Collect Netskope web proxy logs

Supported in:

This parser handles both CEF and non-CEF formatted Netskope web proxy logs. It extracts fields, performs data transformations (for example, converting timestamps or merging fields), maps them to the UDM, and adds Netskope-specific metadata. The parser uses conditional logic to handle different log formats and field availability, enriching the UDM with relevant network, security, and application details.

Before you begin

  • Ensure that you have a Google Security Operations instance.
  • Ensure that you have privileged access to Netskope.
  • Ensure that you have a configured Log Shipper module.
  • Ensure that you have a Google SecOps service account key (reach out to the Google SecOps team to get a service account with the following scopes: https://www.googleapis.com/auth/malachite-ingestion).

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Configure the Netskope Tenant in CE

  1. Go to Settings > General.
  2. Toggle the Log Shipper switch to ON.
  3. In Settings, go to Netskope Tenants.
  4. If no tenants are configured, click Add Tenant.
  5. Enter the following values:
    • Name: provide a memorable name for your tenant.
    • Tenant Name: enter the real name of your Netskope tenant.
    • V2 API Token: enter your Netskope API token.
    • Alert Filters: add the web proxy alerts you would like to ingest.
    • Initial Range: enter the amount of historical data you would like to ingest (in days).
    • Click Save.

Configure the Netskope CLS plugin

  1. Go to Settings > Plugins.
  2. Search for and select the Netskope (CLS) box to open the plugin creation page.
  3. Enter the following details:
    • Configuration Name: enter a memorable name for this plugin.
    • Tenant: select the tenant you created in the previous step from the list.
    • Click Next.
    • Update the Event Type list as needed.
    • Initial Range: enter the amount of historical data you would like to ingest (in hours).
    • Click Save.

Configure a Google SecOps plugin in Netskope

  1. Go to Settings > Plugins.
  2. Search for and select the Chronicle (CLS) box to open the plugin creation page.
  3. Enter the following details:
    • Configuration Name: enter a name for this plugin.
    • Mapping: leave the default selection.
    • Toggle ON the option When enabled, logs will be transformed using the selected mapping file.
    • Click Next.
    • Region: select the region of your Google SecOps.
    • Custom Region URL: optional setting that is required only if Custom Region was selected in the previous step.
    • Service Account Key: enter the JSON key provided by Google SecOps.
    • Customer ID: enter the customer ID of your Google SecOps tenant.
    • Click Save.

Configure a Log Shipper Business Rule for Google SecOps

  1. Go to Log Shipper > Business Rules.
  2. By default, there is a business rule that filters all alerts and events.
  3. If you want to filter out any specific type of alert or event, click Create New Rule and configure a new business rule by adding the rule name and filter.
  4. Click Save.

Configure Log Shipper SIEM Mappings for Google SecOps

  1. Go to Log Shipper > SIEM Mappings.
  2. Click Add SIEM Mapping.
  3. Enter the following details:
    • Source Configuration: select Netskope CLS plugin.
    • Destination Configuration: select the Google SecOps plugin.
    • Business Rule: select the rule you created earlier.
    • Click Save.

Validate pulling and workflow of Events and Alerts in Netskope

  1. Go to Logging in Netskope Cloud Exchange.
  2. Search for the pulled logs.
  3. In Logging, search for ingested events and alerts with the filter message contains ingested.
  4. The list is filtered down to the ingested logs.

UDM Mapping Table

Log Field | UDM Mapping | Logic
Each entry below gives the log field, then one or more UDM mapping lines in the form UDM field : source value, then the mapping logic.
applicationType
security_result.detection_fields[].key : "applicationType"
security_result.detection_fields[].value : applicationType
Directly mapped from the corresponding CEF field.
appcategory
security_result.category_details[] : appcategory Directly mapped from the corresponding CEF field.
browser
security_result.detection_fields[].key : "browser"
security_result.detection_fields[].value : browser
Directly mapped from the corresponding CEF field.
c-ip
principal.asset.ip[] : c-ip
principal.ip[] : c-ip
Directly mapped from the corresponding JSON field.
cci
security_result.detection_fields[].key : "cci"
security_result.detection_fields[].value : cci
Directly mapped from the corresponding CEF field.
ccl
security_result.confidence : Derived value
security_result.confidence_details : ccl
security_result.confidence is derived from the value of ccl: "excellent" or "high" maps to HIGH_CONFIDENCE, "medium" maps to MEDIUM_CONFIDENCE, "low" or "poor" maps to LOW_CONFIDENCE, and "unknown" or "not_defined" maps to UNKNOWN_CONFIDENCE.
security_result.confidence_details is directly mapped from ccl.
clientBytes
network.sent_bytes : clientBytes Directly mapped from the corresponding CEF field.
cs-access-method
additional.fields[].key : "accessMethod"
additional.fields[].value.string_value : cs-access-method
Directly mapped from the corresponding JSON field.
cs-app
additional.fields[].key : "x-cs-app"
additional.fields[].value.string_value : cs-app
principal.application : cs-app
Directly mapped from the corresponding JSON field.
cs-app-activity
additional.fields[].key : "x-cs-app-activity"
additional.fields[].value.string_value : cs-app-activity
Directly mapped from the corresponding JSON field.
cs-app-category
additional.fields[].key : "x-cs-app-category"
additional.fields[].value.string_value : cs-app-category
Directly mapped from the corresponding JSON field.
cs-app-cci
additional.fields[].key : "x-cs-app-cci"
additional.fields[].value.string_value : cs-app-cci
Directly mapped from the corresponding JSON field.
cs-app-ccl
additional.fields[].key : "x-cs-app-ccl"
additional.fields[].value.string_value : cs-app-ccl
Directly mapped from the corresponding JSON field.
cs-app-from-user
additional.fields[].key : "x-cs-app-from-user"
additional.fields[].value.string_value : cs-app-from-user
principal.user.email_addresses[] : cs-app-from-user
Directly mapped from the corresponding JSON field.
cs-app-instance-id
additional.fields[].key : "x-cs-app-instance-id"
additional.fields[].value.string_value : cs-app-instance-id
Directly mapped from the corresponding JSON field.
cs-app-object-name
additional.fields[].key : "x-cs-app-object-name"
additional.fields[].value.string_value : cs-app-object-name
Directly mapped from the corresponding JSON field.
cs-app-object-type
additional.fields[].key : "x-cs-app-object-type"
additional.fields[].value.string_value : cs-app-object-type
Directly mapped from the corresponding JSON field.
cs-app-suite
additional.fields[].key : "x-cs-app-suite"
additional.fields[].value.string_value : cs-app-suite
Directly mapped from the corresponding JSON field.
cs-app-tags
additional.fields[].key : "x-cs-app-tags"
additional.fields[].value.string_value : cs-app-tags
Directly mapped from the corresponding JSON field.
cs-bytes
network.sent_bytes : cs-bytes Directly mapped from the corresponding JSON field.
cs-content-type
additional.fields[].key : "sc-content-type"
additional.fields[].value.string_value : cs-content-type
Directly mapped from the corresponding JSON field.
cs-dns
target.asset.hostname[] : cs-dns
target.hostname : cs-dns
Directly mapped from the corresponding JSON field.
cs-host
target.asset.hostname[] : cs-host
target.hostname : cs-host
Directly mapped from the corresponding JSON field.
cs-method
network.http.method : cs-method Directly mapped from the corresponding JSON field.
cs-referer
network.http.referral_url : cs-referer Directly mapped from the corresponding JSON field.
cs-uri
additional.fields[].key : "cs-uri"
additional.fields[].value.string_value : cs-uri
Directly mapped from the corresponding JSON field.
cs-uri-path
additional.fields[].key : "x-cs-uri-path"
additional.fields[].value.string_value : cs-uri-path
Directly mapped from the corresponding JSON field.
cs-uri-port
additional.fields[].key : "cs-uri-port"
additional.fields[].value.string_value : cs-uri-port
Directly mapped from the corresponding JSON field.
cs-uri-scheme
network.application_protocol : cs-uri-scheme Directly mapped from the corresponding JSON field after converting to uppercase.
cs-user-agent
network.http.parsed_user_agent : Parsed user agent
network.http.user_agent : cs-user-agent
network.http.parsed_user_agent is derived by parsing the cs-user-agent field using the "parseduseragent" filter.
cs-username
principal.user.userid : cs-username Directly mapped from the corresponding JSON field.
date
metadata.event_timestamp.seconds : Epoch seconds from date and time fields
metadata.event_timestamp.nanos : 0
The date and time are combined and converted to epoch seconds and nanoseconds. Nanoseconds are set to 0.
device
intermediary.hostname : device Directly mapped from the corresponding CEF field.
dst
target.ip[] : dst Directly mapped from the corresponding CEF field.
dst_country
target.location.country_or_region : dst_country Directly mapped from the corresponding grokked field.
dst_ip
target.asset.ip[] : dst_ip
target.ip[] : dst_ip
Directly mapped from the corresponding grokked field.
dst_location
target.location.city : dst_location Directly mapped from the corresponding grokked field.
dst_region
target.location.state : dst_region Directly mapped from the corresponding grokked field.
dst_zip
Not mapped This field is not mapped to the UDM.
duser
target.user.email_addresses[] : duser
target.user.user_display_name : duser
Directly mapped from the corresponding CEF field.
dvchost
about.hostname : dvchost
target.asset.hostname[] : dvchost
target.hostname : dvchost
Directly mapped from the corresponding CEF field.
event_timestamp
metadata.event_timestamp.seconds : event_timestamp Directly mapped from the corresponding grokked field.
hostname
target.asset.hostname[] : hostname
target.hostname : hostname
Directly mapped from the corresponding CEF field.
IncidentID
security_result.detection_fields[].key : "IncidentID"
security_result.detection_fields[].value : IncidentID
Directly mapped from the corresponding CEF field.
intermediary
intermediary : intermediary Directly mapped from the corresponding CEF field.
md5
target.file.md5 : md5 Directly mapped from the corresponding CEF field.
message
Various UDM fields The message field is parsed based on whether it contains "CEF". If it does, it's treated as a CEF log. Otherwise, it's parsed as either a space-delimited string or JSON. See the "Parsing Logic" section for details.
mime_type1
Not mapped This field is not mapped to the UDM.
mime_type2
Not mapped This field is not mapped to the UDM.
mwDetectionEngine
additional.fields[].key : "mwDetectionEngine"
additional.fields[].value.string_value : mwDetectionEngine
Directly mapped from the corresponding CEF field.
mwType
metadata.description : mwType Directly mapped from the corresponding CEF field.
os
principal.platform : Derived value The platform is derived from the os field: "Windows" maps to WINDOWS, "MAC" maps to MAC, and "LINUX" maps to LINUX.
page
network.http.referral_url : page Directly mapped from the corresponding CEF field.
port
Not mapped This field is not mapped to the UDM.
referer
network.http.referral_url : referer Directly mapped from the corresponding CEF field.
requestClientApplication
network.http.parsed_user_agent : Parsed user agent
network.http.user_agent : requestClientApplication
network.http.parsed_user_agent is derived by parsing the requestClientApplication field using the "parseduseragent" filter.
request_method
network.http.method : request_method Directly mapped from the corresponding grokked field.
request_protocol
Not mapped This field is not mapped to the UDM.
rs-status
additional.fields[].key : "rs-status"
additional.fields[].value.string_value : rs-status
network.http.response_code : rs-status
Directly mapped from the corresponding JSON field.
s-ip
target.asset.ip[] : s-ip
target.ip[] : s-ip
Directly mapped from the corresponding JSON field.
sc-bytes
network.received_bytes : sc-bytes Directly mapped from the corresponding JSON field.
sc-content-type
additional.fields[].key : "sc-content-type"
additional.fields[].value.string_value : sc-content-type
Directly mapped from the corresponding JSON field.
sc-status
network.http.response_code : sc-status Directly mapped from the corresponding JSON field.
serverBytes
network.received_bytes : serverBytes Directly mapped from the corresponding CEF field.
sha256
target.file.sha256 : sha256 Directly mapped from the corresponding CEF field.
src
principal.ip[] : src Directly mapped from the corresponding CEF field.
src_country
principal.location.country_or_region : src_country Directly mapped from the corresponding grokked field.
src_ip
principal.asset.ip[] : src_ip
principal.ip[] : src_ip
Directly mapped from the corresponding grokked field.
src_latitude
Not mapped This field is not mapped to the UDM.
src_location
principal.location.city : src_location Directly mapped from the corresponding grokked field.
src_longitude
Not mapped This field is not mapped to the UDM.
src_region
principal.location.state : src_region Directly mapped from the corresponding grokked field.
src_zip
Not mapped This field is not mapped to the UDM.
suser
principal.user.user_display_name : suser Directly mapped from the corresponding CEF field.
target_host
target.asset.hostname[] : target_host
target.hostname : target_host
Directly mapped from the corresponding grokked field.
time
metadata.event_timestamp.seconds : Epoch seconds from date and time fields
metadata.event_timestamp.nanos : 0
The date and time are combined and converted to epoch seconds and nanoseconds. Nanoseconds are set to 0.
timestamp
metadata.event_timestamp.seconds : timestamp Directly mapped from the corresponding CEF field.
ts
metadata.event_timestamp.seconds : Epoch seconds from ts
metadata.event_timestamp.nanos : 0
The timestamp is converted to epoch seconds and nanoseconds. Nanoseconds are set to 0.
url
target.url : url Directly mapped from the corresponding CEF field.
user_agent
network.http.parsed_user_agent : Parsed user agent
network.http.user_agent : user_agent
network.http.parsed_user_agent is derived by parsing the user_agent field using the "parseduseragent" filter.
user_ip
Not mapped This field is not mapped to the UDM.
user_key
principal.user.email_addresses[] : user_key Directly mapped from the corresponding grokked field.
version
Not mapped This field is not mapped to the UDM.
x-c-browser
additional.fields[].key : "x-c-browser"
additional.fields[].value.string_value : x-c-browser
Directly mapped from the corresponding JSON field.
x-c-browser-version
additional.fields[].key : "x-c-browser-version"
additional.fields[].value.string_value : x-c-browser-version
Directly mapped from the corresponding JSON field.
x-c-country
principal.location.country_or_region : x-c-country Directly mapped from the corresponding JSON field.
x-c-device
additional.fields[].key : "x-c-device"
additional.fields[].value.string_value : x-c-device
Directly mapped from the corresponding JSON field.
x-c-latitude
principal.location.region_coordinates.latitude : x-c-latitude Directly mapped from the corresponding JSON field.
x-c-local-time
security_result.detection_fields[].key : "x-c-local-time"
security_result.detection_fields[].value : x-c-local-time
Directly mapped from the corresponding JSON field.
x-c-location
principal.location.name : x-c-location Directly mapped from the corresponding JSON field.
x-c-longitude
principal.location.region_coordinates.longitude : x-c-longitude Directly mapped from the corresponding JSON field.
x-c-os
principal.platform : Derived value The platform is derived from the x-c-os field: "Windows" maps to WINDOWS, "MAC" maps to MAC, and "LINUX" maps to LINUX.
x-c-region
principal.location.state : x-c-region Directly mapped from the corresponding JSON field.
x-c-zipcode
additional.fields[].key : "x-c-zipcode"
additional.fields[].value.string_value : x-c-zipcode
Directly mapped from the corresponding JSON field.
x-category
additional.fields[].key : "x-category"
additional.fields[].value.string_value : x-category
Directly mapped from the corresponding JSON field.
x-category-id
additional.fields[].key : "x-category-id"
additional.fields[].value.string_value : x-category-id
Directly mapped from the corresponding JSON field.
x-cs-access-method
additional.fields[].key : "accessMethod"
additional.fields[].value.string_value : x-cs-access-method
Directly mapped from the corresponding JSON field.
x-cs-app
principal.application : x-cs-app
additional.fields[].key : "x-cs-app"
additional.fields[].value.string_value : x-cs-app
Directly mapped from the corresponding JSON field.
x-cs-app-activity
additional.fields[].key : "x-cs-app-activity"
additional.fields[].value.string_value : x-cs-app-activity
Directly mapped from the corresponding JSON field.
x-cs-app-category
additional.fields[].key : "x-cs-app-category"
additional.fields[].value.string_value : x-cs-app-category
Directly mapped from the corresponding JSON field.
x-cs-app-cci
additional.fields[].key : "x-cs-app-cci"
additional.fields[].value.string_value : x-cs-app-cci
Directly mapped from the corresponding JSON field.
x-cs-app-from-user
additional.fields[].key : "x-cs-app-from-user"
additional.fields[].value.string_value : x-cs-app-from-user
Directly mapped from the corresponding JSON field.
x-cs-app-object-id
additional.fields[].key : "x-cs-app-object-id"
additional.fields[].value.string_value : x-cs-app-object-id
Directly mapped from the corresponding JSON field.
x-cs-app-object-name
additional.fields[].key : "x-cs-app-object-name"
additional.fields[].value.string_value : x-cs-app-object-name
Directly mapped from the corresponding JSON field.
x-cs-app-object-type
additional.fields[].key : "x-cs-app-object-type"
additional.fields[].value.string_value : x-cs-app-object-type
Directly mapped from the corresponding JSON field.
x-cs-app-suite
additional.fields[].key : "x-cs-app-suite"
additional.fields[].value.string_value : x-cs-app-suite
Directly mapped from the corresponding JSON field.
x-cs-app-tags
additional.fields[].key : "x-cs-app-tags"
additional.fields[].value.string_value : x-cs-app-tags
Directly mapped from the corresponding JSON field.
x-cs-app-to-user
additional.fields[].key : "x-cs-app-to-user"
additional.fields[].value.string_value : x-cs-app-to-user
Directly mapped from the corresponding JSON field.
x-cs-dst-ip
security_result.detection_fields[].key : "x-cs-dst-ip"
security_result.detection_fields[].value : x-cs-dst-ip
target.asset.ip[] : x-cs-dst-ip
target.ip[] : x-cs-dst-ip
Directly mapped from the corresponding JSON field.
x-cs-dst-port
security_result.detection_fields[].key : "x-cs-dst-port"
security_result.detection_fields[].value : x-cs-dst-port
target.port : x-cs-dst-port
Directly mapped from the corresponding JSON field.
x-cs-http-version
security_result.detection_fields[].key : "x-cs-http-version"
security_result.detection_fields[].value : x-cs-http-version
Directly mapped from the corresponding JSON field.
x-cs-page-id
additional.fields[].key : "x-cs-page-id"
additional.fields[].value.string_value : x-cs-page-id
Directly mapped from the corresponding JSON field.
x-cs-session-id
network.session_id : x-cs-session-id Directly mapped from the corresponding JSON field.
x-cs-site
additional.fields[].key : "x-cs-site"
additional.fields[].value.string_value : x-cs-site
Directly mapped from the corresponding JSON field.
x-cs-sni
network.tls.client.server_name : x-cs-sni Directly mapped from the corresponding JSON field.
x-cs-src-ip
principal.asset.ip[] : x-cs-src-ip
principal.ip[] : x-cs-src-ip
security_result.detection_fields[].key : "x-cs-src-ip"
security_result.detection_fields[].value : x-cs-src-ip
Directly mapped from the corresponding JSON field.
x-cs-src-ip-egress
principal.asset.ip[] : x-cs-src-ip-egress
principal.ip[] : x-cs-src-ip-egress
security_result.detection_fields[].key : "x-cs-src-ip-egress"
security_result.detection_fields[].value : x-cs-src-ip-egress
Directly mapped from the corresponding JSON field.
x-cs-src-port
principal.port : x-cs-src-port
security_result.detection_fields[].key : "x-cs-src-port"
security_result.detection_fields[].value : x-cs-src-port
Directly mapped from the corresponding JSON field.
x-cs-ssl-cipher
network.tls.cipher : x-cs-ssl-cipher Directly mapped from the corresponding JSON field.
x-cs-ssl-fronting-error
security_result.detection_fields[].key : "x-cs-ssl-fronting-error"
security_result.detection_fields[].value : x-cs-ssl-fronting-error
Directly mapped from the corresponding JSON field.
x-cs-ssl-handshake-error
security_result.detection_fields[].key : "x-cs-ssl-handshake-error"
security_result.detection_fields[].value : x-cs-ssl-handshake-error
Directly mapped from the corresponding JSON field.
x-cs-ssl-ja3
network.tls.client.ja3 : x-cs-ssl-ja3 Directly mapped from the corresponding JSON field.
x-cs-ssl-version
network.tls.version : x-cs-ssl-version Directly mapped from the corresponding JSON field.
x-cs-timestamp
metadata.event_timestamp.seconds : x-cs-timestamp Directly mapped from the corresponding JSON field.
x-cs-traffic-type
additional.fields[].key : "trafficType"
additional.fields[].value.string_value : x-cs-traffic-type
Directly mapped from the corresponding JSON field.
x-cs-tunnel-src-ip
security_result.detection_fields[].key : "x-cs-tunnel-src-ip"
security_result.detection_fields[].value : x-cs-tunnel-src-ip
Directly mapped from the corresponding JSON field.
x-cs-uri-path
additional.fields[].key : "x-cs-uri-path"
additional.fields[].value.string_value : x-cs-uri-path
Directly mapped from the corresponding JSON field.
x-cs-url
target.url : x-cs-url Directly mapped from the corresponding JSON field.
x-cs-userip
security_result.detection_fields[].key : "x-cs-userip"
security_result.detection_fields[].value : x-cs-userip
Directly mapped from the corresponding JSON field.
x-other-category
security_result.category_details[] : x-other-category Directly mapped from the corresponding JSON field.
x-other-category-id
security_result.detection_fields[].key : "x-other-category-id"
security_result.detection_fields[].value : x-other-category-id
Directly mapped from the corresponding JSON field.
x-policy-action
security_result.action : Derived value
security_result.action_details : x-policy-action
security_result.action is derived by converting x-policy-action to uppercase. If the uppercase value is "ALLOW" or "BLOCK", it is used directly. Otherwise, it is not mapped.
security_result.action_details is directly mapped from x-policy-action.
x-policy-dst-host
security_result.detection_fields[].key : "x-policy-dst-host"
security_result.detection_fields[].value : x-policy-dst-host
Directly mapped from the corresponding JSON field.
x-policy-dst-host-source
security_result.detection_fields[].key : "x-policy-dst-host-source"
security_result.detection_fields[].value : x-policy-dst-host-source
Directly mapped from the corresponding JSON field.
x-policy-dst-ip
security_result.detection_fields[].key : "x-policy-dst-ip"
security_result.detection_fields[].value : x-policy-dst-ip
Directly mapped from the corresponding JSON field.
x-policy-name
security_result.rule_name : x-policy-name Directly mapped from the corresponding JSON field.
x-policy-src-ip
security_result.detection_fields[].key : "x-policy-src-ip"
security_result.detection_fields[].value : x-policy-src-ip
Directly mapped from the corresponding JSON field.
x-r-cert-enddate
network.tls.server.certificate.not_after.seconds : Epoch seconds from x-r-cert-enddate The date is converted to epoch seconds.
x-r-cert-expired
additional.fields[].key : "x-r-cert-expired"
additional.fields[].value.string_value : x-r-cert-expired
Directly mapped from the corresponding JSON field.
x-r-cert-incomplete-chain
additional.fields[].key : "x-r-cert-incomplete-chain"
additional.fields[].value.string_value : x-r-cert-incomplete-chain
Directly mapped from the corresponding JSON field.
x-r-cert-issuer-cn
network.tls.server.certificate.issuer : x-r-cert-issuer-cn Directly mapped from the corresponding JSON field.
x-r-cert-mismatch
additional.fields[].key : "x-r-cert-mismatch"
additional.fields[].value.string_value : x-r-cert-mismatch
Directly mapped from the corresponding JSON field.
x-r-cert-revoked
additional.fields[].key : "x-r-cert-revoked"
additional.fields[].value.string_value : x-r-cert-revoked
Directly mapped from the corresponding JSON field.
x-r-cert-self-signed
additional.fields[].key : "x-r-cert-self-signed"
additional.fields[].value.string_value : x-r-cert-self-signed
Directly mapped from the corresponding JSON field.
x-r-cert-startdate
network.tls.server.certificate.not_before.seconds : Epoch seconds from x-r-cert-startdate The date is converted to epoch seconds.
x-r-cert-subject-cn
network.tls.server.certificate.subject : x-r-cert-subject-cn Directly mapped from the corresponding JSON field.
x-r-cert-untrusted-root
additional.fields[].key : "x-r-cert-untrusted-root"
additional.fields[].value.string_value : x-r-cert-untrusted-root
Directly mapped from the corresponding JSON field.
x-r-cert-valid
additional.fields[].key : "x-r-cert-valid"
additional.fields[].value.string_value : x-r-cert-valid
Directly mapped from the corresponding JSON field.
x-request-id
additional.fields[].key : "requestId"
additional.fields[].value.string_value : x-request-id
Directly mapped from the corresponding JSON field.
x-rs-file-category
additional.fields[].key : "x-rs-file-category"
additional.fields[].value.string_value : x-rs-file-category
Directly mapped from the corresponding JSON field.
x-rs-file-type
additional.fields[].key : "x-rs-file-type"
additional.fields[].value.string_value : x-rs-file-type
Directly mapped from the corresponding JSON field.
x-s-country
target.location.country_or_region : x-s-country Directly mapped from the corresponding JSON field.
x-s-dp-name
additional.fields[].key : "x-s-dp-name"
additional.fields[].value.string_value : x-s-dp-name
Directly mapped from the corresponding JSON field.
x-s-latitude
target.location.region_coordinates.latitude : x-s-latitude Directly mapped from the corresponding JSON field.
x-s-location
target.location.name : x-s-location Directly mapped from the corresponding JSON field.
x-s-longitude
target.location.region_coordinates.longitude : x-s-longitude Directly mapped from the corresponding JSON field.
x-s-region
target.location.state : x-s-region Directly mapped from the corresponding JSON field.
x-s-zipcode
additional.fields[].key : "x-s-zipcode"
additional.fields[].value.string_value : x-s-zipcode
Directly mapped from the corresponding JSON field.
x-sr-ssl-cipher
security_result.detection_fields[].key : "x-sr-ssl-cipher"
security_result.detection_fields[].value : x-sr-ssl-cipher
Directly mapped from the corresponding JSON field.
x-sr-ssl-client-certificate-error
security_result.detection_fields[].key : "x-sr-ssl-client-certificate-error"
security_result.detection_fields[].value : x-sr-ssl-client-certificate-error
Directly mapped from the corresponding JSON field.
x-sr-ssl-engine-action
security_result.detection_fields[].key : "x-sr-ssl-engine-action"
security_result.detection_fields[].value : x-sr-ssl-engine-action
Directly mapped from the corresponding JSON field.
x-sr-ssl-engine-action-reason
security_result.detection_fields[].key : "x-sr-ssl-engine-action-reason"
security_result.detection_fields[].value : x-sr-ssl-engine-action-reason
Directly mapped from the corresponding JSON field.
x-sr-ssl-handshake-error
security_result.detection_fields[].key : "x-sr-ssl-handshake-error"
security_result.detection_fields[].value : x-sr-ssl-handshake-error
Directly mapped from the corresponding JSON field.
x-sr-ssl-ja3s
network.tls.server.ja3s : x-sr-ssl-ja3s Directly mapped from the corresponding JSON field.
x-sr-ssl-malformed-ssl
security_result.detection_fields[].key : "x-sr-ssl-malformed-ssl"
security_result.detection_fields[].value : x-sr-ssl-malformed-ssl
Directly mapped from the corresponding JSON field.
x-sr-ssl-version
security_result.detection_fields[].key : "x-sr-ssl-version"
security_result.detection_fields[].value : x-sr-ssl-version
Directly mapped from the corresponding JSON field.
x-s-custom-signing-ca-error
security_result.detection_fields[].key : "x-s-custom-signing-ca-error"
security_result.detection_fields[].value : x-s-custom-signing-ca-error
Directly mapped from the corresponding JSON field.
x-ssl-bypass
security_result.detection_fields[].key : "SSL BYPASS"
security_result.detection_fields[].value : x-ssl-bypass or x-ssl-bypass-reason
If x-ssl-bypass is "Yes" and x-ssl-bypass-reason is present, the value of x-ssl-bypass-reason is used. Otherwise, the value of x-ssl-bypass is used.
x-ssl-policy-action
security_result.detection_fields[].key : "x-ssl-policy-action"
security_result.detection_fields[].value : x-ssl-policy-action
Directly mapped from the corresponding JSON field.
x-ssl-policy-categories
security_result.category_details[] : x-ssl-policy-categories Directly mapped from the corresponding JSON field.
x-ssl-policy-dst-host
security_result.detection_fields[].key : "x-ssl-policy-dst-host"
security_result.detection_fields[].value : x-ssl-policy-dst-host
Directly mapped from the corresponding JSON field.
x-ssl-policy-dst-host-source
security_result.detection_fields[].key : "x-ssl-policy-dst-host-source"
security_result.detection_fields[].value : x-ssl-policy-dst-host-source
Directly mapped from the corresponding JSON field.
x-ssl-policy-dst-ip
security_result.detection_fields[].key : "x-ssl-policy-dst-ip"
security_result.detection_fields[].value : x-ssl-policy-dst-ip
Directly mapped from the corresponding JSON field.
x-ssl-policy-name
security_result.rule_name : x-ssl-policy-name Directly mapped from the corresponding JSON field.
x-ssl-policy-src-ip
security_result.detection_fields[].key : "x-ssl-policy-src-ip"
security_result.detection_fields[].value : x-ssl-policy-src-ip
Directly mapped from the corresponding JSON field.
x-sr-dst-ip
security_result.detection_fields[].key : "x-sr-dst-ip"
security_result.detection_fields[].value : x-sr-dst-ip
Directly mapped from the corresponding JSON field.
x-sr-dst-port
security_result.detection_fields[].key : "x-sr-dst-port"
security_result.detection_fields[].value : x-sr-dst-port
Directly mapped from the corresponding JSON field.
x-type
additional.fields[].key : "xType"
additional.fields[].value.string_value : x-type
Directly mapped from the corresponding JSON field.
x-transaction-id
additional.fields[].key : "transactionId"
additional.fields[].value.string_value : x-transaction-id
Directly mapped from the corresponding JSON field.
N/A
metadata.vendor_name : "Netskope" Hardcoded value in the parser.
N/A
metadata.product_name : "Netskope Webproxy" Set to "Netskope Webproxy" if not already present.
N/A
metadata.log_type : "NETSKOPE_WEBPROXY" Hardcoded value in the parser.
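The derived-value rules in the table above (message format detection, ccl confidence, os platform, x-policy-action, x-ssl-bypass, cs-uri-scheme, and the hardcoded metadata) restated as a small cross-check model. This is an added example, not the Google SecOps parser or any Netskope code: it lets you compare what the parser emits against what the table says it should emit. The DIRECT dictionary covers only a subset of the direct mappings, and the sample record is constructed.

```python
"""Cross-check model of the derived-value rules in the UDM mapping table.
Added example; not the Google SecOps parser. It restates the table's rules
so that parser output can be compared against them. The sample record at
the bottom is constructed, not real Netskope data."""
import json

# "ccl" row: ccl value -> security_result.confidence
CCL_TO_CONFIDENCE = {
    "excellent": "HIGH_CONFIDENCE", "high": "HIGH_CONFIDENCE",
    "medium": "MEDIUM_CONFIDENCE",
    "low": "LOW_CONFIDENCE", "poor": "LOW_CONFIDENCE",
    "unknown": "UNKNOWN_CONFIDENCE", "not_defined": "UNKNOWN_CONFIDENCE",
}
# "os" / "x-c-os" rows, with exactly the spellings the table lists; any extra
# case folding the real parser does is not stated there, so it is not modelled.
OS_TO_PLATFORM = {"Windows": "WINDOWS", "MAC": "MAC", "LINUX": "LINUX"}
# A subset of the direct JSON -> UDM mappings from the table (no derivation).
DIRECT = {
    "x-cs-src-ip": "principal.ip", "x-cs-dst-ip": "target.ip",
    "x-cs-dst-port": "target.port", "x-cs-url": "target.url",
    "cs-method": "network.http.method",
    "sc-status": "network.http.response_code",
    "cs-username": "principal.user.userid",
    "x-cs-sni": "network.tls.client.server_name",
    "x-policy-name": "security_result.rule_name",
    "cs-bytes": "network.sent_bytes", "sc-bytes": "network.received_bytes",
}


def detect_format(message):
    """"message" row: CEF when the text contains "CEF"; otherwise JSON if it
    parses as an object, else it is treated as a space-delimited record."""
    if "CEF" in message:
        return "CEF"
    try:
        if isinstance(json.loads(message), dict):
            return "JSON"
    except ValueError:
        pass
    return "SPACE_DELIMITED"


def derive_confidence(ccl):
    """"ccl" row; a value outside the table's list yields no confidence."""
    return CCL_TO_CONFIDENCE.get(ccl)


def derive_action(policy_action):
    """"x-policy-action" row: uppercase, and only ALLOW / BLOCK are mapped."""
    if policy_action is None:
        return None
    upper = policy_action.upper()
    return upper if upper in ("ALLOW", "BLOCK") else None


def derive_ssl_bypass(bypass, reason):
    """"x-ssl-bypass" row: the reason is used only when bypass is "Yes" and
    a reason is present; otherwise the raw x-ssl-bypass value is kept."""
    return reason if bypass == "Yes" and reason else bypass


def map_json_record(rec):
    """Apply the rules to one JSON-format record; returns a flat dict keyed
    by UDM path, with detection_fields as a list of (key, value) pairs."""
    udm = {
        "metadata.vendor_name": "Netskope",            # hardcoded in the parser
        "metadata.product_name": "Netskope Webproxy",  # set if not present
        "metadata.log_type": "NETSKOPE_WEBPROXY",      # hardcoded in the parser
        "security_result.detection_fields": [],
    }
    for src, dst in DIRECT.items():
        if src in rec:
            udm[dst] = rec[src]
    if "x-cs-timestamp" in rec:   # mapped directly to event_timestamp.seconds
        udm["metadata.event_timestamp.seconds"] = int(rec["x-cs-timestamp"])
    if "cs-uri-scheme" in rec:    # mapped after converting to uppercase
        udm["network.application_protocol"] = rec["cs-uri-scheme"].upper()
    if rec.get("x-c-os") in OS_TO_PLATFORM:
        udm["principal.platform"] = OS_TO_PLATFORM[rec["x-c-os"]]
    if "x-policy-action" in rec:
        udm["security_result.action_details"] = rec["x-policy-action"]
        action = derive_action(rec["x-policy-action"])
        if action:
            udm["security_result.action"] = action
    if "x-ssl-bypass" in rec:     # stored under the literal key "SSL BYPASS"
        value = derive_ssl_bypass(rec["x-ssl-bypass"], rec.get("x-ssl-bypass-reason"))
        udm["security_result.detection_fields"].append(("SSL BYPASS", value))
    return udm


# Constructed sample record in the JSON web proxy format (not real data).
SAMPLE = json.dumps({
    "x-cs-timestamp": "1700000000", "cs-username": "user@example.com",
    "x-cs-src-ip": "10.0.0.5", "x-cs-dst-ip": "203.0.113.10", "x-cs-dst-port": 443,
    "cs-method": "GET", "sc-status": 200, "cs-uri-scheme": "https",
    "x-cs-url": "https://www.example.com/", "x-cs-sni": "www.example.com",
    "x-c-os": "Windows", "x-policy-action": "block", "x-policy-name": "Deny-Uploads",
    "x-ssl-bypass": "Yes", "x-ssl-bypass-reason": "Bypass - Financial category",
})


def map_sample():
    """Run the sample through format detection and mapping."""
    assert detect_format(SAMPLE) == "JSON"
    return map_json_record(json.loads(SAMPLE))


if __name__ == "__main__":
    print(map_sample())
```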
