EMCON, proto="XNET",XDM_CONST.IP_PROTOCOL_XNET, proto="CHAOS",XDM_CONST.IP_PROTOCOL_CHAOS, proto="UDP",XDM_CONST.IP_PROTOCOL_UDP, proto="MUX",XDM_CONST.IP_PROTOCOL_MUX, proto="DCN_MEAS",XDM_CONST.IP_PROTOCOL_DCN_MEAS, proto="HMP",XDM_CONST.IP_PROTOCOL_HMP, proto="PRM",XDM_CONST.IP_PROTOCOL_PRM, proto="XNS_IDP",XDM_CONST.IP_PROTOCOL_XNS_IDP, proto="TRUNK_1",XDM_CONST.IP_PROTOCOL_TRUNK_1, proto="TRUNK_2",XDM_CONST.IP_PROTOCOL_TRUNK_2, proto="LEAF_1",XDM_CONST.IP_PROTOCOL_LEAF_1, proto="LEAF_2",XDM_CONST.IP_PROTOCOL_LEAF_2, proto="RDP",XDM_CONST.IP_PROTOCOL_RDP, proto="IRTP",XDM_CONST.IP_PROTOCOL_IRTP, proto="ISO_TP4",XDM_CONST.IP_PROTOCOL_ISO_TP4, proto="NETBLT",XDM_CONST.IP_PROTOCOL_NETBLT, proto="MFE_NSP",XDM_CONST.IP_PROTOCOL_MFE_NSP, proto="MERIT_INP",XDM_CONST.IP_PROTOCOL_MERIT_INP, proto="DCCP",XDM_CONST.IP_PROTOCOL_DCCP, proto="3PC",XDM_CONST.IP_PROTOCOL_3PC, proto="IDPR",XDM_CONST.IP_PROTOCOL_IDPR, proto="XTP",XDM_CONST.IP_PROTOCOL_XTP, proto="DDP",XDM_CONST.IP_PROTOCOL_DDP, proto="IDPR_CMTP",XDM_CONST.IP_PROTOCOL_IDPR_CMTP, proto="TP",XDM_CONST.IP_PROTOCOL_TP, proto="IL",XDM_CONST.IP_PROTOCOL_IL, proto="IPV6",XDM_CONST.IP_PROTOCOL_IPV6, proto="SDRP",XDM_CONST.IP_PROTOCOL_SDRP, proto="IPV6_ROUTE",XDM_CONST.IP_PROTOCOL_IPV6_ROUTE, proto="IPV6_FRAG",XDM_CONST.IP_PROTOCOL_IPV6_FRAG, proto="IDRP",XDM_CONST.IP_PROTOCOL_IDRP, proto="RSVP",XDM_CONST.IP_PROTOCOL_RSVP, proto="GRE",XDM_CONST.IP_PROTOCOL_GRE, proto="DSR",XDM_CONST.IP_PROTOCOL_DSR, proto="BNA",XDM_CONST.IP_PROTOCOL_BNA, proto="ESP",XDM_CONST.IP_PROTOCOL_ESP, proto="AH",XDM_CONST.IP_PROTOCOL_AH, proto="I_NLSP",XDM_CONST.IP_PROTOCOL_I_NLSP, proto="SWIPE",XDM_CONST.IP_PROTOCOL_SWIPE, proto="NARP",XDM_CONST.IP_PROTOCOL_NARP, proto="MOBILE",XDM_CONST.IP_PROTOCOL_MOBILE, proto="TLSP",XDM_CONST.IP_PROTOCOL_TLSP, proto="SKIP",XDM_CONST.IP_PROTOCOL_SKIP, proto="IPV6_ICMP",XDM_CONST.IP_PROTOCOL_IPV6_ICMP, proto="IPV6_NONXT",XDM_CONST.IP_PROTOCOL_IPV6_NONXT, proto="IPV6_OPTS",XDM_CONST.IP_PROTOCOL_IPV6_OPTS, proto="CFTP",XDM_CONST.IP_PROTOCOL_CFTP, proto="SAT_EXPAK",XDM_CONST.IP_PROTOCOL_SAT_EXPAK, proto="KRYPTOLAN",XDM_CONST.IP_PROTOCOL_KRYPTOLAN, proto="RVD",XDM_CONST.IP_PROTOCOL_RVD, proto="IPPC",XDM_CONST.IP_PROTOCOL_IPPC, proto="SAT_MON",XDM_CONST.IP_PROTOCOL_SAT_MON, proto="VISA",XDM_CONST.IP_PROTOCOL_VISA, proto="IPCV",XDM_CONST.IP_PROTOCOL_IPCV, proto="CPNX",XDM_CONST.IP_PROTOCOL_CPNX, proto="CPHB",XDM_CONST.IP_PROTOCOL_CPHB, proto="WSN",XDM_CONST.IP_PROTOCOL_WSN, proto="PVP",XDM_CONST.IP_PROTOCOL_PVP, proto="BR_SAT_MON",XDM_CONST.IP_PROTOCOL_BR_SAT_MON, proto="SUN_ND",XDM_CONST.IP_PROTOCOL_SUN_ND, proto="WB_MON",XDM_CONST.IP_PROTOCOL_WB_MON, proto="WB_EXPAK",XDM_CONST.IP_PROTOCOL_WB_EXPAK, proto="ISO_IP",XDM_CONST.IP_PROTOCOL_ISO_IP, proto="VMTP",XDM_CONST.IP_PROTOCOL_VMTP, proto="SECURE_VMTP",XDM_CONST.IP_PROTOCOL_SECURE_VMTP, proto="VINES",XDM_CONST.IP_PROTOCOL_VINES, proto="TTP",XDM_CONST.IP_PROTOCOL_TTP, proto="NSFNET_IGP",XDM_CONST.IP_PROTOCOL_NSFNET_IGP, proto="DGP",XDM_CONST.IP_PROTOCOL_DGP, proto="TCF",XDM_CONST.IP_PROTOCOL_TCF, proto="EIGRP",XDM_CONST.IP_PROTOCOL_EIGRP, proto="OSPFIGP",XDM_CONST.IP_PROTOCOL_OSPFIGP, proto="SPRITE_RPC",XDM_CONST.IP_PROTOCOL_SPRITE_RPC, proto="LARP",XDM_CONST.IP_PROTOCOL_LARP, proto="MTP",XDM_CONST.IP_PROTOCOL_MTP, proto="AX25",XDM_CONST.IP_PROTOCOL_AX25, proto="IPIP",XDM_CONST.IP_PROTOCOL_IPIP, proto="MICP",XDM_CONST.IP_PROTOCOL_MICP, proto="SCC_SP",XDM_CONST.IP_PROTOCOL_SCC_SP, proto="ETHERIP",XDM_CONST.IP_PROTOCOL_ETHERIP, proto="ENCAP",XDM_CONST.IP_PROTOCOL_ENCAP, proto="GMTP",XDM_CONST.IP_PROTOCOL_GMTP, proto="IFMP",XDM_CONST.IP_PROTOCOL_IFMP, proto="PNNI",XDM_CONST.IP_PROTOCOL_PNNI, proto="PIM",XDM_CONST.IP_PROTOCOL_PIM, proto="ARIS",XDM_CONST.IP_PROTOCOL_ARIS, proto="SCPS",XDM_CONST.IP_PROTOCOL_SCPS, proto="QNX",XDM_CONST.IP_PROTOCOL_QNX, proto="AN",XDM_CONST.IP_PROTOCOL_AN, proto="IPCOMP",XDM_CONST.IP_PROTOCOL_IPCOMP, proto="COMPAQ_PEER",XDM_CONST.IP_PROTOCOL_COMPAQ_PEER, proto="IPX_IN_IP",XDM_CONST.IP_PROTOCOL_IPX_IN_IP, proto="VRRP",XDM_CONST.IP_PROTOCOL_VRRP, proto="PGM",XDM_CONST.IP_PROTOCOL_PGM, proto="L2TP",XDM_CONST.IP_PROTOCOL_L2TP, proto="DDX",XDM_CONST.IP_PROTOCOL_DDX, proto="IATP",XDM_CONST.IP_PROTOCOL_IATP, proto="STP",XDM_CONST.IP_PROTOCOL_STP, proto="SRP",XDM_CONST.IP_PROTOCOL_SRP, proto="UTI",XDM_CONST.IP_PROTOCOL_UTI, proto="SMP",XDM_CONST.IP_PROTOCOL_SMP, proto="SM",XDM_CONST.IP_PROTOCOL_SM, proto="PTP",XDM_CONST.IP_PROTOCOL_PTP, proto="ISIS",XDM_CONST.IP_PROTOCOL_ISIS, proto="FIRE",XDM_CONST.IP_PROTOCOL_FIRE, proto="CRTP",XDM_CONST.IP_PROTOCOL_CRTP, proto="CRUDP",XDM_CONST.IP_PROTOCOL_CRUDP, proto="SSCOPMCE",XDM_CONST.IP_PROTOCOL_SSCOPMCE, proto="IPLT",XDM_CONST.IP_PROTOCOL_IPLT, proto="SPS",XDM_CONST.IP_PROTOCOL_SPS, proto="PIPE",XDM_CONST.IP_PROTOCOL_PIPE, proto="SCTP",XDM_CONST.IP_PROTOCOL_SCTP, proto="FC",XDM_CONST.IP_PROTOCOL_FC, proto="RSVP_E2E_IGNORE",XDM_CONST.IP_PROTOCOL_RSVP_E2E_IGNORE, proto="MOBILITY",XDM_CONST.IP_PROTOCOL_MOBILITY, proto="UDPLITE",XDM_CONST.IP_PROTOCOL_UDPLITE, proto="MPLS_IN_IP",XDM_CONST.IP_PROTOCOL_MPLS_IN_IP, proto = null, null, to_string(proto)),
xdm.network.http.url_category = if(url_category contains "ABORTION", XDM_CONST.URL_CATEGORY_ABORTION, url_category contains "DRUGS", XDM_CONST.URL_CATEGORY_ABUSED_DRUGS, url_category contains "ADULT", XDM_CONST.URL_CATEGORY_ADULT, url_category contains "ALCOHOL" or url_category contains "TOBACCO", XDM_CONST.URL_CATEGORY_ALCOHOL_AND_TOBACCO, url_category contains "AUCTIONS", XDM_CONST.URL_CATEGORY_AUCTIONS, url_category contains "BUSINESS" or url_category contains "ECONOMY", XDM_CONST.URL_CATEGORY_BUSINESS_AND_ECONOMY, url_category contains "COMMAND AND CONTROL" or url_category contains "C&C", XDM_CONST.URL_CATEGORY_COMMAND_AND_CONTROL, url_category contains "COMPUTER" or url_category contains "INTERNET", XDM_CONST.URL_CATEGORY_COMPUTER_AND_INTERNET_INFO, url_category contains "CONTENT DELIVERY NETWORKS" or url_category contains "CDN", XDM_CONST.URL_CATEGORY_CONTENT_DELIVERY_NETWORKS, url_category contains "COPYRIGHT", XDM_CONST.URL_CATEGORY_COPYRIGHT_INFRINGEMENT, url_category contains "CRYPTO", XDM_CONST.URL_CATEGORY_CRYPTOCURRENCY, url_category contains "DATING", XDM_CONST.URL_CATEGORY_DATING, url_category contains "DYNAMIC DNS", XDM_CONST.URL_CATEGORY_DYNAMIC_DNS, url_category contains "EDUCATIONAL INSTITUTIONS", XDM_CONST.URL_CATEGORY_EDUCATIONAL_INSTITUTIONS, url_category contains "ENTERTAINMENT" and url_category contains "ARTS", XDM_CONST.URL_CATEGORY_ENTERTAINMENT_AND_ARTS, url_category contains "EXTREMISM", XDM_CONST.URL_CATEGORY_EXTREMISM, url_category contains "FINANCIAL" or url_category contains "FINANCE", XDM_CONST.URL_CATEGORY_FINANCIAL_SERVICES, url_category contains "GAMBLING", XDM_CONST.URL_CATEGORY_GAMBLING, url_category contains "GAMES", XDM_CONST.URL_CATEGORY_GAMES, url_category contains "GOVERNMENT", XDM_CONST.URL_CATEGORY_GOVERNMENT, url_category contains "GRAYWARE", XDM_CONST.URL_CATEGORY_GRAYWARE, url_category contains "HACKING", XDM_CONST.URL_CATEGORY_HACKING, url_category contains "HEALTH" or url_category contains "MEDICINE", XDM_CONST.URL_CATEGORY_HEALTH_AND_MEDICINE, url_category contains "HOME" or url_category contains "GARDEN", XDM_CONST.URL_CATEGORY_HOME_AND_GARDEN, url_category contains "HUNTING" or url_category contains "FISHING", XDM_CONST.URL_CATEGORY_HUNTING_AND_FISHING, url_category contains "INSUFFICIENT CONTENT", XDM_CONST.URL_CATEGORY_INSUFFICIENT_CONTENT, url_category contains "INTERNET COMMUNICATIONS" and url_category contains "TELEPHONY", XDM_CONST.URL_CATEGORY_INTERNET_COMMUNICATIONS_AND_TELEPHONY, url_category contains "INTERNET PORTALS", XDM_CONST.URL_CATEGORY_INTERNET_PORTALS, url_category contains "JOB", XDM_CONST.URL_CATEGORY_JOB_SEARCH, url_category contains "LEGAL", XDM_CONST.URL_CATEGORY_LEGAL, url_category contains "MALWARE", XDM_CONST.URL_CATEGORY_MALWARE, url_category contains "MILITARY", XDM_CONST.URL_CATEGORY_MILITARY, url_category contains "MOTOR VEHICLES", XDM_CONST.URL_CATEGORY_MOTOR_VEHICLES, url_category contains "MUSIC", XDM_CONST.URL_CATEGORY_MUSIC, url_category contains "DOMAIN" and url_category contains "REGIST", XDM_CONST.URL_CATEGORY_NEWLY_REGISTERED_DOMAIN, url_category contains "NEWS", XDM_CONST.URL_CATEGORY_NEWS, url_category contains "NOT RESOLVED", XDM_CONST.URL_CATEGORY_NOT_RESOLVED, url_category contains "NUDITY", XDM_CONST.URL_CATEGORY_NUDITY, url_category contains "ONLINE STORAGE" and url_category contains "BACKUP", XDM_CONST.URL_CATEGORY_ONLINE_STORAGE_AND_BACKUP, url_category contains "PARKED", XDM_CONST.URL_CATEGORY_PARKED, url_category contains "PEER TO PEER", XDM_CONST.URL_CATEGORY_PEER_TO_PEER, url_category contains "PERSONAL SITES" or url_category contains "BLOG", XDM_CONST.URL_CATEGORY_PERSONAL_SITES_AND_BLOGS, url_category contains "PHILOSOPHY" or url_category contains "POLITICAL ADVOCACY", XDM_CONST.URL_CATEGORY_PHILOSOPHY_AND_POLITICAL_ADVOCACY, url_category contains "PHISHING", XDM_CONST.URL_CATEGORY_PHISHING, url_category contains "PRIVATE IP ADDRESSES", XDM_CONST.URL_CATEGORY_PRIVATE_IP_ADDRESSES, url_category contains "PROXY" or url_category contains "ANONYMIZERS", XDM_CONST.URL_CATEGORY_PROXY_AVOIDANCE_AND_ANONYMIZERS, url_category contains "QUESTIONABLE", XDM_CONST.URL_CATEGORY_QUESTIONABLE, url_category contains "REAL ESTATE", XDM_CONST.URL_CATEGORY_REAL_ESTATE, url_category contains "HOBBIES" or url_category contains "RECREATION", XDM_CONST.URL_CATEGORY_RECREATION_AND_HOBBIES, url_category contains "REFERENCE", XDM_CONST.URL_CATEGORY_REFERENCE_AND_RESEARCH, url_category contains "RELIGION", XDM_CONST.URL_CATEGORY_RELIGION, url_category contains "SEARCH ENGINES", XDM_CONST.URL_CATEGORY_SEARCH_ENGINES, url_category contains "SEX EDUCATION", XDM_CONST.URL_CATEGORY_SEX_EDUCATION, url_category contains "SHAREWARE" and url_category contains "FREEWARE", XDM_CONST.URL_CATEGORY_SHAREWARE_AND_FREEWARE, url_category contains "SHOPPING", XDM_CONST.URL_CATEGORY_SHOPPING, url_category