[Zscaler ZIA] Add dynamic ECS mapping as well as resolve the issue relate to User Agent and NA fields. (#5420)

* Add support for dynamic ECS mapping as well as resolve the issue related to the user agent field and fields that contain a NA value * Update Changelog Entry * Update ReadMe

Author: ashaka-elastic

packages/zscaler_zia/_dev/build/build.yml

@@ -1,3 +1,4 @@
 dependencies:
  ecs:
- reference: git@8.6
+ reference: git@v8.6.0
+ import_mappings: true

packages/zscaler_zia/_dev/build/docs/README.md

@@ -52,6 +52,8 @@ The log message is expected to be in JSON format. The data is mapped to ECS fiel
 
 **Please make sure to use the given response formats for NSS and Cloud NSS Feeds.**
 
+Note: Please make sure to use latest version of given response formats.
+
 ## Compatibility
 
 This package has been tested against `Zscaler Internet Access version 6.1`
@@ -64,7 +66,7 @@ This package has been tested against `Zscaler Internet Access version 6.1`
 
 See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/about-alerts)
 
-Zscaler response format: 
+Zscaler response format (v1): 
 ```
 <%d{syslogid}>%s{Monthname} %2d{Dayofmonth} %02d{Hour}:%02d{Minutes}:%02d{Seconds} [%s{Deviceip}] ZscalerNSS: %s{Eventinfo}\n
 ```
@@ -81,7 +83,7 @@ Sample Response:
 
 See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/nss-feed-output-format-dns-logs)
 
-Zscaler response format: 
+Zscaler response format (v1): 
 ```
 \{ "sourcetype" : "zscalernss-dns", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","reqaction":"%s{reqaction}","resaction":"%s{resaction}","reqrulelabel":"%s{reqrulelabel}","resrulelabel":"%s{resrulelabel}","dns_reqtype":"%s{reqtype}","dns_req":"%s{req}","dns_resp":"%s{res}","srv_dport":"%d{sport}","durationms":"%d{durationms}","clt_sip":"%s{cip}","srv_dip":"%s{sip}","category":"%s{domcat}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}
 ```
@@ -98,7 +100,7 @@ Sample Response:
 
 See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs)
 
-Zscaler response format: 
+Zscaler response format (v1): 
 ```
 \{ "sourcetype" : "zscalernss-fw", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","locationname":"%s{elocation}","cdport":"%d{cdport}","csport":"%d{csport}","sdport":"%d{sdport}","ssport":"%d{ssport}","csip":"%s{csip}","cdip":"%s{cdip}","ssip":"%s{ssip}","sdip":"%s{sdip}","tsip":"%s{tsip}","tunsport":"%d{tsport}","tuntype":"%s{ttype}","action":"%s{action}","dnat":"%s{dnat}","stateful":"%s{stateful}","aggregate":"%s{aggregate}","nwsvc":"%s{nwsvc}","nwapp":"%s{nwapp}","proto":"%s{ipproto}","ipcat":"%s{ipcat}","destcountry":"%s{destcountry}","avgduration":"%d{avgduration}","rulelabel":"%s{erulelabel}","inbytes":"%ld{inbytes}","outbytes":"%ld{outbytes}","duration":"%d{duration}","durationms":"%d{durationms}","numsessions":"%d{numsessions}","ipsrulelabel":"%s{ipsrulelabel}","threatcat":"%s{threatcat}","threatname":"%s{ethreatname}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}
 ```
@@ -115,7 +117,7 @@ Sample Response:
 
 See: [Zscaler Vendor documentation]( https://help.zscaler.com/zia/nss-feed-output-format-tunnel-logs)
 
-Zscaler response format:
+Zscaler response format (v1):
 - Tunnel Event:
  ```
  \{ "sourcetype" : "zscalernss-tunnel", "event" : \{"datetime":"%s{datetime}","Recordtype":"%s{tunnelactionname}","tunneltype":"%s{tunneltype}","user":"%s{vpncredentialname}","location":"%s{elocationname}","sourceip":"%s{sourceip}","destinationip":"%s{destvip}","sourceport":"%d{srcport}","event":"%s{event}","eventreason":"%s{eventreason}","recordid":"%d{recordid}"\}\}
@@ -147,14 +149,14 @@ Sample Response:
 ![Escape feed setup image](../img/escape_feed.png?raw=true) 
 See: [Zscaler Vendor documentation](https://help.zscaler.com/zia/nss-feed-output-format-web-logs)
 
-Zscaler response format: 
+Zscaler response format (v2): 
 ```
-\{ "sourcetype" : "zscalernss-web", "event" :\{"time":"%s{time}","login":"%s{login}","proto":"%s{proto}","eurl":"%s{eurl}","action":"%s{action}","appname":"%s{appname}","appclass":"%s{appclass}","reqsize":"%d{reqsize}","respsize":"%d{respsize}","stime":"%d{stime}","ctime":"%d{ctime}","urlclass":"%s{urlclass}","urlsupercat":"%s{urlsupercat}","urlcat":"%s{urlcat}","malwarecat":"%s{malwarecat}","threatname":"%s{threatname}","riskscore":"%d{riskscore}","dlpeng":"%s{dlpeng}","dlpdict":"%s{dlpdict}","location":"%s{location}","dept":"%s{dept}","cip":"%s{cip}","sip":"%s{sip}","reqmethod":"%s{reqmethod}","respcode":"%s{respcode}","ua":"%s{ua}","ereferer":"%s{ereferer}","ruletype":"%s{ruletype}","rulelabel":"%s{rulelabel}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}
+\{ "sourcetype" : "zscalernss-web", "event" :\{"time":"%s{time}","login":"%s{login}","proto":"%s{proto}","eurl":"%s{eurl}","action":"%s{action}","appname":"%s{appname}","appclass":"%s{appclass}","reqsize":"%d{reqsize}","respsize":"%d{respsize}","stime":"%d{stime}","ctime":"%d{ctime}","urlclass":"%s{urlclass}","urlsupercat":"%s{urlsupercat}","urlcat":"%s{urlcat}","malwarecat":"%s{malwarecat}","threatname":"%s{threatname}","riskscore":"%d{riskscore}","dlpeng":"%s{dlpeng}","dlpdict":"%s{dlpdict}","location":"%s{location}","dept":"%s{dept}","cip":"%s{cip}","sip":"%s{sip}","reqmethod":"%s{reqmethod}","respcode":"%s{respcode}","eua":"%s{eua}","ereferer":"%s{ereferer}","ruletype":"%s{ruletype}","rulelabel":"%s{rulelabel}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}
 ```
 
 Sample Response: 
 ```json
-{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:04:57 2021","login":"test@example.com","proto":"HTTP_PROXY","eurl":"browser.events.data.msn.com:443","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"600","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.145","reqmethod":"CONNECT","respcode":"200","ua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}}
+{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:04:57 2021","login":"test@example.com","proto":"HTTP_PROXY","eurl":"browser.events.data.msn.com:443","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"600","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.145","reqmethod":"CONNECT","respcode":"200","eua":"Windows%20Microsoft%20Windows%2010%20Pro%20ZTunnel%2F1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}}
 ```
 
 Caveats:

packages/zscaler_zia/_dev/deploy/docker/docker-compose.yml

@@ -1,37 +1,37 @@
 version: "2.3"
 services:
  zscaler-zia-alerts-tcp:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.10.0
  volumes:
  - ./sample_logs:/sample_logs:ro
  entrypoint: /bin/bash
  command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9010 -p=tcp /sample_logs/alerts.log"
  zscaler-zia-dns-tcp:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.10.0
  volumes:
  - ./sample_logs:/sample_logs:ro
  entrypoint: /bin/bash
  command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9011 -p=tcp /sample_logs/dns.log"
  zscaler-zia-firewall-tcp:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.10.0
  volumes:
  - ./sample_logs:/sample_logs:ro
  entrypoint: /bin/bash
  command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9012 -p=tcp /sample_logs/firewall.log"
  zscaler-zia-tunnel-tcp:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.10.0
  volumes:
  - ./sample_logs:/sample_logs:ro
  entrypoint: /bin/bash
  command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9013 -p=tcp /sample_logs/tunnel.log"
  zscaler-zia-web-tcp:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.10.0
  volumes:
  - ./sample_logs:/sample_logs:ro
  entrypoint: /bin/bash
  command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9014 -p=tcp /sample_logs/web.log"
  zscaler-zia-dns-http-endpoint:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.10.0
  volumes:
  - ./sample_logs:/sample_logs:ro
  environment:
@@ -40,7 +40,7 @@ services:
  - STREAM_WEBHOOK_HEADER=Content-Type=application/ndjson
  command: log --start-signal=SIGHUP --delay=5s /sample_logs/dns-http_endpoint.log
  zscaler-zia-firewall-http-endpoint:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.10.0
  volumes:
  - ./sample_logs:/sample_logs:ro
  environment:
@@ -49,7 +49,7 @@ services:
  - STREAM_WEBHOOK_HEADER=Content-Type=application/ndjson
  command: log --start-signal=SIGHUP --delay=5s /sample_logs/firewall-http_endpoint.log
  zscaler-zia-tunnel-http-endpoint:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.10.0
  volumes:
  - ./sample_logs:/sample_logs:ro
  environment:
@@ -58,7 +58,7 @@ services:
  - STREAM_WEBHOOK_HEADER=Content-Type=application/ndjson
  command: log --start-signal=SIGHUP --delay=5s /sample_logs/tunnel-http_endpoint.log
  zscaler-zia-web-http-endpoint:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.10.0
  volumes:
  - ./sample_logs:/sample_logs:ro
  environment:

packages/zscaler_zia/_dev/deploy/docker/sample_logs/web-http_endpoint.log

@@ -1 +1 @@
-{ "sourcetype" : "zscalernss-web", "event" :{"time":"2021-12-31 08:08:08","login":"test@example.com","proto":"HTTP_PROXY","eurl":"www.example.com","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"600","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"1.128.3.4","sip":"1.128.3.4","reqmethod":"CONNECT","respcode":"200","ua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}}
+{ "sourcetype" : "zscalernss-web", "event" :{"time":"2021-12-31 08:08:08","login":"test@example.com","proto":"HTTP_PROXY","eurl":"www.example.com","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"600","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"1.128.3.4","sip":"1.128.3.4","reqmethod":"CONNECT","respcode":"200","eua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}}

packages/zscaler_zia/_dev/deploy/docker/sample_logs/web.log

@@ -1,5 +1,5 @@
-{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:04:57 2021","login":"test@example.com","proto":"HTTP_PROXY","eurl":"www.example.com","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"600","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.145","reqmethod":"CONNECT","respcode":"200","ua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}}
-{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:06:18 2021","login":"test@example.com","proto":"HTTPS","eurl":"www.example.com.com/join/","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"218","respsize":"14230","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Business and Economy","urlcat":"Corporate Marketing","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"89.160.20.156","reqmethod":"POST","respcode":"403","ua":"Microsoft-Delivery-Optimization/10.0","ereferer":"None","ruletype":"SSLPol","rulelabel":"SSL_1","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}}
-{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:05:35 2021","login":"test@example.com","proto":"HTTP_PROXY","eurl":"www.example.com","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"600","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"89.160.20.112","reqmethod":"CONNECT","respcode":"200","ua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}}
-{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:05:35 2021","login":"test@example.com","proto":"HTTP_PROXY","eurl":"www.example.com","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"555","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.144","reqmethod":"CONNECT","respcode":"200","ua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}}
-{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:37:28 2021","login":"test@example.com","proto":"HTTPS","eurl":"www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"297","respsize":"14135","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Business and Economy","urlcat":"Corporate Marketing","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.143","reqmethod":"GET","respcode":"403","ua":"Microsoft-Delivery-Optimization/10.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Access Blocked","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}}
+{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:04:57 2021","login":"test@example.com","proto":"HTTP_PROXY","eurl":"www.example.com","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"600","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.145","reqmethod":"CONNECT","respcode":"200","eua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}}
+{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:06:18 2021","login":"test@example.com","proto":"HTTPS","eurl":"www.example.com.com/join/","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"218","respsize":"14230","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Business and Economy","urlcat":"Corporate Marketing","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"89.160.20.156","reqmethod":"POST","respcode":"403","eua":"Microsoft-Delivery-Optimization/10.0","ereferer":"None","ruletype":"SSLPol","rulelabel":"SSL_1","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}}
+{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:05:35 2021","login":"test@example.com","proto":"HTTP_PROXY","eurl":"www.example.com","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"600","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"89.160.20.112","reqmethod":"CONNECT","respcode":"200","eua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}}
+{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:05:35 2021","login":"test@example.com","proto":"HTTP_PROXY","eurl":"www.example.com","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"555","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.144","reqmethod":"CONNECT","respcode":"200","eua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}}
+{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:37:28 2021","login":"test@example.com","proto":"HTTPS","eurl":"www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"297","respsize":"14135","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Business and Economy","urlcat":"Corporate Marketing","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.143","reqmethod":"GET","respcode":"403","eua":"Microsoft-Delivery-Optimization/10.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Access Blocked","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}}