ZScaler Zia - initial commit tests

Author: shaeqahmed

examples/zscaler_zia_alerts/fields/base-fields.yml

@@ -0,0 +1,20 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset.
+- name: data_stream.namespace
+  type: constant_keyword
+  description: Data stream namespace.
+- name: '@timestamp'
+  type: date
+  description: Event timestamp.
+- name: event.module
+  type: constant_keyword
+  description: Event module.
+  value: zscaler_zia
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset.
+  value: zscaler_zia.alerts

examples/zscaler_zia_alerts/fields/beats.yml

@@ -0,0 +1,9 @@
+- name: input.type
+  type: keyword
+  description: Type of Filebeat input.
+- name: log.offset
+  type: long
+  description: Log offset.
+- name: tags
+  type: keyword
+  description: User defined tags.

examples/zscaler_zia_alerts/fields/fields.yml

@@ -0,0 +1,14 @@
+- name: zscaler_zia.alerts
+  type: group
+  fields:
+    - name: connection_lost_minutes
+      type: double
+      description: |
+        Amount of time after loosing connection to a server in Minutes.
+    - name: log_feed_name
+      type: keyword
+      description: |
+        Name of the NSS log feed.
+- name: log.source.address
+  type: keyword
+  description: Source address from which the log event was read / sent from.

examples/zscaler_zia_alerts/log_source.yml

@@ -0,0 +1,52 @@
+name: zscaler_zia_alerts
+
+schema:
+  ecs_field_names:
+  - event.dataset
+  - event.module
+  - log.syslog.priority
+  - related.ip
+  - related.user
+  - tags
+  fields:
+  - name: zscaler_zia
+    type:
+      type: struct
+      fields:
+      - name: alerts
+        type:
+          type: struct
+          fields:
+          - name: connection_lost_minutes
+            type: double
+          - name: log_feed_name
+            type: string
+
+transform: |
+  .event.original = del(.message)
+                                             
+  _grokked, err = parse_groks(.event.original, ["^<%{NUMBER:log.syslog.priority}>%{SYSLOGTIMESTAMP:_tmp.timestamp} \\[%{IPORHOST:destination.address}\\] %{GREEDYDATA:message}$"])  
+  if err == null {                                                            
+      . |= _grokked                                                            
+  }                                                                      
+                                                        
+  _grokked, err = parse_groks(.message, ["^ZscalerNSS: Zscaler cloud configuration connection to  %{IPORHOST:destination.address}:%{NUMBER:destination.port} lost and unavailable for the past %{NUMBER:zscaler_zia.alerts.connection_lost_minutes} minutes$", "^ZscalerNSS: SIEM Feed connection \"%{GREEDYDATA:zscaler_zia.alerts.log_feed_name}\" to %{IPORHOST:destination.address}:%{NUMBER:destination.port} lost and unavailable for the past %{NUMBER:zscaler_zia.alerts.connection_lost_minutes} minutes$"])  
+  if err == null {                                                            
+      . |= _grokked                                                            
+  }
+
+  .zscaler_zia.alerts.connection_lost_minutes = to_float(.zscaler_zia.alerts.connection_lost_minutes) ?? null
+  .log.syslog.priority = to_int(.log.syslog.priority) ?? null
+  .destination.port = to_int(.destination.port) ?? null                                                          
+
+  if .destination.address != null {                       
+      .destination.ip = to_string!(.destination.address) 
+  }                                                  
+
+  if .destination.ip != null { 
+      .related.ip = push!(.related.ip, .destination.ip) 
+  }
+      
+  if !is_nullish(._tmp.timestamp) { 
+  	  .ts = to_timestamp!(._tmp.timestamp, "seconds") 
+  }

examples/zscaler_zia_alerts/test/test-alerts.log

@@ -0,0 +1,3 @@
+<114>Dec 31 12:01:04 [175.16.199.1] ZscalerNSS: Zscaler cloud configuration connection to  175.16.199.1:443 lost and unavailable for the past 2325.00 minutes
+<114>Dec 31 13:02:05 [81.2.69.193] ZscalerNSS: SIEM Feed connection "DNS Logs Feed" to 81.2.69.193:9012 lost and unavailable for the past 2440.00 minutes
+<114>Dec 31 14:03:06 [81.2.69.193] Hey, that's a new type of alert. Isn't it?

