Collect Netskope web proxy logs
Supported in:
This parser handles both CEF and non-CEF formatted Netskope web proxy logs. It extracts fields, performs data transformations (for example, converting timestamps or merging fields), maps them to the UDM, and adds Netskope-specific metadata. The parser uses conditional logic to handle different log formats and field availability, enriching the UDM with relevant network, security, and application details.
Before you begin
- Ensure that you have a Google Security Operations instance.
- Ensure that you have privileged access to Netskope.
- Ensure that you have a configured Log Shipper module.
- Ensure that you have a Google SecOps service account key (reach out to the Google SecOps team to get a service account with the following scopes: https://www.googleapis.com/auth/malachite-ingestion).
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer ID from the Organization Details section.
Configure the Netskope Tenant in CE
- Go to Settings > General.
- Toggle the Log Shipper switch to ON
- In Settings, go to Netskope Tenants.
- If no tenants are configured, click Add Tenant.
- Enter the following values:
- Name: provide a memorable name for your tenant.
- Tenant Name: enter the real name of your Netskope tenant.
- V2 API Token: enter your Netskope API token.
- Alert Filters: add the web proxy alerts you would like to ingest.
- Initial Range: enter the amount of historical data you would like to ingest (in days).
- Click Save.
Configure the Netskope CLS plugin
- Go to Settings > Plugins.
- Search for and select the Netskope (CLS) box to open the plugin creation page.
- Enter the following details:
- Configuration Name: enter a memorable name for this plugin.
- Tenant: select the tenant you created in the previous step from the list.
- Click Next.
- Update the Event Type list as needed.
- Initial Range: enter the amount of historical data you would like to ingest (in hours).
- Click Save.
Configure a Google SecOps plugin in Netskope
- Go to Settings > Plugins.
- Search for and select the Chronicle (CLS) box to open the plugin creation page.
- Enter the following details:
- Configuration Name: enter a name for this plugin.
- Mapping: leave the default selection.
- Toggle ON
When enabled logs will be transformed using the selected mapping file. - Click Next.
- Region: select the region of your Google SecOps.
- Custom Region URL: optional setting that is required only if Custom Region was selected in the previous step.
- Service Account Key: enter the JSON key provided by Google SecOps.
- Customer ID: enter the customer ID of your Google SecOps tenant.
- Click Save.
Configure a Log Shipper Business Rule for Google SecOps
- Go to Log Shipper > Business Rules.
- By default, there is a business rule that filters all alerts and events.
- If you want to filter out any specific type of alert, or event, click Create New Rule and configure a new business rule by adding the rule name and filter.
- Click Save.
Configure Log Shipper SIEM Mappings for Google SecOps
- Go to Log Shipper > SIEM Mappings
- Click Add SIEM Mapping.
- Enter the following details:
- Source Configuration: select Netskope CLS plugin.
- Destination Configuration: select the Google SecOps plugin.
- Business Rule: select the rule you created earlier.
- Click Save.
Validate pulling and workflow of Events and Alerts in Netskope
- Go to Logging in Netskope Cloud Exchange.
- Search for the pulled logs.
- In Logging, search for ingested events & alerts with the filter message contains ingested.
- The ingested logs will be filtered.
UDM Mapping Table
| Log Field | UDM Mapping | Logic |
|---|---|---|
applicationType |
security_result.detection_fields[].key: "applicationType"security_result.detection_fields[].value: applicationType |
Directly mapped from the corresponding CEF field. |
appcategory |
security_result.category_details[]: appcategory |
Directly mapped from the corresponding CEF field. |
browser |
security_result.detection_fields[].key: "browser"security_result.detection_fields[].value: browser |
Directly mapped from the corresponding CEF field. |
c-ip |
principal.asset.ip[]: c-ipprincipal.ip[]: c-ip |
Directly mapped from the corresponding JSON field. |
cci |
security_result.detection_fields[].key: "cci"security_result.detection_fields[].value: cci |
Directly mapped from the corresponding CEF field. |
ccl |
security_result.confidence: Derived valuesecurity_result.confidence_details: ccl |
security_result.confidence is derived based on the value of ccl: "excellent" or "high" maps to HIGH_CONFIDENCE, "medium" maps to MEDIUM_CONFIDENCE, "low" or "poor" maps to LOW_CONFIDENCE, and "unknown" or "not_defined" maps to UNKNOWN_CONFIDENCE.security_result.confidence_details is directly mapped from ccl. |
clientBytes |
network.sent_bytes: clientBytes |
Directly mapped from the corresponding CEF field. |
cs-access-method |
additional.fields[].key: "accessMethod"additional.fields[].value.string_value: cs-access-method |
Directly mapped from the corresponding JSON field. |
cs-app |
additional.fields[].key: "x-cs-app"additional.fields[].value.string_value: cs-appprincipal.application: cs-app |
Directly mapped from the corresponding JSON field. |
cs-app-activity |
additional.fields[].key: "x-cs-app-activity"additional.fields[].value.string_value: cs-app-activity |
Directly mapped from the corresponding JSON field. |
cs-app-category |
additional.fields[].key: "x-cs-app-category"additional.fields[].value.string_value: cs-app-category |
Directly mapped from the corresponding JSON field. |
cs-app-cci |
additional.fields[].key: "x-cs-app-cci"additional.fields[].value.string_value: cs-app-cci |
Directly mapped from the corresponding JSON field. |
cs-app-ccl |
additional.fields[].key: "x-cs-app-ccl"additional.fields[].value.string_value: cs-app-ccl |
Directly mapped from the corresponding JSON field. |
cs-app-from-user |
additional.fields[].key: "x-cs-app-from-user"additional.fields[].value.string_value: cs-app-from-userprincipal.user.email_addresses[]: cs-app-from-user |
Directly mapped from the corresponding JSON field. |
cs-app-instance-id |
additional.fields[].key: "x-cs-app-instance-id"additional.fields[].value.string_value: cs-app-instance-id |
Directly mapped from the corresponding JSON field. |
cs-app-object-name |
additional.fields[].key: "x-cs-app-object-name"additional.fields[].value.string_value: cs-app-object-name |
Directly mapped from the corresponding JSON field. |
cs-app-object-type |
additional.fields[].key: "x-cs-app-object-type"additional.fields[].value.string_value: cs-app-object-type |
Directly mapped from the corresponding JSON field. |
cs-app-suite |
additional.fields[].key: "x-cs-app-suite"additional.fields[].value.string_value: cs-app-suite |
Directly mapped from the corresponding JSON field. |
cs-app-tags |
additional.fields[].key: "x-cs-app-tags"additional.fields[].value.string_value: cs-app-tags |
Directly mapped from the corresponding JSON field. |
cs-bytes |
network.sent_bytes: cs-bytes |
Directly mapped from the corresponding JSON field. |
cs-content-type |
additional.fields[].key: "sc-content-type"additional.fields[].value.string_value: cs-content-type |
Directly mapped from the corresponding JSON field. |
cs-dns |
target.asset.hostname[]: cs-dnstarget.hostname: cs-dns |
Directly mapped from the corresponding JSON field. |
cs-host |
target.asset.hostname[]: cs-hosttarget.hostname: cs-host |
Directly mapped from the corresponding JSON field. |
cs-method |
network.http.method: cs-method |
Directly mapped from the corresponding JSON field. |
cs-referer |
network.http.referral_url: cs-referer |
Directly mapped from the corresponding JSON field. |
cs-uri |
additional.fields[].key: "cs-uri"additional.fields[].value.string_value: cs-uri |
Directly mapped from the corresponding JSON field. |
cs-uri-path |
additional.fields[].key: "x-cs-uri-path"additional.fields[].value.string_value: cs-uri-path |
Directly mapped from the corresponding JSON field. |
cs-uri-port |
additional.fields[].key: "cs-uri-port"additional.fields[].value.string_value: cs-uri-port |
Directly mapped from the corresponding JSON field. |
cs-uri-scheme |
network.application_protocol: cs-uri-scheme |
Directly mapped from the corresponding JSON field after converting to uppercase. |
cs-user-agent |
network.http.parsed_user_agent: Parsed user agentnetwork.http.user_agent: cs-user-agent |
network.http.parsed_user_agent is derived by parsing the cs-user-agent field using the "parseduseragent" filter. |
cs-username |
principal.user.userid: cs-username |
Directly mapped from the corresponding JSON field. |
date |
metadata.event_timestamp.seconds: Epoch seconds from date and time fieldsmetadata.event_timestamp.nanos: 0 |
The date and time are combined and converted to epoch seconds and nanoseconds. Nanoseconds are set to 0. |
device |
intermediary.hostname: device |
Directly mapped from the corresponding CEF field. |
dst |
target.ip[]: dst |
Directly mapped from the corresponding CEF field. |
dst_country |
target.location.country_or_region: dst_country |
Directly mapped from the corresponding grokked field. |
dst_ip |
target.asset.ip[]: dst_iptarget.ip[]: dst_ip |
Directly mapped from the corresponding grokked field. |
dst_location |
target.location.city: dst_location |
Directly mapped from the corresponding grokked field. |
dst_region |
target.location.state: dst_region |
Directly mapped from the corresponding grokked field. |
dst_zip |
Not mapped | This field is not mapped to the UDM. |
duser |
target.user.email_addresses[]: dusertarget.user.user_display_name: duser |
Directly mapped from the corresponding CEF field. |
dvchost |
about.hostname: dvchosttarget.asset.hostname[]: dvchosttarget.hostname: dvchost |
Directly mapped from the corresponding CEF field. |
event_timestamp |
metadata.event_timestamp.seconds: event_timestamp |
Directly mapped from the corresponding grokked field. |
hostname |
target.asset.hostname[]: hostnametarget.hostname: hostname |
Directly mapped from the corresponding CEF field. |
IncidentID |
security_result.detection_fields[].key: "IncidentID"security_result.detection_fields[].value: IncidentID |
Directly mapped from the corresponding CEF field. |
intermediary |
intermediary: intermediary |
Directly mapped from the corresponding CEF field. |
md5 |
target.file.md5: md5 |
Directly mapped from the corresponding CEF field. |
message |
Various UDM fields | The message field is parsed based on whether it contains "CEF". If it does, it's treated as a CEF log. Otherwise, it's parsed as either a space-delimited string or JSON. See the "Parsing Logic" section for details. |
mime_type1 |
Not mapped | This field is not mapped to the UDM. |
mime_type2 |
Not mapped | This field is not mapped to the UDM. |
mwDetectionEngine |
additional.fields[].key: "mwDetectionEngine"additional.fields[].value.string_value: mwDetectionEngine |
Directly mapped from the corresponding CEF field. |
mwType |
metadata.description: mwType |
Directly mapped from the corresponding CEF field. |
os |
principal.platform: Derived value |
The platform is derived from the os field: "Windows" maps to WINDOWS, "MAC" maps to MAC, and "LINUX" maps to LINUX. |
page |
network.http.referral_url: page |
Directly mapped from the corresponding CEF field. |
port |
Not mapped | This field is not mapped to the UDM. |
referer |
network.http.referral_url: referer |
Directly mapped from the corresponding CEF field. |
requestClientApplication |
network.http.parsed_user_agent: Parsed user agentnetwork.http.user_agent: requestClientApplication |
network.http.parsed_user_agent is derived by parsing the requestClientApplication field using the "parseduseragent" filter. |
request_method |
network.http.method: request_method |
Directly mapped from the corresponding grokked field. |
request_protocol |
Not mapped | This field is not mapped to the UDM. |
rs-status |
additional.fields[].key: "rs-status"additional.fields[].value.string_value: rs-statusnetwork.http.response_code: rs-status |
Directly mapped from the corresponding JSON field. |
s-ip |
target.asset.ip[]: s-iptarget.ip[]: s-ip |
Directly mapped from the corresponding JSON field. |
sc-bytes |
network.received_bytes: sc-bytes |
Directly mapped from the corresponding JSON field. |
sc-content-type |
additional.fields[].key: "sc-content-type"additional.fields[].value.string_value: sc-content-type |
Directly mapped from the corresponding JSON field. |
sc-status |
network.http.response_code: sc-status |
Directly mapped from the corresponding JSON field. |
serverBytes |
network.received_bytes: serverBytes |
Directly mapped from the corresponding CEF field. |
sha256 |
target.file.sha256: sha256 |
Directly mapped from the corresponding CEF field. |
src |
principal.ip[]: src |
Directly mapped from the corresponding CEF field. |
src_country |
principal.location.country_or_region: src_country |
Directly mapped from the corresponding grokked field. |
src_ip |
principal.asset.ip[]: src_ipprincipal.ip[]: src_ip |
Directly mapped from the corresponding grokked field. |
src_latitude |
Not mapped | This field is not mapped to the UDM. |
src_location |
principal.location.city: src_location |
Directly mapped from the corresponding grokked field. |
src_longitude |
Not mapped | This field is not mapped to the UDM. |
src_region |
principal.location.state: src_region |
Directly mapped from the corresponding grokked field. |
src_zip |
Not mapped | This field is not mapped to the UDM. |
suser |
principal.user.user_display_name: suser |
Directly mapped from the corresponding CEF field. |
target_host |
target.asset.hostname[]: target_hosttarget.hostname: target_host |
Directly mapped from the corresponding grokked field. |
time |
metadata.event_timestamp.seconds: Epoch seconds from date and time fieldsmetadata.event_timestamp.nanos: 0 |
The date and time are combined and converted to epoch seconds and nanoseconds. Nanoseconds are set to 0. |
timestamp |
metadata.event_timestamp.seconds: timestamp |
Directly mapped from the corresponding CEF field. |
ts |
metadata.event_timestamp.seconds: Epoch seconds from tsmetadata.event_timestamp.nanos: 0 |
The timestamp is converted to epoch seconds and nanoseconds. Nanoseconds are set to 0. |
url |
target.url: url |
Directly mapped from the corresponding CEF field. |
user_agent |
network.http.parsed_user_agent: Parsed user agentnetwork.http.user_agent: user_agent |
network.http.parsed_user_agent is derived by parsing the user_agent field using the "parseduseragent" filter. |
user_ip |
Not mapped | This field is not mapped to the UDM. |
user_key |
principal.user.email_addresses[]: user_key |
Directly mapped from the corresponding grokked field. |
version |
Not mapped | This field is not mapped to the UDM. |
x-c-browser |
additional.fields[].key: "x-c-browser"additional.fields[].value.string_value: x-c-browser |
Directly mapped from the corresponding JSON field. |
x-c-browser-version |
additional.fields[].key: "x-c-browser-version"additional.fields[].value.string_value: x-c-browser-version |
Directly mapped from the corresponding JSON field. |
x-c-country |
principal.location.country_or_region: x-c-country |
Directly mapped from the corresponding JSON field. |
x-c-device |
additional.fields[].key: "x-c-device"additional.fields[].value.string_value: x-c-device |
Directly mapped from the corresponding JSON field. |
x-c-latitude |
principal.location.region_coordinates.latitude: x-c-latitude |
Directly mapped from the corresponding JSON field. |
x-c-local-time |
security_result.detection_fields[].key: "x-c-local-time"security_result.detection_fields[].value: x-c-local-time |
Directly mapped from the corresponding JSON field. |
x-c-location |
principal.location.name: x-c-location |
Directly mapped from the corresponding JSON field. |
x-c-longitude |
principal.location.region_coordinates.longitude: x-c-longitude |
Directly mapped from the corresponding JSON field. |
x-c-os |
principal.platform: Derived value |
The platform is derived from the x-c-os field: "Windows" maps to WINDOWS, "MAC" maps to MAC, and "LINUX" maps to LINUX. |
x-c-region |
principal.location.state: x-c-region |
Directly mapped from the corresponding JSON field. |
x-c-zipcode |
additional.fields[].key: "x-c-zipcode"additional.fields[].value.string_value: x-c-zipcode |
Directly mapped from the corresponding JSON field. |
x-category |
additional.fields[].key: "x-category"additional.fields[].value.string_value: x-category |
Directly mapped from the corresponding JSON field. |
x-category-id |
additional.fields[].key: "x-category-id"additional.fields[].value.string_value: x-category-id |
Directly mapped from the corresponding JSON field. |
x-cs-access-method |
additional.fields[].key: "accessMethod"additional.fields[].value.string_value: x-cs-access-method |
Directly mapped from the corresponding JSON field. |
x-cs-app |
principal.application: x-cs-appadditional.fields[].key: "x-cs-app"additional.fields[].value.string_value: x-cs-app |
Directly mapped from the corresponding JSON field. |
x-cs-app-activity |
additional.fields[].key: "x-cs-app-activity"additional.fields[].value.string_value: x-cs-app-activity |
Directly mapped from the corresponding JSON field. |
x-cs-app-category |
additional.fields[].key: "x-cs-app-category"additional.fields[].value.string_value: x-cs-app-category |
Directly mapped from the corresponding JSON field. |
x-cs-app-cci |
additional.fields[].key: "x-cs-app-cci"additional.fields[].value.string_value: x-cs-app-cci |
Directly mapped from the corresponding JSON field. |
x-cs-app-from-user |
additional.fields[].key: "x-cs-app-from-user"additional.fields[].value.string_value: x-cs-app-from-user |
Directly mapped from the corresponding JSON field. |
x-cs-app-object-id |
additional.fields[].key: "x-cs-app-object-id"additional.fields[].value.string_value: x-cs-app-object-id |
Directly mapped from the corresponding JSON field. |
x-cs-app-object-name |
additional.fields[].key: "x-cs-app-object-name"additional.fields[].value.string_value: x-cs-app-object-name |
Directly mapped from the corresponding JSON field. |
x-cs-app-object-type |
additional.fields[].key: "x-cs-app-object-type"additional.fields[].value.string_value: x-cs-app-object-type |
Directly mapped from the corresponding JSON field. |
x-cs-app-suite |
additional.fields[].key: "x-cs-app-suite"additional.fields[].value.string_value: x-cs-app-suite |
Directly mapped from the corresponding JSON field. |
x-cs-app-tags |
additional.fields[].key: "x-cs-app-tags"additional.fields[].value.string_value: x-cs-app-tags |
Directly mapped from the corresponding JSON field. |
x-cs-app-to-user |
additional.fields[].key: "x-cs-app-to-user"additional.fields[].value.string_value: x-cs-app-to-user |
Directly mapped from the corresponding JSON field. |
x-cs-dst-ip |
security_result.detection_fields[].key: "x-cs-dst-ip"security_result.detection_fields[].value: x-cs-dst-iptarget.asset.ip[]: x-cs-dst-iptarget.ip[]: x-cs-dst-ip |
Directly mapped from the corresponding JSON field. |
x-cs-dst-port |
security_result.detection_fields[].key: "x-cs-dst-port"security_result.detection_fields[].value: x-cs-dst-porttarget.port: x-cs-dst-port |
Directly mapped from the corresponding JSON field. |
x-cs-http-version |
security_result.detection_fields[].key: "x-cs-http-version"security_result.detection_fields[].value: x-cs-http-version |
Directly mapped from the corresponding JSON field. |
x-cs-page-id |
additional.fields[].key: "x-cs-page-id"additional.fields[].value.string_value: x-cs-page-id |
Directly mapped from the corresponding JSON field. |
x-cs-session-id |
network.session_id: x-cs-session-id |
Directly mapped from the corresponding JSON field. |
x-cs-site |
additional.fields[].key: "x-cs-site"additional.fields[].value.string_value: x-cs-site |
Directly mapped from the corresponding JSON field. |
x-cs-sni |
network.tls.client.server_name: x-cs-sni |
Directly mapped from the corresponding JSON field. |
x-cs-src-ip |
principal.asset.ip[]: x-cs-src-ipprincipal.ip[]: x-cs-src-ipsecurity_result.detection_fields[].key: "x-cs-src-ip"security_result.detection_fields[].value: x-cs-src-ip |
Directly mapped from the corresponding JSON field. |
x-cs-src-ip-egress |
principal.asset.ip[]: x-cs-src-ip-egressprincipal.ip[]: x-cs-src-ip-egresssecurity_result.detection_fields[].key: "x-cs-src-ip-egress"security_result.detection_fields[].value: x-cs-src-ip-egress |
Directly mapped from the corresponding JSON field. |
x-cs-src-port |
principal.port: x-cs-src-portsecurity_result.detection_fields[].key: "x-cs-src-port"security_result.detection_fields[].value: x-cs-src-port |
Directly mapped from the corresponding JSON field. |
x-cs-ssl-cipher |
network.tls.cipher: x-cs-ssl-cipher |
Directly mapped from the corresponding JSON field. |
x-cs-ssl-fronting-error |
security_result.detection_fields[].key: "x-cs-ssl-fronting-error"security_result.detection_fields[].value: x-cs-ssl-fronting-error |
Directly mapped from the corresponding JSON field. |
x-cs-ssl-handshake-error |
security_result.detection_fields[].key: "x-cs-ssl-handshake-error"security_result.detection_fields[].value: x-cs-ssl-handshake-error |
Directly mapped from the corresponding JSON field. |
x-cs-ssl-ja3 |
network.tls.client.ja3: x-cs-ssl-ja3 |
Directly mapped from the corresponding JSON field. |
x-cs-ssl-version |
network.tls.version: x-cs-ssl-version |
Directly mapped from the corresponding JSON field. |
x-cs-timestamp |
metadata.event_timestamp.seconds: x-cs-timestamp |
Directly mapped from the corresponding JSON field. |
x-cs-traffic-type |
additional.fields[].key: "trafficType"additional.fields[].value.string_value: x-cs-traffic-type |
Directly mapped from the corresponding JSON field. |
x-cs-tunnel-src-ip |
security_result.detection_fields[].key: "x-cs-tunnel-src-ip"security_result.detection_fields[].value: x-cs-tunnel-src-ip |
Directly mapped from the corresponding JSON field. |
x-cs-uri-path |
additional.fields[].key: "x-cs-uri-path"additional.fields[].value.string_value: x-cs-uri-path |
Directly mapped from the corresponding JSON field. |
x-cs-url |
target.url: x-cs-url |
Directly mapped from the corresponding JSON field. |
x-cs-userip |
security_result.detection_fields[].key: "x-cs-userip"security_result.detection_fields[].value: x-cs-userip |
Directly mapped from the corresponding JSON field. |
x-other-category |
security_result.category_details[]: x-other-category |
Directly mapped from the corresponding JSON field. |
x-other-category-id |
