diff --git a/packages/zscaler_zpa/_dev/build/build.yml b/packages/zscaler_zpa/_dev/build/build.yml
new file mode 100644
index 00000000000..809e76063e9
--- /dev/null
+++ b/packages/zscaler_zpa/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@8.0
diff --git a/packages/zscaler_zpa/_dev/build/docs/README.md b/packages/zscaler_zpa/_dev/build/docs/README.md
new file mode 100644
index 00000000000..92cbc24246b
--- /dev/null
+++ b/packages/zscaler_zpa/_dev/build/docs/README.md
@@ -0,0 +1,135 @@ +# Zscaler ZPA + +This integration is for Zscaler Private Access logs. It can be used +to receive logs sent by LSS Log Receiver on respective TCP ports. + +The log message is expected to be in JSON format. The data is mapped to +ECS fields where applicable and the remaining fields are written under +`zscaler_zpa..*`. + +## Setup steps + +1. Enable the integration with the TCP input. +2. Configure the Zscaler LSS Log Receiver to send logs to the Elastic Agent +that is running this integration. See [_Setup Log Receiver_](https://help.zscaler.com/zpa/configuring-log-receiver). Use the IP address/hostname of the Elastic Agent as the 'Log Receiver Domain or IP Address', and use the listening port of the Elastic Agent as the 'TCP Port' on the _Add Log Receiver_ configuration screen. +3. *Please make sure to use the given response formats.* + +## Compatibility + +This package has been tested against `Zscaler Private Access Client Connector version 3.7.1.44` + +## Documentation and configuration + +### App Connector Status Logs + +Default port: _9015_ + +Vendor documentation: https://help.zscaler.com/zpa/about-connector-status-log-fields + +Zscaler response format: +``` +{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"SessionType": %j{SessionType},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"Platform": %j{Platform},"ZEN": %j{ZEN},"Connector": %j{Connector},"ConnectorGroup": %j{ConnectorGroup},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"CPUUtilization": %d{CPUUtilization},"MemUtilization": %d{MemUtilization},"ServiceCount": %d{ServiceCount},"InterfaceDefRoute": %j{InterfaceDefRoute},"DefRouteGW": %j{DefRouteGW},"PrimaryDNSResolver": %j{PrimaryDNSResolver},"HostUpTime": 
%j{HostUpTime},"ConnectorUpTime": %j{ConnectorUpTime},"NumOfInterfaces": %d{NumOfInterfaces},"BytesRxInterface": %d{BytesRxInterface},"PacketsRxInterface": %d{PacketsRxInterface},"ErrorsRxInterface": %d{ErrorsRxInterface},"DiscardsRxInterface": %d{DiscardsRxInterface},"BytesTxInterface": %d{BytesTxInterface},"PacketsTxInterface": %d{PacketsTxInterface},"ErrorsTxInterface": %d{ErrorsTxInterface},"DiscardsTxInterface": %d{DiscardsTxInterface},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx}}\n +``` + +Sample Response: +```json +{"LogTimestamp":"Wed Jul 3 05:17:22 2019","Customer":"Safe March","SessionID":"8A64Qwj9zCkfYDGJVoUZ","SessionType":"ZPN_ASSISTANT_BROKER_CONTROL","SessionStatus":"ZPN_STATUS_AUTHENTICATED","Version":"19.20.3","Platform":"el7","ZEN":"US-NY-8179","Connector":"Seattle App Connector 1","ConnectorGroup":"Azure App Connectors","PrivateIP":"10.0.0.4","PublicIP":"0.0.0.0","Latitude":47,"Longitude":-122,"CountryCode":"","TimestampAuthentication":"2019-06-27T05:05:23.348Z","TimestampUnAuthentication":"","CPUUtilization":1,"MemUtilization":20,"ServiceCount":2,"InterfaceDefRoute":"eth0","DefRouteGW":"10.0.0.1","PrimaryDNSResolver":"168.63.129.16","HostStartTime":"1513229995","ConnectorStartTime":"1555920005","NumOfInterfaces":2,"BytesRxInterface":319831966346,"PacketsRxInterface":1617569938,"ErrorsRxInterface":0,"DiscardsRxInterface":0,"BytesTxInterface":192958782635,"PacketsTxInterface":1797471190,"ErrorsTxInterface":0,"DiscardsTxInterface":0,"TotalBytesRx":10902554,"TotalBytesTx":48931771} +``` + +### Audit Logs + +Default port: _9016_ + +Vendor documentation: https://help.zscaler.com/zpa/about-audit-log-fields + +Zscaler response format: +``` 
+{"ModifiedTime":%j{modifiedTime:iso8601},"CreationTime":%j{creationTime:iso8601},"ModifiedBy":%d{modifiedBy},"RequestID":%j{requestId},"SessionID":%j{sessionId},"AuditOldValue":%j{auditOldValue},"AuditNewValue":%j{auditNewValue},"AuditOperationType":%j{auditOperationType},"ObjectType":%j{objectType},"ObjectName":%j{objectName},"ObjectID":%d{objectId},"CustomerID":%d{customerId},"User":%j{modifiedByUser},"ClientAuditUpdate":%d{isClientAudit}}\n +``` + +Sample Response: +```json +{"ModifiedTime":"2021-11-17T04:29:38.000Z","CreationTime":"2021-11-17T04:29:38.000Z","ModifiedBy":12345678901234567,"RequestID":"11111111-1111-1111-1111-111111111111","SessionID":"1idn23nlfm2q1txa5h3r4mep6","AuditOldValue":"","AuditNewValue":"{\"id\":\"72058340288495701\",\"name\":\"Some-Name\",\"domainOrIpAddress\":\"1.0.0.1\",\"description\":\"This is a description field\",\"enabled\":\"true\"}","AuditOperationType":"Create","ObjectType":"Server","ObjectName":"Some-Name","ObjectID":12345678901234567,"CustomerID":98765432109876543,"User":"zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com","ClientAuditUpdate":0} +``` + +### Browser Access Logs + +Default port: _9017_ + +Vendor documentation: https://help.zscaler.com/zpa/about-browser-access-log-fields + +Zscaler response format: +``` 
+{"LogTimestamp":%j{LogTimestamp:time},"ConnectionID":%j{ConnectionID},"Exporter":%j{Exporter},"TimestampRequestReceiveStart":%j{TimestampRequestReceiveStart:iso8601},"TimestampRequestReceiveHeaderFinish":%j{TimestampRequestReceiveHeaderFinish:iso8601},"TimestampRequestReceiveFinish":%j{TimestampRequestReceiveFinish:iso8601},"TimestampRequestTransmitStart":%j{TimestampRequestTransmitStart:iso8601},"TimestampRequestTransmitFinish":%j{TimestampRequestTransmitFinish:iso8601},"TimestampResponseReceiveStart":%j{TimestampResponseReceiveStart:iso8601},"TimestampResponseReceiveFinish":%j{TimestampResponseReceiveFinish:iso8601},"TimestampResponseTransmitStart":%j{TimestampResponseTransmitStart:iso8601},"TimestampResponseTransmitFinish":%j{TimestampResponseTransmitFinish:iso8601},"TotalTimeRequestReceive":%d{TotalTimeRequestReceive},"TotalTimeRequestTransmit":%d{TotalTimeRequestTransmit},"TotalTimeResponseReceive":%d{TotalTimeResponseReceive},"TotalTimeResponseTransmit":%d{TotalTimeResponseTransmit},"TotalTimeConnectionSetup":%d{TotalTimeConnectionSetup},"TotalTimeServerResponse":%d{TotalTimeServerResponse},"Method":%j{Method},"Protocol":%j{Protocol},"Host":%j{Host},"URL":%j{URL},"UserAgent":%j{UserAgent},"XFF":%j{XFF},"NameID":%j{NameID},"StatusCode":%d{StatusCode},"RequestSize":%d{RequestSize},"ResponseSize":%d{ResponseSize},"ApplicationPort":%d{ApplicationPort},"ClientPublicIp":%j{ClientPublicIp},"ClientPublicPort":%d{ClientPublicPort},"ClientPrivateIp":%j{ClientPrivateIp},"Customer":%j{Customer},"ConnectionStatus":%j{ConnectionStatus},"ConnectionReason":%j{ConnectionReason},"Origin":%j{Origin},"CorsToken":%j{CorsToken}}\n +``` + +Sample Response: +```json +{"LogTimestamp":"Wed Jul 3 05:12:25 
2019","ConnectionID":"","Exporter":"unset","TimestampRequestReceiveStart":"2019-07-03T05:12:25.723Z","TimestampRequestReceiveHeaderFinish":"2019-07-03T05:12:25.723Z","TimestampRequestReceiveFinish":"2019-07-03T05:12:25.723Z","TimestampRequestTransmitStart":"2019-07-03T05:12:25.790Z","TimestampRequestTransmitFinish":"2019-07-03T05:12:25.790Z","TimestampResponseReceiveStart":"2019-07-03T05:12:25.791Z","TimestampResponseReceiveFinish":"2019-07-03T05:12:25.791Z","TimestampResponseTransmitStart":"2019-07-03T05:12:25.791Z","TimestampResponseTransmitFinish":"2019-07-03T05:12:25.791Z","TotalTimeRequestReceive":127,"TotalTimeRequestTransmit":21,"TotalTimeResponseReceive":73,"TotalTimeResponseTransmit":13,"TotalTimeConnectionSetup":66995,"TotalTimeServerResponse":1349,"Method":"GET","Protocol":"HTTPS","Host":"portal.beta.zdemo.net","URL":"/media/Regular.woff","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15","XFF":"","NameID":"admin@zdemo.net","StatusCode":304,"RequestSize":615,"ResponseSize":331,"ApplicationPort":443,"ClientPublicIp":"175.16.199.1","ClientPublicPort":60006,"ClientPrivateIp":"","Customer":"ANZ Team/zdemo in beta","ConnectionStatus":"","ConnectionReason":""} +``` + +### User Activity Logs + +Default port: _9018_ + +Vendor documentation: https://help.zscaler.com/zpa/about-user-activity-log-fields + +Zscaler response format: +``` +{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"ConnectionID": %j{ConnectionID},"InternalReason": %j{InternalReason},"ConnectionStatus": %j{ConnectionStatus},"IPProtocol": %d{IPProtocol},"DoubleEncryption": %d{DoubleEncryption},"Username": %j{Username},"ServicePort": %d{ServicePort},"ClientPublicIP": %j{ClientPublicIP},"ClientPrivateIP": %j{ClientPrivateIP},"ClientLatitude": %f{ClientLatitude},"ClientLongitude": %f{ClientLongitude},"ClientCountryCode": %j{ClientCountryCode},"ClientZEN": 
%j{ClientZEN},"Policy": %j{Policy},"Connector": %j{Connector},"ConnectorZEN": %j{ConnectorZEN},"ConnectorIP": %j{ConnectorIP},"ConnectorPort": %d{ConnectorPort},"Host": %j{Host},"Application": %j{Application},"AppGroup": %j{AppGroup},"Server": %j{Server},"ServerIP": %j{ServerIP},"ServerPort": %d{ServerPort},"PolicyProcessingTime": %d{PolicyProcessingTime},"ServerSetupTime": %d{ServerSetupTime},"TimestampConnectionStart": %j{TimestampConnectionStart:iso8601},"TimestampConnectionEnd": %j{TimestampConnectionEnd:iso8601},"TimestampCATx": %j{TimestampCATx:iso8601},"TimestampCARx": %j{TimestampCARx:iso8601},"TimestampAppLearnStart": %j{TimestampAppLearnStart:iso8601},"TimestampZENFirstRxClient": %j{TimestampZENFirstRxClient:iso8601},"TimestampZENFirstTxClient": %j{TimestampZENFirstTxClient:iso8601},"TimestampZENLastRxClient": %j{TimestampZENLastRxClient:iso8601},"TimestampZENLastTxClient": %j{TimestampZENLastTxClient:iso8601},"TimestampConnectorZENSetupComplete": %j{TimestampConnectorZENSetupComplete:iso8601},"TimestampZENFirstRxConnector": %j{TimestampZENFirstRxConnector:iso8601},"TimestampZENFirstTxConnector": %j{TimestampZENFirstTxConnector:iso8601},"TimestampZENLastRxConnector": %j{TimestampZENLastRxConnector:iso8601},"TimestampZENLastTxConnector": %j{TimestampZENLastTxConnector:iso8601},"ZENTotalBytesRxClient": %d{ZENTotalBytesRxClient},"ZENBytesRxClient": %d{ZENBytesRxClient},"ZENTotalBytesTxClient": %d{ZENTotalBytesTxClient},"ZENBytesTxClient": %d{ZENBytesTxClient},"ZENTotalBytesRxConnector": %d{ZENTotalBytesRxConnector},"ZENBytesRxConnector": %d{ZENBytesRxConnector},"ZENTotalBytesTxConnector": %d{ZENTotalBytesTxConnector},"ZENBytesTxConnector": %d{ZENBytesTxConnector},"Idp": %j{Idp},"ClientToClient": %j{c2c},"ConnectorZENSetupTime":%d{ConnectorZENSetupTime},"ConnectionSetupTime":%d{ConnectionSetupTime}}\n +``` + +Sample Response: +```json +{"LogTimestamp": "Fri May 31 17:35:42 2019","Customer": "Customer XYZ","SessionID": "LHJdkjmNDf12nclBsvwA","ConnectionID": 
"SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "ZPA LSS Client","ServicePort": 10011,"ClientPublicIP": "81.2.69.193","ClientPrivateIP": "","ClientLatitude": 45.000000,"ClientLongitude": -119.000000,"ClientCountryCode": "US","ClientZEN": "broker2b.pdx","Policy": "ANZ Lab Apps","Connector": "ZDEMO ANZ","ConnectorZEN": "broker2b.pdx","ConnectorIP": "67.43.156.12","ConnectorPort": 60266,"Host": "175.16.199.1","Application": "ANZ Lab Apps","AppGroup": "ANZ Lab Apps","Server": "0","ServerIP": "175.16.199.1","ServerPort": 10011,"PolicyProcessingTime": 28,"CAProcessingTime": 1330,"ServerSetupTime": 465,"AppLearnTime": 0,"TimestampConnectionStart": "2019-05-30T08:20:42.230Z","TimestampConnectionEnd": "","TimestampCATx": "2019-05-30T08:20:42.230Z","TimestampCARx": "2019-05-30T08:20:42.231Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "2019-05-30T08:20:42.424Z","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "2019-05-31T17:34:27.348Z","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2019-05-30T08:20:42.422Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "2019-05-30T08:20:42.424Z","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "2019-05-31T17:34:27.348Z","ZENTotalBytesRxClient": 2406926,"ZENBytesRxClient": 7115,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 2406926,"ZENBytesTxConnector": 7115,"Idp": "Example IDP Config","ConnectorZENSetupTime":1640674274,"ConnectionSetupTime":1640675274} +``` + +**Note: In order to populate _Slowest Applications_ (visualization); _"ConnectorZENSetupTime"_ and _"ConnectionSetupTime"_ fields are added into the default response format of Zscaler User Activity Log above.** + +### User Status Logs + +Default port: _9019_ + +Vendor documentation: 
https://help.zscaler.com/zpa/about-user-status-log-fields + +Zscaler response format: +``` +{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"Username": %j{Username},"SessionID": %j{SessionID},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"ZEN": %j{ZEN},"CertificateCN": %j{CertificateCN},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx},"Idp": %j{Idp},"Hostname": %j{Hostname},"Platform": %j{Platform},"ClientType": %j{ClientType},"TrustedNetworks": [%j(,){TrustedNetworks}],"TrustedNetworksNames": [%j(,){TrustedNetworksNames}],"SAMLAttributes": %j{SAMLAttributes},"PosturesHit": [%j(,){PosturesHit}],"PosturesMiss": [%j(,){PosturesMiss}],"ZENLatitude": %f{ZENLatitude},"ZENLongitude": %f{ZENLongitude},"ZENCountryCode": %j{ZENCountryCode},"FQDNRegistered": %j{fqdn_registered},"FQDNRegisteredError": %j{fqdn_register_error}}\n +``` + +Sample Response: +```json +{"LogTimestamp":"Fri May 31 17:34:48 2019","Customer":"Customer XYZ","Username":"ZPA LSS Client","SessionID":"vkczUERSLl88Y+ytH8v5","SessionStatus":"ZPN_STATUS_AUTHENTICATED","Version":"19.12.0-36-g87dad18","ZEN":"broker2b.pdx","CertificateCN":"loggerz2x.pde.zpabeta.net","PrivateIP":"","PublicIP":"81.2.69.144","Latitude":45,"Longitude":-119,"CountryCode":"US","TimestampAuthentication":"2019-05-29T21:18:38.000Z","TimestampUnAuthentication":"","TotalBytesRx":31274866,"TotalBytesTx":25424152,"Idp":"IDP 
Config","Hostname":"DESKTOP-99HCSJ1","Platform":"windows","ClientType":"zpn_client_type_zapp","TrustedNetworks":"TN1_stc1","TrustedNetworksNames":"145248739466696953","SAMLAttributes":"myname:user,myemail:user@zscaler.com","PosturesHit":"sm-posture1,sm-posture2","PosturesMiss":"sm-posture11,sm-posture12","ZENLatitude":47,"ZENLongitude":-122,"ZENCountryCode":""} +``` + +## Fields and Sample Event + +### App Connector Status Logs + +{{fields "app_connector_status"}} + +{{event "app_connector_status"}} + +## Audit Logs + +{{fields "audit"}} + +{{event "audit"}} + +## Browser Access Logs + +{{fields "browser_access"}} + +{{event "browser_access"}} + +## User Activity Logs + +{{fields "user_activity"}} + +{{event "user_activity"}} + +## User Status Logs + +{{fields "user_status"}} + +{{event "user_status"}} diff --git a/packages/zscaler_zpa/_dev/deploy/docker/docker-compose.yml b/packages/zscaler_zpa/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..301b3644bd0 --- /dev/null +++ b/packages/zscaler_zpa/_dev/deploy/docker/docker-compose.yml 
@@ -0,0 +1,32 @@
+version: '2.3'
+services:
+  zscaler-app-connector-status-tcp:
+    image: docker.elastic.co/observability/stream:v0.6.2
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    entrypoint: /bin/bash
+    command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9015 -p=tcp /sample_logs/app_connector_status.log"
+  zscaler-zpa-audit-tcp:
+    image: docker.elastic.co/observability/stream:v0.6.2
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    entrypoint: /bin/bash
+    command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9016 -p=tcp /sample_logs/audit.log"
+  zscaler-zpa-browser-access-tcp:
+    image: docker.elastic.co/observability/stream:v0.6.2
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    entrypoint: /bin/bash
+    command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9017 -p=tcp /sample_logs/browser_access.log"
+  zscaler-zpa-user-activity-tcp:
+    image: docker.elastic.co/observability/stream:v0.6.2
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    entrypoint: /bin/bash
+    command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9018 -p=tcp /sample_logs/user_activity.log"
+  zscaler-zpa-user-status-tcp:
+    image: docker.elastic.co/observability/stream:v0.6.2
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    entrypoint: /bin/bash
+    command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9019 -p=tcp /sample_logs/user_status.log"
diff --git a/packages/zscaler_zpa/_dev/deploy/docker/sample_logs/app_connector_status.log b/packages/zscaler_zpa/_dev/deploy/docker/sample_logs/app_connector_status.log
new file mode 100644
index 00000000000..5edc87895d1
--- /dev/null
+++ b/packages/zscaler_zpa/_dev/deploy/docker/sample_logs/app_connector_status.log
@@ -0,0 +1 @@
+{"LogTimestamp":"Wed Jul 3 05:17:22 2019","Customer":"Customer Name","SessionID":"8A64Qwj9zCkfYDGJVoUZ","SessionType":"ZPN_ASSISTANT_BROKER_CONTROL","SessionStatus":"ZPN_STATUS_AUTHENTICATED","Version":"19.20.3","Platform":"el7","ZEN":"US-NY-8179","Connector":"Some App Connector","ConnectorGroup":"Some App Connector Group","PrivateIP":"10.0.0.4","PublicIP":"0.0.0.0","Latitude":47,"Longitude":-122,"CountryCode":"","TimestampAuthentication":"2019-06-27T05:05:23.348Z","TimestampUnAuthentication":"","CPUUtilization":1,"MemUtilization":20,"ServiceCount":2,"InterfaceDefRoute":"eth0","DefRouteGW":"10.0.0.1","PrimaryDNSResolver":"168.63.129.16","HostStartTime":"1513229995","HostUpTime":"1513229995","ConnectorUpTime":"1555920005","ConnectorStartTime":"1555920005","NumOfInterfaces":2,"BytesRxInterface":319831966346,"PacketsRxInterface":1617569938,"ErrorsRxInterface":0,"DiscardsRxInterface":0,"BytesTxInterface":192958782635,"PacketsTxInterface":1797471190,"ErrorsTxInterface":0,"DiscardsTxInterface":0,"TotalBytesRx":10902554,"TotalBytesTx":48931771}
diff --git a/packages/zscaler_zpa/_dev/deploy/docker/sample_logs/audit.log b/packages/zscaler_zpa/_dev/deploy/docker/sample_logs/audit.log
new file mode 100644
index 00000000000..0657a379288
--- /dev/null
+++ b/packages/zscaler_zpa/_dev/deploy/docker/sample_logs/audit.log
@@ -0,0 +1 @@
+{"ModifiedTime":"2021-11-17T04:29:38.000Z","CreationTime":"2021-11-17T04:29:38.000Z","ModifiedBy":12345678901234567,"RequestID":"11111111-1111-1111-1111-111111111111","SessionID":"1idn23nlfm2q1txa5h3r4mep6","AuditOldValue":"","AuditNewValue":"{\"id\":\"72058340288495701\",\"name\":\"Some-Name\",\"domainOrIpAddress\":\"1.0.0.1\",\"description\":\"This is a description field\",\"enabled\":\"true\"}","AuditOperationType":"Create","ObjectType":"Server","ObjectName":"Some-Name","ObjectID":12345678901234567,"CustomerID":98765432109876543,"User":"zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com","ClientAuditUpdate":0}
diff --git a/packages/zscaler_zpa/_dev/deploy/docker/sample_logs/browser_access.log b/packages/zscaler_zpa/_dev/deploy/docker/sample_logs/browser_access.log
new file mode 100644
index 00000000000..0848e0e1363
--- /dev/null
+++ b/packages/zscaler_zpa/_dev/deploy/docker/sample_logs/browser_access.log
@@ -0,0 +1 @@
+{"LogTimestamp":"Wed Jul 3 05:12:25 2019","ConnectionID":"","Exporter":"unset","TimestampRequestReceiveStart":"2019-07-03T05:12:25.723Z","TimestampRequestReceiveHeaderFinish":"2019-07-03T05:12:25.723Z","TimestampRequestReceiveFinish":"2019-07-03T05:12:25.723Z","TimestampRequestTransmitStart":"2019-07-03T05:12:25.790Z","TimestampRequestTransmitFinish":"2019-07-03T05:12:25.790Z","TimestampResponseReceiveStart":"2019-07-03T05:12:25.791Z","TimestampResponseReceiveFinish":"2019-07-03T05:12:25.791Z","TimestampResponseTransmitStart":"2019-07-03T05:12:25.791Z","TimestampResponseTransmitFinish":"2019-07-03T05:12:25.791Z","TotalTimeRequestReceive":127,"TotalTimeRequestTransmit":21,"TotalTimeResponseReceive":73,"TotalTimeResponseTransmit":13,"TotalTimeConnectionSetup":66995,"TotalTimeServerResponse":1349,"Method":"GET","Protocol":"HTTPS","Host":"portal.beta.zdemo.net","URL":"/media/Regular.woff","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15","XFF":"","NameID":"admin@zdemo.net","StatusCode":304,"RequestSize":615,"ResponseSize":331,"ApplicationPort":443,"ClientPublicIp":"81.2.69.144","ClientPublicPort":60006,"ClientPrivateIp":"81.2.69.193","Customer":"ANZ Team/zdemo in beta","ConnectionStatus":"","ConnectionReason":""}
diff --git a/packages/zscaler_zpa/_dev/deploy/docker/sample_logs/user_activity.log b/packages/zscaler_zpa/_dev/deploy/docker/sample_logs/user_activity.log
new file mode 100644
index 00000000000..6ac3a87af2e
--- /dev/null
+++ b/packages/zscaler_zpa/_dev/deploy/docker/sample_logs/user_activity.log
@@ -0,0 +1 @@
+{"LogTimestamp": "Fri May 31 17:35:42 2019","Customer": "Customer XYZ","SessionID": "LHJdkjmNDf12nclBsvwA","ConnectionID": "SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "ZPA LSS Client","ServicePort": 10011,"ClientPublicIP": "81.2.69.193","ClientPrivateIP": "","ClientLatitude": 45.000000,"ClientLongitude": -119.000000,"ClientCountryCode": "US","ClientZEN": "broker2b.pdx","Policy": "ABC Lab Apps","Connector": "ZDEMO ABC","ConnectorZEN": "broker2b.pdx","ConnectorIP": "67.43.156.12","ConnectorPort": 60266,"Host": "175.16.199.1","Application": "ABC Lab Apps","AppGroup": "ABC Lab Apps","Server": "0","ServerIP": "175.16.199.1","ServerPort": 10011,"PolicyProcessingTime": 28,"CAProcessingTime": 1330,"ConnectorZENSetupTime": 191017,"ConnectionSetupTime": 192397,"ServerSetupTime": 465,"AppLearnTime": 0,"TimestampConnectionStart": "2019-05-30T08:20:42.230Z","TimestampConnectionEnd": "","TimestampCATx": "2019-05-30T08:20:42.230Z","TimestampCARx": "2019-05-30T08:20:42.231Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "2019-05-30T08:20:42.424Z","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "2019-05-31T17:34:27.348Z","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2019-05-30T08:20:42.422Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "2019-05-30T08:20:42.424Z","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "2019-05-31T17:34:27.348Z","ZENTotalBytesRxClient": 2406926,"ZENBytesRxClient": 7115,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 2406926,"ZENBytesTxConnector": 7115,"Idp": "Example IDP Config","ClientToClient": "0"}
diff --git a/packages/zscaler_zpa/_dev/deploy/docker/sample_logs/user_status.log b/packages/zscaler_zpa/_dev/deploy/docker/sample_logs/user_status.log
new file mode 100644
index 00000000000..178c48f7e55
--- /dev/null
+++ b/packages/zscaler_zpa/_dev/deploy/docker/sample_logs/user_status.log
@@ -0,0 +1 @@
+{"LogTimestamp":"Fri May 31 17:34:48 2019","Customer":"Customer XYZ","Username":"ZPA LSS Client","SessionID":"vkczUERSLl88Y+ytH8v5","SessionStatus":"ZPN_STATUS_AUTHENTICATED","Version":"19.12.0-36-g87dad18","ZEN":"broker2b.pdx","CertificateCN":"loggerz2x.pde.zpabeta.net","PrivateIP":"","PublicIP":"81.2.69.144","Latitude":45,"Longitude":-119,"CountryCode":"US","TimestampAuthentication":"2019-05-29T21:18:38.000Z","TimestampUnAuthentication":"","TotalBytesRx":31274866,"TotalBytesTx":25424152,"Idp":"IDP Config","Hostname":"DESKTOP-99HCSJ1","Platform":"windows","ClientType":"zpn_client_type_zapp","TrustedNetworks":"TN1_stc1","TrustedNetworksNames":"145248739466696953","SAMLAttributes":"myname:user,myemail:user@zscaler.com","PosturesHit":"sm-posture1,sm-posture2","PosturesMiss":"sm-posture11,sm-posture12","ZENLatitude":47,"ZENLongitude":-122,"ZENCountryCode":"","FQDNRegistered": "0","FQDNRegisteredError": "CUSTOMER_NOT_ENABLED"}
diff --git a/packages/zscaler_zpa/changelog.yml b/packages/zscaler_zpa/changelog.yml
new file mode 100644
index 00000000000..a6a21ddcccb
--- /dev/null
+++ b/packages/zscaler_zpa/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+  changes:
+    - description: Initial draft of the package
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2458
diff --git a/packages/zscaler_zpa/data_stream/app_connector_status/_dev/test/pipeline/test-app-connector-status.log b/packages/zscaler_zpa/data_stream/app_connector_status/_dev/test/pipeline/test-app-connector-status.log
new file mode 100644
index 00000000000..ca187321ad3
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/app_connector_status/_dev/test/pipeline/test-app-connector-status.log
@@ -0,0 +1 @@
+{"LogTimestamp":"Wed Jul 3 05:17:22 2019","Customer":"Customer Name","SessionID":"8A64Qwj9zCkfYDGJVoUZ","SessionType":"ZPN_ASSISTANT_BROKER_CONTROL","SessionStatus":"ZPN_STATUS_AUTHENTICATED","Version":"19.20.3","Platform":"el7","ZEN":"US-NY-8179","Connector":"Some App Connector","ConnectorGroup":"Some App Connector Group","PrivateIP":"10.0.0.4","PublicIP":"0.0.0.0","Latitude":47,"Longitude":-122,"CountryCode":"","TimestampAuthentication":"2019-06-27T05:05:23.348Z","TimestampUnAuthentication":"","CPUUtilization":1,"MemUtilization":20,"ServiceCount":2,"InterfaceDefRoute":"eth0","DefRouteGW":"10.0.0.1","PrimaryDNSResolver":"89.160.20.112","HostStartTime":"1513229995","HostUpTime":"1513229995","ConnectorUpTime":"1555920005","ConnectorStartTime":"1555920005","NumOfInterfaces":2,"BytesRxInterface":319831966346,"PacketsRxInterface":1617569938,"ErrorsRxInterface":0,"DiscardsRxInterface":0,"BytesTxInterface":192958782635,"PacketsTxInterface":1797471190,"ErrorsTxInterface":0,"DiscardsTxInterface":0,"TotalBytesRx":10902554,"TotalBytesTx":48931771}
diff --git a/packages/zscaler_zpa/data_stream/app_connector_status/_dev/test/pipeline/test-app-connector-status.log-expected.json b/packages/zscaler_zpa/data_stream/app_connector_status/_dev/test/pipeline/test-app-connector-status.log-expected.json
new file mode 100644
index 00000000000..b6303581762
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/app_connector_status/_dev/test/pipeline/test-app-connector-status.log-expected.json
@@ -0,0 +1,109 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2019-07-03T05:17:22.000Z",
+            "client": {
+                "nat": {
+                    "ip": "10.0.0.1"
+                }
+            },
+            "ecs": {
+                "version": "8.0.0"
+            },
+            "event": {
+                "category": "package",
+                "kind": "event",
+                "original": "{\"LogTimestamp\":\"Wed Jul 3 05:17:22 2019\",\"Customer\":\"Customer Name\",\"SessionID\":\"8A64Qwj9zCkfYDGJVoUZ\",\"SessionType\":\"ZPN_ASSISTANT_BROKER_CONTROL\",\"SessionStatus\":\"ZPN_STATUS_AUTHENTICATED\",\"Version\":\"19.20.3\",\"Platform\":\"el7\",\"ZEN\":\"US-NY-8179\",\"Connector\":\"Some App Connector\",\"ConnectorGroup\":\"Some App Connector Group\",\"PrivateIP\":\"10.0.0.4\",\"PublicIP\":\"0.0.0.0\",\"Latitude\":47,\"Longitude\":-122,\"CountryCode\":\"\",\"TimestampAuthentication\":\"2019-06-27T05:05:23.348Z\",\"TimestampUnAuthentication\":\"\",\"CPUUtilization\":1,\"MemUtilization\":20,\"ServiceCount\":2,\"InterfaceDefRoute\":\"eth0\",\"DefRouteGW\":\"10.0.0.1\",\"PrimaryDNSResolver\":\"89.160.20.112\",\"HostStartTime\":\"1513229995\",\"HostUpTime\":\"1513229995\",\"ConnectorUpTime\":\"1555920005\",\"ConnectorStartTime\":\"1555920005\",\"NumOfInterfaces\":2,\"BytesRxInterface\":319831966346,\"PacketsRxInterface\":1617569938,\"ErrorsRxInterface\":0,\"DiscardsRxInterface\":0,\"BytesTxInterface\":192958782635,\"PacketsTxInterface\":1797471190,\"ErrorsTxInterface\":0,\"DiscardsTxInterface\":0,\"TotalBytesRx\":10902554,\"TotalBytesTx\":48931771}",
+                "type": "info"
+            },
+            "host": {
+                "cpu": {
+                    "usage": 1
+                },
+                "network": {
+                    "egress": {
+                        "bytes": 48931771
+                    },
+                    "ingress": {
+                        "bytes": 10902554
+                    }
+                }
+            },
+            "observer": {
+                "geo": {
+                    "location": {
+                        "lat": 47,
+                        "lon": -122
+                    }
+                },
+                "ip": [
+                    "0.0.0.0"
+                ],
+                "os": {
+                    "platform": "el7"
+                },
+                "type": "forwarder",
+                "version": "19.20.3"
+            },
+            "organization": {
+                "name": "Customer Name"
+            },
+            "related": {
+                "ip": [
+                    "10.0.0.1",
+                    "0.0.0.0",
+                    "10.0.0.4",
+                    "89.160.20.112"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "zscaler_zpa": {
+                "app_connector_status": {
+                    "connector": {
+                        "group": "Some App Connector Group",
+                        "name": "Some App Connector"
+                    },
+                    "connector_start_time": "2019-04-22T08:00:05.000Z",
+                    "connector_up_time": "2019-04-22T08:00:05.000Z",
+                    "host_start_time": "2017-12-14T05:39:55.000Z",
+                    "host_up_time": "2017-12-14T05:39:55.000Z",
+                    "interface": {
+                        "name": "eth0",
+                        "received": {
+                            "bytes": 319831966346,
+                            "discards": 0,
+                            "errors": 0,
+                            "packets": 1617569938
+                        },
+                        "transmitted": {
+                            "bytes": 192958782635,
+                            "discards": 0,
+                            "errors": 0,
+                            "packets": 1797471190
+                        }
+                    },
+                    "memory": {
+                        "utilization": 20
+                    },
+                    "num_of_interfaces": 2,
+                    "primary_dns_resolver": "89.160.20.112",
+                    "private_ip": "10.0.0.4",
+                    "service": {
+                        "count": 2
+                    },
+                    "session": {
+                        "id": "8A64Qwj9zCkfYDGJVoUZ",
+                        "status": "ZPN_STATUS_AUTHENTICATED",
+                        "type": "ZPN_ASSISTANT_BROKER_CONTROL"
+                    },
+                    "timestamp": {
+                        "authentication": "2019-06-27T05:05:23.348Z"
+                    },
+                    "zen": "US-NY-8179"
+                }
+            }
+        }
+    ]
+}
\ No newline at end of file
diff --git a/packages/zscaler_zpa/data_stream/app_connector_status/_dev/test/pipeline/test-common-config.yml b/packages/zscaler_zpa/data_stream/app_connector_status/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..4da22641654
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/app_connector_status/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_original_event
diff --git a/packages/zscaler_zpa/data_stream/app_connector_status/_dev/test/system/test-default-config.yml b/packages/zscaler_zpa/data_stream/app_connector_status/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..2504e2b3007
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/app_connector_status/_dev/test/system/test-default-config.yml
@@ -0,0 +1,7 @@
+service: zscaler-app-connector-status-tcp
+service_notify_signal: SIGHUP
+vars:
+  listen_address: 0.0.0.0
+data_stream:
+  vars:
+    listen_port: 9015
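Review bot: The expected output places the DefRouteGW value (`10.0.0.1` in event.original) under `client.nat.ip`, which in ECS denotes the NAT-translated address of the client rather than the connector's default-route gateway; the rename that produces this is visible in the default.yml hunk below (`target_field: client.nat.ip`), so this fixture is pinning a misleading mapping as the contract. Keeping the gateway under the package namespace, e.g. `zscaler_zpa.app_connector_status.default_route_gateway`, while still appending it to `related.ip`, would stop client-centric searches across integrations from matching gateway addresses. Separately, `host_up_time` and `connector_up_time` are emitted as the same date strings as `host_start_time` and `connector_start_time`; if the vendor's *UpTime fields are durations rather than epoch seconds, a date mapping would be wrong, so this is worth confirming against the vendor documentation before the fixture is accepted.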
diff --git a/packages/zscaler_zpa/data_stream/app_connector_status/agent/stream/tcp.yml.hbs b/packages/zscaler_zpa/data_stream/app_connector_status/agent/stream/tcp.yml.hbs
new file mode 100644
index 00000000000..030459f2582
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/app_connector_status/agent/stream/tcp.yml.hbs
@@ -0,0 +1,19 @@
+tcp:
+host: "{{listen_address}}:{{listen_port}}"
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/zscaler_zpa/data_stream/app_connector_status/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zpa/data_stream/app_connector_status/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..12f6f6975ce
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/app_connector_status/elasticsearch/ingest_pipeline/default.yml
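Review bot: The user-supplied tag list is rendered unquoted as `- {{tag}}`, so once the agent parses the rendered YAML a tag such as `on`, `1.10` or one beginning with `*` or `[` is presumably retyped or rejected rather than kept as a string; rendering it as `- "{{tag}}"` keeps every tag a plain string (the fixed `preserve_original_event` entry is safe as written). The input also binds `{{listen_address}}:{{listen_port}}` and only enables TLS when the optional `ssl` block is supplied, so without it any host that can reach the port can presumably push events into this data stream, and the README in this commit does not say so. A Handlebars comment above the `{{#if ssl}}` block, such as `{{!-- ssl: server-side TLS for the LSS Log Receiver; without it the listener accepts events from any source --}}`, would make the trade-off visible to whoever edits this template.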
@@ -0,0 +1,287 @@ +--- +description: Pipeline for Zscaler app connector status logs +processors: + - set: + field: ecs.version + value: '8.0.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - set: + field: event.category + value: package + - set: + field: event.kind + value: event + - set: + field: event.type + value: info + - date: + field: json.LogTimestamp + target_field: "@timestamp" + ignore_failure: true + formats: + - E MMM dd HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + - remove: + field: json.LogTimestamp + ignore_failure: true + - rename: + field: json.DefRouteGW + target_field: client.nat.ip + ignore_missing: true + - append: + field: related.ip + value: "{{{client.nat.ip}}}" + if: ctx?.client?.nat?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.CPUUtilization + target_field: host.cpu.usage + ignore_missing: true + - rename: + field: json.TotalBytesTx + target_field: host.network.egress.bytes + ignore_missing: true + - rename: + field: json.TotalBytesRx + target_field: host.network.ingress.bytes + ignore_missing: true + - rename: + field: json.CountryCode + target_field: observer.geo.country_iso_code + ignore_missing: true + - rename: + field: json.Latitude + target_field: observer.geo.location.lat + ignore_missing: true + - rename: + field: json.Longitude + target_field: observer.geo.location.lon + ignore_missing: true + - rename: + field: json.InterfaceDefRoute + target_field: zscaler_zpa.app_connector_status.interface.name + ignore_missing: true + - append: + field: observer.ip + value: "{{{json.PublicIP}}}" + if: ctx?.json?.PublicIP != null + ignore_failure: true + - append: + field: related.ip + value: "{{{json.PublicIP}}}" + if: ctx?.json?.PublicIP != null + allow_duplicates: false + ignore_failure: true + - remove: + field: json.PublicIP + ignore_missing: true + - rename: 
+ field: json.Platform + target_field: observer.os.platform + ignore_missing: true + - rename: + field: json.Version + target_field: observer.version + ignore_missing: true + - set: + field: observer.type + value: forwarder + - rename: + field: json.Customer + target_field: organization.name + ignore_missing: true + - rename: + field: json.Customer + target_field: organization.name + ignore_missing: true + - rename: + field: json.SessionID + target_field: zscaler_zpa.app_connector_status.session.id + ignore_missing: true + - rename: + field: json.SessionType + target_field: zscaler_zpa.app_connector_status.session.type + ignore_missing: true + - rename: + field: json.SessionStatus + target_field: zscaler_zpa.app_connector_status.session.status + ignore_missing: true + - rename: + field: json.ZEN + target_field: zscaler_zpa.app_connector_status.zen + ignore_missing: true + - rename: + field: json.Connector + target_field: zscaler_zpa.app_connector_status.connector.name + ignore_missing: true + - rename: + field: json.ConnectorGroup + target_field: zscaler_zpa.app_connector_status.connector.group + ignore_missing: true + - convert: + field: json.PrivateIP + type: ip + target_field: zscaler_zpa.app_connector_status.private_ip + ignore_failure: true + - remove: + field: json.PrivateIP + ignore_missing: true + - append: + field: related.ip + value: "{{{zscaler_zpa.app_connector_status.private_ip}}}" + if: ctx?.zscaler_zpa?.app_connector_status?.private_ip != null + allow_duplicates: false + ignore_failure: true + - date: + field: json.TimestampAuthentication + target_field: zscaler_zpa.app_connector_status.timestamp.authentication + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampAuthentication + ignore_missing: true + - date: + field: json.TimestampUnAuthentication + target_field: zscaler_zpa.app_connector_status.timestamp.unauthentication + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampUnAuthentication + 
ignore_missing: true + - rename: + field: json.MemUtilization + target_field: zscaler_zpa.app_connector_status.memory.utilization + ignore_missing: true + - rename: + field: json.ServiceCount + target_field: zscaler_zpa.app_connector_status.service.count + ignore_missing: true + - rename: + field: json.PrimaryDNSResolver + target_field: zscaler_zpa.app_connector_status.primary_dns_resolver + ignore_missing: true + - append: + field: related.ip + value: "{{{zscaler_zpa.app_connector_status.primary_dns_resolver}}}" + if: ctx?.zscaler_zpa?.app_connector_status?.primary_dns_resolver != null + allow_duplicates: false + ignore_failure: true + - date: + field: json.HostStartTime + target_field: zscaler_zpa.app_connector_status.host_start_time + if: ctx?.json?.HostStartTime != "0" + ignore_failure: true + formats: + - UNIX + - remove: + field: json.HostStartTime + ignore_missing: true + - date: + field: json.HostUpTime + target_field: zscaler_zpa.app_connector_status.host_up_time + if: ctx?.json?.HostUpTime != "0" + ignore_failure: true + formats: + - UNIX + - remove: + field: json.HostUpTime + ignore_missing: true + - date: + field: json.ConnectorStartTime + target_field: zscaler_zpa.app_connector_status.connector_start_time + if: ctx?.json?.ConnectorStartTime != "0" + ignore_failure: true + formats: + - UNIX + - remove: + field: json.ConnectorStartTime + ignore_missing: true + - date: + field: json.ConnectorUpTime + target_field: zscaler_zpa.app_connector_status.connector_up_time + if: ctx?.json?.ConnectorUpTime != "0" + ignore_failure: true + formats: + - UNIX + - remove: + field: json.ConnectorUpTime + ignore_missing: true + - rename: + field: json.NumOfInterfaces + target_field: zscaler_zpa.app_connector_status.num_of_interfaces + ignore_missing: true + - rename: + field: json.BytesRxInterface + target_field: zscaler_zpa.app_connector_status.interface.received.bytes + ignore_missing: true + - rename: + field: json.PacketsRxInterface + target_field: 
zscaler_zpa.app_connector_status.interface.received.packets + ignore_missing: true + - rename: + field: json.ErrorsRxInterface + target_field: zscaler_zpa.app_connector_status.interface.received.errors + ignore_missing: true + - rename: + field: json.DiscardsRxInterface + target_field: zscaler_zpa.app_connector_status.interface.received.discards + ignore_missing: true + - rename: + field: json.BytesTxInterface + target_field: zscaler_zpa.app_connector_status.interface.transmitted.bytes + ignore_missing: true + - rename: + field: json.PacketsTxInterface + target_field: zscaler_zpa.app_connector_status.interface.transmitted.packets + ignore_missing: true + - rename: + field: json.ErrorsTxInterface + target_field: zscaler_zpa.app_connector_status.interface.transmitted.errors + ignore_missing: true + - rename: + field: json.DiscardsTxInterface + target_field: zscaler_zpa.app_connector_status.interface.transmitted.discards + ignore_missing: true + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); + - script: + description: Adds all the remaining fields in fields under zscaler_zpa.app_connector_status + lang: painless + if: ctx?.json != null + source: | + for (Map.Entry m : ctx.json.entrySet()) { + ctx.zscaler_zpa.app_connector_status[m.getKey()] = m.getValue(); + } + - remove: + field: json + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{{ _ingest.on_failure_message }}}" 
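Review bot: The `json` processor near the top of the pipeline runs with `ignore_failure: true`, so a message that is not valid JSON leaves the pipeline carrying only `event.original` and no `error.message`, whereas the audit pipeline later in this diff lets the same failure reach `on_failure`; anything arriving on the TCP listener that is not LSS output is therefore indistinguishable from a healthy event in this data stream. Dropping `ignore_failure: true` from that processor, or giving it an `on_failure` that sets `error.message`, would make malformed input visible for monitoring. Two smaller redundancies in the same hunk: `json.Customer` is renamed to `organization.name` twice, and `E MMM d HH:mm:ss yyyy` appears twice in the LogTimestamp formats (if the second was meant to be the space-padded single-digit-day form, the collapsed whitespace in this view hides it). The final script also indexes `ctx.zscaler_zpa.app_connector_status` without checking that it exists, so a document where none of the earlier renames matched ends in `on_failure` rather than being passed through; a guard such as `if: ctx?.json != null && ctx?.zscaler_zpa?.app_connector_status != null` would avoid that.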
diff --git a/packages/zscaler_zpa/data_stream/app_connector_status/fields/agent.yml b/packages/zscaler_zpa/data_stream/app_connector_status/fields/agent.yml
new file mode 100644
index 00000000000..e313ec82874
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/app_connector_status/fields/agent.yml
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/zscaler_zpa/data_stream/app_connector_status/fields/base-fields.yml b/packages/zscaler_zpa/data_stream/app_connector_status/fields/base-fields.yml
new file mode 100644
index 00000000000..35ed3b7e093
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/app_connector_status/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: zscaler_zpa
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: zscaler_zpa.app_connector_status
diff --git a/packages/zscaler_zpa/data_stream/app_connector_status/fields/ecs.yml b/packages/zscaler_zpa/data_stream/app_connector_status/fields/ecs.yml
new file mode 100644
index 00000000000..a8da6f8b3d3
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/app_connector_status/fields/ecs.yml
@@ -0,0 +1,35 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: client.nat.ip
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.type
+- external: ecs
+ name: host.cpu.usage
+- external: ecs
+ name: observer.geo.country_iso_code
+- description: Longitude and latitude
+ name: observer.geo.location
+ type: geo_point
+- external: ecs
+ name: observer.egress.interface.name
+- external: ecs
+ name: observer.ingress.interface.name
+- external: ecs
+ name: observer.ip
+- external: ecs
+ name: observer.os.platform
+- external: ecs
+ name: observer.version
+- external: ecs
+ name: observer.type
+- external: ecs
+ name: organization.name
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: tags
diff --git a/packages/zscaler_zpa/data_stream/app_connector_status/fields/fields.yml b/packages/zscaler_zpa/data_stream/app_connector_status/fields/fields.yml
new file mode 100644
index 00000000000..fbb36ef10e1
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/app_connector_status/fields/fields.yml
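Review bot: `host.network.egress.bytes` and `host.network.ingress.bytes`, which the pipeline writes from TotalBytesTx and TotalBytesRx (and which the sample event shows populated), are not declared in this ecs.yml, so they depend on dynamic mapping and would be rejected under a strict mapping; add `- external: ecs` / ` name: host.network.egress.bytes` and the matching ingress entry. Conversely `observer.egress.interface.name` and `observer.ingress.interface.name` are declared here but never written, since the pipeline maps InterfaceDefRoute to `zscaler_zpa.app_connector_status.interface.name`; either the two declarations are dead or the mapping was intended to land on the ECS fields.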
@@ -0,0 +1,125 @@ +- name: zscaler_zpa.app_connector_status + type: group + fields: + - name: session + type: group + fields: + - name: id + type: keyword + description: | + The TLS session ID. + - name: type + type: keyword + description: | + The type of session. + - name: status + type: keyword + description: | + The status of the session. + - name: zen + type: keyword + description: | + The TLS session ID. + - name: connector + type: group + fields: + - name: name + type: keyword + description: | + The App Connector name. + - name: group + type: keyword + description: | + The App Connector group name. + - name: private_ip + type: ip + description: | + The private IP address of the App Connector. + - name: timestamp + type: group + fields: + - name: authentication + type: date + description: | + Timestamp in microseconds when the App Connector was authenticated. + - name: unauthentication + type: date + description: | + Timestamp in microseconds when the App Connector was unauthenticated. + - name: memory + type: group + fields: + - name: utilization + type: double + description: | + The memory utilization in %. + - name: service + type: group + fields: + - name: count + type: double + description: | + The number of services (combinations of domains/IP addresses and TCP/UDP ports) being monitored by the App Connector. + - name: primary_dns_resolver + type: ip + description: | + The IP address of the primary DNS resolver. + - name: host_start_time + type: date + description: | + Time in seconds at which host was started. + - name: host_up_time + type: date + description: | + Time in seconds at which host was started. + - name: connector_start_time + type: date + description: | + Time in seconds at which App Connector was started. + - name: connector_up_time + type: date + description: | + Time in seconds at which App Connector was started. + - name: num_of_interfaces + type: double + description: | + The number of interfaces on the App Connector host. 
+ - name: interface + type: group + fields: + - name: name + type: keyword + description: The name of the interface to default route. + - name: received + type: group + fields: + - name: bytes + type: double + description: The bytes received on the interface. + - name: packets + type: double + description: The packets received on the interface. + - name: errors + type: double + description: The errors received on the interface. + - name: discards + type: double + description: The discards received on the interface. + - name: transmitted + type: group + fields: + - name: bytes + type: double + description: The bytes transmitted on the interface. + - name: packets + type: double + description: The packets transmitted on the interface. + - name: errors + type: double + description: The errors transmitted on the interface. + - name: discards + type: double + description: The discards transmitted on the interface. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/zscaler_zpa/data_stream/app_connector_status/manifest.yml b/packages/zscaler_zpa/data_stream/app_connector_status/manifest.yml new file mode 100644 index 00000000000..befec42cb93 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/app_connector_status/manifest.yml 
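Review bot: Several descriptions in fields.yml are copy-paste leftovers that will mislead anyone reading the index mapping: `zen` is described as `The TLS session ID.`, `host_up_time` and `connector_up_time` reuse the start-time wording `Time in seconds at which ... was started.`, and `timestamp.authentication` / `timestamp.unauthentication` say `Timestamp in microseconds` although the pipeline stores them as ISO8601 dates. The `zen` text should describe the ZEN value (per the vendor field reference linked from the README), the up-time entries should say they are the time the host or App Connector has been up, and the timestamp entries should drop the unit. Separately, the byte/packet/error/discard counters, `num_of_interfaces` and `service.count` are typed `double` while every sample value is an integer; `long` would presumably fit better, though I cannot tell from this diff whether the vendor ever emits fractional values there.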
@@ -0,0 +1,41 @@
+title: App Connector Status Logs
+type: logs
+streams:
+ - input: tcp
+ template_path: tcp.yml.hbs
+ title: Zscaler Private Access App Connector Status Logs
+ description: Collect Zscaler Private Access App Connector Status Logs using tcp input
+ vars:
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The TCP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9015
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - zscaler_zpa-app_connectors_status
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zscaler_zpa/data_stream/app_connector_status/sample_event.json b/packages/zscaler_zpa/data_stream/app_connector_status/sample_event.json
new file mode 100644
index 00000000000..709f1b74057
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/app_connector_status/sample_event.json
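Review bot: The default tag `zscaler_zpa-app_connectors_status` does not match the data stream name `app_connector_status` used everywhere else in this diff (the event.dataset value, the field prefix, the pipeline and sample event), so detections or filters keyed on the tag must remember the plural spelling; `- zscaler_zpa-app_connector_status` would keep the two consistent. The sample event carries the plural tag too, so it would need updating alongside.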
@@ -0,0 +1,135 @@ +{ + "@timestamp": "2019-07-03T05:17:22.000Z", + "agent": { + "ephemeral_id": "5879b806-6298-48ab-89a6-19ddcf612162", + "hostname": "docker-fleet-agent", + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.16.2" + }, + "client": { + "nat": { + "ip": "10.0.0.1" + } + }, + "data_stream": { + "dataset": "zscaler_zpa.app_connector_status", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "snapshot": false, + "version": "7.16.2" + }, + "event": { + "agent_id_status": "verified", + "category": "package", + "dataset": "zscaler_zpa.app_connector_status", + "ingested": "2022-02-03T13:30:46Z", + "kind": "event", + "original": "{\"LogTimestamp\":\"Wed Jul 3 05:17:22 2019\",\"Customer\":\"Customer Name\",\"SessionID\":\"8A64Qwj9zCkfYDGJVoUZ\",\"SessionType\":\"ZPN_ASSISTANT_BROKER_CONTROL\",\"SessionStatus\":\"ZPN_STATUS_AUTHENTICATED\",\"Version\":\"19.20.3\",\"Platform\":\"el7\",\"ZEN\":\"US-NY-8179\",\"Connector\":\"Some App Connector\",\"ConnectorGroup\":\"Some App Connector Group\",\"PrivateIP\":\"10.0.0.4\",\"PublicIP\":\"0.0.0.0\",\"Latitude\":47,\"Longitude\":-122,\"CountryCode\":\"\",\"TimestampAuthentication\":\"2019-06-27T05:05:23.348Z\",\"TimestampUnAuthentication\":\"\",\"CPUUtilization\":1,\"MemUtilization\":20,\"ServiceCount\":2,\"InterfaceDefRoute\":\"eth0\",\"DefRouteGW\":\"10.0.0.1\",\"PrimaryDNSResolver\":\"168.63.129.16\",\"HostStartTime\":\"1513229995\",\"HostUpTime\":\"1513229995\",\"ConnectorUpTime\":\"1555920005\",\"ConnectorStartTime\":\"1555920005\",\"NumOfInterfaces\":2,\"BytesRxInterface\":319831966346,\"PacketsRxInterface\":1617569938,\"ErrorsRxInterface\":0,\"DiscardsRxInterface\":0,\"BytesTxInterface\":192958782635,\"PacketsTxInterface\":1797471190,\"ErrorsTxInterface\":0,\"DiscardsTxInterface\":0,\"TotalBytesRx\":10902554,\"TotalBytesTx\":48931771}", + "type": 
"info" + }, + "host": { + "cpu": { + "usage": 1 + }, + "network": { + "egress": { + "bytes": 48931771 + }, + "ingress": { + "bytes": 10902554 + } + } + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.21.0.7:33226" + } + }, + "observer": { + "geo": { + "location": { + "lat": 47, + "lon": -122 + } + }, + "ip": [ + "0.0.0.0" + ], + "os": { + "platform": "el7" + }, + "type": "forwarder", + "version": "19.20.3" + }, + "organization": { + "name": "Customer Name" + }, + "related": { + "ip": [ + "10.0.0.1", + "0.0.0.0", + "10.0.0.4", + "168.63.129.16" + ] + }, + "tags": [ + "forwarded", + "zscaler_zpa-app_connectors_status" + ], + "zscaler_zpa": { + "app_connector_status": { + "connector": { + "group": "Some App Connector Group", + "name": "Some App Connector" + }, + "connector_start_time": "2019-04-22T08:00:05.000Z", + "connector_up_time": "2019-04-22T08:00:05.000Z", + "host_start_time": "2017-12-14T05:39:55.000Z", + "host_up_time": "2017-12-14T05:39:55.000Z", + "interface": { + "name": "eth0", + "received": { + "bytes": 319831966346, + "discards": 0, + "errors": 0, + "packets": 1617569938 + }, + "transmitted": { + "bytes": 192958782635, + "discards": 0, + "errors": 0, + "packets": 1797471190 + } + }, + "memory": { + "utilization": 20 + }, + "num_of_interfaces": 2, + "primary_dns_resolver": "168.63.129.16", + "private_ip": "10.0.0.4", + "service": { + "count": 2 + }, + "session": { + "id": "8A64Qwj9zCkfYDGJVoUZ", + "status": "ZPN_STATUS_AUTHENTICATED", + "type": "ZPN_ASSISTANT_BROKER_CONTROL" + }, + "timestamp": { + "authentication": "2019-06-27T05:05:23.348Z" + }, + "zen": "US-NY-8179" + } + } +} \ No newline at end of file diff --git a/packages/zscaler_zpa/data_stream/audit/_dev/test/pipeline/test-audit.log b/packages/zscaler_zpa/data_stream/audit/_dev/test/pipeline/test-audit.log new file mode 100644 index 00000000000..c6193f87781 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/audit/_dev/test/pipeline/test-audit.log 
@@ -0,0 +1,2 @@ +{"ModifiedTime":"2021-11-17T04:29:38.000Z","CreationTime":"2021-11-17T04:29:38.000Z","ModifiedBy":12345678901234567,"RequestID":"11111111-1111-1111-1111-111111111111","SessionID":"1idn23nlfm2q1txa5h3r4mep6","AuditOldValue":"","AuditNewValue":"{\"id\":\"72058340288495701\",\"name\":\"Some-Name\",\"domainOrIpAddress\":\"81.2.69.144\",\"description\":\"This is a description field\",\"enabled\":\"true\"}","AuditOperationType":"Create","ObjectType":"Server","ObjectName":"Some-Name","ObjectID":12345678901234567,"CustomerID":98765432109876543,"User":"zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com","ClientAuditUpdate":0} +{"ModifiedTime":"","CreationTime":"2021-11-17T04:29:38.000Z","ModifiedBy":12345678901234567,"RequestID":"11111111-1111-1111-1111-111111111111","SessionID":"1idn23nlfm2q1txa5h3r4mep6","AuditOldValue":"","AuditNewValue":"{\"id\":\"72058340288495701\",\"name\":\"Some-Name\",\"domainOrIpAddress\":\"example.com\",\"description\":\"This is a description field\",\"enabled\":\"true\"}","AuditOperationType":"Create","ObjectType":"Server","ObjectName":"Some-Name","ObjectID":12345678901234567,"CustomerID":98765432109876543,"User":"zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com","ClientAuditUpdate":0} diff --git a/packages/zscaler_zpa/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json b/packages/zscaler_zpa/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json new file mode 100644 index 00000000000..11a3fe01622 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json 
@@ -0,0 +1,118 @@ +{ + "expected": [ + { + "@timestamp": "2021-11-17T04:29:38.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "iam" + ], + "created": "2021-11-17T04:29:38.000Z", + "id": "11111111-1111-1111-1111-111111111111", + "kind": "event", + "original": "{\"ModifiedTime\":\"2021-11-17T04:29:38.000Z\",\"CreationTime\":\"2021-11-17T04:29:38.000Z\",\"ModifiedBy\":12345678901234567,\"RequestID\":\"11111111-1111-1111-1111-111111111111\",\"SessionID\":\"1idn23nlfm2q1txa5h3r4mep6\",\"AuditOldValue\":\"\",\"AuditNewValue\":\"{\\\"id\\\":\\\"72058340288495701\\\",\\\"name\\\":\\\"Some-Name\\\",\\\"domainOrIpAddress\\\":\\\"81.2.69.144\\\",\\\"description\\\":\\\"This is a description field\\\",\\\"enabled\\\":\\\"true\\\"}\",\"AuditOperationType\":\"Create\",\"ObjectType\":\"Server\",\"ObjectName\":\"Some-Name\",\"ObjectID\":12345678901234567,\"CustomerID\":98765432109876543,\"User\":\"zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com\",\"ClientAuditUpdate\":0}", + "type": [ + "creation" + ] + }, + "organization": { + "id": "98765432109876543" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "server": { + "address": "81.2.69.144", + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "12345678901234567", + "name": "zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com" + }, + "zscaler_zpa": { + "audit": { + "client_audit_update": 0, + "object": { + "id": "12345678901234567", + "name": "Some-Name", + "type": "Server" + }, + "operation_type": "Create", + "session": { + "id": "1idn23nlfm2q1txa5h3r4mep6" + }, + "value": { + "new": { + "description": "This is a description field", + "domainOrIpAddress": "81.2.69.144", + "enabled": "true", + "id": "72058340288495701", + "name": "Some-Name" + } + } + } + } + }, + { + "@timestamp": "2021-11-17T04:29:38.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "iam" + ], + "created": "2021-11-17T04:29:38.000Z", + "id": 
"11111111-1111-1111-1111-111111111111", + "kind": "event", + "original": "{\"ModifiedTime\":\"\",\"CreationTime\":\"2021-11-17T04:29:38.000Z\",\"ModifiedBy\":12345678901234567,\"RequestID\":\"11111111-1111-1111-1111-111111111111\",\"SessionID\":\"1idn23nlfm2q1txa5h3r4mep6\",\"AuditOldValue\":\"\",\"AuditNewValue\":\"{\\\"id\\\":\\\"72058340288495701\\\",\\\"name\\\":\\\"Some-Name\\\",\\\"domainOrIpAddress\\\":\\\"example.com\\\",\\\"description\\\":\\\"This is a description field\\\",\\\"enabled\\\":\\\"true\\\"}\",\"AuditOperationType\":\"Create\",\"ObjectType\":\"Server\",\"ObjectName\":\"Some-Name\",\"ObjectID\":12345678901234567,\"CustomerID\":98765432109876543,\"User\":\"zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com\",\"ClientAuditUpdate\":0}", + "type": [ + "creation" + ] + }, + "organization": { + "id": "98765432109876543" + }, + "server": { + "address": "example.com" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "12345678901234567", + "name": "zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com" + }, + "zscaler_zpa": { + "audit": { + "client_audit_update": 0, + "object": { + "id": "12345678901234567", + "name": "Some-Name", + "type": "Server" + }, + "operation_type": "Create", + "session": { + "id": "1idn23nlfm2q1txa5h3r4mep6" + }, + "value": { + "new": { + "description": "This is a description field", + "domainOrIpAddress": "example.com", + "enabled": "true", + "id": "72058340288495701", + "name": "Some-Name" + } + } + } + } + } + ] +} \ No newline at end of file diff --git a/packages/zscaler_zpa/data_stream/audit/_dev/test/pipeline/test-common-config.yml b/packages/zscaler_zpa/data_stream/audit/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/audit/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event 
diff --git a/packages/zscaler_zpa/data_stream/audit/_dev/test/system/test-default-config.yml b/packages/zscaler_zpa/data_stream/audit/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..453c5615f6b
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/audit/_dev/test/system/test-default-config.yml
@@ -0,0 +1,7 @@
+service: zscaler-zpa-audit-tcp
+service_notify_signal: SIGHUP
+vars:
+ listen_address: 0.0.0.0
+data_stream:
+ vars:
+ listen_port: 9016
diff --git a/packages/zscaler_zpa/data_stream/audit/agent/stream/tcp.yml.hbs b/packages/zscaler_zpa/data_stream/audit/agent/stream/tcp.yml.hbs
new file mode 100644
index 00000000000..030459f2582
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/audit/agent/stream/tcp.yml.hbs
@@ -0,0 +1,19 @@
+tcp:
+host: "{{listen_address}}:{{listen_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/zscaler_zpa/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zpa/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..91496d20504
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,276 @@ +--- +description: Pipeline for Zscaler audit logs +processors: + - set: + field: ecs.version + value: '8.0.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - date: + field: json.ModifiedTime + target_field: "@timestamp" + ignore_failure: true + formats: + - ISO8601 + - date: + field: json.CreationTime + target_field: "@timestamp" + if: ctx.json.ModifiedTime == "" + ignore_failure: true + formats: + - ISO8601 + - append: + field: event.category + value: iam + - set: + field: event.kind + value: event + - script: + if: ctx.json.AuditOperationType != null && ctx.json.AuditOperationType != "" + lang: painless + source: | + def eventType = ctx.json.AuditOperationType?.toLowerCase(); + ctx.event.type = new ArrayList(); + Map referenceTable = [ + "create": ["creation"], + "delete": ["deletion"], + "update": ["change"], + "sign in": ["access", "allowed"], + "sign in failure": ["access", "error"], + "download": ["info"], + "sign out": ["access"], + "client session revoked": ["end"] + ]; + + ctx.event.type = referenceTable[eventType]; + - rename: + field: json.RequestID + target_field: event.id + ignore_missing: true + - date: + field: json.CreationTime + target_field: event.created + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.CreationTime + ignore_missing: true + - rename: + field: json.CustomerID + target_field: organization.id + ignore_missing: true + - convert: + field: organization.id + type: string + ignore_missing: true + - rename: + field: json.ModifiedBy + target_field: user.id + ignore_missing: true + - convert: + field: user.id + type: string + ignore_missing: true + - rename: + field: json.User + target_field: user.name + ignore_missing: true + - rename: + field: json.SessionID + target_field: zscaler_zpa.audit.session.id + ignore_missing: true + - json: + field: json.AuditOldValue + target_field: json.AuditOldValue + 
ignore_failure: true + - json: + field: json.AuditNewValue + target_field: json.AuditNewValue + ignore_failure: true + - set: + field: zscaler_zpa.audit.value.old + copy_from: json.AuditOldValue + ignore_failure: true + - set: + field: zscaler_zpa.audit.value.new + copy_from: json.AuditNewValue + ignore_failure: true + - set: + field: zscaler_zpa.audit.object.type + copy_from: json.ObjectType + ignore_failure: true + - set: + field: zscaler_zpa.audit.object.name + copy_from: json.ObjectName + ignore_failure: true + - rename: + field: json.ClientAuditUpdate + target_field: zscaler_zpa.audit.client_audit_update + ignore_failure: true + - convert: + field: json.ObjectID + target_field: zscaler_zpa.audit.object.id + type: string + ignore_missing: true + - remove: + field: json.ObjectID + ignore_missing: true + - script: + lang: painless + description: Map the fields inside AuditNewValues and AuditOldValues to it's corresponding ECS Field-set. + if: ctx.json.ObjectType != null + source: | + def objectType = ctx.json.ObjectType?.toLowerCase(); + def operationType = ctx.json.AuditOperationType?.toLowerCase(); + def valuesMap; + + if (operationType == "delete" || operationType == "sign out") { + valuesMap = ctx.json.AuditOldValue; + } else if (operationType == "create" || operationType == "sign in" || operationType == "update") { + valuesMap = ctx.json.AuditNewValue; + } + + if (objectType == "administrator") { + ctx.user.target = new HashMap(); + ctx.user.target.roles = new ArrayList(); + def roles = (valuesMap?.roles == null) ? 
[] : new ArrayList(valuesMap?.roles); + ctx.user.target.email = valuesMap?.email; + for (int i = 0; i < roles.length; i++) { + ctx.user.target.roles.add(roles[i].name); + } + } else if (objectType == "app connector group") { + ctx.group = new HashMap(); + ctx.group.id = valuesMap?.id; + ctx.group.name = valuesMap?.name; + ctx.observer = new HashMap(); + ctx.observer.geo = new HashMap(); + ctx.observer.geo.location = new HashMap(); + ctx.observer.geo.location.lat = valuesMap?.latitude; + ctx.observer.geo.location.lon = valuesMap?.longitude; + ctx.observer.geo.city_name = valuesMap?.cityCountry; + ctx.observer.geo.country_name = valuesMap?.location; + } else if (objectType == "browser access") { + ctx.network = new HashMap(); + ctx.network.protocol = valuesMap?.applicationProtocol?.toLowerCase(); + } else if (objectType == "authentication") { + ctx.client = new HashMap(); + ctx.client.ip = valuesMap?.remoteIP; + } else if (objectType == "certificate") { + ctx.x509 = new HashMap(); + ctx.x509.issuer = new HashMap(); + ctx.x509.alternative_names = valuesMap?.subjectAlternateNames; + ctx.x509.issuer.common_name = valuesMap?.commonName; + ctx.x509.issuer.distinguished_name = valuesMap?.issuedTo; + } else if (objectType == "executive insights user") { + ctx.user = new HashMap(); + ctx.user.target = new HashMap(); + ctx.user.target.id = valuesMap?.id; + ctx.user.target.email = valuesMap?.email; + ctx.user.target.name = valuesMap?.name; + } else if (objectType == "idp certificate") { + ctx.x509 = new HashMap(); + ctx.x509.issuer = new HashMap(); + if (valuesMap?.creationTimeInSeconds != null) { + ctx.x509.not_before = Long.parseLong(valuesMap?.creationTimeInSeconds); + } + if (valuesMap?.expirationTimeInSeconds != null) { + ctx.x509.not_after = Long.parseLong(valuesMap?.expirationTimeInSeconds); + } + ctx.x509.issuer.common_name = valuesMap?.commonName; + } else if (objectType == "server") { + ctx.server = new HashMap(); + ctx.server.address = valuesMap?.domainOrIpAddress; 
+ } + - append: + field: related.ip + value: "{{{client.ip}}}" + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: server.address + target_field: server.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: "{{{server.ip}}}" + if: ctx?.server?.ip != null + allow_duplicates: false + ignore_failure: true + - date: + if: ctx?.x509?.not_after != null + field: x509.not_after + target_field: x509.not_after + ignore_failure: true + formats: + - UNIX + - date: + if: ctx?.x509?.not_before != null + field: x509.not_before + target_field: x509.not_before + ignore_failure: true + formats: + - UNIX + - rename: + field: json.AuditOperationType + target_field: zscaler_zpa.audit.operation_type + ignore_missing: true + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); + - remove: + field: json.ObjectName + ignore_failure: true + - remove: + field: json.AuditNewValue + ignore_failure: true + - remove: + field: json.AuditOldValue + ignore_failure: true + - remove: + field: json.ModifiedTime + ignore_failure: true + - remove: + field: json.ObjectType + ignore_failure: true + - script: + description: Adds all the remaining fields in fields under zscaler_zpa.audit + lang: painless + if: ctx?.json != null + source: | + for (Map.Entry m : ctx.json.entrySet()) { + ctx.zscaler_zpa?.audit[m.getKey()] = m.getValue(); + } + - remove: + field: json + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || 
!(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: +- set: + field: error.message + value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/zscaler_zpa/data_stream/audit/fields/agent.yml b/packages/zscaler_zpa/data_stream/audit/fields/agent.yml new file mode 100644 index 00000000000..e313ec82874 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/audit/fields/agent.yml 
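Review bot: The `executive insights user` branch of the field-mapping script does `ctx.user = new HashMap();`, which discards the `user.id` and `user.name` the pipeline has just populated from `json.ModifiedBy` and `json.User`, so the acting administrator is lost for exactly those audit records; the `administrator` branch has the opposite problem, assigning `ctx.user.target` without ensuring `ctx.user` exists, so a record carrying neither `ModifiedBy` nor `User` (both renames are `ignore_missing`) throws a null-pointer error and ends up in `on_failure`. Both branches should guard with `if (ctx.user == null) { ctx.user = new HashMap(); }` before touching `ctx.user.target`. The fallback `date` on `json.CreationTime` is gated by `if: ctx.json.ModifiedTime == ""`, which is false when `ModifiedTime` is absent rather than empty, leaving `@timestamp` unset; `if: ctx.json.ModifiedTime == null || ctx.json.ModifiedTime == ""` covers both shapes. The closing script copies every leftover `json.*` key verbatim under `zscaler_zpa.audit`, so field names chosen by whatever sends to the TCP listener become dynamically mapped fields unless the index template forbids that; a comment stating that this is intended, or routing the remainder into a `flattened` field, would make the exposure explicit for reviewers of the mappings.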
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/zscaler_zpa/data_stream/audit/fields/base-fields.yml b/packages/zscaler_zpa/data_stream/audit/fields/base-fields.yml new file mode 100644 index 00000000000..05a4a1d0cc6 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/audit/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: zscaler_zpa +- name: event.dataset + type: constant_keyword + description: Event dataset + value: zscaler_zpa.audit diff --git a/packages/zscaler_zpa/data_stream/audit/fields/ecs.yml b/packages/zscaler_zpa/data_stream/audit/fields/ecs.yml new file mode 100644 index 00000000000..db646bab41a --- /dev/null +++ b/packages/zscaler_zpa/data_stream/audit/fields/ecs.yml 
@@ -0,0 +1,50 @@
+- external: ecs
+ name: client.ip
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: group.id
+- external: ecs
+ name: group.name
+- external: ecs
+ name: network.protocol
+- external: ecs
+ name: observer.geo.city_name
+- external: ecs
+ name: observer.geo.country_name
+- description: Longitude and latitude.
+ level: core
+ name: observer.geo.location
+ type: geo_point
+- external: ecs
+ name: organization.id
+- external: ecs
+ name: server.address
+- external: ecs
+ name: server.ip
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: tags
+- external: ecs
+ name: user.id
+- external: ecs
+ name: user.name
+- external: ecs
+ name: user.target.email
+- external: ecs
+ name: user.target.id
+- external: ecs
+ name: user.target.name
+- external: ecs
+ name: user.target.roles
+- external: ecs
+ name: x509.alternative_names
+- external: ecs
+ name: x509.issuer.common_name
+- external: ecs
+ name: x509.issuer.distinguished_name
+- external: ecs
+ name: x509.not_after
+- external: ecs
+ name: x509.not_before
diff --git a/packages/zscaler_zpa/data_stream/audit/fields/fields.yml b/packages/zscaler_zpa/data_stream/audit/fields/fields.yml
new file mode 100644
index 00000000000..635cbfb9e07
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/audit/fields/fields.yml
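Review bot: `observer.geo.location` is the only entry written out by hand (`description`, `level`, `type: geo_point`) while every sibling in the file is taken from the ECS reference with `external: ecs`. Unless the hand-written entry works around a build problem, `- external: ecs` / `name: observer.geo.location` would keep this field in step with the ECS version pinned in `_dev/build/build.yml` like the rest of the file. If there is such a reason, a one-line comment above the entry saying so would stop the next person from "normalising" it.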
@@ -0,0 +1,43 @@ +- name: zscaler_zpa.audit + type: group + fields: + - name: client_audit_update + type: long + description: | + The flag to represent if the event is a client Audit log. + - name: object + type: group + fields: + - name: id + type: keyword + description: | + The ID associated with the object name. + - name: name + type: keyword + description: | + The name of the object. This corresponds to the Resource Name in the Audit Log page. + - name: type + type: keyword + description: | + The location within the ZPA Admin Portal where the Action was performed. + - name: operation_type + type: keyword + description: | + The type of action performed. + - name: session.id + type: keyword + description: | + The ID for the administrator's session in the ZPA Admin Portal. This corresponds to a successful sign in action occurring. + - name: value + type: group + fields: + - name: new + type: flattened + description: | + The new value that was changed if the action type is create, sign in, or update. + - name: old + type: flattened + description: The previous value that was changed if the action type is delete, sign out, or update. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/zscaler_zpa/data_stream/audit/manifest.yml b/packages/zscaler_zpa/data_stream/audit/manifest.yml new file mode 100644 index 00000000000..2d52b38a98f --- /dev/null +++ b/packages/zscaler_zpa/data_stream/audit/manifest.yml 
@@ -0,0 +1,41 @@ +title: Audit Logs +type: logs +streams: + - input: tcp + template_path: tcp.yml.hbs + title: Zscaler Private Access Audit Logs + description: Collect Zscaler Private Access audit logs using tcp input + vars: + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9016 + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - zscaler_zpa-audit + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zscaler_zpa/data_stream/audit/sample_event.json b/packages/zscaler_zpa/data_stream/audit/sample_event.json new file mode 100644 index 00000000000..76b48d8a4be --- /dev/null +++ b/packages/zscaler_zpa/data_stream/audit/sample_event.json 
@@ -0,0 +1,89 @@ +{ + "@timestamp": "2021-11-17T04:29:38.000Z", + "agent": { + "ephemeral_id": "75bcfb32-c04c-4455-88ed-41a659043c80", + "hostname": "docker-fleet-agent", + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.16.2" + }, + "data_stream": { + "dataset": "zscaler_zpa.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "snapshot": false, + "version": "7.16.2" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "iam" + ], + "created": "2021-11-17T04:29:38.000Z", + "dataset": "zscaler_zpa.audit", + "id": "11111111-1111-1111-1111-111111111111", + "ingested": "2022-02-03T13:32:04Z", + "kind": "event", + "type": [ + "creation" + ] + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.21.0.7:54030" + } + }, + "organization": { + "id": "98765432109876543" + }, + "related": { + "ip": [ + "1.0.0.1" + ] + }, + "server": { + "address": "1.0.0.1", + "ip": "1.0.0.1" + }, + "tags": [ + "forwarded", + "zscaler_zpa-audit" + ], + "user": { + "id": "12345678901234567", + "name": "zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com" + }, + "zscaler_zpa": { + "audit": { + "client_audit_update": 0, + "object": { + "id": "12345678901234567", + "name": "Some-Name", + "type": "Server" + }, + "operation_type": "Create", + "session": { + "id": "1idn23nlfm2q1txa5h3r4mep6" + }, + "value": { + "new": { + "description": "This is a description field", + "domainOrIpAddress": "1.0.0.1", + "enabled": "true", + "id": "72058340288495701", + "name": "Some-Name" + } + } + } + } +} \ No newline at end of file diff --git a/packages/zscaler_zpa/data_stream/browser_access/_dev/test/pipeline/test-browser-access.log b/packages/zscaler_zpa/data_stream/browser_access/_dev/test/pipeline/test-browser-access.log new file mode 100644 index 00000000000..0848e0e1363 --- /dev/null 
+++ b/packages/zscaler_zpa/data_stream/browser_access/_dev/test/pipeline/test-browser-access.log @@ -0,0 +1 @@ +{"LogTimestamp":"Wed Jul 3 05:12:25 2019","ConnectionID":"","Exporter":"unset","TimestampRequestReceiveStart":"2019-07-03T05:12:25.723Z","TimestampRequestReceiveHeaderFinish":"2019-07-03T05:12:25.723Z","TimestampRequestReceiveFinish":"2019-07-03T05:12:25.723Z","TimestampRequestTransmitStart":"2019-07-03T05:12:25.790Z","TimestampRequestTransmitFinish":"2019-07-03T05:12:25.790Z","TimestampResponseReceiveStart":"2019-07-03T05:12:25.791Z","TimestampResponseReceiveFinish":"2019-07-03T05:12:25.791Z","TimestampResponseTransmitStart":"2019-07-03T05:12:25.791Z","TimestampResponseTransmitFinish":"2019-07-03T05:12:25.791Z","TotalTimeRequestReceive":127,"TotalTimeRequestTransmit":21,"TotalTimeResponseReceive":73,"TotalTimeResponseTransmit":13,"TotalTimeConnectionSetup":66995,"TotalTimeServerResponse":1349,"Method":"GET","Protocol":"HTTPS","Host":"portal.beta.zdemo.net","URL":"/media/Regular.woff","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15","XFF":"","NameID":"admin@zdemo.net","StatusCode":304,"RequestSize":615,"ResponseSize":331,"ApplicationPort":443,"ClientPublicIp":"81.2.69.144","ClientPublicPort":60006,"ClientPrivateIp":"81.2.69.193","Customer":"ANZ Team/zdemo in beta","ConnectionStatus":"","ConnectionReason":""} diff --git a/packages/zscaler_zpa/data_stream/browser_access/_dev/test/pipeline/test-browser-access.log-expected.json b/packages/zscaler_zpa/data_stream/browser_access/_dev/test/pipeline/test-browser-access.log-expected.json new file mode 100644 index 00000000000..8ee5746be27 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/browser_access/_dev/test/pipeline/test-browser-access.log-expected.json 
@@ -0,0 +1,133 @@ +{ + "expected": [ + { + "@timestamp": "2019-07-03T05:12:25.000Z", + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 60006 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network", + "session" + ], + "kind": "event", + "original": "{\"LogTimestamp\":\"Wed Jul 3 05:12:25 2019\",\"ConnectionID\":\"\",\"Exporter\":\"unset\",\"TimestampRequestReceiveStart\":\"2019-07-03T05:12:25.723Z\",\"TimestampRequestReceiveHeaderFinish\":\"2019-07-03T05:12:25.723Z\",\"TimestampRequestReceiveFinish\":\"2019-07-03T05:12:25.723Z\",\"TimestampRequestTransmitStart\":\"2019-07-03T05:12:25.790Z\",\"TimestampRequestTransmitFinish\":\"2019-07-03T05:12:25.790Z\",\"TimestampResponseReceiveStart\":\"2019-07-03T05:12:25.791Z\",\"TimestampResponseReceiveFinish\":\"2019-07-03T05:12:25.791Z\",\"TimestampResponseTransmitStart\":\"2019-07-03T05:12:25.791Z\",\"TimestampResponseTransmitFinish\":\"2019-07-03T05:12:25.791Z\",\"TotalTimeRequestReceive\":127,\"TotalTimeRequestTransmit\":21,\"TotalTimeResponseReceive\":73,\"TotalTimeResponseTransmit\":13,\"TotalTimeConnectionSetup\":66995,\"TotalTimeServerResponse\":1349,\"Method\":\"GET\",\"Protocol\":\"HTTPS\",\"Host\":\"portal.beta.zdemo.net\",\"URL\":\"/media/Regular.woff\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15\",\"XFF\":\"\",\"NameID\":\"admin@zdemo.net\",\"StatusCode\":304,\"RequestSize\":615,\"ResponseSize\":331,\"ApplicationPort\":443,\"ClientPublicIp\":\"81.2.69.144\",\"ClientPublicPort\":60006,\"ClientPrivateIp\":\"81.2.69.193\",\"Customer\":\"ANZ Team/zdemo in beta\",\"ConnectionStatus\":\"\",\"ConnectionReason\":\"\"}", + "type": "connection" + }, + "http": { + 
"request": { + "body": { + "bytes": 615 + }, + "method": "GET" + }, + "response": { + "body": { + "bytes": 331 + }, + "status_code": 304 + } + }, + "organization": { + "name": "ANZ Team/zdemo in beta" + }, + "related": { + "ip": [ + "81.2.69.144", + "81.2.69.193" + ] + }, + "server": { + "address": "portal.beta.zdemo.net", + "port": 443 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "portal.beta.zdemo.net", + "extension": "woff", + "original": "https://portal.beta.zdemo.net/media/regular.woff", + "path": "/media/regular.woff", + "scheme": "https" + }, + "user": { + "name": "admin@zdemo.net" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Safari", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15", + "os": { + "full": "Mac OS X 10.14.5", + "name": "Mac OS X", + "version": "10.14.5" + }, + "version": "12.1.1" + }, + "zscaler_zpa": { + "browser_access": { + "client_private_ip": "81.2.69.193", + "exporter": "unset", + "timestamp": { + "request": { + "receive": { + "finish": "2019-07-03T05:12:25.723Z", + "header_finish": "2019-07-03T05:12:25.723Z", + "start": "2019-07-03T05:12:25.723Z" + }, + "transmit": { + "finish": "2019-07-03T05:12:25.790Z", + "start": "2019-07-03T05:12:25.790Z" + } + }, + "response": { + "receive": { + "finish": "2019-07-03T05:12:25.791Z", + "start": "2019-07-03T05:12:25.791Z" + }, + "transmit": { + "finish": "2019-07-03T05:12:25.791Z", + "start": "2019-07-03T05:12:25.791Z" + } + } + }, + "total_time": { + "connection": { + "setup": 66995 + }, + "request": { + "receive": 127, + "transmit": 21 + }, + "response": { + "receive": 73, + "transmit": 13 + }, + "server": { + "response": 1349 + } + } + } + } + } + ] +} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/data_stream/browser_access/_dev/test/pipeline/test-common-config.yml b/packages/zscaler_zpa/data_stream/browser_access/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..4da22641654
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/browser_access/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/zscaler_zpa/data_stream/browser_access/_dev/test/system/test-default-config.yml b/packages/zscaler_zpa/data_stream/browser_access/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..51ed60fba1a
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/browser_access/_dev/test/system/test-default-config.yml
@@ -0,0 +1,7 @@
+service: zscaler-zpa-browser-access-tcp
+service_notify_signal: SIGHUP
+vars:
+ listen_address: 0.0.0.0
+data_stream:
+ vars:
+ listen_port: 9017
diff --git a/packages/zscaler_zpa/data_stream/browser_access/agent/stream/tcp.yml.hbs b/packages/zscaler_zpa/data_stream/browser_access/agent/stream/tcp.yml.hbs
new file mode 100644
index 00000000000..030459f2582
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/browser_access/agent/stream/tcp.yml.hbs
@@ -0,0 +1,19 @@
+tcp:
+host: "{{listen_address}}:{{listen_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/zscaler_zpa/data_stream/browser_access/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zpa/data_stream/browser_access/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..71d3f0032da
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/browser_access/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,306 @@ +--- +description: Pipeline for Zscaler browser access logs +processors: + - set: + field: ecs.version + value: '8.0.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - date: + field: json.LogTimestamp + target_field: "@timestamp" + ignore_failure: true + formats: + - E MMM dd HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + - remove: + field: json.LogTimestamp + ignore_failure: true + - append: + field: event.category + value: network + - append: + field: event.category + value: session + - set: + field: event.kind + value: event + - set: + field: event.type + value: connection + - rename: + field: json.ConnectionReason + target_field: event.reason + ignore_missing: true + - rename: + field: json.ClientPublicIp + target_field: client.ip + ignore_missing: true + - geoip: + field: client.ip + target_field: client.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: client.ip + target_field: client.as + properties: + - asn + - organization_name + ignore_missing: true + - append: + field: related.ip + value: "{{{client.ip}}}" + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.ClientPublicPort + target_field: client.port + ignore_missing: true + - rename: + field: json.RequestSize + target_field: http.request.body.bytes + ignore_missing: true + - rename: + field: json.Method + target_field: http.request.method + ignore_missing: true + - rename: + field: json.ResponseSize + target_field: http.response.body.bytes + ignore_missing: true + - rename: + field: json.StatusCode + target_field: http.response.status_code + ignore_missing: true + - rename: + field: json.Customer + target_field: organization.name + ignore_missing: true + - rename: + field: json.ApplicationPort + target_field: server.port + ignore_missing: true + - set: + field: server.address + copy_from: 
json.Host + ignore_failure: true + - script: + lang: painless + source: | + ctx.url = new HashMap(); + def protocol = ctx.json?.Protocol?.toLowerCase(); + def domain = ctx.json?.Host?.toLowerCase(); + def endpoint = ctx.json?.URL?.toLowerCase(); + if (protocol != null && domain != null && endpoint != null) { + ctx.url.full = protocol + "://" + domain + endpoint; + } + - uri_parts: + field: url.full + ignore_failure: true + - remove: + field: json.Host + ignore_missing: true + - remove: + field: json.URL + ignore_missing: true + - remove: + field: json.Protocol + ignore_missing: true + - user_agent: + field: json.UserAgent + ignore_missing: true + - remove: + field: json.UserAgent + ignore_missing: true + - rename: + field: json.NameID + target_field: user.name + ignore_missing: true + - rename: + field: json.ConnectionStatus + target_field: zscaler_zpa.browser_access.connection.status + ignore_missing: true + - rename: + field: json.ConnectionID + target_field: zscaler_zpa.browser_access.connection.id + ignore_missing: true + - rename: + field: json.Exporter + target_field: zscaler_zpa.browser_access.exporter + ignore_missing: true + - date: + field: json.TimestampRequestReceiveStart + target_field: zscaler_zpa.browser_access.timestamp.request.receive.start + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampRequestReceiveStart + ignore_failure: true + - date: + field: json.TimestampRequestReceiveHeaderFinish + target_field: zscaler_zpa.browser_access.timestamp.request.receive.header_finish + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampRequestReceiveHeaderFinish + ignore_failure: true + - date: + field: json.TimestampRequestReceiveFinish + target_field: zscaler_zpa.browser_access.timestamp.request.receive.finish + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampRequestReceiveFinish + ignore_failure: true + - date: + field: json.TimestampRequestTransmitStart + 
target_field: zscaler_zpa.browser_access.timestamp.request.transmit.start + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampRequestTransmitStart + ignore_failure: true + - date: + field: json.TimestampRequestTransmitFinish + target_field: zscaler_zpa.browser_access.timestamp.request.transmit.finish + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampRequestTransmitFinish + ignore_failure: true + - date: + field: json.TimestampResponseReceiveStart + target_field: zscaler_zpa.browser_access.timestamp.response.receive.start + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampResponseReceiveStart + ignore_failure: true + - date: + field: json.TimestampResponseReceiveFinish + target_field: zscaler_zpa.browser_access.timestamp.response.receive.finish + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampResponseReceiveFinish + ignore_failure: true + - date: + field: json.TimestampResponseTransmitStart + target_field: zscaler_zpa.browser_access.timestamp.response.transmit.start + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampResponseTransmitStart + ignore_failure: true + - date: + field: json.TimestampResponseTransmitFinish + target_field: zscaler_zpa.browser_access.timestamp.response.transmit.finish + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampResponseTransmitFinish + ignore_failure: true + - rename: + field: json.TotalTimeRequestReceive + target_field: zscaler_zpa.browser_access.total_time.request.receive + ignore_missing: true + - rename: + field: json.TotalTimeRequestTransmit + target_field: zscaler_zpa.browser_access.total_time.request.transmit + ignore_missing: true + - rename: + field: json.TotalTimeResponseReceive + target_field: zscaler_zpa.browser_access.total_time.response.receive + ignore_missing: true + - rename: + field: json.TotalTimeResponseTransmit + target_field: 
zscaler_zpa.browser_access.total_time.response.transmit + ignore_missing: true + - rename: + field: json.TotalTimeConnectionSetup + target_field: zscaler_zpa.browser_access.total_time.connection.setup + ignore_missing: true + - rename: + field: json.TotalTimeServerResponse + target_field: zscaler_zpa.browser_access.total_time.server.response + ignore_missing: true + - rename: + field: json.XFF + target_field: zscaler_zpa.browser_access.xff + ignore_missing: true + - convert: + field: json.ClientPrivateIp + target_field: zscaler_zpa.browser_access.client_private_ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: "{{{zscaler_zpa.browser_access.client_private_ip}}}" + if: ctx?.zscaler_zpa?.browser_access?.client_private_ip != null + allow_duplicates: false + ignore_failure: true + - remove: + field: json.ClientPrivateIp + ignore_missing: true + - rename: + field: json.CorsToken + target_field: zscaler_zpa.browser_access.cors_token + ignore_missing: true + - rename: + field: json.Origin + target_field: zscaler_zpa.browser_access.origin + ignore_missing: true + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); + - script: + description: Adds all the remaining fields in fields under zscaler_zpa.user_activity + lang: painless + if: ctx.json != null + source: | + for (Map.Entry m : ctx.json.entrySet()) { + ctx.zscaler_zpa.browser_access[m.getKey()] = m.getValue(); + } + - remove: + field: json + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || 
!(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: +- set: + field: error.message + value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/zscaler_zpa/data_stream/browser_access/fields/agent.yml b/packages/zscaler_zpa/data_stream/browser_access/fields/agent.yml new file mode 100644 index 00000000000..e313ec82874 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/browser_access/fields/agent.yml 
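Review bot: The url-building script lowercases `json.URL` together with the scheme and host, so `url.full`, and the `url.original` and `url.path` that `uri_parts` derives from it, no longer carry the request as it was sent — path and query are case-sensitive, and a folded value will not match the string an analyst has from the server side or from a threat-intel list. Only scheme and domain are safe to fold: `def endpoint = ctx.json?.URL;`. Two smaller points in the same hunk: the `formats` list under the `json.LogTimestamp` date processor shows two identical `E MMM d HH:mm:ss yyyy` entries (if the third was the space-padded day-of-month form it appears to have been lost in rendering, otherwise it is a duplicate), and that timestamp carries no zone, so without a `timezone` option the processor will read it as UTC — confirm that matches what the Log Receiver emits. The description of the last script says `zscaler_zpa.user_activity` while the code writes to `ctx.zscaler_zpa.browser_access`; suggest `description: Adds all the remaining fields in json under zscaler_zpa.browser_access`.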
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/zscaler_zpa/data_stream/browser_access/fields/base-fields.yml b/packages/zscaler_zpa/data_stream/browser_access/fields/base-fields.yml new file mode 100644 index 00000000000..26ea267ad3c --- /dev/null +++ b/packages/zscaler_zpa/data_stream/browser_access/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: zscaler_zpa +- name: event.dataset + type: constant_keyword + description: Event dataset + value: zscaler_zpa.browser_access diff --git a/packages/zscaler_zpa/data_stream/browser_access/fields/ecs.yml b/packages/zscaler_zpa/data_stream/browser_access/fields/ecs.yml new file mode 100644 index 00000000000..f59d7cbe5e6 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/browser_access/fields/ecs.yml 
@@ -0,0 +1,67 @@
+- external: ecs
+ name: client.geo.city_name
+- external: ecs
+ name: client.geo.country_name
+- external: ecs
+ name: client.geo.country_iso_code
+- external: ecs
+ name: client.geo.continent_name
+- external: ecs
+ name: client.geo.country_iso_code
+- external: ecs
+ name: client.geo.region_iso_code
+- description: Longitude and latitude
+ name: client.geo.location
+ type: geo_point
+- external: ecs
+ name: client.geo.region_name
+- external: ecs
+ name: client.ip
+- external: ecs
+ name: client.port
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: http.request.body.bytes
+- external: ecs
+ name: http.request.method
+- external: ecs
+ name: http.response.body.bytes
+- external: ecs
+ name: http.response.status_code
+- external: ecs
+ name: organization.name
+- external: ecs
+ name: server.address
+- external: ecs
+ name: server.port
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: tags
+- external: ecs
+ name: url.domain
+- external: ecs
+ name: url.extension
+- external: ecs
+ name: url.original
+- external: ecs
+ name: url.path
+- external: ecs
+ name: url.scheme
+- external: ecs
+ name: user.name
+- external: ecs
+ name: user_agent.device.name
+- external: ecs
+ name: user_agent.name
+- external: ecs
+ name: user_agent.original
+- external: ecs
+ name: user_agent.os.full
+- external: ecs
+ name: user_agent.os.name
+- external: ecs
+ name: user_agent.os.version
+- external: ecs
+ name: user_agent.version
diff --git a/packages/zscaler_zpa/data_stream/browser_access/fields/fields.yml b/packages/zscaler_zpa/data_stream/browser_access/fields/fields.yml
new file mode 100644
index 00000000000..d29515193f4
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/browser_access/fields/fields.yml
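Review bot: `client.geo.country_iso_code` is declared twice in this hunk (the third and fifth entries); the second `- external: ecs` / `name: client.geo.country_iso_code` pair should be dropped so the field is not defined twice. `client.geo.location` is the only geo field written out by hand here; unless the local description is wanted, `- external: ecs` / `name: client.geo.location` would keep it consistent with the rest of the file.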
@@ -0,0 +1,127 @@ +- name: zscaler_zpa.browser_access + type: group + fields: + - name: client_private_ip + type: ip + description: | + The private IP address of the user's device. + - name: connection + type: group + fields: + - name: id + type: keyword + description: | + The application connection ID. + - name: status + type: keyword + description: | + The status of the connection. + - name: cors_token + type: keyword + description: | + The token from the CORS request. + - name: exporter + type: keyword + description: | + The Browser Access Service instance to ZPA Public Service Edge or ZPA Private Service Edge instance. + - name: origin + type: keyword + description: | + The Browser Access domain that led to the origination of the CORS request. + - name: timestamp + type: group + fields: + - name: request + type: group + fields: + - name: receive + type: group + fields: + - name: finish + type: date + description: | + Timestamp in microseconds when Browser Access Service received the last byte of the HTTP request from web browser. + - name: header_finish + type: date + description: | + Timestamp in microseconds when Browser Access Service received the last byte of the HTTP header corresponding to the request from web browser. + - name: start + type: date + description: | + Timestamp in microseconds when Browser Access Service received the first byte of the HTTP request from web browser. + - name: transmit + type: group + fields: + - name: finish + type: date + description: | + Timestamp in microseconds when Browser Access Service sent the last byte of the HTTP request to the web server. + - name: start + type: date + description: | + Timestamp in microseconds when Browser Access Service sent the first byte of the HTTP request to the web server. 
+ - name: response + type: group + fields: + - name: receive + type: group + fields: + - name: finish + type: date + description: | + Timestamp in microseconds when Browser Access Service received the last byte of the HTTP response from the web server. + - name: start + type: date + description: | + Timestamp in microseconds when Browser Access Service received the first byte of the HTTP response from the web server. + - name: transmit + type: group + fields: + - name: finish + type: date + description: | + Timestamp in microseconds when Browser Access Service sent the last byte of the HTTP response to the web browser. + - name: start + type: date + description: | + Timestamp in microseconds when Browser Access Service sent the first byte of the HTTP response to the web browser. + - name: total_time + type: group + fields: + - name: connection.setup + type: long + description: | + Time difference between reception of the first byte of the HTTP request from web browser and transmission of the first byte towards the web server, as seen by the Browser Access Service. + - name: request + type: group + fields: + - name: receive + type: long + description: | + Time difference between reception of the first and last byte of the HTTP request from the web browser as seen by the Browser Access Service. + - name: transmit + type: long + description: | + Time difference between transmission of the first and last byte of the HTTP request towards the web server as seen by the Browser Access Service. + - name: response + type: group + fields: + - name: receive + type: long + description: | + Time difference between reception of the first and last byte of the HTTP response from the web server as seen by the Browser Access Service. + - name: transmit + type: long + description: | + Time difference between transmission of the first and last byte of the HTTP request towards the web server as seen by the Browser Access Service. 
+ - name: server.response + type: long + description: | + Time difference between transmission of the last byte of the HTTP request towards the web server and reception of the first byte of the HTTP response from web server, as seen by the Browser Access Service. + - name: xff + type: keyword + description: |- + The X-Forwarded-For (XFF) HTTP header. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/zscaler_zpa/data_stream/browser_access/manifest.yml b/packages/zscaler_zpa/data_stream/browser_access/manifest.yml new file mode 100644 index 00000000000..45508b19524 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/browser_access/manifest.yml @@ -0,0 +1,41 @@ +title: Browser Access Logs +type: logs +streams: + - input: tcp + template_path: tcp.yml.hbs + title: Zscaler Private Access Browser Access Logs + description: Collect Zscaler Private Access Browser Access Logs using tcp input + vars: + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9017 + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - zscaler_zpa-browser_access + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
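Review bot: The description of `total_time.response.transmit` repeats the `request.transmit` wording ("HTTP request towards the web server"), but by the field's name and the matching `timestamp.response.transmit` entries it measures the response sent to the browser; suggest `Time difference between transmission of the first and last byte of the HTTP response towards the web browser as seen by the Browser Access Service.`. The `timestamp.*` entries describe each value as "Timestamp in microseconds" while the fields are typed `date` and the pipeline parses them as ISO8601, so the "in microseconds" wording is likely to confuse a reader and could be dropped.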
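Review bot: The stream template `tcp.yml.hbs` renders `host: "{{listen_address}}:{{listen_port}}"` and an optional `ssl:` block, but this manifest declares only `listen_port`, `tags`, `preserve_original_event` and `processors`. If `listen_address` and `ssl` are declared in the package-level manifest (not in this diff) that is fine, and a short comment above `vars:` pointing there would save the next reader the search; if they are not, the listener renders with an empty address and there is no way to turn on TLS for a port that receives log data from the LSS Log Receiver. The `listen_port` description could also say that the value must match the TCP port configured on the Zscaler Log Receiver, e.g. `description: The TCP port number to listen on. Must match the TCP Port set on the Zscaler Log Receiver.`.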
diff --git a/packages/zscaler_zpa/data_stream/browser_access/sample_event.json b/packages/zscaler_zpa/data_stream/browser_access/sample_event.json
new file mode 100644
index 00000000000..ce40a5e7eb6
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/browser_access/sample_event.json
@@ -0,0 +1,158 @@ +{ + "@timestamp": "2019-07-03T05:12:25.000Z", + "agent": { + "ephemeral_id": "10484a2f-b664-42ef-a849-7386c8257491", + "hostname": "docker-fleet-agent", + "id": "acf7dca8-817d-4681-bad3-1cc9bfefc49c", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.16.2" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 60006 + }, + "data_stream": { + "dataset": "zscaler_zpa.browser_access", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "acf7dca8-817d-4681-bad3-1cc9bfefc49c", + "snapshot": false, + "version": "7.16.2" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network", + "session" + ], + "dataset": "zscaler_zpa.browser_access", + "ingested": "2022-02-14T07:28:10Z", + "kind": "event", + "type": "connection" + }, + "http": { + "request": { + "body": { + "bytes": 615 + }, + "method": "GET" + }, + "response": { + "body": { + "bytes": 331 + }, + "status_code": 304 + } + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.26.0.7:47148" + } + }, + "organization": { + "name": "ANZ Team/zdemo in beta" + }, + "related": { + "ip": [ + "81.2.69.144", + "81.2.69.193" + ] + }, + "server": { + "address": "portal.beta.zdemo.net", + "port": 443 + }, + "tags": [ + "forwarded", + "zscaler_zpa-browser_access" + ], + "url": { + "domain": "portal.beta.zdemo.net", + "extension": "woff", + "original": "https://portal.beta.zdemo.net/media/regular.woff", + "path": "/media/regular.woff", + "scheme": "https" + }, + "user": { + "name": "admin@zdemo.net" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Safari", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) 
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15", + "os": { + "full": "Mac OS X 10.14.5", + "name": "Mac OS X", + "version": "10.14.5" + }, + "version": "12.1.1" + }, + "zscaler_zpa": { + "browser_access": { + "client_private_ip": "81.2.69.193", + "exporter": "unset", + "timestamp": { + "request": { + "receive": { + "finish": "2019-07-03T05:12:25.723Z", + "header_finish": "2019-07-03T05:12:25.723Z", + "start": "2019-07-03T05:12:25.723Z" + }, + "transmit": { + "finish": "2019-07-03T05:12:25.790Z", + "start": "2019-07-03T05:12:25.790Z" + } + }, + "response": { + "receive": { + "finish": "2019-07-03T05:12:25.791Z", + "start": "2019-07-03T05:12:25.791Z" + }, + "transmit": { + "finish": "2019-07-03T05:12:25.791Z", + "start": "2019-07-03T05:12:25.791Z" + } + } + }, + "total_time": { + "connection": { + "setup": 66995 + }, + "request": { + "receive": 127, + "transmit": 21 + }, + "response": { + "receive": 73, + "transmit": 13 + }, + "server": { + "response": 1349 + } + } + } + } +} \ No newline at end of file diff --git a/packages/zscaler_zpa/data_stream/user_activity/_dev/test/pipeline/test-common-config.yml b/packages/zscaler_zpa/data_stream/user_activity/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/user_activity/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event diff --git a/packages/zscaler_zpa/data_stream/user_activity/_dev/test/pipeline/test-user-activity.log b/packages/zscaler_zpa/data_stream/user_activity/_dev/test/pipeline/test-user-activity.log new file mode 100644 index 00000000000..6ac3a87af2e --- /dev/null +++ b/packages/zscaler_zpa/data_stream/user_activity/_dev/test/pipeline/test-user-activity.log 
@@ -0,0 +1 @@ +{"LogTimestamp": "Fri May 31 17:35:42 2019","Customer": "Customer XYZ","SessionID": "LHJdkjmNDf12nclBsvwA","ConnectionID": "SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "ZPA LSS Client","ServicePort": 10011,"ClientPublicIP": "81.2.69.193","ClientPrivateIP": "","ClientLatitude": 45.000000,"ClientLongitude": -119.000000,"ClientCountryCode": "US","ClientZEN": "broker2b.pdx","Policy": "ABC Lab Apps","Connector": "ZDEMO ABC","ConnectorZEN": "broker2b.pdx","ConnectorIP": "67.43.156.12","ConnectorPort": 60266,"Host": "175.16.199.1","Application": "ABC Lab Apps","AppGroup": "ABC Lab Apps","Server": "0","ServerIP": "175.16.199.1","ServerPort": 10011,"PolicyProcessingTime": 28,"CAProcessingTime": 1330,"ConnectorZENSetupTime": 191017,"ConnectionSetupTime": 192397,"ServerSetupTime": 465,"AppLearnTime": 0,"TimestampConnectionStart": "2019-05-30T08:20:42.230Z","TimestampConnectionEnd": "","TimestampCATx": "2019-05-30T08:20:42.230Z","TimestampCARx": "2019-05-30T08:20:42.231Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "2019-05-30T08:20:42.424Z","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "2019-05-31T17:34:27.348Z","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2019-05-30T08:20:42.422Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "2019-05-30T08:20:42.424Z","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "2019-05-31T17:34:27.348Z","ZENTotalBytesRxClient": 2406926,"ZENBytesRxClient": 7115,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 2406926,"ZENBytesTxConnector": 7115,"Idp": "Example IDP Config","ClientToClient": "0"} 
diff --git a/packages/zscaler_zpa/data_stream/user_activity/_dev/test/pipeline/test-user-activity.log-expected.json b/packages/zscaler_zpa/data_stream/user_activity/_dev/test/pipeline/test-user-activity.log-expected.json
new file mode 100644
index 00000000000..921869a11ea
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/user_activity/_dev/test/pipeline/test-user-activity.log-expected.json
@@ -0,0 +1,134 @@ +{ + "expected": [ + { + "@timestamp": "2019-05-31T17:35:42.000Z", + "client": { + "geo": { + "country_iso_code": "US", + "location": { + "lat": 45, + "lon": -119 + } + }, + "ip": "81.2.69.193" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": "iam", + "kind": "event", + "original": "{\"LogTimestamp\": \"Fri May 31 17:35:42 2019\",\"Customer\": \"Customer XYZ\",\"SessionID\": \"LHJdkjmNDf12nclBsvwA\",\"ConnectionID\": \"SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm\",\"InternalReason\": \"\",\"ConnectionStatus\": \"active\",\"IPProtocol\": 6,\"DoubleEncryption\": 0,\"Username\": \"ZPA LSS Client\",\"ServicePort\": 10011,\"ClientPublicIP\": \"81.2.69.193\",\"ClientPrivateIP\": \"\",\"ClientLatitude\": 45.000000,\"ClientLongitude\": -119.000000,\"ClientCountryCode\": \"US\",\"ClientZEN\": \"broker2b.pdx\",\"Policy\": \"ABC Lab Apps\",\"Connector\": \"ZDEMO ABC\",\"ConnectorZEN\": \"broker2b.pdx\",\"ConnectorIP\": \"67.43.156.12\",\"ConnectorPort\": 60266,\"Host\": \"175.16.199.1\",\"Application\": \"ABC Lab Apps\",\"AppGroup\": \"ABC Lab Apps\",\"Server\": \"0\",\"ServerIP\": \"175.16.199.1\",\"ServerPort\": 10011,\"PolicyProcessingTime\": 28,\"CAProcessingTime\": 1330,\"ConnectorZENSetupTime\": 191017,\"ConnectionSetupTime\": 192397,\"ServerSetupTime\": 465,\"AppLearnTime\": 0,\"TimestampConnectionStart\": \"2019-05-30T08:20:42.230Z\",\"TimestampConnectionEnd\": \"\",\"TimestampCATx\": \"2019-05-30T08:20:42.230Z\",\"TimestampCARx\": \"2019-05-30T08:20:42.231Z\",\"TimestampAppLearnStart\": \"\",\"TimestampZENFirstRxClient\": \"2019-05-30T08:20:42.424Z\",\"TimestampZENFirstTxClient\": \"\",\"TimestampZENLastRxClient\": \"2019-05-31T17:34:27.348Z\",\"TimestampZENLastTxClient\": \"\",\"TimestampConnectorZENSetupComplete\": \"2019-05-30T08:20:42.422Z\",\"TimestampZENFirstRxConnector\": \"\",\"TimestampZENFirstTxConnector\": \"2019-05-30T08:20:42.424Z\",\"TimestampZENLastRxConnector\": \"\",\"TimestampZENLastTxConnector\": 
\"2019-05-31T17:34:27.348Z\",\"ZENTotalBytesRxClient\": 2406926,\"ZENBytesRxClient\": 7115,\"ZENTotalBytesTxClient\": 0,\"ZENBytesTxClient\": 0,\"ZENTotalBytesRxConnector\": 0,\"ZENBytesRxConnector\": 0,\"ZENTotalBytesTxConnector\": 2406926,\"ZENBytesTxConnector\": 7115,\"Idp\": \"Example IDP Config\",\"ClientToClient\": \"0\"}", + "type": [ + "info", + "user" + ] + }, + "host": { + "ip": "175.16.199.1" + }, + "network": { + "type": "ipv6" + }, + "organization": { + "name": "Customer XYZ" + }, + "related": { + "hosts": [ + "broker2b.pdx" + ], + "ip": [ + "81.2.69.193", + "175.16.199.1", + "67.43.156.12" + ] + }, + "server": { + "ip": "175.16.199.1", + "port": 10011 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "ZPA LSS Client" + }, + "zscaler_zpa": { + "user_activity": { + "app_group": "ABC Lab Apps", + "app_learn_time": 0, + "application": "ABC Lab Apps", + "ca_processing_time": 1330, + "client_to_client": "0", + "connection": { + "id": "SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm", + "setup_time": 192397, + "status": "active" + }, + "connector": { + "ip": "67.43.156.12", + "name": "ZDEMO ABC", + "port": 60266 + }, + "connector_zen_setup_time": 191017, + "double_encryption": 0, + "idp": "Example IDP Config", + "policy": { + "name": "ABC Lab Apps", + "processing_time": 28 + }, + "server": "0", + "server_setup_time": 465, + "service_port": 10011, + "session_id": "LHJdkjmNDf12nclBsvwA", + "timestamp": { + "ca": { + "rx": "2019-05-30T08:20:42.231Z", + "tx": "2019-05-30T08:20:42.230Z" + }, + "connection": { + "start": "2019-05-30T08:20:42.230Z" + }, + "connector_zen": { + "setup_complete": "2019-05-30T08:20:42.422Z" + }, + "zen": { + "client": { + "rx": { + "first": "2019-05-30T08:20:42.424Z", + "last": "2019-05-31T17:34:27.348Z" + } + }, + "connector": { + "tx": { + "first": "2019-05-30T08:20:42.424Z", + "last": "2019-05-31T17:34:27.348Z" + } + } + } + }, + "zen": { + "client": { + "bytes_rx": 7115, + "bytes_tx": 0, + "domain": "broker2b.pdx", 
+ "total": { + "bytes_rx": 2406926, + "bytes_tx": 0 + } + }, + "connector": { + "bytes_rx": 0, + "bytes_tx": 7115, + "domain": "broker2b.pdx", + "total": { + "bytes_rx": 0, + "bytes_tx": 2406926 + } + } + } + } + } + } + ] +} \ No newline at end of file diff --git a/packages/zscaler_zpa/data_stream/user_activity/_dev/test/system/test-default-config.yml b/packages/zscaler_zpa/data_stream/user_activity/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..84d9234cecf --- /dev/null +++ b/packages/zscaler_zpa/data_stream/user_activity/_dev/test/system/test-default-config.yml @@ -0,0 +1,7 @@ +service: zscaler-zpa-user-activity-tcp +service_notify_signal: SIGHUP +vars: + listen_address: 0.0.0.0 +data_stream: + vars: + listen_port: 9018 diff --git a/packages/zscaler_zpa/data_stream/user_activity/agent/stream/tcp.yml.hbs b/packages/zscaler_zpa/data_stream/user_activity/agent/stream/tcp.yml.hbs new file mode 100644 index 00000000000..030459f2582 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/user_activity/agent/stream/tcp.yml.hbs @@ -0,0 +1,19 @@ +tcp: +host: "{{listen_address}}:{{listen_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/zscaler_zpa/data_stream/user_activity/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zpa/data_stream/user_activity/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..e489e89bd50 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/user_activity/elasticsearch/ingest_pipeline/default.yml 
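Review bot: The expected document pins `"network": { "type": "ipv6" }` for `host.ip` `175.16.199.1`, which is an IPv4 address, so this fixture locks in a wrong classification instead of catching it; the processor that sets `network.type` is in the user_activity pipeline, which continues past the end of this chunk, and both it and this expectation (`"type": "ipv4"`) need to change together. `event.category` is a bare string `"iam"` here because that pipeline uses `set` rather than `append`; ECS keeps `event.category` as an array, and the browser_access pipeline in this same change does use `append`, so the two streams will index the field differently. The ZPA `Host` value is the application the user connected to, yet it surfaces as `host.ip` alongside the same address in `server.ip`; in ECS `host.*` describes the host the event is about, so the `host.*` copy looks like a mapping worth reconsidering.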
@@ -0,0 +1,444 @@ +--- +description: Pipeline for Zscaler user activity logs +processors: + - set: + field: ecs.version + value: '8.0.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - date: + field: json.LogTimestamp + target_field: "@timestamp" + ignore_failure: true + formats: + - E MMM dd HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + - remove: + field: json.LogTimestamp + ignore_failure: true + - set: + field: event.category + value: iam + - set: + field: event.kind + value: event + - append: + field: event.type + value: info + - append: + field: event.type + value: user + - rename: + field: json.Username + target_field: user.name + ignore_missing: true + - rename: + field: json.ClientCountryCode + target_field: client.geo.country_iso_code + ignore_missing: true + - rename: + field: json.ClientLatitude + target_field: client.geo.location.lat + ignore_missing: true + - rename: + field: json.ClientLongitude + target_field: client.geo.location.lon + ignore_missing: true + - convert: + field: json.ClientPublicIP + target_field: client.ip + type: ip + ignore_failure: true + - remove: + field: json.ClientPublicIP + ignore_missing: true + - append: + field: related.ip + value: "{{{client.ip}}}" + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - set: + field: host.domain + copy_from: json.Host + ignore_failure: true + - convert: + field: host.domain + target_field: host.ip + type: ip + ignore_missing: true + ignore_failure: true + - append: + field: related.hosts + value: "{{{host.domain}}}" + if: ctx?.host?.ip == null + allow_duplicates: false + ignore_failure: true + - remove: + field: host.domain + if: ctx?.host?.ip != null + - remove: + field: json.Host + ignore_missing: true + - append: + field: related.ip + value: "{{{host.ip}}}" + if: ctx?.host?.ip != null + allow_duplicates: false + ignore_failure: true + - script: 
+ lang: painless + if: ctx?.json?.IPProtocol != null && ctx?.json?.IPProtocol != '' + source: | + ctx.network = new HashMap(); + ctx.network.type = (ctx.json.IPProtocol == 4 ? 'ipv4' : 'ipv6'); + - remove: + field: json.IPProtocol + ignore_failure: true + - rename: + field: json.Customer + target_field: organization.name + ignore_missing: true + - rename: + field: json.ServerIP + target_field: server.ip + ignore_missing: true + - append: + field: related.ip + value: "{{{server.ip}}}" + if: ctx?.server?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.ServerPort + target_field: server.port + ignore_missing: true + - rename: + field: json.ClientZEN + target_field: zscaler_zpa.user_activity.zen.client.domain + ignore_missing: true + - append: + field: related.hosts + value: "{{{zscaler_zpa.user_activity.zen.client.domain}}}" + if: ctx?.zscaler_zpa?.user_activity?.zen?.client?.domain != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.ConnectorZEN + target_field: zscaler_zpa.user_activity.zen.connector.domain + ignore_missing: true + - append: + field: related.hosts + value: "{{{zscaler_zpa.user_activity.zen.connector.domain}}}" + if: ctx?.zscaler_zpa?.user_activity?.zen?.connector?.domain != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.SessionID + target_field: zscaler_zpa.user_activity.session_id + ignore_missing: true + - rename: + field: json.ConnectionID + target_field: zscaler_zpa.user_activity.connection.id + ignore_missing: true + - rename: + field: json.InternalReason + target_field: zscaler_zpa.user_activity.internal_reason + ignore_missing: true + - rename: + field: json.ConnectionStatus + target_field: zscaler_zpa.user_activity.connection.status + ignore_missing: true + - rename: + field: json.DoubleEncryption + target_field: zscaler_zpa.user_activity.double_encryption + ignore_missing: true + - rename: + field: json.ServicePort + target_field: 
zscaler_zpa.user_activity.service_port + ignore_missing: true + - convert: + field: json.ClientPrivateIP + target_field: zscaler_zpa.user_activity.client_private_ip + type: ip + ignore_failure: true + - remove: + field: json.ClientPrivateIP + ignore_missing: true + - append: + field: related.ip + value: "{{{zscaler_zpa.user_activity.client_private_ip}}}" + if: ctx?.zscaler_zpa?.user_activity?.client_private_ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.Policy + target_field: zscaler_zpa.user_activity.policy.name + ignore_missing: true + - rename: + field: json.Connector + target_field: zscaler_zpa.user_activity.connector.name + ignore_missing: true + - convert: + field: json.ConnectorIP + target_field: zscaler_zpa.user_activity.connector.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: "{{{zscaler_zpa.user_activity.connector.ip}}}" + if: ctx?.zscaler_zpa?.user_activity?.connector?.ip != null + allow_duplicates: false + ignore_failure: true + - remove: + field: json.ConnectorIP + ignore_failure: true + - rename: + field: json.ConnectorPort + target_field: zscaler_zpa.user_activity.connector.port + ignore_missing: true + - rename: + field: json.Application + target_field: zscaler_zpa.user_activity.application + ignore_missing: true + - rename: + field: json.AppGroup + target_field: zscaler_zpa.user_activity.app_group + ignore_missing: true + - rename: + field: json.Server + target_field: zscaler_zpa.user_activity.server + ignore_missing: true + - rename: + field: json.PolicyProcessingTime + target_field: zscaler_zpa.user_activity.policy.processing_time + ignore_missing: true + - rename: + field: json.CAProcessingTime + target_field: zscaler_zpa.user_activity.ca_processing_time + ignore_missing: true + - rename: + field: json.ConnectorZENSetupTime + target_field: zscaler_zpa.user_activity.connector_zen_setup_time + ignore_missing: true + - rename: + field: json.ConnectionSetupTime + target_field: 
zscaler_zpa.user_activity.connection.setup_time + ignore_missing: true + - rename: + field: json.ServerSetupTime + target_field: zscaler_zpa.user_activity.server_setup_time + ignore_missing: true + - rename: + field: json.AppLearnTime + target_field: zscaler_zpa.user_activity.app_learn_time + ignore_missing: true + - date: + field: json.TimestampConnectionStart + target_field: zscaler_zpa.user_activity.timestamp.connection.start + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampConnectionStart + ignore_failure: true + - date: + field: json.TimestampConnectionEnd + target_field: zscaler_zpa.user_activity.timestamp.connection.end + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampConnectionEnd + ignore_failure: true + - date: + field: json.TimestampCATx + target_field: zscaler_zpa.user_activity.timestamp.ca.tx + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampCATx + ignore_failure: true + - date: + field: json.TimestampCARx + target_field: zscaler_zpa.user_activity.timestamp.ca.rx + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampCARx + ignore_failure: true + - date: + field: json.TimestampAppLearnStart + target_field: zscaler_zpa.user_activity.timestamp.app_learn_start + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampAppLearnStart + ignore_failure: true + - date: + field: json.TimestampZENFirstRxClient + target_field: zscaler_zpa.user_activity.timestamp.zen.client.rx.first + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampZENFirstRxClient + ignore_failure: true + - date: + field: json.TimestampZENFirstTxClient + target_field: zscaler_zpa.user_activity.timestamp.zen.client.tx.first + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampZENFirstTxClient + ignore_failure: true + - date: + field: json.TimestampZENLastRxClient + target_field: 
zscaler_zpa.user_activity.timestamp.zen.client.rx.last + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampZENLastRxClient + ignore_failure: true + - date: + field: json.TimestampZENLastTxClient + target_field: zscaler_zpa.user_activity.timestamp.zen.client.tx.last + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampZENLastTxClient + ignore_failure: true + - date: + field: json.TimestampConnectorZENSetupComplete + target_field: zscaler_zpa.user_activity.timestamp.connector_zen.setup_complete + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampConnectorZENSetupComplete + ignore_failure: true + - date: + field: json.TimestampZENFirstRxConnector + target_field: zscaler_zpa.user_activity.timestamp.zen.connector.rx.first + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampZENFirstRxConnector + ignore_failure: true + - date: + field: json.TimestampZENFirstTxConnector + target_field: zscaler_zpa.user_activity.timestamp.zen.connector.tx.first + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampZENFirstTxConnector + ignore_failure: true + - date: + field: json.TimestampZENLastRxConnector + target_field: zscaler_zpa.user_activity.timestamp.zen.connector.rx.last + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampZENLastRxConnector + ignore_failure: true + - date: + field: json.TimestampZENLastTxConnector + target_field: zscaler_zpa.user_activity.timestamp.zen.connector.tx.last + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampZENLastTxConnector + ignore_failure: true + - rename: + field: json.ZENTotalBytesRxClient + target_field: zscaler_zpa.user_activity.zen.client.total.bytes_rx + ignore_missing: true + - rename: + field: json.ZENBytesRxClient + target_field: zscaler_zpa.user_activity.zen.client.bytes_rx + ignore_missing: true + - rename: + field: 
json.ZENTotalBytesTxClient + target_field: zscaler_zpa.user_activity.zen.client.total.bytes_tx + ignore_missing: true + - rename: + field: json.ZENBytesTxClient + target_field: zscaler_zpa.user_activity.zen.client.bytes_tx + ignore_missing: true + - rename: + field: json.ZENTotalBytesRxConnector + target_field: zscaler_zpa.user_activity.zen.connector.total.bytes_rx + ignore_missing: true + - rename: + field: json.ZENBytesRxConnector + target_field: zscaler_zpa.user_activity.zen.connector.bytes_rx + ignore_missing: true + - rename: + field: json.ZENTotalBytesTxConnector + target_field: zscaler_zpa.user_activity.zen.connector.total.bytes_tx + ignore_missing: true + - rename: + field: json.ZENBytesTxConnector + target_field: zscaler_zpa.user_activity.zen.connector.bytes_tx + ignore_missing: true + - rename: + field: json.ClientToClient + target_field: zscaler_zpa.user_activity.client_to_client + ignore_missing: true + - rename: + field: json.Idp + target_field: zscaler_zpa.user_activity.idp + ignore_missing: true + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); + - script: + description: Adds all the remaining fields in fields under zscaler_zpa.user_activity + lang: painless + if: ctx.json != null + source: | + for (Map.Entry m : ctx.json.entrySet()) { + ctx.zscaler_zpa.user_activity[m.getKey()] = m.getValue(); + } + - remove: + field: json + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + 
 ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"
diff --git a/packages/zscaler_zpa/data_stream/user_activity/fields/agent.yml b/packages/zscaler_zpa/data_stream/user_activity/fields/agent.yml
new file mode 100644
index 00000000000..e313ec82874
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/user_activity/fields/agent.yml
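Review bot: The final script processor writes `ctx.zscaler_zpa.user_activity[m.getKey()] = m.getValue()` while its condition only checks `ctx.json != null`, so an event whose JSON carries unmapped keys but none of the renamed ones (or whose mapped values were all emptied and then stripped by the preceding `dropEmptyFields` script, which removes an emptied `zscaler_zpa` map) dereferences a missing map, raises a null-pointer failure and ends up in `on_failure` with only `error.message` set. Change the condition to `if: ctx.json != null && ctx.zscaler_zpa?.user_activity != null`, or create the map inside the script before the loop; note that this loop also copies any vendor key verbatim into `zscaler_zpa.user_activity.*`, so unexpected keys from the TCP source become dynamically mapped fields. Separately, the `@timestamp` date processor lists `E MMM d HH:mm:ss yyyy` twice, and `on_failure:` uses a flush-left sequence while `processors:` indents its items — pick one sequence style for the file.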
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/zscaler_zpa/data_stream/user_activity/fields/base-fields.yml b/packages/zscaler_zpa/data_stream/user_activity/fields/base-fields.yml new file mode 100644 index 00000000000..31eec69bf4b --- /dev/null +++ b/packages/zscaler_zpa/data_stream/user_activity/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: zscaler_zpa +- name: event.dataset + type: constant_keyword + description: Event dataset + value: zscaler_zpa.user_activity diff --git a/packages/zscaler_zpa/data_stream/user_activity/fields/ecs.yml b/packages/zscaler_zpa/data_stream/user_activity/fields/ecs.yml new file mode 100644 index 00000000000..e962c22ab2f --- /dev/null +++ b/packages/zscaler_zpa/data_stream/user_activity/fields/ecs.yml @@ -0,0 +1,26 @@ +- external: ecs + name: client.geo.country_iso_code +- description: Longitude and latitude. + level: core + name: client.geo.location + type: geo_point +- external: ecs + name: client.ip +- external: ecs + name: ecs.version +- external: ecs + name: network.type +- external: ecs + name: organization.name +- external: ecs + name: server.ip +- external: ecs + name: server.port +- external: ecs + name: related.hosts +- external: ecs + name: related.ip +- external: ecs + name: tags +- external: ecs + name: user.name diff --git a/packages/zscaler_zpa/data_stream/user_activity/fields/fields.yml b/packages/zscaler_zpa/data_stream/user_activity/fields/fields.yml new file mode 100644 index 00000000000..8e0f0d6da7d --- /dev/null 
+++ b/packages/zscaler_zpa/data_stream/user_activity/fields/fields.yml 
@@ -0,0 +1,244 @@ +- name: zscaler_zpa.user_activity + type: group + fields: + - name: app_group + type: keyword + description: | + The application group name. + - name: app_learn_time + type: long + description: | + Time in microseconds taken for App Connectors to learn about the requested application and report the learned information to the central authority. + - name: application + type: keyword + description: | + The application name. + - name: ca_processing_time + type: long + description: | + Time in microseconds taken for processing in the central authority. + - name: client_to_client + type: keyword + description: | + The status of the client-to-client connection. + - name: client_private_ip + type: ip + description: | + The private IP address of the Zscaler Client Connector. + - name: connection + type: group + fields: + - name: id + type: keyword + description: | + The application connection ID. + - name: setup_time + type: long + description: | + Time taken by the App Connector to process a notification from the App Connector selection microservice and set up the connection to the application server. + - name: status + type: keyword + description: | + The status of the connection. The expected values for this field are: [ Open, Close, Active ]. + - name: connector + type: group + fields: + - name: ip + type: ip + description: | + The source IP address of the App Connector. + - name: name + type: keyword + description: | + The App Connector name. + - name: port + type: integer + description: | + The source port of the App Connector. + - name: connector_zen_setup_time + type: long + description: | + Time in microseconds taken for setting up connection between App Connector and ZPA Public Service Edge or ZPA Private Service Edge. + - name: double_encryption + type: integer + description: | + The double encryption status. + - name: idp + type: keyword + description: | + The name of the identity provider (IdP) as configured in the ZPA Admin Portal. 
+ - name: internal_reason + type: keyword + description: | + The internal reason for the status of the transaction. + - name: policy + type: group + fields: + - name: name + type: keyword + description: | + The access policy or timeout policy rule name. + - name: processing_time + type: long + description: | + Time in microseconds taken for processing the access policy associated with the application. + - name: server + type: keyword + description: | + The server ID name. The server ID must be set to zero if dynamic server discovery is enabled. + - name: server_setup_time + type: long + description: | + Time in microseconds taken for setting up connection at server. + - name: service_port + type: integer + description: | + The destination port of the server. + - name: session_id + type: keyword + description: | + The TLS session ID. + - name: timestamp + type: group + fields: + - name: app_learn_start + type: keyword + description: | + Time in microseconds taken for App Connectors to learn about the requested application and report the learned information to the central authority. + - name: ca + type: group + fields: + - name: rx + type: date + description: | + Timestamp in microseconds when the central authority received request from ZPA Public Service Edge or ZPA Private Service Edge. + - name: tx + type: date + description: | + Timestamp in microseconds when the central authority sent request to ZPA Public Service Edge or ZPA Private Service Edge. + - name: connection + type: group + fields: + - name: end + type: date + description: | + Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge terminated the connection. + - name: start + type: date + description: | + Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the initial request from Zscaler Client Connector to start the connection. 
+ - name: connector_zen.setup_complete + type: date + description: | + Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received request from App Connector to set up data connection. The request from the App Connector is triggered by the initial request for a specific application from the Zscaler Client Connector. + - name: zen + type: group + fields: + - name: client + type: group + fields: + - name: rx + type: group + fields: + - name: first + type: date + description: | + Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the first byte from the Zscaler Client Connector. + - name: last + type: date + description: | + Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the last byte from the Zscaler Client Connector. + - name: tx + type: group + fields: + - name: first + type: date + description: | + Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the first byte to the Zscaler Client Connector. + - name: last + type: date + description: | + Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the last byte to the Zscaler Client Connector. + - name: connector + type: group + fields: + - name: rx + type: group + fields: + - name: first + type: date + description: | + Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the first byte from the App Connector. + - name: last + type: date + description: | + Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the last byte from the App Connector. + - name: tx + type: group + fields: + - name: first + type: date + description: | + Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the first byte to the App Connector. 
+ - name: last + type: date + description: | + Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the last byte to the App Connector. + - name: zen + type: group + fields: + - name: client + type: group + fields: + - name: domain + type: keyword + description: | + The ZPA Public Service Edge (formerly Zscaler Enforcement Node or ZEN) or ZPA Private Service Edge that received the request from the Zscaler Client Connector. + - name: bytes_rx + type: long + description: | + The additional bytes received from the Zscaler Client Connector since the last transaction log. + - name: bytes_tx + type: long + description: | + The additional bytes transmitted to the Zscaler Client Connector since the last transaction log. + - name: total + type: group + fields: + - name: bytes_rx + type: long + description: | + The total bytes received from the Zscaler Client Connector by the ZPA Public Service Edge or ZPA Private Service Edge. + - name: bytes_tx + type: long + description: | + The total bytes transmitted to the Zscaler Client Connector from the ZPA Public Service Edge or ZPA Private Service Edge. + - name: connector + type: group + fields: + - name: domain + type: keyword + description: | + The ZPA Public Service Edge or ZPA Private Service Edge that sent the request from the App Connector. + - name: bytes_rx + type: long + description: | + The additional bytes received from the App Connector since the last transaction log. + - name: bytes_tx + type: long + description: | + The additional bytes transmitted by the App Connector since the last transaction log. + - name: total + type: group + fields: + - name: bytes_rx + type: long + description: | + The total bytes received from the App Connector by the ZPA Public Service Edge or ZPA Private Service Edge. + - name: bytes_tx + type: long + description: |- + The total bytes transmitted to the App Connector from the ZPA Public Service Edge or ZPA Private Service Edge. 
+- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/zscaler_zpa/data_stream/user_activity/manifest.yml b/packages/zscaler_zpa/data_stream/user_activity/manifest.yml new file mode 100644 index 00000000000..df6b66c5141 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/user_activity/manifest.yml @@ -0,0 +1,41 @@ +title: User Activity Logs +type: logs +streams: + - input: tcp + template_path: tcp.yml.hbs + title: Zscaler Private Access User Activity Logs + description: Collect Zscaler Private Access User Activity Logs using tcp input + vars: + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9018 + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - zscaler_zpa-user_activity + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zscaler_zpa/data_stream/user_activity/sample_event.json b/packages/zscaler_zpa/data_stream/user_activity/sample_event.json new file mode 100644 index 00000000000..7cb6453ce96 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/user_activity/sample_event.json 
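Review bot: `zscaler_zpa.user_activity.timestamp.app_learn_start` is declared as `type: keyword`, but the ingest pipeline in this commit populates it with a `date` processor (formats ISO8601) and every sibling under `timestamp.*` is `type: date`, so the mapping and the producer disagree; change it to `type: date`. Its description is also a copy of the `app_learn_time` text ("Time in microseconds taken for App Connectors to learn…") rather than a timestamp description, so it should be reworded in the style of the neighbouring entries, presumably as the moment application learning started. While here, `connection.status` documents the expected values as `[ Open, Close, Active ]` but the sample events in this commit carry lowercase `active`; align the description with the actual casing so detection rules written from the docs match.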
@@ -0,0 +1,159 @@ +{ + "@timestamp": "2019-05-31T17:35:42.000Z", + "agent": { + "ephemeral_id": "2686f611-4bf3-4df9-8934-843cbd32d161", + "hostname": "docker-fleet-agent", + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.16.2" + }, + "client": { + "geo": { + "country_iso_code": "US", + "location": { + "lat": 45, + "lon": -119 + } + }, + "ip": "81.2.69.193" + }, + "data_stream": { + "dataset": "zscaler_zpa.user_activity", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "snapshot": false, + "version": "7.16.2" + }, + "event": { + "agent_id_status": "verified", + "category": "iam", + "dataset": "zscaler_zpa.user_activity", + "ingested": "2022-02-03T13:34:37Z", + "kind": "event", + "type": [ + "info", + "user" + ] + }, + "host": { + "ip": "175.16.199.1" + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.21.0.7:59296" + } + }, + "network": { + "type": "ipv6" + }, + "organization": { + "name": "Customer XYZ" + }, + "related": { + "hosts": [ + "broker2b.pdx" + ], + "ip": [ + "81.2.69.193", + "175.16.199.1", + "67.43.156.12" + ] + }, + "server": { + "ip": "175.16.199.1", + "port": 10011 + }, + "tags": [ + "forwarded", + "zscaler_zpa-user_activity" + ], + "user": { + "name": "ZPA LSS Client" + }, + "zscaler_zpa": { + "user_activity": { + "app_group": "ABC Lab Apps", + "app_learn_time": 0, + "application": "ABC Lab Apps", + "ca_processing_time": 1330, + "client_to_client": "0", + "connection": { + "id": "SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm", + "setup_time": 192397, + "status": "active" + }, + "connector": { + "ip": "67.43.156.12", + "name": "ZDEMO ABC", + "port": 60266 + }, + "connector_zen_setup_time": 191017, + "double_encryption": 0, + "idp": "Example IDP Config", + "policy": { + "name": "ABC Lab Apps", + "processing_time": 28 + }, + "server": "0", + 
"server_setup_time": 465, + "service_port": 10011, + "session_id": "LHJdkjmNDf12nclBsvwA", + "timestamp": { + "ca": { + "rx": "2019-05-30T08:20:42.231Z", + "tx": "2019-05-30T08:20:42.230Z" + }, + "connection": { + "start": "2019-05-30T08:20:42.230Z" + }, + "connector_zen": { + "setup_complete": "2019-05-30T08:20:42.422Z" + }, + "zen": { + "client": { + "rx": { + "first": "2019-05-30T08:20:42.424Z", + "last": "2019-05-31T17:34:27.348Z" + } + }, + "connector": { + "tx": { + "first": "2019-05-30T08:20:42.424Z", + "last": "2019-05-31T17:34:27.348Z" + } + } + } + }, + "zen": { + "client": { + "bytes_rx": 7115, + "bytes_tx": 0, + "domain": "broker2b.pdx", + "total": { + "bytes_rx": 2406926, + "bytes_tx": 0 + } + }, + "connector": { + "bytes_rx": 0, + "bytes_tx": 7115, + "domain": "broker2b.pdx", + "total": { + "bytes_rx": 0, + "bytes_tx": 2406926 + } + } + } + } + } +} \ No newline at end of file diff --git a/packages/zscaler_zpa/data_stream/user_status/_dev/test/pipeline/test-common-config.yml b/packages/zscaler_zpa/data_stream/user_status/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/user_status/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event diff --git a/packages/zscaler_zpa/data_stream/user_status/_dev/test/pipeline/test-user-status.log b/packages/zscaler_zpa/data_stream/user_status/_dev/test/pipeline/test-user-status.log new file mode 100644 index 00000000000..178c48f7e55 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/user_status/_dev/test/pipeline/test-user-status.log 
@@ -0,0 +1 @@
+{"LogTimestamp":"Fri May 31 17:34:48 2019","Customer":"Customer XYZ","Username":"ZPA LSS Client","SessionID":"vkczUERSLl88Y+ytH8v5","SessionStatus":"ZPN_STATUS_AUTHENTICATED","Version":"19.12.0-36-g87dad18","ZEN":"broker2b.pdx","CertificateCN":"loggerz2x.pde.zpabeta.net","PrivateIP":"","PublicIP":"81.2.69.144","Latitude":45,"Longitude":-119,"CountryCode":"US","TimestampAuthentication":"2019-05-29T21:18:38.000Z","TimestampUnAuthentication":"","TotalBytesRx":31274866,"TotalBytesTx":25424152,"Idp":"IDP Config","Hostname":"DESKTOP-99HCSJ1","Platform":"windows","ClientType":"zpn_client_type_zapp","TrustedNetworks":"TN1_stc1","TrustedNetworksNames":"145248739466696953","SAMLAttributes":"myname:user,myemail:user@zscaler.com","PosturesHit":"sm-posture1,sm-posture2","PosturesMiss":"sm-posture11,sm-posture12","ZENLatitude":47,"ZENLongitude":-122,"ZENCountryCode":"","FQDNRegistered": "0","FQDNRegisteredError": "CUSTOMER_NOT_ENABLED"}
diff --git a/packages/zscaler_zpa/data_stream/user_status/_dev/test/pipeline/test-user-status.log-expected.json b/packages/zscaler_zpa/data_stream/user_status/_dev/test/pipeline/test-user-status.log-expected.json
new file mode 100644
index 00000000000..172ce6916a4
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/user_status/_dev/test/pipeline/test-user-status.log-expected.json
@@ -0,0 +1,105 @@ +{ + "expected": [ + { + "@timestamp": "2019-05-31T17:34:48.000Z", + "client": { + "geo": { + "country_iso_code": "US", + "location": { + "lat": 45, + "lon": -119 + } + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": "iam", + "kind": "state", + "original": "{\"LogTimestamp\":\"Fri May 31 17:34:48 2019\",\"Customer\":\"Customer XYZ\",\"Username\":\"ZPA LSS Client\",\"SessionID\":\"vkczUERSLl88Y+ytH8v5\",\"SessionStatus\":\"ZPN_STATUS_AUTHENTICATED\",\"Version\":\"19.12.0-36-g87dad18\",\"ZEN\":\"broker2b.pdx\",\"CertificateCN\":\"loggerz2x.pde.zpabeta.net\",\"PrivateIP\":\"\",\"PublicIP\":\"81.2.69.144\",\"Latitude\":45,\"Longitude\":-119,\"CountryCode\":\"US\",\"TimestampAuthentication\":\"2019-05-29T21:18:38.000Z\",\"TimestampUnAuthentication\":\"\",\"TotalBytesRx\":31274866,\"TotalBytesTx\":25424152,\"Idp\":\"IDP Config\",\"Hostname\":\"DESKTOP-99HCSJ1\",\"Platform\":\"windows\",\"ClientType\":\"zpn_client_type_zapp\",\"TrustedNetworks\":\"TN1_stc1\",\"TrustedNetworksNames\":\"145248739466696953\",\"SAMLAttributes\":\"myname:user,myemail:user@zscaler.com\",\"PosturesHit\":\"sm-posture1,sm-posture2\",\"PosturesMiss\":\"sm-posture11,sm-posture12\",\"ZENLatitude\":47,\"ZENLongitude\":-122,\"ZENCountryCode\":\"\",\"FQDNRegistered\": \"0\",\"FQDNRegisteredError\": \"CUSTOMER_NOT_ENABLED\"}", + "type": [ + "info", + "user" + ] + }, + "host": { + "hostname": "DESKTOP-99HCSJ1", + "os": { + "platform": "windows" + } + }, + "organization": { + "name": "Customer XYZ" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "server": { + "geo": { + "location": { + "lat": 47, + "lon": -122 + } + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "ZPA LSS Client" + }, + "x509": { + "issuer": { + "common_name": "loggerz2x.pde.zpabeta.net" + } + }, + "zscaler_zpa": { + "user_status": { + "client": { + "type": "zpn_client_type_zapp" + }, + "fqdn": { + "registered": false, + "registered_error": 
"CUSTOMER_NOT_ENABLED"
+ },
+ "idp": "IDP Config",
+ "postures": {
+ "hit": [
+ "sm-posture1",
+ "sm-posture2"
+ ],
+ "miss": [
+ "sm-posture11",
+ "sm-posture12"
+ ]
+ },
+ "saml_attributes": [
+ "myname:user",
+ "myemail:user@zscaler.com"
+ ],
+ "session": {
+ "id": "vkczUERSLl88Y+ytH8v5",
+ "status": "ZPN_STATUS_AUTHENTICATED"
+ },
+ "timestamp": {
+ "authentication": "2019-05-29T21:18:38.000Z"
+ },
+ "total": {
+ "bytes_rx": 31274866,
+ "bytes_tx": 25424152
+ },
+ "trusted_networks": "TN1_stc1",
+ "trusted_networks_names": "145248739466696953",
+ "version": "19.12.0-36-g87dad18",
+ "zen": {
+ "domain": "broker2b.pdx"
+ }
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/zscaler_zpa/data_stream/user_status/_dev/test/system/test-default-config.yml b/packages/zscaler_zpa/data_stream/user_status/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..eba6622b4b3
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/user_status/_dev/test/system/test-default-config.yml
@@ -0,0 +1,7 @@
+service: zscaler-zpa-user-status-tcp
+service_notify_signal: SIGHUP
+vars:
+ listen_address: 0.0.0.0
+data_stream:
+ vars:
+ listen_port: 9019
diff --git a/packages/zscaler_zpa/data_stream/user_status/agent/stream/tcp.yml.hbs b/packages/zscaler_zpa/data_stream/user_status/agent/stream/tcp.yml.hbs
new file mode 100644
index 00000000000..030459f2582
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/user_status/agent/stream/tcp.yml.hbs
@@ -0,0 +1,19 @@
+tcp:
+host: "{{listen_address}}:{{listen_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
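Review bot: `- {{tag}}` in the `{{#each tags}}` loop renders each user-supplied tag as an unquoted plain scalar, so a tag such as `on`, `1.10`, or one containing `: ` or ` #` is retyped or breaks the rendered stream config; `  - "{{tag}}"` keeps it a string. The `ssl: {{ssl}}` block only takes effect when an `ssl` variable reaches the template, and the data stream manifest in this diff does not declare one, so as written the listener can only be configured without TLS unless that variable comes from the package-level manifest.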
diff --git a/packages/zscaler_zpa/data_stream/user_status/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zpa/data_stream/user_status/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..dd43d929525
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/user_status/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,239 @@ +--- +description: Pipeline for Zscaler user status logs +processors: + - set: + field: ecs.version + value: '8.0.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - date: + field: json.LogTimestamp + target_field: "@timestamp" + ignore_failure: true + formats: + - E MMM dd HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + - remove: + field: json.LogTimestamp + ignore_failure: true + - set: + field: event.category + value: iam + - set: + field: event.kind + value: state + - append: + field: event.type + value: info + - append: + field: event.type + value: user + - rename: + field: json.CountryCode + target_field: client.geo.country_iso_code + ignore_missing: true + - rename: + field: json.Latitude + target_field: client.geo.location.lat + ignore_missing: true + - rename: + field: json.Longitude + target_field: client.geo.location.lon + ignore_missing: true + - rename: + field: json.PublicIP + target_field: client.ip + ignore_missing: true + - append: + field: related.ip + value: "{{{client.ip}}}" + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.Hostname + target_field: host.hostname + ignore_missing: true + - rename: + field: json.Platform + target_field: host.os.platform + ignore_missing: true + - rename: + field: json.Customer + target_field: organization.name + ignore_missing: true + - append: + field: related.hosts + value: "{{{server.domain}}}" + if: ctx?.server?.domain != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.ZENCountryCode + target_field: server.geo.country_iso_code + ignore_missing: true + - rename: + field: json.ZENLatitude + target_field: server.geo.location.lat + ignore_missing: true + - rename: + field: json.ZENLongitude + target_field: server.geo.location.lon + ignore_missing: true + - rename: + field: json.Username + 
target_field: user.name + ignore_missing: true + - rename: + field: json.CertificateCN + target_field: x509.issuer.common_name + ignore_missing: true + - rename: + field: json.SessionID + target_field: zscaler_zpa.user_status.session.id + ignore_missing: true + - rename: + field: json.SessionStatus + target_field: zscaler_zpa.user_status.session.status + ignore_missing: true + - rename: + field: json.Version + target_field: zscaler_zpa.user_status.version + ignore_missing: true + - rename: + field: json.ZEN + target_field: zscaler_zpa.user_status.zen.domain + ignore_missing: true + - convert: + field: json.PrivateIP + target_field: zscaler_zpa.user_status.private_ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: "{{{zscaler_zpa.user_status.private_ip}}}" + if: ctx?.zscaler_zpa?.user_status?.private_ip != null + allow_duplicates: false + ignore_failure: true + - date: + field: json.TimestampAuthentication + target_field: zscaler_zpa.user_status.timestamp.authentication + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampAuthentication + ignore_missing: true + - date: + field: json.TimestampUnAuthentication + target_field: zscaler_zpa.user_status.timestamp.unauthentication + ignore_failure: true + formats: + - ISO8601 + - remove: + field: json.TimestampUnAuthentication + ignore_missing: true + - rename: + field: json.TotalBytesRx + target_field: zscaler_zpa.user_status.total.bytes_rx + ignore_missing: true + - rename: + field: json.TotalBytesTx + target_field: zscaler_zpa.user_status.total.bytes_tx + ignore_missing: true + - rename: + field: json.Idp + target_field: zscaler_zpa.user_status.idp + ignore_missing: true + - rename: + field: json.ClientType + target_field: zscaler_zpa.user_status.client.type + ignore_missing: true + - rename: + field: json.TrustedNetworks + target_field: zscaler_zpa.user_status.trusted_networks + ignore_missing: true + - rename: + field: json.TrustedNetworksNames + target_field: 
zscaler_zpa.user_status.trusted_networks_names + ignore_missing: true + - script: + source: | + ctx.zscaler_zpa.user_status.fqdn = new HashMap(); + ctx.zscaler_zpa.user_status.fqdn.registered = (ctx.json.FQDNRegistered != "0"); + if: ctx.json.FQDNRegistered != null + ignore_failure: true + - remove: + field: json.FQDNRegistered + ignore_missing: true + - rename: + field: json.FQDNRegisteredError + target_field: zscaler_zpa.user_status.fqdn.registered_error + ignore_missing: true + - split: + field: json.SAMLAttributes + target_field: zscaler_zpa.user_status.saml_attributes + separator: ',' + ignore_failure: true + - remove: + field: json.SAMLAttributes + ignore_failure: true + - split: + field: json.PosturesHit + target_field: zscaler_zpa.user_status.postures.hit + separator: ',' + ignore_failure: true + - remove: + field: json.PosturesHit + ignore_failure: true + - split: + field: json.PosturesMiss + target_field: zscaler_zpa.user_status.postures.miss + separator: ',' + ignore_failure: true + - remove: + field: json.PosturesMiss + ignore_failure: true + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); + - script: + description: Adds all the remaining fields in fields under zscaler_zpa.user_status + lang: painless + if: ctx?.json != null + source: | + for (Map.Entry m : ctx.json.entrySet()) { + ctx.zscaler_zpa.user_status[m.getKey()] = m.getValue(); + } + - remove: + field: json + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || 
!(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: +- set: + field: error.message + value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/zscaler_zpa/data_stream/user_status/fields/agent.yml b/packages/zscaler_zpa/data_stream/user_status/fields/agent.yml new file mode 100644 index 00000000000..e313ec82874 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/user_status/fields/agent.yml 
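Review bot: The `related.hosts` append reads `server.domain`, but nothing in this pipeline ever sets `server.domain` — the ZEN hostname is renamed to `zscaler_zpa.user_status.zen.domain` further down — so `related.hosts` (declared in this data stream's ecs.yml) is never populated, which the expected-output fixture confirms by containing only `related.ip`. Change that processor to `value: "{{{zscaler_zpa.user_status.zen.domain}}}"` with `if: ctx?.zscaler_zpa?.user_status?.zen?.domain != null` and move it after the `json.ZEN` rename. Separately, the LogTimestamp `formats` list contains `E MMM d HH:mm:ss yyyy` twice; if the second entry was meant to accept the space-padded single-digit day that asctime-style stamps produce (`Wed Jul  3 ...`), it should be `E MMM  d HH:mm:ss yyyy`, otherwise the duplicate should go. The final "remaining fields" script indexes `ctx.zscaler_zpa.user_status` without a null guard, so an event in which none of the recognised keys was present (nothing renamed into that object) appears to fail with a null-pointer error into `on_failure` instead of being indexed with its leftover fields; guarding with `ctx.zscaler_zpa?.user_status != null` in the `if` or creating the map first would avoid that.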
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/zscaler_zpa/data_stream/user_status/fields/base-fields.yml b/packages/zscaler_zpa/data_stream/user_status/fields/base-fields.yml new file mode 100644 index 00000000000..8e148e061fb --- /dev/null +++ b/packages/zscaler_zpa/data_stream/user_status/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: zscaler_zpa +- name: event.dataset + type: constant_keyword + description: Event dataset + value: zscaler_zpa.user_status diff --git a/packages/zscaler_zpa/data_stream/user_status/fields/ecs.yml b/packages/zscaler_zpa/data_stream/user_status/fields/ecs.yml new file mode 100644 index 00000000000..7eb11b68a46 --- /dev/null +++ b/packages/zscaler_zpa/data_stream/user_status/fields/ecs.yml @@ -0,0 +1,28 @@ +- external: ecs + name: client.geo.country_iso_code +- description: Longitude and latitude. + level: core + name: client.geo.location + type: geo_point +- external: ecs + name: client.ip +- external: ecs + name: ecs.version +- external: ecs + name: organization.name +- external: ecs + name: server.geo.country_iso_code +- description: Longitude and latitude. + level: core + name: server.geo.location + type: geo_point +- external: ecs + name: related.hosts +- external: ecs + name: related.ip +- external: ecs + name: tags +- external: ecs + name: user.name +- external: ecs + name: x509.issuer.common_name 
diff --git a/packages/zscaler_zpa/data_stream/user_status/fields/fields.yml b/packages/zscaler_zpa/data_stream/user_status/fields/fields.yml
new file mode 100644
index 00000000000..5a0ba286584
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/user_status/fields/fields.yml
@@ -0,0 +1,93 @@ +- name: zscaler_zpa.user_status + type: group + fields: + - name: client.type + type: keyword + description: | + The client type for the request (i.e., Zscaler Client Connector, ZPA LSS, or Web Browser). + - name: idp + type: keyword + description: | + The name of the identity provider (IdP) as configured in the ZPA Admin Portal. + - name: fqdn + type: group + fields: + - name: registered + type: boolean + description: | + The status of the hostname for the client-to-client connection. The expected values for this field are true or false. + - name: registered_error + type: keyword + description: | + The status of the registered hostname. + - name: postures + type: group + fields: + - name: hit + type: keyword + description: | + The posture profiles that the Zscaler Client Connector verified for this device. + - name: miss + type: keyword + description: | + The posture profiles that the Zscaler Client Connector failed to verified for this device. + - name: private_ip + type: ip + description: | + The private IP address of the Zscaler Client Connector. + - name: saml_attributes + type: keyword + description: | + The list of SAML attributes reported by the IdP. + - name: session + type: group + fields: + - name: id + type: keyword + description: | + The TLS session ID. + - name: status + type: keyword + description: | + The status of the session. + - name: timestamp + type: group + fields: + - name: authentication + type: date + description: | + Timestamp in microseconds when the Zscaler Client Connector was authenticated. + - name: unauthentication + type: date + description: | + Timestamp in microseconds when the Zscaler Client Connector was unauthenticated. + - name: total + type: group + fields: + - name: bytes_rx + type: long + description: | + The total bytes received. + - name: bytes_tx + type: long + description: | + The total bytes transmitted. 
+ - name: trusted_networks
+ type: keyword
+ description: |
+ The unique IDs for the trusted networks that the Zscaler Client Connector has determined for this device.
+ - name: trusted_networks_names
+ type: keyword
+ description: |
+ The names for the trusted networks that the Zscaler Client Connector has determined for this device.
+ - name: version
+ type: keyword
+ description: |
+ The Zscaler Client Connector version.
+ - name: zen.domain
+ type: keyword
+ description: |-
+ The Public Service Edge (formerly Zscaler Enforcement Node or ZEN) or ZPA Private Service Edge that was selected for the connection
+- name: log.source.address
+ type: keyword
+ description: Source address from which the log event was read / sent from.
diff --git a/packages/zscaler_zpa/data_stream/user_status/manifest.yml b/packages/zscaler_zpa/data_stream/user_status/manifest.yml
new file mode 100644
index 00000000000..68be6616e6f
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/user_status/manifest.yml
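Review bot: The `postures.miss` description reads "failed to verified", which should be "failed to verify", and both `timestamp.*` descriptions say "Timestamp in microseconds" although the fields are mapped as `date` and the pipeline parses them from ISO8601 strings — suggest "Timestamp (ISO 8601) when the Zscaler Client Connector was authenticated" and the matching wording for `unauthentication`. The `zen.domain` description is also the only one without a terminating period, which is worth aligning with the rest of the file.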
@@ -0,0 +1,41 @@
+title: User Status Logs
+type: logs
+streams:
+ - input: tcp
+ template_path: tcp.yml.hbs
+ title: Zscaler Private Access User Status Logs
+ description: Collect Zscaler Private Access User Status Logs using tcp input
+ vars:
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The TCP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9019
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - zscaler_zpa-user_status
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zscaler_zpa/data_stream/user_status/sample_event.json b/packages/zscaler_zpa/data_stream/user_status/sample_event.json
new file mode 100644
index 00000000000..fe6f41e1639
--- /dev/null
+++ b/packages/zscaler_zpa/data_stream/user_status/sample_event.json
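Review bot: The stream template (`tcp.yml.hbs` in this same diff) emits `ssl: {{ssl}}` only when an `ssl` variable is set, but this manifest declares no such var — only `listen_port`, `tags`, `preserve_original_event` and `processors` — so unless `ssl` is defined in the package-level manifest (not in this chunk) there is no way to enable TLS on the listener, and LSS records carrying usernames, public IPs, hostnames and SAML attributes are accepted only in cleartext. Adding a `yaml`-typed `ssl` var next to `processors`, as below, lets operators hand the Beats server-side SSL options (certificate, key, client verification) to the TCP input. `listen_address` is likewise referenced by the template but not declared here; the system test config sets it at package level, which suggests it lives in the top-level manifest and is fine as is.

```yaml
# … unchanged: listen_port, tags, preserve_original_event, processors …
    - name: ssl
      type: yaml
      title: SSL Configuration
      description: SSL options for the TCP listener (server certificate, key and client verification). See the Filebeat SSL configuration documentation for the available settings.
      multi: false
      required: false
      show_user: false
```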
@@ -0,0 +1,130 @@ +{ + "@timestamp": "2019-05-31T17:34:48.000Z", + "agent": { + "ephemeral_id": "24dbe515-d3ac-4cb8-aa21-eeee2c2f9204", + "hostname": "docker-fleet-agent", + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.16.2" + }, + "client": { + "geo": { + "country_iso_code": "US", + "location": { + "lat": 45, + "lon": -119 + } + }, + "ip": "81.2.69.144" + }, + "data_stream": { + "dataset": "zscaler_zpa.user_status", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "snapshot": false, + "version": "7.16.2" + }, + "event": { + "agent_id_status": "verified", + "category": "iam", + "dataset": "zscaler_zpa.user_status", + "ingested": "2022-02-03T13:36:02Z", + "kind": "state", + "type": [ + "info", + "user" + ] + }, + "host": { + "hostname": "DESKTOP-99HCSJ1", + "os": { + "platform": "windows" + } + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.21.0.7:57146" + } + }, + "organization": { + "name": "Customer XYZ" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "server": { + "geo": { + "location": { + "lat": 47, + "lon": -122 + } + } + }, + "tags": [ + "forwarded", + "zscaler_zpa-user_status" + ], + "user": { + "name": "ZPA LSS Client" + }, + "x509": { + "issuer": { + "common_name": "loggerz2x.pde.zpabeta.net" + } + }, + "zscaler_zpa": { + "user_status": { + "client": { + "type": "zpn_client_type_zapp" + }, + "fqdn": { + "registered": false, + "registered_error": "CUSTOMER_NOT_ENABLED" + }, + "idp": "IDP Config", + "postures": { + "hit": [ + "sm-posture1", + "sm-posture2" + ], + "miss": [ + "sm-posture11", + "sm-posture12" + ] + }, + "saml_attributes": [ + "myname:user", + "myemail:user@zscaler.com" + ], + "session": { + "id": "vkczUERSLl88Y+ytH8v5", + "status": "ZPN_STATUS_AUTHENTICATED" + }, + "timestamp": { + "authentication": "2019-05-29T21:18:38.000Z" + }, 
+ "total": { + "bytes_rx": 31274866, + "bytes_tx": 25424152 + }, + "trusted_networks": "TN1_stc1", + "trusted_networks_names": "145248739466696953", + "version": "19.12.0-36-g87dad18", + "zen": { + "domain": "broker2b.pdx" + } + } + } +} \ No newline at end of file diff --git a/packages/zscaler_zpa/docs/README.md b/packages/zscaler_zpa/docs/README.md new file mode 100644 index 00000000000..5d55fc4508c --- /dev/null +++ b/packages/zscaler_zpa/docs/README.md 
@@ -0,0 +1,1248 @@ +# Zscaler ZPA + +This integration is for Zscaler Private Access logs. It can be used +to receive logs sent by LSS Log Receiver on respective TCP ports. + +The log message is expected to be in JSON format. The data is mapped to +ECS fields where applicable and the remaining fields are written under +`zscaler_zpa..*`. + +## Setup steps + +1. Enable the integration with the TCP input. +2. Configure the Zscaler LSS Log Receiver to send logs to the Elastic Agent +that is running this integration. See [_Setup Log Receiver_](https://help.zscaler.com/zpa/configuring-log-receiver). Use the IP address/hostname of the Elastic Agent as the 'Log Receiver Domain or IP Address', and use the listening port of the Elastic Agent as the 'TCP Port' on the _Add Log Receiver_ configuration screen. +3. *Please make sure to use the given response formats.* + +## Compatibility + +This package has been tested against `Zscaler Private Access Client Connector version 3.7.1.44` + +## Documentation and configuration + +### App Connector Status Logs + +Default port: _9015_ + +Vendor documentation: https://help.zscaler.com/zpa/about-connector-status-log-fields + +Zscaler response format: +``` +{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"SessionType": %j{SessionType},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"Platform": %j{Platform},"ZEN": %j{ZEN},"Connector": %j{Connector},"ConnectorGroup": %j{ConnectorGroup},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"CPUUtilization": %d{CPUUtilization},"MemUtilization": %d{MemUtilization},"ServiceCount": %d{ServiceCount},"InterfaceDefRoute": %j{InterfaceDefRoute},"DefRouteGW": %j{DefRouteGW},"PrimaryDNSResolver": %j{PrimaryDNSResolver},"HostUpTime": 
%j{HostUpTime},"ConnectorUpTime": %j{ConnectorUpTime},"NumOfInterfaces": %d{NumOfInterfaces},"BytesRxInterface": %d{BytesRxInterface},"PacketsRxInterface": %d{PacketsRxInterface},"ErrorsRxInterface": %d{ErrorsRxInterface},"DiscardsRxInterface": %d{DiscardsRxInterface},"BytesTxInterface": %d{BytesTxInterface},"PacketsTxInterface": %d{PacketsTxInterface},"ErrorsTxInterface": %d{ErrorsTxInterface},"DiscardsTxInterface": %d{DiscardsTxInterface},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx}}\n +``` + +Sample Response: +```json +{"LogTimestamp":"Wed Jul 3 05:17:22 2019","Customer":"Safe March","SessionID":"8A64Qwj9zCkfYDGJVoUZ","SessionType":"ZPN_ASSISTANT_BROKER_CONTROL","SessionStatus":"ZPN_STATUS_AUTHENTICATED","Version":"19.20.3","Platform":"el7","ZEN":"US-NY-8179","Connector":"Seattle App Connector 1","ConnectorGroup":"Azure App Connectors","PrivateIP":"10.0.0.4","PublicIP":"0.0.0.0","Latitude":47,"Longitude":-122,"CountryCode":"","TimestampAuthentication":"2019-06-27T05:05:23.348Z","TimestampUnAuthentication":"","CPUUtilization":1,"MemUtilization":20,"ServiceCount":2,"InterfaceDefRoute":"eth0","DefRouteGW":"10.0.0.1","PrimaryDNSResolver":"168.63.129.16","HostStartTime":"1513229995","ConnectorStartTime":"1555920005","NumOfInterfaces":2,"BytesRxInterface":319831966346,"PacketsRxInterface":1617569938,"ErrorsRxInterface":0,"DiscardsRxInterface":0,"BytesTxInterface":192958782635,"PacketsTxInterface":1797471190,"ErrorsTxInterface":0,"DiscardsTxInterface":0,"TotalBytesRx":10902554,"TotalBytesTx":48931771} +``` + +### Audit Logs + +Default port: _9016_ + +Vendor documentation: https://help.zscaler.com/zpa/about-audit-log-fields + +Zscaler response format: +``` 
+{"ModifiedTime":%j{modifiedTime:iso8601},"CreationTime":%j{creationTime:iso8601},"ModifiedBy":%d{modifiedBy},"RequestID":%j{requestId},"SessionID":%j{sessionId},"AuditOldValue":%j{auditOldValue},"AuditNewValue":%j{auditNewValue},"AuditOperationType":%j{auditOperationType},"ObjectType":%j{objectType},"ObjectName":%j{objectName},"ObjectID":%d{objectId},"CustomerID":%d{customerId},"User":%j{modifiedByUser},"ClientAuditUpdate":%d{isClientAudit}}\n
+```
+
+Sample Response:
+```json
+{"ModifiedTime":"2021-11-17T04:29:38.000Z","CreationTime":"2021-11-17T04:29:38.000Z","ModifiedBy":12345678901234567,"RequestID":"11111111-1111-1111-1111-111111111111","SessionID":"1idn23nlfm2q1txa5h3r4mep6","AuditOldValue":"","AuditNewValue":"{\"id\":\"72058340288495701\",\"name\":\"Some-Name\",\"domainOrIpAddress\":\"1.0.0.1\",\"description\":\"This is a description field\",\"enabled\":\"true\"}","AuditOperationType":"Create","ObjectType":"Server","ObjectName":"Some-Name","ObjectID":12345678901234567,"CustomerID":98765432109876543,"User":"zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com","ClientAuditUpdate":0}
+```
+
+### Browser Access Logs
+
+Default port: _9017_
+
+Vendor documentation: https://help.zscaler.com/zpa/about-browser-access-log-fields
+
+Zscaler response format:
+```
+{"LogTimestamp":%j{LogTimestamp:time},"ConnectionID":%j{ConnectionID},"Exporter":%j{Exporter},"TimestampRequestReceiveStart":%j{TimestampRequestReceiveStart:iso8601},"TimestampRequestReceiveHeaderFinish":%j{TimestampRequestReceiveHeaderFinish:iso8601},"TimestampRequestReceiveFinish":%j{TimestampRequestReceiveFinish:iso8601},"TimestampRequestTransmitStart":%j{TimestampRequestTransmitStart:iso8601},"TimestampRequestTransmitFinish":%j{TimestampRequestTransmitFinish:iso8601},"TimestampResponseReceiveStart":%j{TimestampResponseReceiveStart:iso8601},"TimestampResponseReceiveFinish":%j{TimestampResponseReceiveFinish:iso8601},"TimestampResponseTransmitStart":%j{TimestampResponseTransmitStart:iso8601},"TimestampResponseTransmitFinish":%j{TimestampResponseTransmitFinish:iso8601},"TotalTimeRequestReceive":%d{TotalTimeRequestReceive},"TotalTimeRequestTransmit":%d{TotalTimeRequestTransmit},"TotalTimeResponseReceive":%d{TotalTimeResponseReceive},"TotalTimeResponseTransmit":%d{TotalTimeResponseTransmit},"TotalTimeConnectionSetup":%d{TotalTimeConnectionSetup},"TotalTimeServerResponse":%d{TotalTimeServerResponse},"Method":%j{Method},"Protocol":%j{Protocol},"Host":%j{Host},"URL":%j{URL},"UserAgent":%j{UserAgent},"XFF":%j{XFF},"NameID":%j{NameID},"StatusCode":%d{StatusCode},"RequestSize":%d{RequestSize},"ResponseSize":%d{ResponseSize},"ApplicationPort":%d{ApplicationPort},"ClientPublicIp":%j{ClientPublicIp},"ClientPublicPort":%d{ClientPublicPort},"ClientPrivateIp":%j{ClientPrivateIp},"Customer":%j{Customer},"ConnectionStatus":%j{ConnectionStatus},"ConnectionReason":%j{ConnectionReason},"Origin":%j{Origin},"CorsToken":%j{CorsToken}}\n
+```
+
+Sample Response:
+```json
+{"LogTimestamp":"Wed Jul 3 05:12:25 2019","ConnectionID":"","Exporter":"unset","TimestampRequestReceiveStart":"2019-07-03T05:12:25.723Z","TimestampRequestReceiveHeaderFinish":"2019-07-03T05:12:25.723Z","TimestampRequestReceiveFinish":"2019-07-03T05:12:25.723Z","TimestampRequestTransmitStart":"2019-07-03T05:12:25.790Z","TimestampRequestTransmitFinish":"2019-07-03T05:12:25.790Z","TimestampResponseReceiveStart":"2019-07-03T05:12:25.791Z","TimestampResponseReceiveFinish":"2019-07-03T05:12:25.791Z","TimestampResponseTransmitStart":"2019-07-03T05:12:25.791Z","TimestampResponseTransmitFinish":"2019-07-03T05:12:25.791Z","TotalTimeRequestReceive":127,"TotalTimeRequestTransmit":21,"TotalTimeResponseReceive":73,"TotalTimeResponseTransmit":13,"TotalTimeConnectionSetup":66995,"TotalTimeServerResponse":1349,"Method":"GET","Protocol":"HTTPS","Host":"portal.beta.zdemo.net","URL":"/media/Regular.woff","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15","XFF":"","NameID":"admin@zdemo.net","StatusCode":304,"RequestSize":615,"ResponseSize":331,"ApplicationPort":443,"ClientPublicIp":"175.16.199.1","ClientPublicPort":60006,"ClientPrivateIp":"","Customer":"ANZ Team/zdemo in beta","ConnectionStatus":"","ConnectionReason":""}
+```
+
+### User Activity Logs
+
+Default port: _9018_
+
+Vendor documentation: https://help.zscaler.com/zpa/about-user-activity-log-fields
+
+Zscaler response format:
+```
+{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"ConnectionID": %j{ConnectionID},"InternalReason": %j{InternalReason},"ConnectionStatus": %j{ConnectionStatus},"IPProtocol": %d{IPProtocol},"DoubleEncryption": %d{DoubleEncryption},"Username": %j{Username},"ServicePort": %d{ServicePort},"ClientPublicIP": %j{ClientPublicIP},"ClientPrivateIP": %j{ClientPrivateIP},"ClientLatitude": %f{ClientLatitude},"ClientLongitude": %f{ClientLongitude},"ClientCountryCode": %j{ClientCountryCode},"ClientZEN": %j{ClientZEN},"Policy": %j{Policy},"Connector": %j{Connector},"ConnectorZEN": %j{ConnectorZEN},"ConnectorIP": %j{ConnectorIP},"ConnectorPort": %d{ConnectorPort},"Host": %j{Host},"Application": %j{Application},"AppGroup": %j{AppGroup},"Server": %j{Server},"ServerIP": %j{ServerIP},"ServerPort": %d{ServerPort},"PolicyProcessingTime": %d{PolicyProcessingTime},"ServerSetupTime": %d{ServerSetupTime},"TimestampConnectionStart": %j{TimestampConnectionStart:iso8601},"TimestampConnectionEnd": %j{TimestampConnectionEnd:iso8601},"TimestampCATx": %j{TimestampCATx:iso8601},"TimestampCARx": %j{TimestampCARx:iso8601},"TimestampAppLearnStart": %j{TimestampAppLearnStart:iso8601},"TimestampZENFirstRxClient": %j{TimestampZENFirstRxClient:iso8601},"TimestampZENFirstTxClient": %j{TimestampZENFirstTxClient:iso8601},"TimestampZENLastRxClient": %j{TimestampZENLastRxClient:iso8601},"TimestampZENLastTxClient": %j{TimestampZENLastTxClient:iso8601},"TimestampConnectorZENSetupComplete": %j{TimestampConnectorZENSetupComplete:iso8601},"TimestampZENFirstRxConnector": %j{TimestampZENFirstRxConnector:iso8601},"TimestampZENFirstTxConnector": %j{TimestampZENFirstTxConnector:iso8601},"TimestampZENLastRxConnector": %j{TimestampZENLastRxConnector:iso8601},"TimestampZENLastTxConnector": %j{TimestampZENLastTxConnector:iso8601},"ZENTotalBytesRxClient": %d{ZENTotalBytesRxClient},"ZENBytesRxClient": %d{ZENBytesRxClient},"ZENTotalBytesTxClient": %d{ZENTotalBytesTxClient},"ZENBytesTxClient": %d{ZENBytesTxClient},"ZENTotalBytesRxConnector": %d{ZENTotalBytesRxConnector},"ZENBytesRxConnector": %d{ZENBytesRxConnector},"ZENTotalBytesTxConnector": %d{ZENTotalBytesTxConnector},"ZENBytesTxConnector": %d{ZENBytesTxConnector},"Idp": %j{Idp},"ClientToClient": %j{c2c},"ConnectorZENSetupTime":%d{ConnectorZENSetupTime},"ConnectionSetupTime":%d{ConnectionSetupTime}}\n
+```
+
+Sample Response:
+```json
+{"LogTimestamp": "Fri May 31 17:35:42 2019","Customer": "Customer XYZ","SessionID": "LHJdkjmNDf12nclBsvwA","ConnectionID": "SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "ZPA LSS Client","ServicePort": 10011,"ClientPublicIP": "81.2.69.193","ClientPrivateIP": "","ClientLatitude": 45.000000,"ClientLongitude": -119.000000,"ClientCountryCode": "US","ClientZEN": "broker2b.pdx","Policy": "ANZ Lab Apps","Connector": "ZDEMO ANZ","ConnectorZEN": "broker2b.pdx","ConnectorIP": "67.43.156.12","ConnectorPort": 60266,"Host": "175.16.199.1","Application": "ANZ Lab Apps","AppGroup": "ANZ Lab Apps","Server": "0","ServerIP": "175.16.199.1","ServerPort": 10011,"PolicyProcessingTime": 28,"CAProcessingTime": 1330,"ServerSetupTime": 465,"AppLearnTime": 0,"TimestampConnectionStart": "2019-05-30T08:20:42.230Z","TimestampConnectionEnd": "","TimestampCATx": "2019-05-30T08:20:42.230Z","TimestampCARx": "2019-05-30T08:20:42.231Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "2019-05-30T08:20:42.424Z","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "2019-05-31T17:34:27.348Z","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2019-05-30T08:20:42.422Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "2019-05-30T08:20:42.424Z","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "2019-05-31T17:34:27.348Z","ZENTotalBytesRxClient": 2406926,"ZENBytesRxClient": 7115,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 2406926,"ZENBytesTxConnector": 7115,"Idp": "Example IDP Config","ConnectorZENSetupTime":1640674274,"ConnectionSetupTime":1640675274}
+```
+
+**Note: In order to populate _Slowest Applications_ (visualization); _"ConnectorZENSetupTime"_ and _"ConnectionSetupTime"_ fields are added into the default response format of Zscaler User Activity Log above.**
+
+### User Status Logs
+
+Default port: _9019_
+
+Vendor documentation: https://help.zscaler.com/zpa/about-user-status-log-fields
+
+Zscaler response format:
+```
+{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"Username": %j{Username},"SessionID": %j{SessionID},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"ZEN": %j{ZEN},"CertificateCN": %j{CertificateCN},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx},"Idp": %j{Idp},"Hostname": %j{Hostname},"Platform": %j{Platform},"ClientType": %j{ClientType},"TrustedNetworks": [%j(,){TrustedNetworks}],"TrustedNetworksNames": [%j(,){TrustedNetworksNames}],"SAMLAttributes": %j{SAMLAttributes},"PosturesHit": [%j(,){PosturesHit}],"PosturesMiss": [%j(,){PosturesMiss}],"ZENLatitude": %f{ZENLatitude},"ZENLongitude": %f{ZENLongitude},"ZENCountryCode": %j{ZENCountryCode},"FQDNRegistered": %j{fqdn_registered},"FQDNRegisteredError": %j{fqdn_register_error}}\n
+```
+
+Sample Response:
+```json
+{"LogTimestamp":"Fri May 31 17:34:48 2019","Customer":"Customer XYZ","Username":"ZPA LSS Client","SessionID":"vkczUERSLl88Y+ytH8v5","SessionStatus":"ZPN_STATUS_AUTHENTICATED","Version":"19.12.0-36-g87dad18","ZEN":"broker2b.pdx","CertificateCN":"loggerz2x.pde.zpabeta.net","PrivateIP":"","PublicIP":"81.2.69.144","Latitude":45,"Longitude":-119,"CountryCode":"US","TimestampAuthentication":"2019-05-29T21:18:38.000Z","TimestampUnAuthentication":"","TotalBytesRx":31274866,"TotalBytesTx":25424152,"Idp":"IDP 
Config","Hostname":"DESKTOP-99HCSJ1","Platform":"windows","ClientType":"zpn_client_type_zapp","TrustedNetworks":"TN1_stc1","TrustedNetworksNames":"145248739466696953","SAMLAttributes":"myname:user,myemail:user@zscaler.com","PosturesHit":"sm-posture1,sm-posture2","PosturesMiss":"sm-posture11,sm-posture12","ZENLatitude":47,"ZENLongitude":-122,"ZENCountryCode":""} +``` + +## Fields and Sample Event + +### App Connector Status Logs + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. 
| constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
| keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.geo.country_iso_code | Country ISO code. | keyword | +| observer.geo.location | Longitude and latitude | geo_point | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.version | Observer version. | keyword | +| organization.name | Organization name. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| tags | List of keywords used to tag each event. | keyword | +| zscaler_zpa.app_connector_status.connector.group | The App Connector group name. | keyword | +| zscaler_zpa.app_connector_status.connector.name | The App Connector name. | keyword | +| zscaler_zpa.app_connector_status.connector_start_time | Time in seconds at which App Connector was started. | date | +| zscaler_zpa.app_connector_status.connector_up_time | Time in seconds at which App Connector was started. | date | +| zscaler_zpa.app_connector_status.host_start_time | Time in seconds at which host was started. | date | +| zscaler_zpa.app_connector_status.host_up_time | Time in seconds at which host was started. | date | +| zscaler_zpa.app_connector_status.interface.name | The name of the interface to default route. | keyword | +| zscaler_zpa.app_connector_status.interface.received.bytes | The bytes received on the interface. 
| double | +| zscaler_zpa.app_connector_status.interface.received.discards | The discards received on the interface. | double | +| zscaler_zpa.app_connector_status.interface.received.errors | The errors received on the interface. | double | +| zscaler_zpa.app_connector_status.interface.received.packets | The packets received on the interface. | double | +| zscaler_zpa.app_connector_status.interface.transmitted.bytes | The bytes transmitted on the interface. | double | +| zscaler_zpa.app_connector_status.interface.transmitted.discards | The discards transmitted on the interface. | double | +| zscaler_zpa.app_connector_status.interface.transmitted.errors | The errors transmitted on the interface. | double | +| zscaler_zpa.app_connector_status.interface.transmitted.packets | The packets transmitted on the interface. | double | +| zscaler_zpa.app_connector_status.memory.utilization | The memory utilization in %. | double | +| zscaler_zpa.app_connector_status.num_of_interfaces | The number of interfaces on the App Connector host. | double | +| zscaler_zpa.app_connector_status.primary_dns_resolver | The IP address of the primary DNS resolver. | ip | +| zscaler_zpa.app_connector_status.private_ip | The private IP address of the App Connector. | ip | +| zscaler_zpa.app_connector_status.service.count | The number of services (combinations of domains/IP addresses and TCP/UDP ports) being monitored by the App Connector. | double | +| zscaler_zpa.app_connector_status.session.id | The TLS session ID. | keyword | +| zscaler_zpa.app_connector_status.session.status | The status of the session. | keyword | +| zscaler_zpa.app_connector_status.session.type | The type of session. | keyword | +| zscaler_zpa.app_connector_status.timestamp.authentication | Timestamp in microseconds when the App Connector was authenticated. | date | +| zscaler_zpa.app_connector_status.timestamp.unauthentication | Timestamp in microseconds when the App Connector was unauthenticated. 
| date | +| zscaler_zpa.app_connector_status.zen | The TLS session ID. | keyword | + + +An example event for `app_connector_status` looks as following: + +```json +{ + "@timestamp": "2019-07-03T05:17:22.000Z", + "agent": { + "ephemeral_id": "5879b806-6298-48ab-89a6-19ddcf612162", + "hostname": "docker-fleet-agent", + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.16.2" + }, + "client": { + "nat": { + "ip": "10.0.0.1" + } + }, + "data_stream": { + "dataset": "zscaler_zpa.app_connector_status", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "snapshot": false, + "version": "7.16.2" + }, + "event": { + "agent_id_status": "verified", + "category": "package", + "dataset": "zscaler_zpa.app_connector_status", + "ingested": "2022-02-03T13:30:46Z", + "kind": "event", + "original": "{\"LogTimestamp\":\"Wed Jul 3 05:17:22 2019\",\"Customer\":\"Customer Name\",\"SessionID\":\"8A64Qwj9zCkfYDGJVoUZ\",\"SessionType\":\"ZPN_ASSISTANT_BROKER_CONTROL\",\"SessionStatus\":\"ZPN_STATUS_AUTHENTICATED\",\"Version\":\"19.20.3\",\"Platform\":\"el7\",\"ZEN\":\"US-NY-8179\",\"Connector\":\"Some App Connector\",\"ConnectorGroup\":\"Some App Connector 
Group\",\"PrivateIP\":\"10.0.0.4\",\"PublicIP\":\"0.0.0.0\",\"Latitude\":47,\"Longitude\":-122,\"CountryCode\":\"\",\"TimestampAuthentication\":\"2019-06-27T05:05:23.348Z\",\"TimestampUnAuthentication\":\"\",\"CPUUtilization\":1,\"MemUtilization\":20,\"ServiceCount\":2,\"InterfaceDefRoute\":\"eth0\",\"DefRouteGW\":\"10.0.0.1\",\"PrimaryDNSResolver\":\"168.63.129.16\",\"HostStartTime\":\"1513229995\",\"HostUpTime\":\"1513229995\",\"ConnectorUpTime\":\"1555920005\",\"ConnectorStartTime\":\"1555920005\",\"NumOfInterfaces\":2,\"BytesRxInterface\":319831966346,\"PacketsRxInterface\":1617569938,\"ErrorsRxInterface\":0,\"DiscardsRxInterface\":0,\"BytesTxInterface\":192958782635,\"PacketsTxInterface\":1797471190,\"ErrorsTxInterface\":0,\"DiscardsTxInterface\":0,\"TotalBytesRx\":10902554,\"TotalBytesTx\":48931771}", + "type": "info" + }, + "host": { + "cpu": { + "usage": 1 + }, + "network": { + "egress": { + "bytes": 48931771 + }, + "ingress": { + "bytes": 10902554 + } + } + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.21.0.7:33226" + } + }, + "observer": { + "geo": { + "location": { + "lat": 47, + "lon": -122 + } + }, + "ip": [ + "0.0.0.0" + ], + "os": { + "platform": "el7" + }, + "type": "forwarder", + "version": "19.20.3" + }, + "organization": { + "name": "Customer Name" + }, + "related": { + "ip": [ + "10.0.0.1", + "0.0.0.0", + "10.0.0.4", + "168.63.129.16" + ] + }, + "tags": [ + "forwarded", + "zscaler_zpa-app_connectors_status" + ], + "zscaler_zpa": { + "app_connector_status": { + "connector": { + "group": "Some App Connector Group", + "name": "Some App Connector" + }, + "connector_start_time": "2019-04-22T08:00:05.000Z", + "connector_up_time": "2019-04-22T08:00:05.000Z", + "host_start_time": "2017-12-14T05:39:55.000Z", + "host_up_time": "2017-12-14T05:39:55.000Z", + "interface": { + "name": "eth0", + "received": { + "bytes": 319831966346, + "discards": 0, + "errors": 0, + "packets": 1617569938 + }, + "transmitted": { + "bytes": 
192958782635, + "discards": 0, + "errors": 0, + "packets": 1797471190 + } + }, + "memory": { + "utilization": 20 + }, + "num_of_interfaces": 2, + "primary_dns_resolver": "168.63.129.16", + "private_ip": "10.0.0.4", + "service": { + "count": 2 + }, + "session": { + "id": "8A64Qwj9zCkfYDGJVoUZ", + "status": "ZPN_STATUS_AUTHENTICATED", + "type": "ZPN_ASSISTANT_BROKER_CONTROL" + }, + "timestamp": { + "authentication": "2019-06-27T05:05:23.348Z" + }, + "zen": "US-NY-8179" + } + } +} +``` + +## Audit Logs + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| observer.geo.city_name | City name. | keyword | +| observer.geo.country_name | Country name. | keyword | +| observer.geo.location | Longitude and latitude. | geo_point | +| organization.id | Unique identifier for the organization. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.target.email | User email address. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.roles | Array of user roles at the time of the event. | keyword | +| x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | +| x509.issuer.common_name | List of common name (CN) of issuing certificate authority. 
| keyword | +| x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | +| x509.not_after | Time at which the certificate is no longer considered valid. | date | +| x509.not_before | Time at which the certificate is first considered valid. | date | +| zscaler_zpa.audit.client_audit_update | The flag to represent if the event is a client Audit log. | long | +| zscaler_zpa.audit.object.id | The ID associated with the object name. | keyword | +| zscaler_zpa.audit.object.name | The name of the object. This corresponds to the Resource Name in the Audit Log page. | keyword | +| zscaler_zpa.audit.object.type | The location within the ZPA Admin Portal where the Action was performed. | keyword | +| zscaler_zpa.audit.operation_type | The type of action performed. | keyword | +| zscaler_zpa.audit.session.id | The ID for the administrator's session in the ZPA Admin Portal. This corresponds to a successful sign in action occurring. | keyword | +| zscaler_zpa.audit.value.new | The new value that was changed if the action type is create, sign in, or update. | flattened | +| zscaler_zpa.audit.value.old | The previous value that was changed if the action type is delete, sign out, or update. 
| flattened | + + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2021-11-17T04:29:38.000Z", + "agent": { + "ephemeral_id": "75bcfb32-c04c-4455-88ed-41a659043c80", + "hostname": "docker-fleet-agent", + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.16.2" + }, + "data_stream": { + "dataset": "zscaler_zpa.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "snapshot": false, + "version": "7.16.2" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "iam" + ], + "created": "2021-11-17T04:29:38.000Z", + "dataset": "zscaler_zpa.audit", + "id": "11111111-1111-1111-1111-111111111111", + "ingested": "2022-02-03T13:32:04Z", + "kind": "event", + "type": [ + "creation" + ] + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.21.0.7:54030" + } + }, + "organization": { + "id": "98765432109876543" + }, + "related": { + "ip": [ + "1.0.0.1" + ] + }, + "server": { + "address": "1.0.0.1", + "ip": "1.0.0.1" + }, + "tags": [ + "forwarded", + "zscaler_zpa-audit" + ], + "user": { + "id": "12345678901234567", + "name": "zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com" + }, + "zscaler_zpa": { + "audit": { + "client_audit_update": 0, + "object": { + "id": "12345678901234567", + "name": "Some-Name", + "type": "Server" + }, + "operation_type": "Create", + "session": { + "id": "1idn23nlfm2q1txa5h3r4mep6" + }, + "value": { + "new": { + "description": "This is a description field", + "domainOrIpAddress": "1.0.0.1", + "enabled": "true", + "id": "72058340288495701", + "name": "Some-Name" + } + } + } + } +} +``` + +## Browser Access Logs + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. 
| keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude | geo_point | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.body.bytes | Size in bytes of the request body. | long | +| http.request.method | HTTP request method. The value should retain its casing from the original event. 
For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.response.body.bytes | Size in bytes of the response body. | long | +| http.response.status_code | HTTP response status code. | long | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| organization.name | Organization name. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.port | Port of the server. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. 
This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.path | Path of the request, such as "/search". | wildcard | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| user.name | Short name or login of the user. | keyword | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | +| zscaler_zpa.browser_access.client_private_ip | The private IP address of the user's device. | ip | +| zscaler_zpa.browser_access.connection.id | The application connection ID. | keyword | +| zscaler_zpa.browser_access.connection.status | The status of the connection. | keyword | +| zscaler_zpa.browser_access.cors_token | The token from the CORS request. | keyword | +| zscaler_zpa.browser_access.exporter | The Browser Access Service instance to ZPA Public Service Edge or ZPA Private Service Edge instance. | keyword | +| zscaler_zpa.browser_access.origin | The Browser Access domain that led to the origination of the CORS request. | keyword | +| zscaler_zpa.browser_access.timestamp.request.receive.finish | Timestamp in microseconds when Browser Access Service received the last byte of the HTTP request from web browser. | date | +| zscaler_zpa.browser_access.timestamp.request.receive.header_finish | Timestamp in microseconds when Browser Access Service received the last byte of the HTTP header corresponding to the request from web browser. 
| date | +| zscaler_zpa.browser_access.timestamp.request.receive.start | Timestamp in microseconds when Browser Access Service received the first byte of the HTTP request from web browser. | date | +| zscaler_zpa.browser_access.timestamp.request.transmit.finish | Timestamp in microseconds when Browser Access Service sent the last byte of the HTTP request to the web server. | date | +| zscaler_zpa.browser_access.timestamp.request.transmit.start | Timestamp in microseconds when Browser Access Service sent the first byte of the HTTP request to the web server. | date | +| zscaler_zpa.browser_access.timestamp.response.receive.finish | Timestamp in microseconds when Browser Access Service received the last byte of the HTTP response from the web server. | date | +| zscaler_zpa.browser_access.timestamp.response.receive.start | Timestamp in microseconds when Browser Access Service received the first byte of the HTTP response from the web server. | date | +| zscaler_zpa.browser_access.timestamp.response.transmit.finish | Timestamp in microseconds when Browser Access Service sent the last byte of the HTTP response to the web browser. | date | +| zscaler_zpa.browser_access.timestamp.response.transmit.start | Timestamp in microseconds when Browser Access Service sent the first byte of the HTTP response to the web browser. | date | +| zscaler_zpa.browser_access.total_time.connection.setup | Time difference between reception of the first byte of the HTTP request from web browser and transmission of the first byte towards the web server, as seen by the Browser Access Service. | long | +| zscaler_zpa.browser_access.total_time.request.receive | Time difference between reception of the first and last byte of the HTTP request from the web browser as seen by the Browser Access Service. 
| long | +| zscaler_zpa.browser_access.total_time.request.transmit | Time difference between transmission of the first and last byte of the HTTP request towards the web server as seen by the Browser Access Service. | long | +| zscaler_zpa.browser_access.total_time.response.receive | Time difference between reception of the first and last byte of the HTTP response from the web server as seen by the Browser Access Service. | long | +| zscaler_zpa.browser_access.total_time.response.transmit | Time difference between transmission of the first and last byte of the HTTP request towards the web server as seen by the Browser Access Service. | long | +| zscaler_zpa.browser_access.total_time.server.response | Time difference between transmission of the last byte of the HTTP request towards the web server and reception of the first byte of the HTTP response from web server, as seen by the Browser Access Service. | long | +| zscaler_zpa.browser_access.xff | The X-Forwarded-For (XFF) HTTP header. | keyword | + + +An example event for `browser_access` looks as following: + +```json +{ + "@timestamp": "2019-07-03T05:12:25.000Z", + "agent": { + "ephemeral_id": "10484a2f-b664-42ef-a849-7386c8257491", + "hostname": "docker-fleet-agent", + "id": "acf7dca8-817d-4681-bad3-1cc9bfefc49c", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.16.2" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 60006 + }, + "data_stream": { + "dataset": "zscaler_zpa.browser_access", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "acf7dca8-817d-4681-bad3-1cc9bfefc49c", + "snapshot": false, + "version": "7.16.2" + }, + "event": { + "agent_id_status": "verified", + "category": [ + 
"network", + "session" + ], + "dataset": "zscaler_zpa.browser_access", + "ingested": "2022-02-14T07:28:10Z", + "kind": "event", + "type": "connection" + }, + "http": { + "request": { + "body": { + "bytes": 615 + }, + "method": "GET" + }, + "response": { + "body": { + "bytes": 331 + }, + "status_code": 304 + } + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.26.0.7:47148" + } + }, + "organization": { + "name": "ANZ Team/zdemo in beta" + }, + "related": { + "ip": [ + "81.2.69.144", + "81.2.69.193" + ] + }, + "server": { + "address": "portal.beta.zdemo.net", + "port": 443 + }, + "tags": [ + "forwarded", + "zscaler_zpa-browser_access" + ], + "url": { + "domain": "portal.beta.zdemo.net", + "extension": "woff", + "original": "https://portal.beta.zdemo.net/media/regular.woff", + "path": "/media/regular.woff", + "scheme": "https" + }, + "user": { + "name": "admin@zdemo.net" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Safari", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15", + "os": { + "full": "Mac OS X 10.14.5", + "name": "Mac OS X", + "version": "10.14.5" + }, + "version": "12.1.1" + }, + "zscaler_zpa": { + "browser_access": { + "client_private_ip": "81.2.69.193", + "exporter": "unset", + "timestamp": { + "request": { + "receive": { + "finish": "2019-07-03T05:12:25.723Z", + "header_finish": "2019-07-03T05:12:25.723Z", + "start": "2019-07-03T05:12:25.723Z" + }, + "transmit": { + "finish": "2019-07-03T05:12:25.790Z", + "start": "2019-07-03T05:12:25.790Z" + } + }, + "response": { + "receive": { + "finish": "2019-07-03T05:12:25.791Z", + "start": "2019-07-03T05:12:25.791Z" + }, + "transmit": { + "finish": "2019-07-03T05:12:25.791Z", + "start": "2019-07-03T05:12:25.791Z" + } + } + }, + "total_time": { + "connection": { + "setup": 66995 + }, + "request": { + "receive": 127, + "transmit": 21 + }, + "response": { + "receive": 73, + 
"transmit": 13 + }, + "server": { + "response": 1349 + } + } + } + } +} +``` + +## User Activity Logs + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. 
| keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| organization.name | Organization name. | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| tags | List of keywords used to tag each event. | keyword | +| user.name | Short name or login of the user. | keyword | +| zscaler_zpa.user_activity.app_group | The application group name. | keyword | +| zscaler_zpa.user_activity.app_learn_time | Time in microseconds taken for App Connectors to learn about the requested application and report the learned information to the central authority. | long | +| zscaler_zpa.user_activity.application | The application name. | keyword | +| zscaler_zpa.user_activity.ca_processing_time | Time in microseconds taken for processing in the central authority. | long | +| zscaler_zpa.user_activity.client_private_ip | The private IP address of the Zscaler Client Connector. | ip | +| zscaler_zpa.user_activity.client_to_client | The status of the client-to-client connection. | keyword | +| zscaler_zpa.user_activity.connection.id | The application connection ID. | keyword | +| zscaler_zpa.user_activity.connection.setup_time | Time taken by the App Connector to process a notification from the App Connector selection microservice and set up the connection to the application server. | long | +| zscaler_zpa.user_activity.connection.status | The status of the connection. The expected values for this field are: [ Open, Close, Active ]. | keyword | +| zscaler_zpa.user_activity.connector.ip | The source IP address of the App Connector. 
| ip | +| zscaler_zpa.user_activity.connector.name | The App Connector name. | keyword | +| zscaler_zpa.user_activity.connector.port | The source port of the App Connector. | integer | +| zscaler_zpa.user_activity.connector_zen_setup_time | Time in microseconds taken for setting up connection between App Connector and ZPA Public Service Edge or ZPA Private Service Edge. | long | +| zscaler_zpa.user_activity.double_encryption | The double encryption status. | integer | +| zscaler_zpa.user_activity.idp | The name of the identity provider (IdP) as configured in the ZPA Admin Portal. | keyword | +| zscaler_zpa.user_activity.internal_reason | The internal reason for the status of the transaction. | keyword | +| zscaler_zpa.user_activity.policy.name | The access policy or timeout policy rule name. | keyword | +| zscaler_zpa.user_activity.policy.processing_time | Time in microseconds taken for processing the access policy associated with the application. | long | +| zscaler_zpa.user_activity.server | The server ID name. The server ID must be set to zero if dynamic server discovery is enabled. | keyword | +| zscaler_zpa.user_activity.server_setup_time | Time in microseconds taken for setting up connection at server. | long | +| zscaler_zpa.user_activity.service_port | The destination port of the server. | integer | +| zscaler_zpa.user_activity.session_id | The TLS session ID. | keyword | +| zscaler_zpa.user_activity.timestamp.app_learn_start | Time in microseconds taken for App Connectors to learn about the requested application and report the learned information to the central authority. | keyword | +| zscaler_zpa.user_activity.timestamp.ca.rx | Timestamp in microseconds when the central authority received request from ZPA Public Service Edge or ZPA Private Service Edge. | date | +| zscaler_zpa.user_activity.timestamp.ca.tx | Timestamp in microseconds when the central authority sent request to ZPA Public Service Edge or ZPA Private Service Edge. 
| date | +| zscaler_zpa.user_activity.timestamp.connection.end | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge terminated the connection. | date | +| zscaler_zpa.user_activity.timestamp.connection.start | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the initial request from Zscaler Client Connector to start the connection. | date | +| zscaler_zpa.user_activity.timestamp.connector_zen.setup_complete | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received request from App Connector to set up data connection. The request from the App Connector is triggered by the initial request for a specific application from the Zscaler Client Connector. | date | +| zscaler_zpa.user_activity.timestamp.zen.client.rx.first | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the first byte from the Zscaler Client Connector. | date | +| zscaler_zpa.user_activity.timestamp.zen.client.rx.last | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the last byte from the Zscaler Client Connector. | date | +| zscaler_zpa.user_activity.timestamp.zen.client.tx.first | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the first byte to the Zscaler Client Connector. | date | +| zscaler_zpa.user_activity.timestamp.zen.client.tx.last | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the last byte to the Zscaler Client Connector. | date | +| zscaler_zpa.user_activity.timestamp.zen.connector.rx.first | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the first byte from the App Connector. 
| date | +| zscaler_zpa.user_activity.timestamp.zen.connector.rx.last | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the last byte from the App Connector. | date | +| zscaler_zpa.user_activity.timestamp.zen.connector.tx.first | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the first byte to the App Connector. | date | +| zscaler_zpa.user_activity.timestamp.zen.connector.tx.last | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the last byte to the App Connector. | date | +| zscaler_zpa.user_activity.zen.client.bytes_rx | The additional bytes received from the Zscaler Client Connector since the last transaction log. | long | +| zscaler_zpa.user_activity.zen.client.bytes_tx | The additional bytes transmitted to the Zscaler Client Connector since the last transaction log. | long | +| zscaler_zpa.user_activity.zen.client.domain | The ZPA Public Service Edge (formerly Zscaler Enforcement Node or ZEN) or ZPA Private Service Edge that received the request from the Zscaler Client Connector. | keyword | +| zscaler_zpa.user_activity.zen.client.total.bytes_rx | The total bytes received from the Zscaler Client Connector by the ZPA Public Service Edge or ZPA Private Service Edge. | long | +| zscaler_zpa.user_activity.zen.client.total.bytes_tx | The total bytes transmitted to the Zscaler Client Connector from the ZPA Public Service Edge or ZPA Private Service Edge. | long | +| zscaler_zpa.user_activity.zen.connector.bytes_rx | The additional bytes received from the App Connector since the last transaction log. | long | +| zscaler_zpa.user_activity.zen.connector.bytes_tx | The additional bytes transmitted by the App Connector since the last transaction log. | long | +| zscaler_zpa.user_activity.zen.connector.domain | The ZPA Public Service Edge or ZPA Private Service Edge that sent the request from the App Connector. 
| keyword | +| zscaler_zpa.user_activity.zen.connector.total.bytes_rx | The total bytes received from the App Connector by the ZPA Public Service Edge or ZPA Private Service Edge. | long | +| zscaler_zpa.user_activity.zen.connector.total.bytes_tx | The total bytes transmitted to the App Connector from the ZPA Public Service Edge or ZPA Private Service Edge. | long | + + +An example event for `user_activity` looks as following: + +```json +{ + "@timestamp": "2019-05-31T17:35:42.000Z", + "agent": { + "ephemeral_id": "2686f611-4bf3-4df9-8934-843cbd32d161", + "hostname": "docker-fleet-agent", + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.16.2" + }, + "client": { + "geo": { + "country_iso_code": "US", + "location": { + "lat": 45, + "lon": -119 + } + }, + "ip": "81.2.69.193" + }, + "data_stream": { + "dataset": "zscaler_zpa.user_activity", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "snapshot": false, + "version": "7.16.2" + }, + "event": { + "agent_id_status": "verified", + "category": "iam", + "dataset": "zscaler_zpa.user_activity", + "ingested": "2022-02-03T13:34:37Z", + "kind": "event", + "type": [ + "info", + "user" + ] + }, + "host": { + "ip": "175.16.199.1" + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.21.0.7:59296" + } + }, + "network": { + "type": "ipv6" + }, + "organization": { + "name": "Customer XYZ" + }, + "related": { + "hosts": [ + "broker2b.pdx" + ], + "ip": [ + "81.2.69.193", + "175.16.199.1", + "67.43.156.12" + ] + }, + "server": { + "ip": "175.16.199.1", + "port": 10011 + }, + "tags": [ + "forwarded", + "zscaler_zpa-user_activity" + ], + "user": { + "name": "ZPA LSS Client" + }, + "zscaler_zpa": { + "user_activity": { + "app_group": "ABC Lab Apps", + "app_learn_time": 0, + "application": "ABC Lab Apps", + "ca_processing_time": 1330, + 
"client_to_client": "0", + "connection": { + "id": "SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm", + "setup_time": 192397, + "status": "active" + }, + "connector": { + "ip": "67.43.156.12", + "name": "ZDEMO ABC", + "port": 60266 + }, + "connector_zen_setup_time": 191017, + "double_encryption": 0, + "idp": "Example IDP Config", + "policy": { + "name": "ABC Lab Apps", + "processing_time": 28 + }, + "server": "0", + "server_setup_time": 465, + "service_port": 10011, + "session_id": "LHJdkjmNDf12nclBsvwA", + "timestamp": { + "ca": { + "rx": "2019-05-30T08:20:42.231Z", + "tx": "2019-05-30T08:20:42.230Z" + }, + "connection": { + "start": "2019-05-30T08:20:42.230Z" + }, + "connector_zen": { + "setup_complete": "2019-05-30T08:20:42.422Z" + }, + "zen": { + "client": { + "rx": { + "first": "2019-05-30T08:20:42.424Z", + "last": "2019-05-31T17:34:27.348Z" + } + }, + "connector": { + "tx": { + "first": "2019-05-30T08:20:42.424Z", + "last": "2019-05-31T17:34:27.348Z" + } + } + } + }, + "zen": { + "client": { + "bytes_rx": 7115, + "bytes_tx": 0, + "domain": "broker2b.pdx", + "total": { + "bytes_rx": 2406926, + "bytes_tx": 0 + } + }, + "connector": { + "bytes_rx": 0, + "bytes_tx": 7115, + "domain": "broker2b.pdx", + "total": { + "bytes_rx": 0, + "bytes_tx": 2406926 + } + } + } + } + } +} +``` + +## User Status Logs + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. 
| keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| organization.name | Organization name. | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| server.geo.country_iso_code | Country ISO code. | keyword | +| server.geo.location | Longitude and latitude. | geo_point | +| tags | List of keywords used to tag each event. | keyword | +| user.name | Short name or login of the user. | keyword | +| x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | +| zscaler_zpa.user_status.client.type | The client type for the request (i.e., Zscaler Client Connector, ZPA LSS, or Web Browser). 
| keyword | +| zscaler_zpa.user_status.fqdn.registered | The status of the hostname for the client-to-client connection. The expected values for this field are true or false. | boolean | +| zscaler_zpa.user_status.fqdn.registered_error | The status of the registered hostname. | keyword | +| zscaler_zpa.user_status.idp | The name of the identity provider (IdP) as configured in the ZPA Admin Portal. | keyword | +| zscaler_zpa.user_status.postures.hit | The posture profiles that the Zscaler Client Connector verified for this device. | keyword | +| zscaler_zpa.user_status.postures.miss | The posture profiles that the Zscaler Client Connector failed to verified for this device. | keyword | +| zscaler_zpa.user_status.private_ip | The private IP address of the Zscaler Client Connector. | ip | +| zscaler_zpa.user_status.saml_attributes | The list of SAML attributes reported by the IdP. | keyword | +| zscaler_zpa.user_status.session.id | The TLS session ID. | keyword | +| zscaler_zpa.user_status.session.status | The status of the session. | keyword | +| zscaler_zpa.user_status.timestamp.authentication | Timestamp in microseconds when the Zscaler Client Connector was authenticated. | date | +| zscaler_zpa.user_status.timestamp.unauthentication | Timestamp in microseconds when the Zscaler Client Connector was unauthenticated. | date | +| zscaler_zpa.user_status.total.bytes_rx | The total bytes received. | long | +| zscaler_zpa.user_status.total.bytes_tx | The total bytes transmitted. | long | +| zscaler_zpa.user_status.trusted_networks | The unique IDs for the trusted networks that the Zscaler Client Connector has determined for this device. | keyword | +| zscaler_zpa.user_status.trusted_networks_names | The names for the trusted networks that the Zscaler Client Connector has determined for this device. | keyword | +| zscaler_zpa.user_status.version | The Zscaler Client Connector version. 
| keyword | +| zscaler_zpa.user_status.zen.domain | The Public Service Edge (formerly Zscaler Enforcement Node or ZEN) or ZPA Private Service Edge that was selected for the connection | keyword | + + +An example event for `user_status` looks as following: + +```json +{ + "@timestamp": "2019-05-31T17:34:48.000Z", + "agent": { + "ephemeral_id": "24dbe515-d3ac-4cb8-aa21-eeee2c2f9204", + "hostname": "docker-fleet-agent", + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.16.2" + }, + "client": { + "geo": { + "country_iso_code": "US", + "location": { + "lat": 45, + "lon": -119 + } + }, + "ip": "81.2.69.144" + }, + "data_stream": { + "dataset": "zscaler_zpa.user_status", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", + "snapshot": false, + "version": "7.16.2" + }, + "event": { + "agent_id_status": "verified", + "category": "iam", + "dataset": "zscaler_zpa.user_status", + "ingested": "2022-02-03T13:36:02Z", + "kind": "state", + "type": [ + "info", + "user" + ] + }, + "host": { + "hostname": "DESKTOP-99HCSJ1", + "os": { + "platform": "windows" + } + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.21.0.7:57146" + } + }, + "organization": { + "name": "Customer XYZ" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "server": { + "geo": { + "location": { + "lat": 47, + "lon": -122 + } + } + }, + "tags": [ + "forwarded", + "zscaler_zpa-user_status" + ], + "user": { + "name": "ZPA LSS Client" + }, + "x509": { + "issuer": { + "common_name": "loggerz2x.pde.zpabeta.net" + } + }, + "zscaler_zpa": { + "user_status": { + "client": { + "type": "zpn_client_type_zapp" + }, + "fqdn": { + "registered": false, + "registered_error": "CUSTOMER_NOT_ENABLED" + }, + "idp": "IDP Config", + "postures": { + "hit": [ + "sm-posture1", + "sm-posture2" + ], + "miss": [ + "sm-posture11", + 
"sm-posture12" + ] + }, + "saml_attributes": [ + "myname:user", + "myemail:user@zscaler.com" + ], + "session": { + "id": "vkczUERSLl88Y+ytH8v5", + "status": "ZPN_STATUS_AUTHENTICATED" + }, + "timestamp": { + "authentication": "2019-05-29T21:18:38.000Z" + }, + "total": { + "bytes_rx": 31274866, + "bytes_tx": 25424152 + }, + "trusted_networks": "TN1_stc1", + "trusted_networks_names": "145248739466696953", + "version": "19.12.0-36-g87dad18", + "zen": { + "domain": "broker2b.pdx" + } + } + } +} +``` diff --git a/packages/zscaler_zpa/img/zscaler-logo.svg b/packages/zscaler_zpa/img/zscaler-logo.svg new file mode 100644 index 00000000000..b8a21a2fa6e --- /dev/null +++ b/packages/zscaler_zpa/img/zscaler-logo.svg @@ -0,0 +1 @@ +Zscaler-Logo-TM-Blue-RGB-May2019 \ No newline at end of file diff --git a/packages/zscaler_zpa/img/zscaler-zpa-screenshot.png b/packages/zscaler_zpa/img/zscaler-zpa-screenshot.png new file mode 100644 index 00000000000..45c90c9d1e5 Binary files /dev/null and b/packages/zscaler_zpa/img/zscaler-zpa-screenshot.png differ diff --git a/packages/zscaler_zpa/kibana/dashboard/zscaler_zpa-26cc19c0-4c44-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/dashboard/zscaler_zpa-26cc19c0-4c44-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..57a04d39d3b --- /dev/null +++ b/packages/zscaler_zpa/kibana/dashboard/zscaler_zpa-26cc19c0-4c44-11ec-9023-a76a2cb41dcd.json 
@@ -0,0 +1,136 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.browser_access\"", + "language": "kuery" + }, + "filter": [] + } + }, + "optionsJSON": { + "useMargins": true, + "syncColors": false, + "hidePanelTitles": false + }, + "panelsJSON": [ + { + "version": "7.16.0-SNAPSHOT", + "type": "map", + "gridData": { + "x": 0, + "y": 0, + "w": 48, + "h": 18, + "i": "26f3b155-53ad-40e1-a01d-e469c7193d9d" + }, + "panelIndex": "26f3b155-53ad-40e1-a01d-e469c7193d9d", + "embeddableConfig": { + "mapCenter": { + "lat": 19.94277, + "lon": 0, + "zoom": 1.06 + }, + "mapBuffer": { + "minLon": -180, + "minLat": -66.51326, + "maxLon": 180, + "maxLat": 66.51326 + }, + "isLayerTOCOpen": true, + "openTOCDetails": [], + "hiddenLayers": [], + "enhancements": {} + }, + "panelRefName": "panel_0" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 0, + "y": 18, + "w": 16, + "h": 15, + "i": "2b16dc24-ff32-475b-8dd7-cb51f5d93954" + }, + "panelIndex": "2b16dc24-ff32-475b-8dd7-cb51f5d93954", + "embeddableConfig": { + "enhancements": {}, + "vis": { + "legendOpen": true + } + }, + "panelRefName": "panel_1" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 32, + "y": 18, + "w": 16, + "h": 15, + "i": "ac107bfb-95e0-4f77-9aec-9674891d047b" + }, + "panelIndex": "ac107bfb-95e0-4f77-9aec-9674891d047b", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_2" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 16, + "y": 18, + "w": 16, + "h": 15, + "i": "286696da-f87c-4872-b7c7-6a20f8584ea6" + }, + "panelIndex": "286696da-f87c-4872-b7c7-6a20f8584ea6", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_3" + } + ], + "timeRestore": false, + "title": "[Zscaler][ZPA] Browser Access Logs", + "version": 1 + }, + 
"coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-26cc19c0-4c44-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "zscaler_zpa-5a0f9320-4c44-11ec-9023-a76a2cb41dcd", + "name": "panel_0", + "type": "map" + }, + { + "id": "zscaler_zpa-1b5846e0-4c44-11ec-9023-a76a2cb41dcd", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "zscaler_zpa-23d03780-4eb8-11ec-9527-b704eaaa5c53", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "zscaler_zpa-d8e44aa0-5992-11ec-b2d0-45019404f2e5", + "name": "panel_3", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2021-12-10T08:26:57.853Z", + "version": "WzEwNjcsMV0=" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/dashboard/zscaler_zpa-7511d7f0-4c49-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/dashboard/zscaler_zpa-7511d7f0-4c49-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..64c3c59c2be --- /dev/null +++ b/packages/zscaler_zpa/kibana/dashboard/zscaler_zpa-7511d7f0-4c49-11ec-9023-a76a2cb41dcd.json 
@@ -0,0 +1,397 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "", + "language": "kuery" + }, + "filter": [] + } + }, + "optionsJSON": { + "useMargins": true, + "syncColors": false, + "hidePanelTitles": false + }, + "panelsJSON": [ + { + "version": "7.16.0-SNAPSHOT", + "type": "map", + "gridData": { + "x": 0, + "y": 0, + "w": 48, + "h": 22, + "i": "5d6fd558-dee7-432b-9374-8d1e7eb8dbc9" + }, + "panelIndex": "5d6fd558-dee7-432b-9374-8d1e7eb8dbc9", + "embeddableConfig": { + "mapCenter": { + "lat": 1.7677, + "lon": 0, + "zoom": 1.06 + }, + "mapBuffer": { + "minLon": -270, + "minLat": -85.05113, + "maxLon": 270, + "maxLat": 85.05113 + }, + "isLayerTOCOpen": true, + "openTOCDetails": [], + "hiddenLayers": [], + "enhancements": {} + }, + "panelRefName": "panel_0" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 0, + "y": 22, + "w": 16, + "h": 14, + "i": "2b19f9ee-4ba4-4f5b-bddb-8be10b5d085e" + }, + "panelIndex": "2b19f9ee-4ba4-4f5b-bddb-8be10b5d085e", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_1" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 16, + "y": 22, + "w": 15, + "h": 14, + "i": "dc65087e-2242-4e8b-86a0-61e1c0da98f5" + }, + "panelIndex": "dc65087e-2242-4e8b-86a0-61e1c0da98f5", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_2" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 31, + "y": 22, + "w": 17, + "h": 14, + "i": "ac1bbf4b-b227-4d6a-812d-f6f682a86cb5" + }, + "panelIndex": "ac1bbf4b-b227-4d6a-812d-f6f682a86cb5", + "embeddableConfig": { + "vis": { + "legendOpen": true + }, + "enhancements": {} + }, + "panelRefName": "panel_3" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 0, + "y": 36, + "w": 24, + "h": 15, + "i": 
"d8929019-59a4-4158-b1f1-b769f1b8ed3c" + }, + "panelIndex": "d8929019-59a4-4158-b1f1-b769f1b8ed3c", + "embeddableConfig": { + "vis": { + "legendOpen": true + }, + "enhancements": {} + }, + "panelRefName": "panel_4" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 24, + "y": 36, + "w": 24, + "h": 15, + "i": "8f582a11-a96d-42ab-a4af-8723737dedc0" + }, + "panelIndex": "8f582a11-a96d-42ab-a4af-8723737dedc0", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_5" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 0, + "y": 51, + "w": 16, + "h": 15, + "i": "f1106d4f-52b0-4837-bd41-a0ff1f3e13bb" + }, + "panelIndex": "f1106d4f-52b0-4837-bd41-a0ff1f3e13bb", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_6" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 16, + "y": 51, + "w": 16, + "h": 15, + "i": "4b74af86-5ad3-4d2b-87e9-c98cb12c673a" + }, + "panelIndex": "4b74af86-5ad3-4d2b-87e9-c98cb12c673a", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_7" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 32, + "y": 51, + "w": 16, + "h": 15, + "i": "5fbfcc7f-07b1-4751-a569-04a0104a9806" + }, + "panelIndex": "5fbfcc7f-07b1-4751-a569-04a0104a9806", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_8" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 0, + "y": 66, + "w": 24, + "h": 15, + "i": "429030c5-d674-4696-8aac-9385e886ce19" + }, + "panelIndex": "429030c5-d674-4696-8aac-9385e886ce19", + "embeddableConfig": { + "savedVis": { + "id": "", + "title": "[Zscaler][ZPA] Slowest Applications", + "description": "", + "type": "metrics", + "params": { + "time_range_mode": "entire_time_range", + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + 
"bar_color_rules": [ + { + "id": "4ac99360-4dd5-11ec-9c7f-599fe68d9667" + } + ], + "drop_last_bucket": 0, + "id": "81cebc93-9e11-4079-9241-baa103cd5db6", + "interval": "", + "isModelInvalid": false, + "max_lines_legend": 1, + "pivot_id": "client.ip", + "pivot_label": "Client IP", + "pivot_type": "string", + "series": [ + { + "time_range_mode": "entire_time_range", + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "hidden": false, + "id": "a5e34d80-4dd6-11ec-9c7f-599fe68d9667", + "label": "Application Setup Time (Time in microseconds)", + "line_width": 1, + "metrics": [ + { + "id": "1c4724b0-4dfa-11ec-9c7f-599fe68d9667", + "type": "avg", + "field": "json.ServerSetupTime" + }, + { + "id": "5adf7740-4dfa-11ec-9c7f-599fe68d9667", + "type": "avg", + "field": "json.ConnectionSetupTime" + }, + { + "id": "6f1124c0-4dfa-11ec-9c7f-599fe68d9667", + "type": "avg", + "field": "json.ConnectorZENSetupTime" + }, + { + "id": "7956fef0-4dfa-11ec-9c7f-599fe68d9667", + "type": "math", + "variables": [ + { + "id": "7ad8bcf0-4dfa-11ec-9c7f-599fe68d9667", + "name": "a", + "field": "1c4724b0-4dfa-11ec-9c7f-599fe68d9667" + }, + { + "id": "80181f30-4dfa-11ec-9c7f-599fe68d9667", + "name": "b", + "field": "5adf7740-4dfa-11ec-9c7f-599fe68d9667" + }, + { + "id": "81c5f640-4dfa-11ec-9c7f-599fe68d9667", + "name": "c", + "field": "6f1124c0-4dfa-11ec-9c7f-599fe68d9667" + } + ], + "script": "params.a + params.b + params.c" + } + ], + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "table", + "use_kibana_indexes": true, + "index_pattern_ref_name": "metrics_429030c5-d674-4696-8aac-9385e886ce19_0_index_pattern" + }, + "uiState": {}, + "data": { + "aggs": [], + "searchSource": { + "query": { + "query": 
"data_stream.dataset : \"zscaler_zpa.user_activity\" ", + "language": "kuery" + }, + "filter": [] + } + } + }, + "enhancements": {}, + "table": { + "sort": { + "column": "_default_", + "order": "desc" + } + } + }, + "panelRefName": "panel_9" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 24, + "y": 66, + "w": 24, + "h": 15, + "i": "911a577a-4b0e-44e2-80c8-3a70407f8a22" + }, + "panelIndex": "911a577a-4b0e-44e2-80c8-3a70407f8a22", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_10" + } + ], + "timeRestore": false, + "title": "[Zscaler][ZPA] User Activity and Status Logs", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-7511d7f0-4c49-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "zscaler_zpa-1f09dc30-4c4f-11ec-9023-a76a2cb41dcd", + "name": "panel_0", + "type": "map" + }, + { + "id": "zscaler_zpa-c8d009c0-4c4e-11ec-9023-a76a2cb41dcd", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "zscaler_zpa-4ea78dd0-4c49-11ec-9023-a76a2cb41dcd", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "zscaler_zpa-9f334ef0-4c4f-11ec-9023-a76a2cb41dcd", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "zscaler_zpa-552331e0-4c4f-11ec-9023-a76a2cb41dcd", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "zscaler_zpa-76176ed0-4c4e-11ec-9023-a76a2cb41dcd", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "zscaler_zpa-e86c2d90-4c49-11ec-9023-a76a2cb41dcd", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "zscaler_zpa-ccbe7ed0-4c4a-11ec-9023-a76a2cb41dcd", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "zscaler_zpa-d124a2a0-4c4b-11ec-9023-a76a2cb41dcd", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "zscaler_zpa-82076ba0-4e74-11ec-ad09-d9f49962d407", + "name": "panel_9", + "type": "visualization" + }, + { + "id": 
"zscaler_zpa-4cf30750-4d0a-11ec-ad09-d9f49962d407", + "name": "panel_10", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2021-11-26T12:58:31.486Z", + "version": "WzU4NjcsMV0=" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/dashboard/zscaler_zpa-fa3c3c00-4c57-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/dashboard/zscaler_zpa-fa3c3c00-4c57-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..0252915d947 --- /dev/null +++ b/packages/zscaler_zpa/kibana/dashboard/zscaler_zpa-fa3c3c00-4c57-11ec-9023-a76a2cb41dcd.json 
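Review bot: The inline TSVB panel titled `[Zscaler][ZPA] Slowest Applications` (panelRefName `panel_9`) averages `json.ServerSetupTime`, `json.ConnectionSetupTime` and `json.ConnectorZENSetupTime`, while every other saved object in this commit reads fields under the `zscaler_zpa.<dataset>.` prefix (for example `zscaler_zpa.app_connector_status.connector.group` and `zscaler_zpa.audit.object.type`). If the ingest pipeline renames the decoded `json` object into `zscaler_zpa.user_activity.*` and removes it, this table renders empty on indexed data even though the package otherwise works. Point the three `"field"` values at the mapped `zscaler_zpa.user_activity.*` equivalents (exact names to be confirmed against that data stream's field definitions), and set `"time_field": "@timestamp"` instead of the empty string so TSVB does not have to infer the time field. Because this `savedVis` is embedded in the dashboard rather than stored as a referenced visualization, a field-name mistake here is easy to miss in later reviews, so a one-line `"description"` naming the source fields would help.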
@@ -0,0 +1,273 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "", + "language": "kuery" + }, + "filter": [] + } + }, + "optionsJSON": { + "useMargins": true, + "syncColors": false, + "hidePanelTitles": false + }, + "panelsJSON": [ + { + "version": "7.16.0-SNAPSHOT", + "type": "map", + "gridData": { + "x": 0, + "y": 0, + "w": 48, + "h": 15, + "i": "d65f21eb-eb68-4cbc-abd9-d8ff48776d1d" + }, + "panelIndex": "d65f21eb-eb68-4cbc-abd9-d8ff48776d1d", + "embeddableConfig": { + "mapCenter": { + "lat": 0, + "lon": 115.86278, + "zoom": 0.6 + }, + "mapBuffer": { + "minLon": -360, + "minLat": -89.78601, + "maxLon": 540, + "maxLat": 89.78601 + }, + "isLayerTOCOpen": true, + "openTOCDetails": [], + "hiddenLayers": [], + "enhancements": {} + }, + "panelRefName": "panel_0" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "map", + "gridData": { + "x": 0, + "y": 15, + "w": 48, + "h": 18, + "i": "304163ec-bce7-4995-99cd-7892cf6e4277" + }, + "panelIndex": "304163ec-bce7-4995-99cd-7892cf6e4277", + "embeddableConfig": { + "mapCenter": { + "lat": 20.96631, + "lon": -81.88323, + "zoom": 0.69 + }, + "mapBuffer": { + "minLon": -360, + "minLat": -85.05113, + "maxLon": 180, + "maxLat": 85.05113 + }, + "isLayerTOCOpen": true, + "openTOCDetails": [], + "hiddenLayers": [], + "enhancements": {} + }, + "panelRefName": "panel_1" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 0, + "y": 33, + "w": 16, + "h": 15, + "i": "b32ccd6a-9edb-47f2-829d-d9e11ad3b850" + }, + "panelIndex": "b32ccd6a-9edb-47f2-829d-d9e11ad3b850", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_2" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 16, + "y": 33, + "w": 16, + "h": 15, + "i": "a6f8c118-5b3d-4339-8037-21651b658e0a" + }, + "panelIndex": "a6f8c118-5b3d-4339-8037-21651b658e0a", + "embeddableConfig": { + "enhancements": {} 
+ }, + "panelRefName": "panel_3" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 32, + "y": 33, + "w": 16, + "h": 15, + "i": "99a58fff-e3ec-42df-9f37-f69008909dc1" + }, + "panelIndex": "99a58fff-e3ec-42df-9f37-f69008909dc1", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_4" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 0, + "y": 48, + "w": 24, + "h": 15, + "i": "f2952e7e-2165-4908-a9a6-6ebf385438e2" + }, + "panelIndex": "f2952e7e-2165-4908-a9a6-6ebf385438e2", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_5" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 24, + "y": 48, + "w": 24, + "h": 15, + "i": "efcf0961-81c8-4e07-9bea-b0db4d0a5ec1" + }, + "panelIndex": "efcf0961-81c8-4e07-9bea-b0db4d0a5ec1", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_6" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 0, + "y": 63, + "w": 24, + "h": 16, + "i": "b1fccb13-65ac-413c-b600-674dfb9b42d5" + }, + "panelIndex": "b1fccb13-65ac-413c-b600-674dfb9b42d5", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_7" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 24, + "y": 63, + "w": 24, + "h": 16, + "i": "1d384991-def5-4620-b55f-31e9a8b3218a" + }, + "panelIndex": "1d384991-def5-4620-b55f-31e9a8b3218a", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_8" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 0, + "y": 79, + "w": 48, + "h": 15, + "i": "cfd0d990-2314-4b7c-bad4-07b895bf4b55" + }, + "panelIndex": "cfd0d990-2314-4b7c-bad4-07b895bf4b55", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_9" + } + ], + "timeRestore": false, + "title": "[Zscaler][ZPA] App Connector Status", + 
"version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-fa3c3c00-4c57-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "zscaler_zpa-43836b20-4c55-11ec-9023-a76a2cb41dcd", + "name": "panel_0", + "type": "map" + }, + { + "id": "zscaler_zpa-dff56dd0-4ce8-11ec-9023-a76a2cb41dcd", + "name": "panel_1", + "type": "map" + }, + { + "id": "zscaler_zpa-b0fa5650-4c55-11ec-9023-a76a2cb41dcd", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "zscaler_zpa-860071f0-4c55-11ec-9023-a76a2cb41dcd", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "zscaler_zpa-89a91550-4c5a-11ec-9023-a76a2cb41dcd", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "zscaler_zpa-d0c885a0-4c5b-11ec-9023-a76a2cb41dcd", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "zscaler_zpa-f03d3c90-4c5c-11ec-9023-a76a2cb41dcd", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "zscaler_zpa-1b2c06c0-4eb5-11ec-9527-b704eaaa5c53", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "zscaler_zpa-17759700-4c5b-11ec-9023-a76a2cb41dcd", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "zscaler_zpa-8ca8eb00-4c5e-11ec-9023-a76a2cb41dcd", + "name": "panel_9", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2021-12-06T11:14:42.883Z", + "version": "WzQ4MTU1LDFd" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/dashboard/zscaler_zpa-fa5b1830-4c63-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/dashboard/zscaler_zpa-fa5b1830-4c63-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..27f0ea00df9 --- /dev/null +++ b/packages/zscaler_zpa/kibana/dashboard/zscaler_zpa-fa5b1830-4c63-11ec-9023-a76a2cb41dcd.json 
@@ -0,0 +1,142 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "", + "language": "kuery" + }, + "filter": [] + } + }, + "optionsJSON": { + "useMargins": true, + "syncColors": false, + "hidePanelTitles": false + }, + "panelsJSON": [ + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 0, + "y": 0, + "w": 24, + "h": 15, + "i": "c61f1028-287d-427a-80dd-7530fe1d407b" + }, + "panelIndex": "c61f1028-287d-427a-80dd-7530fe1d407b", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_0" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 24, + "y": 0, + "w": 24, + "h": 15, + "i": "0c5e09b0-f4c9-41bf-9855-b6aedef7e49b" + }, + "panelIndex": "0c5e09b0-f4c9-41bf-9855-b6aedef7e49b", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_1" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 0, + "y": 15, + "w": 24, + "h": 15, + "i": "590bd39d-7ba8-475f-99a4-94d6fe3c7a66" + }, + "panelIndex": "590bd39d-7ba8-475f-99a4-94d6fe3c7a66", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_2" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "visualization", + "gridData": { + "x": 24, + "y": 15, + "w": 24, + "h": 15, + "i": "c779f9f4-69c6-4e08-af7b-b79fed7e1b9c" + }, + "panelIndex": "c779f9f4-69c6-4e08-af7b-b79fed7e1b9c", + "embeddableConfig": { + "enhancements": {} + }, + "panelRefName": "panel_3" + }, + { + "version": "7.16.0-SNAPSHOT", + "type": "search", + "gridData": { + "x": 0, + "y": 30, + "w": 48, + "h": 21, + "i": "b4f9406f-ee08-487d-924a-1012fa15442c" + }, + "panelIndex": "b4f9406f-ee08-487d-924a-1012fa15442c", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "title": "[Zscaler][ZPA] Audit Operations Details", + "panelRefName": "panel_4" + } + ], + "timeRestore": false, + "title": 
"[Zscaler][ZPA] Audit Logs", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-fa5b1830-4c63-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "zscaler_zpa-be0fc2e0-4c63-11ec-9023-a76a2cb41dcd", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "zscaler_zpa-f2e526e0-4c63-11ec-9023-a76a2cb41dcd", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "zscaler_zpa-2fffbd90-4d29-11ec-ad09-d9f49962d407", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "zscaler_zpa-fc5f4ea0-4ebe-11ec-9527-b704eaaa5c53", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "zscaler_zpa-d9d5e800-537b-11ec-9527-b704eaaa5c53", + "name": "panel_4", + "type": "search" + } + ], + "type": "dashboard", + "updated_at": "2021-12-03T05:25:34.232Z", + "version": "WzI0ODQyLDFd" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/map/zscaler_zpa-1f09dc30-4c4f-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/map/zscaler_zpa-1f09dc30-4c4f-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..e2c08cd4dda --- /dev/null +++ b/packages/zscaler_zpa/kibana/map/zscaler_zpa-1f09dc30-4c4f-11ec-9023-a76a2cb41dcd.json 
@@ -0,0 +1,120 @@ +{ + "attributes": { + "description": "", + "layerListJSON": [ + { + "sourceDescriptor": { + "type": "EMS_TMS", + "isAutoSelect": true + }, + "id": "31d17945-828a-4b1e-9d63-5ff628cae1b3", + "label": null, + "minZoom": 0, + "maxZoom": 24, + "alpha": 1, + "visible": true, + "style": { + "type": "TILE" + }, + "includeInFitToBounds": true, + "type": "VECTOR_TILE" + }, + { + "sourceDescriptor": { + "geoField": "client.geo.location", + "requestType": "heatmap", + "id": "aab6b218-afd7-47cf-825f-a39f7b57b1fe", + "type": "ES_GEO_GRID", + "applyGlobalQuery": true, + "applyGlobalTime": true, + "applyForceRefresh": true, + "metrics": [ + { + "type": "count" + } + ], + "resolution": "COARSE", + "indexPatternRefName": "layer_1_source_index_pattern" + }, + "id": "0a3d538b-2454-4860-aa46-46f706c738b1", + "label": null, + "minZoom": 0, + "maxZoom": 24, + "alpha": 0.75, + "visible": true, + "style": { + "type": "HEATMAP", + "colorRampName": "theclassic" + }, + "includeInFitToBounds": true, + "type": "HEATMAP" + } + ], + "mapStateJSON": { + "zoom": 1.06, + "center": { + "lon": 0, + "lat": 19.94277 + }, + "timeFilters": { + "from": "now-15y", + "to": "now" + }, + "refreshConfig": { + "isPaused": true, + "interval": 0 + }, + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.user_status\" OR data_stream.dataset : \"zscaler_zpa.user_activity\"", + "language": "kuery" + }, + "filters": [], + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "disableInteractive": false, + "disableTooltipControl": false, + "hideToolbarOverlay": false, + "hideLayerControl": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "browserLocation": { + "zoom": 2 + }, + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "showTimesliderToggleButton": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + 
"spatialFiltersLineColor": "#DA8B45" + } + }, + "title": "[Zscaler][ZPA] Users by region", + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-1f09dc30-4c4f-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "map": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map", + "updated_at": "2021-12-02T08:37:35.859Z", + "version": "WzExMDE5LDFd" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/map/zscaler_zpa-43836b20-4c55-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/map/zscaler_zpa-43836b20-4c55-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..4a84b191dc6 --- /dev/null +++ b/packages/zscaler_zpa/kibana/map/zscaler_zpa-43836b20-4c55-11ec-9023-a76a2cb41dcd.json 
@@ -0,0 +1,120 @@ +{ + "attributes": { + "description": "", + "layerListJSON": [ + { + "sourceDescriptor": { + "type": "EMS_TMS", + "isAutoSelect": true + }, + "id": "3099042d-0154-49b6-8c0c-f492730c5835", + "label": null, + "minZoom": 0, + "maxZoom": 24, + "alpha": 1, + "visible": true, + "style": { + "type": "TILE" + }, + "includeInFitToBounds": true, + "type": "VECTOR_TILE" + }, + { + "sourceDescriptor": { + "geoField": "observer.geo.location", + "requestType": "heatmap", + "id": "aab6b218-afd7-47cf-825f-a39f7b57b1fe", + "type": "ES_GEO_GRID", + "applyGlobalQuery": true, + "applyGlobalTime": true, + "applyForceRefresh": true, + "metrics": [ + { + "type": "count" + } + ], + "resolution": "COARSE", + "indexPatternRefName": "layer_1_source_index_pattern" + }, + "id": "0a3d538b-2454-4860-aa46-46f706c738b1", + "label": null, + "minZoom": 0, + "maxZoom": 24, + "alpha": 0.75, + "visible": true, + "style": { + "type": "HEATMAP", + "colorRampName": "theclassic" + }, + "includeInFitToBounds": true, + "type": "HEATMAP" + } + ], + "mapStateJSON": { + "zoom": 0.15, + "center": { + "lon": -130.09157, + "lat": 0 + }, + "timeFilters": { + "from": "now-50y", + "to": "now" + }, + "refreshConfig": { + "isPaused": true, + "interval": 0 + }, + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.app_connector_status\"", + "language": "kuery" + }, + "filters": [], + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "disableInteractive": false, + "disableTooltipControl": false, + "hideToolbarOverlay": false, + "hideLayerControl": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "browserLocation": { + "zoom": 2 + }, + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "showTimesliderToggleButton": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + } + }, 
+ "title": "[Zscaler][ZPA] App Connectors by region", + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-43836b20-4c55-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "map": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map", + "updated_at": "2021-12-02T08:29:02.976Z", + "version": "WzEwNjk0LDFd" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/map/zscaler_zpa-5a0f9320-4c44-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/map/zscaler_zpa-5a0f9320-4c44-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..644e25952a1 --- /dev/null +++ b/packages/zscaler_zpa/kibana/map/zscaler_zpa-5a0f9320-4c44-11ec-9023-a76a2cb41dcd.json 
@@ -0,0 +1,120 @@ +{ + "attributes": { + "description": "", + "layerListJSON": [ + { + "sourceDescriptor": { + "type": "EMS_TMS", + "isAutoSelect": true + }, + "id": "44962ab1-9a18-493c-a7c4-4408f7df2ca7", + "label": null, + "minZoom": 0, + "maxZoom": 24, + "alpha": 1, + "visible": true, + "style": { + "type": "TILE" + }, + "includeInFitToBounds": true, + "type": "VECTOR_TILE" + }, + { + "sourceDescriptor": { + "geoField": "client.geo.location", + "requestType": "heatmap", + "id": "aab6b218-afd7-47cf-825f-a39f7b57b1fe", + "type": "ES_GEO_GRID", + "applyGlobalQuery": true, + "applyGlobalTime": true, + "applyForceRefresh": true, + "metrics": [ + { + "type": "count" + } + ], + "resolution": "COARSE", + "indexPatternRefName": "layer_1_source_index_pattern" + }, + "id": "0a3d538b-2454-4860-aa46-46f706c738b1", + "label": null, + "minZoom": 0, + "maxZoom": 24, + "alpha": 0.75, + "visible": true, + "style": { + "type": "HEATMAP", + "colorRampName": "theclassic" + }, + "includeInFitToBounds": true, + "type": "HEATMAP" + } + ], + "mapStateJSON": { + "zoom": 0.77, + "center": { + "lon": 35.52056, + "lat": -0.77104 + }, + "timeFilters": { + "from": "now-5y", + "to": "now" + }, + "refreshConfig": { + "isPaused": true, + "interval": 0 + }, + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.browser_access\"", + "language": "kuery" + }, + "filters": [], + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "disableInteractive": false, + "disableTooltipControl": false, + "hideToolbarOverlay": false, + "hideLayerControl": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "browserLocation": { + "zoom": 2 + }, + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "showTimesliderToggleButton": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + } + }, + 
"title": "[Zscaler][ZPA] Browser Access Events by Region", + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-5a0f9320-4c44-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "map": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map", + "updated_at": "2021-12-07T14:31:15.512Z", + "version": "WzE0ODIsMV0=" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/map/zscaler_zpa-dff56dd0-4ce8-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/map/zscaler_zpa-dff56dd0-4ce8-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..cabd7fa16ee --- /dev/null +++ b/packages/zscaler_zpa/kibana/map/zscaler_zpa-dff56dd0-4ce8-11ec-9023-a76a2cb41dcd.json 
@@ -0,0 +1,121 @@ +{ + "attributes": { + "description": "", + "layerListJSON": [ + { + "sourceDescriptor": { + "type": "EMS_TMS", + "isAutoSelect": true + }, + "id": "72f12276-ca0b-455c-a518-bf4493c7d673", + "label": null, + "minZoom": 0, + "maxZoom": 24, + "alpha": 1, + "visible": true, + "style": { + "type": "TILE" + }, + "includeInFitToBounds": true, + "type": "VECTOR_TILE" + }, + { + "sourceDescriptor": { + "geoField": "observer.geo.location", + "requestType": "heatmap", + "id": "aab6b218-afd7-47cf-825f-a39f7b57b1fe", + "type": "ES_GEO_GRID", + "applyGlobalQuery": true, + "applyGlobalTime": true, + "applyForceRefresh": true, + "metrics": [ + { + "type": "cardinality", + "field": "zscaler_zpa.app_connector_status.connector.group" + } + ], + "resolution": "COARSE", + "indexPatternRefName": "layer_1_source_index_pattern" + }, + "id": "0a3d538b-2454-4860-aa46-46f706c738b1", + "label": null, + "minZoom": 0, + "maxZoom": 24, + "alpha": 0.75, + "visible": true, + "style": { + "type": "HEATMAP", + "colorRampName": "theclassic" + }, + "includeInFitToBounds": true, + "type": "HEATMAP" + } + ], + "mapStateJSON": { + "zoom": 0.69, + "center": { + "lon": -81.88323, + "lat": 20.96631 + }, + "timeFilters": { + "from": "now-15y", + "to": "now" + }, + "refreshConfig": { + "isPaused": true, + "interval": 0 + }, + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.app_connector_status\"", + "language": "kuery" + }, + "filters": [], + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "disableInteractive": false, + "disableTooltipControl": false, + "hideToolbarOverlay": false, + "hideLayerControl": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "browserLocation": { + "zoom": 2 + }, + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "showTimesliderToggleButton": true, + "spatialFiltersAlpa": 0.3, + 
"spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + } + }, + "title": "[Zscaler][ZPA] Connector Groups by region", + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-dff56dd0-4ce8-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "map": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map", + "updated_at": "2021-12-16T06:12:52.253Z", + "version": "WzIwNDUsMV0=" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/search/zscaler_zpa-d9d5e800-537b-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zpa/kibana/search/zscaler_zpa-d9d5e800-537b-11ec-9527-b704eaaa5c53.json new file mode 100644 index 00000000000..a3ad60061ab --- /dev/null +++ b/packages/zscaler_zpa/kibana/search/zscaler_zpa-d9d5e800-537b-11ec-9527-b704eaaa5c53.json @@ -0,0 +1,46 @@ +{ + "attributes": { + "columns": [ + "user.name", + "zscaler_zpa.audit.object.type", + "zscaler_zpa.audit.object.name", + "zscaler_zpa.audit.value.new", + "zscaler_zpa.audit.value.old" + ], + "description": "", + "grid": {}, + "hideChart": true, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.audit\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Zscaler][ZPA] Audit Operations Details" + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-d9d5e800-537b-11ec-9527-b704eaaa5c53", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2021-12-03T12:58:06.911Z", + "version": "WzM2NDQyLDFd" +} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-17759700-4c5b-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-17759700-4c5b-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..d1cc94ab82e --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-17759700-4c5b-11ec-9023-a76a2cb41dcd.json 
@@ -0,0 +1,105 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.app_connector_status\"", + "language": "kuery" + }, + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "key": "zscaler_zpa.app_connector_status.connector_up_time", + "negate": false, + "type": "exists", + "value": "exists", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + }, + "query": { + "exists": { + "field": "zscaler_zpa.app_connector_status.connector_up_time" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Top 10 Connector with highest uptime", + "uiStateJSON": {}, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Top 10 Connector with highest uptime", + "type": "table", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "top_hits", + "params": { + "field": "zscaler_zpa.app_connector_status.connector_up_time", + "aggregate": "max", + "size": 10, + "sortField": "@timestamp", + "sortOrder": "desc", + "customLabel": "Connector UpTime" + }, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "zscaler_zpa.app_connector_status.connector.name", + "orderBy": "_key", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Connector Name" + }, + "schema": "bucket" + } + ], + "params": { + "perPage": 10, + "showPartialRows": false, + "showMetricsAtAllLevels": false, + "showTotal": false, + "showToolbar": false, + "totalFunc": "sum", + "percentageCol": "", + "autoFitRowToContent": false + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-17759700-4c5b-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "visualization": "7.14.0" + }, + 
"references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-16T06:17:25.442Z", + "version": "WzIxMjgsMV0=" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-1b2c06c0-4eb5-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-1b2c06c0-4eb5-11ec-9527-b704eaaa5c53.json new file mode 100644 index 00000000000..600b219ceed --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-1b2c06c0-4eb5-11ec-9527-b704eaaa5c53.json 
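Review bot: The terms bucket that picks the rows for "Top 10 Connector with highest uptime" is ordered by `"orderBy": "_key"` with `"order": "desc"`, so the table shows the ten connector names that sort last alphabetically, not the ten connectors with the highest `zscaler_zpa.app_connector_status.connector_up_time`. A top_hits metric cannot drive terms ordering, which is presumably why `_key` was chosen, but the title then overstates what the table does. Replacing the metric with `"type": "max"` on `zscaler_zpa.app_connector_status.connector_up_time` and setting the terms agg to `"orderBy": "1"` would make the selection match the title; otherwise the title should say the rows are sorted by name.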
@@ -0,0 +1,149 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.app_connector_status\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Distribution of App Connector Status by Session Type", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Distribution of App Connector Status by Session Type", + "type": "horizontal_bar", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "count", + "params": {}, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "zscaler_zpa.app_connector_status.session.type", + "orderBy": "1", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Session Type" + }, + "schema": "segment" + } + ], + "params": { + "type": "histogram", + "grid": { + "categoryLines": false + }, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "type": "category", + "position": "left", + "show": true, + "scale": { + "type": "linear" + }, + "labels": { + "show": true, + "rotate": 0, + "filter": false, + "truncate": 200 + }, + "title": {}, + "style": {} + } + ], + "valueAxes": [ + { + "id": "ValueAxis-1", + "name": "LeftAxis-1", + "type": "value", + "position": "bottom", + "show": true, + "scale": { + "type": "linear", + "mode": "normal" + }, + "labels": { + "show": true, + "rotate": 0, + "filter": true, + "truncate": 100 + }, + "title": { + "text": "" + }, + "style": {} + } + ], + "seriesParams": [ + { + "show": true, + "type": "histogram", + "mode": "normal", + "data": { + "label": "Count", + "id": "1" + }, + "interpolate": "linear", + "valueAxis": "ValueAxis-1", + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "showCircles": true, + "circlesRadius": 3 + } 
+ ], + "addTooltip": true, + "detailedTooltip": true, + "palette": { + "type": "palette", + "name": "temperature" + }, + "addLegend": true, + "legendPosition": "right", + "times": [], + "addTimeMarker": false, + "truncateLegend": true, + "maxLegendLines": 1, + "labels": {}, + "radiusRatio": 0, + "thresholdLine": { + "show": false, + "value": 10, + "width": 1, + "style": "full", + "color": "#E7664C" + } + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-1b2c06c0-4eb5-11ec-9527-b704eaaa5c53", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-02T08:15:40.723Z", + "version": "WzEwMzAzLDFd" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-1b5846e0-4c44-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-1b5846e0-4c44-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..e83efee0a54 --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-1b5846e0-4c44-11ec-9023-a76a2cb41dcd.json 
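Review bot: `"uiStateJSON": "{}"` is stored here as an embedded-JSON string, while `searchSourceJSON` and `visState` in the same object are expanded into real objects and the sibling visualizations in this commit store `"uiStateJSON": {}` as an object; the same string form appears in the zscaler_zpa-8ca8eb00 visualization. Whether Fleet accepts both is not verifiable from the hunk, but the mixed representation makes the assets harder to diff and lint consistently. Suggest `"uiStateJSON": {}` in both files to match the rest of the package.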
@@ -0,0 +1,91 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.browser_access\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Distribution of Browser Access by Exporter", + "uiStateJSON": { + "vis": { + "legendOpen": true + } + }, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Distribution of Browser Access by Exporter", + "type": "pie", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "count", + "params": {}, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "zscaler_zpa.browser_access.exporter", + "orderBy": "1", + "order": "desc", + "size": 5, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Exporter" + }, + "schema": "segment" + } + ], + "params": { + "type": "pie", + "addTooltip": true, + "addLegend": true, + "legendPosition": "right", + "nestedLegend": false, + "truncateLegend": true, + "maxLegendLines": 1, + "distinctColors": false, + "isDonut": false, + "palette": { + "type": "palette", + "name": "temperature" + }, + "labels": { + "show": true, + "last_level": false, + "values": true, + "valuesFormat": "percent", + "percentDecimals": 2, + "truncate": 100, + "position": "default" + } + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-1b5846e0-4c44-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-06T10:33:40.004Z", + "version": "WzQ3NjY5LDFd" +} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-23d03780-4eb8-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-23d03780-4eb8-11ec-9527-b704eaaa5c53.json new file mode 100644 index 00000000000..56fee5e6d69 --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-23d03780-4eb8-11ec-9527-b704eaaa5c53.json 
@@ -0,0 +1,87 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.browser_access\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Distribution of Browser Access by Browser", + "uiStateJSON": {}, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Distribution of Browser Access by Browser", + "type": "pie", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "count", + "params": {}, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "user_agent.name", + "orderBy": "1", + "order": "desc", + "size": 5, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Browser" + }, + "schema": "segment" + } + ], + "params": { + "type": "pie", + "addTooltip": true, + "addLegend": true, + "legendPosition": "right", + "nestedLegend": false, + "truncateLegend": true, + "maxLegendLines": 1, + "distinctColors": false, + "isDonut": false, + "palette": { + "type": "palette", + "name": "temperature" + }, + "labels": { + "show": true, + "last_level": false, + "values": true, + "valuesFormat": "percent", + "percentDecimals": 2, + "truncate": 100, + "position": "default" + } + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-23d03780-4eb8-11ec-9527-b704eaaa5c53", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-06T10:33:52.939Z", + "version": "WzQ3Njk2LDFd" +} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-2fffbd90-4d29-11ec-ad09-d9f49962d407.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-2fffbd90-4d29-11ec-ad09-d9f49962d407.json new file mode 100644 index 00000000000..9c969514461 --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-2fffbd90-4d29-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.audit\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Distribution of Audit Events by Object Type", + "uiStateJSON": { + "vis": { + "legendOpen": true + } + }, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Distribution of Audit Events by Object Type", + "type": "pie", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "count", + "params": {}, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "zscaler_zpa.audit.object.type", + "orderBy": "1", + "order": "desc", + "size": 5, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Object Type" + }, + "schema": "segment" + } + ], + "params": { + "type": "pie", + "addTooltip": true, + "addLegend": true, + "legendPosition": "right", + "nestedLegend": false, + "truncateLegend": true, + "maxLegendLines": 1, + "distinctColors": false, + "isDonut": false, + "palette": { + "type": "palette", + "name": "temperature" + }, + "labels": { + "show": true, + "last_level": false, + "values": true, + "valuesFormat": "percent", + "percentDecimals": 2, + "truncate": 100, + "position": "default" + } + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-2fffbd90-4d29-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-02T07:26:39.134Z", + "version": "Wzk0NDIsMV0=" +} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-4cf30750-4d0a-11ec-ad09-d9f49962d407.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-4cf30750-4d0a-11ec-ad09-d9f49962d407.json new file mode 100644 index 00000000000..1f6c41d53a2 --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-4cf30750-4d0a-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.user_activity\"", + "language": "kuery" + }, + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "key": "zscaler_zpa.user_activity.server_setup_time", + "negate": false, + "type": "exists", + "value": "exists", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + }, + "query": { + "exists": { + "field": "zscaler_zpa.user_activity.server_setup_time" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Slowest Connector Server", + "uiStateJSON": {}, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Slowest Connector Server", + "type": "table", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "avg", + "params": { + "field": "zscaler_zpa.user_activity.server_setup_time", + "customLabel": "Server Setup Time (in microseconds)" + }, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "client.ip", + "orderBy": "1", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Host" + }, + "schema": "bucket" + } + ], + "params": { + "perPage": 10, + "showPartialRows": false, + "showMetricsAtAllLevels": false, + "showTotal": false, + "showToolbar": false, + "totalFunc": "sum", + "percentageCol": "", + "autoFitRowToContent": false + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-4cf30750-4d0a-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-03T10:15:04.677Z", + "version": "WzMxMzkyLDFd" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-4ea78dd0-4c49-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-4ea78dd0-4c49-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..1d7915cc00b --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-4ea78dd0-4c49-11ec-9023-a76a2cb41dcd.json 
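Review bot: The bucket agg in "Slowest Connector Server" groups on `client.ip` but labels that column `"customLabel": "Host"`, and the title names a connector server; nothing in the hunk identifies a server, so each row is actually a client address with the highest average `zscaler_zpa.user_activity.server_setup_time`. Either rename the column, e.g. `"customLabel": "Client IP"` (the TSVB in the zscaler_zpa-82076ba0 file already uses that label for the same field), or group on a server-side field if the data stream has one, and adjust the title to match. The "(in microseconds)" unit in the metric label cannot be checked against the hunk and should be confirmed against the field definition.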
@@ -0,0 +1,91 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.user_activity\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Distribution of Users by Connection Status", + "uiStateJSON": { + "vis": { + "legendOpen": true + } + }, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Distribution of Users by Connection Status", + "type": "pie", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "count", + "params": {}, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "zscaler_zpa.user_activity.connection.status", + "orderBy": "1", + "order": "desc", + "size": 5, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Connection Status" + }, + "schema": "segment" + } + ], + "params": { + "type": "pie", + "addTooltip": true, + "addLegend": true, + "legendPosition": "right", + "nestedLegend": false, + "truncateLegend": true, + "maxLegendLines": 1, + "distinctColors": false, + "isDonut": false, + "palette": { + "type": "palette", + "name": "temperature" + }, + "labels": { + "show": true, + "last_level": false, + "values": true, + "valuesFormat": "percent", + "percentDecimals": 2, + "truncate": 100, + "position": "default" + } + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-4ea78dd0-4c49-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-03T09:46:37.308Z", + "version": "WzI5OTg1LDFd" +} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-552331e0-4c4f-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-552331e0-4c4f-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..b084d338430 --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-552331e0-4c4f-11ec-9023-a76a2cb41dcd.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.user_status\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Distribution of User by Client type", + "uiStateJSON": { + "vis": { + "legendOpen": true + } + }, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Distribution of User by Client type", + "type": "pie", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "count", + "params": {}, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "zscaler_zpa.user_status.client.type", + "orderBy": "1", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Client Type" + }, + "schema": "segment" + } + ], + "params": { + "type": "pie", + "addTooltip": true, + "addLegend": true, + "legendPosition": "right", + "nestedLegend": false, + "truncateLegend": true, + "maxLegendLines": 1, + "distinctColors": false, + "isDonut": false, + "palette": { + "type": "palette", + "name": "temperature" + }, + "labels": { + "show": true, + "last_level": false, + "values": true, + "valuesFormat": "percent", + "percentDecimals": 2, + "truncate": 100, + "position": "default" + } + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-552331e0-4c4f-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-11-26T12:58:31.486Z", + "version": "WzU4NjAsMV0=" +} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-76176ed0-4c4e-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-76176ed0-4c4e-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..b8349688628 --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-76176ed0-4c4e-11ec-9023-a76a2cb41dcd.json 
@@ -0,0 +1,151 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.user_status\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Top Countries with Users", + "uiStateJSON": {}, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Top Countries with Users", + "type": "horizontal_bar", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "count", + "params": { + "customLabel": "Count" + }, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "client.geo.country_iso_code", + "orderBy": "1", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Country Code" + }, + "schema": "segment" + } + ], + "params": { + "type": "histogram", + "grid": { + "categoryLines": false + }, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "type": "category", + "position": "left", + "show": true, + "scale": { + "type": "linear" + }, + "labels": { + "show": true, + "rotate": 0, + "filter": false, + "truncate": 200 + }, + "title": {}, + "style": {} + } + ], + "valueAxes": [ + { + "id": "ValueAxis-1", + "name": "LeftAxis-1", + "type": "value", + "position": "bottom", + "show": true, + "scale": { + "type": "linear", + "mode": "normal" + }, + "labels": { + "show": true, + "rotate": 0, + "filter": true, + "truncate": 100 + }, + "title": { + "text": "Count" + }, + "style": {} + } + ], + "seriesParams": [ + { + "show": true, + "type": "histogram", + "mode": "normal", + "data": { + "label": "Count", + "id": "1" + }, + "interpolate": "linear", + "valueAxis": "ValueAxis-1", + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "showCircles": true, + "circlesRadius": 3 + } + ], + "addTooltip": true, + "detailedTooltip": 
true, + "palette": { + "type": "palette", + "name": "temperature" + }, + "addLegend": true, + "legendPosition": "right", + "times": [], + "addTimeMarker": false, + "truncateLegend": true, + "maxLegendLines": 1, + "labels": {}, + "radiusRatio": 0, + "thresholdLine": { + "show": false, + "value": 10, + "width": 1, + "style": "full", + "color": "#E7664C" + } + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-76176ed0-4c4e-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-11-26T12:58:31.486Z", + "version": "WzU4NjEsMV0=" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-82076ba0-4e74-11ec-ad09-d9f49962d407.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-82076ba0-4e74-11ec-ad09-d9f49962d407.json new file mode 100644 index 00000000000..de226cc5ad8 --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-82076ba0-4e74-11ec-ad09-d9f49962d407.json 
@@ -0,0 +1,198 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.user_activity\"", + "language": "kuery" + }, + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "key": "zscaler_zpa.user_activity.connector_zen_setup_time", + "negate": false, + "type": "exists", + "value": "exists", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + }, + "query": { + "exists": { + "field": "zscaler_zpa.user_activity.connector_zen_setup_time" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "key": "zscaler_zpa.user_activity.connection.setup_time", + "negate": false, + "type": "exists", + "value": "exists", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index" + }, + "query": { + "exists": { + "field": "zscaler_zpa.user_activity.connection.setup_time" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "key": "zscaler_zpa.user_activity.server_setup_time", + "negate": false, + "type": "exists", + "value": "exists", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index" + }, + "query": { + "exists": { + "field": "zscaler_zpa.user_activity.server_setup_time" + } + } + } + ] + } + }, + "title": "[Zscaler][ZPA] Slowest Applications", + "uiStateJSON": {}, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Slowest Applications", + "type": "metrics", + "aggs": [], + "params": { + "time_range_mode": "entire_time_range", + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "bar_color_rules": [ + { + "id": "4ac99360-4dd5-11ec-9c7f-599fe68d9667" + } + ], + "drop_last_bucket": 0, + "id": "81cebc93-9e11-4079-9241-baa103cd5db6", + "interval": "", + "isModelInvalid": false, + "max_lines_legend": 1, 
+ "pivot_id": "client.ip", + "pivot_label": "Client IP", + "pivot_type": "string", + "series": [ + { + "time_range_mode": "entire_time_range", + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "hidden": false, + "id": "a5e34d80-4dd6-11ec-9c7f-599fe68d9667", + "label": "Application Setup Time (in microseconds)", + "line_width": 1, + "metrics": [ + { + "id": "1c4724b0-4dfa-11ec-9c7f-599fe68d9667", + "type": "avg", + "field": "zscaler_zpa.user_activity.server_setup_time" + }, + { + "id": "5adf7740-4dfa-11ec-9c7f-599fe68d9667", + "type": "avg", + "field": "zscaler_zpa.user_activity.connection.setup_time" + }, + { + "id": "6f1124c0-4dfa-11ec-9c7f-599fe68d9667", + "type": "avg", + "field": "zscaler_zpa.user_activity.connector_zen_setup_time" + }, + { + "id": "7956fef0-4dfa-11ec-9c7f-599fe68d9667", + "type": "math", + "variables": [ + { + "id": "7ad8bcf0-4dfa-11ec-9c7f-599fe68d9667", + "name": "a", + "field": "1c4724b0-4dfa-11ec-9c7f-599fe68d9667" + }, + { + "id": "80181f30-4dfa-11ec-9c7f-599fe68d9667", + "name": "b", + "field": "5adf7740-4dfa-11ec-9c7f-599fe68d9667" + }, + { + "id": "81c5f640-4dfa-11ec-9c7f-599fe68d9667", + "name": "c", + "field": "6f1124c0-4dfa-11ec-9c7f-599fe68d9667" + } + ], + "script": "params.a + params.b + params.c" + } + ], + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "table", + "use_kibana_indexes": true, + "index_pattern_ref_name": "metrics_0_index_pattern" + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-82076ba0-4e74-11ec-ad09-d9f49962d407", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "metrics_0_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-03T10:14:36.668Z", + "version": "WzMxMzYxLDFd" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-860071f0-4c55-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-860071f0-4c55-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..82637040b8d --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-860071f0-4c55-11ec-9023-a76a2cb41dcd.json 
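Review bot: The TSVB titled "Slowest Applications" pivots on `"pivot_id": "client.ip"` with `"pivot_label": "Client IP"`, so the ranking is per client address rather than per application, which the title does not convey. The three `exists` filters also mean only events carrying `server_setup_time`, `connection.setup_time` and `connector_zen_setup_time` together are counted, so the summed `params.a + params.b + params.c` value silently excludes partial records; a one-line `"description"` stating both the pivot field and the completeness requirement would spare a reader from working it out from the JSON. If the intent really is per application, the pivot field should be changed to the application field the user_activity data stream exposes.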
@@ -0,0 +1,75 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.app_connector_status\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Top 10 ZEN with frequent usage", + "uiStateJSON": {}, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Top 10 ZEN with frequent usage", + "type": "table", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "count", + "params": { + "customLabel": "Count" + }, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "zscaler_zpa.app_connector_status.zen", + "orderBy": "1", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "ZEN" + }, + "schema": "bucket" + } + ], + "params": { + "perPage": 10, + "showPartialRows": false, + "showMetricsAtAllLevels": false, + "showTotal": false, + "showToolbar": false, + "totalFunc": "sum", + "percentageCol": "", + "autoFitRowToContent": false + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-860071f0-4c55-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-02T08:10:02.798Z", + "version": "WzEwMDYxLDFd" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-89a91550-4c5a-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-89a91550-4c5a-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..24df6a8a566 --- /dev/null 
+++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-89a91550-4c5a-11ec-9023-a76a2cb41dcd.json @@ -0,0 +1,73 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.app_connector_status\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Top 10 Connectors by name", + "uiStateJSON": {}, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Top 10 Connectors by name", + "type": "table", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "count", + "params": {}, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "zscaler_zpa.app_connector_status.connector.name", + "orderBy": "1", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Connector Name" + }, + "schema": "bucket" + } + ], + "params": { + "perPage": 10, + "showPartialRows": false, + "showMetricsAtAllLevels": false, + "showTotal": false, + "showToolbar": false, + "totalFunc": "sum", + "percentageCol": "", + "autoFitRowToContent": false + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-89a91550-4c5a-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-02T08:10:44.274Z", + "version": "WzEwMDk1LDFd" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-8ca8eb00-4c5e-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-8ca8eb00-4c5e-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..07481d5e072 --- /dev/null 
+++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-8ca8eb00-4c5e-11ec-9023-a76a2cb41dcd.json 
@@ -0,0 +1,125 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.app_connector_status\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Distribution of App Connector by Session Type, Session Status, OS Platform", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Distribution of App Connector by Session Type, Session Status, OS Platform", + "type": "table", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "count", + "params": {}, + "schema": "metric" + }, + { + "id": "4", + "enabled": true, + "type": "terms", + "params": { + "field": "zscaler_zpa.app_connector_status.connector.name", + "orderBy": "1", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Connector Name" + }, + "schema": "bucket" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "zscaler_zpa.app_connector_status.session.status", + "orderBy": "1", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Session Status" + }, + "schema": "bucket" + }, + { + "id": "3", + "enabled": true, + "type": "terms", + "params": { + "field": "zscaler_zpa.app_connector_status.session.type", + "orderBy": "1", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Session Type" + }, + "schema": "bucket" + }, + { + "id": "5", + "enabled": true, + "type": "terms", + "params": { + "field": "observer.os.platform", + "orderBy": "1", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": 
"Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "OS Platform" + }, + "schema": "bucket" + } + ], + "params": { + "perPage": 10, + "showPartialRows": false, + "showMetricsAtAllLevels": false, + "showTotal": false, + "showToolbar": false, + "totalFunc": "sum", + "percentageCol": "", + "autoFitRowToContent": false, + "row": false + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-8ca8eb00-4c5e-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-02T08:23:25.330Z", + "version": "WzEwNTIxLDFd" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-9f334ef0-4c4f-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-9f334ef0-4c4f-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..eb12ca4e173 --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-9f334ef0-4c4f-11ec-9023-a76a2cb41dcd.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.user_status\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Distribution of User by Session Status", + "uiStateJSON": { + "vis": { + "legendOpen": true + } + }, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Distribution of User by Session Status", + "type": "pie", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "count", + "params": {}, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "zscaler_zpa.user_status.session.status", + "orderBy": "1", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Session Status" + }, + "schema": "segment" + } + ], + "params": { + "type": "pie", + "addTooltip": true, + "addLegend": true, + "legendPosition": "right", + "nestedLegend": false, + "truncateLegend": true, + "maxLegendLines": 1, + "distinctColors": false, + "isDonut": false, + "palette": { + "type": "palette", + "name": "temperature" + }, + "labels": { + "show": true, + "last_level": false, + "values": true, + "valuesFormat": "percent", + "percentDecimals": 2, + "truncate": 100, + "position": "default" + } + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-9f334ef0-4c4f-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-11-26T12:58:31.486Z", + "version": "WzU4NTksMV0=" +} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-b0fa5650-4c55-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-b0fa5650-4c55-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..911546ac03a --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-b0fa5650-4c55-11ec-9023-a76a2cb41dcd.json @@ -0,0 +1,77 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.app_connector_status\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Total App Connectors", + "uiStateJSON": {}, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Total App Connectors", + "type": "metric", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "cardinality", + "params": { + "field": "zscaler_zpa.app_connector_status.connector.name", + "customLabel": "Total App Connectors" + }, + "schema": "metric" + } + ], + "params": { + "addTooltip": true, + "addLegend": false, + "type": "metric", + "metric": { + "percentageMode": false, + "useRanges": false, + "colorSchema": "Green to Red", + "metricColorMode": "None", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "labels": { + "show": true + }, + "invertColors": false, + "style": { + "bgFill": "#000", + "bgColor": false, + "labelColor": false, + "subText": "", + "fontSize": 60 + } + } + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-b0fa5650-4c55-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-02T07:57:25.973Z", + "version": "Wzk4MjIsMV0=" +} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-be0fc2e0-4c63-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-be0fc2e0-4c63-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..db1f4209066 --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-be0fc2e0-4c63-11ec-9023-a76a2cb41dcd.json @@ -0,0 +1,75 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.audit\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Top Users with most activities", + "uiStateJSON": {}, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Top Users with most activities", + "type": "table", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "count", + "params": { + "customLabel": "Count" + }, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "user.name", + "orderBy": "1", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "User" + }, + "schema": "bucket" + } + ], + "params": { + "perPage": 10, + "showPartialRows": false, + "showMetricsAtAllLevels": false, + "showTotal": false, + "showToolbar": false, + "totalFunc": "sum", + "percentageCol": "", + "autoFitRowToContent": false + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-be0fc2e0-4c63-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-02T07:24:53.458Z", + "version": "WzkzMjksMV0=" +} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-c8d009c0-4c4e-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-c8d009c0-4c4e-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..10c42acd741 --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-c8d009c0-4c4e-11ec-9023-a76a2cb41dcd.json @@ -0,0 +1,77 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.user_activity\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Total Users", + "uiStateJSON": {}, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Total Users", + "type": "metric", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "cardinality", + "params": { + "field": "user.name", + "customLabel": "Total Users" + }, + "schema": "metric" + } + ], + "params": { + "addTooltip": true, + "addLegend": false, + "type": "metric", + "metric": { + "percentageMode": false, + "useRanges": false, + "colorSchema": "Green to Red", + "metricColorMode": "None", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "labels": { + "show": true + }, + "invertColors": false, + "style": { + "bgFill": "#000", + "bgColor": false, + "labelColor": false, + "subText": "", + "fontSize": 60 + } + } + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-c8d009c0-4c4e-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-11-26T12:58:31.486Z", + "version": "WzU4NTcsMV0=" +} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-ccbe7ed0-4c4a-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-ccbe7ed0-4c4a-11ec-9023-a76a2cb41dcd.json
new file mode 100644
index 00000000000..935842d7368
--- /dev/null
+++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-ccbe7ed0-4c4a-11ec-9023-a76a2cb41dcd.json
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.user_activity\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Distribution of Users per Application (Top 10)", + "uiStateJSON": {}, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Distribution of Users per Application (Top 10)", + "type": "table", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "count", + "params": { + "customLabel": "Count" + }, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "zscaler_zpa.user_activity.application", + "orderBy": "1", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Application Name" + }, + "schema": "bucket" + }, + { + "id": "3", + "enabled": true, + "type": "terms", + "params": { + "field": "user.name", + "orderBy": "1", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Username" + }, + "schema": "bucket" + } + ], + "params": { + "perPage": 10, + "showPartialRows": false, + "showMetricsAtAllLevels": false, + "showTotal": false, + "showToolbar": false, + "totalFunc": "sum", + "percentageCol": "", + "autoFitRowToContent": false + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-ccbe7ed0-4c4a-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-11-26T12:58:31.486Z", + "version": "WzU4NjMsMV0=" +} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-d0c885a0-4c5b-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-d0c885a0-4c5b-11ec-9023-a76a2cb41dcd.json
new file mode 100644
index 00000000000..9cea071ae5c
--- /dev/null
+++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-d0c885a0-4c5b-11ec-9023-a76a2cb41dcd.json
@@ -0,0 +1,177 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.app_connector_status\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] CPU Utilization by Connector over time", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] CPU Utilization by Connector over time", + "type": "line", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "top_hits", + "params": { + "field": "host.cpu.usage", + "aggregate": "concat", + "size": 10, + "sortField": "@timestamp", + "sortOrder": "desc", + "customLabel": "CPU Utilization" + }, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "date_histogram", + "params": { + "field": "@timestamp", + "timeRange": { + "from": "now-15d", + "to": "now" + }, + "useNormalizedEsInterval": true, + "scaleMetricValues": false, + "interval": "auto", + "used_interval": "12h", + "drop_partials": false, + "min_doc_count": 1, + "extended_bounds": {}, + "customLabel": "" + }, + "schema": "segment" + }, + { + "id": "3", + "enabled": true, + "type": "terms", + "params": { + "field": "zscaler_zpa.app_connector_status.connector.name", + "orderBy": "_key", + "order": "desc", + "size": 5, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Connector Name" + }, + "schema": "group" + } + ], + "params": { + "type": "line", + "grid": { + "categoryLines": false + }, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "type": "category", + "position": "bottom", + "show": true, + "scale": { + "type": "linear" + }, + "labels": { + "show": true, + "filter": true, + "truncate": 100 + }, + "title": {}, + "style": {} + } + ], + "valueAxes": [ + { + "id": "ValueAxis-1", + "name": "LeftAxis-1", + "type": "value", + "position": 
"left", + "show": true, + "scale": { + "type": "linear", + "mode": "normal" + }, + "labels": { + "show": true, + "rotate": 0, + "filter": false, + "truncate": 100 + }, + "title": { + "text": "CPU Utilization" + }, + "style": {} + } + ], + "seriesParams": [ + { + "show": true, + "type": "line", + "mode": "normal", + "data": { + "label": "CPU Utilization", + "id": "1" + }, + "valueAxis": "ValueAxis-1", + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "interpolate": "linear", + "showCircles": true, + "circlesRadius": 3 + } + ], + "addTooltip": true, + "detailedTooltip": true, + "palette": { + "type": "palette", + "name": "default" + }, + "addLegend": true, + "legendPosition": "right", + "fittingFunction": "linear", + "times": [], + "addTimeMarker": false, + "truncateLegend": true, + "maxLegendLines": 1, + "labels": {}, + "radiusRatio": 9, + "thresholdLine": { + "show": false, + "value": 10, + "width": 1, + "style": "full", + "color": "#E7664C" + } + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-d0c885a0-4c5b-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-02T08:13:27.959Z", + "version": "WzEwMjAzLDFd" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-d124a2a0-4c4b-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-d124a2a0-4c4b-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..bcfb43b9c63 --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-d124a2a0-4c4b-11ec-9023-a76a2cb41dcd.json 
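Review bot: The CPU series on this chart is a `top_hits` over `host.cpu.usage` with `"size": 10` and `"aggregate": "concat"`, so each date bucket appears to yield up to ten readings joined together rather than a single number, which a line axis cannot plot; the sibling memory chart uses `"size": 1`, and this one should match it. The field choice also differs from the memory chart, which reads the vendor field `zscaler_zpa.app_connector_status.memory.utilization`: ECS defines `host.cpu.usage` as a 0–1 ratio, so if the ingest pipeline (outside this chunk) writes the connector's integer percentage there, the axis title `CPU Utilization` should state the unit, or the chart should read the vendor field like its sibling. Finally, the connector split uses `"orderBy": "_key"`, `"order": "desc"`, `"size": 5`, which shows the five alphabetically last connector names rather than the five busiest; a `top_hits` metric is presumably why `_key` was chosen, since it is not a sortable order target, so switching the metric to `max` would both fix the plotting problem and allow `"orderBy": "1"`.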
@@ -0,0 +1,73 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.user_activity\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Top 10 AppGroups", + "uiStateJSON": {}, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Top 10 AppGroups", + "type": "table", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "count", + "params": {}, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "zscaler_zpa.user_activity.app_group", + "orderBy": "1", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "App Groups" + }, + "schema": "bucket" + } + ], + "params": { + "perPage": 10, + "showPartialRows": false, + "showMetricsAtAllLevels": false, + "showTotal": false, + "showToolbar": false, + "totalFunc": "sum", + "percentageCol": "", + "autoFitRowToContent": false + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-d124a2a0-4c4b-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-11-26T12:58:31.486Z", + "version": "WzU4NjQsMV0=" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-d8e44aa0-5992-11ec-b2d0-45019404f2e5.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-d8e44aa0-5992-11ec-b2d0-45019404f2e5.json new file mode 100644 index 00000000000..d12c7455940 --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-d8e44aa0-5992-11ec-b2d0-45019404f2e5.json 
@@ -0,0 +1,109 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.browser_access\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Distribution of OS across user.", + "uiStateJSON": { + "vis": { + "legendOpen": true + } + }, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Distribution of OS across user.", + "type": "pie", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "cardinality", + "params": { + "field": "user.name" + }, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "user_agent.os.name", + "orderBy": "1", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing" + }, + "schema": "segment" + }, + { + "id": "3", + "enabled": true, + "type": "terms", + "params": { + "field": "user_agent.os.version", + "orderBy": "1", + "order": "desc", + "size": 5, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing" + }, + "schema": "segment" + } + ], + "params": { + "type": "pie", + "addTooltip": true, + "addLegend": true, + "legendPosition": "right", + "nestedLegend": false, + "truncateLegend": true, + "maxLegendLines": 1, + "distinctColors": false, + "isDonut": false, + "palette": { + "type": "palette", + "name": "default" + }, + "labels": { + "show": true, + "last_level": false, + "values": true, + "valuesFormat": "percent", + "percentDecimals": 2, + "truncate": 100, + "position": "default" + }, + "row": false + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-d8e44aa0-5992-11ec-b2d0-45019404f2e5", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-10T08:26:18.069Z", + "version": "WzEwNTMsMV0=" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-e86c2d90-4c49-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-e86c2d90-4c49-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..ba5f6fc4003 --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-e86c2d90-4c49-11ec-9023-a76a2cb41dcd.json 
@@ -0,0 +1,73 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.user_activity\" and zscaler_zpa.user_activity.connection.status : \"active\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Top 10 Active Users", + "uiStateJSON": {}, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Top 10 Active Users", + "type": "table", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "count", + "params": {}, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "user.name", + "orderBy": "1", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "User Name" + }, + "schema": "bucket" + } + ], + "params": { + "perPage": 10, + "showPartialRows": false, + "showMetricsAtAllLevels": false, + "showTotal": false, + "showToolbar": false, + "totalFunc": "sum", + "percentageCol": "", + "autoFitRowToContent": false + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-e86c2d90-4c49-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-03T09:50:43.417Z", + "version": "WzMwMjYwLDFd" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-f03d3c90-4c5c-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-f03d3c90-4c5c-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..0878d86a459 --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-f03d3c90-4c5c-11ec-9023-a76a2cb41dcd.json 
@@ -0,0 +1,177 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.app_connector_status\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Memory Utilization by Connector over time", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Memory Utilization by Connector over time", + "type": "line", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "top_hits", + "params": { + "field": "zscaler_zpa.app_connector_status.memory.utilization", + "aggregate": "concat", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc", + "customLabel": "Memory Utilization" + }, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "date_histogram", + "params": { + "field": "@timestamp", + "timeRange": { + "from": "now-15d", + "to": "now" + }, + "useNormalizedEsInterval": true, + "scaleMetricValues": false, + "interval": "auto", + "used_interval": "12h", + "drop_partials": false, + "min_doc_count": 1, + "extended_bounds": {}, + "customLabel": "" + }, + "schema": "segment" + }, + { + "id": "3", + "enabled": true, + "type": "terms", + "params": { + "field": "zscaler_zpa.app_connector_status.connector.name", + "orderBy": "_key", + "order": "desc", + "size": 5, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Connector Name" + }, + "schema": "group" + } + ], + "params": { + "type": "line", + "grid": { + "categoryLines": false + }, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "type": "category", + "position": "bottom", + "show": true, + "scale": { + "type": "linear" + }, + "labels": { + "show": true, + "filter": true, + "truncate": 100 + }, + "title": {}, + "style": {} + } + ], + "valueAxes": [ + { + "id": "ValueAxis-1", + "name": 
"LeftAxis-1", + "type": "value", + "position": "left", + "show": true, + "scale": { + "type": "linear", + "mode": "normal" + }, + "labels": { + "show": true, + "rotate": 0, + "filter": false, + "truncate": 100 + }, + "title": { + "text": "Memory Utilization" + }, + "style": {} + } + ], + "seriesParams": [ + { + "show": true, + "type": "line", + "mode": "normal", + "data": { + "label": "Memory Utilization", + "id": "1" + }, + "valueAxis": "ValueAxis-1", + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "interpolate": "linear", + "showCircles": true, + "circlesRadius": 3 + } + ], + "addTooltip": true, + "detailedTooltip": true, + "palette": { + "type": "palette", + "name": "default" + }, + "addLegend": true, + "legendPosition": "right", + "fittingFunction": "linear", + "times": [], + "addTimeMarker": false, + "truncateLegend": true, + "maxLegendLines": 1, + "labels": {}, + "radiusRatio": 9, + "thresholdLine": { + "show": false, + "value": 10, + "width": 1, + "style": "full", + "color": "#E7664C" + } + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-f03d3c90-4c5c-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-02T08:14:55.427Z", + "version": "WzEwMjU4LDFd" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-f2e526e0-4c63-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-f2e526e0-4c63-11ec-9023-a76a2cb41dcd.json new file mode 100644 index 00000000000..b00eed9fa8e --- /dev/null +++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-f2e526e0-4c63-11ec-9023-a76a2cb41dcd.json 
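Review bot: The connector split on this chart orders by `"orderBy": "_key"`, `"order": "desc"` with `"size": 5`, which selects the five connector names that sort last alphabetically, not the five with the highest utilization, while the title promises memory utilization by connector. The `top_hits` metric with `"size": 1` sorted on `@timestamp` desc also keeps only the newest sample per histogram bucket and discards the rest, which hides short spikes on a capacity chart. A `max` aggregation on `zscaler_zpa.app_connector_status.memory.utilization` would keep the peaks and, unlike `top_hits`, can be used as the terms order target (`"orderBy": "1"`), so the split would show the connectors that actually matter; if the latest-sample semantics are intentional, say so in the `description`, which is currently empty.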
@@ -0,0 +1,91 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.audit\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Distribution of Audit Events by type of Operation", + "uiStateJSON": { + "vis": { + "legendOpen": true + } + }, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Distribution of Audit Events by type of Operation", + "type": "pie", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "count", + "params": {}, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "zscaler_zpa.audit.operation_type", + "orderBy": "1", + "order": "desc", + "size": 5, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Audit Operation type" + }, + "schema": "segment" + } + ], + "params": { + "type": "pie", + "addTooltip": true, + "addLegend": true, + "legendPosition": "right", + "nestedLegend": false, + "truncateLegend": true, + "maxLegendLines": 1, + "distinctColors": false, + "isDonut": false, + "palette": { + "type": "palette", + "name": "temperature" + }, + "labels": { + "show": true, + "last_level": false, + "values": true, + "valuesFormat": "percent", + "percentDecimals": 2, + "truncate": 100, + "position": "default" + } + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-f2e526e0-4c63-11ec-9023-a76a2cb41dcd", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-02T07:25:49.816Z", + "version": "WzkzNjMsMV0=" +} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-fc5f4ea0-4ebe-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-fc5f4ea0-4ebe-11ec-9527-b704eaaa5c53.json
new file mode 100644
index 00000000000..5294dc4d4b1
--- /dev/null
+++ b/packages/zscaler_zpa/kibana/visualization/zscaler_zpa-fc5f4ea0-4ebe-11ec-9527-b704eaaa5c53.json
@@ -0,0 +1,73 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "query": { + "query": "data_stream.dataset : \"zscaler_zpa.audit\"", + "language": "kuery" + }, + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index" + } + }, + "title": "[Zscaler][ZPA] Top 10 Objects on which most operations are performed", + "uiStateJSON": {}, + "version": 1, + "visState": { + "title": "[Zscaler][ZPA] Top 10 Objects on which most operations are performed", + "type": "table", + "aggs": [ + { + "id": "1", + "enabled": true, + "type": "count", + "params": {}, + "schema": "metric" + }, + { + "id": "2", + "enabled": true, + "type": "terms", + "params": { + "field": "zscaler_zpa.audit.object.name", + "orderBy": "1", + "order": "desc", + "size": 10, + "otherBucket": false, + "otherBucketLabel": "Other", + "missingBucket": false, + "missingBucketLabel": "Missing", + "customLabel": "Object Name" + }, + "schema": "bucket" + } + ], + "params": { + "perPage": 10, + "showPartialRows": false, + "showMetricsAtAllLevels": false, + "showTotal": false, + "showToolbar": false, + "totalFunc": "sum", + "percentageCol": "", + "autoFitRowToContent": false + } + } + }, + "coreMigrationVersion": "7.16.0", + "id": "zscaler_zpa-fc5f4ea0-4ebe-11ec-9527-b704eaaa5c53", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-12-02T07:27:29.190Z", + "version": "Wzk0NjYsMV0=" +} \ No newline at end of file diff --git a/packages/zscaler_zpa/manifest.yml b/packages/zscaler_zpa/manifest.yml new file mode 100644 index 00000000000..8f1a091f11d --- /dev/null +++ b/packages/zscaler_zpa/manifest.yml 
@@ -0,0 +1,70 @@
+format_version: 1.0.0
+name: zscaler_zpa
+title: "Zscaler Private Access"
+version: 0.1.0
+license: basic
+description: Collect logs from Zscaler Private Access (ZPA) with Elastic Agent.
+type: integration
+categories:
+ - security
+release: beta
+conditions:
+ kibana.version: ^7.16.2 || ^8.0.0
+screenshots:
+ - src: /img/zscaler-zpa-screenshot.png
+ title: Zscaler ZPA app connector status dashboard screenshot
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/zscaler-logo.svg
+ title: Zscaler logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: zscaler_zpa
+ title: Zscaler Private Access logs
+ description: Collect Zscaler Private Access logs
+ inputs:
+ - type: tcp
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ title: Collect Zscaler Private Access logs via TCP input
+ description: Collecting Zscaler Private Access logs via TCP input
+owner:
+ github: elastic/security-external-integrations
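Review bot: The `ssl` variable's description and its commented example only mention `certificate_authorities`, `supported_protocols` and `verification_mode`, none of which is what turns TLS on for a listening TCP input: as far as I know the input acts as the TLS server and needs a server `certificate` and `key` before anything is encrypted, so a user who uncomments the example as-is still receives the LSS log stream (user, session and IP data) over plaintext TCP. Because the option is also `show_user: false`, this description is the only place the requirement would be visible to most users. I would change it to `description: TLS options for the TCP listener, e.g. certificate, key, certificate_authorities, client_authentication, supported_protocols, verification_mode. The listener accepts plaintext only until certificate and key are set.` and add commented `#certificate:` / `#key:` placeholder lines above the existing CA block in the default. The `i.e.` in the current text should in any case be `e.g.`, since the list is illustrative.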
