Collect Netskope web proxy logs

Supported in:

This parser handles both CEF and non-CEF formatted Netskope web proxy logs. It extracts fields, performs data transformations (for example, converting timestamps or merging fields), maps them to the UDM, and adds Netskope-specific metadata. The parser uses conditional logic to handle different log formats and field availability, enriching the UDM with relevant network, security, and application details.

Before you begin

  • Ensure that you have a Google Security Operations instance.
  • Ensure that you have privileged access to Netskope.
  • Ensure that you have a configured Log Shipper module.
  • Ensure that you have a Google SecOps service account key (reach out to the Google SecOps team to get a service account with the following scopes: https://www.googleapis.com/auth/malachite-ingestion).

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Configure the Netskope Tenant in CE

  1. Go to Settings > General.
  2. Toggle the Log Shipper switch to ON
  3. In Settings, go to Netskope Tenants.
  4. If no tenants are configured, click Add Tenant.
  5. Enter the following values:
    • Name: provide a memorable name for your tenant.
    • Tenant Name: enter the real name of your Netskope tenant.
    • V2 API Token: enter your Netskope API token.
    • Alert Filters: add the web proxy alerts you would like to ingest.
    • Initial Range: enter the amount of historical data you would like to ingest (in days).
    • Click Save.

Configure the Netskope CLS plugin

  1. Go to Settings > Plugins.
  2. Search for and select the Netskope (CLS) box to open the plugin creation page.
  3. Enter the following details:
    • Configuration Name: enter a memorable name for this plugin.
    • Tenant: select the tenant you created in the previous step from the list.
    • Click Next.
    • Update the Event Type list as needed.
    • Initial Range: enter the amount of historical data you would like to ingest (in hours).
    • Click Save.

Configure a Google SecOps plugin in Netskope

  1. Go to Settings > Plugins.
  2. Search for and select the Chronicle (CLS) box to open the plugin creation page.
  3. Enter the following details:
    • Configuration Name: enter a name for this plugin.
    • Mapping: leave the default selection.
    • Toggle ON When enabled logs will be transformed using the selected mapping file.
    • Click Next.
    • Region: select the region of your Google SecOps.
    • Custom Region URL: optional setting that is required only if Custom Region was selected in the previous step.
    • Service Account Key: enter the JSON key provided by Google SecOps.
    • Customer ID: enter the customer ID of your Google SecOps tenant.
    • Click Save.

Configure a Log Shipper Business Rule for Google SecOps

  1. Go to Log Shipper > Business Rules.
  2. By default, there is a business rule that filters all alerts and events.
  3. If you want to filter out any specific type of alert, or event, click Create New Rule and configure a new business rule by adding the rule name and filter.
  4. Click Save.

Configure Log Shipper SIEM Mappings for Google SecOps

  1. Go to Log Shipper > SIEM Mappings
  2. Click Add SIEM Mapping.
  3. Enter the following details:
    • Source Configuration: select Netskope CLS plugin.
    • Destination Configuration: select the Google SecOps plugin.
    • Business Rule: select the rule you created earlier.
    • Click Save.

Validate pulling and workflow of Events and Alerts in Netskope

  1. Go to Logging in Netskope Cloud Exchange.
  2. Search for the pulled logs.
  3. In Logging, search for ingested events & alerts with the filter message contains ingested.
  4. The ingested logs will be filtered.