security_result.detection_fields[].key: "x-other-category-id"security_result.detection_fields[].value: x-other-category-id |
Directly mapped from the corresponding JSON field. |
x-policy-action |
security_result.action: Derived valuesecurity_result.action_details: x-policy-action |
security_result.action is derived by converting x-policy-action to uppercase. If the uppercase value is "ALLOW" or "BLOCK", it's used directly. Otherwise, it's not mapped.security_result.action_details is directly mapped from x-policy-action. |
x-policy-dst-host |
security_result.detection_fields[].key: "x-policy-dst-host"security_result.detection_fields[].value: x-policy-dst-host |
Directly mapped from the corresponding JSON field. |
x-policy-dst-host-source |
security_result.detection_fields[].key: "x-policy-dst-host-source"security_result.detection_fields[].value: x-policy-dst-host-source |
Directly mapped from the corresponding JSON field. |
x-policy-dst-ip |
security_result.detection_fields[].key: "x-policy-dst-ip"security_result.detection_fields[].value: x-policy-dst-ip |
Directly mapped from the corresponding JSON field. |
x-policy-name |
security_result.rule_name: x-policy-name |
Directly mapped from the corresponding JSON field. |
x-policy-src-ip |
security_result.detection_fields[].key: "x-policy-src-ip"security_result.detection_fields[].value: x-policy-src-ip |
Directly mapped from the corresponding JSON field. |
x-r-cert-enddate |
network.tls.server.certificate.not_after.seconds: Epoch seconds from x-r-cert-enddate |
The date is converted to epoch seconds. |
x-r-cert-expired |
additional.fields[].key: "x-r-cert-expired"additional.fields[].value.string_value: x-r-cert-expired |
Directly mapped from the corresponding JSON field. |
x-r-cert-incomplete-chain |
additional.fields[].key: "x-r-cert-incomplete-chain"additional.fields[].value.string_value: x-r-cert-incomplete-chain |
Directly mapped from the corresponding JSON field. |
x-r-cert-issuer-cn |
network.tls.server.certificate.issuer: x-r-cert-issuer-cn |
Directly mapped from the corresponding JSON field. |
x-r-cert-mismatch |
additional.fields[].key: "x-r-cert-mismatch"additional.fields[].value.string_value: x-r-cert-mismatch |
Directly mapped from the corresponding JSON field. |
x-r-cert-revoked |
additional.fields[].key: "x-r-cert-revoked"additional.fields[].value.string_value: x-r-cert-revoked |
Directly mapped from the corresponding JSON field. |
x-r-cert-self-signed |
additional.fields[].key: "x-r-cert-self-signed"additional.fields[].value.string_value: x-r-cert-self-signed |
Directly mapped from the corresponding JSON field. |
x-r-cert-startdate |
network.tls.server.certificate.not_before.seconds: Epoch seconds from x-r-cert-startdate |
The date is converted to epoch seconds. |
x-r-cert-subject-cn |
network.tls.server.certificate.subject: x-r-cert-subject-cn |
Directly mapped from the corresponding JSON field. |
x-r-cert-untrusted-root |
additional.fields[].key: "x-r-cert-untrusted-root"additional.fields[].value.string_value: x-r-cert-untrusted-root |
Directly mapped from the corresponding JSON field. |
x-r-cert-valid |
additional.fields[].key: "x-r-cert-valid"additional.fields[].value.string_value: x-r-cert-valid |
Directly mapped from the corresponding JSON field. |
x-request-id |
additional.fields[].key: "requestId"additional.fields[].value.string_value: x-request-id |
Directly mapped from the corresponding JSON field. |
x-rs-file-category |
additional.fields[].key: "x-rs-file-category"additional.fields[].value.string_value: x-rs-file-category |
Directly mapped from the corresponding JSON field. |
x-rs-file-type |
additional.fields[].key: "x-rs-file-type"additional.fields[].value.string_value: x-rs-file-type |
Directly mapped from the corresponding JSON field. |
x-s-country |
target.location.country_or_region: x-s-country |
Directly mapped from the corresponding JSON field. |
x-s-dp-name |
additional.fields[].key: "x-s-dp-name"additional.fields[].value.string_value: x-s-dp-name |
Directly mapped from the corresponding JSON field. |
x-s-latitude |
target.location.region_coordinates.latitude: x-s-latitude |
Directly mapped from the corresponding JSON field. |
x-s-location |
target.location.name: x-s-location |
Directly mapped from the corresponding JSON field. |
x-s-longitude |
target.location.region_coordinates.longitude: x-s-longitude |
Directly mapped from the corresponding JSON field. |
x-s-region |
target.location.state: x-s-region |
Directly mapped from the corresponding JSON field. |
x-s-zipcode |
additional.fields[].key: "x-s-zipcode"additional.fields[].value.string_value: x-s-zipcode |
Directly mapped from the corresponding JSON field. |
x-sr-ssl-cipher |
security_result.detection_fields[].key: "x-sr-ssl-cipher"security_result.detection_fields[].value: x-sr-ssl-cipher |
Directly mapped from the corresponding JSON field. |
x-sr-ssl-client-certificate-error |
security_result.detection_fields[].key: "x-sr-ssl-client-certificate-error"security_result.detection_fields[].value: x-sr-ssl-client-certificate-error |
Directly mapped from the corresponding JSON field. |
x-sr-ssl-engine-action |
security_result.detection_fields[].key: "x-sr-ssl-engine-action"security_result.detection_fields[].value: x-sr-ssl-engine-action |
Directly mapped from the corresponding JSON field. |
x-sr-ssl-engine-action-reason |
security_result.detection_fields[].key: "x-sr-ssl-engine-action-reason"security_result.detection_fields[].value: x-sr-ssl-engine-action-reason |
Directly mapped from the corresponding JSON field. |
x-sr-ssl-handshake-error |
security_result.detection_fields[].key: "x-sr-ssl-handshake-error"security_result.detection_fields[].value: x-sr-ssl-handshake-error |
Directly mapped from the corresponding JSON field. |
x-sr-ssl-ja3s |
network.tls.server.ja3s: x-sr-ssl-ja3s |
Directly mapped from the corresponding JSON field. |
x-sr-ssl-malformed-ssl |
security_result.detection_fields[].key: "x-sr-ssl-malformed-ssl"security_result.detection_fields[].value: x-sr-ssl-malformed-ssl |
Directly mapped from the corresponding JSON field. |
x-sr-ssl-version |
security_result.detection_fields[].key: "x-sr-ssl-version"security_result.detection_fields[].value: x-sr-ssl-version |
Directly mapped from the corresponding JSON field. |
x-s-custom-signing-ca-error |
security_result.detection_fields[].key: "x-s-custom-signing-ca-error"security_result.detection_fields[].value: x-s-custom-signing-ca-error |
Directly mapped from the corresponding JSON field. |
x-ssl-bypass |
security_result.detection_fields[].key: "SSL BYPASS"security_result.detection_fields[].value: x-ssl-bypass or x-ssl-bypass-reason |
If x-ssl-bypass is "Yes" and x-ssl-bypass-reason is present, the value of x-ssl-bypass-reason is used. Otherwise, the value of x-ssl-bypass is used. |
x-ssl-policy-action |
security_result.detection_fields[].key: "x-ssl-policy-action"security_result.detection_fields[].value: x-ssl-policy-action |
Directly mapped from the corresponding JSON field. |
x-ssl-policy-categories |
security_result.category_details[]: x-ssl-policy-categories |
Directly mapped from the corresponding JSON field. |
x-ssl-policy-dst-host |
security_result.detection_fields[].key: "x-ssl-policy-dst-host"security_result.detection_fields[].value: x-ssl-policy-dst-host |
Directly mapped from the corresponding JSON field. |
x-ssl-policy-dst-host-source |
security_result.detection_fields[].key: "x-ssl-policy-dst-host-source"security_result.detection_fields[].value: x-ssl-policy-dst-host-source |
Directly mapped from the corresponding JSON field. |
x-ssl-policy-dst-ip |
security_result.detection_fields[].key: "x-ssl-policy-dst-ip"security_result.detection_fields[].value: x-ssl-policy-dst-ip |
Directly mapped from the corresponding JSON field. |
x-ssl-policy-name |
security_result.rule_name: x-ssl-policy-name |
Directly mapped from the corresponding JSON field. |
x-ssl-policy-src-ip |
security_result.detection_fields[].key: "x-ssl-policy-src-ip"security_result.detection_fields[].value: x-ssl-policy-src-ip |
Directly mapped from the corresponding JSON field. |
x-sr-dst-ip |
security_result.detection_fields[].key: "x-sr-dst-ip"security_result.detection_fields[].value: x-sr-dst-ip |
Directly mapped from the corresponding JSON field. |
x-sr-dst-port |
security_result.detection_fields[].key: "x-sr-dst-port"security_result.detection_fields[].value: x-sr-dst-port |
Directly mapped from the corresponding JSON field. |
x-type |
additional.fields[].key: "xType"additional.fields[].value.string_value: x-type |
Directly mapped from the corresponding JSON field. |
x-transaction-id |
additional.fields[].key: "transactionId"additional.fields[].value.string_value: x-transaction-id |
Directly mapped from the corresponding JSON field. |
| N/A | metadata.vendor_name: "Netskope" |
Hardcoded value in the parser. |
| N/A | metadata.product_name: "Netskope Webproxy" |
Set to "Netskope Webproxy" if not already present. |
| N/A | metadata.log_type: "NETSKOPE_WEBPROXY" |
Hardcoded value in the parser. |
Changes
2024-06-04
- Added Grok to handle unparsed logs.
- Mapped "url" to "target.url".
- Mapped "appSessionId" to "network.session_id".
- Mapped "page" to "network.http.referral_url".
- Mapped "appcategory" to "security_result.category_details".
- Mapped "clientBytes" to "network.sent_bytes".
- Mapped "serverBytes" to "network.received_bytes".
- Mapped "ccl" to "security_result.confidence_details".
- Mapped "IncidentID", "applicationType", "browser", and "cci" to "security_result.detection_fields".
2024-04-22
- Mapped "x-cs-app-ccl","x-cs-app-instance-id","x-cs-app-tags" ,"x-cs-app-instance-name" ,"x-cs-app-instance-tag", "x-cs-app-to-user","x-cs-app-object-id" and "x-cs-app-from-user" to "additional.fields".
2024-02-26
- Changed mapping of "cs-bytes" from "network.received_bytes" to "network.sent_bytes".
- Changed mapping of "sc-bytes" from "network.sent_bytes" to "network.received_bytes".
- Mapped "x-cs-app-object-name" to "additional.fields".
- Mapped "x-cs-app-from-user" to "principal.user.email_addresses".
2023-12-22
- If "cs-dns" value is "null", changed "cs-host" mapping from "principal.hostname" to "target.hostname".
- Changed "cs-dns" mapping from "principal.hostname" to "target.hostname".
- If "sc-status" value is "null", mapped "rs-status" to "network.http.response_code".
- Mapped "x-cs-app" to "principal.application".
- Mapped "x-cs-src-ip-egress" to "principal.ip".
2023-12-08
- Added on_error check to parse the failing logs.
- Set "metadata.vendor_name" to "Netskope" and "metadata.product_name" to "Netskope Webproxy".
- Added conditional check for "src_region", "src_country", "src_location", "dst_region", "dst_country", "dst_location" before mapping.
2023-10-09
- Mapped "dvchost" to "target.hostname" if "target.hostname" is not present.
- Added a null check prior mapping "requestClientApplication".
2023-09-12
- Mapped "x-cs-dst-ip" to "target.ip".
- Mapped "x-cs-src-ip" to "principal.ip".
- Mapped "x-cs-src-port" to "principal.port".
- Mapped "x-cs-dst-port" to "target.port".
- Added on_error check for date filter.
- Added conditional checks before mapping "metadata.event_type".
2023-08-28
- Mapped "cs-uri" to "additional.fields".
- Mapped "cs-uri-port" to "additional.fields".
- Mapped "x-s-zipcode" to "additional.fields".
- Mapped "x-c-zipcode" to "additional.fields".
- Mapped "x-cs-site" to "additional.fields".
- Mapped "x-category" to "additional.fields".
- Mapped "x-sr-ssl-version" to "security_result.detection_fields".
- Mapped "x-sr-ssl-cipher" to "security_result.detection_fields".
- Mapped "x-cs-src-ip-egress" to "security_result.detection_fields".
- Mapped "x-cs-userip" to "security_result.detection_fields".
- Mapped "x-cs-url" to "target.url".
- Mapped "x-cs-uri-path" to "additional.fields".
- Mapped "x-cs-app-cci" to "additional.fields".
- Mapped "x-cs-app-object-type" to "additional.fields".
- Mapped "x-rs-file-type" to "additional.fields".
- Mapped "x-rs-file-category" to "additional.fields".
2023-08-17
- Added support for new JSON type log format.
2023-06-22
- Added support for new SYSLOG+JSON type log format.
2023-05-30
- Mapped "duser" to "target.user.email_addresses".
- Mapped "requestClientApplication" to "network.http.parsed_user_agent".
2023-02-03
- Mapped "Domain" to "principal.administrative_domain".
2023-01-09
- Added conditional checks for mapping different event_type based on required parameters present.
- Parsed different formats of "rt".
2022-04-06
- Enhancement-Added mappings for new fields
- md5, mwDetectionEngine, mwProfile, mwType mapped to udm.