Zscaler ZPA

ZPA is a cloud service that provides secure remote access to internal applications running on cloud or data center using a Zero Trust framework.

With ZPA, applications are never exposed to the internet, making them completely invisible to unauthorized users.

The service enables the applications to connect to users via inside-out connectivity rather than extending the network to them. ZPA provides a simple, secure, and effective way to access internal applications. Access is based on policies created by the IT administrator within the ZPA Admin Portal and hosted within the Zscaler cloud. On each user device, software called Zscaler Client Connector is installed. Zscaler Client Connector ensures the user's device posture and extends a secure microtunnel out to the Zscaler cloud when a user attempts to access an internal application.

The parser normalizes data to a common schema based on CrowdStrike Parsing Standard (CPS). This schema allows you to search the data without knowing the data specifically, and just knowing the common schema instead. It also allows you to combine the data more easily with other data sources which conform to the same schema.

Breaking Changes

This update includes parser changes, which means that data ingested after upgrade will not be backwards compatible with logs ingested with the previous version.

Updating to version 1.0.0 or newer will therefore result in issues with existing queries in for example dashboards or alerts created prior to this version.

See CrowdStrike Parsing Standard (CPS) for more details on the new parser schema.

Follow the CPS Migration to update your queries to use the fields and tags that are available in data parsed with version 1.0.0.

Installing the Package in LogScale

Find the repository where you want to send the Zscaler ZPA events, or Creating a Repository or View.

Navigate to your repository in the LogScale interface, click Settings and then Packages on the left.
Click Marketplace and install the LogScale package for Zscaler ZPA (i.e. zscaler/zpa).
When the package has finished installing, click Ingest tokens on the left still under the Settings.
In the right panel, click + Add Token to create a new token for each parser. Give the token an appropriate name (e.g. the name of the log it will collect logs from), and assign the parser to the token.
Figure 97. ZPA

Before leaving this page, view the ingest token and copy it to your clipboard — to save it temporarily elsewhere.
Now that you have a repository set up in LogScale along with an ingest token you're ready to send logs to LogScale.

Configurations and Sending the Logs to LogScale

To get logs from Zscaler ZPA into LogScale, use Zscaler Log Streaming Service (LSS)

Install the package in the LogScale repository, and create an ingest token for each of the ZPA parser which corresponds to the different ZPA log sources. as described above.
In the ZPA administration console add a new log receiver and configure it with your LogScale Collector's IP address, TCP port, and TLS encryption details (if required). More on the ZPA documentation. See Syslog via TLS for more infromation on configuring LogScale collector for TLS connections.
Verify that the TLS cert you provide is from a publicly trusted CA or the ZPA app connector (the ZS component that streams logs to the SIEM) must be updated to trust the private TLS cert being used.
Figure 98. ZPA
In the Log Stream tab, select the log type and JSON for log format. Keep default log stream content.
Figure 99. ZPA Logs
Configure LogScale Collector with TCP syslog receiver to ship logs to LogScale, see Sources & Examples.
Note that events might be truncated if they exceed the default limit of 2048 bytes and the limit should be increased to 1MB (maxEventSize: 1048576)

Note that, you can add any fields you would like to these formats, and they will be present and usable in LogScale, but they will only be mapped to the schema if you manually extend the parsers to handle those fields.

Expected log format used to generate logs:

App-Connector-Status

{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"SessionType": %j{SessionType},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"Platform": %j{Platform},"ZEN": %j{ZEN},"Connector": %j{Connector},"ConnectorGroup": %j{ConnectorGroup},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"CPUUtilization": %d{CPUUtilization},"MemUtilization": %d{MemUtilization},"ServiceCount": %d{ServiceCount},"InterfaceDefRoute": %j{InterfaceDefRoute},"DefRouteGW": %j{DefRouteGW},"PrimaryDNSResolver": %j{PrimaryDNSResolver},"HostUpTime": %j{HostUpTime},"ConnectorUpTime": %j{ConnectorUpTime},"NumOfInterfaces": %d{NumOfInterfaces},"BytesRxInterface": %d{BytesRxInterface},"PacketsRxInterface": %d{PacketsRxInterface},"ErrorsRxInterface": %d{ErrorsRxInterface},"DiscardsRxInterface": %d{DiscardsRxInterface},"BytesTxInterface": %d{BytesTxInterface},"PacketsTxInterface": %d{PacketsTxInterface},"ErrorsTxInterface": %d{ErrorsTxInterface},"DiscardsTxInterface": %d{DiscardsTxInterface},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx}}\n

AppProtection

{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer}, "ConnectionID": %j{ConnectionID}, "UserID": %j{UserID}, "AssistantID": %j{AssistantID}, "ExchangeSequenceIndex": %d{ExchangeSequenceIndex}, "TimestampRequestReceiveStart": %d{TimestampRequestReceiveStart}, "TimestampRequestReceiveHeaderFinish": %d{TimestampRequestReceiveHeaderFinish}, "TimestampRequestReceiveFinish": %d{TimestampRequestReceiveFinish}, "TimestampRequestTransmitStart": %d{TimestampRequestTransmitStart}, "TimestampRequestTransmitFinish": %d{TimestampRequestTransmitFinish}, "TimestampResponseReceiveFinish": %d{TimestampResponseReceiveFinish}, "TimestampResponseTransmitStart": %d{TimestampResponseTransmitStart}, "TimestampResponseTransmitFinish": %d{TimestampResponseTransmitFinish}, "TotalTimeRequestReceive": %d{TotalTimeRequestReceive}, "TotalTimeRequestTransmit": %d{TotalTimeRequestTransmit}, "TotalTimeResponseReceive": %d{TotalTimeResponseReceive}, "TotalTimeResponseTransmit": %d{TotalTimeResponseTransmit}, "Domain": %j{Domain}, "Method": %j{Method}, "Protocol": %j{Protocol}, "ProtocolVersion": %j{ProtocolVersion}, "ContentType": %j{ContentType}, "ContentEncoding": %j{ContentEncoding}, "TransferEncoding": %j{TransferEncoding}, "Host": %j{Host}, "Destination": %j{Destination}, "OriginDomain": %j{OriginDomain}, "URL": %j{URL}, "UserAgent": %j{UserAgent}, "HTTPError": %j{HTTPError}, "ClientPublicIp": %j{ClientPublicIp}, "ClientPort": %d{ClientPort}, "UpgradeHeaderPresent": %d{UpgradeHeaderPresent}, "StatusCode": %d{StatusCode}, "RequestHdrSize": %d{RequestHdrSize}, "ResponseHdrSize": %d{ResponseHdrSize}, "RequestBodySize": %d{RequestBodySize}, "ResponseBodySize": %d{ResponseBodySize}, "Application": %d{Application}, "ApplicationGroup": %d{ApplicationGroup}, "InspectionPolicy": %d{InspectionPolicy}, "InspectionProfile": %d{InspectionProfile}, "ParanoiaLevel": %d{ParanoiaLevel}, "InspectionControlsHitCount": %d{InspectionControlsHitCount}, "InspectionRuleProcessingTime": %d{InspectionRuleProcessingTime}, "InspectionReqHeadersProcessingTime": %d{InspectionReqHeadersProcessingTime}, "InspectionReqBodyProcessingTime": %d{InspectionReqBodyProcessingTime}, "InspectionRespHeadersProcessingTime": %d{InspectionRespHeadersProcessingTime}, "InspectionRespBodyProcessingTime": %d{InspectionRespBodyProcessingTime}, "CertificateId": %d{CertificateId}, "DoubleEncryption": %d{DoubleEncryption}, "SSLInspection": %d{SSLInspection}, "TotalBytesProcessed": %d{TotalBytesProcessed}}\n

Audit

{"ModifiedTime":%j{modifiedTime:iso8601},"CreationTime":%j{creationTime:iso8601},"ModifiedBy":%d{modifiedBy},"RequestID":%j{requestId},"SessionID":%j{sessionId},"AuditOldValue":%j{auditOldValue},"AuditNewValue":%j{auditNewValue},"AuditOperationType":%j{auditOperationType},"ObjectType":%j{objectType},"ObjectName":%j{objectName},"ObjectID":%d{objectId},"CustomerID":%d{customerId},"User":%j{modifiedByUser},"ClientAuditUpdate":%d{isClientAudit}}\n

