Syslog Zscaler Nano - V 2.0 Web Log Events
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 Web Log Events | Base Rule | General WEB Information | Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
N/A | N/A | N/A | Time and date of the transaction. This excludes the time zone. |
recordid | N/A | N/A | Unique record identifier for each log. |
login | <login> | Text/String | User's login name in email address format. |
N/A | <domainorigin> | Text/String | N/A |
dname | <dname> | Text/String | N/A |
dip | <dip> | IP Address | N/A |
sip | <sip> | IP Address | The destination server IP address. Displays 0.0.0.0 if the request was blocked. |
natPublicIp | <dnatip> | IP Address | N/A |
url | <url> | Text/String | The destination URL. It excludes the protocol identifier, such as http:// or https://. |
ua | <useragent> | Text/String | The full user agent string for both known and unknown agents. The user agent string contains browser and system information that the destination server can use to provide appropriate content. |
module | N/A | N/A | N/A |
proto | <protname> | Text/String | Protocol type of the transaction. |
action | <action> | Text/String | Action that the service took on the transaction. |
reason | <reason> | Text/String | Action that the service took and the policy that was applied, if the transaction was blocked. |
appname | <objectname> | Text/String | Cloud application name. |
appclass | <object> | Text/String | The web application class of the application that was accessed. Equivalent to module. |
filetype | N/A | N/A | Type of file associated with the transaction. |
reqsize | N/A | N/A | Request size in bytes. |
responseSize | N/A | N/A | N/A |
totalsize | <size> | Number | Total size, in bytes, of the HTTP transaction; sum of the total request size and total response size. |
sTime | N/A | N/A | N/A |
cTime | N/A | N/A | N/A |
malwarecat | N/A | N/A | The category of malware that was detected in the transaction, if any. Also indicates if a file was submitted to the Sandbox engine for analysis and the result of the analysis. |
malwareclass | N/A | N/A | The class of malware that was detected in the transaction, if any. |
threatname | <threatname> | Text/String | The name of the threat that was detected in the transaction, if any. |
riskscore | <severity> | Number | The Page Risk Index score of the destination URL. The service computes risk for each page by weighing several factors, including page locations, reputation of destination, and content that may look suspicious. The range is 0 - 100, from the lowest to the highest risk. |
dlpeng | N/A | N/A | The DLP engine that was matched, if any. |
dlpdict | N/A | N/A | The DLP dictionaries that were matched, if any. |
location | N/A | N/A | Gateway location or sublocation of the source. |
dept | <vendorinfo> | Text/String | Department of the user. |
reqmethod | <command> | Text/String | HTTP request method. |
respcode | <responsecode> | Number | The HTTP response code sent to the client. The service generates a "403-Forbidden" response for blocked transactions. |
respversion | <version> | Number | HTTP response version. |
urlclass | N/A | N/A | Class of the destination URL. |
urlsupercat | N/A | N/A | Super category of the destination URL. |
urlcat | N/A | N/A | Category of the destination URL. |
referer | N/A | N/A | HTTP referer URL. |
contenttype | <objecttype> | Text/String | The content type name. A reduced version of the string is displayed (e.g. "Flash" instead of "application/x-shockwave-flash"). |
unscannabletype | N/A | N/A | N/A |
devicehostname | <sname> | Text/String | Device host name. |
deviceowner | <login> | Text/String | Device owner. |
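As an added example (not code from the LogRhythm or Zscaler documentation), the Python below applies the mapping table to constructed key=value web log lines and derives the block indicators the table describes (respcode 403, sip 0.0.0.0) plus the riskscore-based severity. The key=value wire layout, the sample lines and the 75 risk threshold are assumptions, not values from the page.

```python
import re

# Device key -> LogRhythm schema field, copied from the mapping table above;
# keys the table maps to N/A are kept under their device name.
SCHEMA_MAP = {
    "login": "login", "dname": "dname", "dip": "dip", "sip": "sip",
    "natPublicIp": "dnatip", "url": "url", "ua": "useragent", "proto": "protname",
    "action": "action", "reason": "reason", "appname": "objectname",
    "appclass": "object", "totalsize": "size", "threatname": "threatname",
    "riskscore": "severity", "dept": "vendorinfo", "reqmethod": "command",
    "respcode": "responsecode", "respversion": "version",
    "contenttype": "objecttype", "devicehostname": "sname",
}
NUMERIC = {"size", "severity", "responsecode", "version"}  # "Number" fields
# Assumed wire layout (the page shows no raw line): space-separated key=value
# pairs, values optionally double-quoted.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# Constructed sample events, not real Zscaler output.
SAMPLE_ALLOWED = ('recordid=1001 login=alice@example.com dip=10.1.2.3 '
                  'sip=93.184.216.34 url=example.com/ action=Allowed '
                  'reason="Allowed by policy" respcode=200 riskscore=5 totalsize=2048')
SAMPLE_BLOCKED = ('recordid=1002 login=bob@example.com dip=10.1.2.4 sip=0.0.0.0 '
                  'url=bad.example.net/file.exe action=Blocked respcode=403 '
                  'reason="Blocked by Malware Protection" riskscore=90 totalsize=0 '
                  'threatname="Constructed.Test.Threat"')

def parse_line(line):
    """Parse one line into a dict keyed by LogRhythm schema field name."""
    event = {}
    for key, raw in _PAIR.findall(line):
        value = raw[1:-1] if raw.startswith('"') else raw  # strip quotes
        field = SCHEMA_MAP.get(key, key)
        if field in NUMERIC and value.isdigit():
            value = int(value)  # non-numeric strings are kept, not dropped
        event[field] = value
    return event

def is_blocked(event):
    """Block indicators the table names: a 403 response or sip of 0.0.0.0."""
    return event.get("responsecode") == 403 or event.get("sip") == "0.0.0.0"

def triage(event, risk_threshold=75):
    """Analyst flags for one event; the risk threshold is an assumed value."""
    flags = ["blocked"] if is_blocked(event) else []
    if event.get("threatname"):  # table: "name of the threat ... if any"
        flags.append("threat:" + event["threatname"])
    if isinstance(event.get("severity"), int) and event["severity"] >= risk_threshold:
        flags.append("high-risk")
    return flags
```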