Connect this data source on your own, using the Hunters platform.
TL;DR
| Data Types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Zscaler Deception Logs | ✅ | ✅ | ✅ | zscaler_deception_logs | nested-json-json | S3 |
Overview
Zscaler (NASDAQ: ZS) is an American cloud-based cybersecurity company, founded in 2007 and headquartered in San Jose, California, that provides "zero trust" security services. Its cloud-native platform, the Zscaler Zero Trust Exchange, acts as a secure switchboard, routing user traffic through a global network of over 150 data centers to protect data and applications without relying on traditional on-premises firewalls or VPNs. Key products include Zscaler Internet Access (ZIA) for secure browsing and Zscaler Private Access (ZPA) for secure application access. Zscaler states that it serves over 40% of the Forbes Global 2000 by securely connecting users, devices, and applications in any location.
Supported data types
Zscaler Deception Logs
Overview:
The Zscaler Deception logs integration forwards high-fidelity decoy-interaction events in real time to SIEM, SOAR, and analytics platforms, giving visibility into post-compromise activity such as lateral movement and credential theft. Because decoys have no legitimate business use, any interaction with one is a strong signal. Using Syslog or API-based connectors, organizations can feed these events into security workflows, enabling automatic isolation of attackers and faster incident response within a Zero Trust architecture. The integration supports filtering, forwarding to specific consoles, and centralized monitoring of decoy interactions, turning reconnaissance attempts into actionable intelligence.
Table name: zscaler_deception_logs
Send data to Hunters
Hunters supports the ingestion of Zscaler Deception Logs via an intermediary AWS S3 bucket.
To connect Zscaler Deception Logs:
Export your logs from Zscaler Deception to an AWS S3 bucket.
Once the export is complete and the logs are being collected in S3, follow the steps in this section.
Expected format
Logs are expected in nested-json-json: each record is a JSON object with a top-level `time` (epoch milliseconds) and `log_source`, and an `event` object whose fields are keyed by dotted paths (for example `decoy.ad.ou`, `credtheft.subject_user_sid`):

```json
{"time":1700000000000,"log_source":"event","event":{"attacker.id":"account-id-1","attacker.name":"service-account-1","credtheft.access_list":"%v84","credtheft.access_mask":"0x10","credtheft.event_id":"1234","credtheft.handle_id":"0x0","credtheft.object_name":"object-guid-1","credtheft.object_server":"DS","credtheft.object_type":"user","credtheft.operation_type":"Object Access","credtheft.properties":["line1","line2"],"credtheft.subject_domain_name":"domain1","credtheft.subject_logon_id":"0x14B1C1593","credtheft.subject_user_name":"service-account-1","credtheft.subject_user_sid":"S-1-5-21-0000000000-0000000000-0000000000-1001","credtheft.system_time":"2020-01-15T10:00:00.000Z","credtheft.trigger_properties":["Service-Principal-Name","Admin-Count"],"decoy.ad.asrep_roastable":true,"decoy.ad.can_password_expire":false,"decoy.ad.ou":"ou-value","decoy.ad.profile_path":"\\\\fileserver\\share","decoy.appliance.id":"appliance-id-1","decoy.appliance.name":"APPLIANCE-1","decoy.client.id":"client-id-1","decoy.client.name":"client-name-1","decoy.group":"Active Directory","decoy.id":"decoy-id-1","decoy.name":"decoy-name-1","decoy.type":"credtheft","kill_chain_phase":"Privilege Escalation","sub_type":"honeypot-buster","timestamp":"2020-01-15T10:00:37Z","type":"credtheft","attacker.threat_parse_ids":["credtheft_honeypotbuster"],"attacker.score":100,"mitre_ids":["T1087.002"],"severity":"high","score":100,"threat_parse_ids":["credtheft_honeypotbuster"],"is_itdr":false,"whitelisted":false,"id":"2020-01-15T10:00:37Z-v3-00000000-0000-0000-0000-000000000001"}}
```
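The following is an added example, not code from Hunters or Zscaler, showing how a practitioner might parse records in this shape before they reach a SIEM: it expands the dotted `event` keys into nested objects, converts the epoch-millisecond `time` envelope field to a UTC datetime (distinct from the ISO-8601 `timestamp` inside the event), and applies a simple triage rule that drops whitelisted events and keeps only high-severity decoy interactions. The two sample lines are constructed for this example; the second one (a whitelisted, low-severity event with an invented `sub_type`) is a hypothetical record used only to show suppression. The severity threshold is an assumption, not a Zscaler or Hunters default.

```python
import json
from datetime import datetime, timezone

# Constructed sample records in the nested-json-json shape documented above.
# These are not real Zscaler Deception events.
SAMPLE_LINES = [
    json.dumps({"time": 1700000000000, "log_source": "event", "event": {
        "attacker.id": "account-id-1", "attacker.name": "service-account-1",
        "decoy.id": "decoy-id-1", "decoy.name": "decoy-name-1",
        "decoy.type": "credtheft", "decoy.group": "Active Directory",
        "decoy.ad.asrep_roastable": True,
        "credtheft.subject_user_name": "service-account-1",
        "credtheft.subject_user_sid": "S-1-5-21-0000000000-0000000000-0000000000-1001",
        "credtheft.trigger_properties": ["Service-Principal-Name", "Admin-Count"],
        "kill_chain_phase": "Privilege Escalation", "type": "credtheft",
        "sub_type": "honeypot-buster", "timestamp": "2020-01-15T10:00:37Z",
        "mitre_ids": ["T1087.002"], "severity": "high", "score": 100,
        "is_itdr": False, "whitelisted": False,
        "id": "2020-01-15T10:00:37Z-v3-00000000-0000-0000-0000-000000000001"}}),
    # Hypothetical whitelisted, low-severity event that the triage rule should drop.
    json.dumps({"time": 1700000060000, "log_source": "event", "event": {
        "attacker.id": "account-id-2", "attacker.name": "scanner-1",
        "decoy.id": "decoy-id-2", "decoy.name": "decoy-name-2",
        "decoy.type": "network", "kill_chain_phase": "Discovery",
        "type": "network", "sub_type": "port-scan",
        "timestamp": "2020-01-15T10:01:37Z", "mitre_ids": ["T1046"],
        "severity": "low", "score": 20, "is_itdr": False, "whitelisted": True,
        "id": "2020-01-15T10:01:37Z-v3-00000000-0000-0000-0000-000000000002"}}),
]

# Assumed threshold: only these severities become alerts.
ALERT_SEVERITIES = {"high", "critical"}


def unflatten(flat):
    """Expand dotted keys ("decoy.ad.ou") into nested dicts.

    Raises ValueError if a key is both a leaf and a prefix (e.g. "a" and "a.b"),
    which would otherwise be silently overwritten.
    """
    nested = {}
    for key, value in flat.items():
        parts = key.split(".")
        node = nested
        for part in parts[:-1]:
            child = node.setdefault(part, {})
            if not isinstance(child, dict):
                raise ValueError(f"key conflict at {key!r}: {part!r} is already a leaf")
            node = child
        if isinstance(node.get(parts[-1]), dict):
            raise ValueError(f"key conflict at {key!r}: already an object")
        node[parts[-1]] = value
    return nested


def parse_line(line):
    """Parse one envelope line; envelope `time` is epoch ms, event `timestamp` is ISO-8601."""
    envelope = json.loads(line)
    return {
        "ingest_time": datetime.fromtimestamp(envelope["time"] / 1000, tz=timezone.utc),
        "log_source": envelope.get("log_source"),
        "event": unflatten(envelope["event"]),
    }


def triage(record):
    """Return an alert summary for actionable decoy interactions, else None."""
    ev = record["event"]
    if ev.get("whitelisted") or ev.get("severity") not in ALERT_SEVERITIES:
        return None
    attacker = ev.get("attacker", {})
    decoy = ev.get("decoy", {})
    credtheft = ev.get("credtheft", {})
    return {
        "event_id": ev["id"],
        "observed_at": ev.get("timestamp"),
        "ingested_at": record["ingest_time"].isoformat(),
        "attacker": attacker.get("name"),
        "attacker_sid": credtheft.get("subject_user_sid"),
        "decoy": decoy.get("name"),
        "decoy_type": decoy.get("type"),
        "kill_chain_phase": ev.get("kill_chain_phase"),
        "mitre_ids": list(ev.get("mitre_ids", [])),
        "score": ev.get("score"),
    }


def process_lines(lines):
    """Parse and triage a batch of lines, returning only the alerts."""
    alerts = []
    for line in lines:
        alert = triage(parse_line(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in process_lines(SAMPLE_LINES):
        print(json.dumps(alert, indent=2))
```

Keeping the envelope `time` separate from the event `timestamp` matters for detection: the former tells you when the log was produced and the latter when the decoy was touched, and a large gap between them is itself worth investigating.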