Browser Access

{"LogTimestamp":%j{LogTimestamp:time},"ConnectionID":%j{ConnectionID},"Exporter":%j{Exporter},"TimestampRequestReceiveStart":%j{TimestampRequestReceiveStart:iso8601},"TimestampRequestReceiveHeaderFinish":%j{TimestampRequestReceiveHeaderFinish:iso8601},"TimestampRequestReceiveFinish":%j{TimestampRequestReceiveFinish:iso8601},"TimestampRequestTransmitStart":%j{TimestampRequestTransmitStart:iso8601},"TimestampRequestTransmitFinish":%j{TimestampRequestTransmitFinish:iso8601},"TimestampResponseReceiveStart":%j{TimestampResponseReceiveStart:iso8601},"TimestampResponseReceiveFinish":%j{TimestampResponseReceiveFinish:iso8601},"TimestampResponseTransmitStart":%j{TimestampResponseTransmitStart:iso8601},"TimestampResponseTransmitFinish":%j{TimestampResponseTransmitFinish:iso8601},"TotalTimeRequestReceive":%d{TotalTimeRequestReceive},"TotalTimeRequestTransmit":%d{TotalTimeRequestTransmit},"TotalTimeResponseReceive":%d{TotalTimeResponseReceive},"TotalTimeResponseTransmit":%d{TotalTimeResponseTransmit},"TotalTimeConnectionSetup":%d{TotalTimeConnectionSetup},"TotalTimeServerResponse":%d{TotalTimeServerResponse},"Method":%j{Method},"Protocol":%j{Protocol},"Host":%j{Host},"URL":%j{URL},"UserAgent":%j{UserAgent},"XFF":%j{XFF},"NameID":%j{NameID},"StatusCode":%d{StatusCode},"RequestSize":%d{RequestSize},"ResponseSize":%d{ResponseSize},"ApplicationPort":%d{ApplicationPort},"ClientPublicIp":%j{ClientPublicIp},"ClientPublicPort":%d{ClientPublicPort},"ClientPrivateIp":%j{ClientPrivateIp},"Customer":%j{Customer},"ConnectionStatus":%j{ConnectionStatus},"ConnectionReason":%j{ConnectionReason},"Origin":%j{Origin},"CorsToken":%j{CorsToken}}\n

User-Activity

{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"ConnectionID": %j{ConnectionID},"InternalReason": %j{InternalReason},"ConnectionStatus": %j{ConnectionStatus},"IPProtocol": %d{IPProtocol},"DoubleEncryption": %d{DoubleEncryption},"Username": %j{Username},"ServicePort": %d{ServicePort},"ClientPublicIP": %j{ClientPublicIP},"ClientPrivateIP": %j{ClientPrivateIP},"ClientLatitude": %f{ClientLatitude},"ClientLongitude": %f{ClientLongitude},"ClientCountryCode": %j{ClientCountryCode},"ClientZEN": %j{ClientZEN},"Policy": %j{Policy},"Connector": %j{Connector},"ConnectorZEN": %j{ConnectorZEN},"ConnectorIP": %j{ConnectorIP},"ConnectorPort": %d{ConnectorPort},"Host": %j{Host},"Application": %j{Application},"AppGroup": %j{AppGroup},"Server": %j{Server},"ServerIP": %j{ServerIP},"ServerPort": %d{ServerPort},"PolicyProcessingTime": %d{PolicyProcessingTime},"ServerSetupTime": %d{ServerSetupTime},"TimestampConnectionStart": %j{TimestampConnectionStart:iso8601},"TimestampConnectionEnd": %j{TimestampConnectionEnd:iso8601},"TimestampCATx": %j{TimestampCATx:iso8601},"TimestampCARx": %j{TimestampCARx:iso8601},"TimestampAppLearnStart": %j{TimestampAppLearnStart:iso8601},"TimestampZENFirstRxClient": %j{TimestampZENFirstRxClient:iso8601},"TimestampZENFirstTxClient": %j{TimestampZENFirstTxClient:iso8601},"TimestampZENLastRxClient": %j{TimestampZENLastRxClient:iso8601},"TimestampZENLastTxClient": %j{TimestampZENLastTxClient:iso8601},"TimestampConnectorZENSetupComplete": %j{TimestampConnectorZENSetupComplete:iso8601},"TimestampZENFirstRxConnector": %j{TimestampZENFirstRxConnector:iso8601},"TimestampZENFirstTxConnector": %j{TimestampZENFirstTxConnector:iso8601},"TimestampZENLastRxConnector": %j{TimestampZENLastRxConnector:iso8601},"TimestampZENLastTxConnector": %j{TimestampZENLastTxConnector:iso8601},"ZENTotalBytesRxClient": %d{ZENTotalBytesRxClient},"ZENBytesRxClient": %d{ZENBytesRxClient},"ZENTotalBytesTxClient": %d{ZENTotalBytesTxClient},"ZENBytesTxClient": %d{ZENBytesTxClient},"ZENTotalBytesRxConnector": %d{ZENTotalBytesRxConnector},"ZENBytesRxConnector": %d{ZENBytesRxConnector},"ZENTotalBytesTxConnector": %d{ZENTotalBytesTxConnector},"ZENBytesTxConnector": %d{ZENBytesTxConnector},"Idp": %j{Idp},"ClientToClient": %j{c2c}}\n

User-Status

{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"Username": %j{Username},"SessionID": %j{SessionID},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"ZEN": %j{ZEN},"CertificateCN": %j{CertificateCN},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx},"Idp": %j{Idp},"Hostname": %j{Hostname},"Platform": %j{Platform},"ClientType": %j{ClientType},"TrustedNetworks": [%j(,){TrustedNetworks}],"TrustedNetworksNames": [%j(,){TrustedNetworksNames}],"SAMLAttributes": %j{SAMLAttributes},"PosturesHit": [%j(,){PosturesHit}],"PosturesMiss": [%j(,){PosturesMiss}],"ZENLatitude": %f{ZENLatitude},"ZENLongitude": %f{ZENLongitude},"ZENCountryCode": %j{ZENCountryCode},"FQDNRegistered": %j{fqdn_registered},"FQDNRegisteredError": %j{fqdn_register_error}}\n

Verify Data is Arriving in LogScale

Once you have completed the above steps the Zscaler ZPA data should be arriving in your LogScale repository.

You can verify this by doing a simple search for the events:

logscale

#Vendor = "zscaler" 
| Product="zpa"

Package Contents Explained

This package contains the following parsers:

zscaler-zpa-app-connector-status-json.yaml for App-Connector-Status log type
zscaler-zpa-app-protection-json.yaml for App-Protection log type
zscaler-zpa-audit-json.yaml for Audit log type
zscaler-zpa-browser-access-json.yaml for Browser-Access log type
zscaler-zpa-user-activity-json.yaml for User-Activity log type
zscaler-zpa-user-status-json.yaml for User-Status log type

This package parses incoming data, and normalizing the data as part of that parsing. The parser normalizes the data to CrowdStrike Parsing Standard (CPS) schema based on OpenTelemetry standards, while still preserving the original data.

If you want to search using the original field names and values, you can access those in the fields whose names are prefixed with the word Vendor. Fields which are not prefixed with Vendor are standard fields which are either based on the schema (e.g. source.ip) or on LogScale conventions (e.g. @rawstring).

The fields which the parser currently maps the data to, are chosen based on what seems the most relevant, and will potentially be expanded in the future. But the parser won't necessarily normalize every field that has potential to be normalized.

Event Categorisation

As part of the schema, events are categorized by fields:

event.category

event.category is an array so needs to be searched using the following syntax:

array:contains("event.category[]", value="iam")

For example, the following will find events where some event.type[n] field contains the value network, regardless of what n is.

Note that not all events will be categorized to this level of detail.

Normalized Fields

Here are some of the normalized fields which are being set by this parser:

event.* (e.g. event.type, event.kind, event.category )
client.* (e.g. client.ip, client.port)
server.* (e.g. server.ip, server.port )
related.* (e.g. related.ip )
host.* (e.g. host.hostname, host.ip )

Integrations

Integrations

Packages

LogScale APIs 1.118.0-1.137.0

APIs

API Authentication

Cluster Management API

Health Check API

Ingest API

Lookup API

Redact Events API

Search API

Software Libraries

LogScale Third-Party Log Shippers

Third-Party Log Shippers