Zscaler
Use the IBM Security QRadar Custom Properties for Zscaler Content Extension to closely monitor your Zscaler deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).
IBM Security QRadar Custom Properties for Zscaler Content Extension 1.0.1
The following table shows the custom properties in IBM Security QRadar Custom Properties for Zscaler Content Extension 1.0.1.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Referrer URL | Yes | 1 | referer=([^\t\^]+) |
| Response Code | No | 1 | respcode=(\d+) |
IBM Security QRadar Custom Properties for Zscaler Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties for Zscaler Content Extension 1.0.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Application | Yes | 1 | appname=([^\t\^]+) |
| Application Classification | No | 1 | appclass=([^\t\^]+) |
| Application Protocol | No | 1 | appproto=([^\t\^]+) |
| BytesReceived | Yes | 1 | dstBytes=(\d+) |
| BytesSent | Yes | 1 | srcBytes=(\d+) |
| DLP Dictionary | No | 1 | dlpdict=([^\t\^]+) |
| DLP Engine | No | 1 | dlpeng=([^\t\^]+) |
| File Classification | No | 1 | fileclass=([^\t\^]+) |
| File Type | No | 1 | filetype=([^\t\^]+) |
| Hostname | Yes | 1 | hostname=([^\t\^]+) |
| Method | No | 1 | reqmethod=([^\t\^]+) |
| Referrer URL | No | 1 | referer=([^\t\^]+) |
| Response Code | No | 1 | respcode=(\d+) |
| Risk Score | No | 1 | riskscore=(\d+) |
| Role | Yes | 1 | role=([^\t\^]+) |
| Threat Classification | Yes | 1 | malwareclass=([^\t\^]+) |
| Threat Name | Yes | 1 | threatname=([^\t\^]+) |
| Threat Type | No | 1 | malwaretype=([^\t\^]+) |
| URL | Yes | 1 | url=([^\t\^]+) |
| URL Classification | No | 1 | urlclass=([^\t\^]+) |
| URL Super Category | No | 1 | urlsupercategory=([^\t\^]+) |
| User Agent | No | 1 | useragent=([^\t\^]+) |
| Web Category | Yes | 1 | urlcategory=([^\t\^]+) |