Some sections in this article include table pagination. Use the Search function in those tables to find your desired field.

The SaaS Security Nanolog Streaming Service (NSS) feed specifies the data from the SaaS Security logs that the NSS sends to the security information and event management (SIEM) system. You can configure an NSS feed by including one or more fields. The fields and their values display in the NSS feed output.

"Wed Aug 17 15:35:15 2022","7132869149011804161","pthalla","sp-new-tenant","admin@zslr.onmicrosoft.com","p_dept","SHAREPOINT","sanity2022-08-16 14-03.pdf","/sites/tanya/Shared%20Documents/Activity","01565bf41f1cb993d69334f409835293","malpdf","Quarantine Malware","None","None","None","Unknown URL","Tue Aug 16 14:03:13 2022","537","435"

The following tables display information about the SaaS Security log fields and possible values for those fields.

Fields that support obfuscation are documented in the following tables with the prefix o (e.g., %s{ofileid}). To obfuscate a field, manually add the prefix o before the field name in the Feed Output Format in the ZIA Admin Portal.

Public Cloud Storage

Field

Description

Example

%02d{dd}

The day of the month (1–31)

%02d{hh}

Hours (0–23)

%02d{mm}

Minutes (0–59)

%02d{mth}

The month of the year

%02d{ss}

Seconds (0–59)

%04d{yyyy}

Year

2023

%d{bucketid}

The bucket ID

%d{dlpidentifier}

The DLP identifier. Whenever a DLP rule is hit, and the appropriate alert is configured, an email containing this ID is sent to your auditors.

6646484838839025669

%d{epochtime}

The time of the incident in epoch format

1578128400

%d{numcollab}

The number of collaborators

1 to 10 of 53

Page 1 of 6

Collaboration

Field

Description

Example

%02d{dd}

The day of the month (1–31)

%02d{hh}

Hours (0–23)

%02d{mm}

Minutes (0–59)

%02d{mth}

The month of the year

%02d{ss}

Seconds (0–59)

%04d{yyyy}

Year

2023

%d{dlpidentifier}

The DLP identifier. Whenever a DLP rule is hit, and the appropriate alert is configured, an email containing this ID is sent to your auditors.

6646484838839025669

%d{epochtime}

The time of the incident in epoch format

1578128400

%d{recordid}

The unique record identifier for each log

%s{any_incident}

Indicates whether the transaction was an incident or not

Yes|No

1 to 10 of 52

Page 1 of 6

CRM

Field

Description

Example

%02d{dd}

The day of the month (1–31)

%02d{hh}

Hours (0–23)

%02d{mm}

Minutes (0–59)

%02d{mth}

The month of the year

%02d{ss}

Seconds (0–59)

%04d{yyyy}

Year

2023

%d{dlpidentifier}

The DLP identifier. Whenever a DLP rule is hit, and the appropriate alert is configured, an email containing this ID is sent to your auditors.

6646484838839025669

%d{epochtime}

The time of the incident in epoch format

1578128400

%d{filesize}

The size of the file in bytes

4061912

%d{num_external_collab}

The number of external collaborators

1 to 10 of 62

Page 1 of 7

Email

Field

Description

Example

%02d{dd}

The day of the month (1–31)

%02d{hh}

Hours (0–23)

%02d{mm}

Minutes (0–59)

%02d{mth}

The month of the year

%02d{ss}

Seconds (0–59)

%04d{yyyy}

Year

2023

%d{companyid}

The numeric ID given to a company by Zscaler

98210

%d{dlpidentifier}

The DLP identifier. Whenever a DLP rule is hit, and the appropriate alert is configured, an email containing this ID is sent to your auditors.

6646484838839025669

%d{epochtime}

The time of the incident in epoch format

1578128400

%d{filedownloadtimems}

The download time (in milliseconds) of the suspicious file detected by SaaS Security API

1 to 10 of 60

Page 1 of 6

File

Field

Description

Example

%02d{dd}

The day of the month (1–31)

%02d{hh}

Hours (0–23)

%02d{mm}

Minutes (0–59)

%02d{mth}

The month of the year

%02d{ss}

Seconds (0–59)

%04d{yyyy}

Year

2023

%d{dlpidentifier}

The DLP identifier. Whenever a DLP rule is hit, and the appropriate alert is configured, an email containing this ID is sent to your auditors.

