Zscaler VPN
About
Zscaler Private Access (ZPA) is a cloud-delivered, zero trust network access (ZTNA) service that provides secure access to all private applications, without the need for a remote access VPN. ZPA delivers a zero trust model by using the Zscaler security cloud to deliver scalable remote and local access to enterprise apps while never placing users on the network. ZPA uses micro-encrypted TLS tunnels and cloud-enforced business policies to create a secure segment of one between an authorized user and a specific named application. ZPA's service-initiated architecture, in which the App Connector connects outbound to the ZPA Public Service Edge (formerly Zscaler Enforcement Node), makes both the network and the applications invisible to the internet. This model creates an isolated environment around each application rather than around the network, which eliminates lateral movement and the opportunity for ransomware to spread.
Product Details
Vendor URL: Zscaler VPN
Product Type: VPN
Product Tier: Tier III
Integration Method: Custom
Integration URL: Zscaler VPN – Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details
Log Format: Syslog and JSON
Expected Normalization Rate: 90 – 100 %
Data Label: ZSCALER_VPN
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
header_intermediary_host | intermediary.hostname |
connectorip | intermediary.ip |
ConnectorPort | intermediary.port |
policy | metadata.description |
SessionStatus | metadata.event_type |
SessionStatus | metadata.product_event_type |
IPProtocol | network.ip_protocol |
tagcountry | principal.asset.location.country_or_region |
PrivateIP | principal.ip |
PublicIP | principal.ip |
CountryCode | principal.location.country_or_region |
ServicePort | principal.port |
Username | principal.user.email_addresses |
Username | principal.user.user_display_name |
Username | principal.user.userid |
policy | security_result.rule_name |
application | target.application |
Hostname | target.hostname |
serverip | target.ip |
ServerPort | target.port |
Product Event Types
Event | UDM Event Classification |
---|---|
all others | GENERIC_EVENT |
app_not_reachable | NETWORK_CONNECTION |
AST_MT_SETUP_TIMEOUT_CANNOT_CONN_TO_SERVER | NETWORK_CONNECTION |
BRK_MT_SETUP_FAIL_NO_POLICY_FOUND | NETWORK_CONNECTION |
BRK_MT_SETUP_FAIL_REJECTED_BY_POLICY | NETWORK_CONNECTION |
BRK_MT_SETUP_FAIL_SAML_EXPIRED | NETWORK_CONNECTION |
BRK_MT_TERMINATED | NETWORK_CONNECTION |
INVALID_DOMAIN | NETWORK_CONNECTION |
MT_CLOSED_TLS_CONN_GONE_CLIENT_CLOSED | NETWORK_CONNECTION |
NO_CONNECTOR_AVAILABLE | NETWORK_CONNECTION |
ZPN_STATUS_AUTHENTICATED | USER_LOGIN |
ZPN_STATUS_DISCONNECTED | USER_LOGOUT |
Log Sample
Fri Nov 19 15:05:09 2021 User Activity zpa: ,DOMAIN Corporation,redacted,redacted,redacted,BRK_MT_TERMINATED,close,6,0,john.doe@domain.com,50949,10.10.10.72,10.10.0.16,51.000000,-1.000000,US,EU-US,Allow Internal application Group,America RHEL-1,US-9,10.10.10.51,57682,website.domain.com,Domain Controllers DOMAIN.COM,Internal application Group,0,10.10.10.6,50949,52,6685,2021-11-19T15:04:58.525Z,2021-11-19T15:05:09.583Z,2021-11-19T15:04:58.525Z,2021-11-19T15:04:58.573Z,,2021-11-19T15:04:58.723Z,2021-11-19T15:04:58.705Z,2021-11-19T15:05:08.986Z,2021-11-19T15:04:58.805Z,2021-11-19T15:04:58.620Z,2021-11-19T15:04:58.705Z,2021-11-19T15:04:58.620Z,2021-11-19T15:04:58.805Z,2021-11-19T15:04:58.723Z,462,248,472,472,472,472,462,462,Zscaler Private Access 2.0 USERS
Sample Parsing
metadata.event_timestamp = "2021-11-19T15:05:09Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Zscaler"
metadata.product_name = "Zscaler Private Access"
metadata.product_event_type = "BRK_MT_TERMINATED"
metadata.description = "Allow Internal application Group"
metadata.ingested_timestamp = "2021-11-19T15:05:30.727844Z"
principal.user.userid = "john.doe@domain.com"
principal.user.email_addresses = "john.doe@domain.com"
principal.ip = "10.10.10.72"
principal.ip = "10.10.0.16"
principal.port = 50949
principal.location.country_or_region = "US"
target.hostname = "website.domain.com"
target.ip = "10.10.10.6"
target.port = 50949
target.application = "Domain Controllers DOMAIN.COM"
target.asset.ip = "10.10.10.6"
intermediary.ip = "10.10.10.51"
intermediary.port = 57682
security_result.rule_name = "Allow Internal application Group"
security_result.summary = "Client closed app TLS connection"
security_result.description = "The connection from the a ZPA Private Service Edge to a ZPA Public Service Edge (formerly ZEN) was terminated, resulting in the public Service Edge terminating all application sessions for that Connector."
network.ip_protocol = "TCP"
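The following is an added example, not the Cyderes parser or any Zscaler code: it applies the UDM field table and the Product Event Types table above to the page's own log sample, so an analyst can check what a normalized event should look like before it reaches the SIEM. The syslog prefix shape, the column positions inside the comma-separated body, the labelling of column 11 as PublicIP and column 12 as PrivateIP, and the reading of IPProtocol 6 as TCP are all assumptions inferred from the Log Sample and Sample Parsing sections rather than stated on the page. intermediary.hostname is omitted because the sample's header carries no host.

```python
"""Added example (not the Cyderes or Zscaler parser): map one ZPA
'User Activity' syslog line onto the UDM fields documented on this page."""
import re
from datetime import datetime, timezone

# Syslog-style prefix seen in the page's sample (assumption: header shape).
_HEADER = re.compile(
    r"^(?P<ts>\w{3} \w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"User Activity zpa: (?P<body>.*)$"
)

# Column index -> log file field name. Assumption: positions inferred by
# lining the page's Log Sample up against its Sample Parsing output.
_COLUMNS = {
    5: "SessionStatus", 7: "IPProtocol", 9: "Username", 10: "ServicePort",
    11: "PublicIP", 12: "PrivateIP", 15: "CountryCode", 17: "policy",
    20: "connectorip", 21: "ConnectorPort", 22: "Hostname", 23: "application",
    26: "serverip", 27: "ServerPort",
}

# Product Event Types table from the page; anything else is GENERIC_EVENT.
_EVENT_TYPES = {
    "app_not_reachable": "NETWORK_CONNECTION",
    "AST_MT_SETUP_TIMEOUT_CANNOT_CONN_TO_SERVER": "NETWORK_CONNECTION",
    "BRK_MT_SETUP_FAIL_NO_POLICY_FOUND": "NETWORK_CONNECTION",
    "BRK_MT_SETUP_FAIL_REJECTED_BY_POLICY": "NETWORK_CONNECTION",
    "BRK_MT_SETUP_FAIL_SAML_EXPIRED": "NETWORK_CONNECTION",
    "BRK_MT_TERMINATED": "NETWORK_CONNECTION",
    "INVALID_DOMAIN": "NETWORK_CONNECTION",
    "MT_CLOSED_TLS_CONN_GONE_CLIENT_CLOSED": "NETWORK_CONNECTION",
    "NO_CONNECTOR_AVAILABLE": "NETWORK_CONNECTION",
    "ZPN_STATUS_AUTHENTICATED": "USER_LOGIN",
    "ZPN_STATUS_DISCONNECTED": "USER_LOGOUT",
}

# Assumption: IPProtocol carries the IANA protocol number.
_IP_PROTOCOLS = {"6": "TCP", "17": "UDP"}

# The page's redacted log sample, embedded so the example runs offline.
SAMPLE_LINE = (
    "Fri Nov 19 15:05:09 2021 User Activity zpa: ,DOMAIN Corporation,redacted,"
    "redacted,redacted,BRK_MT_TERMINATED,close,6,0,john.doe@domain.com,50949,"
    "10.10.10.72,10.10.0.16,51.000000,-1.000000,US,EU-US,"
    "Allow Internal application Group,America RHEL-1,US-9,10.10.10.51,57682,"
    "website.domain.com,Domain Controllers DOMAIN.COM,Internal application Group,"
    "0,10.10.10.6,50949,52,6685,2021-11-19T15:04:58.525Z,2021-11-19T15:05:09.583Z,"
    "462,248,472,472,472,472,462,462,Zscaler Private Access 2.0 USERS"
)


def classify_event(session_status: str) -> str:
    """UDM event classification per the Product Event Types table."""
    return _EVENT_TYPES.get(session_status, "GENERIC_EVENT")


def _to_int(value):
    return int(value) if value and value.isdigit() else None


def parse_zpa_user_activity(line: str) -> dict:
    """Return a flat dict of UDM field path -> value for one log line."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a ZPA User Activity syslog line")
    # Plain split is adequate here: ZPA fields in the sample contain no commas.
    fields = m.group("body").split(",")
    raw = {name: fields[i] for i, name in _COLUMNS.items() if i < len(fields)}
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    ts = ts.replace(tzinfo=timezone.utc)
    status = raw.get("SessionStatus", "")
    policy = raw.get("policy")
    user = raw.get("Username")
    udm = {
        "metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "metadata.event_type": classify_event(status),
        "metadata.product_event_type": status,
        "metadata.vendor_name": "Zscaler",
        "metadata.product_name": "Zscaler Private Access",
        "metadata.description": policy,
        "security_result.rule_name": policy,
        "network.ip_protocol": _IP_PROTOCOLS.get(raw.get("IPProtocol")),
        "principal.user.userid": user,
        "principal.user.email_addresses": user,
        "principal.user.user_display_name": user,
        # Both client addresses land in principal.ip, as in the Sample Parsing.
        "principal.ip": [ip for ip in (raw.get("PublicIP"), raw.get("PrivateIP")) if ip],
        "principal.port": _to_int(raw.get("ServicePort")),
        "principal.location.country_or_region": raw.get("CountryCode"),
        "target.hostname": raw.get("Hostname"),
        "target.ip": raw.get("serverip"),
        "target.port": _to_int(raw.get("ServerPort")),
        "target.application": raw.get("application"),
        "intermediary.ip": raw.get("connectorip"),
        "intermediary.port": _to_int(raw.get("ConnectorPort")),
    }
    # Drop empty values so the output mirrors what the parser would emit.
    return {k: v for k, v in udm.items() if v not in (None, "", [])}


if __name__ == "__main__":
    for key, value in parse_zpa_user_activity(SAMPLE_LINE).items():
        print(f"{key} = {value!r}")
```

Run the file directly to print the mapping for the sample line; the output should agree field-for-field with the Sample Parsing section. A quick way to verify the parser on a new tenant is to feed it a handful of real lines and confirm that the share of events classified as GENERIC_EVENT stays within the 90 – 100 % normalization rate expected above; a sudden rise in GENERIC_EVENT usually means Zscaler has added a SessionStatus value that the table does not yet cover.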
Parser Alerting
This product currently does not have any parser-based alerting rules.
Coming soon.