UDM Mapping Table

Log Field UDM Mapping Logic
applicationType security_result.detection_fields[].key: "applicationType"
security_result.detection_fields[].value: applicationType		 Directly mapped from the corresponding CEF field.
appcategory security_result.category_details[]: appcategory Directly mapped from the corresponding CEF field.
browser security_result.detection_fields[].key: "browser"
security_result.detection_fields[].value: browser		 Directly mapped from the corresponding CEF field.
c-ip principal.asset.ip[]: c-ip
principal.ip[]: c-ip		 Directly mapped from the corresponding JSON field.
cci security_result.detection_fields[].key: "cci"
security_result.detection_fields[].value: cci		 Directly mapped from the corresponding CEF field.
ccl security_result.confidence: Derived value
security_result.confidence_details: ccl		 security_result.confidence is derived based on the value of ccl: "excellent" or "high" maps to HIGH_CONFIDENCE, "medium" maps to MEDIUM_CONFIDENCE, "low" or "poor" maps to LOW_CONFIDENCE, and "unknown" or "not_defined" maps to UNKNOWN_CONFIDENCE.
security_result.confidence_details is directly mapped from ccl.
clientBytes network.sent_bytes: clientBytes Directly mapped from the corresponding CEF field.
cs-access-method additional.fields[].key: "accessMethod"
additional.fields[].value.string_value: cs-access-method		 Directly mapped from the corresponding JSON field.
cs-app additional.fields[].key: "x-cs-app"
additional.fields[].value.string_value: cs-app
principal.application: cs-app		 Directly mapped from the corresponding JSON field.
cs-app-activity additional.fields[].key: "x-cs-app-activity"
additional.fields[].value.string_value: cs-app-activity		 Directly mapped from the corresponding JSON field.
cs-app-category additional.fields[].key: "x-cs-app-category"
additional.fields[].value.string_value: cs-app-category		 Directly mapped from the corresponding JSON field.
cs-app-cci additional.fields[].key: "x-cs-app-cci"
additional.fields[].value.string_value: cs-app-cci		 Directly mapped from the corresponding JSON field.
cs-app-ccl additional.fields[].key: "x-cs-app-ccl"
additional.fields[].value.string_value: cs-app-ccl		 Directly mapped from the corresponding JSON field.
cs-app-from-user additional.fields[].key: "x-cs-app-from-user"
additional.fields[].value.string_value: cs-app-from-user
principal.user.email_addresses[]: cs-app-from-user		 Directly mapped from the corresponding JSON field.
cs-app-instance-id additional.fields[].key: "x-cs-app-instance-id"
additional.fields[].value.string_value: cs-app-instance-id		 Directly mapped from the corresponding JSON field.
cs-app-object-name additional.fields[].key: "x-cs-app-object-name"
additional.fields[].value.string_value: cs-app-object-name		 Directly mapped from the corresponding JSON field.
cs-app-object-type additional.fields[].key: "x-cs-app-object-type"
additional.fields[].value.string_value: cs-app-object-type		 Directly mapped from the corresponding JSON field.
cs-app-suite additional.fields[].key: "x-cs-app-suite"
additional.fields[].value.string_value: cs-app-suite		 Directly mapped from the corresponding JSON field.
cs-app-tags additional.fields[].key: "x-cs-app-tags"
additional.fields[].value.string_value: cs-app-tags		 Directly mapped from the corresponding JSON field.
cs-bytes network.sent_bytes: cs-bytes Directly mapped from the corresponding JSON field.
cs-content-type additional.fields[].key: "sc-content-type"
additional.fields[].value.string_value: cs-content-type		 Directly mapped from the corresponding JSON field.
cs-dns target.asset.hostname[]: cs-dns
target.hostname: cs-dns		 Directly mapped from the corresponding JSON field.
cs-host target.asset.hostname[]: cs-host
target.hostname: cs-host		 Directly mapped from the corresponding JSON field.
cs-method network.http.method: cs-method Directly mapped from the corresponding JSON field.
cs-referer network.http.referral_url: cs-referer Directly mapped from the corresponding JSON field.
cs-uri additional.fields[].key: "cs-uri"
additional.fields[].value.string_value: cs-uri		 Directly mapped from the corresponding JSON field.
cs-uri-path additional.fields[].key: "x-cs-uri-path"
additional.fields[].value.string_value: cs-uri-path		 Directly mapped from the corresponding JSON field.
cs-uri-port additional.fields[].key: "cs-uri-port"
additional.fields[].value.string_value: cs-uri-port		 Directly mapped from the corresponding JSON field.
cs-uri-scheme network.application_protocol: cs-uri-scheme Directly mapped from the corresponding JSON field after converting to uppercase.
cs-user-agent network.http.parsed_user_agent: Parsed user agent
network.http.user_agent: cs-user-agent		 network.http.parsed_user_agent is derived by parsing the cs-user-agent field using the "parseduseragent" filter.
cs-username principal.user.userid: cs-username Directly mapped from the corresponding JSON field.
date metadata.event_timestamp.seconds: Epoch seconds from date and time fields
metadata.event_timestamp.nanos: 0		 The date and time are combined and converted to epoch seconds and nanoseconds. Nanoseconds are set to 0.
device intermediary.hostname: device Directly mapped from the corresponding CEF field.
dst target.ip[]: dst Directly mapped from the corresponding CEF field.
dst_country target.location.country_or_region: dst_country Directly mapped from the corresponding grokked field.
dst_ip target.asset.ip[]: dst_ip
target.ip[]: dst_ip		 Directly mapped from the corresponding grokked field.
dst_location target.location.city: dst_location Directly mapped from the corresponding grokked field.
dst_region target.location.state: dst_region Directly mapped from the corresponding grokked field.
dst_zip Not mapped This field is not mapped to the UDM.
duser target.user.email_addresses[]: duser
target.user.user_display_name: duser		 Directly mapped from the corresponding CEF field.
dvchost about.hostname: dvchost
target.asset.hostname[]: dvchost
target.hostname: dvchost		 Directly mapped from the corresponding CEF field.
event_timestamp metadata.event_timestamp.seconds: event_timestamp Directly mapped from the corresponding grokked field.
hostname target.asset.hostname[]: hostname
target.hostname: hostname		 Directly mapped from the corresponding CEF field.
IncidentID security_result.detection_fields[].key: "IncidentID"
security_result.detection_fields[].value: IncidentID		 Directly mapped from the corresponding CEF field.
intermediary intermediary: intermediary Directly mapped from the corresponding CEF field.
md5 target.file.md5: md5 Directly mapped from the corresponding CEF field.
message Various UDM fields The message field is parsed based on whether it contains "CEF". If it does, it's treated as a CEF log. Otherwise, it's parsed as either a space-delimited string or JSON. See the "Parsing Logic" section for details.
mime_type1 Not mapped This field is not mapped to the UDM.
mime_type2 Not mapped This field is not mapped to the UDM.
mwDetectionEngine additional.fields[].key: "mwDetectionEngine"
additional.fields[].value.string_value: mwDetectionEngine		 Directly mapped from the corresponding CEF field.
mwType metadata.description: mwType Directly mapped from the corresponding CEF field.
os principal.platform: Derived value The platform is derived from the os field: "Windows" maps to WINDOWS, "MAC" maps to MAC, and "LINUX" maps to LINUX.
page network.http.referral_url: page Directly mapped from the corresponding CEF field.
port Not mapped This field is not mapped to the UDM.
referer network.http.referral_url: referer Directly mapped from the corresponding CEF field.
requestClientApplication network.http.parsed_user_agent: Parsed user agent
network.http.user_agent: requestClientApplication		 network.http.parsed_user_agent is derived by parsing the requestClientApplication field using the "parseduseragent" filter.
