Add OCSF normalization pipeline for Zscaler Private Access

[jbfeldman-dd]

What does this PR do?

Adds OCSF normalization to the Zscaler Private Access log pipeline, mapping all ZPA log types to their corresponding OCSF classes:

• Authentication [3002] — audit-logs (sign-in/sign-out events) and user-status
• Network Activity [4001] — user-activity and microsegmentation
• HTTP Activity [4002] — app-protection and browser-access
• Device Inventory Info [5001] — app-connector-status, private-service-edge-status, private-cloud-controller-status
• API Activity [6003] — audit-logs CRUD operations (Create, Update, Delete, Download)

Also includes:

• Test expectations for all 8 log samples validated by the OCSF validator (100% required field coverage)

Motivation

Enable OCSF-normalized security telemetry for Zscaler Private Access logs, supporting standardized cross-vendor analysis in Datadog.

🤖 Generated with Claude Code, edited by humans

[dd-octo-sts]

Validation Report

All 21 validations passed.

Show details

Validation	Description	Status
agent-reqs	Verify check versions match the Agent requirements file	✅
ci	Validate CI configuration and code coverage settings	✅
codeowners	Validate every integration has a CODEOWNERS entry	✅
config	Validate default configuration files against spec.yaml	✅
dep	Verify dependency pins are consistent and Agent-compatible	✅
http	Validate integrations use the HTTP wrapper correctly	✅
imports	Validate check imports do not use deprecated modules	✅
integration-style	Validate check code style conventions	✅
jmx-metrics	Validate JMX metrics definition files and config	✅
labeler	Validate PR labeler config matches integration directories	✅
legacy-signature	Validate no integration uses the legacy Agent check signature	✅
license-headers	Validate Python files have proper license headers	✅
licenses	Validate third-party license attribution list	✅
metadata	Validate metadata.csv metric definitions	✅
models	Validate configuration data models match spec.yaml	✅
openmetrics	Validate OpenMetrics integrations disable the metric limit	✅
package	Validate Python package metadata and naming	✅
qa-label	Validate the pull request declares whether it needs QA for the next Agent release	✅
readmes	Validate README files have required sections	✅
saved-views	Validate saved view JSON file structure and fields	✅
version	Validate version consistency between package and changelog	✅

View full run

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 58ee1f7cc9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Map edge/controller names into device inventory

When this shared Device Inventory pipeline handles private-service-edge-status or private-cloud-controller-status (the filter includes both services), the configured log formats populate ServiceEdge/PrivateCloudController rather than Connector (see zscaler_private_access/README.md lines 123 and 143). Because this remapper only reads Connector, those OCSF events lose ocsf.device.name; include the service-specific name fields (and the matching group fields) or split the pipeline per service.

Useful? React with 👍 / 👎.