Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
ZPA Audit Logs | | | | ✅ | zscaler_zpa_audit | NDJSON | S3 |
ZPA Browser Access Logs | | ✅ | | ✅ | zscaler_zpa_browser_access | NDJSON | S3 |
ZPA User Activity Logs | | ✅ | | ✅ | zscaler_zpa_user_activity | NDJSON | S3 |
ZPA User Status Logs | | | | ✅ | zscaler_zpa_user_status | NDJSON | S3 |
Overview
Zscaler Private Access (ZPA) is a cloud-native zero trust network access (ZTNA) solution that securely connects users to private applications without exposing them to the internet. Unlike traditional VPNs, ZPA provides seamless, least-privileged access based on identity and context, ensuring that users can only reach authorized applications. It eliminates network attack surfaces by keeping applications invisible to unauthorized users, reducing the risk of lateral movement and cyber threats. With its cloud-delivered model, ZPA offers scalable, secure remote access to applications hosted in data centers or cloud environments.
Supported data types
ZPA Audit Logs
Table name: zscaler_zpa_audit
Zscaler Private Access (ZPA) Audit logs provide detailed records of user access and administrative activities within the Zscaler Zero Trust Network Access (ZTNA) solution. These logs capture information such as user login/logout events, application access requests, policy enforcement actions, and configuration changes.
ZPA Browser Access Logs
Table name: zscaler_zpa_browser_access
Zscaler Private Access (ZPA) Browser Access logs provide detailed records of user interactions and activities within browser-based applications accessed through the ZPA solution. These logs capture information such as user login/logout events, application access requests, session metadata, and any security-related events or alerts.
ZPA User Activity Logs
Table name: zscaler_zpa_user_activity
Zscaler Private Access (ZPA) User Activity logs provide detailed records of user interactions and activities within the ZPA solution. These logs capture information such as user login/logout events, application access requests, session metadata, and any security-related events or alerts.
ZPA User Status Logs
Table name: zscaler_zpa_user_status
Zscaler Private Access (ZPA) User Status logs provide detailed records of user status and activity within the ZPA solution. These logs capture information such as user login/logout events, session establishment and termination events, user authentication status, and any errors or warnings encountered during user interactions with the ZPA platform.
Send data to Hunters
Zscaler logs should be exported to an S3 bucket and ingested into Hunters from there. This requires the following steps:
- Direct logs to an on-premises syslog server, such as Fluentd
- Direct logs from the on-premises syslog server to an AWS S3 bucket
- Connect the S3 bucket to Hunters
When ingesting multiple Zscaler data types, separate them during the log export phase on the vendor side so that each data type is written under its own prefix.
To connect Zscaler Private Access logs:
- Follow this guide to set up the Zscaler Log Streaming Service to export logs to an on-premises syslog server, such as Fluentd.
- Export logs from your syslog server to an AWS S3 bucket. See this guide for more information.
- Once the export is complete and the logs are collected in S3, follow the steps in this section.
Expected format
The expected log format is NDJSON, as exported by Zscaler. Logging the full schema is recommended, but any subset of the fields can be shared and ingested.
ZPA Audit Sample
```json
{"ModifiedTime":"","CreationTime":"2022-12-14T02:02:21.000Z","ModifiedBy":216194546549169892,"RequestID":"8f543913-9dbd-4e9c-98da-ef18c9b3f9e6","SessionID":"qb9inclt65v0phq27km7154u","AuditOldValue":"","AuditNewValue":"","AuditOperationType":"Session Time Out","ObjectType":"Authentication","ObjectName":"","ObjectID":0,"CustomerID":216197686549169152,"User":"michael@org.com","ClientAuditUpdate":0}
```
ZPA User Status Sample
```json
{"LogTimestamp":"Wed Dec 14 00:29:59 2022","Customer":"CUSTOMER","Username":"user@org.com","SessionID":"SESSION","SessionStatus":"ZPN_STATUS_AUTHENTICATED","Version":"3.6.1.30","ZEN":"ZEN1234","CertificateCN":"CERT","PrivateIP":"192.168.10.9","PublicIP":"8.8.8.8","Latitude":32.0,"Longitude":44.0,"CountryCode":"US","TimestampAuthentication":"2022-12-14T00:02:00.000Z","TimestampUnAuthentication":"","TotalBytesRx":1234,"TotalBytesTx":4321,"Idp":"User SSO","Hostname":"Michael's MacBook Pro","Platform":"mac","ClientType":"zpn_client_type_zapp","TrustedNetworks":[],"TrustedNetworksNames":[],"SAMLAttributes":"{\"FirstName\":[\"Michael\"],\"LastName\":[\"Koko\"],\"Email\":[\"user@org.com\"],\"DepartmentName\":[\"Sales\"],\"manager\":[\"Shoko koko\"],\"userType\":[\"Freelancer\"],\"acl\":[\"acl\"],\"division\":[\"Sales\"],\"prodAccess\":[\"No\"]}","PosturesHit":["1234"],"PosturesMiss":["5432"],"ZENLatitude":0.0,"ZENLongitude":0.0,"ZENCountryCode":"","FQDNRegistered":"0","FQDNRegisteredError":""}
```
ZPA Browser Access Sample
```json
{"LogTimestamp":"Mon Dec 12 13:26:04 2022","ConnectionID":"","Exporter":"unset","TimestampRequestReceiveStart":"2022-12-12T13:26:04.166Z","TimestampRequestReceiveHeaderFinish":"2022-12-12T13:26:04.166Z","TimestampRequestReceiveFinish":"2022-12-12T13:26:04.166Z","TimestampRequestTransmitStart":"2022-12-12T13:26:04.645Z","TimestampRequestTransmitFinish":"2022-12-12T13:26:04.645Z","TimestampResponseReceiveStart":"2022-12-12T13:26:04.989Z","TimestampResponseReceiveFinish":"2022-12-12T13:26:04.989Z","TimestampResponseTransmitStart":"2022-12-12T13:26:04.989Z","TimestampResponseTransmitFinish":"2022-12-12T13:26:04.989Z","TotalTimeRequestReceive":51,"TotalTimeRequestTransmit":1,"TotalTimeResponseReceive":48,"TotalTimeResponseTransmit":18,"TotalTimeConnectionSetup":179271,"TotalTimeServerResponse":343619,"Method":"GET","Protocol":"HTTPS","Host":"zscaler.orgcloud.com","URL":"/michael-22.283.1/js/main.61a6e53b.chunk.js","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36","XFF":"","NameID":"check@cloud.org.com","StatusCode":200,"RequestSize":847,"ResponseSize":7236,"ApplicationPort":443,"ClientPublicIp":"1.1.1.1","ClientPublicPort":30503,"ClientPrivateIp":"","Customer":"org","ConnectionStatus":"","ConnectionReason":"","Origin":"","CorsToken":""}
```
ZPA User Activity Sample
```json
{"LogTimestamp":"Wed Dec 14 00:00:00 2022","Customer":"customer","SessionID":"123","ConnectionID":"234/,567","InternalReason":"OPEN_OR_ACTIVE_CONNECTION","ConnectionStatus":"open","IPProtocol":6,"DoubleEncryption":0,"Username":"username","ServicePort":443,"ClientPublicIP":"1.1.1.1","ClientPrivateIP":"2.2.2.2","ClientLatitude":35.0,"ClientLongitude":-120.0,"ClientCountryCode":"US","ClientZEN":"US","Policy":"policy","Connector":"connector","ConnectorZEN":"US-CA","ConnectorIP":"1.1.1.1","ConnectorPort":43928,"Host":"host","Application":"app","AppGroup":"appgroup","Server":"0","ServerIP":"2.2.2.2","ServerPort":443,"PolicyProcessingTime":29,"ServerSetupTime":1,"TimestampConnectionStart":"2022-12-13T23:59:59.998Z","TimestampConnectionEnd":"","TimestampCATx":"","TimestampCARx":"2022-12-13T23:59:59.998Z","TimestampAppLearnStart":"","TimestampZENFirstRxClient":"","TimestampZENFirstTxClient":"","TimestampZENLastRxClient":"","TimestampZENLastTxClient":"","TimestampConnectorZENSetupComplete":"2022-12-14T00:00:00.019Z","TimestampZENFirstRxConnector":"","TimestampZENFirstTxConnector":"2022-12-14T00:00:00.019Z","TimestampZENLastRxConnector":"","TimestampZENLastTxConnector":"2022-12-14T00:00:00.019Z","ZENTotalBytesRxClient":517,"ZENBytesRxClient":517,"ZENTotalBytesTxClient":0,"ZENBytesTxClient":0,"ZENTotalBytesRxConnector":0,"ZENBytesRxConnector":0,"ZENTotalBytesTxConnector":0,"ZENBytesTxConnector":0,"Idp":"User SSO","ClientToClient":"0"}
```
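As an added example (not code from the Hunters documentation or from Zscaler's exporter), the Python below reads an NDJSON export of the kind sampled above, identifies which of the four tables each record belongs to from a few signature fields (useful for verifying that each data type really lands under its own prefix before it reaches S3), normalises the two timestamp styles seen in the samples, and decodes the JSON string nested in SAMLAttributes. The signature fields are an assumption drawn from the sample records; a partial export that omits them would classify as unknown.

```python
import json
from datetime import datetime, timezone

# Fields that identify each ZPA data type (assumption taken from this page's samples).
TYPE_SIGNATURES = {
    "zscaler_zpa_audit": {"AuditOperationType", "ObjectType"},
    "zscaler_zpa_user_status": {"SessionStatus", "TimestampAuthentication"},
    "zscaler_zpa_browser_access": {"Method", "StatusCode", "UserAgent"},
    "zscaler_zpa_user_activity": {"Connector", "Application", "ServerIP"},
}

def classify(record):
    """Table whose signature fields match best, or None if no field matches."""
    best, hits = None, 0
    for table, fields in TYPE_SIGNATURES.items():
        n = len(fields & set(record))
        if n > hits:
            best, hits = table, n
    return best

def event_time(record):
    """UTC ISO-8601 event time; the ctime-style LogTimestamp has no zone and is treated as UTC."""
    if record.get("CreationTime"):  # audit records: already ISO-8601
        return record["CreationTime"]
    raw = record.get("LogTimestamp")
    if not raw:
        return None
    ts = datetime.strptime(raw, "%a %b %d %H:%M:%S %Y")  # e.g. "Wed Dec 14 00:29:59 2022"
    return ts.replace(tzinfo=timezone.utc).isoformat().replace("+00:00", "Z")

def parse_ndjson(text):
    """Parse export lines; bad lines are reported, not dropped, and SAMLAttributes is decoded."""
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            out.append({"table": None, "error": f"line {lineno}: {exc.msg}"})
            continue
        if isinstance(record.get("SAMLAttributes"), str):  # JSON string nested in JSON
            record["SAMLAttributes"] = json.loads(record["SAMLAttributes"])
        out.append({"table": classify(record), "time": event_time(record), "record": record})
    return out

SAMPLE = "\n".join([  # constructed: the page's four records abbreviated, plus one malformed line
    '{"CreationTime":"2022-12-14T02:02:21.000Z","AuditOperationType":"Session Time Out","ObjectType":"Authentication","User":"michael@org.com"}',
    '{"LogTimestamp":"Wed Dec 14 00:29:59 2022","Username":"user@org.com","SessionStatus":"ZPN_STATUS_AUTHENTICATED","SAMLAttributes":"{\\"DepartmentName\\":[\\"Sales\\"]}"}',
    '{"LogTimestamp":"Mon Dec 12 13:26:04 2022","Method":"GET","StatusCode":200,"UserAgent":"Mozilla/5.0"}',
    '{"LogTimestamp":"Wed Dec 14 00:00:00 2022","Connector":"connector","Application":"app","ServerIP":"2.2.2.2"}',
    "not json",
])
```

Run `parse_ndjson(SAMPLE)` to see the per-record table, normalised time and the decoded SAMLAttributes; the malformed fifth line comes back as an error entry with its line number rather than being dropped.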