request_method network.http.method: request_method Directly mapped from the corresponding grokked field.
request_protocol Not mapped This field is not mapped to the UDM.
rs-status additional.fields[].key: "rs-status"
additional.fields[].value.string_value: rs-status
network.http.response_code: rs-status		 Directly mapped from the corresponding JSON field.
s-ip target.asset.ip[]: s-ip
target.ip[]: s-ip		 Directly mapped from the corresponding JSON field.
sc-bytes network.received_bytes: sc-bytes Directly mapped from the corresponding JSON field.
sc-content-type additional.fields[].key: "sc-content-type"
additional.fields[].value.string_value: sc-content-type		 Directly mapped from the corresponding JSON field.
sc-status network.http.response_code: sc-status Directly mapped from the corresponding JSON field.
serverBytes network.received_bytes: serverBytes Directly mapped from the corresponding CEF field.
sha256 target.file.sha256: sha256 Directly mapped from the corresponding CEF field.
src principal.ip[]: src Directly mapped from the corresponding CEF field.
src_country principal.location.country_or_region: src_country Directly mapped from the corresponding grokked field.
src_ip principal.asset.ip[]: src_ip
principal.ip[]: src_ip		 Directly mapped from the corresponding grokked field.
src_latitude Not mapped This field is not mapped to the UDM.
src_location principal.location.city: src_location Directly mapped from the corresponding grokked field.
src_longitude Not mapped This field is not mapped to the UDM.
src_region principal.location.state: src_region Directly mapped from the corresponding grokked field.
src_zip Not mapped This field is not mapped to the UDM.
suser principal.user.user_display_name: suser Directly mapped from the corresponding CEF field.
target_host target.asset.hostname[]: target_host
target.hostname: target_host		 Directly mapped from the corresponding grokked field.
time metadata.event_timestamp.seconds: Epoch seconds from date and time fields
metadata.event_timestamp.nanos: 0		 The date and time are combined and converted to epoch seconds and nanoseconds. Nanoseconds are set to 0.
timestamp metadata.event_timestamp.seconds: timestamp Directly mapped from the corresponding CEF field.
ts metadata.event_timestamp.seconds: Epoch seconds from ts
metadata.event_timestamp.nanos: 0		 The timestamp is converted to epoch seconds and nanoseconds. Nanoseconds are set to 0.
url target.url: url Directly mapped from the corresponding CEF field.
user_agent network.http.parsed_user_agent: Parsed user agent
network.http.user_agent: user_agent		 network.http.parsed_user_agent is derived by parsing the user_agent field using the "parseduseragent" filter.
user_ip Not mapped This field is not mapped to the UDM.
user_key principal.user.email_addresses[]: user_key Directly mapped from the corresponding grokked field.
version Not mapped This field is not mapped to the UDM.
x-c-browser additional.fields[].key: "x-c-browser"
additional.fields[].value.string_value: x-c-browser		 Directly mapped from the corresponding JSON field.
x-c-browser-version additional.fields[].key: "x-c-browser-version"
additional.fields[].value.string_value: x-c-browser-version		 Directly mapped from the corresponding JSON field.
x-c-country principal.location.country_or_region: x-c-country Directly mapped from the corresponding JSON field.
x-c-device additional.fields[].key: "x-c-device"
additional.fields[].value.string_value: x-c-device		 Directly mapped from the corresponding JSON field.
x-c-latitude principal.location.region_coordinates.latitude: x-c-latitude Directly mapped from the corresponding JSON field.
x-c-local-time security_result.detection_fields[].key: "x-c-local-time"
security_result.detection_fields[].value: x-c-local-time		 Directly mapped from the corresponding JSON field.
x-c-location principal.location.name: x-c-location Directly mapped from the corresponding JSON field.
x-c-longitude principal.location.region_coordinates.longitude: x-c-longitude Directly mapped from the corresponding JSON field.
x-c-os principal.platform: Derived value The platform is derived from the x-c-os field: "Windows" maps to WINDOWS, "MAC" maps to MAC, and "LINUX" maps to LINUX.
x-c-region principal.location.state: x-c-region Directly mapped from the corresponding JSON field.
x-c-zipcode additional.fields[].key: "x-c-zipcode"
additional.fields[].value.string_value: x-c-zipcode		 Directly mapped from the corresponding JSON field.
x-category additional.fields[].key: "x-category"
additional.fields[].value.string_value: x-category		 Directly mapped from the corresponding JSON field.
x-category-id additional.fields[].key: "x-category-id"
additional.fields[].value.string_value: x-category-id		 Directly mapped from the corresponding JSON field.
x-cs-access-method additional.fields[].key: "accessMethod"
additional.fields[].value.string_value: x-cs-access-method		 Directly mapped from the corresponding JSON field.
x-cs-app principal.application: x-cs-app
additional.fields[].key: "x-cs-app"
additional.fields[].value.string_value: x-cs-app		 Directly mapped from the corresponding JSON field.
x-cs-app-activity additional.fields[].key: "x-cs-app-activity"
additional.fields[].value.string_value: x-cs-app-activity		 Directly mapped from the corresponding JSON field.
x-cs-app-category additional.fields[].key: "x-cs-app-category"
additional.fields[].value.string_value: x-cs-app-category		 Directly mapped from the corresponding JSON field.
x-cs-app-cci additional.fields[].key: "x-cs-app-cci"
additional.fields[].value.string_value: x-cs-app-cci		 Directly mapped from the corresponding JSON field.
x-cs-app-from-user additional.fields[].key: "x-cs-app-from-user"
additional.fields[].value.string_value: x-cs-app-from-user		 Directly mapped from the corresponding JSON field.
x-cs-app-object-id additional.fields[].key: "x-cs-app-object-id"
additional.fields[].value.string_value: x-cs-app-object-id		 Directly mapped from the corresponding JSON field.
x-cs-app-object-name additional.fields[].key: "x-cs-app-object-name"
additional.fields[].value.string_value: x-cs-app-object-name		 Directly mapped from the corresponding JSON field.
x-cs-app-object-type additional.fields[].key: "x-cs-app-object-type"
additional.fields[].value.string_value: x-cs-app-object-type		 Directly mapped from the corresponding JSON field.
x-cs-app-suite additional.fields[].key: "x-cs-app-suite"
additional.fields[].value.string_value: x-cs-app-suite		 Directly mapped from the corresponding JSON field.
x-cs-app-tags additional.fields[].key: "x-cs-app-tags"
additional.fields[].value.string_value: x-cs-app-tags		 Directly mapped from the corresponding JSON field.
x-cs-app-to-user additional.fields[].key: "x-cs-app-to-user"
additional.fields[].value.string_value: x-cs-app-to-user		 Directly mapped from the corresponding JSON field.
x-cs-dst-ip security_result.detection_fields[].key: "x-cs-dst-ip"
security_result.detection_fields[].value: x-cs-dst-ip
target.asset.ip[]: x-cs-dst-ip
target.ip[]: x-cs-dst-ip		 Directly mapped from the corresponding JSON field.
x-cs-dst-port security_result.detection_fields[].key: "x-cs-dst-port"
security_result.detection_fields[].value: x-cs-dst-port
target.port: x-cs-dst-port		 Directly mapped from the corresponding JSON field.
x-cs-http-version security_result.detection_fields[].key: "x-cs-http-version"
security_result.detection_fields[].value: x-cs-http-version		 Directly mapped from the corresponding JSON field.
x-cs-page-id additional.fields[].key: "x-cs-page-id"
additional.fields[].value.string_value: x-cs-page-id		 Directly mapped from the corresponding JSON field.
x-cs-session-id network.session_id: x-cs-session-id Directly mapped from the corresponding JSON field.
x-cs-site additional.fields[].key: "x-cs-site"
additional.fields[].value.string_value: x-cs-site		 Directly mapped from the corresponding JSON field.
x-cs-sni network.tls.client.server_name: x-cs-sni Directly mapped from the corresponding JSON field.
x-cs-src-ip principal.asset.ip[]: x-cs-src-ip
principal.ip[]: x-cs-src-ip
security_result.detection_fields[].key: "x-cs-src-ip"
security_result.detection_fields[].value: x-cs-src-ip		 Directly mapped from the corresponding JSON field.
x-cs-src-ip-egress principal.asset.ip[]: x-cs-src-ip-egress
principal.ip[]: x-cs-src-ip-egress
security_result.detection_fields[].key: "x-cs-src-ip-egress"
security_result.detection_fields[].value: x-cs-src-ip-egress		 Directly mapped from the corresponding JSON field.
x-cs-src-port principal.port: x-cs-src-port
security_result.detection_fields[].key: "x-cs-src-port"
security_result.detection_fields[].value: x-cs-src-port		 Directly mapped from the corresponding JSON field.
x-cs-ssl-cipher network.tls.cipher: x-cs-ssl-cipher Directly mapped from the corresponding JSON field.
x-cs-ssl-fronting-error security_result.detection_fields[].key: "x-cs-ssl-fronting-error"
security_result.detection_fields[].value: x-cs-ssl-fronting-error		 Directly mapped from the corresponding JSON field.
x-cs-ssl-handshake-error security_result.detection_fields[].key: "x-cs-ssl-handshake-error"
security_result.detection_fields[].value: x-cs-ssl-handshake-error		 Directly mapped from the corresponding JSON field.
x-cs-ssl-ja3 network.tls.client.ja3: x-cs-ssl-ja3 Directly mapped from the corresponding JSON field.
x-cs-ssl-version network.tls.version: x-cs-ssl-version Directly mapped from the corresponding JSON field.
x-cs-timestamp metadata.event_timestamp.seconds: x-cs-timestamp Directly mapped from the corresponding JSON field.
x-cs-traffic-type additional.fields[].key: "trafficType"
additional.fields[].value.string_value: x-cs-traffic-type		 Directly mapped from the corresponding JSON field.
x-cs-tunnel-src-ip security_result.detection_fields[].key: "x-cs-tunnel-src-ip"
security_result.detection_fields[].value: x-cs-tunnel-src-ip		 Directly mapped from the corresponding JSON field.
x-cs-uri-path additional.fields[].key: "x-cs-uri-path"
additional.fields[].value.string_value: x-cs-uri-path		 Directly mapped from the corresponding JSON field.
x-cs-url target.url: x-cs-url Directly mapped from the corresponding JSON field.
x-cs-userip security_result.detection_fields[].key: "x-cs-userip"
security_result.detection_fields[].value: x-cs-userip		 Directly mapped from the corresponding JSON field.
x-other-category security_result.category_details[]: x-other-category Directly mapped from the corresponding JSON field.
x-other-category-id security_result.detection_fields[].key: "x-other-category-id"
security_result.detection_fields[].value: x-other-category-id		 Directly mapped from the corresponding JSON field.
x-policy-action security_result.action: Derived value
security_result.action_details: x-policy-action		 security_result.action is derived by converting x-policy-action to uppercase. If the uppercase value is "ALLOW" or "BLOCK", it's used directly. Otherwise, it's not mapped.
security_result.action_details is directly mapped from x-policy-action.
x-policy-dst-host security_result.detection_fields[].key: "x-policy-dst-host"
security_result.detection_fields[].value: x-policy-dst-host		 Directly mapped from the corresponding JSON field.
x-policy-dst-host-source security_result.detection_fields[].key: "x-policy-dst-host-source"
security_result.detection_fields[].value: x-policy-dst-host-source		 Directly mapped from the corresponding JSON field.
x-policy-dst-ip security_result.detection_fields[].key: "x-policy-dst-ip"
security_result.detection_fields[].value: x-policy-dst-ip		 Directly mapped from the corresponding JSON field.
x-policy-name security_result.rule_name: x-policy-name Directly mapped from the corresponding JSON field.
x-policy-src-ip security_result.detection_fields[].key: "x-policy-src-ip"
security_result.detection_fields[].value: x-policy-src-ip		 Directly mapped from the corresponding JSON field.
x-r-cert-enddate network.tls.server.certificate.not_after.seconds: Epoch seconds from x-r-cert-enddate The date is converted to epoch seconds.
x-r-cert-expired additional.fields[].key: "x-r-cert-expired"
additional.fields[].value.string_value: x-r-cert-expired		 Directly mapped from the corresponding JSON field.
x-r-cert-incomplete-chain additional.fields[].key: "x-r-cert-incomplete-chain"
additional.fields[].value.string_value: x-r-cert-incomplete-chain		 Directly mapped from the corresponding JSON field.
x-r-cert-issuer-cn network.tls.server.certificate.issuer: x-r-cert-issuer-cn Directly mapped from the corresponding JSON field.
x-r-cert-mismatch additional.fields[].key: "x-r-cert-mismatch"
additional.fields[].value.string_value: x-r-cert-mismatch		 Directly mapped from the corresponding JSON field.
x-r-cert-revoked additional.fields[].key: "x-r-cert-revoked"
additional.fields[].value.string_value: x-r-cert-revoked		 Directly mapped from the corresponding JSON field.
x-r-cert-self-signed additional.fields[].key: "x-r-cert-self-signed"
additional.fields[].value.string_value: x-r-cert-self-signed		 Directly mapped from the corresponding JSON field.
x-r-cert-startdate network.tls.server.certificate.not_before.seconds: Epoch seconds from x-r-cert-startdate The date is converted to epoch seconds.
x-r-cert-subject-cn network.tls.server.certificate.subject: x-r-cert-subject-cn Directly mapped from the corresponding JSON field.
x-r-cert-untrusted-root additional.fields[].key: "x-r-cert-untrusted-root"
additional.fields[].value.string_value: x-r-cert-untrusted-root		 Directly mapped from the corresponding JSON field.
x-r-cert-valid additional.fields[].key: "x-r-cert-valid"
additional.fields[].value.string_value: x-r-cert-valid		 Directly mapped from the corresponding JSON field.
x-request-id additional.fields[].key: "requestId"
additional.fields[].value.string_value: x-request-id		 Directly mapped from the corresponding JSON field.
x-rs-file-category additional.fields[].key: "x-rs-file-category"
additional.fields[].value.string_value: x-rs-file-category		 Directly mapped from the corresponding JSON field.
x-rs-file-type additional.fields[].key: "x-rs-file-type"
additional.fields[].value.string_value: x-rs-file-type		 Directly mapped from the corresponding JSON field.
x-s-country target.location.country_or_region: x-s-country Directly mapped from the corresponding JSON field.
x-s-dp-name additional.fields[].key: "x-s-dp-name"
additional.fields[].value.string_value: x-s-dp-name		 Directly mapped from the corresponding JSON field.
x-s-latitude target.location.region_coordinates.latitude: x-s-latitude Directly mapped from the corresponding JSON field.
x-s-location target.location.name: x-s-location Directly mapped from the corresponding JSON field.
x-s-longitude target.location.region_coordinates.longitude: x-s-longitude Directly mapped from the corresponding JSON field.
x-s-region target.location.state: x-s-region Directly mapped from the corresponding JSON field.
x-s-zipcode additional.fields[].key: "x-s-zipcode"
additional.fields[].value.string_value: x-s-zipcode		 Directly mapped from the corresponding JSON field.
x-sr-ssl-cipher security_result.detection_fields[].key: "x-sr-ssl-cipher"
security_result.detection_fields[].value: x-sr-ssl-cipher		 Directly mapped from the corresponding JSON field.
x-sr-ssl-client-certificate-error security_result.detection_fields[].key: "x-sr-ssl-client-certificate-error"
security_result.detection_fields[].value: x-sr-ssl-client-certificate-error		 Directly mapped from the corresponding JSON field.
x-sr-ssl-engine-action security_result.detection_fields[].key: "x-sr-ssl-engine-action"
security_result.detection_fields[].value: x-sr-ssl-engine-action		 Directly mapped from the corresponding JSON field.
x-sr-ssl-engine-action-reason security_result.detection_fields[].key: "x-sr-ssl-engine-action-reason"
security_result.detection_fields[].value: x-sr-ssl-engine-action-reason		 Directly mapped from the corresponding JSON field.
x-sr-ssl-handshake-error security_result.detection_fields[].key: "x-sr-ssl-handshake-error"
security_result.detection_fields[].value: x-sr-ssl-handshake-error		 Directly mapped from the corresponding JSON field.
x-sr-ssl-ja3s network.tls.server.ja3s: x-sr-ssl-ja3s Directly mapped from the corresponding JSON field.
x-sr-ssl-malformed-ssl security_result.detection_fields[].key: "x-sr-ssl-malformed-ssl"
security_result.detection_fields[].value: x-sr-ssl-malformed-ssl		 Directly mapped from the corresponding JSON field.
x-sr-ssl-version security_result.detection_fields[].key: "x-sr-ssl-version"
security_result.detection_fields[].value: x-sr-ssl-version		 Directly mapped from the corresponding JSON field.
x-s-custom-signing-ca-error security_result.detection_fields[].key: "x-s-custom-signing-ca-error"
security_result.detection_fields[].value: x-s-custom-signing-ca-error		 Directly mapped from the corresponding JSON field.
x-ssl-bypass security_result.detection_fields[].key: "SSL BYPASS"
security_result.detection_fields[].value: x-ssl-bypass or x-ssl-bypass-reason		 If x-ssl-bypass is "Yes" and x-ssl-bypass-reason is present, the value of x-ssl-bypass-reason is used. Otherwise, the value of x-ssl-bypass is used.
x-ssl-policy-action security_result.detection_fields[].key: "x-ssl-policy-action"
security_result.detection_fields[].value: x-ssl-policy-action		 Directly mapped from the corresponding JSON field.
x-ssl-policy-categories security_result.category_details[]: x-ssl-policy-categories Directly mapped from the corresponding JSON field.
x-ssl-policy-dst-host security_result.detection_fields[].key: "x-ssl-policy-dst-host"
security_result.detection_fields[].value: x-ssl-policy-dst-host		 Directly mapped from the corresponding JSON field.
x-ssl-policy-dst-host-source security_result.detection_fields[].key: "x-ssl-policy-dst-host-source"
security_result.detection_fields[].value: x-ssl-policy-dst-host-source		 Directly mapped from the corresponding JSON field.
x-ssl-policy-dst-ip security_result.detection_fields[].key: "x-ssl-policy-dst-ip"
security_result.detection_fields[].value: x-ssl-policy-dst-ip		 Directly mapped from the corresponding JSON field.
x-ssl-policy-name security_result.rule_name: x-ssl-policy-name Directly mapped from the corresponding JSON field.
x-ssl-policy-src-ip security_result.detection_fields[].key: "x-ssl-policy-src-ip"
security_result.detection_fields[].value: x-ssl-policy-src-ip		 Directly mapped from the corresponding JSON field.
x-sr-dst-ip security_result.detection_fields[].key: "x-sr-dst-ip"
security_result.detection_fields[].value: x-sr-dst-ip		 Directly mapped from the corresponding JSON field.
x-sr-dst-port security_result.detection_fields[].key: "x-sr-dst-port"
security_result.detection_fields[].value: x-sr-dst-port		 Directly mapped from the corresponding JSON field.
x-type additional.fields[].key: "xType"
additional.fields[].value.string_value: x-type		 Directly mapped from the corresponding JSON field.
x-transaction-id additional.fields[].key: "transactionId"
additional.fields[].value.string_value: x-transaction-id		 Directly mapped from the corresponding JSON field.
N/A metadata.vendor_name: "Netskope" Hardcoded value in the parser.
N/A metadata.product_name: "Netskope Webproxy" Set to "Netskope Webproxy" if not already present.
N/A metadata.log_type: "NETSKOPE_WEBPROXY" Hardcoded value in the parser.

Need more help? Get answers from Community members and Google SecOps professionals.