JSON Output format string for Zscaler NSS

Hi All,
Working with the team on something, and managed to generate a JSON output format for NSS-Web. Sharing here for posterity.

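BLOB (no new lines) - paste this in as NSS Custom String. Use plain ASCII double quotes throughout; curly quotes picked up from a browser or word processor make the output invalid JSON. Field values are substituted into the string as-is, so check that the feed's escape-character setting covers the double quote; otherwise a value such as a user agent or file name containing a quote will break parsing downstream.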

[{"action":"%s{action}","appclass":"%s{appclass}","appname":"%s{appname}","bwclassname":"%s{bwclassname}","bwrulename":"%s{bwrulename}","bwthrottle":"%s{bwthrottle}","ClientIP":"%s{cip}","clientpublicIP":"%s{cintip}","clientsslcipher":"%s{clientsslcipher}","clientsslsessreuse":"%s{clientsslsessreuse}","clienttlsversion":"%s{clienttlsversion}","clienttranstime":"%d{ctime}","contenttype":"%s{contenttype}","contenttype__1":"%s{contenttype}","department":"%s{dept}","dept":"%s{dept}","deviceappversion":"%s{deviceappversion}","devicemodel":"%s{devicemodel}","devicename":"%s{devicename}","devicename__1":"%s{devicename}","deviceostype":"%s{deviceostype}","deviceostype__1":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","deviceplatform":"%s{deviceplatform}","dlpdicthitcount":"%s{dlpdicthitcount}","dlpdictionaries":"%s{dlpdict}","dlpengine":"%s{dlpeng}","dlpidentifier":"%d{dlpidentifier}","dlpmd5":"%s{dlpmd5}","ehost":"%s{ehost}","epochtime":"%d{epochtime}","ereferer":"%s{ereferer}","event_id":"%d{recordid}","fileclass":"%s{fileclass}","filename":"%s{filename}","filesubtype":"%s{filesubtype}","filetype":"%s{filetype}","hostname":"%s{ehost}","location":"%s{location}","md5":"%s{bamd5}","mobappcat":"%s{mobappcat}","mobappname":"%s{mobappname}","mobdevtype":"%s{mobdevtype}","module":"%s{module}","ologin":"%s{ologin}","pagerisk":"%d{riskscore}","product":"NSS","productversion":"%s{productversion}","protocol":"%s{proto}","reason":"%s{reason}","refererURL":"%s{ereferer}","reqdatasize":"%d{reqdatasize}","reqhdrsize":"%d{reqhdrsize}","requestmethod":"%s{reqmethod}","requestsize":"%d{reqsize}","respdatasize":"%d{respdatasize}","resphdrsize":"%d{resphdrsize}","responsesize":"%d{respsize}","respsize":"%d{respsize}","respversion":"%s{respversion}","rulelabel":"%s{rulelabel}","ruletype":"%s{ruletype}","serverip":"%s{sip}","serversslsessreuse":"%s{serversslsessreuse}","servertranstime":"%d{stime}","srvcertchainvalpass":"%s{srvcertchainvalpass}","srvcertvalidationtype":"%s{srvcertvalidationtype}","srvcertvalidityperiod":"%s{srvcertvalidityperiod}","srvocspresult":"%s{srvocspresult}","srvsslcipher":"%s{srvsslcipher}","srvtlsversion":"%s{srvtlsversion}","srvwildcardcert":"%s{srvwildcardcert}","status":"%s{respcode}","threatcategory":"%s{malwarecat}","threatclass":"%s{malwareclass}","threatname":"%s{threatname}","throttlereqsize":"%d{throttlereqsize}","throttlerespsize":"%d{throttlerespsize}","trafficredirectmethod":"%s{trafficredirectmethod}","transactionsize":"%d{totalsize}","tz":"%s{tz}","ua_token":"%s{ua_token}","uaclass":"%s{uaclass}","url":"%s{eurl}","urlcategory":"%s{urlcat}","urlclass":"%s{urlclass}","urlsupercategory":"%s{urlsupercat}","user":"%s{login}","useragent":"%s{ua}","vendor":"Zscaler"}]

Pretty/readable JSON:

[
  {
    "action": "%s{action}",
    "appclass": "%s{appclass}",
    "appname": "%s{appname}",
    "bwclassname": "%s{bwclassname}",
    "bwrulename": "%s{bwrulename}",
    "bwthrottle": "%s{bwthrottle}",
    "ClientIP": "%s{cip}",
    "clientpublicIP": "%s{cintip}",
    "clientsslcipher": "%s{clientsslcipher}",
    "clientsslsessreuse": "%s{clientsslsessreuse}",
    "clienttlsversion": "%s{clienttlsversion}",
    "clienttranstime": "%d{ctime}",
    "contenttype": "%s{contenttype}",
    "dept": "%s{dept}",
    "deviceappversion": "%s{deviceappversion}",
    "devicemodel": "%s{devicemodel}",
    "devicename": "%s{devicename}",
    "deviceostype": "%s{deviceostype}",
    "deviceosversion": "%s{deviceosversion}",
    "deviceplatform": "%s{deviceplatform}",
    "dlpdicthitcount": "%s{dlpdicthitcount}",
    "dlpdictionaries": "%s{dlpdict}",
    "dlpengine": "%s{dlpeng}",
    "dlpidentifier": "%d{dlpidentifier}",
    "dlpmd5": "%s{dlpmd5}",
    "ehost": "%s{ehost}",
    "epochtime": "%d{epochtime}",
    "ereferer": "%s{ereferer}",
    "event_id": "%d{recordid}",
    "fileclass": "%s{fileclass}",
    "filename": "%s{filename}",
    "filesubtype": "%s{filesubtype}",
    "filetype": "%s{filetype}",
    "hostname": "%s{ehost}",
    "location": "%s{location}",
    "md5": "%s{bamd5}",
    "mobappcat": "%s{mobappcat}",
    "mobappname": "%s{mobappname}",
    "mobdevtype": "%s{mobdevtype}",
    "module": "%s{module}",
    "ologin": "%s{ologin}",
    "pagerisk": "%d{riskscore}",
    "product": "NSS",
    "productversion": "%s{productversion}",
    "protocol": "%s{proto}",
    "reason": "%s{reason}",
    "refererURL": "%s{ereferer}",
    "reqdatasize": "%d{reqdatasize}",
    "reqhdrsize": "%d{reqhdrsize}",
    "requestmethod": "%s{reqmethod}",
    "requestsize": "%d{reqsize}",
    "respdatasize": "%d{respdatasize}",
    "resphdrsize": "%d{resphdrsize}",
    "responsesize": "%d{respsize}",
    "respsize": "%d{respsize}",
    "respversion": "%s{respversion}",
    "rulelabel": "%s{rulelabel}",
    "ruletype": "%s{ruletype}",
    "serverip": "%s{sip}",
    "serversslsessreuse": "%s{serversslsessreuse}",
    "servertranstime": "%d{stime}",
    "srvcertchainvalpass": "%s{srvcertchainvalpass}",
    "srvcertvalidationtype": "%s{srvcertvalidationtype}",
    "srvcertvalidityperiod": "%s{srvcertvalidityperiod}",
    "srvocspresult": "%s{srvocspresult}",
    "srvsslcipher": "%s{srvsslcipher}",
    "srvtlsversion": "%s{srvtlsversion}",
    "srvwildcardcert": "%s{srvwildcardcert}",
    "status": "%s{respcode}",
    "threatcategory": "%s{malwarecat}",
    "threatclass": "%s{malwareclass}",
    "threatname": "%s{threatname}",
    "throttlereqsize": "%d{throttlereqsize}",
    "throttlerespsize": "%d{throttlerespsize}",
    "trafficredirectmethod": "%s{trafficredirectmethod}",
    "transactionsize": "%d{totalsize}",
    "tz": "%s{tz}",
    "ua_token": "%s{ua_token}",
    "uaclass": "%s{uaclass}",
    "url": "%s{eurl}",
    "urlcategory": "%s{urlcat}",
    "urlclass": "%s{urlclass}",
    "urlsupercategory": "%s{urlsupercat}",
    "user": "%s{login}",
    "useragent": "%s{ua}",
    "vendor": "Zscaler"
  }
]