[Zscaler] integration - ua field, input that breaks the json format

[Androulakakis]

Hello,

There are several inputs that zscaler produces that contain the characters " or \ which will break the json format and result in a parsing error.

This happens when the user agent is not a standard browser.

Example outputs from Zscaler:

1. "ua" :"SophosUpdate/6.13.1014 SDDS/3.0 (t="b418847e-15a5-447e-ba86-a6bc3b88ee74" d="36838224-3a41-412a-9033-be8e5f9bd4d6" os="WIN_10_X64" osrel="2009 19042.1237")"
2. "ua" :"Name:C:\Program Files (x86)\ZohoMeeting\UnAttended\ZohoMeeting\ZohoURSService.exe,Version:1.0.0.96,Build:assist.zoho.com,OS:Windows 10 Enterprise 6.2.9200 ,Server:0,TimeStamp:Date:Apr 17 2018 @ 13:57:23(Windows 10 Enterprise 6.2.9200 ) APP:C:\Program Files (x86)\ZohoMeeting\UnAttended\ZohoMeeting\ZohoURSService.exe assist.zoho.com TimeStamp:Date:Apr 17 2018 @ 13:57:23 PCNAME:deleted"

Please advise the use of "eua" in https://github.com/elastic/integrations/tree/main/packages/zscaler_zia#readme
which will hex encode these characters as described here: https://help.zscaler.com/zia/nss-feed-output-format-web-logs

It would be beneficial to add a processor to decode this field afterwards.

Kind regards

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[ashaka-elastic]

@Androulakakis, we are looking into this issue.

[elasticmachine]

Package zscaler_zia - 2.7.1 containing this change is available at https://epr.elastic.co/search?package=zscaler_zia