6646484838839025669

%d{epochlastmodtime}

The file modification time in epoch format

%d{epochtime}

The time of the incident in epoch format

1578128400

%d{filedownloadtimems}

The download time (in milliseconds) of the suspicious file detected by SaaS Security API

1 to 10 of 60

Page 1 of 6

ITSM

Field

Description

Example

%02d{dd}

The day of the month (1–31)

%02d{hh}

Hours (0–23)

%02d{mm}

Minutes (0–59)

%02d{mth}

The month of the year

%02d{ss}

Seconds (0–59)

%04d{yyyy}

Year

2023

%d{dlpidentifier}

The DLP identifier. Whenever a DLP rule is hit, and the appropriate alert is configured, an email containing this ID is sent to your auditors.

6646484838839025669

%d{epochtime}

The time of the incident in epoch format

1578128400

%d{filesize}

The size of the file in bytes

4061912

%d{num_external_collab}

The number of external collaborators

1 to 10 of 61

Page 1 of 7

Repository

Field

Description

Example

%02d{dd}

The day of the month (1–31)

%02d{hh}

Hours (0–23)

%02d{mm}

Minutes (0–59)

%02d{mth}

The month of the year

%02d{ss}

Seconds (0–59)

%04d{yyyy}

Year

2023

%d{dlpidentifier}

The DLP identifier. Whenever a DLP rule is hit, and the appropriate alert is configured, an email containing this ID is sent to your auditors.

6646484838839025669

%d{epochtime}

The time of the incident in epoch format

1578128400

%d{filesize}

The size of the file in bytes

4061912

%d{num_external_collab}

The number of external collaborators

1 to 10 of 54

Page 1 of 6

b64 Fields

A SIEM can have parsing issues whenever a string field has non-printable or delimiter characters. For that reason, the Zscaler service has URL encoding for URL fields like URL, Referer, and Hostname. There are several other fields that have the same parsing issue, but URL encoding is not suitable. Such fields are encoded using b64.

Turning on b64 encoding for all supported fields may result in approximately a 20% drop in performance.

The following fields have been added as b64 fields:

b64objectname
b64filename
b64hostname
b64fullurl
b64internal_collabnames
b64external_collabnames
b64filepath
b64internal_recptnames
b64external_recptnames
b64channel_hostname
b64sender
b64projectname
b64reponame
b64bucketname
b64bucketower
b64collabnames
b64filesource
b64owner
b64attchcomponentfilenames
b64attchcomponentfilesizes
b64attchcomponentfiletypes
b64attchcomponentmd5s
b64department
b64dlpdictnames
b64dlpenginenames
b64extownername
b64extrecptnames
b64intrecptnames
b64rulelabel
b64tenant
b64threatname

Hex-Encoded Fields

The Zscaler service hex encodes all non-printable ASCII characters that are in URLs when it sends logs to the NSS. Any URL character that is less than or equal to 0x20, or greater than or equal to 0x7F, is encoded as %HH. This ensures that your SIEM can parse the URLs that contain control characters. For example, a \n character in a URL is encoded as %0A, and a space is encoded as %20.

The following fields have been added as hex-encoded fields:

efilename
efilepath
efullurl
ehostname
einternal_collabnames
eexternal_collabnames
eobjectname
eprojectname
ereponame
ebucketname
ebucketowner
ecollabnames
efilesource
eowner
eattchcomponentfilenames
eattchcomponentfiletypes
edepartment
edlpdictnames
edlpenginenames
eextownername
eextrecptnames
eintrecptnames
ethreatname
esender

Secure Internet and SaaS Access (ZIA)

NSS Feed Output Format: SaaS Security Logs

Public Cloud Storage

Collaboration

CRM

Email

File

ITSM

Repository

b64 Fields

Hex-Encoded Fields

Was this article helpful? Click an icon below to submit feedback.

Secure Internet and SaaS Access (ZIA)

NSS Feed Output Format: SaaS Security Logs

Public Cloud Storage

Collaboration

CRM

Email

File

ITSM

Repository

b64 Fields

Hex-Encoded Fields

Was this article helpful? Click an icon below to submit feedback.

Related Articles