Change log for ZSCALER_DECEPTION
Date | Changes |
---|---|
2025-08-12 | - Promoted the ZSCALER_DECEPTION Premium parser to default. Full details are in the parser configuration page: https://cloud.google.com/chronicle/docs/ingestion/default-parsers/ingest-zscaler-logs
- This version will have an RC period; we encourage you to opt in and make the required adjustments before it is automatically promoted to default.
- Enhancements for the `recon` event:
  - `src.artifact.ip`: mapped from the `abuseip.ipAddress` raw log field
  - `src.artifact.location.country_or_region`: mapped from the `abuseip.countryCode` raw log field
  - `src.artifact.last_seen_time`: mapped from the `abuseip.lastReportedAt` raw log field
  - `additional.fields[decoy_appliance_name]`: mapped from the `decoy.appliance.name` raw log field
  - `target.user.product_object_id`: mapped from the `decoy.client.id` raw log field
  - `target.user.user_display_name`: mapped from the `decoy.client.name` raw log field
  - `additional.fields[decoy_network_name]`: mapped from the `decoy.network_name` raw log field
  - `security_result.rule_set`: mapped from the `decoy.recon.dataset` raw log field
  - `security_result.rule_labels[decoy_recon_dataset_type]`: mapped from the `decoy.recon.dataset_type` raw log field
  - `target.resource.resource_subtype`: mapped from the `decoy.type` raw log field
  - `target.resource.product_object_id`: mapped from the `decoy.id` raw log field
  - `target.resource.name`: mapped from the `decoy.name` raw log field
  - `principal.network.http.user_agent`: mapped from the `recon.user_agent.string` raw log field
  - `principal.security_result.detection_fields[attacker_threat_parse_ids]`: mapped from the `attacker.threat_parse_ids` raw log field
  - `principal.network.http.method`: mapped from the `recon.method` raw log field
  - `principal.network.application_protocol`: mapped from the `recon.scheme` raw log field
  - `principal.network.http.response_code`: mapped from the `recon.status` raw log field
  - `metadata.event_type`: mapping updated from `NETWORK_HTTP` to `NETWORK_CONNECTION` |