Zscaler Private Access
Overview
The Zscaler Private Access (ZPA) service enables organizations to provide access to internal applications and services while ensuring the security of their networks. ZPA is an easier to deploy, more cost-effective, and more secure alternative to VPNs. Unlike VPNs, which require users to connect to your network to access your enterprise applications, ZPA allows you to give users policy-based secure access only to the internal apps they need to get their work done. With ZPA, application access does not require network access.
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
- Vendor: Zscaler
- Supported environment: SaaS
- Detection based on: Telemetry
- Supported application or feature: Traffic, Web, VPN
Supported logs
This integration can ingest the following logs:
- User Activity logs
- User Status logs
- App Connector Status logs
- Browser Access logs
- AppProtection logs
- Audit logs
Configure
This section will guide you on how to forward Zscaler ZPA events to Sekoia.io.
Create the intake
Go to the intake page and create a new intake from the Zscaler ZPA format.
Forward events to the Sekoia Forwarder using the Log Streaming Service (LSS)
Prerequisites
You must have a Sekoia Forwarder instance running in your infrastructure. This forwarder must be reachable from at least one of your App Connectors, since the LSS delivers the log stream through an App Connector.
Configure the forwarding
- Go to Configuration & Control > Private Infrastructure > Log Receivers
- Click on Add to create a new log receiver
- Give your new log receiver a Name and a description, then specify the Port and Public address of the Sekoia Forwarder inside your infrastructure
- Choose the Log Type you want to forward and select the json Log Template. Keep the default Log format
- Save your log receiver. You need to create a separate log receiver for each log type you want to forward; all of them must point to the same forwarder and port
Forward logs to Sekoia.io
For more information on forwarding logs to Sekoia.io using the Sekoia Forwarder, see Syslog Forwarding
Event Categories
The following table lists the data sources offered by this integration.
| Data Source | Description |
|---|---|
| Network device logs | Zscaler ZPA can monitor the network traffic to internal applications |
| Web logs | Zscaler ZPA monitors access to internal web applications |
| Web application firewall logs | Using AppProtection, Zscaler ZPA can monitor web threats and trigger alerts based on protection policies |
| Authentication logs | Zscaler ZPA authenticates the users and devices trying to access internal applications |
In detail, the following table lists the types of events produced by this integration (the category and type values are those visible in the transformed samples below).
| Name | Values |
|---|---|
| Kind | alert |
| Category | `authentication`, `configuration`, `network`, `session`, `web` |
| Type | `access`, `change`, `creation`, `deletion`, `end`, `info`, `start` |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs are transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and in hunting activities on the events page. Understanding these transformations is essential for analysts who want to write effective custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\"LogTimestamp\": \"Wed Jul 3 05:17:22 2019\",\"Customer\": \"Safe March\",\"SessionID\": \"8A64Qwj9zCkfYDGJVoUZ\",\"SessionType\": \"ZPN_ASSISTANT_BROKER_CONTROL\",\"SessionStatus\": \"ZPN_STATUS_AUTHENTICATED\",\"Version\": \"19.20.3\",\"Platform\": \"el7\",\"ZEN\": \"US-NY-8179\",\"Connector\": \"connector.test.corp\",\"ConnectorGroup\": \"Azure App Connectors\",\"PrivateIP\": \"10.0.0.4\",\"PublicIP\": \"192.0.2.2\",\"Latitude\": 47.000000,\"Longitude\": -122.000000,\"CountryCode\": \"\",\"TimestampAuthentication\": \"2019-06-27T05:05:23.348Z\",\"TimestampUnAuthentication\": \"\",\"CPUUtilization\": 1,\"MemUtilization\": 20,\"ServiceCount\": 2,\"InterfaceDefRoute\": \"eth0\",\"DefRouteGW\": \"10.0.0.1\",\"PrimaryDNSResolver\": \"168.63.129.16\",\"HostStartTime\": \"1513229995\",\"ConnectorStartTime\": \"1555920005\",\"NumOfInterfaces\": 2,\"BytesRxInterface\": 319831966346,\"PacketsRxInterface\": 1617569938,\"ErrorsRxInterface\": 0,\"DiscardsRxInterface\": 0,\"BytesTxInterface\": 192958782635,\"PacketsTxInterface\": 1797471190,\"ErrorsTxInterface\": 0,\"DiscardsTxInterface\": 0,\"TotalBytesRx\": 10902554,\"TotalBytesTx\": 48931771, \"MicroTenantID\": \"145257480799129312\"}",
"event": {
"action": "Session status",
"category": [
"session"
],
"dataset": "app-connector-status",
"outcome": "success",
"type": [
"info"
]
},
"@timestamp": "2019-07-03T05:17:22Z",
"cloud": {
"account": {
"id": "145257480799129312"
}
},
"destination": {
"bytes": 10902554
},
"host": {
"name": "connector.test.corp",
"os": {
"type": "el7"
}
},
"observer": {
"hostname": "US-NY-8179",
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"organization": {
"name": "Safe March"
},
"related": {
"hosts": [
"US-NY-8179"
],
"ip": [
"10.0.0.4",
"192.0.2.2"
]
},
"source": {
"address": "192.0.2.2",
"bytes": 48931771,
"geo": {
"location": {
"lat": 47.0,
"lon": -122.0
}
},
"ip": "192.0.2.2",
"nat": {
"ip": "10.0.0.4"
}
},
"zscaler": {
"zpa": {
"app_connector": {
"group_name": "Azure App Connectors",
"version": "19.20.3"
}
}
}
}
{
"message": "{\"LogTimestamp\": \"Tue Feb 17 14:28:57 2026\",\"Customer\": \"Test Corp\",\"SessionID\": \"\",\"SessionType\": \"ZPN_ASSISTANT_BROKER_LOG\",\"SessionStatus\": \"ZPN_STATUS_AUTHENTICATED\",\"Version\": \"\",\"Platform\": \"\",\"ZEN\": \"BETA-DE-8578\",\"Connector\": \"connector.test.corp\",\"ConnectorGroup\": \"Test\",\"PrivateIP\": \"\",\"PublicIP\": \"192.0.2.1\",\"Latitude\": 0.000000,\"Longitude\": 0.000000,\"CountryCode\": \"\",\"TimestampAuthentication\": \"2026-02-17T14:28:57.679Z\",\"TimestampUnAuthentication\": \"\",\"CPUUtilization\": 0,\"MemUtilization\": 0,\"ServiceCount\": 0,\"InterfaceDefRoute\": \"\",\"DefRouteGW\": \"\",\"PrimaryDNSResolver\": \"\",\"HostStartTime\": \"0\",\"ConnectorStartTime\": \"0\",\"NumOfInterfaces\": 0,\"BytesRxInterface\": 0,\"PacketsRxInterface\": 0,\"ErrorsRxInterface\": 0,\"DiscardsRxInterface\": 0,\"BytesTxInterface\": 0,\"PacketsTxInterface\": 0,\"ErrorsTxInterface\": 0,\"DiscardsTxInterface\": 0,\"TotalBytesRx\": 1104942,\"TotalBytesTx\": 261877,\"MicroTenantID\": \"0\"}",
"event": {
"action": "Session status",
"category": [
"session"
],
"dataset": "app-connector-status",
"outcome": "success",
"type": [
"info"
]
},
"@timestamp": "2026-02-17T14:28:57Z",
"cloud": {
"account": {
"id": "0"
}
},
"destination": {
"bytes": 1104942
},
"host": {
"name": "connector.test.corp"
},
"observer": {
"hostname": "BETA-DE-8578",
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"organization": {
"name": "Test Corp"
},
"related": {
"hosts": [
"BETA-DE-8578"
],
"ip": [
"192.0.2.1"
]
},
"source": {
"address": "192.0.2.1",
"bytes": 261877,
"ip": "192.0.2.1"
},
"zscaler": {
"zpa": {
"app_connector": {
"group_name": "Test"
}
}
}
}
{
"message": "{\"LogTimestamp\": \"Fri Sep 16 16:34:18 2022\",\"Customer\": \"SafemarchTestUser\", \"ConnectionID\": \"cg698XMrXoY9OfjUSURh,EUtFPDqC5AzvQpL+DjAV\", \"UserID\": \"testuser@test.corp\", \"AssistantID\": \"test-key-1650457413478\", \"ExchangeSequenceIndex\": 0, \"TimestampRequestReceiveStart\": 1663346058860810, \"TimestampRequestReceiveHeaderFinish\": 1663346058860833, \"TimestampRequestReceiveFinish\": 1663346058861590, \"TimestampRequestTransmitStart\": 0, \"TimestampRequestTransmitFinish\": 0, \"TimestampResponseReceiveFinish\": 1663346058866909, \"TimestampResponseTransmitStart\": 0, \"TimestampResponseTransmitFinish\": 1663346058866941, \"TotalTimeRequestReceive\": 0, \"TotalTimeRequestTransmit\": 0, \"TotalTimeResponseReceive\": 58, \"TotalTimeResponseTransmit\": 0, \"Domain\": \"test.corp\", \"Method\": \"GET\", \"Protocol\": \"1.1\", \"ProtocolVersion\": \"\", \"ContentType\": \"\", \"ContentEncoding\": \"\", \"TransferEncoding\": \"\", \"Host\": \"test.corp\", \"Destination\": \"test.corp\", \"OriginDomain\": \"\", \"URL\": \"/\", \"UserAgent\": \"curl/7.68.0\", \"HTTPError\": \"success\", \"ClientPublicIp\": \"192.0.2.1\", \"ClientPort\": 0, \"UpgradeHeaderPresent\": 0, \"StatusCode\": 301, \"RequestHdrSize\": 42, \"ResponseHdrSize\": 210, \"RequestBodySize\": 0, \"ResponseBodySize\": 0, \"Application\": 145254438888544148, \"ApplicationGroup\": 145254438888544129, \"InspectionPolicy\": 145254438888543730, \"InspectionProfile\": 145254438888538683, \"ParanoiaLevel\": 4, \"InspectionControlsHitCount\": 0, \"InspectionRuleProcessingTime\": 0, \"InspectionReqHeadersProcessingTime\": 736, \"InspectionReqBodyProcessingTime\": 973, \"InspectionRespHeadersProcessingTime\": 29, \"InspectionRespBodyProcessingTime\": 2, \"CertificateId\": 145254438888538207, \"DoubleEncryption\": 1, \"SSLInspection\": 1, \"TotalBytesProcessed\": 0}",
"event": {
"action": "Inspect",
"category": [
"network"
],
"dataset": "appprotection",
"outcome": "success",
"type": [
"info"
]
},
"@timestamp": "2022-09-16T16:34:18Z",
"destination": {
"address": "test.corp",
"domain": "test.corp",
"subdomain": "test"
},
"host": {
"name": "test.corp"
},
"http": {
"request": {
"body": {
"bytes": 0
},
"bytes": 42,
"method": "GET"
},
"response": {
"body": {
"bytes": 0
},
"bytes": 210,
"status_code": 301
},
"version": "1.1"
},
"network": {
"bytes": 0,
"protocol": "1.1"
},
"observer": {
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"organization": {
"name": "SafemarchTestUser"
},
"related": {
"hosts": [
"test.corp"
],
"ip": [
"192.0.2.1"
],
"user": [
"testuser@test.corp"
]
},
"service": {
"name": "145254438888544148"
},
"source": {
"address": "192.0.2.1",
"ip": "192.0.2.1"
},
"url": {
"domain": "test.corp",
"original": "/",
"path": "/"
},
"user": {
"name": "testuser@test.corp"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "curl",
"original": "curl/7.68.0",
"os": {
"name": "Other"
},
"version": "7.68.0"
},
"zscaler": {
"zpa": {
"app_group_name": "145254438888544129",
"inspection": {
"controls_hit_count": 0,
"policy": "145254438888543730",
"profile": "145254438888538683"
},
"paranoia_level": "4"
}
}
}
{
"message": "{\"ModifiedTime\": \"2020-07-13T20:53:10.000Z\",\"CreationTime\":\"2020-07-13T20:53:10.000Z\",\"ModifiedBy\":11223344556677889,\"RequestID\":\"a12aa12a-1234-aab1-123ab123456a\",\"AuditOldValue\":\"\",\"AuditNewValue\":{\"id\":\"98765432100123456\",\"name\":\"app1.test.com\",\"applicationId\":\"12312312312312300\",\"applicationPort\":\"443\",\"applicationProtocol\":\"HTTPS\",\"certificateId\":\"10203040506070809\",\"domain\":\"app1.test.com\",\"enabled\":\"true\",\"hidden\":\"false\",\"path\":\"/\",\"portal\":\"false\",\"trustUntrustedCert\":\"true\"},\"AuditOperationType\":\"Create\",\"ObjectType\":\"Browser Access\",\"ObjectName\":\"app1.test.com\",\"ObjectID\":98765432100123456,\"CustomerID\":12345678901234567,\"ModifiedByUser\":\"zpaadmin@test.com\", \"ClientAuditUpdate\":\"0\"}",
"event": {
"action": "Create",
"category": [
"configuration"
],
"dataset": "audit",
"outcome": "success",
"type": [
"creation"
]
},
"@timestamp": "2020-07-13T20:53:10Z",
"observer": {
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"related": {
"user": [
"zpaadmin@test.com"
]
},
"user": {
"name": "zpaadmin@test.com"
},
"zscaler": {
"zpa": {
"audit": {
"new_value": "{\"applicationId\":\"12312312312312300\",\"applicationPort\":\"443\",\"applicationProtocol\":\"HTTPS\",\"certificateId\":\"10203040506070809\",\"domain\":\"app1.test.com\",\"enabled\":\"true\",\"hidden\":\"false\",\"id\":\"98765432100123456\",\"name\":\"app1.test.com\",\"path\":\"/\",\"portal\":\"false\",\"trustUntrustedCert\":\"true\"}",
"operation_type": "Create"
},
"object": {
"id": "98765432100123456",
"name": "app1.test.com",
"type": "Browser Access"
}
}
}
}
{
"message": "{\"ModifiedTime\":\"\",\"CreationTime\":\"2026-02-11T11:19:51.000Z\",\"ModifiedBy\":72060231147847697,\"RequestID\":\"d3af8c3a-1279-4a5d-8071-be9f4ec06c24\",\"SessionID\":\"drchh5slvpj6mhxvv0hkftqu\",\"AuditOldValue\":\"\",\"AuditNewValue\":\"\",\"AuditOperationType\":\"Sign Out\",\"ObjectType\":\"Authentication\",\"ObjectName\":\"72060231147847697\",\"ObjectID\":72060231147847697,\"CustomerID\":72060231147847680,\"User\":\"Admin@example.com\",\"ClientAuditUpdate\":0}",
"event": {
"action": "Sign Out",
"category": [
"authentication"
],
"dataset": "audit",
"outcome": "success",
"type": [
"end"
]
},
"@timestamp": "2026-02-11T11:19:51Z",
"observer": {
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"related": {
"user": [
"Admin@example.com"
]
},
"user": {
"name": "Admin@example.com"
},
"zscaler": {
"zpa": {
"audit": {
"operation_type": "Sign Out"
},
"object": {
"id": "72060231147847697",
"name": "72060231147847697",
"type": "Authentication"
}
}
}
}
{
"message": "{\"ModifiedTime\":\"2026-02-11T10:49:18.000Z\",\"CreationTime\":\"2026-02-11T10:49:18.000Z\",\"ModifiedBy\":72060231147847697,\"RequestID\":\"822d0c54-c14f-4078-b5b5-d92fb04cd3a2\",\"SessionID\":\"1ax18zeic1es010iajmkkhxcid\",\"AuditOldValue\":\"\",\"AuditNewValue\":\"{\\\"id\\\":\\\"14502\\\",\\\"commonName\\\":\\\"72060231147847680-zpabeta.zpa-customer.com\\\\/newcer\\\",\\\"certificate\\\":\\\"-----BEGIN CERTIFICATE-----XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-----END CERTIFICATE-----\\\",\\\"issuedBy\\\":\\\"O=Zscaler,OU=Private Access,CN=72060231147847680-zpabeta.zpa-customer.com\\\\/newcer\\\",\\\"issuedTo\\\":\\\"O=Zscaler,OU=Private Access,CN=72060231147847680-zpabeta.zpa-customer.com\\\\/newcer\\\",\\\"serialNo\\\":\\\"250371527085282490163632033189348609407\\\",\\\"creationTimeInSeconds\\\":\\\"1770720558\\\",\\\"expirationTimeInSeconds\\\":\\\"2716886958\\\",\\\"allowSigning\\\":\\\"true\\\",\\\"csr\\\":\\\"-----BEGIN CERTIFICATE REQUEST-----XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-----END CERTIFICATE REQUEST-----\\\",\\\"description\\\":\\\"a new cert\\\",\\\"name\\\":\\\"newcer\\\",\\\"zrsaencryptedprivatekey\\\":\\\"-----BEGIN AES ENCRYPTED PRIVATE KEY-----XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-----END AES ENCRYPTED PRIVATE KEY-----\\\",\\\"zrsaencryptedsessionkey\\\":\\\"-----BEGIN ENCRYPTED AES SESSION KEY----------END ENCRYPTED AES SESSION KEY-----\\\"}\",\"AuditOperationType\":\"Create\",\"ObjectType\":\"Enrollment Certificate\",\"ObjectName\":\"newcer\",\"ObjectID\":14502,\"CustomerID\":72060231147847680,\"User\":\"Admin@example.com\",\"ClientAuditUpdate\":0}",
"event": {
"action": "Create",
"category": [
"configuration"
],
"dataset": "audit",
"outcome": "success",
"type": [
"creation"
]
},
"@timestamp": "2026-02-11T10:49:18Z",
"observer": {
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"related": {
"user": [
"Admin@example.com"
]
},
"user": {
"name": "Admin@example.com"
},
"zscaler": {
"zpa": {
"audit": {
"new_value": "{\"allowSigning\":\"true\",\"certificate\":\"-----BEGIN CERTIFICATE-----XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-----END CERTIFICATE-----\",\"commonName\":\"72060231147847680-zpabeta.zpa-customer.com\\\\/newcer\",\"creationTimeInSeconds\":\"1770720558\",\"csr\":\"-----BEGIN CERTIFICATE REQUEST-----XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-----END CERTIFICATE REQUEST-----\",\"description\":\"a new cert\",\"expirationTimeInSeconds\":\"2716886958\",\"id\":\"14502\",\"issuedBy\":\"O=Zscaler,OU=Private Access,CN=72060231147847680-zpabeta.zpa-customer.com\\\\/newcer\",\"issuedTo\":\"O=Zscaler,OU=Private Access,CN=72060231147847680-zpabeta.zpa-customer.com\\\\/newcer\",\"name\":\"newcer\",\"serialNo\":\"250371527085282490163632033189348609407\",\"zrsaencryptedprivatekey\":\"-----BEGIN AES ENCRYPTED PRIVATE KEY-----XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-----END AES ENCRYPTED PRIVATE KEY-----\",\"zrsaencryptedsessionkey\":\"-----BEGIN ENCRYPTED AES SESSION KEY----------END ENCRYPTED AES SESSION KEY-----\"}",
"operation_type": "Create"
},
"object": {
"id": "14502",
"name": "newcer",
"type": "Enrollment Certificate"
}
}
}
}
{
"message": "{\"ModifiedTime\":\"\",\"CreationTime\":\"2026-02-12T08:22:08.000Z\",\"ModifiedBy\":72060231147847697,\"RequestID\":\"69c1bf1d-c2b7-4008-a9e0-2903af7e8fe3\",\"SessionID\":\"18tjuegja4bz4qtop9ihznnyq\",\"AuditOldValue\":\"\",\"AuditNewValue\":\"{\\\"loginAttempt\\\":\\\"2026-02-12 08:22:08 UTC\\\",\\\"remoteIP\\\":\\\"192.0.2.1\\\"}\",\"AuditOperationType\":\"Sign In\",\"ObjectType\":\"Authentication\",\"ObjectName\":\"Admin@example.com\",\"ObjectID\":72060231147847697,\"CustomerID\":72060231147847680,\"User\":\"Admin@example.com\",\"ClientAuditUpdate\":0}",
"event": {
"action": "Sign In",
"category": [
"authentication"
],
"dataset": "audit",
"outcome": "success",
"type": [
"start"
]
},
"@timestamp": "2026-02-12T08:22:08Z",
"observer": {
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"related": {
"user": [
"Admin@example.com"
]
},
"user": {
"name": "Admin@example.com"
},
"zscaler": {
"zpa": {
"audit": {
"new_value": "{\"loginAttempt\":\"2026-02-12 08:22:08 UTC\",\"remoteIP\":\"192.0.2.1\"}",
"operation_type": "Sign In"
},
"object": {
"id": "72060231147847697",
"name": "Admin@example.com",
"type": "Authentication"
}
}
}
}
{
"message": "{\"ModifiedTime\":\"\",\"CreationTime\":\"2026-02-16T15:20:30.000Z\",\"ModifiedBy\":72060231147847697,\"RequestID\":\"74973292-1a68-4b0d-ae54-0951b4e4ad2e\",\"SessionID\":\"hkjxqbb7109z1l0s5r82ddy4f\",\"AuditOldValue\":\"\",\"AuditNewValue\":\"\",\"AuditOperationType\":\"Session Time Out\",\"ObjectType\":\"Authentication\",\"ObjectName\":\"\",\"ObjectID\":72060231147847697,\"CustomerID\":72060231147847680,\"User\":\"Admin@example.com\",\"ClientAuditUpdate\":0}",
"event": {
"action": "Session Time Out",
"category": [
"session"
],
"dataset": "audit",
"outcome": "success",
"type": [
"end"
]
},
"@timestamp": "2026-02-16T15:20:30Z",
"observer": {
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"related": {
"user": [
"Admin@example.com"
]
},
"user": {
"name": "Admin@example.com"
},
"zscaler": {
"zpa": {
"audit": {
"operation_type": "Session Time Out"
},
"object": {
"id": "72060231147847697",
"type": "Authentication"
}
}
}
}
{
"message": "{\"ModifiedTime\":\"2026-02-17T13:43:30.000Z\",\"CreationTime\":\"2026-02-17T13:43:30.000Z\",\"ModifiedBy\":72060231147847697,\"RequestID\":\"8f3ac930-c287-430e-8d13-b6737c74db88\",\"SessionID\":\"knxlbmr791nzrsmvyxfbohoz\",\"AuditOldValue\":\"{\\\"policyType\\\":\\\"Access Policy\\\",\\\"name\\\":\\\"Allow Internal Application Group\\\",\\\"description\\\":\\\"\\\",\\\"action\\\":\\\"ALLOW\\\",\\\"conditions\\\":[{\\\"criteria\\\":[{\\\"name\\\":\\\"Internal Application Group\\\",\\\"id\\\":\\\"72060231147847684\\\",\\\"type\\\":\\\"Segment Group\\\"}],\\\"operator\\\":\\\"OR\\\"},{\\\"criteria\\\":[{\\\"name\\\":\\\"AU\\\",\\\"id\\\":\\\"AU\\\",\\\"type\\\":\\\"Country Code\\\"}],\\\"operator\\\":\\\"OR\\\"}],\\\"status\\\":\\\"enabled\\\"}\",\"AuditNewValue\":\"{\\\"policyType\\\":\\\"Access Policy\\\",\\\"name\\\":\\\"Allow Internal Application Group\\\",\\\"description\\\":\\\"\\\",\\\"action\\\":\\\"ALLOW\\\",\\\"conditions\\\":[{\\\"criteria\\\":[{\\\"name\\\":\\\"Internal Application Group\\\",\\\"id\\\":\\\"72060231147847684\\\",\\\"type\\\":\\\"Segment Group\\\"}],\\\"operator\\\":\\\"OR\\\"}],\\\"status\\\":\\\"enabled\\\"}\",\"AuditOperationType\":\"Update\",\"ObjectType\":\"Policy\",\"ObjectName\":\"Allow Internal Application Group\",\"ObjectID\":72060231147847686,\"CustomerID\":72060231147847680,\"User\":\"Admin@example.com\",\"ClientAuditUpdate\":0}",
"event": {
"action": "Update",
"category": [
"configuration"
],
"dataset": "audit",
"outcome": "success",
"type": [
"change"
]
},
"@timestamp": "2026-02-17T13:43:30Z",
"observer": {
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"related": {
"user": [
"Admin@example.com"
]
},
"user": {
"name": "Admin@example.com"
},
"zscaler": {
"zpa": {
"audit": {
"new_value": "{\"action\":\"ALLOW\",\"conditions\":[{\"criteria\":[{\"id\":\"72060231147847684\",\"name\":\"Internal Application Group\",\"type\":\"Segment Group\"}],\"operator\":\"OR\"}],\"description\":\"\",\"name\":\"Allow Internal Application Group\",\"policyType\":\"Access Policy\",\"status\":\"enabled\"}",
"old_value": "{\"action\":\"ALLOW\",\"conditions\":[{\"criteria\":[{\"id\":\"72060231147847684\",\"name\":\"Internal Application Group\",\"type\":\"Segment Group\"}],\"operator\":\"OR\"},{\"criteria\":[{\"id\":\"AU\",\"name\":\"AU\",\"type\":\"Country Code\"}],\"operator\":\"OR\"}],\"description\":\"\",\"name\":\"Allow Internal Application Group\",\"policyType\":\"Access Policy\",\"status\":\"enabled\"}",
"operation_type": "Update"
},
"object": {
"id": "72060231147847686",
"name": "Allow Internal Application Group",
"type": "Policy"
}
}
}
}
{
"message": "{\"ModifiedTime\":\"2026-02-17T13:43:37.000Z\",\"CreationTime\":\"2026-02-17T13:43:37.000Z\",\"ModifiedBy\":72060231147847697,\"RequestID\":\"68ddfa82-3dc9-4429-aaee-1f8f42550f65\",\"SessionID\":\"knxlbmr791nzrsmvyxfbohoz\",\"AuditOldValue\":\"{\\\"policyType\\\":\\\"Access Policy\\\",\\\"policyDescription\\\":\\\"The rules in this policy set are executed first.\\\",\\\"ruleOrders\\\":{\\\"allow everything\\\":3}}\",\"AuditNewValue\":\"{\\\"policyType\\\":\\\"Access Policy\\\",\\\"policyDescription\\\":\\\"The rules in this policy set are executed first.\\\",\\\"ruleOrders\\\":{\\\"allow everything\\\":2}}\",\"AuditOperationType\":\"Delete\",\"ObjectType\":\"PolicyReOrder\",\"ObjectName\":\"Access Policy\",\"ObjectID\":0,\"CustomerID\":72060231147847680,\"User\":\"Admin@example.com\",\"ClientAuditUpdate\":0}",
"event": {
"action": "Delete",
"category": [
"configuration"
],
"dataset": "audit",
"outcome": "success",
"type": [
"deletion"
]
},
"@timestamp": "2026-02-17T13:43:37Z",
"observer": {
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"related": {
"user": [
"Admin@example.com"
]
},
"user": {
"name": "Admin@example.com"
},
"zscaler": {
"zpa": {
"audit": {
"new_value": "{\"policyDescription\":\"The rules in this policy set are executed first.\",\"policyType\":\"Access Policy\",\"ruleOrders\":{\"allow everything\":2}}",
"old_value": "{\"policyDescription\":\"The rules in this policy set are executed first.\",\"policyType\":\"Access Policy\",\"ruleOrders\":{\"allow everything\":3}}",
"operation_type": "Delete"
},
"object": {
"id": "0",
"name": "Access Policy",
"type": "PolicyReOrder"
}
}
}
}
{
"message": "{\"LogTimestamp\":\"Wed Jul 3 05:12:25 2019\",\"ConnectionID\":\"\",\"Exporter\":\"unset\",\"TimestampRequestReceiveStart\":\"2019-07-03T05:12:25.723Z\",\"TimestampRequestReceiveHeaderFinish\":\"2019-07-03T05:12:25.723Z\",\"TimestampRequestReceiveFinish\":\"2019-07-03T05:12:25.723Z\",\"TimestampRequestTransmitStart\":\"2019-07-03T05:12:25.790Z\",\"TimestampRequestTransmitFinish\":\"2019-07-03T05:12:25.790Z\",\"TimestampResponseReceiveStart\":\"2019-07-03T05:12:25.791Z\",\"TimestampResponseReceiveFinish\":\"2019-07-03T05:12:25.791Z\",\"TimestampResponseTransmitStart\":\"2019-07-03T05:12:25.791Z\",\"TimestampResponseTransmitFinish\":\"2019-07-03T05:12:25.791Z\",\"TotalTimeRequestReceive\":127,\"TotalTimeRequestTransmit\":21,\"TotalTimeResponseReceive\":73,\"TotalTimeResponseTransmit\":13,\"TotalTimeConnectionSetup\":66995,\"TotalTimeServerResponse\":1349,\"Method\":\"GET\",\"Protocol\":\"HTTPS\",\"Host\":\"test.corp\",\"URL\":\"/speeddial-18.0.99-82-gd7ba322-dirty/media/HelveticaNeueLTStd-Regular.762cbf85.woff\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15\",\"XFF\":\"\",\"NameID\":\"admin@example.com\",\"StatusCode\":304,\"RequestSize\":615,\"ResponseSize\":331,\"ApplicationPort\":443,\"ClientPublicIp\":\"192.0.2.1\",\"ClientPublicPort\":50042,\"ClientPrivateIp\":\"\",\"Customer\":\"ANZ Team/zdemo in beta\",\"ConnectionStatus\":\"\",\"ConnectionReason\":\"\",\"Origin\":\"https://example.com\",\"CorsToken\":\"token_created\"}",
"event": {
"action": "Web access",
"category": [
"web"
],
"dataset": "browser-access",
"outcome": "success",
"type": [
"access"
]
},
"@timestamp": "2019-07-03T05:12:25Z",
"destination": {
"address": "test.corp",
"domain": "test.corp",
"port": 443,
"subdomain": "test"
},
"host": {
"name": "test.corp"
},
"http": {
"request": {
"bytes": 615,
"method": "GET"
},
"response": {
"bytes": 331,
"status_code": 304
}
},
"network": {
"protocol": "HTTPS"
},
"observer": {
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"organization": {
"name": "ANZ Team/zdemo in beta"
},
"related": {
"hosts": [
"test.corp"
],
"ip": [
"192.0.2.1"
],
"user": [
"admin@example.com"
]
},
"source": {
"address": "192.0.2.1",
"ip": "192.0.2.1",
"port": 50042
},
"url": {
"domain": "test.corp",
"original": "/speeddial-18.0.99-82-gd7ba322-dirty/media/HelveticaNeueLTStd-Regular.762cbf85.woff",
"path": "/speeddial-18.0.99-82-gd7ba322-dirty/media/HelveticaNeueLTStd-Regular.762cbf85.woff",
"port": 443,
"scheme": "https"
},
"user": {
"name": "admin@example.com"
},
"user_agent": {
"device": {
"name": "Mac"
},
"name": "Safari",
"original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15",
"os": {
"name": "Mac OS X",
"version": "10.14.5"
},
"version": "12.1.1"
}
}
{
"message": "{\"LogTimestamp\": \"Fri May 31 17:35:42 2019\",\"Customer\": \"ANZ Team/zdemo in beta\",\"SessionID\": \"SqyZIMkg0JTj7EABsvwA\",\"ConnectionID\": \"SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm\",\"InternalReason\": \"\",\"ConnectionStatus\": \"active\",\"IPProtocol\": 6,\"DoubleEncryption\": 0,\"Username\": \"TestUser\",\"ServicePort\": 10011,\"ClientPublicIP\": \"192.0.2.100\",\"ClientPrivateIP\": \"\",\"ClientLatitude\": 45.000000,\"ClientLongitude\": -119.000000,\"ClientCountryCode\": \"US\",\"ClientZEN\": \"broker1b.pdx2\",\"Policy\": \"ANZ Lab Apps_1\",\"Connector\": \"connector.test.corp\",\"ConnectorZEN\": \"broker1b.pdx2\",\"ConnectorIP\": \"192.0.2.2\",\"ConnectorPort\": 60266,\"Host\": \"endpoint.test.corp\",\"Application\": \"ANZ Lab Apps\",\"AppGroup\": \"ANZ Lab Apps\",\"Server\": \"0\",\"ServerIP\": \"192.0.2.1\",\"ServerPort\": 10011,\"PolicyProcessingTime\": 28,\"CAProcessingTime\": 1330,\"ConnectorZENSetupTime\": 191017,\"ConnectionSetupTime\": 192397,\"ServerSetupTime\": 465,\"AppLearnTime\": 0,\"TimestampConnectionStart\": \"2019-05-30T08:20:42.230Z\",\"TimestampConnectionEnd\": \"\",\"TimestampCATx\": \"2019-05-30T08:20:42.230Z\",\"TimestampCARx\": \"2019-05-30T08:20:42.231Z\",\"TimestampAppLearnStart\": \"\",\"TimestampZENFirstRxClient\": \"2019-05-30T08:20:42.424Z\",\"TimestampZENFirstTxClient\": \"\",\"TimestampZENLastRxClient\": \"2019-05-31T17:34:27.348Z\",\"TimestampZENLastTxClient\": \"\",\"TimestampConnectorZENSetupComplete\": \"2019-05-30T08:20:42.422Z\",\"TimestampZENFirstRxConnector\": \"\",\"TimestampZENFirstTxConnector\": \"2019-05-30T08:20:42.424Z\",\"TimestampZENLastRxConnector\": \"\",\"TimestampZENLastTxConnector\": \"2019-05-31T17:34:27.348Z\",\"ZENTotalBytesRxClient\": 2406926,\"ZENBytesRxClient\": 7115,\"ZENTotalBytesTxClient\": 0,\"ZENBytesTxClient\": 0,\"ZENTotalBytesRxConnector\": 0,\"ZENBytesRxConnector\": 0,\"ZENTotalBytesTxConnector\": 2406926,\"ZENBytesTxConnector\": 7115,\"Idp\": \"iam.test.corp\", \"ClientToClient\": \"0\", \"ClientCity\": \"San Jose\", \"MicroTenantID\": \"145257480799129312\", \"AppMicrotenantID\": \"145257480799129312\", \"Platform\": \"windows\", \"Hostname\": \"DESKTOP-P669MN4\", \"PRAApprovalID\": \"15787\", \"PRACapabilityPolicyID\": \"72057597259256663\", \"PRAConsoleType\": \"SSH\", \"PRACredentialUserName\": \"SafemarchUser\", \"PRACredentialLoginType\": \"Username-Password\", \"PRACredentialPolicyID\": \"72057597259256964\", \"PRAConnectionID\": \"$b381e220-fb0f-4dc5-9c2a-e3e0fb2e5efb\", \"PRAErrorStatus\": \"Upstream Error\", \"PRAFileTransferList\": {\"file_list\":[{\"name\":\"/d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8.elf\",\"action\":\"Upload\",\"status\":\"Inspection denied upload\",\"start_ts\":1704225544,\"end_ts\":1704225547,\"inspected\":\"True\",\"file_type\":\"elf\",\"md5\":\"4DDE761681684D7EDAD4E5E1FFDB940B\",\"inspection_verdict\":{\"code\": 200,\"message\": \"response OK\",\"virusName\": \"iot.trojan.gafgyt.botnet\",\"virusType\": \"Virus\",\"fileType\": \"elf\",\"md5\": \"4DDE761681684D7EDAD4E5E1FFDB940B\",\"sandboxSubmission\": \"Virus\"},\"inspection_time\":\"less than 1 second\"},{\"name\":\"/4ce39251817198bbec7b84782507394e7d68bfe3a79b89be363f0c1e05558ef1.zip\",\"action\":\"Upload\",\"status\":\"Inspection denied upload\",\"start_ts\":1704225552,\"end_ts\":1704225557,\"inspected\":\"True\",\"file_type\":\"zip\",\"md5\":\"F5F7995BACD88A4BCF2D69DF063184AB\",\"inspection_verdict\":{\"code\": 200,\"message\": \"File not submitted to Sandbox\",\"fileType\": \"zip\",\"md5\": \"F5F7995BACD88A4BCF2D69DF063184AB\",\"sandboxSubmission\": \"File not Submitted to Sandbox\"},\"inspection_time\":\"less than 1 second\"},{\"name\":\"/4ce39251817198bbec7b84782507394e7d68bfe3a79b89be363f0c1e05558ef1.xlsx\",\"action\":\"Upload\",\"status\":\"Inspection denied upload\",\"start_ts\":1704225568,\"end_ts\":1704225573,\"inspected\":\"True\",\"file_type\":\"xlsx\",\"md5\":\"FF43FB09E69439FCD3DD8196F5BCE11F\",\"inspection_verdict\":{\"code\": 200,\"message\": \"response OK\",\"virusName\": \"xls.downloader.qakbot\",\"virusType\": \"Sandbox Malware\",\"fileType\": \"xlsx\",\"md5\": \"FF43FB09E69439FCD3DD8196F5BCE11F\",\"sandboxSubmission\": \"Sandbox Malware\"},\"inspection_time\":\"less than 1 second\"},{\"name\":\"/Populate_Existing_Flags_And_Overrides.xlsx\",\"action\":\"Upload\",\"status\":\"Success\",\"start_ts\":1704225591,\"end_ts\":1704225593,\"inspected\":\"True\",\"file_type\":\"xlsx\",\"md5\":\"D1A0596352BE4A1260B0419C7046F8FA\",\"inspection_verdict\":{\"code\": 200,\"message\": \"No active content found. File not suspicious\",\"fileType\": \"xlsx\",\"md5\": \"D1A0596352BE4A1260B0419C7046F8FA\",\"sandboxSubmission\": \"File not Submitted to Sandbox\"},\"inspection_time\":\"less than 1 second\"}]}, \"PRARecordingStatus\": \"Available\", \"PRASharedUserList\": {\"shared_user_list\":[{\"name\":\"lisa@example.com\"}]}, \"PRASessionType\": \"PRA\", \"PRASharedMode\": \"control\"}",
"event": {
"action": "User activity",
"category": [
"network"
],
"dataset": "user-activity",
"outcome": "success",
"type": [
"info"
]
},
"@timestamp": "2019-05-31T17:35:42Z",
"cloud": {
"account": {
"id": "145257480799129312"
}
},
"destination": {
"address": "endpoint.test.corp",
"domain": "endpoint.test.corp",
"ip": "192.0.2.1",
"port": 10011,
"subdomain": "endpoint.test"
},
"host": {
"name": "connector.test.corp",
"os": {
"type": "windows"
}
},
"network": {
"iana_number": "6"
},
"observer": {
"hostname": "broker1b.pdx2",
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"organization": {
"name": "ANZ Team/zdemo in beta"
},
"related": {
"hosts": [
"broker1b.pdx2",
"endpoint.test.corp"
],
"ip": [
"192.0.2.1",
"192.0.2.100"
],
"user": [
"TestUser"
]
},
"service": {
"name": "ANZ Lab Apps"
},
"source": {
"address": "192.0.2.100",
"geo": {
"city_name": "San Jose",
"country_iso_code": "US",
"location": {
"lat": 45.0,
"lon": -119.0
}
},
"ip": "192.0.2.100"
},
"url": {
"domain": "endpoint.test.corp",
"subdomain": "endpoint.test"
},
"user": {
"domain": "iam.test.corp",
"name": "TestUser"
},
"zscaler": {
"zpa": {
"access_policy_name": "ANZ Lab Apps_1",
"app_connector": {
"ip": "192.0.2.2",
"name": "connector.test.corp",
"port": 60266,
"zen": "broker1b.pdx2"
},
"app_group_name": "ANZ Lab Apps"
}
}
}
{
"message": "{\"LogTimestamp\": \"Fri May 31 17:34:48 2019\",\"Customer\": \"ANZ Team/zdemo in beta\",\"Username\": \"TestUser\",\"SessionID\": \"cKgzUERSLl09Y+ytH8v5\",\"SessionStatus\": \"ZPN_STATUS_AUTHENTICATED\",\"Version\": \"19.12.0-36-g87dad18\",\"ZEN\": \"broker1b.pdx2\",\"CertificateCN\": \"slogger1b.pdx2.zpabeta.net\",\"PrivateIP\": \"\",\"PublicIP\": \"192.0.2.1\",\"Latitude\": 45.000000,\"Longitude\": -119.000000,\"CountryCode\": \"US\",\"TimestampAuthentication\": \"2019-05-29T21:18:38.000Z\",\"TimestampUnAuthentication\": \"\",\"TotalBytesRx\": 31274866,\"TotalBytesTx\": 25424152,\"Idp\": \"iam.test.corp\",\"Hostname\": \"endpoint.test.corp\",\"Platform\": \"windows\",\"ClientType\": \"zpn_client_type_zapp\",\"TrustedNetworks\": \"TN1_stc1\",\"TrustedNetworksNames\": \"145248739,466947538\",\"SAMLAttributes\": \"myname:jdoe,myemail:jdoe@example.com\",\"PosturesHit\": \"sm-posture1,sm-posture2\",\"PosturesMisses\": \"sm-posture11,sm-posture12\",\"ZENLatitude\": 47.000000,\"ZENLongitude\": -122.000000,\"ZENCountryCode\": \"\", \"FQDNRegistered\": \"0\",\"FQDNRegisteredError\": \"\",\"City\": \"San Jose\", \"MicroTenantID\": \"145257480799129312\"}",
"event": {
"action": "Session status",
"category": [
"session"
],
"dataset": "user-status",
"outcome": "success",
"type": [
"info"
]
},
"@timestamp": "2019-05-31T17:34:48Z",
"cloud": {
"account": {
"id": "145257480799129312"
}
},
"destination": {
"bytes": 31274866
},
"host": {
"name": "endpoint.test.corp",
"os": {
"type": "windows"
}
},
"observer": {
"hostname": "broker1b.pdx2",
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"organization": {
"name": "ANZ Team/zdemo in beta"
},
"related": {
"hosts": [
"broker1b.pdx2"
],
"ip": [
"192.0.2.1"
],
"user": [
"TestUser"
]
},
"source": {
"address": "192.0.2.1",
"bytes": 25424152,
"geo": {
"city_name": "San Jose",
"country_iso_code": "US",
"location": {
"lat": 45.0,
"lon": -119.0
}
},
"ip": "192.0.2.1"
},
"tls": {
"client": {
"x509": {
"subject": {
"common_name": "slogger1b.pdx2.zpabeta.net"
}
}
}
},
"user": {
"domain": "iam.test.corp",
"name": "TestUser"
},
"zscaler": {
"zpa": {
"client_connector_version": "19.12.0-36-g87dad18",
"client_type": "zpn_client_type_zapp",
"trusted_networks": {
"ids": [
"TN1_stc1"
],
"names": [
"145248739",
"466947538"
]
}
}
}
}
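As an added example (not the Sekoia.io parser, whose code is linked further down), the following Python rebuilds the raw user-status `message` of the sample above and applies the same mapping: ctime-style `LogTimestamp` to `@timestamp`, `TotalBytesRx`/`TotalBytesTx` to `destination.bytes`/`source.bytes`, and the comma-packed trusted-network and posture lists to arrays. The `outcome` derivation from `SessionStatus` and the `posture` field placement are this example's assumptions, guided by the field table.

```python
import json
from datetime import datetime, timezone

# Constructed input: the raw LSS "message" of the user-status sample above
# (json log template), rebuilt as a dict and re-serialised.
RAW_USER_STATUS = json.dumps({
    "LogTimestamp": "Fri May 31 17:34:48 2019",
    "Customer": "ANZ Team/zdemo in beta",
    "Username": "TestUser",
    "SessionStatus": "ZPN_STATUS_AUTHENTICATED",
    "Version": "19.12.0-36-g87dad18",
    "ZEN": "broker1b.pdx2",
    "CertificateCN": "slogger1b.pdx2.zpabeta.net",
    "PrivateIP": "",
    "PublicIP": "192.0.2.1",
    "CountryCode": "US",
    "City": "San Jose",
    "TotalBytesRx": 31274866,
    "TotalBytesTx": 25424152,
    "Idp": "iam.test.corp",
    "Hostname": "endpoint.test.corp",
    "Platform": "windows",
    "ClientType": "zpn_client_type_zapp",
    "TrustedNetworks": "TN1_stc1",
    "TrustedNetworksNames": "145248739,466947538",
    "PosturesHit": "sm-posture1,sm-posture2",
    "PosturesMisses": "sm-posture11,sm-posture12",
    "MicroTenantID": "145257480799129312",
})


def parse_log_timestamp(value: str) -> str:
    """Convert the ctime-style LogTimestamp ("Fri May 31 17:34:48 2019", or
    "Wed Jul  3 ..." with a space-padded day) to the ISO form used for @timestamp."""
    parsed = datetime.strptime(" ".join(value.split()), "%a %b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def split_csv(value: str) -> list[str]:
    """LSS packs lists (trusted networks, postures) as comma-separated strings."""
    return [item for item in value.split(",") if item]


def normalise_user_status(message: str) -> dict:
    """Map one raw user-status record to the ECS-style layout of the sample above."""
    raw = json.loads(message)
    # Assumption of this example: any SessionStatus other than
    # ZPN_STATUS_AUTHENTICATED is reported as a failed session.
    outcome = "success" if raw["SessionStatus"] == "ZPN_STATUS_AUTHENTICATED" else "failure"
    event = {
        "@timestamp": parse_log_timestamp(raw["LogTimestamp"]),
        "event": {"action": "Session status", "category": ["session"],
                  "dataset": "user-status", "outcome": outcome, "type": ["info"]},
        "cloud": {"account": {"id": raw["MicroTenantID"]}},
        # As in the sample: TotalBytesRx -> destination.bytes, TotalBytesTx -> source.bytes.
        "destination": {"bytes": raw["TotalBytesRx"]},
        "source": {"address": raw["PublicIP"], "ip": raw["PublicIP"], "bytes": raw["TotalBytesTx"],
                   "geo": {"city_name": raw["City"], "country_iso_code": raw["CountryCode"]}},
        "host": {"name": raw["Hostname"], "os": {"type": raw["Platform"]}},
        "observer": {"hostname": raw["ZEN"], "product": "Private Access",
                     "type": "cloud", "vendor": "Zscaler"},
        "organization": {"name": raw["Customer"]},
        "tls": {"client": {"x509": {"subject": {"common_name": raw["CertificateCN"]}}}},
        "user": {"domain": raw["Idp"], "name": raw["Username"]},
        "zscaler": {"zpa": {
            "client_connector_version": raw["Version"],
            "client_type": raw["ClientType"],
            "trusted_networks": {"ids": split_csv(raw["TrustedNetworks"]),
                                 "names": split_csv(raw["TrustedNetworksNames"])},
            # Placement per the field table (zscaler.zpa.posture.hit / .miss).
            "posture": {"hit": split_csv(raw["PosturesHit"]),
                        "miss": split_csv(raw["PosturesMisses"])},
        }},
    }
    # PrivateIP is empty for this client; when present it is the NAT-side address
    # (compare source.nat.ip in the App Connector status sample).
    if raw.get("PrivateIP"):
        event["source"]["nat"] = {"ip": raw["PrivateIP"]}
    event["related"] = {
        "hosts": [raw["ZEN"]],
        "ip": [ip for ip in (raw["PublicIP"], raw.get("PrivateIP")) if ip],
        "user": [raw["Username"]],
    }
    return event


if __name__ == "__main__":
    print(json.dumps(normalise_user_status(RAW_USER_STATUS), indent=2))
```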
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that inferred fields are not listed.
| Name | Type | Description |
|---|---|---|
| @timestamp | date | Date/time when the event originated. |
| cloud.account.id | keyword | The cloud account or organization id. |
| destination.bytes | long | Bytes sent from the destination to the source. |
| destination.domain | keyword | The domain name of the destination. |
| destination.ip | ip | IP address of the destination. |
| destination.port | long | Port of the destination. |
| event.action | keyword | The action captured by the event. |
| event.category | keyword | Event category. The second categorization field in the hierarchy. |
| event.dataset | keyword | Name of the dataset. |
| event.kind | keyword | The kind of the event. The highest categorization field in the hierarchy. |
| event.outcome | keyword | The outcome of the event. The lowest level categorization field in the hierarchy. |
| event.reason | keyword | Reason why this event happened, according to the source. |
| event.type | keyword | Event type. The third categorization field in the hierarchy. |
| host.name | keyword | Name of the host. |
| host.os.type | keyword | Which commercial OS family (one of: linux, macos, unix or windows). |
| http.request.body.bytes | long | Size in bytes of the request body. |
| http.request.bytes | long | Total size in bytes of the request (body and headers). |
| http.request.method | keyword | HTTP request method. |
| http.response.body.bytes | long | Size in bytes of the response body. |
| http.response.bytes | long | Total size in bytes of the response (body and headers). |
| http.response.status_code | long | HTTP response status code. |
| http.version | keyword | HTTP version. |
| network.bytes | long | Total bytes transferred in both directions. |
| network.iana_number | keyword | IANA Protocol Number. |
| network.protocol | keyword | Application protocol name. |
| observer.hostname | keyword | Hostname of the observer. |
| observer.product | keyword | The product name of the observer. |
| observer.type | keyword | The type of the observer the data is coming from. |
| observer.vendor | keyword | Vendor name of the observer. |
| organization.name | keyword | Organization name. |
| service.name | keyword | Name of the service. |
| source.bytes | long | Bytes sent from the source to the destination. |
| source.geo.city_name | keyword | City name. |
| source.geo.country_iso_code | keyword | Country ISO code. |
| source.ip | ip | IP address of the source. |
| source.nat.ip | ip | Source NAT IP. |
| source.port | long | Port of the source. |
| tls.client.x509.subject.common_name | keyword | List of common names (CN) of subject. |
| url.domain | keyword | Domain of the url. |
| url.original | wildcard | Unmodified original url as seen in the event source. |
| url.path | wildcard | Path of the request, such as "/search". |
| url.scheme | keyword | Scheme of the url. |
| user.domain | keyword | Name of the directory the user is a member of. |
| user.name | keyword | Short name or login of the user. |
| user_agent.original | keyword | Unparsed user_agent string. |
| zscaler.zpa.access_policy_name | text | The access policy rule name. |
| zscaler.zpa.app_connector.group_name | text | The App Connector group name. |
| zscaler.zpa.app_connector.ip | ip | The source IP address of the App Connector. |
| zscaler.zpa.app_connector.name | text | The App Connector name. |
| zscaler.zpa.app_connector.port | number | The source port of the App Connector. |
| zscaler.zpa.app_connector.version | text | The App Connector package version. |
| zscaler.zpa.app_connector.zen | text | The ZPA Public Service Edge that sent the request from the App Connector. |
| zscaler.zpa.app_group_name | text | The application group name. |
| zscaler.zpa.audit.new_value | text | The new value that was changed if the action type is create, sign in, or update. If the modified object is policy related, the value depends on the policy type. |
| zscaler.zpa.audit.old_value | text | The previous value that was changed if the action type is delete, sign out, or update. If the modified object is policy related, the value depends on the policy type. |
| zscaler.zpa.audit.operation_type | text | The action performed. The expected values for this field: Create, Client Session Revoked, Delete, Download, Sign In, Sign In Failure, Sign Out, Update. |
| zscaler.zpa.client_connector_version | text | The Zscaler Client Connector version. |
| zscaler.zpa.client_type | text | The client type for the request (i.e., Zscaler Client Connector, ZPA LSS, or Web Browser). |
| zscaler.zpa.inspection.controls_hit_count | number | The number of AppProtection control hits. |
| zscaler.zpa.inspection.policy | text | The AppProtection policy. |
| zscaler.zpa.inspection.profile | text | The AppProtection profile. |
| zscaler.zpa.object.id | text | The ID associated with the object name. |
| zscaler.zpa.object.name | text | The name of the object. This corresponds to the Resource Name in the Audit Log page. |
| zscaler.zpa.object.type | text | The location within the ZPA Admin Portal where the Action was performed. This corresponds to the Resource Type on the Audit Log page. |
| zscaler.zpa.paranoia_level | text | The OWASP Predefined Paranoia Level. |
| zscaler.zpa.posture.hit | text | The posture profiles that the Zscaler Client Connector verified for this device. |
| zscaler.zpa.posture.miss | text | The posture profiles that the Zscaler Client Connector failed to verify for this device. |
| zscaler.zpa.trusted_networks.ids | text | The unique IDs for the trusted networks that the Zscaler Client Connector has determined for this device. |
| zscaler.zpa.trusted_networks.names | text | The names for the trusted networks that the Zscaler Client Connector has determined for this device. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Event Categories
The following table lists the data sources offered by this integration.
| Data Source | Description |
|---|---|
| Network device logs | Zscaler ZPA can monitor the network traffic to internal applications |
| Web logs | Zscaler ZPA monitors access to internal web applications |
| Web application firewall logs | Using AppProtection, Zscaler ZPA can monitor web threats and trigger alerts based on protection policies |
| Authentication logs | Zscaler ZPA authenticates the users and devices trying to access internal applications |
In detail, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | alert |
| Category | `` |
| Type | `` |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\"LogTimestamp\": \"Wed Jul 3 05:17:22 2019\",\"Customer\": \"Safe March\",\"SessionID\": \"8A64Qwj9zCkfYDGJVoUZ\",\"SessionType\": \"ZPN_ASSISTANT_BROKER_CONTROL\",\"SessionStatus\": \"ZPN_STATUS_AUTHENTICATED\",\"Version\": \"19.20.3\",\"Platform\": \"el7\",\"ZEN\": \"US-NY-8179\",\"Connector\": \"connector.test.corp\",\"ConnectorGroup\": \"Azure App Connectors\",\"PrivateIP\": \"10.0.0.4\",\"PublicIP\": \"192.0.2.2\",\"Latitude\": 47.000000,\"Longitude\": -122.000000,\"CountryCode\": \"\",\"TimestampAuthentication\": \"2019-06-27T05:05:23.348Z\",\"TimestampUnAuthentication\": \"\",\"CPUUtilization\": 1,\"MemUtilization\": 20,\"ServiceCount\": 2,\"InterfaceDefRoute\": \"eth0\",\"DefRouteGW\": \"10.0.0.1\",\"PrimaryDNSResolver\": \"168.63.129.16\",\"HostStartTime\": \"1513229995\",\"ConnectorStartTime\": \"1555920005\",\"NumOfInterfaces\": 2,\"BytesRxInterface\": 319831966346,\"PacketsRxInterface\": 1617569938,\"ErrorsRxInterface\": 0,\"DiscardsRxInterface\": 0,\"BytesTxInterface\": 192958782635,\"PacketsTxInterface\": 1797471190,\"ErrorsTxInterface\": 0,\"DiscardsTxInterface\": 0,\"TotalBytesRx\": 10902554,\"TotalBytesTx\": 48931771, \"MicroTenantID\": \"145257480799129312\"}",
"event": {
"action": "Session status",
"category": [
"session"
],
"dataset": "app-connector-status",
"outcome": "success",
"type": [
"info"
]
},
"@timestamp": "2019-07-03T05:17:22Z",
"cloud": {
"account": {
"id": "145257480799129312"
}
},
"destination": {
"bytes": 10902554
},
"host": {
"name": "connector.test.corp",
"os": {
"type": "el7"
}
},
"observer": {
"hostname": "US-NY-8179",
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"organization": {
"name": "Safe March"
},
"related": {
"hosts": [
"US-NY-8179"
],
"ip": [
"10.0.0.4",
"192.0.2.2"
]
},
"source": {
"address": "192.0.2.2",
"bytes": 48931771,
"geo": {
"location": {
"lat": 47.0,
"lon": -122.0
}
},
"ip": "192.0.2.2",
"nat": {
"ip": "10.0.0.4"
}
},
"zscaler": {
"zpa": {
"app_connector": {
"group_name": "Azure App Connectors",
"version": "19.20.3"
}
}
}
}
{
"message": "{\"LogTimestamp\": \"Tue Feb 17 14:28:57 2026\",\"Customer\": \"Test Corp\",\"SessionID\": \"\",\"SessionType\": \"ZPN_ASSISTANT_BROKER_LOG\",\"SessionStatus\": \"ZPN_STATUS_AUTHENTICATED\",\"Version\": \"\",\"Platform\": \"\",\"ZEN\": \"BETA-DE-8578\",\"Connector\": \"connector.test.corp\",\"ConnectorGroup\": \"Test\",\"PrivateIP\": \"\",\"PublicIP\": \"192.0.2.1\",\"Latitude\": 0.000000,\"Longitude\": 0.000000,\"CountryCode\": \"\",\"TimestampAuthentication\": \"2026-02-17T14:28:57.679Z\",\"TimestampUnAuthentication\": \"\",\"CPUUtilization\": 0,\"MemUtilization\": 0,\"ServiceCount\": 0,\"InterfaceDefRoute\": \"\",\"DefRouteGW\": \"\",\"PrimaryDNSResolver\": \"\",\"HostStartTime\": \"0\",\"ConnectorStartTime\": \"0\",\"NumOfInterfaces\": 0,\"BytesRxInterface\": 0,\"PacketsRxInterface\": 0,\"ErrorsRxInterface\": 0,\"DiscardsRxInterface\": 0,\"BytesTxInterface\": 0,\"PacketsTxInterface\": 0,\"ErrorsTxInterface\": 0,\"DiscardsTxInterface\": 0,\"TotalBytesRx\": 1104942,\"TotalBytesTx\": 261877,\"MicroTenantID\": \"0\"}",
"event": {
"action": "Session status",
"category": [
"session"
],
"dataset": "app-connector-status",
"outcome": "success",
"type": [
"info"
]
},
"@timestamp": "2026-02-17T14:28:57Z",
"cloud": {
"account": {
"id": "0"
}
},
"destination": {
"bytes": 1104942
},
"host": {
"name": "connector.test.corp"
},
"observer": {
"hostname": "BETA-DE-8578",
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"organization": {
"name": "Test Corp"
},
"related": {
"hosts": [
"BETA-DE-8578"
],
"ip": [
"192.0.2.1"
]
},
"source": {
"address": "192.0.2.1",
"bytes": 261877,
"ip": "192.0.2.1"
},
"zscaler": {
"zpa": {
"app_connector": {
"group_name": "Test"
}
}
}
}
{
"message": "{\"LogTimestamp\": \"Fri Sep 16 16:34:18 2022\",\"Customer\": \"SafemarchTestUser\", \"ConnectionID\": \"cg698XMrXoY9OfjUSURh,EUtFPDqC5AzvQpL+DjAV\", \"UserID\": \"testuser@test.corp\", \"AssistantID\": \"test-key-1650457413478\", \"ExchangeSequenceIndex\": 0, \"TimestampRequestReceiveStart\": 1663346058860810, \"TimestampRequestReceiveHeaderFinish\": 1663346058860833, \"TimestampRequestReceiveFinish\": 1663346058861590, \"TimestampRequestTransmitStart\": 0, \"TimestampRequestTransmitFinish\": 0, \"TimestampResponseReceiveFinish\": 1663346058866909, \"TimestampResponseTransmitStart\": 0, \"TimestampResponseTransmitFinish\": 1663346058866941, \"TotalTimeRequestReceive\": 0, \"TotalTimeRequestTransmit\": 0, \"TotalTimeResponseReceive\": 58, \"TotalTimeResponseTransmit\": 0, \"Domain\": \"test.corp\", \"Method\": \"GET\", \"Protocol\": \"1.1\", \"ProtocolVersion\": \"\", \"ContentType\": \"\", \"ContentEncoding\": \"\", \"TransferEncoding\": \"\", \"Host\": \"test.corp\", \"Destination\": \"test.corp\", \"OriginDomain\": \"\", \"URL\": \"/\", \"UserAgent\": \"curl/7.68.0\", \"HTTPError\": \"success\", \"ClientPublicIp\": \"192.0.2.1\", \"ClientPort\": 0, \"UpgradeHeaderPresent\": 0, \"StatusCode\": 301, \"RequestHdrSize\": 42, \"ResponseHdrSize\": 210, \"RequestBodySize\": 0, \"ResponseBodySize\": 0, \"Application\": 145254438888544148, \"ApplicationGroup\": 145254438888544129, \"InspectionPolicy\": 145254438888543730, \"InspectionProfile\": 145254438888538683, \"ParanoiaLevel\": 4, \"InspectionControlsHitCount\": 0, \"InspectionRuleProcessingTime\": 0, \"InspectionReqHeadersProcessingTime\": 736, \"InspectionReqBodyProcessingTime\": 973, \"InspectionRespHeadersProcessingTime\": 29, \"InspectionRespBodyProcessingTime\": 2, \"CertificateId\": 145254438888538207, \"DoubleEncryption\": 1, \"SSLInspection\": 1, \"TotalBytesProcessed\": 0}",
"event": {
"action": "Inspect",
"category": [
"network"
],
"dataset": "appprotection",
"outcome": "success",
"type": [
"info"
]
},
"@timestamp": "2022-09-16T16:34:18Z",
"destination": {
"address": "test.corp",
"domain": "test.corp",
"subdomain": "test"
},
"host": {
"name": "test.corp"
},
"http": {
"request": {
"body": {
"bytes": 0
},
"bytes": 42,
"method": "GET"
},
"response": {
"body": {
"bytes": 0
},
"bytes": 210,
"status_code": 301
},
"version": "1.1"
},
"network": {
"bytes": 0,
"protocol": "1.1"
},
"observer": {
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"organization": {
"name": "SafemarchTestUser"
},
"related": {
"hosts": [
"test.corp"
],
"ip": [
"192.0.2.1"
],
"user": [
"testuser@test.corp"
]
},
"service": {
"name": "145254438888544148"
},
"source": {
"address": "192.0.2.1",
"ip": "192.0.2.1"
},
"url": {
"domain": "test.corp",
"original": "/",
"path": "/"
},
"user": {
"name": "testuser@test.corp"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "curl",
"original": "curl/7.68.0",
"os": {
"name": "Other"
},
"version": "7.68.0"
},
"zscaler": {
"zpa": {
"app_group_name": "145254438888544129",
"inspection": {
"controls_hit_count": 0,
"policy": "145254438888543730",
"profile": "145254438888538683"
},
"paranoia_level": "4"
}
}
}
{
"message": "{\"ModifiedTime\": \"2020-07-13T20:53:10.000Z\",\"CreationTime\":\"2020-07-13T20:53:10.000Z\",\"ModifiedBy\":11223344556677889,\"RequestID\":\"a12aa12a-1234-aab1-123ab123456a\",\"AuditOldValue\":\"\",\"AuditNewValue\":{\"id\":\"98765432100123456\",\"name\":\"app1.test.com\",\"applicationId\":\"12312312312312300\",\"applicationPort\":\"443\",\"applicationProtocol\":\"HTTPS\",\"certificateId\":\"10203040506070809\",\"domain\":\"app1.test.com\",\"enabled\":\"true\",\"hidden\":\"false\",\"path\":\"/\",\"portal\":\"false\",\"trustUntrustedCert\":\"true\"},\"AuditOperationType\":\"Create\",\"ObjectType\":\"Browser Access\",\"ObjectName\":\"app1.test.com\",\"ObjectID\":98765432100123456,\"CustomerID\":12345678901234567,\"ModifiedByUser\":\"zpaadmin@test.com\", \"ClientAuditUpdate\":\"0\"}",
"event": {
"action": "Create",
"category": [
"configuration"
],
"dataset": "audit",
"outcome": "success",
"type": [
"creation"
]
},
"@timestamp": "2020-07-13T20:53:10Z",
"observer": {
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"related": {
"user": [
"zpaadmin@test.com"
]
},
"user": {
"name": "zpaadmin@test.com"
},
"zscaler": {
"zpa": {
"audit": {
"new_value": "{\"applicationId\":\"12312312312312300\",\"applicationPort\":\"443\",\"applicationProtocol\":\"HTTPS\",\"certificateId\":\"10203040506070809\",\"domain\":\"app1.test.com\",\"enabled\":\"true\",\"hidden\":\"false\",\"id\":\"98765432100123456\",\"name\":\"app1.test.com\",\"path\":\"/\",\"portal\":\"false\",\"trustUntrustedCert\":\"true\"}",
"operation_type": "Create"
},
"object": {
"id": "98765432100123456",
"name": "app1.test.com",
"type": "Browser Access"
}
}
}
}
{
"message": "{\"ModifiedTime\":\"\",\"CreationTime\":\"2026-02-11T11:19:51.000Z\",\"ModifiedBy\":72060231147847697,\"RequestID\":\"d3af8c3a-1279-4a5d-8071-be9f4ec06c24\",\"SessionID\":\"drchh5slvpj6mhxvv0hkftqu\",\"AuditOldValue\":\"\",\"AuditNewValue\":\"\",\"AuditOperationType\":\"Sign Out\",\"ObjectType\":\"Authentication\",\"ObjectName\":\"72060231147847697\",\"ObjectID\":72060231147847697,\"CustomerID\":72060231147847680,\"User\":\"Admin@example.com\",\"ClientAuditUpdate\":0}",
"event": {
"action": "Sign Out",
"category": [
"authentication"
],
"dataset": "audit",
"outcome": "success",
"type": [
"end"
]
},
"@timestamp": "2026-02-11T11:19:51Z",
"observer": {
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"related": {
"user": [
"Admin@example.com"
]
},
"user": {
"name": "Admin@example.com"
},
"zscaler": {
"zpa": {
"audit": {
"operation_type": "Sign Out"
},
"object": {
"id": "72060231147847697",
"name": "72060231147847697",
"type": "Authentication"
}
}
}
}
{
"message": "{\"ModifiedTime\":\"2026-02-11T10:49:18.000Z\",\"CreationTime\":\"2026-02-11T10:49:18.000Z\",\"ModifiedBy\":72060231147847697,\"RequestID\":\"822d0c54-c14f-4078-b5b5-d92fb04cd3a2\",\"SessionID\":\"1ax18zeic1es010iajmkkhxcid\",\"AuditOldValue\":\"\",\"AuditNewValue\":\"{\\\"id\\\":\\\"14502\\\",\\\"commonName\\\":\\\"72060231147847680-zpabeta.zpa-customer.com\\\\/newcer\\\",\\\"certificate\\\":\\\"-----BEGIN CERTIFICATE-----XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-----END CERTIFICATE-----\\\",\\\"issuedBy\\\":\\\"O=Zscaler,OU=Private Access,CN=72060231147847680-zpabeta.zpa-customer.com\\\\/newcer\\\",\\\"issuedTo\\\":\\\"O=Zscaler,OU=Private Access,CN=72060231147847680-zpabeta.zpa-customer.com\\\\/newcer\\\",\\\"serialNo\\\":\\\"250371527085282490163632033189348609407\\\",\\\"creationTimeInSeconds\\\":\\\"1770720558\\\",\\\"expirationTimeInSeconds\\\":\\\"2716886958\\\",\\\"allowSigning\\\":\\\"true\\\",\\\"csr\\\":\\\"-----BEGIN CERTIFICATE REQUEST-----XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-----END CERTIFICATE REQUEST-----\\\",\\\"description\\\":\\\"a new cert\\\",\\\"name\\\":\\\"newcer\\\",\\\"zrsaencryptedprivatekey\\\":\\\"-----BEGIN AES ENCRYPTED PRIVATE KEY-----XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-----END AES ENCRYPTED PRIVATE KEY-----\\\",\\\"zrsaencryptedsessionkey\\\":\\\"-----BEGIN ENCRYPTED AES SESSION KEY----------END ENCRYPTED AES SESSION KEY-----\\\"}\",\"AuditOperationType\":\"Create\",\"ObjectType\":\"Enrollment Certificate\",\"ObjectName\":\"newcer\",\"ObjectID\":14502,\"CustomerID\":72060231147847680,\"User\":\"Admin@example.com\",\"ClientAuditUpdate\":0}",
"event": {
"action": "Create",
"category": [
"configuration"
],
"dataset": "audit",
"outcome": "success",
"type": [
"creation"
]
},
"@timestamp": "2026-02-11T10:49:18Z",
"observer": {
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"related": {
"user": [
"Admin@example.com"
]
},
"user": {
"name": "Admin@example.com"
},
"zscaler": {
"zpa": {
"audit": {
"new_value": "{\"allowSigning\":\"true\",\"certificate\":\"-----BEGIN CERTIFICATE-----XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-----END CERTIFICATE-----\",\"commonName\":\"72060231147847680-zpabeta.zpa-customer.com\\\\/newcer\",\"creationTimeInSeconds\":\"1770720558\",\"csr\":\"-----BEGIN CERTIFICATE REQUEST-----XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-----END CERTIFICATE REQUEST-----\",\"description\":\"a new cert\",\"expirationTimeInSeconds\":\"2716886958\",\"id\":\"14502\",\"issuedBy\":\"O=Zscaler,OU=Private Access,CN=72060231147847680-zpabeta.zpa-customer.com\\\\/newcer\",\"issuedTo\":\"O=Zscaler,OU=Private Access,CN=72060231147847680-zpabeta.zpa-customer.com\\\\/newcer\",\"name\":\"newcer\",\"serialNo\":\"250371527085282490163632033189348609407\",\"zrsaencryptedprivatekey\":\"-----BEGIN AES ENCRYPTED PRIVATE KEY-----XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-----END AES ENCRYPTED PRIVATE KEY-----\",\"zrsaencryptedsessionkey\":\"-----BEGIN ENCRYPTED AES SESSION KEY----------END ENCRYPTED AES SESSION KEY-----\"}",
"operation_type": "Create"
},
"object": {
"id": "14502",
"name": "newcer",
"type": "Enrollment Certificate"
}
}
}
}
{
"message": "{\"ModifiedTime\":\"\",\"CreationTime\":\"2026-02-12T08:22:08.000Z\",\"ModifiedBy\":72060231147847697,\"RequestID\":\"69c1bf1d-c2b7-4008-a9e0-2903af7e8fe3\",\"SessionID\":\"18tjuegja4bz4qtop9ihznnyq\",\"AuditOldValue\":\"\",\"AuditNewValue\":\"{\\\"loginAttempt\\\":\\\"2026-02-12 08:22:08 UTC\\\",\\\"remoteIP\\\":\\\"192.0.2.1\\\"}\",\"AuditOperationType\":\"Sign In\",\"ObjectType\":\"Authentication\",\"ObjectName\":\"Admin@example.com\",\"ObjectID\":72060231147847697,\"CustomerID\":72060231147847680,\"User\":\"Admin@example.com\",\"ClientAuditUpdate\":0}",
"event": {
"action": "Sign In",
"category": [
"authentication"
],
"dataset": "audit",
"outcome": "success",
"type": [
"start"
]
},
"@timestamp": "2026-02-12T08:22:08Z",
"observer": {
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"related": {
"user": [
"Admin@example.com"
]
},
"user": {
"name": "Admin@example.com"
},
"zscaler": {
"zpa": {
"audit": {
"new_value": "{\"loginAttempt\":\"2026-02-12 08:22:08 UTC\",\"remoteIP\":\"192.0.2.1\"}",
"operation_type": "Sign In"
},
"object": {
"id": "72060231147847697",
"name": "Admin@example.com",
"type": "Authentication"
}
}
}
}
{
"message": "{\"ModifiedTime\":\"\",\"CreationTime\":\"2026-02-16T15:20:30.000Z\",\"ModifiedBy\":72060231147847697,\"RequestID\":\"74973292-1a68-4b0d-ae54-0951b4e4ad2e\",\"SessionID\":\"hkjxqbb7109z1l0s5r82ddy4f\",\"AuditOldValue\":\"\",\"AuditNewValue\":\"\",\"AuditOperationType\":\"Session Time Out\",\"ObjectType\":\"Authentication\",\"ObjectName\":\"\",\"ObjectID\":72060231147847697,\"CustomerID\":72060231147847680,\"User\":\"Admin@example.com\",\"ClientAuditUpdate\":0}",
"event": {
"action": "Session Time Out",
"category": [
"session"
],
"dataset": "audit",
"outcome": "success",
"type": [
"end"
]
},
"@timestamp": "2026-02-16T15:20:30Z",
"observer": {
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"related": {
"user": [
"Admin@example.com"
]
},
"user": {
"name": "Admin@example.com"
},
"zscaler": {
"zpa": {
"audit": {
"operation_type": "Session Time Out"
},
"object": {
"id": "72060231147847697",
"type": "Authentication"
}
}
}
}
{
"message": "{\"ModifiedTime\":\"2026-02-17T13:43:30.000Z\",\"CreationTime\":\"2026-02-17T13:43:30.000Z\",\"ModifiedBy\":72060231147847697,\"RequestID\":\"8f3ac930-c287-430e-8d13-b6737c74db88\",\"SessionID\":\"knxlbmr791nzrsmvyxfbohoz\",\"AuditOldValue\":\"{\\\"policyType\\\":\\\"Access Policy\\\",\\\"name\\\":\\\"Allow Internal Application Group\\\",\\\"description\\\":\\\"\\\",\\\"action\\\":\\\"ALLOW\\\",\\\"conditions\\\":[{\\\"criteria\\\":[{\\\"name\\\":\\\"Internal Application Group\\\",\\\"id\\\":\\\"72060231147847684\\\",\\\"type\\\":\\\"Segment Group\\\"}],\\\"operator\\\":\\\"OR\\\"},{\\\"criteria\\\":[{\\\"name\\\":\\\"AU\\\",\\\"id\\\":\\\"AU\\\",\\\"type\\\":\\\"Country Code\\\"}],\\\"operator\\\":\\\"OR\\\"}],\\\"status\\\":\\\"enabled\\\"}\",\"AuditNewValue\":\"{\\\"policyType\\\":\\\"Access Policy\\\",\\\"name\\\":\\\"Allow Internal Application Group\\\",\\\"description\\\":\\\"\\\",\\\"action\\\":\\\"ALLOW\\\",\\\"conditions\\\":[{\\\"criteria\\\":[{\\\"name\\\":\\\"Internal Application Group\\\",\\\"id\\\":\\\"72060231147847684\\\",\\\"type\\\":\\\"Segment Group\\\"}],\\\"operator\\\":\\\"OR\\\"}],\\\"status\\\":\\\"enabled\\\"}\",\"AuditOperationType\":\"Update\",\"ObjectType\":\"Policy\",\"ObjectName\":\"Allow Internal Application Group\",\"ObjectID\":72060231147847686,\"CustomerID\":72060231147847680,\"User\":\"Admin@example.com\",\"ClientAuditUpdate\":0}",
"event": {
"action": "Update",
"category": [
"configuration"
],
"dataset": "audit",
"outcome": "success",
"type": [
"change"
]
},
"@timestamp": "2026-02-17T13:43:30Z",
"observer": {
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"related": {
"user": [
"Admin@example.com"
]
},
"user": {
"name": "Admin@example.com"
},
"zscaler": {
"zpa": {
"audit": {
"new_value": "{\"action\":\"ALLOW\",\"conditions\":[{\"criteria\":[{\"id\":\"72060231147847684\",\"name\":\"Internal Application Group\",\"type\":\"Segment Group\"}],\"operator\":\"OR\"}],\"description\":\"\",\"name\":\"Allow Internal Application Group\",\"policyType\":\"Access Policy\",\"status\":\"enabled\"}",
"old_value": "{\"action\":\"ALLOW\",\"conditions\":[{\"criteria\":[{\"id\":\"72060231147847684\",\"name\":\"Internal Application Group\",\"type\":\"Segment Group\"}],\"operator\":\"OR\"},{\"criteria\":[{\"id\":\"AU\",\"name\":\"AU\",\"type\":\"Country Code\"}],\"operator\":\"OR\"}],\"description\":\"\",\"name\":\"Allow Internal Application Group\",\"policyType\":\"Access Policy\",\"status\":\"enabled\"}",
"operation_type": "Update"
},
"object": {
"id": "72060231147847686",
"name": "Allow Internal Application Group",
"type": "Policy"
}
}
}
}
{
"message": "{\"ModifiedTime\":\"2026-02-17T13:43:37.000Z\",\"CreationTime\":\"2026-02-17T13:43:37.000Z\",\"ModifiedBy\":72060231147847697,\"RequestID\":\"68ddfa82-3dc9-4429-aaee-1f8f42550f65\",\"SessionID\":\"knxlbmr791nzrsmvyxfbohoz\",\"AuditOldValue\":\"{\\\"policyType\\\":\\\"Access Policy\\\",\\\"policyDescription\\\":\\\"The rules in this policy set are executed first.\\\",\\\"ruleOrders\\\":{\\\"allow everything\\\":3}}\",\"AuditNewValue\":\"{\\\"policyType\\\":\\\"Access Policy\\\",\\\"policyDescription\\\":\\\"The rules in this policy set are executed first.\\\",\\\"ruleOrders\\\":{\\\"allow everything\\\":2}}\",\"AuditOperationType\":\"Delete\",\"ObjectType\":\"PolicyReOrder\",\"ObjectName\":\"Access Policy\",\"ObjectID\":0,\"CustomerID\":72060231147847680,\"User\":\"Admin@example.com\",\"ClientAuditUpdate\":0}",
"event": {
"action": "Delete",
"category": [
"configuration"
],
"dataset": "audit",
"outcome": "success",
"type": [
"deletion"
]
},
"@timestamp": "2026-02-17T13:43:37Z",
"observer": {
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"related": {
"user": [
"Admin@example.com"
]
},
"user": {
"name": "Admin@example.com"
},
"zscaler": {
"zpa": {
"audit": {
"new_value": "{\"policyDescription\":\"The rules in this policy set are executed first.\",\"policyType\":\"Access Policy\",\"ruleOrders\":{\"allow everything\":2}}",
"old_value": "{\"policyDescription\":\"The rules in this policy set are executed first.\",\"policyType\":\"Access Policy\",\"ruleOrders\":{\"allow everything\":3}}",
"operation_type": "Delete"
},
"object": {
"id": "0",
"name": "Access Policy",
"type": "PolicyReOrder"
}
}
}
}
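Audit records carry the previous and new object state as JSON inside the `AuditOldValue` / `AuditNewValue` strings (or, in the Browser Access Create sample, as an embedded object). As an added example that is not part of the Sekoia.io parser, the following Python rebuilds the policy Update sample above, loads both payloads, and reports which criteria were added or removed; the "widened" flag for an ALLOW rule that only lost criteria is a review heuristic assumed by this example, not a ZPA rule.

```python
import json

# Constructed input: the raw audit "message" of the policy Update sample above.
# The rule lost its "Country Code = AU" condition block between old and new.
OLD_RULE = {
    "policyType": "Access Policy", "name": "Allow Internal Application Group",
    "description": "", "action": "ALLOW", "status": "enabled",
    "conditions": [
        {"criteria": [{"name": "Internal Application Group", "id": "72060231147847684",
                       "type": "Segment Group"}], "operator": "OR"},
        {"criteria": [{"name": "AU", "id": "AU", "type": "Country Code"}], "operator": "OR"},
    ],
}
NEW_RULE = {**OLD_RULE, "conditions": OLD_RULE["conditions"][:1]}
RAW_POLICY_UPDATE = json.dumps({
    "ModifiedTime": "2026-02-17T13:43:30.000Z",
    "AuditOldValue": json.dumps(OLD_RULE),   # JSON carried inside a string
    "AuditNewValue": json.dumps(NEW_RULE),
    "AuditOperationType": "Update",
    "ObjectType": "Policy",
    "ObjectName": "Allow Internal Application Group",
    "ObjectID": 72060231147847686,
    "User": "Admin@example.com",
})


def load_audit_value(value) -> dict:
    """AuditOldValue/AuditNewValue is "" (nothing recorded), a JSON string
    (Update sample) or an already-embedded object (Browser Access Create sample)."""
    if isinstance(value, dict):
        return value
    if not value:
        return {}
    return json.loads(value)


def criteria_set(rule: dict) -> set[tuple[str, str, str]]:
    """Flatten every criterion of every condition block to (type, id, name)."""
    return {(c["type"], c["id"], c["name"])
            for block in rule.get("conditions", []) for c in block.get("criteria", [])}


def diff_policy_update(message: str) -> dict:
    """Summarise what a Policy audit record changed between old and new value."""
    raw = json.loads(message)
    if raw.get("ObjectType") != "Policy":
        raise ValueError("not a Policy audit record: %r" % raw.get("ObjectType"))
    old = load_audit_value(raw.get("AuditOldValue"))
    new = load_audit_value(raw.get("AuditNewValue"))
    removed = sorted(criteria_set(old) - criteria_set(new))
    added = sorted(criteria_set(new) - criteria_set(old))
    # Heuristic assumed by this example: condition blocks are ANDed, so an enabled
    # ALLOW rule that only lost criteria now matches more requests than before.
    widened = (new.get("action") == "ALLOW" and new.get("status") == "enabled"
               and bool(removed) and not added)
    return {
        "object": raw.get("ObjectName"),
        "object_type": raw.get("ObjectType"),
        "user": raw.get("User"),
        "operation": raw.get("AuditOperationType"),
        "action": (old.get("action"), new.get("action")),
        "status": (old.get("status"), new.get("status")),
        "removed_criteria": removed,
        "added_criteria": added,
        "widened": widened,
    }


if __name__ == "__main__":
    print(json.dumps(diff_policy_update(RAW_POLICY_UPDATE), indent=2))
```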
{
"message": "{\"LogTimestamp\":\"Wed Jul 3 05:12:25 2019\",\"ConnectionID\":\"\",\"Exporter\":\"unset\",\"TimestampRequestReceiveStart\":\"2019-07-03T05:12:25.723Z\",\"TimestampRequestReceiveHeaderFinish\":\"2019-07-03T05:12:25.723Z\",\"TimestampRequestReceiveFinish\":\"2019-07-03T05:12:25.723Z\",\"TimestampRequestTransmitStart\":\"2019-07-03T05:12:25.790Z\",\"TimestampRequestTransmitFinish\":\"2019-07-03T05:12:25.790Z\",\"TimestampResponseReceiveStart\":\"2019-07-03T05:12:25.791Z\",\"TimestampResponseReceiveFinish\":\"2019-07-03T05:12:25.791Z\",\"TimestampResponseTransmitStart\":\"2019-07-03T05:12:25.791Z\",\"TimestampResponseTransmitFinish\":\"2019-07-03T05:12:25.791Z\",\"TotalTimeRequestReceive\":127,\"TotalTimeRequestTransmit\":21,\"TotalTimeResponseReceive\":73,\"TotalTimeResponseTransmit\":13,\"TotalTimeConnectionSetup\":66995,\"TotalTimeServerResponse\":1349,\"Method\":\"GET\",\"Protocol\":\"HTTPS\",\"Host\":\"test.corp\",\"URL\":\"/speeddial-18.0.99-82-gd7ba322-dirty/media/HelveticaNeueLTStd-Regular.762cbf85.woff\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15\",\"XFF\":\"\",\"NameID\":\"admin@example.com\",\"StatusCode\":304,\"RequestSize\":615,\"ResponseSize\":331,\"ApplicationPort\":443,\"ClientPublicIp\":\"192.0.2.1\",\"ClientPublicPort\":50042,\"ClientPrivateIp\":\"\",\"Customer\":\"ANZ Team/zdemo in beta\",\"ConnectionStatus\":\"\",\"ConnectionReason\":\"\",\"Origin\":\"https://example.com\",\"CorsToken\":\"token_created\"}",
"event": {
"action": "Web access",
"category": [
"web"
],
"dataset": "browser-access",
"outcome": "success",
"type": [
"access"
]
},
"@timestamp": "2019-07-03T05:12:25Z",
"destination": {
"address": "test.corp",
"domain": "test.corp",
"port": 443,
"subdomain": "test"
},
"host": {
"name": "test.corp"
},
"http": {
"request": {
"bytes": 615,
"method": "GET"
},
"response": {
"bytes": 331,
"status_code": 304
}
},
"network": {
"protocol": "HTTPS"
},
"observer": {
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"organization": {
"name": "ANZ Team/zdemo in beta"
},
"related": {
"hosts": [
"test.corp"
],
"ip": [
"192.0.2.1"
],
"user": [
"admin@example.com"
]
},
"source": {
"address": "192.0.2.1",
"ip": "192.0.2.1",
"port": 50042
},
"url": {
"domain": "test.corp",
"original": "/speeddial-18.0.99-82-gd7ba322-dirty/media/HelveticaNeueLTStd-Regular.762cbf85.woff",
"path": "/speeddial-18.0.99-82-gd7ba322-dirty/media/HelveticaNeueLTStd-Regular.762cbf85.woff",
"port": 443,
"scheme": "https"
},
"user": {
"name": "admin@example.com"
},
"user_agent": {
"device": {
"name": "Mac"
},
"name": "Safari",
"original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15",
"os": {
"name": "Mac OS X",
"version": "10.14.5"
},
"version": "12.1.1"
}
}
{
"message": "{\"LogTimestamp\": \"Fri May 31 17:35:42 2019\",\"Customer\": \"ANZ Team/zdemo in beta\",\"SessionID\": \"SqyZIMkg0JTj7EABsvwA\",\"ConnectionID\": \"SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm\",\"InternalReason\": \"\",\"ConnectionStatus\": \"active\",\"IPProtocol\": 6,\"DoubleEncryption\": 0,\"Username\": \"TestUser\",\"ServicePort\": 10011,\"ClientPublicIP\": \"192.0.2.100\",\"ClientPrivateIP\": \"\",\"ClientLatitude\": 45.000000,\"ClientLongitude\": -119.000000,\"ClientCountryCode\": \"US\",\"ClientZEN\": \"broker1b.pdx2\",\"Policy\": \"ANZ Lab Apps_1\",\"Connector\": \"connector.test.corp\",\"ConnectorZEN\": \"broker1b.pdx2\",\"ConnectorIP\": \"192.0.2.2\",\"ConnectorPort\": 60266,\"Host\": \"endpoint.test.corp\",\"Application\": \"ANZ Lab Apps\",\"AppGroup\": \"ANZ Lab Apps\",\"Server\": \"0\",\"ServerIP\": \"192.0.2.1\",\"ServerPort\": 10011,\"PolicyProcessingTime\": 28,\"CAProcessingTime\": 1330,\"ConnectorZENSetupTime\": 191017,\"ConnectionSetupTime\": 192397,\"ServerSetupTime\": 465,\"AppLearnTime\": 0,\"TimestampConnectionStart\": \"2019-05-30T08:20:42.230Z\",\"TimestampConnectionEnd\": \"\",\"TimestampCATx\": \"2019-05-30T08:20:42.230Z\",\"TimestampCARx\": \"2019-05-30T08:20:42.231Z\",\"TimestampAppLearnStart\": \"\",\"TimestampZENFirstRxClient\": \"2019-05-30T08:20:42.424Z\",\"TimestampZENFirstTxClient\": \"\",\"TimestampZENLastRxClient\": \"2019-05-31T17:34:27.348Z\",\"TimestampZENLastTxClient\": \"\",\"TimestampConnectorZENSetupComplete\": \"2019-05-30T08:20:42.422Z\",\"TimestampZENFirstRxConnector\": \"\",\"TimestampZENFirstTxConnector\": \"2019-05-30T08:20:42.424Z\",\"TimestampZENLastRxConnector\": \"\",\"TimestampZENLastTxConnector\": \"2019-05-31T17:34:27.348Z\",\"ZENTotalBytesRxClient\": 2406926,\"ZENBytesRxClient\": 7115,\"ZENTotalBytesTxClient\": 0,\"ZENBytesTxClient\": 0,\"ZENTotalBytesRxConnector\": 0,\"ZENBytesRxConnector\": 0,\"ZENTotalBytesTxConnector\": 2406926,\"ZENBytesTxConnector\": 7115,\"Idp\": \"iam.test.corp\", \"ClientToClient\": \"0\", \"ClientCity\": \"San Jose\", \"MicroTenantID\": \"145257480799129312\", \"AppMicrotenantID\": \"145257480799129312\", \"Platform\": \"windows\", \"Hostname\": \"DESKTOP-P669MN4\", \"PRAApprovalID\": \"15787\", \"PRACapabilityPolicyID\": \"72057597259256663\", \"PRAConsoleType\": \"SSH\", \"PRACredentialUserName\": \"SafemarchUser\", \"PRACredentialLoginType\": \"Username-Password\", \"PRACredentialPolicyID\": \"72057597259256964\", \"PRAConnectionID\": \"$b381e220-fb0f-4dc5-9c2a-e3e0fb2e5efb\", \"PRAErrorStatus\": \"Upstream Error\", \"PRAFileTransferList\": {\"file_list\":[{\"name\":\"/d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8.elf\",\"action\":\"Upload\",\"status\":\"Inspection denied upload\",\"start_ts\":1704225544,\"end_ts\":1704225547,\"inspected\":\"True\",\"file_type\":\"elf\",\"md5\":\"4DDE761681684D7EDAD4E5E1FFDB940B\",\"inspection_verdict\":{\"code\": 200,\"message\": \"response OK\",\"virusName\": \"iot.trojan.gafgyt.botnet\",\"virusType\": \"Virus\",\"fileType\": \"elf\",\"md5\": \"4DDE761681684D7EDAD4E5E1FFDB940B\",\"sandboxSubmission\": \"Virus\"},\"inspection_time\":\"less than 1 second\"},{\"name\":\"/4ce39251817198bbec7b84782507394e7d68bfe3a79b89be363f0c1e05558ef1.zip\",\"action\":\"Upload\",\"status\":\"Inspection denied upload\",\"start_ts\":1704225552,\"end_ts\":1704225557,\"inspected\":\"True\",\"file_type\":\"zip\",\"md5\":\"F5F7995BACD88A4BCF2D69DF063184AB\",\"inspection_verdict\":{\"code\": 200,\"message\": \"File not submitted to Sandbox\",\"fileType\": \"zip\",\"md5\": \"F5F7995BACD88A4BCF2D69DF063184AB\",\"sandboxSubmission\": \"File not Submitted to Sandbox\"},\"inspection_time\":\"less than 1 second\"},{\"name\":\"/4ce39251817198bbec7b84782507394e7d68bfe3a79b89be363f0c1e05558ef1.xlsx\",\"action\":\"Upload\",\"status\":\"Inspection denied upload\",\"start_ts\":1704225568,\"end_ts\":1704225573,\"inspected\":\"True\",\"file_type\":\"xlsx\",\"md5\":\"FF43FB09E69439FCD3DD8196F5BCE11F\",\"inspection_verdict\":{\"code\": 200,\"message\": \"response OK\",\"virusName\": \"xls.downloader.qakbot\",\"virusType\": \"Sandbox Malware\",\"fileType\": \"xlsx\",\"md5\": \"FF43FB09E69439FCD3DD8196F5BCE11F\",\"sandboxSubmission\": \"Sandbox Malware\"},\"inspection_time\":\"less than 1 second\"},{\"name\":\"/Populate_Existing_Flags_And_Overrides.xlsx\",\"action\":\"Upload\",\"status\":\"Success\",\"start_ts\":1704225591,\"end_ts\":1704225593,\"inspected\":\"True\",\"file_type\":\"xlsx\",\"md5\":\"D1A0596352BE4A1260B0419C7046F8FA\",\"inspection_verdict\":{\"code\": 200,\"message\": \"No active content found. File not suspicious\",\"fileType\": \"xlsx\",\"md5\": \"D1A0596352BE4A1260B0419C7046F8FA\",\"sandboxSubmission\": \"File not Submitted to Sandbox\"},\"inspection_time\":\"less than 1 second\"}]}, \"PRARecordingStatus\": \"Available\", \"PRASharedUserList\": {\"shared_user_list\":[{\"name\":\"lisa@example.com\"}]}, \"PRASessionType\": \"PRA\", \"PRASharedMode\": \"control\"}",
"event": {
"action": "User activity",
"category": [
"network"
],
"dataset": "user-activity",
"outcome": "success",
"type": [
"info"
]
},
"@timestamp": "2019-05-31T17:35:42Z",
"cloud": {
"account": {
"id": "145257480799129312"
}
},
"destination": {
"address": "endpoint.test.corp",
"domain": "endpoint.test.corp",
"ip": "192.0.2.1",
"port": 10011,
"subdomain": "endpoint.test"
},
"host": {
"name": "connector.test.corp",
"os": {
"type": "windows"
}
},
"network": {
"iana_number": "6"
},
"observer": {
"hostname": "broker1b.pdx2",
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"organization": {
"name": "ANZ Team/zdemo in beta"
},
"related": {
"hosts": [
"broker1b.pdx2",
"endpoint.test.corp"
],
"ip": [
"192.0.2.1",
"192.0.2.100"
],
"user": [
"TestUser"
]
},
"service": {
"name": "ANZ Lab Apps"
},
"source": {
"address": "192.0.2.100",
"geo": {
"city_name": "San Jose",
"country_iso_code": "US",
"location": {
"lat": 45.0,
"lon": -119.0
}
},
"ip": "192.0.2.100"
},
"url": {
"domain": "endpoint.test.corp",
"subdomain": "endpoint.test"
},
"user": {
"domain": "iam.test.corp",
"name": "TestUser"
},
"zscaler": {
"zpa": {
"access_policy_name": "ANZ Lab Apps_1",
"app_connector": {
"ip": "192.0.2.2",
"name": "connector.test.corp",
"port": 60266,
"zen": "broker1b.pdx2"
},
"app_group_name": "ANZ Lab Apps"
}
}
}
{
"message": "{\"LogTimestamp\": \"Fri May 31 17:34:48 2019\",\"Customer\": \"ANZ Team/zdemo in beta\",\"Username\": \"TestUser\",\"SessionID\": \"cKgzUERSLl09Y+ytH8v5\",\"SessionStatus\": \"ZPN_STATUS_AUTHENTICATED\",\"Version\": \"19.12.0-36-g87dad18\",\"ZEN\": \"broker1b.pdx2\",\"CertificateCN\": \"slogger1b.pdx2.zpabeta.net\",\"PrivateIP\": \"\",\"PublicIP\": \"192.0.2.1\",\"Latitude\": 45.000000,\"Longitude\": -119.000000,\"CountryCode\": \"US\",\"TimestampAuthentication\": \"2019-05-29T21:18:38.000Z\",\"TimestampUnAuthentication\": \"\",\"TotalBytesRx\": 31274866,\"TotalBytesTx\": 25424152,\"Idp\": \"iam.test.corp\",\"Hostname\": \"endpoint.test.corp\",\"Platform\": \"windows\",\"ClientType\": \"zpn_client_type_zapp\",\"TrustedNetworks\": \"TN1_stc1\",\"TrustedNetworksNames\": \"145248739,466947538\",\"SAMLAttributes\": \"myname:jdoe,myemail:jdoe@example.com\",\"PosturesHit\": \"sm-posture1,sm-posture2\",\"PosturesMisses\": \"sm-posture11,sm-posture12\",\"ZENLatitude\": 47.000000,\"ZENLongitude\": -122.000000,\"ZENCountryCode\": \"\", \"FQDNRegistered\": \"0\",\"FQDNRegisteredError\": \"\",\"City\": \"San Jose\", \"MicroTenantID\": \"145257480799129312\"}",
"event": {
"action": "Session status",
"category": [
"session"
],
"dataset": "user-status",
"outcome": "success",
"type": [
"info"
]
},
"@timestamp": "2019-05-31T17:34:48Z",
"cloud": {
"account": {
"id": "145257480799129312"
}
},
"destination": {
"bytes": 31274866
},
"host": {
"name": "endpoint.test.corp",
"os": {
"type": "windows"
}
},
"observer": {
"hostname": "broker1b.pdx2",
"product": "Private Access",
"type": "cloud",
"vendor": "Zscaler"
},
"organization": {
"name": "ANZ Team/zdemo in beta"
},
"related": {
"hosts": [
"broker1b.pdx2"
],
"ip": [
"192.0.2.1"
],
"user": [
"TestUser"
]
},
"source": {
"address": "192.0.2.1",
"bytes": 25424152,
"geo": {
"city_name": "San Jose",
"country_iso_code": "US",
"location": {
"lat": 45.0,
"lon": -119.0
}
},
"ip": "192.0.2.1"
},
"tls": {
"client": {
"x509": {
"subject": {
"common_name": "slogger1b.pdx2.zpabeta.net"
}
}
}
},
"user": {
"domain": "iam.test.corp",
"name": "TestUser"
},
"zscaler": {
"zpa": {
"client_connector_version": "19.12.0-36-g87dad18",
"client_type": "zpn_client_type_zapp",
"trusted_networks": {
"ids": [
"TN1_stc1"
],
"names": [
"145248739",
"466947538"
]
}
}
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.
| Name | Type | Description |
|---|---|---|
| @timestamp | date | Date/time when the event originated. |
| cloud.account.id | keyword | The cloud account or organization id. |
| destination.bytes | long | Bytes sent from the destination to the source. |
| destination.domain | keyword | The domain name of the destination. |
| destination.ip | ip | IP address of the destination. |
| destination.port | long | Port of the destination. |
| event.action | keyword | The action captured by the event. |
| event.category | keyword | Event category. The second categorization field in the hierarchy. |
| event.dataset | keyword | Name of the dataset. |
| event.kind | keyword | The kind of the event. The highest categorization field in the hierarchy. |
| event.outcome | keyword | The outcome of the event. The lowest level categorization field in the hierarchy. |
| event.reason | keyword | Reason why this event happened, according to the source |
| event.type | keyword | Event type. The third categorization field in the hierarchy. |
| host.name | keyword | Name of the host. |
| host.os.type | keyword | Which commercial OS family (one of: linux, macos, unix or windows). |
| http.request.body.bytes | long | Size in bytes of the request body. |
| http.request.bytes | long | Total size in bytes of the request (body and headers). |
| http.request.method | keyword | HTTP request method. |
| http.response.body.bytes | long | Size in bytes of the response body. |
| http.response.bytes | long | Total size in bytes of the response (body and headers). |
| http.response.status_code | long | HTTP response status code. |
| http.version | keyword | HTTP version. |
| network.bytes | long | Total bytes transferred in both directions. |
| network.iana_number | keyword | IANA Protocol Number. |
| network.protocol | keyword | Application protocol name. |
| observer.hostname | keyword | Hostname of the observer. |
| observer.product | keyword | The product name of the observer. |
| observer.type | keyword | The type of the observer the data is coming from. |
| observer.vendor | keyword | Vendor name of the observer. |
| organization.name | keyword | Organization name. |
| service.name | keyword | Name of the service. |
| source.bytes | long | Bytes sent from the source to the destination. |
| source.geo.city_name | keyword | City name. |
| source.geo.country_iso_code | keyword | Country ISO code. |
| source.ip | ip | IP address of the source. |
| source.nat.ip | ip | Source NAT ip |
| source.port | long | Port of the source. |
| tls.client.x509.subject.common_name | keyword | List of common names (CN) of subject. |
| url.domain | keyword | Domain of the url. |
| url.original | wildcard | Unmodified original url as seen in the event source. |
| url.path | wildcard | Path of the request, such as "/search". |
| url.scheme | keyword | Scheme of the url. |
| user.domain | keyword | Name of the directory the user is a member of. |
| user.name | keyword | Short name or login of the user. |
| user_agent.original | keyword | Unparsed user_agent string. |
| zscaler.zpa.access_policy_name | text | The access policy rule name |
| zscaler.zpa.app_connector.group_name | text | The App Connector group name |
| zscaler.zpa.app_connector.ip | ip | The source IP address of the App Connector |
| zscaler.zpa.app_connector.name | text | The App Connector name |
| zscaler.zpa.app_connector.port | number | The source port of the App Connector |
| zscaler.zpa.app_connector.version | text | The App Connector package version |
| zscaler.zpa.app_connector.zen | text | The ZPA Public Service Edge that sent the request from the App Connector |
| zscaler.zpa.app_group_name | text | The application group name |
| zscaler.zpa.audit.new_value | text | The new value that was changed if the action type is create, sign in, or update. If the modified object is policy related, the value depends on the policy type. |
| zscaler.zpa.audit.old_value | text | The previous value that was changed if the action type is delete, sign out, or update. If the modified object is policy related, the value depends on the policy type. |
| zscaler.zpa.audit.operation_type | text | The action performed. The expected values for this field: Create, Client Session Revoked, Delete, Download, Sign In, Sign In Failure, Sign Out, Update |
| zscaler.zpa.client_connector_version | text | The Zscaler Client Connector version |
| zscaler.zpa.client_type | text | The client type for the request (i.e., Zscaler Client Connector, ZPA LSS, or Web Browser) |
| zscaler.zpa.inspection.controls_hit_count | number | The number of AppProtection control hits |
| zscaler.zpa.inspection.policy | text | The AppProtection policy |
| zscaler.zpa.inspection.profile | text | The AppProtection profile |
| zscaler.zpa.object.id | text | The ID associated with the object name |
| zscaler.zpa.object.name | text | The name of the object. This corresponds to the Resource Name in the Audit Log page. |
| zscaler.zpa.object.type | text | The location within the ZPA Admin Portal where the Action was performed. This corresponds to the Resource Type on the Audit Log page. |
| zscaler.zpa.paranoia_level | text | The OWASP Predefined Paranoia Level |
| zscaler.zpa.posture.hit | text | The posture profiles that the Zscaler Client Connector verified for this device |
| zscaler.zpa.posture.miss | text | The posture profiles that the Zscaler Client Connector failed to verify for this device |
| zscaler.zpa.trusted_networks.ids | text | The unique IDs for the trusted networks that the Zscaler Client Connector has determined for this device |
| zscaler.zpa.trusted_networks.names | text | The names for the trusted networks that the Zscaler Client Connector has determined for this device |
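As an added illustration (not Sekoia's parser and not Zscaler code), the Python below takes the raw LSS User Status JSON carried in the `message` field of the second sample event above and maps it onto the ECS fields listed in the table; the sample record is constructed from the page's own values, and the flat dotted keys and the `split_list` helper are this example's convention.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the raw ZPA LSS "User Status" record, with values taken
# from the "message" string of the second sample event above.
SAMPLE_MESSAGE = json.dumps({
    "LogTimestamp": "Fri May 31 17:34:48 2019",
    "Username": "TestUser",
    "Version": "19.12.0-36-g87dad18",
    "ZEN": "broker1b.pdx2",
    "CertificateCN": "slogger1b.pdx2.zpabeta.net",
    "PublicIP": "192.0.2.1",
    "TotalBytesRx": 31274866,
    "TotalBytesTx": 25424152,
    "Idp": "iam.test.corp",
    "Hostname": "endpoint.test.corp",
    "ClientType": "zpn_client_type_zapp",
    "TrustedNetworks": "TN1_stc1",
    "TrustedNetworksNames": "145248739,466947538",
    "MicroTenantID": "145257480799129312",
})

def split_list(value):
    """ZPA packs multi-valued attributes as comma-separated strings; '' -> []."""
    return [v for v in value.split(",") if v] if value else []

def normalize_user_status(raw):
    """Map a User Status record onto the ECS fields the table lists (flat dotted keys)."""
    r = json.loads(raw)
    # LogTimestamp is an asctime-style string with no zone; the sample shows it is UTC.
    ts = datetime.strptime(r["LogTimestamp"], "%a %b %d %H:%M:%S %Y")
    ts = ts.replace(tzinfo=timezone.utc)
    return {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "cloud.account.id": r.get("MicroTenantID"),
        "host.name": r.get("Hostname"),
        "observer.hostname": r.get("ZEN"),
        # Byte counters are client-relative: Tx -> source.bytes, Rx -> destination.bytes.
        "source.ip": r.get("PublicIP"),
        "source.bytes": r.get("TotalBytesTx"),
        "destination.bytes": r.get("TotalBytesRx"),
        "tls.client.x509.subject.common_name": r.get("CertificateCN"),
        "user.name": r.get("Username"),
        "user.domain": r.get("Idp"),
        "zscaler.zpa.client_connector_version": r.get("Version"),
        "zscaler.zpa.client_type": r.get("ClientType"),
        "zscaler.zpa.trusted_networks.ids": split_list(r.get("TrustedNetworks", "")),
        "zscaler.zpa.trusted_networks.names": split_list(r.get("TrustedNetworksNames", "")),
    }
```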
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.