Skip to content

[zscaler_zia] Add ZScaler ZIA package.#2459

Merged
andrewkroh merged 5 commits intoelastic:mainfrom
vinit-chauhan:package_zscaler_zia
Feb 16, 2022
Merged

[zscaler_zia] Add ZScaler ZIA package.#2459
andrewkroh merged 5 commits intoelastic:mainfrom
vinit-chauhan:package_zscaler_zia

Conversation

@vinit-chauhan
Copy link
Contributor

@vinit-chauhan vinit-chauhan commented Jan 3, 2022

What does this PR do?

  • Generated the skeleton of the ZScaler ZIA integration package.
  • Added 5 data streams (Alert, DNS, Firewall, Tunnel, and Web Logs).
  • Added data collection logic for all 5 data streams.
  • Added the ingest pipeline for all the data streams.
  • Mapped fields according to the ECS schema and added Fields metadata in the appropriate yml files
  • Added dashboards and visualizations.
  • Added test for pipeline for all the data streams.
  • Added system test cases for all the data streams.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • If I'm introducing a new feature, I have modified the Kibana version constraint in my package's manifest.yml file to point to the latest Elastic stack release (e.g. ^7.16.2).

How to test this PR locally

  • Clone integrations repo.
  • Install elastic-package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/zscaler_zia directory.
  • Run the following command to run tests.

elastic-package test

Screenshots

image
image
image
image

@elasticmachine
Copy link

elasticmachine commented Jan 3, 2022
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-02-16T17:39:44.695+0000

  • Duration: 25 min 46 sec

Test stats 🧪

Test Results
Failed 0
Passed 60
Skipped 0
Total 60

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@vinit-chauhan vinit-chauhan marked this pull request as ready for review January 6, 2022 13:58
@elasticmachine
Copy link

elasticmachine commented Jan 6, 2022

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

efd6
efd6 reviewed Jan 9, 2022
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Query: update ECS version to 8.0.0 here?

packages/zscaler_zia/_dev/build/docs/README.md

ZScaler response format:
```json
\{ "sourcetype" : "zscalernss-dns", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","reqaction":"%s{reqaction}","resaction":"%s{resaction}","reqrulelabel":"%s{reqrulelabel}","resrulelabel":"%s{resrulelabel}","dns_reqtype":"%s{reqtype}","dns_req":"%s{req}","dns_resp":"%s{res}","srv_dport":"%d{sport}","durationms":"%d{durationms}","clt_sip":"%s{cip}","srv_dip":"%s{sip}","category":"%s{domcat}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}
Copy link
Contributor

@efd6 efd6 Jan 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Query why the outer braces are escaped here and below.

Copy link
Contributor Author

@vinit-chauhan vinit-chauhan Jan 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Basically, it is the default syntax that the user has to put in the response format configuration section in the ZScaler.

Copy link
Contributor

@efd6 efd6 Jan 31, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK so they are not really JSON, but rather opaque strings that just happen to resolve to JSON when fed to the configuration. I'd suggest that the json syntax marker be removed and some additional text be added explaining how the string should be used.

Note that these look different to the ZPA response format strings that lack the \-escaped braces (see here). Is this expected; are they actually different or is it just an accident of documentation editing?

Copy link
Contributor Author

@vinit-chauhan vinit-chauhan Feb 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Firstly, We have removed the JSON marker from the section as it is not a valid JSON. Additionally, The SOP for the end-user is mentioned clearly in the README.md file.

Secondly, to answer your second comment, yes, the response formats for both ZIA and ZPA are different. For both ZIA and ZPA it is required that the exact string, which we have given in the user guide is to be put in the Response Format section.

Copy link
Contributor

@efd6 efd6 Feb 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for clarifying. I think that the user instructions for use of the response format strings could be expanded a little. I doesn't need a lot, just where they should be pasted.

Copy link
Contributor Author

@vinit-chauhan vinit-chauhan Feb 15, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, I will update the steps to be simpler, and I will also add a step where it describes where to put the given response format.

@efd6
Copy link
Contributor

efd6 commented Jan 9, 2022

/test

@vinit-chauhan
- Updated documentation.
9ec2a26 
- Corrected the case in vendor name
@vinit-chauhan
Copy link
Contributor Author

vinit-chauhan commented Jan 21, 2022

/test

1 similar comment
@marc-gr
Copy link
Contributor

marc-gr commented Jan 25, 2022

/test

andrewkroh
andrewkroh reviewed Jan 27, 2022
View reviewed changes
efd6
efd6 reviewed Feb 1, 2022
View reviewed changes
@andrewkroh
Copy link
Member

andrewkroh commented Feb 1, 2022

  • As a follow up to merging this the zscaler package needs to be marked as deprecated.

@vinit-chauhan
- Removed extra newline ( README.md: line 123 )
edc02f8 
- Removed dynamic_fields section from pipeline tests
- Updated ecs version to 8.0.0
- Converted values of network.protocol to lowercase.
- Updated mappings
- Added newline in logfiles
- Re-generated pipeline test expacted files.
@andrewkroh
Copy link
Member

andrewkroh commented Feb 9, 2022

/test

@andrewkroh
Copy link
Member

andrewkroh commented Feb 10, 2022

/test

@vinit-chauhan vinit-chauhan requested a review from efd6 February 10, 2022 12:29
andrewkroh
andrewkroh reviewed Feb 10, 2022
View reviewed changes
@jamiehynds jamiehynds linked an issue Feb 16, 2022 that may be closed by this pull request
Zscaler Internet Access #1134
Closed
15 tasks
@andrewkroh
Copy link
Member

andrewkroh commented Feb 16, 2022

/test

@andrewkroh andrewkroh merged commit cde118b into elastic:main Feb 16, 2022
This was referenced Feb 16, 2022
Merged
Merged
andrewkroh added a commit that referenced this pull request Feb 16, 2022
@andrewkroh
zscaler - Mark package as deprecated (#2708)
8359e92 
There are now Zscaler ZIA and Zscaler ZPA integrations that are specific Zscaler products.
This package is being marked as deprecated. The new integrations are not generated parsers
based on rsa2elk.

Relates #2459
@andrewkroh andrewkroh mentioned this pull request Feb 22, 2022
Merged
@andrewkroh andrewkroh added the New Integration Issue or pull request for creating a new integration package. label Aug 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@marc-gr marc-gr marc-gr left review comments

@andrewkroh andrewkroh andrewkroh approved these changes

@efd6 efd6 Awaiting requested review from efd6

Assignees

No one assigned

Labels

Integration:zscaler_zia Zscaler Internet Access New Integration Issue or pull request for creating a new integration package.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Zscaler Internet Access

5 participants

@vinit-chauhan @elasticmachine @efd6 @marc-gr @andrewkroh