Merge branch 'master' into sam.fraser/ECT-5370-creates-events

Author: fraseriver

rum_react/CHANGELOG.md

@@ -1,5 +1,11 @@
 # CHANGELOG - React
 
+## 3.0.0
+
+**_Added_**:
+
+* Add documentation for the TanStack Router integration
+
 ## 2.0.0
 
 * Add documentation for the RUM React integration plugin

rum_react/README.md

@@ -134,6 +134,29 @@ const router = createBrowserRouter([
 ReactDOM.createRoot(document.getElementById('root')).render(<RouterProvider router={router} />)
 ```
 
+## TanStack Router integration
+
+[TanStack Router][14] is a typesafe router for React. To track route changes with the Datadog RUM Browser SDK, first initialize the `reactPlugin` with the `router: true` option, then replace `createRouter` from `@tanstack/react-router` with its equivalent from `@datadog/browser-rum-react/tanstack-router`. Example:
+
+```javascript
+import { RouterProvider } from '@tanstack/react-router'
+import { datadogRum } from '@datadog/browser-rum'
+import { reactPlugin } from '@datadog/browser-rum-react'
+// Use "createRouter" from @datadog/browser-rum-react/tanstack-router instead of @tanstack/react-router:
+import { createRouter } from '@datadog/browser-rum-react/tanstack-router'
+
+datadogRum.init({
+  ...
+  plugins: [reactPlugin({ router: true })],
+})
+
+const router = createRouter({ routeTree })
+
+ReactDOM.createRoot(document.getElementById('root')).render(<RouterProvider router={router} />)
+```
+
+RUM creates a new view on every path change. The view name uses the route's `fullPath` template, so navigating to `/posts/42` is reported as `/posts/$postId`. Catch-all (splat) segments are replaced with the matched path, so `/files/$` with `_splat = "path/to/file"` becomes `/files/path/to/file`. Query string changes do not create a new view.
+
 ## Go further with Datadog React integration
 
 ### Traces
@@ -171,3 +194,4 @@ Additional helpful documentation, links, and articles:
 [11]: https://docs.datadoghq.com/real_user_monitoring/generate_metrics
 [12]: https://docs.datadoghq.com/help/
 [13]: https://www.datadoghq.com/blog/datadog-rum-react-components/
+[14]: https://tanstack.com/router/latest

zabbix/manifest.json

@@ -34,7 +34,7 @@
         "spec": "assets/configuration/spec.yaml"
       },
       "events": {
-        "creates_events": false
+        "creates_events": true
       },
       "metrics": {
         "prefix": "zabbix.",
@@ -48,4 +48,4 @@
       "auto_install": true
     }
   }
-}
+}

zscaler/CHANGELOG.md

@@ -1,5 +1,68 @@
 # CHANGELOG - ZScaler
 
+## 2.1.0 / 2026-05-04
+
+**Added**
+
+* Added OCSF 1.5.0 normalization for every `zscalernss-*` log type. Each
+  log routes through exactly one OCSF sub-pipeline based on sourcetype
+  (and, for CASB, severity):
+
+  * `zscalernss-web` → HTTP Activity [4002]
+  * `zscalernss-fw` → Network Activity [4001]
+  * `zscalernss-dns` → DNS Activity [4003]
+  * `zscalernss-tunnel` → Tunnel Activity [4014]
+  * `zscalernss-emaildlp` → Data Security Finding [2006]
+  * `zscalernss-endpointdlp` → Data Security Finding [2006]
+  * `zscalernss-casb` (with severity) → Data Security Finding [2006] (CASB DLP)
+  * `zscalernss-casb` (no severity) → File Hosting Activity [6006]
+  * `zscalernss-audit` (`LOGIN` / `AUTH`) → Authentication [3002]
+  * `zscalernss-audit` (`USER_MANAGEMENT` / `ROLE_MANAGEMENT`) → Account Change [3001]
+  * `zscalernss-audit` (any other category) → API Activity [6003]
+  * everything else → Base Event [0]
+
+**Changed**
+
+* Pre-OCSF firewall protocol mapper now reads from both
+  `zscaler.proto` (the documented NSS feed field) and
+  `zscaler.ipproto`.
+
+* Account Change postaction handling: removed
+  `zscaler.resource → ocsf.user.name` (`resource` is the role name for
+  `ROLE_MANAGEMENT` events, not a user). Replaced with
+  `postaction.name` / `postaction.roleName` and `postaction.email`
+  mappings for both `USER_MANAGEMENT` and `ROLE_MANAGEMENT` branches.
+
+* Authentication: `zscaler.recordid` now maps to `ocsf.metadata.uid`
+  instead of `ocsf.session.uid` (recordid doesn't persist across a
+  login session).
+
+* Endpoint DLP `data_security.detection_system_id` corrected from
+  `Endpoint` / `1` (EDR) to `Data Loss Prevention` / `2`. EDR is a
+  different OCSF detection system; Endpoint DLP is DLP.
+
+* `zscalernss-fw` Network Activity filter admits
+  `ipsrulelabel:None` / `threatname:None` placeholder values — the
+  documented Zscaler firewall feed populates these placeholders on
+  non-threat policy events too.
+
+* Several existing pre-OCSF `attribute-remapper`s flipped from
+  `preserveSource: false` to `preserveSource: true` (e.g. `clt_sip` →
+  `network.client.ip`, `srv_dip` → `network.destination.ip`,
+  `dns_req` → `dns.question.name`) so the OCSF sub-pipelines can still
+  read the original `zscaler.*` fields. No existing attribute paths
+  were deleted.
+
+**Removed**
+
+* Previous synthetic `zscalernss-alert` handling: the pre-pipeline that
+  fabricated a `sourcetype` from `alertId`, the pre-OCSF `Alert`
+  description-grok, and the OCSF "ZIA Alert" sub-pipeline. Real Zscaler
+  "alerts" are NSS DLP / CASB logs identified by severity, which now
+  route to Data Security Finding [2006]; web / fw traffic stays in
+  HTTP Activity [4002] / Network Activity [4001] regardless of
+  severity, with no synthetic Detection Finding [2004] sub-pipeline.
+
 ## 2.0.0 / 2025-08-27
 
 **Changed**: