Zscaler VPN

About

Zscaler Private Access (ZPA) is a cloud-delivered, zero trust network access (ZTNA) service that provides secure access to all private applications, without the need for a remote access VPN. ZPA delivers a zero trust model by using the Zscaler security cloud to deliver scalable remote and local access to enterprise apps while never placing users on the network. ZPA uses micro-encrypted TLS tunnels and cloud-enforced business policies to create a secure segment of one between an authorized user and a specific named application. ZPA's service-initiated architecture, in which the App Connector connects outbound to the ZPA Public Service Edge (formerly Zscaler Enforcement Node), makes both the network and the applications invisible to the internet. This model creates an isolated environment around each application rather than around the network, which removes the opportunity for lateral movement and for ransomware to spread.

Product Details

Vendor URL: Zscaler VPN

Product Type: VPN

Product Tier: Tier III

Integration Method: Custom

Integration URL: Zscaler VPN - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: Syslog and JSON

Expected Normalization Rate: 90-100%

Data Label: ZSCALER_VPN

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field            UDM Field
------------------------  -------------------------------------------
header_intermediary_host  intermediary.hostname
ConnectorIP               intermediary.ip
ConnectorPort             intermediary.port
Policy                    metadata.description
SessionStatus             metadata.event_type
SessionStatus             metadata.product_event_type
IPProtocol                network.ip_protocol
tagCountry                principal.asset.location.country_or_region
PrivateIP                 principal.ip
PublicIP                  principal.ip
CountryCode               principal.location.country_or_region
ServicePort               principal.port
Username                  principal.user.email_addresses
Username                  principal.user.user_display_name
Username                  principal.user.userid
Policy                    security_result.rule_name
Application               target.application
Hostname                  target.hostname
ServerIP                  target.ip
ServerPort                target.port

Product Event Types

Event (SessionStatus)                       UDM Event Classification
------------------------------------------  ------------------------
all others                                  GENERIC_EVENT
APP_NOT_REACHABLE                           NETWORK_CONNECTION
AST_MT_SETUP_TIMEOUT_CANNOT_CONN_TO_SERVER  NETWORK_CONNECTION
BRK_MT_SETUP_FAIL_NO_POLICY_FOUND           NETWORK_CONNECTION
BRK_MT_SETUP_FAIL_REJECTED_BY_POLICY        NETWORK_CONNECTION
BRK_MT_SETUP_FAIL_SAML_EXPIRED              NETWORK_CONNECTION
BRK_MT_TERMINATED                           NETWORK_CONNECTION
INVALID_DOMAIN                              NETWORK_CONNECTION
MT_CLOSED_TLS_CONN_GONE_CLIENT_CLOSED       NETWORK_CONNECTION
NO_CONNECTOR_AVAILABLE                      NETWORK_CONNECTION
ZPN_STATUS_AUTHENTICATED                    USER_LOGIN
ZPN_STATUS_DISCONNECTED                     USER_LOGOUT

Log Sample

Fri Nov 19 15:05:09 2021 User Activity zpa: ,DOMAIN Corporation,redacted,redacted,redacted,BRK_MT_TERMINATED,close,6,0,john.doe@domain.com,50949,10.10.10.72,10.10.0.16,51.000000,-1.000000,US,EU-US,Allow Internal Application Group,America RHEL-1,US-9,10.10.10.51,57682,website.domain.com,Domain Controllers DOMAIN.COM,Internal Application Group,0,10.10.10.6,50949,52,6685,2021-11-19T15:04:58.525Z,2021-11-19T15:05:09.583Z,2021-11-19T15:04:58.525Z,2021-11-19T15:04:58.573Z,,2021-11-19T15:04:58.723Z,2021-11-19T15:04:58.705Z,2021-11-19T15:05:08.986Z,2021-11-19T15:04:58.805Z,2021-11-19T15:04:58.620Z,2021-11-19T15:04:58.705Z,2021-11-19T15:04:58.620Z,2021-11-19T15:04:58.805Z,2021-11-19T15:04:58.723Z,462,248,472,472,472,472,462,462,Zscaler Private Access 2.0 USERS

Sample Parsing

metadata.event_timestamp = "2021-11-19T15:05:09Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Zscaler"
metadata.product_name = "Zscaler Private Access"
metadata.product_event_type = "BRK_MT_TERMINATED"
metadata.description = "Allow Internal Application Group"
metadata.ingested_timestamp = "2021-11-19T15:05:30.727844Z"
principal.user.userid = "john.doe@domain.com"
principal.user.email_addresses = "john.doe@domain.com"
principal.ip = "10.10.10.72"
principal.ip = "10.10.0.16"
principal.port = 50949
principal.location.country_or_region = "US"
target.hostname = "website.domain.com"
target.ip = "10.10.10.6"
target.port = 50949
target.application = "Domain Controllers DOMAIN.COM"
target.asset.ip = "10.10.10.6"
intermediary.ip = "10.10.10.51"
intermediary.port = 57682
security_result.rule_name = "Allow Internal Application Group"
security_result.summary = "Client closed app TLS connection"
security_result.description = "The connection from the a ZPA Private Service Edge to a ZPA Public Service Edge (formerly ZEN) was terminated, resulting in the public Service Edge terminating all application sessions for that Connector."
network.ip_protocol = "TCP"
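The following script is an added example, not the Cyderes parser and not Zscaler code. It ties together the UDM field mapping, the Product Event Types table and the log sample above: it splits the syslog line into its header and comma-separated body, picks the named ZPA fields out by position, and emits the same UDM values shown under Sample Parsing. The field positions in FIELD_POSITIONS are an assumption inferred by lining the sample log up against the sample parsing output; the page does not publish a positional spec, so validate them against your own feed before relying on them. The parser's lookup that produces security_result.summary and security_result.description is not reproduced because the page does not show that table.

```python
import re
from datetime import datetime, timezone

# ZPA user-activity records arrive as a syslog line: a timestamp, the literal
# "User Activity zpa: " and a comma-separated body.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"User Activity zpa: (?P<body>.*)$"
)

# Zero-based positions of the named log fields inside the CSV body.
# ASSUMPTION: inferred by aligning the page's sample log with its sample
# parsing output; not taken from the Cyderes parser or a Zscaler field spec.
FIELD_POSITIONS = {
    "SessionStatus": 5, "IPProtocol": 7, "Username": 9, "ServicePort": 10,
    "PrivateIP": 11, "PublicIP": 12, "CountryCode": 15, "Policy": 17,
    "ConnectorIP": 20, "ConnectorPort": 21, "Hostname": 22, "Application": 23,
    "ServerIP": 26, "ServerPort": 27,
}

# SessionStatus -> UDM event classification, from the Product Event Types table.
EVENT_TYPES = {
    "APP_NOT_REACHABLE": "NETWORK_CONNECTION",
    "AST_MT_SETUP_TIMEOUT_CANNOT_CONN_TO_SERVER": "NETWORK_CONNECTION",
    "BRK_MT_SETUP_FAIL_NO_POLICY_FOUND": "NETWORK_CONNECTION",
    "BRK_MT_SETUP_FAIL_REJECTED_BY_POLICY": "NETWORK_CONNECTION",
    "BRK_MT_SETUP_FAIL_SAML_EXPIRED": "NETWORK_CONNECTION",
    "BRK_MT_TERMINATED": "NETWORK_CONNECTION",
    "INVALID_DOMAIN": "NETWORK_CONNECTION",
    "MT_CLOSED_TLS_CONN_GONE_CLIENT_CLOSED": "NETWORK_CONNECTION",
    "NO_CONNECTOR_AVAILABLE": "NETWORK_CONNECTION",
    "ZPN_STATUS_AUTHENTICATED": "USER_LOGIN",
    "ZPN_STATUS_DISCONNECTED": "USER_LOGOUT",
}

# IANA protocol numbers as carried in the IPProtocol field.
IP_PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP"}

# The page's own sample log line, reused here as the input.
SAMPLE_LOG = (
    "Fri Nov 19 15:05:09 2021 User Activity zpa: ,DOMAIN Corporation,redacted,"
    "redacted,redacted,BRK_MT_TERMINATED,close,6,0,john.doe@domain.com,50949,"
    "10.10.10.72,10.10.0.16,51.000000,-1.000000,US,EU-US,"
    "Allow Internal Application Group,America RHEL-1,US-9,10.10.10.51,57682,"
    "website.domain.com,Domain Controllers DOMAIN.COM,Internal Application Group,"
    "0,10.10.10.6,50949,52,6685,2021-11-19T15:04:58.525Z,2021-11-19T15:05:09.583Z"
)


def classify_event(session_status):
    """Map a SessionStatus to its UDM event_type; 'all others' -> GENERIC_EVENT."""
    return EVENT_TYPES.get(session_status, "GENERIC_EVENT")


def parse_zpa_line(line):
    """Normalize one ZPA syslog line into a nested dict keyed like the UDM fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a ZPA user-activity record")
    # The syslog header carries no zone; the page's sample parsing renders it as UTC.
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    ts = ts.replace(tzinfo=timezone.utc)
    # A plain split is enough for this record; a field that itself contains a
    # comma would require the JSON log format instead.
    cols = m.group("body").split(",")

    def field(name):
        idx = FIELD_POSITIONS[name]
        return cols[idx] if idx < len(cols) else ""

    def port(name):
        value = field(name)
        return int(value) if value.isdigit() else None

    status = field("SessionStatus")
    user = field("Username")
    # PrivateIP and PublicIP both map to principal.ip, so it is a list.
    principal_ips = [ip for ip in (field("PrivateIP"), field("PublicIP")) if ip]
    return {
        "metadata": {
            "event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "event_type": classify_event(status),
            "product_event_type": status,
            "vendor_name": "Zscaler",
            "product_name": "Zscaler Private Access",
            "description": field("Policy"),
        },
        "principal": {
            "user": {"userid": user, "email_addresses": [user], "user_display_name": user},
            "ip": principal_ips,
            "port": port("ServicePort"),
            "location": {"country_or_region": field("CountryCode")},
        },
        "target": {
            "hostname": field("Hostname"),
            "ip": field("ServerIP"),
            "port": port("ServerPort"),
            "application": field("Application"),
        },
        "intermediary": {"ip": field("ConnectorIP"), "port": port("ConnectorPort")},
        "security_result": {"rule_name": field("Policy")},
        "network": {"ip_protocol": IP_PROTOCOLS.get(field("IPProtocol"), field("IPProtocol"))},
    }
```

Running parse_zpa_line(SAMPLE_LOG) yields the values listed under Sample Parsing (event type NETWORK_CONNECTION, both principal IPs, target 10.10.10.6:50949, intermediary 10.10.10.51:57682, TCP). Because the mapping is positional, a Zscaler-side change that adds or reorders a column shifts every later field silently; when the normalization rate drops below the expected 90-100%, comparing a raw line against these positions is the first check to make.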

Parser Alerting

This product currently does not have any parser-based alerting.

Rules

Coming Soon