I'm working on ingesting Zscaler ZIA logs and I'm trying to understand the mapping. I'm looking at the following websites:
Zscaler Internet Access | Elastic docs for what happens inside Elastic/Kibana, and NSS Feed Output Format: DNS Logs | Zscaler as well as NSS Feed Output Format: Firewall Logs | Zscaler for what Zscaler is sending. The problem is that while the docs from Elastic show the format of the document inside Elastic, they do NOT say which Zscaler fields are mapped to which Elastic fields. For some you can make an educated guess, but not all are readily apparent.
For example, the Zscaler firewall log has csip and ssip (for client source IP and server source IP), but I'm not sure which gets mapped to source.ip in Elastic. Or does that become an array where both are mapped?
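The Zscaler field to ECS field mapping is not in the integration's reference docs because it lives in the integration's ingest pipeline: for a Fleet-installed integration you can fetch it with `GET _ingest/pipeline/logs-zscaler_zia.firewall-<version>` (the `logs-<integration>.<data_stream>-<version>` naming is the usual Fleet convention; confirm the exact name with `GET _ingest/pipeline/logs-zscaler_zia*`), or read the pipeline YAML shipped in the package in the elastic/integrations repository. The script below is an added example, not code from Elastic or from the original post: it walks a pipeline's `rename`, `set` and `append` processors and reports where each field ends up, and which target fields collect more than one source (those are the ones that become arrays, like `related.ip`). The embedded `SAMPLE_PIPELINE` is constructed to exercise the parser; its csip/ssip mappings are made up for illustration and are not the real integration's mapping, so run it against the pipeline JSON you fetch from your cluster.

```python
"""Extract source-field -> target-field mappings from an Elasticsearch ingest pipeline.

Added example, not part of the Elastic zscaler_zia integration. It assumes the
pipeline JSON was fetched with GET _ingest/pipeline/<pipeline-name> and uses the
documented config keys of the rename / set / append processors. SAMPLE_PIPELINE is
constructed for illustration only; its field mappings are NOT the real integration's.
"""
import json
import re

# Mustache references like {{{source.ip}}} or {{source.ip}} inside set/append values.
TEMPLATE_REF = re.compile(r"\{\{\{?\s*([A-Za-z0-9_.@]+)\s*\}?\}\}")

SAMPLE_PIPELINE = json.loads(r'''
{
  "description": "constructed sample, not the shipped zscaler_zia firewall pipeline",
  "processors": [
    {"json":   {"field": "message", "target_field": "zscaler_zia.firewall"}},
    {"rename": {"field": "zscaler_zia.firewall.csip", "target_field": "source.ip", "ignore_missing": true}},
    {"rename": {"field": "zscaler_zia.firewall.cdip", "target_field": "destination.ip", "ignore_missing": true}},
    {"rename": {"field": "zscaler_zia.firewall.ssip", "target_field": "zscaler_zia.firewall.server.source.ip", "ignore_missing": true}},
    {"set":    {"field": "event.action", "copy_from": "zscaler_zia.firewall.action", "ignore_empty_value": true}},
    {"append": {"field": "related.ip", "value": "{{{source.ip}}}", "allow_duplicates": false}},
    {"append": {"field": "related.ip", "value": "{{{destination.ip}}}", "allow_duplicates": false}},
    {"append": {"field": "related.ip", "value": "{{{zscaler_zia.firewall.server.source.ip}}}", "allow_duplicates": false}},
    {"remove": {"field": "message", "ignore_missing": true}}
  ]
}
''')


def extract_mapping(pipeline):
    """Return (source_field, target_field, how) triples in processor order.

    how is "rename" (value moves), "copy" (set: value duplicated) or
    "append" (target becomes/extends an array, so several sources can share it).
    Processors that do not move data between named fields (json, grok, remove, ...)
    are skipped; grok/dissect work on the raw message, not on field-to-field moves.
    """
    rows = []
    for proc in pipeline.get("processors", []):
        for ptype, cfg in proc.items():
            if ptype == "rename":
                rows.append((cfg["field"], cfg["target_field"], "rename"))
            elif ptype == "set":
                if "copy_from" in cfg:
                    rows.append((cfg["copy_from"], cfg["field"], "copy"))
                else:
                    for ref in TEMPLATE_REF.findall(str(cfg.get("value", ""))):
                        rows.append((ref, cfg["field"], "copy"))
            elif ptype == "append":
                values = cfg.get("value", [])
                if not isinstance(values, list):
                    values = [values]
                for v in values:
                    for ref in TEMPLATE_REF.findall(str(v)):
                        rows.append((ref, cfg["field"], "append"))
    return rows


def destinations(rows, field):
    """Follow rename/copy/append edges from `field` and return every field it reaches."""
    seen, frontier = set(), [field]
    while frontier:
        cur = frontier.pop()
        for src, dst, _ in rows:
            if src == cur and dst not in seen:
                seen.add(dst)
                frontier.append(dst)
    return sorted(seen)


def array_targets(rows):
    """Target fields that receive more than one distinct source via append (arrays)."""
    sources = {}
    for src, dst, how in rows:
        if how == "append":
            sources.setdefault(dst, set()).add(src)
    return {dst: sorted(srcs) for dst, srcs in sources.items() if len(srcs) > 1}


if __name__ == "__main__":
    rows = extract_mapping(SAMPLE_PIPELINE)
    for src, dst, how in rows:
        print(f"{how:7} {src} -> {dst}")
    for zfield in ("zscaler_zia.firewall.csip", "zscaler_zia.firewall.ssip"):
        print(zfield, "ends up in:", destinations(rows, zfield))
    print("array fields:", array_targets(rows))
```

To use it on a real cluster, replace `SAMPLE_PIPELINE` with `json.load(...)` of the response to `GET _ingest/pipeline/<pipeline-name>` (the response is keyed by pipeline name, so pass the inner object). If a field you care about shows up only inside a `grok`, `dissect` or `script` processor, the script will not list it; read that processor directly, since those carry positional or scripted logic this simple walk does not follow.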