examples/zscaler_zia_alerts/test/test-alerts.log-expected.json

@@ -0,0 +1,98 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2023-12-31T12:01:04.000Z",
+            "destination": {
+                "address": "175.16.199.1",
+                "ip": "175.16.199.1",
+                "port": 443
+            },
+            "ecs": {
+                "version": "8.6.0"
+            },
+            "event": {
+                "original": "\u003c114\u003eDec 31 12:01:04 [175.16.199.1] ZscalerNSS: Zscaler cloud configuration connection to  175.16.199.1:443 lost and unavailable for the past 2325.00 minutes"
+            },
+            "log": {
+                "syslog": {
+                    "priority": 114
+                }
+            },
+            "message": "ZscalerNSS: Zscaler cloud configuration connection to  175.16.199.1:443 lost and unavailable for the past 2325.00 minutes",
+            "related": {
+                "ip": [
+                    "175.16.199.1"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "zscaler_zia": {
+                "alerts": {
+                    "connection_lost_minutes": 2325.0
+                }
+            }
+        },
+        {
+            "@timestamp": "2023-12-31T13:02:05.000Z",
+            "destination": {
+                "address": "81.2.69.193",
+                "ip": "81.2.69.193",
+                "port": 9012
+            },
+            "ecs": {
+                "version": "8.6.0"
+            },
+            "event": {
+                "original": "\u003c114\u003eDec 31 13:02:05 [81.2.69.193] ZscalerNSS: SIEM Feed connection \"DNS Logs Feed\" to 81.2.69.193:9012 lost and unavailable for the past 2440.00 minutes"
+            },
+            "log": {
+                "syslog": {
+                    "priority": 114
+                }
+            },
+            "message": "ZscalerNSS: SIEM Feed connection \"DNS Logs Feed\" to 81.2.69.193:9012 lost and unavailable for the past 2440.00 minutes",
+            "related": {
+                "ip": [
+                    "81.2.69.193"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "zscaler_zia": {
+                "alerts": {
+                    "connection_lost_minutes": 2440.0,
+                    "log_feed_name": "DNS Logs Feed"
+                }
+            }
+        },
+        {
+            "@timestamp": "2023-12-31T14:03:06.000Z",
+            "destination": {
+                "address": "81.2.69.193",
+                "ip": "81.2.69.193"
+            },
+            "ecs": {
+                "version": "8.6.0"
+            },
+            "event": {
+                "original": "\u003c114\u003eDec 31 14:03:06 [81.2.69.193] Hey, that's a new type of alert. Isn't it?"
+            },
+            "log": {
+                "syslog": {
+                    "priority": 114
+                }
+            },
+            "message": "Hey, that's a new type of alert. Isn't it?",
+            "related": {
+                "ip": [
+                    "81.2.69.193"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}

examples/zscaler_zia_alerts/test/test-common-config.yml

@@ -0,0 +1,5 @@
+dynamic_fields:
+  "@timestamp": "^[0-9]{4}(-[0-9]{2}){2}T[0-9]{2}(:[0-9]{2}){2}\\.[0-9]{3}"
+fields:
+  tags:
+    - preserve_original_event

examples/zscaler_zia_dns/fields/base-fields.yml

@@ -0,0 +1,20 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset.
+- name: data_stream.namespace
+  type: constant_keyword
+  description: Data stream namespace.
+- name: '@timestamp'
+  type: date
+  description: Event timestamp.
+- name: event.module
+  type: constant_keyword
+  description: Event module.
+  value: zscaler_zia
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset.
+  value: zscaler_zia.dns

examples/zscaler_zia_dns/fields/beats.yml

@@ -0,0 +1,9 @@
+- name: input.type
+  type: keyword
+  description: Type of Filebeat input.
+- name: log.offset
+  type: long
+  description: Log offset.
+- name: tags
+  type: keyword
+  description: User defined tags.

examples/zscaler_zia_dns/fields/fields.yml

@@ -0,0 +1,48 @@
+- name: zscaler_zia.dns
+  type: group
+  fields:
+    - name: department
+      type: keyword
+      description: |
+        Department of the user.
+    - name: dom.category
+      type: keyword
+      description: |
+        URL Category of the FQDN in the DNS request.
+    - name: duration.milliseconds
+      type: long
+      description: |
+        Duration of the DNS request in milliseconds.
+    - name: hostname
+      type: keyword
+      description: |
+        N/A
+    - name: location
+      type: keyword
+      description: |
+        Gateway location or sub-location of the source.
+    - name: request
+      type: group
+      fields:
+        - name: action
+          type: keyword
+          description: |
+            Name of the action that was applied to the DNS request.
+        - name: rule.label
+          type: keyword
+          description: |
+            Name of the rule that was applied to the DNS request.
+    - name: response
+      type: group
+      fields:
+        - name: action
+          type: keyword
+          description: |
+            Name of the action that was applied to the DNS response.
+        - name: rule.label
+          type: keyword
+          description: |-
+            Name of the rule that was applied to the DNS response.
+- name: log.source.address
+  type: keyword
+  description: Source address from which the log event was read / sent from.

examples/zscaler_zia_dns/test/test-common-config.yml

@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_original_event

examples/zscaler_zia_dns/test/test-dns-http-endpoint.log

@@ -0,0 +1 @@
+{"sourcetype":"zscalernss-dns","input": {"type": "http_endpoint"}, "event":{"location":"Unknown","deviceowner":"NA","devicehostname":"NA","dns_req":"Unknown","resaction":"None","durationms":"34000","category":"Other","resrulelabel":"None","dns_reqtype":"NotFound","dns_resp":"NotFound","department":"Unknown","user":"Unknown","reqaction":"None","datetime":"Tue Dec  31 02:22:22 2021","srv_dip":"0.0.0.0","clt_sip":"0.0.0.0","reqrulelabel":"None","srv_dport":"0"}}

examples/zscaler_zia_dns/test/test-dns-http-endpoint.log-expected.json

@@ -0,0 +1,75 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2021-12-31T02:22:22.000Z",
+            "destination": {
+                "ip": "0.0.0.0",
+                "port": 0
+            },
+            "dns": {
+                "answers": {
+                    "name": "NotFound"
+                },
+                "question": {
+                    "name": "Unknown",
+                    "type": "NotFound"
+                }
+            },
+            "ecs": {
+                "version": "8.6.0"
+            },
+            "event": {
+                "category": [
+                    "network"
+                ],
+                "duration": 34000000000,
+                "kind": "event",
+                "original": "{\"sourcetype\":\"zscalernss-dns\",\"input\": {\"type\": \"http_endpoint\"}, \"event\":{\"location\":\"Unknown\",\"deviceowner\":\"NA\",\"devicehostname\":\"NA\",\"dns_req\":\"Unknown\",\"resaction\":\"None\",\"durationms\":\"34000\",\"category\":\"Other\",\"resrulelabel\":\"None\",\"dns_reqtype\":\"NotFound\",\"dns_resp\":\"NotFound\",\"department\":\"Unknown\",\"user\":\"Unknown\",\"reqaction\":\"None\",\"datetime\":\"Tue Dec  31 02:22:22 2021\",\"srv_dip\":\"0.0.0.0\",\"clt_sip\":\"0.0.0.0\",\"reqrulelabel\":\"None\",\"srv_dport\":\"0\"}}",
+                "type": [
+                    "info"
+                ]
+            },
+            "network": {
+                "protocol": "dns"
+            },
+            "related": {
+                "ip": [
+                    "0.0.0.0"
+                ]
+            },
+            "source": {
+                "ip": "0.0.0.0"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "email": "Unknown"
+            },
+            "zscaler_zia": {
+                "dns": {
+                    "department": "Unknown",
+                    "dom": {
+                        "category": "Other"
+                    },
+                    "duration": {
+                        "milliseconds": 34000
+                    },
+                    "location": "Unknown",
+                    "request": {
+                        "action": "None",
+                        "rule": {
+                            "label": "None"
+                        }
+                    },
+                    "response": {
+                        "action": "None",
+                        "rule": {
+                            "label": "None"
+                        }
+                    }
+                }
+            }
+        }
+    ]
+}

examples/zscaler_zia_dns/test/test-dns.log

@@ -0,0 +1 @@
+{ "sourcetype" : "zscalernss-dns", "event" :{"datetime":"Fri Dec 31 01:11:11 2021","user":"[email protected]","department":"Unknown","location":"TestLoc%20DB","reqaction":"REQ_ALLOW","resaction":"Some Response Action","reqrulelabel":"Access%20Blocked","resrulelabel":"None","dns_reqtype":"Some type","dns_req":"example.com","dns_resp":"Some response string","srv_dport":"8080","durationms":"123456","clt_sip":"89.160.20.112","srv_dip":"89.160.20.156","category":"Professional Services","deviceowner":"Owner77","devicehostname":"Machine9000"}}