contains "SOCIAL_NETWORK", XDM_CONST.URL_CATEGORY_SOCIAL_NETWORKING, url_category contains "SOCIETY", XDM_CONST.URL_CATEGORY_SOCIETY, url_category contains "SPORTS", XDM_CONST.URL_CATEGORY_SPORTS, url_category contains "STOCK", XDM_CONST.URL_CATEGORY_STOCK_ADVICE_AND_TOOLS, url_category contains "MEDIA" and url_category contains "STREAM", XDM_CONST.URL_CATEGORY_STREAMING_MEDIA, url_category contains "INTIMATE APPAREL", XDM_CONST.URL_CATEGORY_SWIMSUITS_AND_INTIMATE_APPAREL, url_category contains "TRAINING" and url_category contains "Sport", XDM_CONST.URL_CATEGORY_TRAINING_AND_TOOLS, url_category contains "TRANSLATION", XDM_CONST.URL_CATEGORY_TRANSLATION, url_category contains "TRAVEL", XDM_CONST.URL_CATEGORY_TRAVEL, url_category contains "UNKNOWN", XDM_CONST.URL_CATEGORY_UNKNOWN, url_category contains "WEAPONS", XDM_CONST.URL_CATEGORY_WEAPONS, url_category contains "WEB ADVERTISEMENTS", XDM_CONST.URL_CATEGORY_WEB_ADVERTISEMENTS, url_category contains "WEB HOSTING", XDM_CONST.URL_CATEGORY_WEB_HOSTING, url_category contains "WEB BASED EMAIL", XDM_CONST.URL_CATEGORY_WEB_BASED_EMAIL, url_category),
xdm.network.rule = replex(_raw_log -> rulelabel,"\%20"," "),
xdm.target.sent_bytes = to_integer(_raw_log -> inbytes),
xdm.source.sent_bytes = to_integer(_raw_log -> outbytes),
xdm.event.duration = to_integer(_raw_log -> durationms),
xdm.alert.original_threat_name = _raw_log -> threatname,
xdm.source.host.hostname = coalesce(_raw_log -> devicehostname, _raw_log -> devicename),
xdm.target.host.fqdn = _raw_log -> cdfqdn,
xdm.alert.subcategory = _raw_log -> threatcat,
xdm.source.agent.version = _raw_log -> deviceappversion,
xdm.alert.severity = uppercase(_raw_log -> threat_severity),
xdm.target.host.os = concat(os," ",_raw_log -> deviceosversion),
xdm.target.host.os_family = if(os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, os contains "mac", XDM_CONST.OS_FAMILY_MACOS, os contains "linux", XDM_CONST.OS_FAMILY_LINUX, os contains "android", XDM_CONST.OS_FAMILY_ANDROID, os contains "ios", XDM_CONST.OS_FAMILY_IOS, os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, os contains "scada", XDM_CONST.OS_FAMILY_SCADA),
xdm.target.location.country = _raw_log -> destcountry,
xdm.source.location.country = _raw_log -> srcip_country,
xdm.network.application_protocol_category = _raw_log -> nwsvc;
[RULE: zscaler_nss_map_url_category]
/* This rule maps a url category value from url_category field to xdm.network.http.url_category.
If there is a match to one of the predefined enum values, it is mapped to the enum, otherwise,
it is just converted to uppercase and mapped as is.
usage prerequisite: init a field "url_category" with the url category value. */
alter url_category = uppercase(url_category)
| alter xdm.network.http.url_category = if(url_category contains "ABORTION", XDM_CONST.URL_CATEGORY_ABORTION, url_category contains "DRUGS", XDM_CONST.URL_CATEGORY_ABUSED_DRUGS, url_category contains "ADULT", XDM_CONST.URL_CATEGORY_ADULT, url_category contains "ALCOHOL" or url_category contains "TOBACCO", XDM_CONST.URL_CATEGORY_ALCOHOL_AND_TOBACCO, url_category contains "AUCTIONS", XDM_CONST.URL_CATEGORY_AUCTIONS, url_category contains "BUSINESS" or url_category contains "ECONOMY", XDM_CONST.URL_CATEGORY_BUSINESS_AND_ECONOMY, url_category contains "COMMAND AND CONTROL" or url_category contains "C&C", XDM_CONST.URL_CATEGORY_COMMAND_AND_CONTROL, url_category contains "COMPUTER" or url_category contains "INTERNET", XDM_CONST.URL_CATEGORY_COMPUTER_AND_INTERNET_INFO, url_category contains "CONTENT DELIVERY NETWORKS" or url_category contains "CDN", XDM_CONST.URL_CATEGORY_CONTENT_DELIVERY_NETWORKS, url_category contains "COPYRIGHT", XDM_CONST.URL_CATEGORY_COPYRIGHT_INFRINGEMENT, url_category contains "CRYPTO", XDM_CONST.URL_CATEGORY_CRYPTOCURRENCY, url_category contains "DATING", XDM_CONST.URL_CATEGORY_DATING, url_category contains "DYNAMIC DNS", XDM_CONST.URL_CATEGORY_DYNAMIC_DNS, url_category contains "EDUCATIONAL INSTITUTIONS", XDM_CONST.URL_CATEGORY_EDUCATIONAL_INSTITUTIONS, url_category contains "ENTERTAINMENT" and url_category contains "ARTS", XDM_CONST.URL_CATEGORY_ENTERTAINMENT_AND_ARTS, url_category contains "EXTREMISM", XDM_CONST.URL_CATEGORY_EXTREMISM, url_category contains "FINANCIAL" or url_category contains "FINANCE", XDM_CONST.URL_CATEGORY_FINANCIAL_SERVICES, url_category contains "GAMBLING", XDM_CONST.URL_CATEGORY_GAMBLING, url_category contains "GAMES", XDM_CONST.URL_CATEGORY_GAMES, url_category contains "GOVERNMENT", XDM_CONST.URL_CATEGORY_GOVERNMENT, url_category contains "GRAYWARE", XDM_CONST.URL_CATEGORY_GRAYWARE, url_category contains "HACKING", XDM_CONST.URL_CATEGORY_HACKING, url_category contains "HEALTH" or url_category contains "MEDICINE", XDM_CONST.URL_CATEGORY_HEALTH_AND_MEDICINE, url_category contains "HOME" or url_category contains "GARDEN", XDM_CONST.URL_CATEGORY_HOME_AND_GARDEN, url_category contains "HUNTING" or url_category contains "FISHING", XDM_CONST.URL_CATEGORY_HUNTING_AND_FISHING, url_category contains "INSUFFICIENT CONTENT", XDM_CONST.URL_CATEGORY_INSUFFICIENT_CONTENT, url_category contains "INTERNET COMMUNICATIONS" and url_category contains "TELEPHONY", XDM_CONST.URL_CATEGORY_INTERNET_COMMUNICATIONS_AND_TELEPHONY, url_category contains "INTERNET PORTALS", XDM_CONST.URL_CATEGORY_INTERNET_PORTALS, url_category contains "JOB", XDM_CONST.URL_CATEGORY_JOB_SEARCH, url_category contains "LEGAL", XDM_CONST.URL_CATEGORY_LEGAL, url_category contains "MALWARE", XDM_CONST.URL_CATEGORY_MALWARE, url_category contains "MILITARY", XDM_CONST.URL_CATEGORY_MILITARY, url_category contains "MOTOR VEHICLES", XDM_CONST.URL_CATEGORY_MOTOR_VEHICLES, url_category contains "MUSIC", XDM_CONST.URL_CATEGORY_MUSIC, url_category contains "DOMAIN" and url_category contains "REGIST", XDM_CONST.URL_CATEGORY_NEWLY_REGISTERED_DOMAIN, url_category contains "NEWS", XDM_CONST.URL_CATEGORY_NEWS, url_category contains "NOT RESOLVED", XDM_CONST.URL_CATEGORY_NOT_RESOLVED, url_category contains "NUDITY", XDM_CONST.URL_CATEGORY_NUDITY, url_category contains "ONLINE STORAGE" and url_category contains "BACKUP", XDM_CONST.URL_CATEGORY_ONLINE_STORAGE_AND_BACKUP, url_category contains "PARKED", XDM_CONST.URL_CATEGORY_PARKED, url_category contains "PEER TO PEER", XDM_CONST.URL_CATEGORY_PEER_TO_PEER, url_category contains "PERSONAL SITES" or url_category contains "BLOG", XDM_CONST.URL_CATEGORY_PERSONAL_SITES_AND_BLOGS, url_category contains "PHILOSOPHY" or url_category contains "POLITICAL ADVOCACY", XDM_CONST.URL_CATEGORY_PHILOSOPHY_AND_POLITICAL_ADVOCACY, url_category contains "PHISHING", XDM_CONST.URL_CATEGORY_PHISHING, url_category contains "PRIVATE IP ADDRESSES", XDM_CONST.URL_CATEGORY_PRIVATE_IP_ADDRESSES, url_category contains "PROXY" or url_category contains "ANONYMIZERS", XDM_CONST.URL_CATEGORY_PROXY_AVOIDANCE_AND_ANONYMIZERS, url_category contains "QUESTIONABLE", XDM_CONST.URL_CATEGORY_QUESTIONABLE, url_category contains "REAL ESTATE", XDM_CONST.URL_CATEGORY_REAL_ESTATE, url_category contains "HOBBIES" or url_category contains "RECREATION", XDM_CONST.URL_CATEGORY_RECREATION_AND_HOBBIES, url_category contains "REFERENCE", XDM_CONST.URL_CATEGORY_REFERENCE_AND_RESEARCH, url_category contains "RELIGION", XDM_CONST.URL_CATEGORY_RELIGION, url_category contains "SEARCH ENGINES", XDM_CONST.URL_CATEGORY_SEARCH_ENGINES, url_category contains "SEX EDUCATION", XDM_CONST.URL_CATEGORY_SEX_EDUCATION, url_category contains "SHAREWARE" and url_category contains "FREEWARE", XDM_CONST.URL_CATEGORY_SHAREWARE_AND_FREEWARE, url_category contains "SHOPPING", XDM_CONST.URL_CATEGORY_SHOPPING, url_category contains "SOCIAL_NETWORK", XDM_CONST.URL_CATEGORY_SOCIAL_NETWORKING, url_category contains "SOCIETY", XDM_CONST.URL_CATEGORY_SOCIETY, url_category contains "SPORTS", XDM_CONST.URL_CATEGORY_SPORTS, url_category contains "STOCK", XDM_CONST.URL_CATEGORY_STOCK_ADVICE_AND_TOOLS, url_category contains "MEDIA" and url_category contains "STREAM", XDM_CONST.URL_CATEGORY_STREAMING_MEDIA, url_category contains "INTIMATE APPAREL", XDM_CONST.URL_CATEGORY_SWIMSUITS_AND_INTIMATE_APPAREL, url_category contains "TRAINING" and url_category contains "Sport", XDM_CONST.URL_CATEGORY_TRAINING_AND_TOOLS, url_category contains "TRANSLATION", XDM_CONST.URL_CATEGORY_TRANSLATION, url_category contains "TRAVEL", XDM_CONST.URL_CATEGORY_TRAVEL, url_category contains "UNKNOWN", XDM_CONST.URL_CATEGORY_UNKNOWN, url_category contains "WEAPONS", XDM_CONST.URL_CATEGORY_WEAPONS, url_category contains "WEB ADVERTISEMENTS", XDM_CONST.URL_CATEGORY_WEB_ADVERTISEMENTS, url_category contains "WEB HOSTING", XDM_CONST.URL_CATEGORY_WEB_HOSTING, url_category contains "WEB BASED EMAIL", XDM_CONST.URL_CATEGORY_WEB_BASED_EMAIL, url_category);