Zscaler is a cloud-based security platform that protects users from online threats. The platform uses a multi-tenant architecture to deliver security as a service. NetWitness now integrates with Zscaler ZIA and Zscaler ZPA to collect, parse and alert on real-time logs. This integration is supported on NetWitness 11.5 and later.
Zscaler Internet Access (ZIA)
Zscaler Internet Access (ZIA) is a cloud-native security service edge (SSE) solution that builds on a decade of secure web gateway leadership. It replaces legacy network security products to stop advanced attacks and prevent data loss with a zero trust approach. ZIA sits between your users and the internet and inspects all traffic inline with multiple security techniques, including traffic inside SSL/TLS sessions. NetWitness receives ZIA logs through Zscaler's Nanolog Streaming Service (NSS), which streams the logs from the Zscaler cloud to the NetWitness log collector.
Various log types supported are:
An example ZIA tunnel log, as delivered by the NSS JSON feed, is given below:
ZSCALERZIA: { "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Tue Jan 17 17:59:14 2023","Recordtype":"Tunnel Event","tunneltype":"IPSec IKEv1","user":"ipsec@dev-abc.com","location":"Ipsec","sourceip":"10.10.10.10","destinationip":"20.20.20.20","sourceport":"4500","event":"IPsec tunnel is down","eventreason":"Lifetime Expired","recordid":"1234567890123456789"}}
The above log is collected and parsed at NetWitness using the zscalerzia log parser. Note that the NSS record wraps the actual event in a sourcetype/event envelope; the sourcetype value (here zscalernss-tunnel) identifies which NSS feed the record came from.
Zscaler Private Access (ZPA)
Zscaler Private Access (ZPA) enables organizations to provide access to internal applications and services while protecting their networks. ZPA is an easier-to-deploy, more cost-effective, and more secure alternative to VPNs. Unlike VPNs, which require users to connect to your network to reach your enterprise applications, ZPA gives users policy-based secure access only to the internal apps they need to do their work. With ZPA, application access does not require network access. NetWitness receives ZPA logs through Zscaler's Log Streaming Service (LSS).
NetWitness collects the following ZPA log types:
An example ZPA User Status log is given below:
ZSCALERZPA: {"LogTimestamp": "2023-01-20T09:55:50.464Z","Customer": " ABCGroup","Username": "someone@ABCgroup.info","SessionID": "ABC+DEFghijkl9Ts95np","SessionStatus": "ZPN_STATUS_AUTHENTICATED","PrivateIP": "10.10.10.10","PublicIP": "1.2.3.4","CountryCode": "","TimestampAuthentication": "2023-01-20T06:23:49.994Z","TimestampUnAuthentication": "","Idp": "ABC PingFed User","Hostname": "Unknown_Host","Platform": "windows","ClientType": "zpn_client_type_zapp","TrustedNetworks": ["72077116811772498"],"PosturesHit": ["72077116811771943","72077116811771945","72077116811772006","72077116811772007","72077116811772008","72077116811772087","72077116811772088","72077116811772118","72077116811772476","72077116811772992"],"PosturesMiss": ["72077116811771950","72077116811772109","72077116811772456","72077116811772607","72077116811772714","72077116811772954","72077116811772956"],"FQDNRegisteredError": "FQDNMATCH"}
The above log is collected and parsed at NetWitness using the zscalerzpa log parser. Unlike the ZIA record, the ZPA record is a flat JSON object with no sourcetype envelope. PosturesHit and PosturesMiss list the IDs of the posture profiles the client passed and failed; together with SessionStatus and TrustedNetworks they are the fields most useful for alerting on access from non-compliant or off-network devices.
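To make the two record layouts concrete, here is an added Python example (not NetWitness or Zscaler code) that parses both the ZIA tunnel line and the ZPA User Status line shown above, normalizes them into one event shape, and applies simple detection rules: a tunnel-down event on the ZIA side, and missed posture checks, an unauthenticated session, or an empty TrustedNetworks list on the ZPA side. The sample lines are constructed from the page's examples with shortened lists; the ZSCALERZIA/ZSCALERZPA header tokens, the inference of the ZPA log type from the SessionStatus field, and the alert names are assumptions made for this example. A truncated line is included to show that malformed records are reported rather than silently dropped.

```python
import json
import re
from dataclasses import dataclass, field

# Constructed sample lines, modelled on the two example records on this page
# (posture ID lists trimmed). The third line is deliberately truncated.
SAMPLE_LINES = [
    'ZSCALERZIA: { "sourcetype" : "zscalernss-tunnel", "event" : '
    '{"datetime":"Tue Jan 17 17:59:14 2023","Recordtype":"Tunnel Event",'
    '"tunneltype":"IPSec IKEv1","user":"ipsec@dev-abc.com","location":"Ipsec",'
    '"sourceip":"10.10.10.10","destinationip":"20.20.20.20","sourceport":"4500",'
    '"event":"IPsec tunnel is down","eventreason":"Lifetime Expired",'
    '"recordid":"1234567890123456789"}}',
    'ZSCALERZPA: {"LogTimestamp": "2023-01-20T09:55:50.464Z","Customer": " ABCGroup",'
    '"Username": "someone@ABCgroup.info","SessionID": "ABC+DEFghijkl9Ts95np",'
    '"SessionStatus": "ZPN_STATUS_AUTHENTICATED","PrivateIP": "10.10.10.10",'
    '"PublicIP": "1.2.3.4","Idp": "ABC PingFed User","Hostname": "Unknown_Host",'
    '"Platform": "windows","ClientType": "zpn_client_type_zapp",'
    '"TrustedNetworks": ["72077116811772498"],'
    '"PosturesHit": ["72077116811771943","72077116811771945"],'
    '"PosturesMiss": ["72077116811771950","72077116811772109","72077116811772456"],'
    '"FQDNRegisteredError": "FQDNMATCH"}',
    'ZSCALERZIA: { "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Tue',
]

# Assumption: the header token before the JSON payload identifies the product.
PREFIX_RE = re.compile(r"^(ZSCALERZIA|ZSCALERZPA):\s*(.*)$")


@dataclass
class ZscalerEvent:
    product: str        # "ZIA" or "ZPA"
    log_type: str       # ZIA sourcetype, or an inferred ZPA log type
    timestamp: str
    user: str
    fields: dict        # the raw record, for downstream enrichment
    alerts: list = field(default_factory=list)


def _parse_zia(payload):
    # NSS JSON feeds wrap the record as {"sourcetype": ..., "event": {...}}.
    inner = payload.get("event")
    if not isinstance(inner, dict):
        raise ValueError("ZIA record lacks an 'event' object")
    ev = ZscalerEvent("ZIA", payload.get("sourcetype", "unknown"),
                      inner.get("datetime", ""), inner.get("user", ""), inner)
    # Tunnel feed: the free-text 'event' says whether the tunnel came up or went down.
    if ev.log_type == "zscalernss-tunnel" and "down" in inner.get("event", "").lower():
        ev.alerts.append(
            f"tunnel_down:{inner.get('location', '?')}:{inner.get('eventreason', '?')}")
    return ev


def _parse_zpa(payload):
    # LSS User Status records are flat JSON with no feed name inside them;
    # assumption for this example: SessionStatus present => user-status record.
    log_type = "user-status" if "SessionStatus" in payload else "unknown"
    ev = ZscalerEvent("ZPA", log_type, payload.get("LogTimestamp", ""),
                      payload.get("Username", ""), payload)
    if log_type == "user-status":
        missed = payload.get("PosturesMiss") or []
        if missed:                       # client failed one or more posture profiles
            ev.alerts.append(f"posture_miss:{len(missed)}")
        if payload.get("SessionStatus") != "ZPN_STATUS_AUTHENTICATED":
            ev.alerts.append(f"session_state:{payload.get('SessionStatus', '?')}")
        if not payload.get("TrustedNetworks"):   # client not on any trusted network
            ev.alerts.append("off_trusted_network")
    return ev


def parse_line(line):
    """Parse one collected line into a ZscalerEvent; raise ValueError if it is not one."""
    m = PREFIX_RE.match(line)
    if not m:
        raise ValueError("line does not carry a ZSCALERZIA/ZSCALERZPA payload")
    product = m.group(1)[-3:]
    try:
        payload = json.loads(m.group(2))
    except json.JSONDecodeError as exc:
        raise ValueError(f"malformed JSON payload: {exc.msg}") from exc
    return _parse_zia(payload) if product == "ZIA" else _parse_zpa(payload)


def triage(lines):
    """Parse a batch; return (events, rejected) so bad lines never vanish silently."""
    events, rejected = [], []
    for line in lines:
        try:
            events.append(parse_line(line))
        except ValueError as exc:
            rejected.append((line[:60], str(exc)))
    return events, rejected


if __name__ == "__main__":
    events, rejected = triage(SAMPLE_LINES)
    for ev in events:
        print(ev.product, ev.log_type, ev.user, ev.alerts)
    for head, why in rejected:
        print("REJECTED:", why, "|", head)
```

Keeping the raw record in `fields` matters in practice: the alert strings carry only the decision, while an analyst will want the PosturesMiss IDs, the session ID, or the tunnel's source and destination IPs to pivot on.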
Additional Resources
Zscaler ZIA Event Source Log Configuration Guide - NetWitness Community - 695832
Zscaler ZPA Event Source Log Configuration Guide - NetWitness Community - 695831
https://help.zscaler.com/zia/understanding-nanolog-streaming-service
https://help.zscaler.com/zpa/about-log-streaming-service