Cloud NSS bicep templates and format files generate extraneous data, driving up costs. #2

@ktb-jcm

Description

The bicep template at https://github.com/zscaler/microsoft-resources/blob/7d174e666cb7367b2a31120afe0492d1af4a2eec/microsoft-sentinel/zia-log-feeds/web/cloud-nss-web.bicep uses a transform KQL that projects many fields, regardless of whether they exist in the inbound data.

The result is extraneous data added to the AdditionalExtensions field in CommonSecurityLog of Microsoft Sentinel, up to nearly 2 kilobytes per record. For the innumerical, that means 14+ GB of ingest and storage for every 10 million logs.

Zscaler ticket 05737632 is open for this issue.

Solution would be an updated transform that logically projects only those fields where a value exists.
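As an added illustration of the two transform shapes the issue contrasts (not code from the zscaler/microsoft-resources repository, and the field names `fieldA`, `fieldB`, `fieldC` are hypothetical placeholders rather than real ZIA web-log keys), the first query below unconditionally emits a `key=` pair for every projected column, so each empty column still costs its key name and delimiter in `AdditionalExtensions`; the second emits a pair only when the column carries a value. Both assume the DCR transformation input stream `source` and the KQL functions `iff`, `isnotempty`, `strcat` and `tostring`, which are in the subset Azure Monitor supports for ingestion-time transformations.

```kusto
// Before (assumed shape of the current behaviour): every field is written
// into AdditionalExtensions even when the inbound record has no value for it.
source
| extend AdditionalExtensions = strcat(
    "fieldA=", tostring(fieldA), ";",
    "fieldB=", tostring(fieldB), ";",
    "fieldC=", tostring(fieldC))

// After (the fix the issue asks for): a field contributes to
// AdditionalExtensions only when it is non-empty, so records with
// sparse inbound data do not carry dozens of empty "key=;" fragments.
source
| extend AdditionalExtensions = strcat(
    iff(isnotempty(fieldA), strcat("fieldA=", tostring(fieldA), ";"), ""),
    iff(isnotempty(fieldB), strcat("fieldB=", tostring(fieldB), ";"), ""),
    iff(isnotempty(fieldC), strcat("fieldC=", tostring(fieldC)), ""))
```

To verify the effect after deploying a revised transform, compare `avg(strlen(AdditionalExtensions))` in `CommonSecurityLog` over a window before and after the change; the per-record difference multiplied by daily record volume gives the ingest and retention bytes saved.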

Labels: bug