zscaler/deception
Vendor | Zscaler, Inc. |
Author | CrowdStrike |
Version | 1.2.0 |
Minimum LogScale Version | 1.82.0 |
Deception is used to deploy lures throughout customer network of various types (fake AD servers/DB servers/fake password files/fake browser cookies etc) and of an attacker breaches customer network, these lures come across as lowest hanging fruits to the attacker.
And as the attackers engage with them, that generates a high fidelity alert, that can be sent to the SIEM. This package adds high value security data to LogScale to correlate with FLTR data.
The parser normalizes data to a common schema based on CrowdStrike Parsing Standard (CPS) 1.0. This schema allows you to search the data without knowing the data specifically, and just knowing the common schema instead. It also allows you to combine the data more easily with other data sources which conform to the same schema.
Breaking Changes
This update includes parser changes, which means that data ingested after upgrade will not be backwards compatible with logs ingested with the previous version.
Updating to version 1.0.0 or newer will therefore result in issues with existing queries in for example dashboards or alerts created prior to this version.
See CrowdStrike Parsing Standard (CPS) 1.0 for more details on the new parser schema.
Follow the CPS Migration to update your queries to use the fields and tags that are available in data parsed with version 1.0.0.
Installing the Package in LogScale
Find the repository where you want to send the events, or Creating a Repository or View.
Navigate to your repository in the LogScale interface, click Settings and then on the left.
Click (i.e. zscaler/deception).
and install the LogScale package forWhen the package has finished installing, click
on the left still under the .In the right panel, click zscaler-deception to the token.
to create a new token for each parser. Give the token an appropriate name (e.g. the name of the log it will collect logs from), and assign the parserBefore leaving this page, view the ingest token and copy it to your clipboard — to save it temporarily elsewhere.
Now that you have a repository set up in LogScale along with an ingest token you're ready to send logs to LogScale.
Configurations and Sending the Logs to LogScale
Install the package in the LogScale repository, and create an ingest token assign the parser. as described above.
In the Zscaler Deception console add a new Syslog integration and configure it with your LogScale Collector's IP address, TCP port.
Configure LogScale Collector as Syslog Receiver as described in the documentation, Syslog Receiver to forward logs to your LogScale repository.
Note that events might be truncated if they exceed the default limit of 2048 bytes and the limit should be increased to 1MB (maxEventSize: 1048576)
Verify Data is Arriving in LogScale
Once you have completed the above steps the data should be arriving in your LogScale repository.
You can verify this by doing a simple search for
#Vendor = "zscaler" |
#event.module="deception"
to see the events.
Package Contents Explained
This package parses incoming data, and normalizing the data as part of that parsing. The parser normalizes the data to CrowdStrike Parsing Standard (CPS) 1.0 schema based on OpenTelemetry standards, while still preserving the original data.
If you want to search using the original field names and values, you can access those in the fields whose names are prefixed with the word Vendor. Fields which are not prefixed with Vendor are standard fields which are either based on the schema (e.g. source.ip) or on LogScale conventions (e.g. @rawstring).
The fields which the parser currently maps the data to, are chosen based on what seems the most relevant, and will potentially be expanded in the future. But the parser won't necessarily normalize every field that has potential to be normalized.