Skip to content

Zscaler DNS

Zscaler DNS

About

By using sophisticated machine learning techniques, the Zscaler service can detect DNS tunneling occurring in your network. You can create granular rules to control DNS tunnels as part of your DNS Control policy. You can also analyze and visualize your DNS tunnels and network applications. The service logs all detected DNS tunnels and network apps in DNS Insights. You can also view the most commonly encountered tunnels and apps in the DNS Overview dashboard.

Product Details

Vendor URL: Zscaler DNS

Product Type: DNS

Product Tier: Tier I

Integration Method: Custom

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON

Expected Normalization Rate: near 100%

Data Label: ZSCALER_DNS

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
DNS metadata.product_name
Zscaler metadata.vendor_name
DNS network.application_protocol
event.srv_dip target.ip
event.srv_dport target.port
event.devicehostname principal.asset.hostname
event.clt_sip principal.ip
event.deviceowner principal.user.userid
event.location principal.location.name
event.department principal.user.department
Enumerated DNS questions dns_questions.type
event.dns_req dns_questions.name
event.durationms dns_answers.ttl
event.respipcategory dns_answers.data
ALLOW or BLOCK security_result.action
event.category security_result.category_details
event.reqrulelabel security_result.rule_name

Product Event Types

Event UDM Event Classification
all events GENERIC_EVENT
srv_dport = 53 NETWORK_DNS

Log Sample

{"sourcetype":"zscalernss-dns","event":{"reqrulelabel":"Default Firewall DNS Rule","dns_req":"subdomain.domain.com","category":"Finance","resrulelabel":"None","clt_sip":"10.0.0.210","srv_dip":"10.1.2.3","respipcategory":"Other","deviceowner":"userid","resaction":"Allow","dns_reqtype":"A","srv_dport":"53","datetime":"Sat Jul 16 00:05:53 2022","user":"userid","department":"Technology%20Services","location":"an office","reqaction":"Allow","dns_resp":"NXDOMAIN","durationms":"34000","devicehostname":"hostname"}}

Sample Parsing

metadata.event_type = "NETWORK_DNS"
metadata.vendor_name = "Zscaler"
metadata.product_name = "DNS"
principal.hostname = "hostname"
principal.user.userid = "userid"
principal.user.department = "Technology Services"
principal.ip = "10.0.0.10"
principal.location.name = "an office"
principal.asset.hostname = "hostname"
principal.asset.ip = "10.0.0.10"
target.ip = "10.1.2.3"
target.port = 53
target.asset.ip = "10.1.2.3"
security_result.rule_name = "Default Firewall DNS Rule"
security_result.action = "ALLOW"
network.application_protocol = "DNS"
network.dns.questions.name = "subdomain.domain.com"
network.dns.questions.type = 1
network.dns.answers.ttl = 34000
network.dns.answers.data = "Other"

Parser Alerting

This product currently does not have any Parser-based Alerting