Key Missing Fields for Web Traffic Logs - TLS Inspection Status
As the title suggests, we need a dictionary field that indicates whether a traffic log was decrypted and inspected or not.
SIEM providers are furiously writing log parsers for various third-party security products. While the prospect of a centralized common event schema like OCSF is appealing, the schema still lags behind the needs of many security products.
I haven't had time to compile a list but I'll work on it.
Primary example: web traffic logs from Zscaler.
The ssldecrypted field indicates whether the transaction was SSL inspected or not. Example values: Yes|No
I propose an additional field, tls_inspection_status (Display Name: TLS Inspection Status; Type: String).
This should be generic enough for most firewall vendors: each can map whatever field indicates that a session flow was decrypted or not, and normalize it to this standard OCSF field.
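One way a SIEM parser could perform that mapping, as an added example that is not part of this proposal or of OCSF: it normalizes Zscaler's ssldecrypted Yes|No value (plus a hypothetical second vendor, examplefw) into a tls_inspection_status string, with the output values "Inspected", "Not Inspected" and "Unknown" chosen here as assumptions.

```python
import json

# Output values are assumptions for this example, not values defined by OCSF.
INSPECTED, NOT_INSPECTED, UNKNOWN = "Inspected", "Not Inspected", "Unknown"

# vendor -> (source field, {raw value lowercased: normalized value}).
# Only Zscaler's 'ssldecrypted' (Yes|No) comes from the cited feed docs;
# 'examplefw' is a hypothetical second vendor showing the same pattern.
VENDOR_FIELDS = {
    "zscaler": ("ssldecrypted", {"yes": INSPECTED, "no": NOT_INSPECTED}),
    "examplefw": ("decrypted", {"true": INSPECTED, "false": NOT_INSPECTED}),
}

def normalize_tls_inspection(vendor: str, record: dict) -> str:
    """Return the tls_inspection_status string for one raw log record.

    A missing field or unrecognised value maps to 'Unknown' rather than to
    either real state, so a parser gap cannot make uninspected traffic look
    inspected (or the reverse).
    """
    mapping = VENDOR_FIELDS.get(vendor.lower())
    if mapping is None:
        return UNKNOWN
    field, values = mapping
    raw = record.get(field)
    return UNKNOWN if raw is None else values.get(str(raw).strip().lower(), UNKNOWN)

def add_tls_inspection_status(vendor: str, record: dict) -> dict:
    """Return a copy of the record with the normalized field added."""
    out = dict(record)
    out["tls_inspection_status"] = normalize_tls_inspection(vendor, record)
    return out

def count_by_status(vendor: str, lines: list) -> dict:
    """Tally statuses over raw JSON lines; a non-zero 'Unknown' flags parser gaps."""
    counts = {INSPECTED: 0, NOT_INSPECTED: 0, UNKNOWN: 0}
    for line in lines:
        counts[normalize_tls_inspection(vendor, json.loads(line))] += 1
    return counts

# Constructed sample lines shaped like a Zscaler web-log JSON feed (values invented).
SAMPLE_LOGS = [
    '{"url": "example.com/a", "ssldecrypted": "Yes"}',
    '{"url": "example.net/b", "ssldecrypted": "No"}',
    '{"url": "example.org/c"}',
    '{"url": "example.org/d", "ssldecrypted": "N/A"}',
]

if __name__ == "__main__":
    print(count_by_status("zscaler", SAMPLE_LOGS))
```

The "Unknown" bucket is the useful signal for a detection engineer: it separates flows the proxy reported as not decrypted from flows whose parser mapping is missing or broken.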
Note: Zscaler is just an example that shows other common web traffic log fields of interest; I'm not suggesting we adhere to their schema or create attributes for all their fields.
I couldn't find other names in the dictionary that approximated a match for TLS inspection status.
Reference: https://help.zscaler.com/zia/nss-feed-output-format-web-logs
Thanks,