Zscaler events
Zscaler logs are mapped to the following FortiNDR Cloud event types. Events from Zscaler can be identified by source="Zscaler".
DNS
| answers |
Zscaler provides a single answer. |
| qtype |
This is derived from qtype_name, so it may be missing for unexpected values. |
| rcode |
This is derived from rcode_name, so it may be missing for unexpected values. |
| rcode_name |
Zscaler also uses this as an error field, so it may contain unexpected values that are passed through. |
| src.ip |
|
Flow
| dst.ip |
|
| dst.ip_bytes |
|
| dst.port |
|
| duration |
|
| proto |
The values are mostly passed through from Zscaler. Some values will match and others will not. |
| service |
The values are mostly passed through from Zscaler. Some values will match and others will not. |
| src.ip |
|
| src.ip_bytes |
|
| src.port |
|
| total_ip_bytes |
|
| upload_percent |
|
HTTP
| headers.content_type |
Zscaler may be translating some values into human-readable forms (for example, Flash). |
| method |
Zscaler provides a value of CONNECT for HTTPS. |
| referrer |
Zscaler does not provide the scheme (for example., http://). |
| request_len |
|
| response_len |
|
| src.ip |
|
| status_code |
|
| uri |
|
| user_agent |
|
SSL
Every HTTPS request will have both an HTTP and SSL event. SSL events are only available for HTTPS. Also, Zscaler documentation suggests that it can be configured to intercept SSL. In that case, the cipher and version field represents the server, which may be different from the values for the client.
| cipher |
Zscaler values are passed through without conversion. |
| dst.ip |
|
| src.ip |
|
| server_name |
|
| server_name_indication |
|
| version |
Zscaler values are converted, but unexpected values will be passed through. |
