Zscaler VPN¶
About¶
Zscaler Private Access (ZPA) is a cloud-delivered, zero trust network access (ZTNA) service that provides secure access to all private applications, without the need for a remote access VPN. ZPA delivers a zero trust model by using the Zscaler security cloud to deliver scalable remote and local access to enterprise apps while never placing users on the network. ZPA uses micro-encrypted TLS tunnels and cloud-enforced business policies to create a secure segment of one between an authorized user and a specific named application. ZPA’s unique service-initiated architecture, in which App Connector connects outbound to the ZPA Public Service Edge (formerly Zscaler Enforcement Node) makes both the network and applications invisible to the internet. This model creates an isolated environment around each application rather than the network. This eliminates lateral movement and opportunity for ransomware spreads.
Product Details¶
Vendor URL: Zscaler VPN
Product Type: VPN
Product Tier: Tier III
Integration Method: Custom
Integration URL: Zscaler VPN - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: Syslog and JSON
Expected Normalization Rate: 90-100%
Data Label: ZSCALER_VPN
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| header_intermediary_host | intermediary.hostname |
| ConnectorIP | intermediary.ip |
| ConnectorPort | intermediary.port |
| Policy | metadata.description |
| SessionStatus | metadata.event_type |
| SessionStatus | metadata.product_event_type |
| IPProtocol | network.ip_protocol |
| tagCountry | principal.asset.location.country_or_region |
| PrivateIP | principal.ip |
| PublicIP | principal.ip |
| CountryCode | principal.location.country_or_region |
| ServicePort | principal.port |
| Username | principal.user.email_addresses |
| Username | principal.user.user_display_name |
| Username | principal.user.userid |
| Policy | security_result.rule_name |
| Application | target.application |
| Hostname | target.hostname |
| ServerIP | target.ip |
| ServerPort | target.port |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| all others | GENERIC_EVENT |
| APP_NOT_REACHABLE | NETWORK_CONNECTION |
| AST_MT_SETUP_TIMEOUT_CANNOT_CONN_TO_SERVER | NETWORK_CONNECTION |
| BRK_MT_SETUP_FAIL_NO_POLICY_FOUND | NETWORK_CONNECTION |
| BRK_MT_SETUP_FAIL_REJECTED_BY_POLICY | NETWORK_CONNECTION |
| BRK_MT_SETUP_FAIL_SAML_EXPIRED | NETWORK_CONNECTION |
| BRK_MT_TERMINATED | NETWORK_CONNECTION |
| INVALID_DOMAIN | NETWORK_CONNECTION |
| MT_CLOSED_TLS_CONN_GONE_CLIENT_CLOSED | NETWORK_CONNECTION |
| NO_CONNECTOR_AVAILABLE | NETWORK_CONNECTION |
| ZPN_STATUS_AUTHENTICATED | USER_LOGIN |
| ZPN_STATUS_DISCONNECTED | USER_LOGOUT |
Log Sample¶
Fri Nov 19 15:05:09 2021 User Activity zpa: ,DOMAIN Corporation,redacted,redacted,redacted,BRK_MT_TERMINATED,close,6,0,john.doe@domain.com,50949,10.10.10.72,10.10.0.16,51.000000,-1.000000,US,EU-US,Allow Internal Application Group,America RHEL-1,US-9,10.10.10.51,57682,website.domain.com,Domain Controllers DOMAIN.COM,Internal Application Group,0,10.10.10.6,50949,52,6685,2021-11-19T15:04:58.525Z,2021-11-19T15:05:09.583Z,2021-11-19T15:04:58.525Z,2021-11-19T15:04:58.573Z,,2021-11-19T15:04:58.723Z,2021-11-19T15:04:58.705Z,2021-11-19T15:05:08.986Z,2021-11-19T15:04:58.805Z,2021-11-19T15:04:58.620Z,2021-11-19T15:04:58.705Z,2021-11-19T15:04:58.620Z,2021-11-19T15:04:58.805Z,2021-11-19T15:04:58.723Z,462,248,472,472,472,472,462,462,Zscaler Private Access 2.0 USERS
Sample Parsing¶
metadata.event_timestamp = "2021-11-19T15:05:09Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Zscaler"
metadata.product_name = "Zscaler Private Access"
metadata.product_event_type = "BRK_MT_TERMINATED"
metadata.description = "Allow Internal Application Group"
metadata.ingested_timestamp = "2021-11-19T15:05:30.727844Z"
principal.user.userid = "john.doe@domain.com"
principal.user.email_addresses = "john.doe@domain.com"
principal.ip = "10.10.10.72"
principal.ip = "10.10.0.16"
principal.port = 50949
principal.location.country_or_region = "US"
target.hostname = "website.domain.com"
target.ip = "10.10.10.6"
target.port = 50949
target.application = "Domain Controllers DOMAIN.COM"
target.asset.ip = "10.10.10.6"
intermediary.ip = "10.10.10.51"
intermediary.port = 57682
security_result.rule_name = "Allow Internal Application Group"
security_result.summary = "Client closed app TLS connection"
security_result.description = "The connection from the a ZPA Private Service Edge to a ZPA Public Service Edge (formerly ZEN) was terminated, resulting in the public Service Edge terminating all application sessions for that Connector."
network.ip_protocol = "TCP"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon