Zscaler DNS¶
About¶
By using sophisticated machine learning techniques, the Zscaler service can detect DNS tunneling occurring in your network. You can create granular rules to control DNS tunnels as part of your DNS Control policy. You can also analyze and visualize your DNS tunnels and network applications. The service logs all detected DNS tunnels and network apps in DNS Insights. You can also view the most commonly encountered tunnels and apps in the DNS Overview dashboard.
Product Details¶
Vendor URL: Zscaler DNS
Product Type: DNS
Product Tier: Tier I
Integration Method: Custom
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: ZSCALER_DNS
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| DNS | metadata.product_name |
| Zscaler | metadata.vendor_name |
| DNS | network.application_protocol |
| event.srv_dip | target.ip |
| event.srv_dport | target.port |
| event.devicehostname | principal.asset.hostname |
| event.clt_sip | principal.ip |
| event.deviceowner | principal.user.userid |
| event.location | principal.location.name |
| event.department | principal.user.department |
| Enumerated DNS questions | dns_questions.type |
| event.dns_req | dns_questions.name |
| event.durationms | dns_answers.ttl |
| event.respipcategory | dns_answers.data |
| ALLOW or BLOCK | security_result.action |
| event.category | security_result.category_details |
| event.reqrulelabel | security_result.rule_name |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| all events | GENERIC_EVENT |
| srv_dport = 53 | NETWORK_DNS |
Log Sample¶
{"sourcetype":"zscalernss-dns","event":{"reqrulelabel":"Default Firewall DNS Rule","dns_req":"subdomain.domain.com","category":"Finance","resrulelabel":"None","clt_sip":"10.0.0.210","srv_dip":"10.1.2.3","respipcategory":"Other","deviceowner":"userid","resaction":"Allow","dns_reqtype":"A","srv_dport":"53","datetime":"Sat Jul 16 00:05:53 2022","user":"userid","department":"Technology%20Services","location":"an office","reqaction":"Allow","dns_resp":"NXDOMAIN","durationms":"34000","devicehostname":"hostname"}}
Sample Parsing¶
metadata.event_type = "NETWORK_DNS"
metadata.vendor_name = "Zscaler"
metadata.product_name = "DNS"
principal.hostname = "hostname"
principal.user.userid = "userid"
principal.user.department = "Technology Services"
principal.ip = "10.0.0.10"
principal.location.name = "an office"
principal.asset.hostname = "hostname"
principal.asset.ip = "10.0.0.10"
target.ip = "10.1.2.3"
target.port = 53
target.asset.ip = "10.1.2.3"
security_result.rule_name = "Default Firewall DNS Rule"
security_result.action = "ALLOW"
network.application_protocol = "DNS"
network.dns.questions.name = "subdomain.domain.com"
network.dns.questions.type = 1
network.dns.answers.ttl = 34000
network.dns.answers.data = "Other"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon