Zscaler LSS

Zscaler Private Access (ZPA) is a VPN alternative which allows you to give users policy-based secure access to only the internal apps they need to get their work done. The Log Streaming Service (LSS) provides a better understanding of the information coming from the ZPA service by allowing you to create log receivers that receive information about App Connectors and users.

Zscaler LSS product logs can contain information about hosts and accounts, in addition to the source address. When setting up Zscaler LSS as an event source, you will have the ability to specify attribution options.

To set up Zscaler LSS, you’ll need to:

  1. Configure Zscaler LSS to forward logs to the InsightIDR Collector.
  2. Set up the Zscaler LSS event source in InsightIDR.
  3. Verify the configuration.

Task 1: Configure Zscaler LSS to forward logs to your Collector

You must first configure Zscaler LSS to forward logs to the InsightIDR Collector. You can find information on how to configure Zscaler LSS at: https://help.zscaler.com/zpa/configuring-log-receiver

Supported log format and log types

InsightIDR only supports logs formatted in JSON. When selecting a Log Template, select JSON. Use the default Log Stream Content that is mentioned in the Zscaler documentation. InsightIDR only supports User Activity and Audit Logs for the Zscaler LSS event source; these should be the only Log Types set up in the Log Stream tab. (Note that only one log type can be selected per stream, so if you wish for both log types to be sent to InsightIDR, a separate log stream will be required for each).

Task 2: Set up the Zscaler LSS event source in InsightIDR

  1. From the left menu, go to Data Collection.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the Security Data section, click the Ingress Authentication icon. The Add Event Source panel appears.
  4. Choose your Collector and event source.
  5. (Optional) Name your event source if you want.
  6. (Optional) Choose to send unfiltered logs.
  7. Choose the time zone that matches the location of your event source logs.
  8. Select an attribution source.
  9. Select a collection method and specify a port and a protocol.
  10. (Optional) If you are using TCP, you may choose to download the Rapid7 Certificate to encrypt the event source.
  11. Click Save.

Attribution source options

Zscaler LSS product logs can contain information about hosts and accounts. When setting up Zscaler LSS as an event source, you will have the ability to specify the following attribution options:

  • Use IDR engine if possible; if not, use event log By selecting this option, the InsightIDR attribution engine will perform attribution using the source address present in the log lines. If it's unable to resolve assets or accounts using the source address, it will use the assets or accounts present in the log lines, if any.
  • Use event log if possible; if not, use IDR engine By selecting this option, attribution will be done using the assets and accounts present in the log lines. If no assets or accounts are present in the log lines, the InsightIDR attribution engine will perform attribution using the source address present in the log lines.
  • Use IDR engine only By selecting this option, the InsightIDR attribution engine will perform the attribution using the source address present in the log lines, ignoring any assets and accounts present in the log lines.
  • Use event log only By selecting this option, attribution will be done using the assets and accounts present in the log lines, ignoring the source address.

Task 3: Verify the configuration

Complete the following steps to view your logs and ensure events are making it to the Collector.

  1. On the new event source that was just created, click the View Raw Log button. If you see log messages in the box, then this shows that logs are flowing to the Collector.
  2. Click Log Search in the left menu.
  3. Select the applicable log sets and the log names within them. The log name will be the event source name or “Zscaler LSS” if you did not name the event source. Zscaler LSS User Activity logs flow into the Ingress Authentication log set, and Audit Logs flow into the Cloud Admin Activity log set.

Sample logs

Example User Activity log:

json
1
{
2
    "LogTimestamp": "Fri May 31 17:35:42 2019",
3
    "Customer": "ANZ Team/zdemo in beta",
4
    "SessionID": "SqyZIMkg0JTj7EABsvwA",
5
    "ConnectionID": "SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm",
6
    "InternalReason": "OPEN_OR_ACTIVE_CONNECTION",
7
    "ConnectionStatus": "active",
8
    "IPProtocol": 6,
9
    "DoubleEncryption": 0,
10
    "Username": "ZPA LSS Client",
11
    "ServicePort": 10011,
12
    "ClientPublicIP": "34.209.189.218",
13
    "ClientPrivateIP": "",
14
    "ClientLatitude": 45.000000,
15
    "ClientLongitude": -119.000000,
16
    "ClientCountryCode": "US",
17
    "ClientZEN": "broker1b.pdx2",
18
    "Policy": "ANZ Lab Apps_1",
19
    "Connector": "ZDEMO ANZ Lab-1",
20
    "ConnectorZEN": "broker1b.pdx2",
21
    "ConnectorIP": "192.168.1.53",
22
    "ConnectorPort": 60266,
23
    "Host": "192.168.1.57",
24
    "Application": "ANZ Lab Apps",
25
    "AppGroup": "ANZ Lab Apps",
26
    "Server": "0",
27
    "ServerIP": "192.168.1.57",
28
    "ServerPort": 10011,
29
    "PolicyProcessingTime": 28,
30
    "CAProcessingTime": 1330,
31
    "ConnectorZENSetupTime": 191017,
32
    "ConnectionSetupTime": 192397,
33
    "ServerSetupTime": 465,
34
    "AppLearnTime": 0,
35
    "TimestampConnectionStart": "2019-05-30T08:20:42.230Z",
36
    "TimestampConnectionEnd": "",
37
    "TimestampCATx": "2019-05-30T08:20:42.230Z",
38
    "TimestampCARx": "2019-05-30T08:20:42.231Z",
39
    "TimestampAppLearnStart": "",
40
    "TimestampZENFirstRxClient": "2019-05-30T08:20:42.424Z",
41
    "TimestampZENFirstTxClient": "",
42
    "TimestampZENLastRxClient": "2019-05-31T17:34:27.348Z",
43
    "TimestampZENLastTxClient": "",
44
    "TimestampConnectorZENSetupComplete": "2019-05-30T08:20:42.422Z",
45
    "TimestampZENFirstRxConnector": "",
46
    "TimestampZENFirstTxConnector": "2019-05-30T08:20:42.424Z",
47
    "TimestampZENLastRxConnector": "",
48
    "TimestampZENLastTxConnector": "2019-05-31T17:34:27.348Z",
49
    "ZENTotalBytesRxClient": 2406926,
50
    "ZENBytesRxClient": 7115,
51
    "ZENTotalBytesTxClient": 0,
52
    "ZENBytesTxClient": 0,
53
    "ZENTotalBytesRxConnector": 0,
54
    "ZENBytesRxConnector": 0,
55
    "ZENTotalBytesTxConnector": 2406926,
56
    "ZENBytesTxConnector": 7115,
57
    "Idp": "Example IDP Config"
58
}

Example Audit log:

json
1
{
2
    "ModifiedTime": "2020-07-13T20:53:10.000Z",
3
    "CreationTime": "2020-07-13T20:53:10.000Z",
4
    "ModifiedBy": 11223344556677889,
5
    "RequestID": "a12aa12a-1234-aab1-123ab123456a",
6
    "SessionID": "a123456789abc12a123456789a12a1a1a12345678ab12a12345a",
7
    "AuditOldValue": "",
8
    "AuditNewValue": "{\"id\":\"98765432100123456\",\"name\":\"app1.test.com\",\"applicationId\":\"12312312312312300\",\"applicationPort\":\"443\",\"applicationProtocol\":\"HTTPS\",\"certificateId\":\"10203040506070809\",\"domain\":\"app1.test.com\",\"enabled\":\"true\",\"hidden\":\"false\",\"path\":\"\\/\",\"portal\":\"false\",\"trustUntrustedCert\":\"true\"}",
9
    "AuditOperationType": "Create",
10
    "ObjectType": "Browser Access",
11
    "ObjectName": "app1.test.com",
12
    "ObjectID": 98765432100123456,
13
    "CustomerID": 12345678901234567,
14
    "User": "zpaadmin@test.com"
15
}