Zscaler
Use the IBM® QRadar® Custom Properties for Zscaler Content Extension to closely monitor your Zscaler deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs
up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled,
download the most recent version of the associated DSMs from IBM Fix Central
(https://www.ibm.com/support/fixcentral).
IBM Security QRadar Custom Properties for Zscaler Content Extension 1.0.1
The following table shows the custom properties in IBM Security QRadar Custom Properties for Zscaler Content Extension 1.0.1.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Referrer URL | Yes | 1 | referer=([^\t\^]+) |
| Response Code | No | 1 | respcode=(\d+) |
IBM Security QRadar Custom Properties for Zscaler Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties for Zscaler Content Extension 1.0.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Application | Yes | 1 | appname=([^\t\^]+) |
| Application Classification | No | 1 | appclass=([^\t\^]+) |
| Application Protocol | No | 1 | appproto=([^\t\^]+) |
| BytesReceived | Yes | 1 | dstBytes=(\d+) |
| BytesSent | Yes | 1 | srcBytes=(\d+) |
| DLP Dictionary | No | 1 | dlpdict=([^\t\^]+) |
| DLP Engine | No | 1 | dlpeng=([^\t\^]+) |
| File Classification | No | 1 | fileclass=([^\t\^]+) |
| File Type | No | 1 | filetype=([^\t\^]+) |
| Hostname | Yes | 1 | hostname=([^\t\^]+) |
| Method | No | 1 | reqmethod=([^\t\^]+) |
| Referrer URL | No | 1 | referer=([^\t\^]+) |
| Response Code | No | 1 | respcode=(\d+) |
| Risk Score | No | 1 | riskscore=(\d+) |
| Role | Yes | 1 | role=([^\t\^]+) |
| Threat Classification | Yes | 1 | malwareclass=([^\t\^]+) |
| Threat Name | Yes | 1 | threatname=([^\t\^]+) |
| Threat Type | No | 1 | malwaretype=([^\t\^]+) |
| URL | Yes | 1 | url=([^\t\^]+) |
| URL Classification | No | 1 | urlclass=([^\t\^]+) |
| URL Super Category | No | 1 | urlsupercategory=([^\t\^]+) |
| User Agent | No | 1 | useragent=([^\t\^]+) |
| Web Category | Yes | 1 | urlcategory=([^\t\^]+) |