diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 64455992ad82d..0341358c6c750 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -650,6 +650,11 @@ plaid/assets/logs/ @DataDog/saa
 /checkpoint_harmony_endpoint/manifest.json @DataDog/agent-integrations @DataDog/documentation
 /checkpoint_harmony_endpoint/assets/logs/ @DataDog/agent-integrations @DataDog/documentation @DataDog/logs-backend @DataDog/logs-core
+/zscaler_private_access/ @DataDog/agent-integrations
+/zscaler_private_access/*.md @DataDog/agent-integrations @DataDog/documentation
+/zscaler_private_access/manifest.json @DataDog/agent-integrations @DataDog/documentation
+/zscaler_private_access/assets/logs/ @DataDog/agent-integrations @DataDog/documentation @DataDog/logs-backend
+
 # To keep Security up-to-date with changes to the signing tool.
 /datadog_checks_dev/datadog_checks/dev/tooling/signing.py @DataDog/agent-integrations
 # As well as the secure downloader.
diff --git a/.github/workflows/config/labeler.yml b/.github/workflows/config/labeler.yml
index 5cf70f7355c08..be039a8ced2b7 100644
--- a/.github/workflows/config/labeler.yml
+++ b/.github/workflows/config/labeler.yml
@@ -771,6 +771,8 @@ integration/zerofox_cloud_platform:
 - zerofox_cloud_platform/**/*
 integration/zk:
 - zk/**/*
+integration/zscaler_private_access:
+- zscaler_private_access/**/*
 qa/skip-qa:
 - '**/__about__.py'
 - requirements-agent-release.txt
diff --git a/zscaler_private_access/CHANGELOG.md b/zscaler_private_access/CHANGELOG.md
new file mode 100644
index 0000000000000..e2f009306ec27
--- /dev/null
+++ b/zscaler_private_access/CHANGELOG.md
@@ -0,0 +1,3 @@
+# CHANGELOG - Zscaler Private Access
+
+
diff --git a/zscaler_private_access/README.md b/zscaler_private_access/README.md
new file mode 100644
index 0000000000000..73025ccdcf0ee
--- /dev/null
+++ b/zscaler_private_access/README.md
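Review bot: The new `/zscaler_private_access/assets/logs/` owner line lists only `@DataDog/logs-backend`, while the neighbouring `/checkpoint_harmony_endpoint/assets/logs/` context line in the same hunk also names `@DataDog/logs-core`. If logs-core is meant to gate pipeline and processor changes for log integrations, the new integration's pipeline assets would merge without that review; confirm which owner set is current for new log integrations and align the line, e.g. `/zscaler_private_access/assets/logs/ @DataDog/agent-integrations @DataDog/documentation @DataDog/logs-backend @DataDog/logs-core`. The discrepancy may be intentional, but nothing in the change says so.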
@@ -0,0 +1,230 @@
+# Zscaler Private Access
+
+## Overview
+
+The [Zscaler Private Access][4] (ZPA) service enables organizations to provide access to internal applications and services while ensuring the security of their networks. ZPA is an easier to deploy, more cost-effective, and more secure alternative to VPNs. Unlike VPNs, which require users to connect to your network to access your enterprise applications, ZPA allows you to give users policy-based secure access only to the internal apps they need to get their work done.
+
+The integration parses and ingests the following types of logs:
+- User Activity
+- User Status
+- App Connector Metrics
+- App Connector Status
+- Private Service Edge Metrics
+- Private Service Edge Status
+- Browser Access
+- Audit Logs
+- AppProtection
+- Private Cloud Controller Status
+- Private Cloud Controller Metrics
+- Microsegmentation Flow.
+
+Datadog uses its built-in log pipelines to parse and enrich these logs, facilitating easy search and detailed insights. Visualize detailed insights into these logs with out-of-the-box dashboards. Additionally, the integration includes ready-to-use Cloud SIEM detection rules and monitors for enhanced monitoring and security.
+
+## Setup
+
+### Installation
+
+To install the Zscaler Private Access integration, run the following Agent installation command in your terminal. Then, complete the configuration steps. For more information, see the [Integration Management][5] documentation.
+
+**Note**: This step is not necessary for Agent version >= 7.71.0.
+
+```shell
+sudo -u dd-agent -- datadog-agent integration install datadog-zscaler_private_access==1.0.0
+```
+
+### Configuration
+
+#### Log collection
+
+1. Collecting logs is disabled by default in the Datadog Agent. Enable it in `datadog.yaml`:
+
+ ```yaml
+ logs_enabled: true
+ ```
+
+2. Add this configuration block to your `zscaler_private_access.d/conf.yaml` file to start collecting your logs.
+
+ See the sample [zscaler_private_access.d/conf.yaml][6] for available configuration options.
+
+ ```yaml
+ logs:
+ - type: tcp
+ port:
+ source: zscaler-private-access
+ ```
+
+ **Note**:
+
+ - `PORT`: Port should be similar to the port provided in **Configure log receiver from Zscaler Private Access** section.
+ - It is recommended not to change the source value, as these parameters are integral to the pipeline's operation.
+
+3. [Restart the Agent][1].
+
+#### Configure log receiver from Zscaler Private Access
+
+1. Sign in to the Zscaler Private Access (ZPA) Admin Portal.
+2. Go to **Configuration & Control > Private Infrastructure > LOG STREAMING SERVICE > Log Receivers**.
+3. Click **Add**.
+4. In the **Log Receiver** tab, configure the following:
+ - **Name**: Provide a name for the log receiver.
+ - **Domain or IP Address**: Enter the public IP or hostname of the Datadog Agent that will receive the logs.
+ - **TCP Port**: Specify an open port on the Datadog Agent for receiving ZPA logs.
+ - **TLS Encryption**: Keep it disabled.
+ - **App Connector Groups**: Choose the App Connector groups that can forward logs to the receiver.
+5. Click **Next**.
+6. In the **Log Stream** tab:
+ - **Log Type**: Select from the below supported log types.
+ > Note: Create a separate log receiver for each log type.
+ - User Activity
+ - User Status
+ - App Connector Metrics
+ - App Connector Status
+ - Private Service Edge Metrics
+ - Private Service Edge Status
+ - Browser Access
+ - Audit Logs
+ - AppProtection
+ - Private Cloud Controller Status
+ - Private Cloud Controller Metrics
+ - Microsegmentation Flow
+ - **Log Stream Content**: For each selected log type, paste the provided custom log format from below **Log Formats** section.
+ - **Log Template**: When you paste the custom log format, the log template will be set to **Custom** by default.
+7. Click **Next**.
+8. Review your configuration on the **Review** tab and click **Save**.
+ +#### Log Formats +For Zscaler Private Access integration, specific custom log formats must be configured for each supported log type. The required formats for each log type are outlined below. + + 1. **User Activity Log** + ``` + {"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"ConnectionID": %j{ConnectionID},"InternalReason": %j{InternalReason},"ConnectionStatus": %j{ConnectionStatus},"IPProtocol": %d{IPProtocol},"DoubleEncryption": %d{DoubleEncryption},"Username": %j{Username},"ServicePort": %d{ServicePort},"ClientPublicIP": %j{ClientPublicIP},"ClientPrivateIP": %j{ClientPrivateIP},"ClientLatitude": %f{ClientLatitude},"ClientLongitude": %f{ClientLongitude},"ClientCountryCode": %j{ClientCountryCode},"ClientZEN": %j{ClientZEN},"Policy": %j{Policy},"Connector": %j{Connector},"ConnectorZEN": %j{ConnectorZEN},"ConnectorIP": %j{ConnectorIP},"ConnectorPort": %d{ConnectorPort},"Host": %j{Host},"Application": %j{Application},"AppGroup": %j{AppGroup},"Server": %j{Server},"ServerIP": %j{ServerIP},"ServerPort": %d{ServerPort},"PolicyProcessingTime": %d{PolicyProcessingTime},"ServerSetupTime": %d{ServerSetupTime},"TimestampConnectionStart": %j{TimestampConnectionStart:iso8601},"TimestampConnectionEnd": %j{TimestampConnectionEnd:iso8601},"TimestampCATx": %j{TimestampCATx:iso8601},"TimestampCARx": %j{TimestampCARx:iso8601},"TimestampAppLearnStart": %j{TimestampAppLearnStart:iso8601},"TimestampZENFirstRxClient": %j{TimestampZENFirstRxClient:iso8601},"TimestampZENFirstTxClient": %j{TimestampZENFirstTxClient:iso8601},"TimestampZENLastRxClient": %j{TimestampZENLastRxClient:iso8601},"TimestampZENLastTxClient": %j{TimestampZENLastTxClient:iso8601},"TimestampConnectorZENSetupComplete": %j{TimestampConnectorZENSetupComplete:iso8601},"TimestampZENFirstRxConnector": %j{TimestampZENFirstRxConnector:iso8601},"TimestampZENFirstTxConnector": %j{TimestampZENFirstTxConnector:iso8601},"TimestampZENLastRxConnector": 
%j{TimestampZENLastRxConnector:iso8601},"TimestampZENLastTxConnector": %j{TimestampZENLastTxConnector:iso8601},"ZENTotalBytesRxClient": %d{ZENTotalBytesRxClient},"ZENBytesRxClient": %d{ZENBytesRxClient},"ZENTotalBytesTxClient": %d{ZENTotalBytesTxClient},"ZENBytesTxClient": %d{ZENBytesTxClient},"ZENTotalBytesRxConnector": %d{ZENTotalBytesRxConnector},"ZENBytesRxConnector": %d{ZENBytesRxConnector},"ZENTotalBytesTxConnector": %d{ZENTotalBytesTxConnector},"ZENBytesTxConnector": %d{ZENBytesTxConnector},"Idp": %j{Idp},"ClientToClient": %j{c2c},"ClientCity": %j{ClientCity},"MicroTenantID": %j{MicroTenantID},"AppMicroTenantID": %j{AppMicroTenantID},"Platform": %j{Platform},"Hostname": %j{Hostname},"AppLearnTime": %d{AppLearnTime},"CAProcessingTime": %d{CAProcessingTime},"ConnectionSetupTime": %d{ConnectionSetupTime},"ConnectorZENSetupTime": %d{ConnectorZENSetupTime},"PRAApprovalID": %j{PRAApprovalID},"PRACapabilityPolicyID": %j{PRACapabilityPolicyID},"PRAConnectionID": %j{PRAConnectionID},"PRAConsoleType": %j{PRAConsoleType},"PRACredentialLoginType": %j{PRACredentialLoginType},"PRACredentialPolicyID": %j{PRACredentialPolicyID},"PRACredentialUserName": %j{PRACredentialUserName},"PRAErrorStatus": %j{PRAErrorStatus},"PRAFileTransferList": %j{PRAFileTransferList},"PRARecordingStatus": %j{PRARecordingStatus},"PRASessionType": %j{PRASessionType},"PRASharedMode": %j{PRASharedMode},"PRASharedUserList": %j{PRASharedUserList},"EventType": "user-activity"}\n + ``` + + 2. 
**User Status Log** + ``` + {"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"Username": %j{Username},"SessionID": %j{SessionID},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"ZEN": %j{ZEN},"CertificateCN": %j{CertificateCN},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx},"Idp": %j{Idp},"Hostname": %j{Hostname},"Platform": %j{Platform},"ClientType": %j{ClientType},"TrustedNetworks": [%j(,){TrustedNetworks}],"TrustedNetworksNames": [%j(,){TrustedNetworksNames}],"PosturesHit": [%j(,){PosturesHit}],"PosturesMiss": [%j(,){PosturesMiss}],"ZENLatitude": %f{ZENLatitude},"ZENLongitude": %f{ZENLongitude},"ZENCountryCode": %j{ZENCountryCode},"FQDNRegistered": %j{fqdn_registered},"FQDNRegisteredError": %j{fqdn_register_error},"City": %j{City},"MicroTenantID": %j{MicroTenantID},"SAMLAttributes": %j{SAMLAttributes},"EventType": "user-status"}\n + ``` + + 3. 
**App Connector Metrics Log** + ``` + {"LogTimestamp":%j{LogTimestamp:time},"Connector":%j{Connector},"CPUUtilization":%j{CPUUtilization},"SystemMemoryUtilization":%j{SystemMemoryUtilization},"ProcessMemoryUtilization":%j{ProcessMemoryUtilization},"AppCount":%j{AppCount},"ServiceCount":%j{ServiceCount},"TargetCount":%j{TargetCount},"AliveTargetCount":%j{AliveTargetCount},"ActiveConnectionsToPublicSE":%j{ActiveConnectionsToPublicSE},"DisconnectedConnectionsToPublicSE":%j{DisconnectedConnectionsToPublicSE},"ActiveConnectionsToPrivateSE":%j{ActiveConnectionsToPrivateSE},"DisconnectedConnectionsToPrivateSE":%j{DisconnectedConnectionsToPrivateSE},"TransmittedBytesToPublicSE":%j{TransmittedBytesToPublicSE},"ReceivedBytesFromPublicSE":%j{ReceivedBytesFromPublicSE},"TransmittedBytesToPrivateSE":%j{TransmittedBytesToPrivateSE},"ReceivedBytesFromPrivateSE":%j{ReceivedBytesFromPrivateSE},"AppConnectionsCreated":%j{AppConnectionsCreated},"AppConnectionsCleared":%j{AppConnectionsCleared},"AppConnectionsActive":%j{AppConnectionsActive},"UsedTCPPortsIPv4":%j{UsedTCPPortsIPv4},"UsedUDPPortsIPv4":%j{UsedUDPPortsIPv4},"UsedTCPPortsIPv6":%j{UsedTCPPortsIPv6},"UsedUDPPortsIPv6":%j{UsedUDPPortsIPv6},"AvailablePorts":%j{AvailablePorts},"SystemMaximumFileDescriptors":%j{SystemMaximumFileDescriptors},"SystemUsedFileDescriptors":%j{SystemUsedFileDescriptors},"ProcessMaximumFileDescriptors":%j{ProcessMaximumFileDescriptors},"ProcessUsedFileDescriptors":%j{ProcessUsedFileDescriptors},"AvailableDiskBytes":%j{AvailableDiskBytes},"MicroTenantID": %j{MicroTenantID},"EventType": "app-connector-metrics"}\n + ``` + + 4. 
**App Connector Status Log** + ``` + {"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"SessionType": %j{SessionType},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"Platform": %j{Platform},"ZEN": %j{ZEN},"Connector": %j{Connector},"ConnectorGroup": %j{ConnectorGroup},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"CPUUtilization": %d{CPUUtilization},"MemUtilization": %d{MemUtilization},"ServiceCount": %d{ServiceCount},"InterfaceDefRoute": %j{InterfaceDefRoute},"DefRouteGW": %j{DefRouteGW},"PrimaryDNSResolver": %j{PrimaryDNSResolver},"HostStartTime": %j{HostStartTime},"ConnectorStartTime": %j{ConnectorStartTime},"NumOfInterfaces": %d{NumOfInterfaces},"BytesRxInterface": %d{BytesRxInterface},"PacketsRxInterface": %d{PacketsRxInterface},"ErrorsRxInterface": %d{ErrorsRxInterface},"DiscardsRxInterface": %d{DiscardsRxInterface},"BytesTxInterface": %d{BytesTxInterface},"PacketsTxInterface": %d{PacketsTxInterface},"ErrorsTxInterface": %d{ErrorsTxInterface},"DiscardsTxInterface": %d{DiscardsTxInterface},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx},"MicroTenantID": %j{MicroTenantID},"EventType": "app-connector-status"}\n + ``` + + 5. 
**Private Service Edge Metrics Log** + ``` + {"LogTimestamp":%j{LogTimestamp:time},"PrivateSE":%j{PrivateSE},"CPUUtilization":%j{CPUUtilization},"SystemMemoryUtilization":%j{SystemMemoryUtilization},"ProcessMemoryUtilization":%j{ProcessMemoryUtilization},"UsedTCPPortsIPv4":%j{UsedTCPPortsIPv4},"UsedUDPPortsIPv4":%j{UsedUDPPortsIPv4},"UsedTCPPortsIPv6":%j{UsedTCPPortsIPv6},"UsedUDPPortsIPv6":%j{UsedUDPPortsIPv6},"AvailablePorts":%j{AvailablePorts},"SystemMaximumFileDescriptors":%j{SystemMaximumFileDescriptors},"SystemUsedFileDescriptors":%j{SystemUsedFileDescriptors},"ProcessMaximumFileDescriptors":%j{ProcessMaximumFileDescriptors},"ProcessUsedFileDescriptors":%j{ProcessUsedFileDescriptors},"AvailableDiskBytes":%j{AvailableDiskBytes},"MicroTenantID": %j{MicroTenantID},"EventType": "private-service-edge-metrics"}\n + ``` + + 6. **Private Service Edge Status Log** + ``` + {"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"SessionType": %j{SessionType},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"PackageVersion": %j{PackageVersion},"Platform": %j{Platform},"ZEN": %j{ZEN},"ServiceEdge": %j{ServiceEdge},"ServiceEdgeGroup": %j{ServiceEdgeGroup},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"CPUUtilization": %d{CPUUtilization},"MemUtilization": %d{MemUtilization},"InterfaceDefRoute": %j{InterfaceDefRoute},"DefRouteGW": %j{DefRouteGW},"PrimaryDNSResolver": %j{PrimaryDNSResolver},"HostUpTime": %j{HostUpTime},"ServiceEdgeStartTime": %j{ServiceEdgeStartTime},"NumOfInterfaces": %d{NumOfInterfaces},"BytesRxInterface": %d{BytesRxInterface},"PacketsRxInterface": %d{PacketsRxInterface},"ErrorsRxInterface": %d{ErrorsRxInterface},"DiscardsRxInterface": %d{DiscardsRxInterface},"BytesTxInterface": 
%d{BytesTxInterface},"PacketsTxInterface": %d{PacketsTxInterface},"ErrorsTxInterface": %d{ErrorsTxInterface},"DiscardsTxInterface": %d{DiscardsTxInterface},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx},"MicroTenantID": %j{MicroTenantID},"EventType": "private-service-edge-status"}\n + ``` + + 7. **Browser Access Log** + ``` + {"LogTimestamp":%j{LogTimestamp:time},"ConnectionID":%j{ConnectionID},"Exporter":%j{Exporter},"TimestampRequestReceiveStart":%j{TimestampRequestReceiveStart:iso8601},"TimestampRequestReceiveHeaderFinish":%j{TimestampRequestReceiveHeaderFinish:iso8601},"TimestampRequestReceiveFinish":%j{TimestampRequestReceiveFinish:iso8601},"TimestampRequestTransmitStart":%j{TimestampRequestTransmitStart:iso8601},"TimestampRequestTransmitFinish":%j{TimestampRequestTransmitFinish:iso8601},"TimestampResponseReceiveStart":%j{TimestampResponseReceiveStart:iso8601},"TimestampResponseReceiveFinish":%j{TimestampResponseReceiveFinish:iso8601},"TimestampResponseTransmitStart":%j{TimestampResponseTransmitStart:iso8601},"TimestampResponseTransmitFinish":%j{TimestampResponseTransmitFinish:iso8601},"TotalTimeRequestReceive":%d{TotalTimeRequestReceive},"TotalTimeRequestTransmit":%d{TotalTimeRequestTransmit},"TotalTimeResponseReceive":%d{TotalTimeResponseReceive},"TotalTimeResponseTransmit":%d{TotalTimeResponseTransmit},"TotalTimeConnectionSetup":%d{TotalTimeConnectionSetup},"TotalTimeServerResponse":%d{TotalTimeServerResponse},"Method":%j{Method},"Protocol":%j{Protocol},"Host":%j{Host},"URL":%j{URL},"UserAgent":%j{UserAgent},"XFF":%j{XFF},"NameID":%j{NameID},"StatusCode":%d{StatusCode},"RequestSize":%d{RequestSize},"ResponseSize":%d{ResponseSize},"ApplicationPort":%d{ApplicationPort},"ClientPublicIp":%j{ClientPublicIp},"ClientPublicPort":%d{ClientPublicPort},"ClientPrivateIp":%j{ClientPrivateIp},"Customer":%j{Customer},"ConnectionStatus":%j{ConnectionStatus},"ConnectionReason":%j{ConnectionReason},"Origin":%j{Origin},"CorsToken":%j{CorsToken},"EventType": 
"browser-access"}\n + ``` + + 8. **Audit Log** + ``` + {"ModifiedTime":%j{modifiedTime:iso8601},"CreationTime":%j{creationTime:iso8601},"ModifiedBy":%d{modifiedBy},"RequestID":%j{requestId},"SessionID":%j{sessionId},"AuditOldValue":%j{auditOldValue},"AuditNewValue":%j{auditNewValue},"AuditOperationType":%j{auditOperationType},"ObjectType":%j{objectType},"ObjectName":%j{objectName},"ObjectID":%d{objectId},"CustomerID":%d{customerId},"User":%j{modifiedByUser},"ClientAuditUpdate":%d{clientAuditUpdate},"EventType": "audit-logs"}\n + ``` + + 9. **AppProtection Log** + ``` + {"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"ConnectionID": %j{ConnectionID},"UserID": %j{UserID},"AssistantID": %j{AssistantID},"ExchangeSequenceIndex": %d{ExchangeSequenceIndex},"TimestampRequestReceiveStart": %d{TimestampRequestReceiveStart},"TimestampRequestReceiveHeaderFinish": %d{TimestampRequestReceiveHeaderFinish},"TimestampRequestReceiveFinish": %d{TimestampRequestReceiveFinish},"TimestampRequestTransmitStart": %d{TimestampRequestTransmitStart},"TimestampRequestTransmitFinish": %d{TimestampRequestTransmitFinish},"TimestampResponseReceiveFinish": %d{TimestampResponseReceiveFinish},"TimestampResponseTransmitStart": %d{TimestampResponseTransmitStart},"TimestampResponseTransmitFinish": %d{TimestampResponseTransmitFinish},"TotalTimeRequestReceive": %d{TotalTimeRequestReceive},"TotalTimeRequestTransmit": %d{TotalTimeRequestTransmit},"TotalTimeResponseReceive": %d{TotalTimeResponseReceive},"TotalTimeResponseTransmit": %d{TotalTimeResponseTransmit},"Domain": %j{Domain},"Method": %j{Method},"Protocol": %j{Protocol},"ProtocolVersion": %j{ProtocolVersion},"ContentType": %j{ContentType},"ContentEncoding": %j{ContentEncoding},"TransferEncoding": %j{TransferEncoding},"Host": %j{Host},"Destination": %j{Destination},"OriginDomain": %j{OriginDomain},"URL": %j{URL},"UserAgent": %j{UserAgent},"HTTPError": %j{HTTPError},"ClientPublicIp": %j{ClientPublicIp},"ClientPort": 
%d{ClientPort},"UpgradeHeaderPresent": %d{UpgradeHeaderPresent},"StatusCode": %d{StatusCode},"RequestHdrSize": %d{RequestHdrSize},"ResponseHdrSize": %d{ResponseHdrSize},"RequestBodySize": %d{RequestBodySize},"ResponseBodySize": %d{ResponseBodySize},"Application": %d{Application},"ApplicationGroup": %d{ApplicationGroup},"InspectionPolicy": %d{InspectionPolicy},"InspectionProfile": %d{InspectionProfile},"ParanoiaLevel": %d{ParanoiaLevel},"InspectionControlsHitCount": %d{InspectionControlsHitCount},"InspectionRuleProcessingTime": %d{InspectionRuleProcessingTime},"InspectionReqHeadersProcessingTime": %d{InspectionReqHeadersProcessingTime},"InspectionReqBodyProcessingTime": %d{InspectionReqBodyProcessingTime},"InspectionRespHeadersProcessingTime": %d{InspectionRespHeadersProcessingTime},"InspectionRespBodyProcessingTime": %d{InspectionRespBodyProcessingTime},"CertificateId": %d{CertificateId},"DoubleEncryption": %d{DoubleEncryption},"SSLInspection": %d{SSLInspection},"TotalBytesProcessed": %d{TotalBytesProcessed},"InspectionControls": [%j(,){InspectionControlArray}],"InspectionControlTypes": [%j(,){ControlTypeArray}],"InspectionControlCategories": [%j(,){InspectionControlCategories}],"Actions": [%j(,){Actions}],"Severities": [%j(,){SeveritiesArray}],"Descriptions": [%j(,){DescriptiveExplanationsArray}],"EventType": "app-protection"}\n + ``` + + 10. 
**Private Cloud Controller Status** + ``` + {"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"SessionType": %j{SessionType},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"Platform": %j{Platform},"ZEN": %j{ZEN},"PrivateCloudController":%j{PrivateCloudController},"PrivateCloudControllerGroup":%j{PrivateCloudControllerGroup},"PrivateIP":%j{PrivateIP},"PublicIP":%j{PublicIP},"PackageVersion": %j{PackageVersion},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"CPUUtilization": %d{CPUUtilization},"MemUtilization": %d{MemUtilization},"InterfaceDefRoute": %j{InterfaceDefRoute},"DefRouteGW": %j{DefRouteGW},"PrimaryDNSResolver": %j{PrimaryDNSResolver},"HostUpTime": %j{HostUpTime},"PrivateCloudControllerStartTime": %j{PrivateCloudControllerStartTime},"NumOfInterfaces": %d{NumOfInterfaces},"BytesRxInterface": %d{BytesRxInterface},"PacketsRxInterface": %d{PacketsRxInterface},"ErrorsRxInterface": %d{ErrorsRxInterface},"DiscardsRxInterface": %d{DiscardsRxInterface},"BytesTxInterface": %d{BytesTxInterface},"PacketsTxInterface": %d{PacketsTxInterface},"ErrorsTxInterface": %d{ErrorsTxInterface},"DiscardsTxInterface": %d{DiscardsTxInterface},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx},"MicroTenantID": %j{MicroTenantID},"EventType": "private-cloud-controller-status"}\n + ``` + + 11. 
**Private Cloud Controller Metrics** + ``` + {"LogTimestamp":%j{LogTimestamp:time},"PrivateCloudController":%j{PrivateCloudController},"CPUUtilization":%d{CPUUtilization},"SystemMemoryUtilization":%j{SystemMemoryUtilization},"ProcessMemoryUtilization":%j{ProcessMemoryUtilization},"UsedTCPPortsIPv4":%j{UsedTCPPortsIPv4},"UsedUDPPortsIPv4":%j{UsedUDPPortsIPv4},"UsedTCPPortsIPv6":%j{UsedTCPPortsIPv6},"UsedUDPPortsIPv6":%j{UsedUDPPortsIPv6},"AvailablePorts":%j{AvailablePorts},"SystemMaximumFileDescriptors":%j{SystemMaximumFileDescriptors},"SystemUsedFileDescriptors":%j{SystemUsedFileDescriptors},"ProcessMaximumFileDescriptors":%j{ProcessMaximumFileDescriptors},"ProcessUsedFileDescriptors":%j{ProcessUsedFileDescriptors},"AvailableDiskBytes":%j{AvailableDiskBytes},"EventType": "private-cloud-controller-metrics"}\n + ``` + + 12. **Microsegmentation Flow** + ``` + {"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"AgentID": %j{AgentID},"AgentName": %j{AgentName},"ResourceID": %j{ResourceID},"ResourceName": %j{ResourceName},"AppZoneID": %j{AppZoneID},"AppName": %j{AppName},"AppZoneName": %j{AppZoneName},"ConnectionStartTime": %j{ConnectionStartTime},"SourceIP": %j{SourceIP},"DestinationIP": %j{DestinationIP},"SourcePorts": %j{SourcePorts},"DestinationPort": %j{DestinationPort},"Protocol": %j{Protocol},"AppExecutablePath": %j{AppExecutablePath},"Direction": %j{Direction},"PolicyID": %j{PolicyID},"PolicyName": %j{PolicyName},"EnforcementReason": %j{EnforcementReason},"EnforcementAction": %j{EnforcementAction},"EnforcementDisposition": %j{EnforcementDisposition},"EventType": "microsegmentation"}\n + ``` + + +#### Validation + +[Run the Agent's status subcommand][2] and look for `zscaler_private_access` under the Checks section. 
+ +## Data Collected + +### Logs + +The Zscaler Private Access integration collects and forwards User Activity, User Status, App Connector Metrics, App Connector Status, Private Service Edge Metrics, Private Service Edge Status, Browser Access, Audit Logs, AppProtection, Private Cloud Controller Status, Private Cloud Controller Metrics, Microsegmentation Flow logs to Datadog. + +### Metrics + +The Zscaler Private Access integration does not include any metrics. + +### Events + +The Zscaler Private Access integration does not include any events. + +## Troubleshooting + +### Permission denied while port binding + +If you see a **Permission denied** error while port binding in the Agent logs: + + 1. Binding to a port number under 1024 requires elevated permissions. Grant access to the port using the `setcap` command: + + ```shell + sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent + ``` + + 2. Verify the setup is correct by running the `getcap` command: + + ```shell + sudo getcap /opt/datadog-agent/bin/agent/agent + ``` + + With the expected output: + + ```shell + /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep + ``` + + **Note**: Re-run this `setcap` command every time you upgrade the Agent. + + 3. [Restart the Agent][1]. + +### Data is not being collected + +Ensure firewall settings allow traffic through the configured port. + +### Port already in use + +On systems running Syslog, the Agent may fail to bind to port 514 and display the following error: + + `Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use` + +This error occurs because Syslog uses port 514 by default. + +To resolve: + - Disable Syslog, OR + - Configure the Agent to listen on a different, available port. + +## Support + +For further assistance, contact [Datadog support][3]. 
+
+[1]: https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent
+[2]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information
+[3]: https://docs.datadoghq.com/help/
+[4]: https://www.zscaler.com/products-and-solutions/zscaler-private-access
+[5]: https://docs.datadoghq.com/agent/guide/integration-management/?tab=linux#install
+[6]: https://github.com/DataDog/integrations-core/blob/master/zscaler_private_access/datadog_checks/zscaler_private_access/data/conf.yaml.example
diff --git a/zscaler_private_access/assets/configuration/spec.yaml b/zscaler_private_access/assets/configuration/spec.yaml
new file mode 100644
index 0000000000000..04265686fa960
--- /dev/null
+++ b/zscaler_private_access/assets/configuration/spec.yaml
@@ -0,0 +1,9 @@
+name: Zscaler Private Access
+files:
+- name: zscaler_private_access.yaml
+ options:
+ - template: logs
+ example:
+ - type: tcp
+ port:
+ source: zscaler-private-access
diff --git a/zscaler_private_access/assets/dashboards/zscaler_private_access_app_connector.json b/zscaler_private_access/assets/dashboards/zscaler_private_access_app_connector.json
new file mode 100644
index 0000000000000..e7d04f833686d
--- /dev/null
+++ b/zscaler_private_access/assets/dashboards/zscaler_private_access_app_connector.json
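Review bot: The shipped example in `spec.yaml` is a bare `type: tcp` listener with no transport protection, and the README in this same change (step 4 of "Configure log receiver from Zscaler Private Access") tells operators to point ZPA at the Agent's public IP or hostname with "TLS Encryption: Keep it disabled"; the log formats it prescribes carry usernames, SAML attributes, client private and public IPs, PRA credential user names and audit old/new values, so those records would cross the network in cleartext, and any peer that can reach the port could presumably push forged lines into the `zscaler-private-access` pipeline since the input has no authentication. The rendered conf.yaml.example should at least state the compensating control, wherever the spec tooling lets a comment through, e.g. `# ZPA streams these logs unencrypted: restrict this port to App Connector egress IPs (host firewall / security group) or receive over private connectivity only.`, and the README's "Keep it disabled" line should explain that this is an Agent limitation rather than a recommendation. Separately, `port:` renders with an empty value here; that is presumably a `<PORT>` placeholder stripped by markup in this view, but confirm the committed file still carries it, since an empty port would not produce a usable listener.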
@@ -0,0 +1,1768 @@ +{ + "title": "Zscaler Private Access - App Connector", + "description": "This dashboard provides a comprehensive view of ZPA App Connector operations. It highlights session activity, authentication outcomes, and resource utilization, while surfacing error and discard patterns for deeper reliability insights. It also offers visibility into connector performance and geographic distribution to ensure secure, efficient, and scalable application access.", + "widgets": [ + { + "id": 891368449757820, + "definition": { + "type": "image", + "url": "/static/images/integration_dashboard/zscaler_hero_1.png", + "url_dark_theme": "/static/images/integration_dashboard/zscaler_hero_1.png", + "sizing": "fill", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 5878470006369139, + "definition": { + "type": "note", + "content": "[Zscaler Private Access](https://www.zscaler.com/products-and-solutions/zscaler-private-access) securely enables user access to internal applications without the need for traditional VPNs.\n\nThis dashboard provides a comprehensive view of ZPA App Connector operations. It highlights session activity, authentication outcomes, and resource utilization, while surfacing error and discard patterns for deeper reliability insights. 
It also offers visibility into connector performance and geographic distribution to ensure secure, efficient, and scalable application access.\n\nFor more information, see the [Zscaler Private Access Integration Documentation](https://docs.datadoghq.com/integrations/zscaler_private_access/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 7125547913913074, + "definition": { + "title": "Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5032928274059882, + "definition": { + "title": "Total App Connector Sessions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status $session_status $connector $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#a2c2e8" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 4382007853301117, + "definition": { + "title": "App Connector Sessions over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + 
"legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status $session_status $connector $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 1812666371849421, + "definition": { + "title": "Successful Authenticated Sessions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status @SessionStatus:ZPN_STATUS_AUTHENTICATED $session_status $connector $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 4, + "height": 3 + } + }, + { + "id": 91288232130013, + "definition": { + "title": "Failed Authenticated Sessions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access 
service:app-connector-status @SessionStatus:ZPN_STATUS_AUTH_FAILED $session_status $connector $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 4, + "y": 3, + "width": 4, + "height": 3 + } + }, + { + "id": 3180849138334354, + "definition": { + "title": "Disconnected Sessions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status @SessionStatus:ZPN_STATUS_DISCONNECTED $session_status $connector $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 8, + "y": 3, + "width": 4, + "height": 3 + } + }, + { + "id": 8193814113506325, + "definition": { + "title": "Session Status Trends", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status $session_status $connector $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@SessionStatus", + 
"limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 6, + "width": 12, + "height": 4 + } + }, + { + "id": 961925961857013, + "definition": { + "title": "Geo Location by App Connectors Events", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status $session_status $connector $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "asc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 10, + "width": 12, + "height": 4 + } + }, + { + "id": 1879732464864201, + "definition": { + "title": "App Connectors Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zscaler-private-access service:app-connector-status $session_status $connector $client_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": 
"timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 14, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 19 + } + }, + { + "id": 6340593920563496, + "definition": { + "title": "Resource Utilization", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6644954232514904, + "definition": { + "title": "Average Memory Usage (%) over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Average Memory Usage", + "number_format": {}, + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status $session_status $connector $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@MemUtilization" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 5119059317411102, + "definition": { + "title": "Average CPU Usage (%) over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Average CPU Usage", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": 
"source:zscaler-private-access service:app-connector-status $session_status $connector $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@CPUUtilization" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 3218046358336654, + "definition": { + "title": "Top App Connectors by Average Memory Utilization (%)", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status $session_status $client_ip $connector" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Connector", + "limit": 10, + "sort": { + "aggregation": "avg", + "order": "desc", + "metric": "@MemUtilization" + } + } + ], + "compute": { + "aggregation": "avg", + "metric": "@MemUtilization" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 192988203298888, + "definition": { + "title": "Top App Connectors by Average CPU Utilization (%)", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status $session_status $client_ip $connector" + }, + 
"indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Connector", + "limit": 10, + "sort": { + "aggregation": "avg", + "order": "desc", + "metric": "@CPUUtilization" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "avg", + "metric": "@CPUUtilization" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 22, + "width": 12, + "height": 9 + } + }, + { + "id": 6821690874014614, + "definition": { + "title": "Network Performance", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2385488840169558, + "definition": { + "title": "Total Errors Received vs Transmitted", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Errors Received", + "formula": "query1" + }, + { + "alias": "Errors Transmitted", + "formula": "query2" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status $session_status $client_ip $connector" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@ErrorsRxInterface" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status $session_status $client_ip $connector" + }, + "indexes": [ 
+ "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@ErrorsTxInterface" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 3344842079543799, + "definition": { + "title": "Total Discards Received vs Transmitted", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Discards Received", + "formula": "query1" + }, + { + "alias": "Discards Transmitted", + "formula": "query2" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status $session_status $client_ip $connector" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@DiscardsRxInterface" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status $session_status $client_ip $connector" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@DiscardsTxInterface" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 7996548351178715, + "definition": { + "title": "Total Bytes Received vs Transmitted", + "title_size": "16", + "title_align": "left", + "show_legend": true, + 
"legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Bytes Received", + "formula": "query1", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "byte_in_binary_bytes_family" + } + } + }, + { + "alias": "Bytes Transmitted", + "formula": "query2", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "byte_in_binary_bytes_family" + } + } + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status $session_status $client_ip $connector" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@TotalBytesRx" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status $session_status $client_ip $connector" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@TotalBytesTx" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 1345457135210817, + "definition": { + "title": "Packets Received vs Transmitted", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Packets Received", + "formula": "query1" + }, + { + "alias": "Packets Transmitted", + "formula": "query2" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { 
+ "query": "source:zscaler-private-access service:app-connector-status $session_status $client_ip $connector" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@PacketsRxInterface" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status $session_status $client_ip $connector" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@PacketsTxInterface" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 31, + "width": 12, + "height": 9 + } + }, + { + "id": 7326345616845119, + "definition": { + "title": "Connector and Traffic Distribution Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 3145333619128777, + "definition": { + "title": "Platform Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status -@Platform:\"\" $session_status $client_ip $connector" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Platform", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "order_by": [ + { + "type": "formula", + "index": 0, + 
"order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 8215664946099595, + "definition": { + "title": "Most Used Primary DNS Resolvers", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status -@PrimaryDNSResolver:\"\" $session_status $connector $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@PrimaryDNSResolver", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1", + "number_format": {} + } + ], + "sort": { + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 1989692762104031, + "definition": { + "title": "Top App Connectors", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status $session_status $connector $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Connector", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + 
"type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 4, + "height": 4 + } + }, + { + "id": 5791038705849434, + "definition": { + "title": "Top ZPA Public Service Edges (ZEN)", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status $session_status $client_ip $connector" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ZEN", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 4, + "y": 5, + "width": 4, + "height": 4 + } + }, + { + "id": 1330309194118740, + "definition": { + "title": "Top Connector Groups", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-status $session_status $connector $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ConnectorGroup", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + 
"formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 8, + "y": 5, + "width": 4, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 40, + "width": 12, + "height": 10 + } + }, + { + "id": 1983178833227816, + "definition": { + "title": "App Connector Metrics Analytics", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8520080526008370, + "definition": { + "title": "App Connector Summary", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zscaler-private-access service:app-connector-metrics (@TargetCount:* OR @AliveTargetCount:*) $session_status $connector $client_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "@Connector", + "width": "auto" + }, + { + "field": "@AppCount", + "width": "auto" + }, + { + "field": "@ServiceCount", + "width": "auto" + }, + { + "field": "@TargetCount", + "width": "auto" + }, + { + "field": "@AliveTargetCount", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 4 + } + }, + { + "id": 3870468281450910, + "definition": { + "title": "Average Available Disk over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "byte_in_bits_family" + } + }, + "alias": "Average 
Available Disk", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-metrics $session_status $client_ip $connector" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@AvailableDiskBytes" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 1648197336847155, + "definition": { + "title": "Total Available Ports over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Available Ports", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-connector-metrics $session_status $client_ip $connector" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@AvailablePorts" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 2013996446559285, + "definition": { + "title": "App Connector Metrics details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zscaler-private-access service:app-connector-metrics 
$session_status $connector $client_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 50, + "width": 12, + "height": 13 + } + } + ], + "template_variables": [ + { + "name": "client_ip", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "connector", + "prefix": "@Connector", + "available_values": [], + "default": "*" + }, + { + "name": "session_status", + "prefix": "@SessionStatus", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/zscaler_private_access/assets/dashboards/zscaler_private_access_app_protection.json b/zscaler_private_access/assets/dashboards/zscaler_private_access_app_protection.json new file mode 100644 index 0000000000000..ddae7c35c0e1e --- /dev/null +++ b/zscaler_private_access/assets/dashboards/zscaler_private_access_app_protection.json 
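Review bot: The "Average Available Disk over Time" widget in the "App Connector Metrics Analytics" group formats `@AvailableDiskBytes` with `"unit_name": "byte_in_bits_family"`, so the chart will label byte values as bits; the byte widgets earlier in the same file ("Total Bytes Received vs Transmitted") use `"unit_name": "byte_in_binary_bytes_family"`, which is the consistent choice and a one-line change. The two toplists in "Resource Utilization" also disagree on missing facets: "Top App Connectors by Average CPU Utilization (%)" sets `"should_exclude_missing": true` on the `@Connector` group-by while "Top App Connectors by Average Memory Utilization (%)" and "Top App Connectors" do not, so logs without a `@Connector` field would surface as an unnamed bucket in one list but not the other. Aligning all three on `"should_exclude_missing": true` keeps the side-by-side panels comparable. The file also ends with `\ No newline at end of file`, which is worth fixing for consistency with the rest of the repository.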
@@ -0,0 +1,1785 @@ +{ + "title": "Zscaler Private Access - App Protection", + "description": "This dashboard provides deep visibility into App Protection traffic, policy enforcement, and inspection outcomes.\nIt highlights user activity, client IPs, HTTP methods, domains, and error patterns to identify potential risks.\nIt also tracks bytes processed, inspection efficiency, and protection events to ensure secure and optimized application access.", + "widgets": [ + { + "id": 6964485386392803, + "definition": { + "type": "image", + "url": "/static/images/integration_dashboard/zscaler_hero_1.png", + "url_dark_theme": "/static/images/integration_dashboard/zscaler_hero_1.png", + "sizing": "fill", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 890382830237354, + "definition": { + "type": "note", + "content": "[Zscaler Private Access](https://www.zscaler.com/products-and-solutions/zscaler-private-access) securely enables user access to internal applications without the need for traditional VPNs.\n\nThis dashboard provides deep visibility into App Protection traffic, policy enforcement, and inspection outcomes.\nIt highlights user activity, client IPs, HTTP methods, domains, and error patterns to identify potential risks.\nIt also tracks bytes processed, inspection efficiency, and protection events to ensure secure and optimized application access.\n\nFor more information, see the [Zscaler Private Access Integration Documentation](https://docs.datadoghq.com/integrations/zscaler_private_access/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + 
"tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 3969985649099231, + "definition": { + "title": "Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4971609672425044, + "definition": { + "title": "Total App Protection Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#a2c2e8" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 3759491169828111, + "definition": { + "title": "App Protection Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": 
"solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 4274973314149706, + "definition": { + "title": "Connections by Location", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "asc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 4 + } + }, + { + "id": 6400460107935468, + "definition": { + "title": "App Protection Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zscaler-private-access service:app-protection $user $method $client_ip $application", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 7, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 12 + } + }, + { + "id": 
5723167218762465, + "definition": { + "title": "User & Client Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 896587305756745, + "definition": { + "title": "Most Active Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.id", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 4107000905355594, + "definition": { + "title": "Most Active Client IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { 
+ "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 3551494081531973, + "definition": { + "title": "Total Bytes Processed over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "byte_in_binary_bytes_family" + } + }, + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@TotalBytesProcessed" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 5, + "width": 12, + "height": 5 + } + } + ] + }, + "layout": { + "x": 0, + "y": 15, + "width": 12, + "height": 11 + } + }, + { + "id": 8946924444467351, + "definition": { + "title": "Domain & Traffic Performance Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6193976403849737, + "definition": { + "title": "Connections by HTTP Method", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection $user 
$method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@http.method", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 5896610453134954, + "definition": { + "title": "Top Domains", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Domain", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 3384516036995269, + "definition": { + "title": "Response Receive Duration over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + 
"requests": [ + { + "formulas": [ + { + "alias": "Response Receive Duration", + "formula": "default_zero(query1)", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "microsecond" + } + } + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@TotalTimeResponseReceive" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 3 + } + }, + { + "id": 6189208631370311, + "definition": { + "title": "Response Transmit Duration over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Response Transmit Duration", + "formula": "default_zero(query1)", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "microsecond" + } + } + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@TotalTimeResponseTransmit" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 3 + } + }, + { + "id": 1955522053532754, + "definition": 
{ + "title": "Request Receive Duration over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Request Receive Duration", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "microsecond" + } + }, + "formula": "default_zero(query1)" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@TotalTimeRequestReceive" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 8, + "width": 6, + "height": 3 + } + }, + { + "id": 3300127427960472, + "definition": { + "title": "Request Transmit Duration over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Request Transmit Duration", + "formula": "default_zero(query1)", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "microsecond" + } + } + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@TotalTimeRequestTransmit" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": 
"dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 8, + "width": 6, + "height": 3 + } + }, + { + "id": 423800383208275, + "definition": { + "title": "Top Hosts", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Host", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 5, + "height": 5 + } + }, + { + "id": 518450342014754, + "definition": { + "title": "Error Status Code Distribution over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "4xx", + "formula": "query3" + }, + { + "number_format": {}, + "alias": "5xx", + "formula": "query4" + } + ], + "queries": [ + { + "name": "query3", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection @http.status_code:4* $method $client_ip $application $user" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" 
+ }, + { + "name": "query4", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection @http.status_code:5* $method $client_ip $application $user" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 5, + "y": 11, + "width": 7, + "height": 5 + } + }, + { + "id": 6989451542925943, + "definition": { + "title": "Connections by HTTP Error", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@HTTPError", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 16, + "width": 4, + "height": 3 + } + }, + { + "id": 3980373094684741, + "definition": { + "title": "HTTP Error Connections over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Events", + "formula": "query1" + } + 
], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@HTTPError", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 4, + "y": 16, + "width": 8, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 26, + "width": 12, + "height": 20 + } + }, + { + "id": 2698726300899189, + "definition": { + "title": "Security & Inspection Analytics", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2971509675218997, + "definition": { + "title": "Connections by Inspection Policy", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@InspectionPolicy", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + 
"layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 4370232774267037, + "definition": { + "title": "Connections by Inspection Profile", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@InspectionProfile", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 3555210253770549, + "definition": { + "title": "DoubleEncryption On vs Off", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Off", + "formula": "query1" + }, + { + "number_format": {}, + "alias": "On", + "formula": "query2" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection @DoubleEncryption:0 $application $client_ip $method $user" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access 
service:app-protection @DoubleEncryption:1 $application $client_ip $method $user" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 0, + "y": 5, + "width": 12, + "height": 4 + } + }, + { + "id": 3167832844749494, + "definition": { + "title": "Connections with Paranoia Level: 1", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "number_format": {} + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection @ParanoiaLevel:1 $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#a2c2e8" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 3, + "height": 2 + } + }, + { + "id": 5354966877947183, + "definition": { + "title": "Connections with Paranoia Level: 2", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection @ParanoiaLevel:2 $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + 
"response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#a2c2e8" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 3, + "y": 9, + "width": 3, + "height": 2 + } + }, + { + "id": 4106451209645774, + "definition": { + "title": "Connection Trends by Paranoia Level", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ParanoiaLevel", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 9, + "width": 6, + "height": 4 + } + }, + { + "id": 1564642362997609, + "definition": { + "title": "Connections with Paranoia Level: 3", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection @ParanoiaLevel:3 $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + 
"storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#a2c2e8" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 3, + "height": 2 + } + }, + { + "id": 683833198931845, + "definition": { + "title": "Connections with Paranoia Level: 4", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:app-protection @ParanoiaLevel:4 $user $method $client_ip $application" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#a2c2e8" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 3, + "y": 11, + "width": 3, + "height": 2 + } + } + ] + }, + "layout": { + "x": 0, + "y": 46, + "width": 12, + "height": 14 + } + } + ], + "template_variables": [ + { + "name": "application", + "prefix": "@Application", + "available_values": [], + "default": "*" + }, + { + "name": "client_ip", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "method", + "prefix": "@http.method", + "available_values": [], + "default": "*" + }, + { + "name": "user", + "prefix": "@usr.id", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file 
diff --git a/zscaler_private_access/assets/dashboards/zscaler_private_access_audit.json b/zscaler_private_access/assets/dashboards/zscaler_private_access_audit.json new file mode 100644 index 0000000000000..86f6852388fe0 --- /dev/null +++ b/zscaler_private_access/assets/dashboards/zscaler_private_access_audit.json 
@@ -0,0 +1,1059 @@ +{ + "title": "Zscaler Private Access - Audit", + "description": "This dashboard provides a comprehensive overview of audit and authentication events, capturing user and object activity across the system. It offers insights into login trends, failed sign-in attempts, operation types, and component lifecycle events.", + "widgets": [ + { + "id": 2287840428293463, + "definition": { + "type": "image", + "url": "/static/images/integration_dashboard/zscaler_hero_1.png", + "url_dark_theme": "/static/images/integration_dashboard/zscaler_hero_1.png", + "sizing": "fill", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 7329297442266607, + "definition": { + "type": "note", + "content": "[Zscaler Private Access](https://www.zscaler.com/products-and-solutions/zscaler-private-access) securely enables user access to internal applications without the need for traditional VPNs.\n\nThis dashboard provides a comprehensive overview of audit and authentication events, capturing user and object activity across the system. 
It offers insights into login trends, failed sign-in attempts, operation types, and component lifecycle events.\n\nFor more information, see the [Zscaler Private Access Integration Documentation](https://docs.datadoghq.com/integrations/zscaler_private_access/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 6953883627525775, + "definition": { + "title": "Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1144361365321586, + "definition": { + "title": "Total Audit Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:audit-logs $operation_type $component_type $user" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#a2c2e8" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 5489044405770046, + "definition": { + "title": "Audit Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + 
], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:audit-logs $operation_type $component_type $user" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 3916373607149624, + "definition": { + "title": "Audit Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zscaler-private-access service:audit-logs $operation_type $component_type $user", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 8 + } + }, + { + "id": 6163084823934900, + "definition": { + "title": "Authentication Activity Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4250451585773080, + "definition": { + "title": "Total Login Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access 
service:audit-logs @AuditOperationType:\"Sign In\" $operation_type $component_type $user" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 3297504906962720, + "definition": { + "title": "Total Failed Sign-In Attempts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:audit-logs @AuditOperationType:\"Sign In Failure\" $operation_type $component_type $user" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 3, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 1698968350819802, + "definition": { + "title": "Top Users with Failed Sign-In", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:audit-logs @AuditOperationType:\"Sign In Failure\" $operation_type $component_type $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + 
"aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 2501771341609516, + "definition": { + "title": "Total Sign Out Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:audit-logs @AuditOperationType:\"Sign Out\" $operation_type $component_type $user" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 2, + "width": 3, + "height": 2 + } + }, + { + "id": 7651442332515662, + "definition": { + "title": "Failed Sign-In attempts over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Failed Sign-In Attempts", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access 
service:audit-logs @AuditOperationType:\"Sign In Failure\" $operation_type $component_type $user" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 9 + } + }, + { + "id": 4317361116433287, + "definition": { + "title": "User & Component Activity Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2603807294368378, + "definition": { + "title": "Most Active Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:audit-logs $operation_type $component_type $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 7650941917631902, + "definition": { + "title": "Activity by Operation Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": 
"query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:audit-logs $operation_type $component_type $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@AuditOperationType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 4066285610509719, + "definition": { + "title": "Most Active Components", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:audit-logs $operation_type $component_type $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ObjectType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 8828891224256650, + "definition": { + "title": "Most Inactive Components", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": 
"query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:audit-logs $operation_type $component_type $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ObjectType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "asc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "asc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 3981627312060813, + "definition": { + "title": "Most Created Components", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:audit-logs @AuditOperationType:Create $operation_type $component_type $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ObjectType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 4, + "height": 4 + } + }, + { + "id": 7482416046861936, + "definition": { + "title": "Most Updated Components", + "title_size": "16", + 
"title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:audit-logs @AuditOperationType:Update $operation_type $component_type $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ObjectType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 4, + "y": 8, + "width": 4, + "height": 4 + } + }, + { + "id": 3653276032121677, + "definition": { + "title": "Most Deleted Components", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:audit-logs @AuditOperationType:Delete $operation_type $component_type $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ObjectType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 8, + "y": 8, + "width": 4, + "height": 4 + } + } + 
] + }, + "layout": { + "x": 0, + "y": 20, + "width": 12, + "height": 13, + "is_column_break": true + } + } + ], + "template_variables": [ + { + "name": "component_type", + "prefix": "@ObjectType", + "available_values": [], + "default": "*" + }, + { + "name": "operation_type", + "prefix": "@AuditOperationType", + "available_values": [], + "default": "*" + }, + { + "name": "user", + "prefix": "@usr.email", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/zscaler_private_access/assets/dashboards/zscaler_private_access_browser_access.json b/zscaler_private_access/assets/dashboards/zscaler_private_access_browser_access.json new file mode 100644 index 0000000000000..8eb04ee04b48d --- /dev/null +++ b/zscaler_private_access/assets/dashboards/zscaler_private_access_browser_access.json 
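Review bot: The "Most Inactive Components" toplist (id 8828891224256650) cannot show what its title promises: it ranks `@ObjectType` by ascending audit-event count, and a toplist built from log counts only lists object types that produced at least one event in the selected window, so components with zero activity never appear in it. Retitling it `"title": "Least Active Components",` describes the widget accurately; a true inactive-components view would need a reference inventory of components to diff against, which this dashboard does not carry. Separately, the "Audit Event Details" list stream sets `"indexes": []` while every other query in this file uses `"indexes": ["*"]`; if those are not equivalent for `logs_stream`, audit events routed to a non-default index would still be counted in the widgets above but drop out of the detail view, so I would spell it `["*"]` for consistency. The same `[]` vs `["*"]` split appears in the browser-access dashboard that follows this file.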
@@ -0,0 +1,1492 @@ +{ + "title": "Zscaler Private Access - Browser Access", + "description": "This dashboard provides a comprehensive view of Browser Access activity within Zscaler Private Access. It delivers insights into request volumes, application performance, and connection reliability, highlighting status codes, latency, and server responsiveness. It also tracks top users, and client sources to support visibility, troubleshooting, and capacity planning.", + "widgets": [ + { + "id": 1343750825869805, + "definition": { + "type": "image", + "url": "/static/images/integration_dashboard/zscaler_hero_1.png", + "url_dark_theme": "/static/images/integration_dashboard/zscaler_hero_1.png", + "sizing": "fill", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 5474352824489633, + "definition": { + "type": "note", + "content": "[Zscaler Private Access](https://www.zscaler.com/products-and-solutions/zscaler-private-access) securely enables user access to internal applications without the need for traditional VPNs.\n\nThis dashboard provides a comprehensive view of Browser Access activity within Zscaler Private Access. It delivers insights into request volumes, application performance, and connection reliability, highlighting status codes, latency, and server responsiveness. 
It also tracks top users, and client sources to support visibility, troubleshooting, and capacity planning.\n\nFor more information, see the [Zscaler Private Access Integration Documentation](https://docs.datadoghq.com/integrations/zscaler_private_access/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 5176679995355606, + "definition": { + "title": "Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4431934108964578, + "definition": { + "title": "Total Browser Requests", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:browser-access $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#a2c2e8" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 7654444106427964, + "definition": { + "title": "Browser Requests over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + 
"value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:browser-access $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 3224618223838373, + "definition": { + "title": "Geo Location by Events", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:browser-access $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "asc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 5 + } + }, + { + "id": 3185263542405538, + "definition": { + "title": "Browser Access Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + 
"query": { + "data_source": "logs_stream", + "query_string": "source:zscaler-private-access service:browser-access $method $client_ip $status_code $user", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 13 + } + }, + { + "id": 6271744129303765, + "definition": { + "title": "HTTP Request Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1330611993000358, + "definition": { + "title": "Requests Method Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:browser-access $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@http.method", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 7242898683234470, + "definition": { + "title": "Requests Status Code Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": 
"query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:browser-access $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@http.status_code", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 222669099187979, + "definition": { + "title": "Error Status Code Distribution over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "4xx", + "formula": "query3" + }, + { + "number_format": {}, + "alias": "5xx", + "formula": "query4" + } + ], + "queries": [ + { + "name": "query3", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:browser-access @http.status_code:4* $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + }, + { + "name": "query4", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:browser-access @http.status_code:5* $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + 
"order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 0, + "y": 5, + "width": 12, + "height": 4 + } + }, + { + "id": 7852103342278206, + "definition": { + "title": "HTTP Protocol Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:browser-access $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Protocol", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 6, + "height": 5 + } + }, + { + "id": 4392215091355462, + "definition": { + "title": "Connection Status Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:browser-access $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ConnectionStatus", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + 
"order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 9, + "width": 6, + "height": 5 + } + }, + { + "id": 8008009400069177, + "definition": { + "title": "HTTP Error Requests (4xx & 5xx) Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zscaler-private-access service:browser-access @http.status_code:(4* OR 5*) $method $client_ip $status_code $user", + "indexes": [ + "*" + ], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "@ConnectionID", + "width": "auto" + }, + { + "field": "@usr.id", + "width": "auto" + }, + { + "field": "@Protocol", + "width": "auto" + }, + { + "field": "@Host", + "width": "auto" + }, + { + "field": "@http.url", + "width": "auto" + }, + { + "field": "@http.method", + "width": "auto" + }, + { + "field": "@http.status_code", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 14, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 16, + "width": 12, + "height": 19 + } + }, + { + "id": 1102327411828911, + "definition": { + "title": "Applications & User Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 9002332907890605, + "definition": { + "title": "Top Applications by Requests", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:browser-access $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Host", + "limit": 10, + "sort": { + "aggregation": "count", + 
"order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 8586043763981470, + "definition": { + "title": "Top Applications by Response Size over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "time": {}, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "byte_in_binary_bytes_family" + } + } + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:browser-access $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Host", + "limit": 10, + "sort": { + "aggregation": "sum", + "order": "desc", + "metric": "@ResponseSize" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "sum", + "metric": "@ResponseSize" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 4 + } + }, + { + "id": 5696600664981974, + "definition": { + "title": "Top URLs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ 
+ { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:browser-access $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@http.url", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 7828491358418629, + "definition": { + "title": "Top Users by Requests", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:browser-access $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.id", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 4371504833444858, + "definition": { + "title": "Top Client Public IPs", + 
"title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:browser-access $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 3529285395649114, + "definition": { + "title": "Top User Agents", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:browser-access $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@http.useragent", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": 
{ + "x": 0, + "y": 35, + "width": 12, + "height": 13 + } + }, + { + "id": 1707264209378304, + "definition": { + "title": "Performance Analytics", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7076707476933086, + "definition": { + "title": "Average Request Size over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "time": {}, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "byte_in_binary_bytes_family" + } + }, + "alias": "Average Request Size", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:browser-access $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@RequestSize" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 8614283096104270, + "definition": { + "title": "Average Response Size over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "time": {}, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "byte_in_binary_bytes_family" + } + }, + "alias": "Average Response Size", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + 
"search": { + "query": "source:zscaler-private-access service:browser-access $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@ResponseSize" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 5034607050834047, + "definition": { + "title": "Average Server Response Duration over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "time": {}, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "microsecond" + } + }, + "alias": "Average Server Response Duration", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:browser-access $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@TotalTimeServerResponse" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 3 + } + }, + { + "id": 2630571880849427, + "definition": { + "title": "Average Connection Setup Duration over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "time": {}, + 
"type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "microsecond" + } + }, + "alias": "Average Connection Setup Duration", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:browser-access $method $client_ip $status_code $user" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@TotalTimeConnectionSetup" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 48, + "width": 12, + "height": 7 + } + } + ], + "template_variables": [ + { + "name": "client_ip", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "method", + "prefix": "@http.method", + "available_values": [], + "default": "*" + }, + { + "name": "status_code", + "prefix": "@http.status_code", + "available_values": [], + "default": "*" + }, + { + "name": "user", + "prefix": "@usr.id", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/zscaler_private_access/assets/dashboards/zscaler_private_access_microsegmentation.json b/zscaler_private_access/assets/dashboards/zscaler_private_access_microsegmentation.json new file mode 100644 index 0000000000000..6c06e62c0781c --- /dev/null +++ b/zscaler_private_access/assets/dashboards/zscaler_private_access_microsegmentation.json 
@@ -0,0 +1,1423 @@ +{ + "title": "Zscaler Private Access - Microsegmentation", + "description": "This dashboard provides a high-level view of microsegmentation events captured by Zscaler Private Access. It offers insights into connection activity, enforcement actions, traffic direction, and protocol usage across users and IPs. It also highlights policy compliance, blocked or allowed connections, and geographical distribution for proactive access and security management.", + "widgets": [ + { + "id": 1441866348237035, + "definition": { + "type": "image", + "url": "/static/images/integration_dashboard/zscaler_hero_1.png", + "url_dark_theme": "/static/images/integration_dashboard/zscaler_hero_1.png", + "sizing": "fill", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 7008863632237482, + "definition": { + "type": "note", + "content": "[Zscaler Private Access](https://www.zscaler.com/products-and-solutions/zscaler-private-access) securely enables user access to internal applications without the need for traditional VPNs.\n\nThis dashboard provides a high-level view of microsegmentation events captured by Zscaler Private Access. It offers insights into connection activity, enforcement actions, traffic direction, and protocol usage across users and IPs. 
It also highlights policy compliance, blocked or allowed connections, and geographical distribution for proactive access and security management.\n\nFor more information, see the [Zscaler Private Access Integration Documentation](https://docs.datadoghq.com/integrations/zscaler_private_access/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 8482951667592440, + "definition": { + "title": "Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7943759648774814, + "definition": { + "title": "Total Microsegmentation Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#a2c2e8" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 7502847038179825, + "definition": { + "title": "Microsegmentation Events over Time", + "title_size": "16", + "title_align": "left", + 
"show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 2546568404286024, + "definition": { + "title": "Top Events by IP Address", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 6 + } 
+ }, + { + "id": 1187434635706962, + "definition": { + "title": "HTTP Protocol Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ProtocolName", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 6 + } + }, + { + "id": 2446890855274094, + "definition": { + "title": "Geo Location by Microsegmentation Events", + "title_size": "16", + "title_align": "left", + "time": {}, + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": 
"asc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 12, + "height": 4 + } + }, + { + "id": 8129183516975238, + "definition": { + "title": "Microsegmentation Connection Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zscaler-private-access service:microsegmentation $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 13, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 18 + } + }, + { + "id": 3280069157058942, + "definition": { + "title": "Microsegmentation Traffic & Events", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 699349633756386, + "definition": { + "title": "Inbound Microsegmentation connections", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation @Direction:INBOUND $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": 
"custom_bg", + "custom_bg_color": "#a2c2e8" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 7054401417767095, + "definition": { + "title": "Microsegmentation Flow Direction Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Direction", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 4 + } + }, + { + "id": 6258754492626639, + "definition": { + "title": "Outbound Microsegmentation connections", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation @Direction:OUTBOUND $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": 
"default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#a2c2e8" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 4, + "height": 2 + } + }, + { + "id": 6082800650795131, + "definition": { + "title": "Top Events by Agent", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@AgentName", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 2716577985740900, + "definition": { + "title": "Most Events by App Zone", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@AppZoneName", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + 
"aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 4, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 7994783190785340, + "definition": { + "title": "Most Events by Policy", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@PolicyName", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 8, + "y": 4, + "width": 4, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 21, + "width": 12, + "height": 9, + "is_column_break": true + } + }, + { + "id": 8454922994105803, + "definition": { + "title": "Enforcement & Policy Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2622020692489875, + "definition": { + "title": "Enforcement Action: Allowed", + "title_size": "16", + 
"title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation @EnforcementAction:ALLOW $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 2 + } + }, + { + "id": 4106927971254054, + "definition": { + "title": "Connections by Enforcement Reason", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@EnforcementReason", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 3730087106925599, + "definition": { + "title": "Enforcement Action: 
Sim Blocked", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation @EnforcementAction:SIMBLOCK $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 2, + "width": 3, + "height": 2 + } + }, + { + "id": 8273084480360066, + "definition": { + "title": "Enforcement Action: Blocked", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation @EnforcementAction:BLOCK $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 3, + "y": 2, + "width": 3, + "height": 2 + } + }, + { + "id": 368610172437018, + "definition": { + "title": "Enforcement Decision: Connected", + "title_size": "16", + "title_align": "left", + "type": 
"query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation @EnforcementDisposition:CONNECTED $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 2 + } + }, + { + "id": 5726080410508722, + "definition": { + "title": "Enforcement Decision: Dropped", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation @EnforcementDisposition:DROPPED $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 4, + "y": 4, + "width": 4, + "height": 2 + } + }, + { + "id": 5757065848133724, + "definition": { + "title": "Enforcement Decision: Rejected", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": 
"scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation @EnforcementDisposition:REJECTED $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 8, + "y": 4, + "width": 4, + "height": 2 + } + }, + { + "id": 8876735266945933, + "definition": { + "title": "Connection Trends by Enforcement Action", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@EnforcementAction", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 6, + "width": 6, + "height": 4 + } + }, + { + "id": 790365250111275, + "definition": { + "title": "Connection 
Trends by Enforcement Decision", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:microsegmentation $direction $enforcement_action $enforcement_disposition $enforcement_reason $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@EnforcementDisposition", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 6, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 30, + "width": 12, + "height": 11 + } + } + ], + "template_variables": [ + { + "name": "direction", + "prefix": "@Direction", + "available_values": [], + "default": "*" + }, + { + "name": "enforcement_action", + "prefix": "@EnforcementAction", + "available_values": [], + "default": "*" + }, + { + "name": "enforcement_disposition", + "prefix": "@EnforcementDisposition", + "available_values": [], + "default": "*" + }, + { + "name": "enforcement_reason", + "prefix": "@EnforcementReason", + "available_values": [], + "default": "*" + }, + { + "name": "client_ip", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file 
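Review bot: Three grouped widgets in this dashboard omit `"should_exclude_missing": true` on their `group_by` entry — "Microsegmentation Flow Direction Over Time" (facet `@Direction`), "Top Events by Agent" (facet `@AgentName`) and "Connection Trends by Enforcement Decision" (facet `@EnforcementDisposition`) — while every other facet grouping in the file sets it, so these three can show an extra bucket for logs that lack the facet. Adding `"should_exclude_missing": true` after the `sort` block of each of those `group_by` objects keeps the behaviour consistent across the dashboard. Separately, the fixed-scope counters such as "Inbound Microsegmentation connections" and "Enforcement Action: Allowed" combine a hard filter (`@Direction:INBOUND`, `@EnforcementAction:ALLOW`) with the `$direction` / `$enforcement_action` template variables, so selecting a different value in the variable makes the query contradictory and the counter reads 0; that is presumably intended, but worth confirming. Minor style point: the "Inbound/Outbound Microsegmentation connections" titles use a lowercase "connections" while every other widget title in the file is in title case.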
diff --git a/zscaler_private_access/assets/dashboards/zscaler_private_access_overview.json b/zscaler_private_access/assets/dashboards/zscaler_private_access_overview.json new file mode 100644 index 0000000000000..a5299b4bf4419 --- /dev/null +++ b/zscaler_private_access/assets/dashboards/zscaler_private_access_overview.json 
@@ -0,0 +1,1013 @@ +{ + "title": "Zscaler Private Access - Overview", + "description": "This dashboard provides a high level summary of User Activity, User Status, App Connector Metrics, App Connector Status, Private Service Edge Metrics, Private Service Edge Status, Browser Access, Audit Logs, AppProtection, Private Cloud Controller Status, Private Cloud Controller Metrics, and Microsegmentation Flow Events.", + "widgets": [ + { + "id": 7125643406844386, + "definition": { + "type": "image", + "url": "/static/images/integration_dashboard/zscaler_hero_1.png", + "url_dark_theme": "/static/images/integration_dashboard/zscaler_hero_1.png", + "sizing": "fill", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 3256290989636507, + "definition": { + "title": "Monitors Summary", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 965793608225288, + "definition": { + "title": "Monitors Summary", + "type": "manage_status", + "display_format": "countsAndList", + "color_preference": "text", + "hide_zero_counts": true, + "show_status": true, + "last_triggered_format": "relative", + "query": "tag:(source:zscaler-private-access)", + "sort": "status,asc", + "count": 50, + "start": 0, + "summary_type": "monitors", + "show_priority": false, + "show_last_triggered": false + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 5 + } + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 6 + } + }, + { + "id": 4745891787092245, + "definition": { + "type": "note", + "content": "[Zscaler Private Access](https://www.zscaler.com/products-and-solutions/zscaler-private-access) securely enables user access to internal applications without the need for traditional VPNs.\n\nThis dashboard provides a high level summary of User Activity, User 
Status, App Connector Metrics, App Connector Status, Private Service Edge Metrics, Private Service Edge Status, Browser Access, Audit Logs, AppProtection, Private Cloud Controller Status, Private Cloud Controller Metrics, and Microsegmentation Flow Events.\n\nFor more information, see the [Zscaler Private Access Integration Documentation](https://docs.datadoghq.com/integrations/zscaler_private_access/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 3 + } + }, + { + "id": 3693037323375817, + "definition": { + "title": "Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5504589634385092, + "definition": { + "title": "Total Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:* $service $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#a2c2e8" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 7604562402594212, + "definition": { + "title": "Events over Time", + "title_size": "16", + "title_align": "left", + 
"show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:* $service $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 7479659147591682, + "definition": { + "title": "Events Distribution by Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access $service $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "service", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 5 + } + }, + { + "id": 668393279536434, + "definition": { + "title": "Top Client IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + 
"data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:* $service $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 6, + "height": 5 + } + }, + { + "id": 3017230613118317, + "definition": { + "title": "Top Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:* $service $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 6, + "height": 5 + } + }, + { + "id": 7533146382006737, + "definition": { + "title": "Geo Distribution by Events", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", 
+ "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:* $service $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "asc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 13, + "width": 12, + "height": 5 + } + }, + { + "id": 8890627102191583, + "definition": { + "title": "Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zscaler-private-access service:* $service $user $client_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 18, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 6, + "width": 12, + "height": 23 + } + }, + { + "id": 3615701416052831, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 3193514603591756, + "definition": { + "type": "note", + "content": "\nDatadog Cloud SIEM analyzes and correlates **Zscaler Private Access** events to detect threats to your environment in real time. 
If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security). ", + "background_color": "vivid_blue", + "font_size": "14", + "text_align": "center", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 6090197662307071, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:zscaler-private-access status:critical" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 5089511983751957, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:zscaler-private-access status:high" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 5738785642448906, + "definition": { + "title": 
"Critical Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:zscaler-private-access status:critical" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 1693133031653888, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:zscaler-private-access status:medium" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 8759866499729432, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#ffb52b", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + 
"formula": "default_zero(query1)" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:zscaler-private-access status:low" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 6532631773773983, + "definition": { + "title": "High Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:zscaler-private-access status:high" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 1673632181947035, + "definition": { + "title": "Medium Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": 
"source:zscaler-private-access status:medium" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 29, + "width": 12, + "height": 10 + } + } + ], + "template_variables": [ + { + "name": "client_ip", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "service", + "prefix": "service", + "available_values": [], + "default": "*" + }, + { + "name": "user", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/zscaler_private_access/assets/dashboards/zscaler_private_access_private_cloud_controller.json b/zscaler_private_access/assets/dashboards/zscaler_private_access_private_cloud_controller.json new file mode 100644 index 0000000000000..3f442d792a19f --- /dev/null +++ b/zscaler_private_access/assets/dashboards/zscaler_private_access_private_cloud_controller.json 
@@ -0,0 +1,1740 @@ +{ + "title": "Zscaler Private Access - Private Cloud Controller", + "description": "This dashboard provides deep visibility into Private Cloud Controller performance within Zscaler Private Access. It monitors session activity, authentication success and failures, and controller health metrics to ensure reliable connectivity. It also highlights service edge distribution, platform usage, and traffic trends for complete operational insight.", + "widgets": [ + { + "id": 1961792818509994, + "definition": { + "type": "image", + "url": "/static/images/integration_dashboard/zscaler_hero_1.png", + "url_dark_theme": "/static/images/integration_dashboard/zscaler_hero_1.png", + "sizing": "fill", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 5021474982481610, + "definition": { + "type": "note", + "content": "[Zscaler Private Access](https://www.zscaler.com/products-and-solutions/zscaler-private-access) securely enables user access to internal applications without the need for traditional VPNs.\n\nThis dashboard provides deep visibility into Private Cloud Controller performance within Zscaler Private Access. It monitors session activity, authentication success and failures, and controller health metrics to ensure reliable connectivity. 
It also highlights service edge distribution, platform usage, and traffic trends for complete operational insight.\n\nFor more information, see the [Zscaler Private Access Integration Documentation](https://docs.datadoghq.com/integrations/zscaler_private_access/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 5976238208494930, + "definition": { + "title": "Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1567327849263225, + "definition": { + "title": "Total Private Cloud Controller Sessions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status $session_status $private_cloud_controller $private_cloud_controller_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#a2c2e8" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 1341192703274461, + "definition": { + "title": "Private Cloud Controller Sessions over Time", + "title_size": "16", + "title_align": "left", + 
"show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status $session_status $private_cloud_controller $private_cloud_controller_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 4 + } + }, + { + "id": 1404374106486312, + "definition": { + "title": "Successful Authenticated Sessions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status @SessionStatus:ZPN_STATUS_AUTHENTICATED $session_status $private_cloud_controller $private_cloud_controller_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 3 + } + }, + { + "id": 8447158411714081, + "definition": { + "title": "Failed Authenticated Sessions", + 
"title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status @SessionStatus:ZPN_STATUS_AUTH_FAILED $session_status $private_cloud_controller $private_cloud_controller_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 4, + "y": 4, + "width": 4, + "height": 3 + } + }, + { + "id": 5500555186424243, + "definition": { + "title": "Disconnected Sessions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status @SessionStatus:ZPN_STATUS_DISCONNECTED $session_status $private_cloud_controller $private_cloud_controller_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 8, + "y": 4, + "width": 4, + "height": 3 + } + }, + { + "id": 8759380268764007, + "definition": { + "title": "Session Status Trends", + "title_size": "16", + "title_align": "left", + 
"show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status $session_status $private_cloud_controller $private_cloud_controller_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@SessionStatus", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 0, + "y": 7, + "width": 12, + "height": 4 + } + }, + { + "id": 6207501621010372, + "definition": { + "title": "Geo Location by Private Cloud Controller", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status $session_status $private_cloud_controller $private_cloud_controller_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "asc" + } + ] + } + } + 
], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 5 + } + }, + { + "id": 6090377110968438, + "definition": { + "title": "Private Cloud Controller Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zscaler-private-access service:private-cloud-controller-status $session_status $private_cloud_controller $private_cloud_controller_group $platform", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 16, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 21 + } + }, + { + "id": 1024704070445987, + "definition": { + "title": "Resource Utilization", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2324998161669248, + "definition": { + "title": "Average CPU Usage (%) over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Average CPU Usage", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status $session_status $private_cloud_controller $private_cloud_controller_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@CPUUtilization" + }, + "storage": "hot" + 
} + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 5706778661510028, + "definition": { + "title": "Average Memory Usage (%) over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Average Memory Usage", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status $session_status $private_cloud_controller $private_cloud_controller_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@MemUtilization" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 4901388262645240, + "definition": { + "title": "Top Private Cloud Controllers by Average CPU Utilization (%)", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status $session_status $platform $private_cloud_controller $private_cloud_controller_group" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@PrivateCloudController", + "limit": 10, + "sort": { + "aggregation": "avg", + "order": "desc", + "metric": "@CPUUtilization" + }, + 
"should_exclude_missing": true + } + ], + "compute": { + "aggregation": "avg", + "metric": "@CPUUtilization" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 7771245750386886, + "definition": { + "title": "Top Private Cloud Controllers by Average Memory Utilization (%)", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status $session_status $platform $private_cloud_controller $private_cloud_controller_group" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@PrivateCloudController", + "limit": 10, + "sort": { + "aggregation": "avg", + "order": "desc", + "metric": "@MemUtilization" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "avg", + "metric": "@MemUtilization" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 24, + "width": 12, + "height": 9 + } + }, + { + "id": 3454173074771827, + "definition": { + "title": "Network Performance", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + 
"layout_type": "ordered", + "widgets": [ + { + "id": 3438396908594456, + "definition": { + "title": "Total Errors Received vs Transmitted", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Errors Received", + "formula": "query1" + }, + { + "alias": "Errors Transmitted", + "formula": "query2" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status $session_status $platform $private_cloud_controller $private_cloud_controller_group" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@ErrorsRxInterface" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status $session_status $platform $private_cloud_controller $private_cloud_controller_group" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@ErrorsTxInterface" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 644445915643373, + "definition": { + "title": "Total Discards Received vs Transmitted", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Discards Received", + "formula": "query1" + }, + { + "alias": "Discards 
Transmitted", + "formula": "query2" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status $session_status $platform $private_cloud_controller $private_cloud_controller_group" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@DiscardsRxInterface" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $platform $private_cloud_controller $private_cloud_controller_group" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@DiscardsTxInterface" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 1070542532711837, + "definition": { + "title": "Total Bytes Received vs Transmitted", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Bytes Received", + "formula": "query1", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "byte_in_bits_family" + } + } + }, + { + "alias": "Bytes Transmitted", + "formula": "query2", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "byte_in_bits_family" + } + } + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status $session_status $platform $private_cloud_controller 
$private_cloud_controller_group" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@TotalBytesRx" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $platform $private_cloud_controller $private_cloud_controller_group" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@TotalBytesTx" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 5946294867545441, + "definition": { + "title": "Packets Received vs Transmitted", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Packets Received", + "formula": "query1" + }, + { + "alias": "Packets Transmitted", + "formula": "query2" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status $session_status $platform $private_cloud_controller $private_cloud_controller_group" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@PacketsRxInterface" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status $session_status $platform $private_cloud_controller $private_cloud_controller_group" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + 
"aggregation": "sum", + "metric": "@PacketsTxInterface" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 33, + "width": 12, + "height": 9 + } + }, + { + "id": 8727671628916146, + "definition": { + "title": "Cloud Controllers & Traffic Distribution Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7371414351049206, + "definition": { + "title": "Platform Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status -@Platform:\"\" $session_status $private_cloud_controller $private_cloud_controller_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Platform", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 94742971073221, + "definition": { + "title": "Most Used Primary DNS Resolvers", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": 
"source:zscaler-private-access service:private-cloud-controller-status $session_status $platform $private_cloud_controller $private_cloud_controller_group" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@PrimaryDNSResolver", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 1293926137369389, + "definition": { + "title": "Top Private Cloud Controllers", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status $session_status $private_cloud_controller $private_cloud_controller_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@PrivateCloudController", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 4, + "height": 3 + } + }, + { + "id": 
748432765299950, + "definition": { + "title": "Top Private Cloud Controller Groups", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status $session_status $private_cloud_controller $private_cloud_controller_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@PrivateCloudControllerGroup", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 4, + "y": 5, + "width": 4, + "height": 3 + } + }, + { + "id": 2956578917620285, + "definition": { + "title": "Top ZPA Public Service Edges (ZEN)", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-status $session_status $private_cloud_controller $private_cloud_controller_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ZEN", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + 
"type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 8, + "y": 5, + "width": 4, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 42, + "width": 12, + "height": 9 + } + }, + { + "id": 443036734970018, + "definition": { + "title": "Private Cloud Controller Metrics Analytics", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7914802678420645, + "definition": { + "title": "Average Available Disk over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "byte_in_binary_bytes_family" + } + }, + "alias": "Average Available Disk", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-metrics $session_status $platform $private_cloud_controller $private_cloud_controller_group" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@AvailableDiskBytes" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 5529228847295350, + "definition": { + "title": "Total Available Ports over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + 
"type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Available Ports", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-cloud-controller-metrics $session_status $platform $private_cloud_controller $private_cloud_controller_group" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@AvailablePorts" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 5131012328286342, + "definition": { + "title": "Private Cloud Controller Metrics Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zscaler-private-access service:private-cloud-controller-metrics $session_status $private_cloud_controller $private_cloud_controller_group $platform", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 51, + "width": 12, + "height": 9 + } + } + ], + "template_variables": [ + { + "name": "platform", + "prefix": "@Platform", + "available_values": [], + "default": "*" + }, + { + "name": "private_cloud_controller", + "prefix": "@PrivateCloudController", + "available_values": [], + "default": "*" + }, + { + "name": "private_cloud_controller_group", + "prefix": "@PrivateCloudControllerGroup", + 
"available_values": [], + "default": "*" + }, + { + "name": "session_status", + "prefix": "@SessionStatus", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/zscaler_private_access/assets/dashboards/zscaler_private_access_private_service_edge.json b/zscaler_private_access/assets/dashboards/zscaler_private_access_private_service_edge.json new file mode 100644 index 0000000000000..eaf7f91d1c34b --- /dev/null +++ b/zscaler_private_access/assets/dashboards/zscaler_private_access_private_service_edge.json 
@@ -0,0 +1,1732 @@ +{ + "title": "Zscaler Private Access - Private Service Edge", + "description": "This dashboard provides a comprehensive view of Zscaler Private Access (ZPA) Private Service Edge activity and performance. It offers insights into user sessions, authentication trends, Private Service Edge health, traffic metrics, and resource utilization. It helps monitor errors, discards, topology, geo-distribution, and detailed event metrics for proactive troubleshooting and optimization.", + "widgets": [ + { + "id": 7458334389122165, + "definition": { + "type": "image", + "url": "/static/images/integration_dashboard/zscaler_hero_1.png", + "url_dark_theme": "/static/images/integration_dashboard/zscaler_hero_1.png", + "sizing": "fill", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 9006528127647102, + "definition": { + "type": "note", + "content": "[Zscaler Private Access](https://www.zscaler.com/products-and-solutions/zscaler-private-access) securely enables user access to internal applications without the need for traditional VPNs.\n\nThis dashboard provides a comprehensive view of Zscaler Private Access (ZPA) Private Service Edge activity and performance. It offers insights into user sessions, authentication trends, Private Service Edge health, traffic metrics, and resource utilization. 
It helps monitor errors, discards, topology, geo-distribution, and detailed event metrics for proactive troubleshooting and optimization.\n\nFor more information, see the [Zscaler Private Access Integration Documentation](https://docs.datadoghq.com/integrations/zscaler_private_access/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 1050767269988952, + "definition": { + "title": "Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 3217205110786844, + "definition": { + "title": "Total Private Service Edge Sessions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#a2c2e8" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 6046113600353979, + "definition": { + "title": "Private Service Edge Sessions over Time", + "title_size": "16", + "title_align": "left", + "show_legend": 
false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 6881868321260237, + "definition": { + "title": "Successful Authenticated Sessions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status @SessionStatus:ZPN_STATUS_AUTHENTICATED $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 4, + "height": 3 + } + }, + { + "id": 1472814155667291, + "definition": { + "title": "Failed Authenticated Sessions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + 
"requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status @SessionStatus:ZPN_STATUS_AUTH_FAILED $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 4, + "y": 3, + "width": 4, + "height": 3 + } + }, + { + "id": 240450441346588, + "definition": { + "title": "Disconnected Sessions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status @SessionStatus:ZPN_STATUS_DISCONNECTED $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 8, + "y": 3, + "width": 4, + "height": 3 + } + }, + { + "id": 7431885019414931, + "definition": { + "title": "Session Status Trends", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + 
"type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@SessionStatus", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 0, + "y": 6, + "width": 12, + "height": 4 + } + }, + { + "id": 5553801877826526, + "definition": { + "title": "Geo Location by Private Service Edges", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "asc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 10, + 
"width": 12, + "height": 4 + } + }, + { + "id": 7022437048906523, + "definition": { + "title": "Private Service Edge Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 14, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 19 + } + }, + { + "id": 8247656959435707, + "definition": { + "title": "Resource Utilization", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5777349091107229, + "definition": { + "title": "Average CPU Usage (%) over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Average CPU Usage", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@CPUUtilization" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { 
+ "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 3531863275640025, + "definition": { + "title": "Average Memory Usage (%) over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Average Memory Usage", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@MemUtilization" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 8808719207901330, + "definition": { + "title": "Top Private Service Edges by Average CPU Utilization (%)", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ServiceEdge", + "limit": 10, + "sort": { + "aggregation": "avg", + "order": "desc", + "metric": "@CPUUtilization" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "avg", + "metric": "@CPUUtilization" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": 
"formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 1967910054387764, + "definition": { + "title": "Top Private Service Edges by Average Memory Utilization (%)", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ServiceEdge", + "limit": 10, + "sort": { + "aggregation": "avg", + "order": "desc", + "metric": "@MemUtilization" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "avg", + "metric": "@MemUtilization" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 22, + "width": 12, + "height": 8 + } + }, + { + "id": 7028142182145320, + "definition": { + "title": "Network Performance", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4617535982472745, + "definition": { + "title": "Total Errors Received vs Transmitted", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + 
{ + "formulas": [ + { + "alias": "Errors Received", + "formula": "query1" + }, + { + "alias": "Errors Transmitted", + "formula": "query2" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@ErrorsRxInterface" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@ErrorsTxInterface" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 5805003643202869, + "definition": { + "title": "Total Discards Received vs Transmitted", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Discards Received", + "formula": "query1" + }, + { + "alias": "Discards Transmitted", + "formula": "query2" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@DiscardsRxInterface" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": 
"source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@DiscardsTxInterface" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 8414177635563354, + "definition": { + "title": "Total Bytes Received vs Transmitted", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Bytes Received", + "formula": "query1", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "byte_in_bits_family" + } + } + }, + { + "alias": "Bytes Transmitted", + "formula": "query2", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "byte_in_bits_family" + } + } + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@TotalBytesRx" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@TotalBytesTx" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": 
"datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 4139144707913070, + "definition": { + "title": "Packets Received vs Transmitted", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Packets Received", + "formula": "query1" + }, + { + "alias": "Packets Transmitted", + "formula": "query2" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@PacketsRxInterface" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@PacketsTxInterface" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 30, + "width": 12, + "height": 9 + } + }, + { + "id": 5448612783719408, + "definition": { + "title": "Service Edge & Traffic Distribution Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 
6528564929104337, + "definition": { + "title": "Platform Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status -@Platform:\"\" $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Platform", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 7908774789509455, + "definition": { + "title": "Most Used Primary DNS Resolvers", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status -@PrimaryDNSResolver:\"\" $session_status $platform $service_edge $service_edge_group" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@PrimaryDNSResolver", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1", + "number_format": {} + } + ], + "sort": { + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": 
"sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 4530302658188282, + "definition": { + "title": "Top Private Service Edges", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ServiceEdge", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 3 + } + }, + { + "id": 1112109243112788, + "definition": { + "title": "Top Private Service Edge Groups", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ServiceEdgeGroup", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + 
"count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 4, + "y": 4, + "width": 4, + "height": 3 + } + }, + { + "id": 2992157292570486, + "definition": { + "title": "Top ZPA Public Service Edges (ZEN)", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-status $session_status $service_edge $service_edge_group $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ZEN", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "number_format": {}, + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "none" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 8, + "y": 4, + "width": 4, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 39, + "width": 12, + "height": 8 + } + }, + { + "id": 8857700779880816, + "definition": { + "title": "Private Service Edge Metrics Analytics", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4178881396339083, + "definition": { + "title": "Average Available Disk over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + 
"formulas": [ + { + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "byte_in_binary_bytes_family" + } + }, + "alias": "Average Available Disk", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-metrics $session_status $platform $service_edge $service_edge_group" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@AvailableDiskBytes" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 8386337728278215, + "definition": { + "title": "Total Available Ports over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Available Ports", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:private-service-edge-metrics $session_status $platform $service_edge $service_edge_group" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@AvailablePorts" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 809317056714989, + "definition": { + "title": "Private Service Edge Metrics Details", + "title_size": "16", + 
"title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zscaler-private-access service:private-service-edge-metrics $session_status $service_edge $service_edge_group $platform", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 47, + "width": 12, + "height": 9 + } + } + ], + "template_variables": [ + { + "name": "platform", + "prefix": "@Platform", + "available_values": [], + "default": "*" + }, + { + "name": "service_edge", + "prefix": "@ServiceEdge", + "available_values": [], + "default": "*" + }, + { + "name": "service_edge_group", + "prefix": "@ServiceEdgeGroup", + "available_values": [], + "default": "*" + }, + { + "name": "session_status", + "prefix": "@SessionStatus", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/zscaler_private_access/assets/dashboards/zscaler_private_access_user_activity.json b/zscaler_private_access/assets/dashboards/zscaler_private_access_user_activity.json new file mode 100644 index 0000000000000..9488b3a223bd6 --- /dev/null +++ b/zscaler_private_access/assets/dashboards/zscaler_private_access_user_activity.json 
@@ -0,0 +1,2128 @@ +{ + "title": "Zscaler Private Access - User Activity", + "description": "This dashboard offers a high-level view of user-to-application connectivity within Zscaler Private Access. It tracks connection health, policy enforcement, top users and applications, and PRA events, giving clear visibility into performance, security, and access trends.", + "widgets": [ + { + "id": 5990805718115867, + "definition": { + "type": "image", + "url": "/static/images/integration_dashboard/zscaler_hero_1.png", + "url_dark_theme": "/static/images/integration_dashboard/zscaler_hero_1.png", + "sizing": "fill", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 4415658661839985, + "definition": { + "type": "note", + "content": "[Zscaler Private Access](https://www.zscaler.com/products-and-solutions/zscaler-private-access) securely enables user access to internal applications without the need for traditional VPNs.\n\nThis dashboard offers a high-level view of user-to-application connectivity within Zscaler Private Access. 
It tracks connection health, policy enforcement, top users and applications, and PRA events, giving clear visibility into performance, security, and access trends.\n\nFor more information, see the [Zscaler Private Access Integration Documentation](https://docs.datadoghq.com/integrations/zscaler_private_access/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 4279756954501861, + "definition": { + "title": "Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1781375572381878, + "definition": { + "title": "Total User Activity Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#a2c2e8" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 2948646781734016, + "definition": { + "title": "User Activity Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + 
"legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 4 + } + }, + { + "id": 1444657275896660, + "definition": { + "title": "User Activity Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zscaler-private-access service:user-activity $connection_status $client_zen $idp $platform $user $client_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 9 + } + }, + { + "id": 2509560761872868, + "definition": { + "title": "Connection and Server Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 705476856190724, + "definition": { + "title": "Open Connections", + "title_size": "16", + "title_align": "left", + "type": "query_value", + 
"requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity @ConnectionStatus:open $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 2425329446500665, + "definition": { + "title": "Connection Status over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ConnectionStatus", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 4 + } + }, + { + "id": 3786655704857730, + "definition": { + 
"title": "Closed Connections", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity @ConnectionStatus:close $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 3, + "height": 2 + } + }, + { + "id": 7363251032463231, + "definition": { + "title": "Connections by Policy", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity -@Policy:0 $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Policy", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 5 + } + }, + { + "id": 6974575905823248, + "definition": { + "title": "Connection by Internet Protocol", + "title_size": "16", + "title_align": "left", + "requests": [ + { + 
"response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@IPProtocolName", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 5 + } + }, + { + "id": 8837892387239169, + "definition": { + "title": "Geo distribution of Connections", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "asc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 12, + "height": 5 + } + }, + { + "id": 5520744858725132, + 
"definition": { + "title": "Average Server Setup Time", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "microsecond" + } + }, + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@ServerSetupTime" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 14, + "width": 3, + "height": 2 + } + }, + { + "id": 378392569757744, + "definition": { + "title": "Average Connection Setup/Server Setup Duration over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "microsecond" + } + }, + "alias": "Average Connection Setup Time", + "formula": "query1" + }, + { + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "microsecond" + } + }, + "alias": "Average Server Setup Time", + "formula": "query2" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@ConnectionSetupTime" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": 
"source:zscaler-private-access service:user-activity $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@ServerSetupTime" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 3, + "y": 14, + "width": 9, + "height": 4 + } + }, + { + "id": 7577857227175160, + "definition": { + "title": "Average Connection Setup Duration", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "microsecond" + } + } + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@ConnectionSetupTime" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 16, + "width": 3, + "height": 2 + } + }, + { + "id": 4760674185751337, + "definition": { + "title": "Top Connector Service Edge", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity -@ConnectorZEN:0 $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ConnectorZEN", + "limit": 10, + "sort": { + "aggregation": "count", + "order": 
"desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 18, + "width": 6, + "height": 5 + } + }, + { + "id": 5592575233014489, + "definition": { + "title": "Distribution by Connector Service Edge", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity -@ConnectorZEN:0 $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ConnectorZEN", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 18, + "width": 6, + "height": 5 + } + } + ] + }, + "layout": { + "x": 0, + "y": 12, + "width": 12, + "height": 24 + } + }, + { + "id": 8212703833540709, + "definition": { + "title": "Users and Application Details", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8890842792331803, + "definition": { + "title": "Top Users", + "title_size": "16", + "title_align": "left", + 
"type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 4005351112876616, + "definition": { + "title": "Most Active Client IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 
5762430348224466, + "definition": { + "title": "Top Hosts", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity -@Hostname:\"\" $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Hostname", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 5 + } + }, + { + "id": 805294105337498, + "definition": { + "title": "Top Platforms", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity -@Platform:\"\" $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Platform", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + 
"palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 5 + } + }, + { + "id": 5790733210110191, + "definition": { + "title": "Top Applications", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Application", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 10, + "width": 6, + "height": 5 + } + }, + { + "id": 4518770059705707, + "definition": { + "title": "Top AppGroups", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@AppGroup", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] 
+ } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 10, + "width": 6, + "height": 5 + } + }, + { + "id": 4561294879268170, + "definition": { + "title": "Distribution of Connections by IDP", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity -@Idp:0 $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Idp", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 15, + "width": 4, + "height": 4 + } + }, + { + "id": 8338104675350549, + "definition": { + "title": "DoubleEncryption On vs Off", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Off", + "formula": "query1" + }, + { + "number_format": {}, + "alias": "On", + "formula": "query2" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity @DoubleEncryption:0 $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { 
+ "aggregation": "count" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity @DoubleEncryption:1 $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 4, + "y": 15, + "width": 8, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 36, + "width": 12, + "height": 20 + } + }, + { + "id": 1886664095945125, + "definition": { + "title": "PRA (Privileged Remote Access) Monitoring", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6306438897428060, + "definition": { + "title": "Top Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@PRACredentialUserName", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 
6, + "height": 5 + } + }, + { + "id": 2173499428148616, + "definition": { + "title": "Distribution by console Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity -@PRAConsoleType:\"\" $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@PRAConsoleType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 5665223403171038, + "definition": { + "title": "Privileged Session Recording Status over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@PRARecordingStatus", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": 
"timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 0, + "y": 5, + "width": 12, + "height": 4 + } + }, + { + "id": 4720896012713861, + "definition": { + "title": "PRA Events by Shared Mode", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity -@PRASharedMode:\"\" $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@PRASharedMode", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 4, + "height": 4 + } + }, + { + "id": 3431870174259119, + "definition": { + "title": "Distribution by Credential Login Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity -@PRACredentialLoginType:\"\" $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@PRACredentialLoginType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + 
"storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 4, + "y": 9, + "width": 4, + "height": 4 + } + }, + { + "id": 6483298207101287, + "definition": { + "title": "Privileged Sessions by Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-activity $connection_status $client_zen $idp $platform $user $client_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@PRASessionType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 8, + "y": 9, + "width": 4, + "height": 4 + } + }, + { + "id": 7532675558482139, + "definition": { + "title": "PRA Error Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zscaler-private-access service:user-activity @PRAErrorStatus:* $connection_status $client_zen $idp $platform $user $client_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "@PRAConnectionID", + "width": "auto" + }, + 
{ + "field": "@PRACredentialLoginType", + "width": "auto" + }, + { + "field": "@PRACredentialUserName", + "width": "auto" + }, + { + "field": "@PRAErrorStatus", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 13, + "width": 12, + "height": 5 + } + }, + { + "id": 7276505236361556, + "definition": { + "title": "PRA Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zscaler-private-access service:user-activity @PRAConnectionID:* $connection_status $client_zen $idp $platform $user $client_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "@PRAConnectionID", + "width": "auto" + }, + { + "field": "@PRAConsoleType", + "width": "auto" + }, + { + "field": "@PRACredentialLoginType", + "width": "auto" + }, + { + "field": "@PRACredentialUserName", + "width": "auto" + }, + { + "field": "@PRAErrorStatus", + "width": "auto" + }, + { + "field": "@PRASessionType", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 18, + "width": 12, + "height": 5 + } + } + ] + }, + "layout": { + "x": 0, + "y": 56, + "width": 12, + "height": 24 + } + } + ], + "template_variables": [ + { + "name": "client_ip", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "client_zen", + "prefix": "@ClientZEN", + "available_values": [], + "default": "*" + }, + { + "name": "connection_status", + "prefix": "@ConnectionStatus", + "available_values": [], + "default": "*" + }, + { + "name": "idp", + "prefix": "@Idp", + "available_values": [], + "default": "*" + }, + { + "name": "platform", + "prefix": "@Platform", + "available_values": [], + "default": "*" + }, + { + "name": "user", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + } + ], + 
"layout_type": "ordered",
+ "notify_list": [],
+ "reflow_type": "fixed"
+}
\ No newline at end of file
diff --git a/zscaler_private_access/assets/dashboards/zscaler_private_access_user_status.json b/zscaler_private_access/assets/dashboards/zscaler_private_access_user_status.json
new file mode 100644
index 0000000000000..d0b40084868d3
--- /dev/null
+++ b/zscaler_private_access/assets/dashboards/zscaler_private_access_user_status.json
@@ -0,0 +1,1798 @@ +{ + "title": "Zscaler Private Access - User Status", + "description": "This dashboard provides a comprehensive view of user sessions and security posture in Zscaler Private Access. It highlights session activity, authentication outcomes, data usage, client and platform distribution, FQDN errors, trusted network events, geographic trends, and policy compliance for proactive monitoring and access management.", + "widgets": [ + { + "id": 3353203326453554, + "definition": { + "type": "image", + "url": "/static/images/integration_dashboard/zscaler_hero_1.png", + "url_dark_theme": "/static/images/integration_dashboard/zscaler_hero_1.png", + "sizing": "fill", + "has_background": true, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 26051993057120, + "definition": { + "type": "note", + "content": "[Zscaler Private Access](https://www.zscaler.com/products-and-solutions/zscaler-private-access) securely enables user access to internal applications without the need for traditional VPNs.\n\nThis dashboard provides a comprehensive view of user sessions and security posture in Zscaler Private Access. 
It highlights session activity, authentication outcomes, data usage, client and platform distribution, FQDN errors, geographic trends, and policy compliance for proactive monitoring and access management.\n\nFor more information, see the [Zscaler Private Access Integration Documentation](https://docs.datadoghq.com/integrations/zscaler_private_access/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 8473043205136702, + "definition": { + "title": "Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7732980099134527, + "definition": { + "title": "Total User Status Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#a2c2e8" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 6322694901381869, + "definition": { + "title": "User Status Events over Time", + "title_size": "16", + "title_align": "left", + 
"show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 7784061281548731, + "definition": { + "title": "Geo distribution by Events", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "asc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 5 + } + }, + { + "id": 4556079964109430, + "definition": { + "title": "User Status Event 
Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:zscaler-private-access service:user-status $user $client_ip $hostname $client_type $platform", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 13 + } + }, + { + "id": 7968994980610701, + "definition": { + "title": "Authentication Activity Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 249619678268492, + "definition": { + "title": "Successful Authenticated Sessions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status @SessionStatus:ZPN_STATUS_AUTHENTICATED $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 1789094034466857, + "definition": { + "title": "Failed Authenticated Sessions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { 
+ "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status @SessionStatus:ZPN_STATUS_AUTH_FAILED $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 4, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 5695152224906551, + "definition": { + "title": "Disconnected Sessions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status @SessionStatus:ZPN_STATUS_DISCONNECTED $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 8, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 8031651602412847, + "definition": { + "title": "Session Status Trends", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": 
"source:zscaler-private-access service:user-status $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@SessionStatus", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 3 + } + }, + { + "id": 1177038879258834, + "definition": { + "title": "Top Users by Failed Authenticated Sessions", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status @SessionStatus:ZPN_STATUS_AUTH_FAILED $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 6, + "width": 6, + "height": 5 + } + }, + { + "id": 2723661466352862, + "definition": { + "title": "Top IPs by Failed Authenticated Session", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": 
{ + "query": "source:zscaler-private-access service:user-status @SessionStatus:ZPN_STATUS_AUTH_FAILED $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 6, + "width": 6, + "height": 5 + } + } + ] + }, + "layout": { + "x": 0, + "y": 16, + "width": 12, + "height": 12 + } + }, + { + "id": 8964212916570306, + "definition": { + "title": "Security & Compliance Posture", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8430584844687104, + "definition": { + "title": "Total Security Posture Hits", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@PosturesHitCount" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 
5222346678533396, + "definition": { + "title": "Top Users with Security Posture Miss", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "sum", + "order": "desc", + "metric": "@PosturesMissCount" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "sum", + "metric": "@PosturesMissCount" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "absolute" + } + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 4 + } + }, + { + "id": 2206959201687837, + "definition": { + "title": "Total Security Posture Misses", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@PosturesMissCount" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 4, + "height": 2 + } + }, + { + "id": 291411373404129, + 
"definition": { + "title": "Posture Miss Rate", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@PosturesMissCount" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@PosturesHitCount" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1) / (default_zero(query2) + default_zero(query1)) * 100", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "percent" + } + } + } + ], + "conditional_formats": [ + { + "comparator": "<", + "value": 50, + "palette": "black_on_light_red" + }, + { + "comparator": ">", + "value": 50, + "palette": "white_on_red" + }, + { + "comparator": "=", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 3, + "height": 3 + } + }, + { + "id": 8745982686370511, + "definition": { + "title": "Total Security Posture Hits/Misses over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Postures Hits", + "formula": "query1" + }, + { + "number_format": {}, + "alias": "Postures Misses", + 
"formula": "query2" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@PosturesHitCount" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@PosturesMissCount" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 3, + "y": 4, + "width": 9, + "height": 3 + } + }, + { + "id": 6886756428016954, + "definition": { + "title": "Top Security Posture Hits", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status -@PosturesHit:\"\" $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@PosturesHit", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "absolute" + } + }, + 
"layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 5 + } + }, + { + "id": 4915131416568003, + "definition": { + "title": "Top Missed Security Posture", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status -@PosturesMisses:\"\" $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@PosturesMisses", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "absolute" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 5 + } + } + ] + }, + "layout": { + "x": 0, + "y": 28, + "width": 12, + "height": 13 + } + }, + { + "id": 2917875695242394, + "definition": { + "title": "Network Activity Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1491417262314684, + "definition": { + "title": "Top Hosts", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status -@Hostname:\"\" $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Hostname", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + 
"should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "absolute" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 8615804626867847, + "definition": { + "title": "Top Platforms", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status -@Platform:\"\" $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Platform", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 982144769710290, + "definition": { + "title": "Total Bytes Transmitted over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": 
"byte_in_binary_bytes_family" + } + } + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@TotalBytesTx" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 3816477429859654, + "definition": { + "title": "Total Bytes Received over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "byte_in_binary_bytes_family" + } + } + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "sum", + "metric": "@TotalBytesRx" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 41, + "width": 12, + "height": 10 + } + }, + { + "id": 5215843163512376, + "definition": { + "title": "Session Distribution & Error Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": 
"ordered", + "widgets": [ + { + "id": 5426480837998159, + "definition": { + "title": "Session Distribution by Client Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@ClientType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 6791454873568563, + "definition": { + "title": "Distribution by IDP", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status @Idp:* -@Idp:(0 OR \"\") $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@Idp", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + 
"y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 1308134937011230, + "definition": { + "title": "Top FQDN Registration Errors", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status -@FQDNRegisteredError:(\"\" OR FQDN_MATCH) $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@FQDNRegisteredError", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "absolute" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 4113409094355886, + "definition": { + "title": "FQDN Registration Errors over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": {}, + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:zscaler-private-access service:user-status -@FQDNRegisteredError:(\"\" OR FQDN_MATCH) $user $client_ip $hostname $client_type $platform" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@FQDNRegisteredError", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + 
"should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ], + "markers": [] + }, + "layout": { + "x": 4, + "y": 4, + "width": 8, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 51, + "width": 12, + "height": 9 + } + } + ], + "template_variables": [ + { + "name": "client_ip", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "client_type", + "prefix": "@ClientType", + "available_values": [], + "default": "*" + }, + { + "name": "hostname", + "prefix": "@Hostname", + "available_values": [], + "default": "*" + }, + { + "name": "platform", + "prefix": "@Platform", + "available_values": [], + "default": "*" + }, + { + "name": "user", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/zscaler_private_access/assets/logs/zscaler-private-access.yaml b/zscaler_private_access/assets/logs/zscaler-private-access.yaml new file mode 100644 index 0000000000000..88ff0c532a425 --- /dev/null +++ b/zscaler_private_access/assets/logs/zscaler-private-access.yaml 
@@ -0,0 +1,843 @@ +id: zscaler-private-access +metric_id: zscaler-private-access +backend_only: false +facets: + - groups: + - Web Access + name: Method + path: http.method + source: log + - groups: + - Web Access + name: Status Code + path: http.status_code + source: log + - groups: + - Web Access + name: URL Path + path: http.url + source: log + - groups: + - Web Access + name: User-Agent + path: http.useragent + source: log + - groups: + - Web Access + name: Browser + path: http.useragent_details.browser.family + source: log + - groups: + - Web Access + name: Device + path: http.useragent_details.device.family + source: log + - groups: + - Web Access + name: OS + path: http.useragent_details.os.family + source: log + - groups: + - Web Access + name: Version + path: http.version + source: log + - groups: + - Geoip + name: City Name + path: network.client.geoip.city.name + source: log + - groups: + - Geoip + name: Continent Code + path: network.client.geoip.continent.code + source: log + - groups: + - Geoip + name: Continent Name + path: network.client.geoip.continent.name + source: log + - groups: + - Geoip + name: Country ISO Code + path: network.client.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Country Name + path: network.client.geoip.country.name + source: log + - groups: + - Geoip + name: Subdivision ISO Code + path: network.client.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Subdivision Name + path: network.client.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Client IP + path: network.client.ip + source: log + - groups: + - Web Access + name: Client Port + path: network.client.port + source: log + - groups: + - Geoip + name: Destination City Name + path: network.destination.geoip.city.name + source: log + - groups: + - Geoip + name: Destination Continent Code + path: network.destination.geoip.continent.code + source: log + - groups: + - Geoip + name: Destination Continent Name + 
path: network.destination.geoip.continent.name + source: log + - groups: + - Geoip + name: Destination Country ISO Code + path: network.destination.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Destination Country Name + path: network.destination.geoip.country.name + source: log + - groups: + - Geoip + name: Destination Subdivision ISO Code + path: network.destination.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Destination Subdivision Name + path: network.destination.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Destination IP + path: network.destination.ip + source: log + - groups: + - Web Access + name: Destination Port + path: network.destination.port + source: log + - groups: + - User + name: User Email + path: usr.email + source: log + - groups: + - User + name: User ID + path: usr.id + source: log + - groups: + - User + name: User Name + path: usr.name + source: log + +pipeline: + type: pipeline + name: Zscaler Private Access + enabled: true + filter: + query: source:zscaler-private-access + processors: + - type: service-remapper + name: Define `EventType` as the official service of the log + enabled: true + sources: + - EventType + - type: pipeline + name: Audit Logs + enabled: true + filter: + query: service:audit-logs + processors: + - type: attribute-remapper + name: Map `CreationTime` to `timestamp` + enabled: true + sources: + - CreationTime + sourceType: attribute + target: timestamp + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `ModifiedBy` to `usr.id` + enabled: true + sources: + - ModifiedBy + sourceType: attribute + target: usr.id + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `User` to `usr.email` + enabled: true + sources: + - User + sourceType: attribute + target: usr.email + targetType: attribute + preserveSource: false + 
overrideOnConflict: false + - type: pipeline + name: User Status + enabled: true + filter: + query: service:user-status + processors: + - type: attribute-remapper + name: Map `PublicIP` to `network.client.ip` + enabled: true + sources: + - PublicIP + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `Username` to `usr.name` + enabled: true + sources: + - Username + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: array-processor + name: Set `PosturesMissCount` as the array length of `PosturesMisses` + enabled: true + operation: + source: PosturesMisses + target: PosturesMissCount + type: length + - type: array-processor + name: Set `PosturesHitCount` as the array length of `PosturesHit` + enabled: true + operation: + source: PosturesHit + target: PosturesHitCount + type: length + - type: pipeline + name: App Protection + enabled: true + filter: + query: service:app-protection + processors: + - type: attribute-remapper + name: Map `ClientPublicIp` to `network.client.ip` + enabled: true + sources: + - ClientPublicIp + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `ClientPort` to `network.client.port` + enabled: true + sources: + - ClientPort + sourceType: attribute + target: network.client.port + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `UserID` to `usr.id` + enabled: true + sources: + - UserID + sourceType: attribute + target: usr.id + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `URL` to `http.url` + enabled: true + sources: + - URL + sourceType: attribute + target: http.url + targetType: attribute + 
preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `UserAgent` to `http.useragent` + enabled: true + sources: + - UserAgent + sourceType: attribute + target: http.useragent + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: user-agent-parser + name: Extracting useragent details from htttp.useragent + enabled: true + sources: + - http.useragent + target: http.useragent_details + encoded: false + combineVersionDetails: false + - type: attribute-remapper + name: Map `Method` to `http.method` + enabled: true + sources: + - Method + sourceType: attribute + target: http.method + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `ProtocolVersion` to `http.version` + enabled: true + sources: + - ProtocolVersion + sourceType: attribute + target: http.version + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `StatusCode` to `http.status_code` + enabled: true + sources: + - StatusCode + sourceType: attribute + target: http.status_code + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Browser Access + enabled: true + filter: + query: service:browser-access + processors: + - type: attribute-remapper + name: Map `ClientPublicIp` to `network.client.ip` + enabled: true + sources: + - ClientPublicIp + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `URL` to `http.url` + enabled: true + sources: + - URL + sourceType: attribute + target: http.url + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `UserAgent` to `http.useragent` + enabled: true + sources: + - UserAgent + sourceType: attribute + target: http.useragent + targetType: attribute + 
preserveSource: false + overrideOnConflict: false + - type: user-agent-parser + name: Extracting useragent details from htttp.useragent + enabled: true + sources: + - http.useragent + target: http.useragent_details + encoded: false + combineVersionDetails: false + - type: attribute-remapper + name: Map `Method` to `http.method` + enabled: true + sources: + - Method + sourceType: attribute + target: http.method + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `StatusCode` to `http.status_code` + enabled: true + sources: + - StatusCode + sourceType: attribute + target: http.status_code + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `NameID` to `usr.id` + enabled: true + sources: + - NameID + sourceType: attribute + target: usr.id + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: User Activity + enabled: true + filter: + query: service:user-activity + processors: + - type: attribute-remapper + name: Map `ClientPublicIP` to `network.client.ip` + enabled: true + sources: + - ClientPublicIP + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `ServerIP` to `network.destination.ip` + enabled: true + sources: + - ServerIP + sourceType: attribute + target: network.destination.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: geo-ip-parser + name: GeoIp Parser for `network.destination.ip` + enabled: true + sources: + - network.destination.ip + target: network.destination.geoip + ip_processing_behavior: do-nothing + - type: attribute-remapper + name: Map `ServerPort` to `network.destination.port` + enabled: true + sources: + - ServerPort + sourceType: attribute + target: network.destination.port + targetType: attribute + preserveSource: 
false + overrideOnConflict: false + - type: attribute-remapper + name: Map `Username` to `usr.name` + enabled: true + sources: + - Username + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - name: Lookup for `IPProtocol` to `IPProtocolName` field + enabled: true + source: IPProtocol + target: IPProtocolName + lookupTable: |- + 0,HOPOPT + 1,ICMP + 2,IGMP + 3,GGP + 4,IPv4 + 5,ST + 6,TCP + 7,CBT + 8,EGP + 9,IGP + 10,BBN-RCC-MON + 11,NVP-II + 12,PUP + 14,EMCON + 15,XNET + 16,CHAOS + 17,UDP + 18,MUX + 19,DCN-MEAS + 20,HMP + 21,PRM + 22,XNS-IDP + 23,TRUNK-1 + 24,TRUNK-2 + 25,LEAF-1 + 26,LEAF-2 + 27,RDP + 28,IRTP + 29,ISO-TP4 + 30,NETBLT + 31,MFE-NSP + 32,MERIT-INP + 33,DCCP + 34,3PC + 35,IDPR + 36,XTP + 37,DDP + 38,IDPR-CMTP + 39,TP++ + 40,IL + 41,IPv6 + 42,SDRP + 43,IPv6-Route + 44,IPv6-Frag + 45,IDRP + 46,RSVP + 47,GRE + 48,DSR + 49,BNA + 50,ESP + 51,AH + 52,I-NLSP + 54,NARP + 55,Min-IPv4 + 56,TLSP + 57,SKIP + 58,IPv6-ICMP + 59,IPv6-NoNxt + 60,IPv6-Opts + 62,CFTP + 64,SAT-EXPAK + 65,KRYPTOLAN + 66,RVD + 67,IPPC + 69,SAT-MON + 70,VISA + 71,IPCV + 72,CPNX + 73,CPHB + 74,WSN + 75,PVP + 76,BR-SAT-MON + 77,SUN-ND + 78,WB-MON + 79,WB-EXPAK + 80,ISO-IP + 81,VMTP + 82,SECURE-VMTP + 83,VINES + 84,IPTM + 85,NSFNET-IGP + 86,DGP + 87,TCF + 88,EIGRP + 89,OSPFIGP + 90,Sprite-RPC + 91,LARP + 92,MTP + 93,AX.25 + 94,IPIP + 96,SCC-SP + 97,ETHERIP + 98,ENCAP + 100,GMTP + 101,IFMP + 102,PNNI + 103,PIM + 104,ARIS + 105,SCPS + 106,QNX + 107,A/N + 108,IPComp + 109,SNP + 110,Compaq-Peer + 111,IPX-in-IP + 112,VRRP + 113,PGM + 115,L2TP + 116,DDX + 117,IATP + 118,STP + 119,SRP + 120,UTI + 121,SMP + 123,PTP + 124,ISIS over IPv4 + 125,FIRE + 126,CRTP + 127,CRUDP + 128,SSCOPMCE + 129,IPLT + 130,SPS + 131,PIPE + 132,SCTP + 133,FC + 134,RSVP-E2E-IGNORE + 135,Mobility Header + 136,UDPLite + 137,MPLS-in-IP + 138,manet + 139,HIP + 140,Shim6 + 141,WESP + 142,ROHC + 143,Ethernet + 144,AGGFRAG + 145,NSH + 146,Homa + 147,BIT-EMU + type: 
lookup-processor + - type: pipeline + name: Microsegmentation + enabled: true + filter: + query: service:microsegmentation + processors: + - type: attribute-remapper + name: Map `DestinationIP` to `network.destination.ip` + enabled: true + sources: + - DestinationIP + sourceType: attribute + target: network.destination.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: geo-ip-parser + name: GeoIp Parser for `network.destination.ip` + enabled: true + sources: + - network.destination.ip + target: network.destination.geoip + ip_processing_behavior: do-nothing + - name: Lookup for `Protocol` to `ProtocolName` field + enabled: true + source: Protocol + target: ProtocolName + lookupTable: |- + 0,HOPOPT + 1,ICMP + 2,IGMP + 3,GGP + 4,IPv4 + 5,ST + 6,TCP + 7,CBT + 8,EGP + 9,IGP + 10,BBN-RCC-MON + 11,NVP-II + 12,PUP + 14,EMCON + 15,XNET + 16,CHAOS + 17,UDP + 18,MUX + 19,DCN-MEAS + 20,HMP + 21,PRM + 22,XNS-IDP + 23,TRUNK-1 + 24,TRUNK-2 + 25,LEAF-1 + 26,LEAF-2 + 27,RDP + 28,IRTP + 29,ISO-TP4 + 30,NETBLT + 31,MFE-NSP + 32,MERIT-INP + 33,DCCP + 34,3PC + 35,IDPR + 36,XTP + 37,DDP + 38,IDPR-CMTP + 39,TP++ + 40,IL + 41,IPv6 + 42,SDRP + 43,IPv6-Route + 44,IPv6-Frag + 45,IDRP + 46,RSVP + 47,GRE + 48,DSR + 49,BNA + 50,ESP + 51,AH + 52,I-NLSP + 54,NARP + 55,Min-IPv4 + 56,TLSP + 57,SKIP + 58,IPv6-ICMP + 59,IPv6-NoNxt + 60,IPv6-Opts + 62,CFTP + 64,SAT-EXPAK + 65,KRYPTOLAN + 66,RVD + 67,IPPC + 69,SAT-MON + 70,VISA + 71,IPCV + 72,CPNX + 73,CPHB + 74,WSN + 75,PVP + 76,BR-SAT-MON + 77,SUN-ND + 78,WB-MON + 79,WB-EXPAK + 80,ISO-IP + 81,VMTP + 82,SECURE-VMTP + 83,VINES + 84,IPTM + 85,NSFNET-IGP + 86,DGP + 87,TCF + 88,EIGRP + 89,OSPFIGP + 90,Sprite-RPC + 91,LARP + 92,MTP + 93,AX.25 + 94,IPIP + 96,SCC-SP + 97,ETHERIP + 98,ENCAP + 100,GMTP + 101,IFMP + 102,PNNI + 103,PIM + 104,ARIS + 105,SCPS + 106,QNX + 107,A/N + 108,IPComp + 109,SNP + 110,Compaq-Peer + 111,IPX-in-IP + 112,VRRP + 113,PGM + 115,L2TP + 116,DDX + 117,IATP + 118,STP + 119,SRP + 120,UTI + 121,SMP 
+ 123,PTP + 124,ISIS over IPv4 + 125,FIRE + 126,CRTP + 127,CRUDP + 128,SSCOPMCE + 129,IPLT + 130,SPS + 131,PIPE + 132,SCTP + 133,FC + 134,RSVP-E2E-IGNORE + 135,Mobility Header + 136,UDPLite + 137,MPLS-in-IP + 138,manet + 139,HIP + 140,Shim6 + 141,WESP + 142,ROHC + 143,Ethernet + 144,AGGFRAG + 145,NSH + 146,Homa + 147,BIT-EMU + type: lookup-processor + - type: attribute-remapper + name: Map `SourceIP` to `network.client.ip` + enabled: true + sources: + - SourceIP + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `SourcePorts` to `network.client.port` + enabled: true + sources: + - SourcePorts + sourceType: attribute + target: network.client.port + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `DestinationPort` to `network.destination.port` + enabled: true + sources: + - DestinationPort + sourceType: attribute + target: network.destination.port + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: App Connector or Private Service Edge or Private Cloud Controller Status + enabled: true + filter: + query: service:app-connector-status OR service:private-service-edge-status OR + service:private-cloud-controller-status + processors: + - type: attribute-remapper + name: Map `PublicIP` to `network.client.ip` + enabled: true + sources: + - PublicIP + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: geo-ip-parser + name: GeoIp Parser for `network.client.ip` + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing + - type: grok-parser + name: Extract the `LogTimestamp` value from logs + enabled: true + source: LogTimestamp + samples: + - Wed Jul 30 10:06:01 2025 + - Fri May 6 11:40:00 2022 + grok: + 
supportRules: "" + matchRules: |- + date_1 %{date("EEE MMM dd HH:mm:ss yyyy"):timestamp} + date_2 %{date("EEE MMM d HH:mm:ss yyyy"):timestamp} + - type: date-remapper + name: Define `timestamp` as the official date of the log + enabled: true + sources: + - timestamp diff --git a/zscaler_private_access/assets/logs/zscaler-private-access_tests.yaml b/zscaler_private_access/assets/logs/zscaler-private-access_tests.yaml new file mode 100644 index 0000000000000..680b89e8c18b5 --- /dev/null +++ b/zscaler_private_access/assets/logs/zscaler-private-access_tests.yaml 
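Review bot: The Audit Logs sub-pipeline remaps `CreationTime` to `timestamp` but carries no `date-remapper`, and the only `date-remapper` in the file sits inside the connector/service-edge/controller status sub-pipeline, so audit events (admin sign-ins, policy and certificate changes) and every other non-status event type appear to be stamped with ingestion time rather than the event's own time — the test fixture that follows also shows `timestamp` only under `custom` — which shifts Cloud SIEM detection windows and forensic timelines by the LSS delivery lag; unless JSON preprocessing already promotes the remapped `timestamp` (I don't believe it does once inside a pipeline), add a date-remapper after the `CreationTime` mapping as below. Relatedly, the `geo-ip-parser` on `network.client.ip` runs only in the status sub-pipeline, so the user-status, user-activity, app-protection and browser-access client IPs — the ones geo-anomaly rules actually key on — will leave the `network.client.geoip.*` facets declared at the top of the file empty; if no upstream enrichment covers them, repeat the same `geo-ip-parser` step after each `network.client.ip` remapper. Minor: both `user-agent-parser` processors are named `htttp.useragent` (typo).

```yaml
  - type: pipeline
    name: Audit Logs
    enabled: true
    filter:
      query: service:audit-logs
    processors:
      # … unchanged: CreationTime -> timestamp, ModifiedBy -> usr.id, User -> usr.email remappers …
      - type: date-remapper
        name: Define `timestamp` as the official date of the log
        enabled: true
        sources:
          - timestamp
```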
@@ -0,0 +1,853 @@ +id: zscaler-private-access +tests: + - + sample: |- + { + "User" : "financeadmin@test.com", + "ClientAuditUpdate" : "0", + "RequestID" : "b11bb11b-2233-bbc2-223bc223456b", + "ObjectID" : "98765432100123457", + "EventType" : "audit-logs", + "AuditOperationType" : "Sign In", + "CustomerID" : 22345678901234567, + "ModifiedBy" : 99887766554433221, + "ObjectName" : "finance.test.com", + "ObjectType" : "Authentication", + "ModifiedTime" : "2025-08-28T07:02:15.000Z", + "AuditNewValue" : "{\"id\":\"98765432100123457\",\"name\":\"finance.test.com\",\"applicationId\":\"22312312312312301\",\"applicationPort\":\"8443\",\"applicationProtocol\":\"HTTPS\",\"certificateId\":\"20203040506070810\",\"domain\":\"finance.test.com\",\"enabled\":\"true\",\"hidden\":\"false\",\"path\":\"/portal\",\"portal\":\"true\",\"trustUntrustedCert\":\"false\"}", + "CreationTime" : "2025-08-28T07:02:15.000Z", + "AuditOldValue" : "" + } + result: + custom: + AuditNewValue: "{\"id\":\"98765432100123457\",\"name\":\"finance.test.com\",\"applicationId\":\"22312312312312301\",\"applicationPort\":\"8443\",\"applicationProtocol\":\"HTTPS\",\"certificateId\":\"20203040506070810\",\"domain\":\"finance.test.com\",\"enabled\":\"true\",\"hidden\":\"false\",\"path\":\"/portal\",\"portal\":\"true\",\"trustUntrustedCert\":\"false\"}" + AuditOldValue: "" + AuditOperationType: "Sign In" + ClientAuditUpdate: "0" + CustomerID: 22345678901234567 + EventType: "audit-logs" + ModifiedTime: "2025-08-28T07:02:15.000Z" + ObjectID: "98765432100123457" + ObjectName: "finance.test.com" + ObjectType: "Authentication" + RequestID: "b11bb11b-2233-bbc2-223bc223456b" + timestamp: "2025-08-28T07:02:15.000Z" + usr: + email: "financeadmin@test.com" + id: 99887766554433221 + message: |- + { + "User" : "financeadmin@test.com", + "ClientAuditUpdate" : "0", + "RequestID" : "b11bb11b-2233-bbc2-223bc223456b", + "ObjectID" : "98765432100123457", + "EventType" : "audit-logs", + "AuditOperationType" : "Sign In", + "CustomerID" 
: 22345678901234567, + "ModifiedBy" : 99887766554433221, + "ObjectName" : "finance.test.com", + "ObjectType" : "Authentication", + "ModifiedTime" : "2025-08-28T07:02:15.000Z", + "AuditNewValue" : "{\"id\":\"98765432100123457\",\"name\":\"finance.test.com\",\"applicationId\":\"22312312312312301\",\"applicationPort\":\"8443\",\"applicationProtocol\":\"HTTPS\",\"certificateId\":\"20203040506070810\",\"domain\":\"finance.test.com\",\"enabled\":\"true\",\"hidden\":\"false\",\"path\":\"/portal\",\"portal\":\"true\",\"trustUntrustedCert\":\"false\"}", + "CreationTime" : "2025-08-28T07:02:15.000Z", + "AuditOldValue" : "" + } + service: "audit-logs" + tags: + - "source:LOGS_SOURCE" + timestamp: 1756364535000 + - + sample: |- + { + "Connector" : "Seattle App Connector 1", + "SessionType" : "ZPN_ASSISTANT_BROKER_CONTROL", + "ZEN" : "US-NY-8179", + "TotalBytesRx" : 10902554, + "Platform" : "el7", + "TotalBytesTx" : 48931771, + "Customer" : "Safe March", + "PublicIP" : "52.224.237.221", + "EventType" : "app-connector-status", + "MicroTenantID" : "145257480799129312", + "Latitude" : 47.0, + "TimestampUnAuthentication" : "", + "HostStartTime" : "1513229995", + "ServiceCount" : 2, + "CPUUtilization" : 1, + "MemUtilization" : 20, + "ErrorsRxInterface" : 0, + "PacketsTxInterface" : 1797471190, + "Version" : "19.20.3", + "SessionStatus" : "ZPN_STATUS_AUTHENTICATED", + "InterfaceDefRoute" : "eth0", + "DiscardsRxInterface" : 0, + "CountryCode" : "US", + "PacketsRxInterface" : 1617569938, + "DefRouteGW" : "10.0.0.1", + "BytesTxInterface" : 192958782635, + "ErrorsTxInterface" : 0, + "TimestampAuthentication" : "2019-06-27T05:05:23.348Z", + "PrimaryDNSResolver" : "168.63.129.16", + "NumOfInterfaces" : 2, + "BytesRxInterface" : 319831966346, + "Longitude" : -122.0, + "DiscardsTxInterface" : 0, + "PrivateIP" : "10.0.0.4", + "ConnectorStartTime" : "1555920005", + "ConnectorGroup" : "Azure App Connectors", + "LogTimestamp" : "2025-08-28T08:15:42Z", + "SessionID" : "8A64Qwj9zCkfYDGJVoUZ" + } + 
result: + custom: + BytesRxInterface: 319831966346 + BytesTxInterface: 192958782635 + CPUUtilization: 1 + Connector: "Seattle App Connector 1" + ConnectorGroup: "Azure App Connectors" + ConnectorStartTime: "1555920005" + CountryCode: "US" + Customer: "Safe March" + DefRouteGW: "10.0.0.1" + DiscardsRxInterface: 0 + DiscardsTxInterface: 0 + ErrorsRxInterface: 0 + ErrorsTxInterface: 0 + EventType: "app-connector-status" + HostStartTime: "1513229995" + InterfaceDefRoute: "eth0" + Latitude: 47.0 + LogTimestamp: "2025-08-28T08:15:42Z" + Longitude: -122.0 + MemUtilization: 20 + MicroTenantID: "145257480799129312" + NumOfInterfaces: 2 + PacketsRxInterface: 1617569938 + PacketsTxInterface: 1797471190 + Platform: "el7" + PrimaryDNSResolver: "168.63.129.16" + PrivateIP: "10.0.0.4" + ServiceCount: 2 + SessionID: "8A64Qwj9zCkfYDGJVoUZ" + SessionStatus: "ZPN_STATUS_AUTHENTICATED" + SessionType: "ZPN_ASSISTANT_BROKER_CONTROL" + TimestampAuthentication: "2019-06-27T05:05:23.348Z" + TimestampUnAuthentication: "" + TotalBytesRx: 10902554 + TotalBytesTx: 48931771 + Version: "19.20.3" + ZEN: "US-NY-8179" + network: + client: + geoip: {} + ip: "52.224.237.221" + message: |- + { + "Connector" : "Seattle App Connector 1", + "SessionType" : "ZPN_ASSISTANT_BROKER_CONTROL", + "ZEN" : "US-NY-8179", + "TotalBytesRx" : 10902554, + "Platform" : "el7", + "TotalBytesTx" : 48931771, + "Customer" : "Safe March", + "PublicIP" : "52.224.237.221", + "EventType" : "app-connector-status", + "MicroTenantID" : "145257480799129312", + "Latitude" : 47.0, + "TimestampUnAuthentication" : "", + "HostStartTime" : "1513229995", + "ServiceCount" : 2, + "CPUUtilization" : 1, + "MemUtilization" : 20, + "ErrorsRxInterface" : 0, + "PacketsTxInterface" : 1797471190, + "Version" : "19.20.3", + "SessionStatus" : "ZPN_STATUS_AUTHENTICATED", + "InterfaceDefRoute" : "eth0", + "DiscardsRxInterface" : 0, + "CountryCode" : "US", + "PacketsRxInterface" : 1617569938, + "DefRouteGW" : "10.0.0.1", + "BytesTxInterface" : 
192958782635, + "ErrorsTxInterface" : 0, + "TimestampAuthentication" : "2019-06-27T05:05:23.348Z", + "PrimaryDNSResolver" : "168.63.129.16", + "NumOfInterfaces" : 2, + "BytesRxInterface" : 319831966346, + "Longitude" : -122.0, + "DiscardsTxInterface" : 0, + "PrivateIP" : "10.0.0.4", + "ConnectorStartTime" : "1555920005", + "ConnectorGroup" : "Azure App Connectors", + "LogTimestamp" : "2025-08-28T08:15:42Z", + "SessionID" : "8A64Qwj9zCkfYDGJVoUZ" + } + service: "app-connector-status" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: |- + { + "ZEN" : "broker3.eu1", + "TotalBytesRx" : 5123432, + "ClientType" : "zpn_client_type_zapp", + "TotalBytesTx" : 7234321, + "Platform" : "windows", + "Customer" : "Contoso Corp", + "PublicIP" : "52.174.23.17", + "EventType" : "user-status", + "MicroTenantID" : "23459872345987", + "TrustedNetworksNames" : "Corp_London", + "Latitude" : 51.5074, + "TimestampUnAuthentication" : "", + "TrustedNetworks" : "TN2_eu1", + "Idp" : "AzureAD", + "PosturesHit" : [ "vpn-secure,av-installed" ], + "Version" : "20.1.0-12-g5e7d3b9", + "CertificateCN" : "slogger3.eu1.zpa.net", + "SessionStatus" : "ZPN_STATUS_AUTHENTICATED", + "CountryCode" : "GB", + "ZENLatitude" : 52.52, + "FQDNRegistered" : "1", + "FQDNRegisteredError" : "", + "SAMLAttributes" : "myname:alice,myemail:alice.w@contoso.com", + "Hostname" : "LAPTOP-AW123", + "PosturesMisses" : [ "disk-encryption", "firewall-enabled" ], + "ZENCountryCode" : "DE", + "TimestampAuthentication" : "2019-06-03T08:11:40.000Z", + "City" : "London", + "Longitude" : -0.1278, + "Username" : "alice.w", + "PrivateIP" : "10.0.5.12", + "ZENLongitude" : 13.405, + "LogTimestamp" : "2025-08-28T08:15:42Z", + "SessionID" : "XyZp98KlMn56" + } + result: + custom: + CertificateCN: "slogger3.eu1.zpa.net" + City: "London" + ClientType: "zpn_client_type_zapp" + CountryCode: "GB" + Customer: "Contoso Corp" + EventType: "user-status" + FQDNRegistered: "1" + FQDNRegisteredError: "" + Hostname: "LAPTOP-AW123" + Idp: 
"AzureAD" + Latitude: 51.5074 + LogTimestamp: "2025-08-28T08:15:42Z" + Longitude: -0.1278 + MicroTenantID: "23459872345987" + Platform: "windows" + PosturesHit: + - "vpn-secure,av-installed" + PosturesHitCount: 1 + PosturesMissCount: 2 + PosturesMisses: + - "disk-encryption" + - "firewall-enabled" + PrivateIP: "10.0.5.12" + SAMLAttributes: "myname:alice,myemail:alice.w@contoso.com" + SessionID: "XyZp98KlMn56" + SessionStatus: "ZPN_STATUS_AUTHENTICATED" + TimestampAuthentication: "2019-06-03T08:11:40.000Z" + TimestampUnAuthentication: "" + TotalBytesRx: 5123432 + TotalBytesTx: 7234321 + TrustedNetworks: "TN2_eu1" + TrustedNetworksNames: "Corp_London" + Version: "20.1.0-12-g5e7d3b9" + ZEN: "broker3.eu1" + ZENCountryCode: "DE" + ZENLatitude: 52.52 + ZENLongitude: 13.405 + network: + client: + geoip: {} + ip: "52.174.23.17" + usr: + name: "alice.w" + message: |- + { + "ZEN" : "broker3.eu1", + "TotalBytesRx" : 5123432, + "ClientType" : "zpn_client_type_zapp", + "TotalBytesTx" : 7234321, + "Platform" : "windows", + "Customer" : "Contoso Corp", + "PublicIP" : "52.174.23.17", + "EventType" : "user-status", + "MicroTenantID" : "23459872345987", + "TrustedNetworksNames" : "Corp_London", + "Latitude" : 51.5074, + "TimestampUnAuthentication" : "", + "TrustedNetworks" : "TN2_eu1", + "Idp" : "AzureAD", + "PosturesHit" : [ "vpn-secure,av-installed" ], + "Version" : "20.1.0-12-g5e7d3b9", + "CertificateCN" : "slogger3.eu1.zpa.net", + "SessionStatus" : "ZPN_STATUS_AUTHENTICATED", + "CountryCode" : "GB", + "ZENLatitude" : 52.52, + "FQDNRegistered" : "1", + "FQDNRegisteredError" : "", + "SAMLAttributes" : "myname:alice,myemail:alice.w@contoso.com", + "Hostname" : "LAPTOP-AW123", + "PosturesMisses" : [ "disk-encryption", "firewall-enabled" ], + "ZENCountryCode" : "DE", + "TimestampAuthentication" : "2019-06-03T08:11:40.000Z", + "City" : "London", + "Longitude" : -0.1278, + "Username" : "alice.w", + "PrivateIP" : "10.0.5.12", + "ZENLongitude" : 13.405, + "LogTimestamp" : 
"2025-08-28T08:15:42Z", + "SessionID" : "XyZp98KlMn56" + } + service: "user-status" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: |- + { + "ContentType" : "", + "Customer" : "AlphaCorp", + "EventType" : "app-protection", + "ClientPort" : 54521, + "ResponseHdrSize" : 1240, + "ProtocolVersion" : "", + "StatusCode" : 200, + "RequestBodySize" : 0, + "ExchangeSequenceIndex" : 0, + "TimestampRequestReceiveFinish" : 1661670131000800, + "ClientPublicIp" : "192.168.1.101", + "RequestHdrSize" : 560, + "ResponseBodySize" : 512, + "TotalBytesProcessed" : 1752, + "TimestampResponseReceiveStart" : 1661670131002000, + "InspectionReqHeadersProcessingTime" : 500, + "ParanoiaLevel" : 2, + "TimestampRequestReceiveStart" : 1661670131000100, + "InspectionReqBodyProcessingTime" : 700, + "Method" : "GET", + "TimestampResponseTransmitStart" : 1661670131003000, + "UpgradeHeaderPresent" : 0, + "SSLInspection" : 1, + "TimestampRequestTransmitFinish" : 1661670131001200, + "Domain" : "alphacorp.com", + "TotalTimeRequestTransmit" : 300, + "Application" : 145254438888544100, + "CertificateId" : 145254438888538200, + "AssistantID" : "alpha-key-001", + "TotalTimeResponseTransmit" : 500, + "TimestampRequestReceiveHeaderFinish" : 1661670131000250, + "TotalTimeResponseReceive" : 900, + "ContentEncoding" : "", + "URL" : "/login", + "HTTPError" : "success", + "ApplicationGroup" : 145254438888544120, + "TimestampRequestTransmitStart" : 1661670131000900, + "InspectionControlsHitCount" : 0, + "InspectionRespHeadersProcessingTime" : 30, + "UserID" : "user1@alphacorp.com", + "UserAgent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", + "OriginDomain" : "", + "Protocol" : "1.1", + "TransferEncoding" : "", + "InspectionRespBodyProcessingTime" : 5, + "InspectionProfile" : 145254438888538680, + "TotalTimeRequestReceive" : 700, + "TimestampResponseReceiveFinish" : 1661670131002900, + "TimestampResponseTransmitFinish" : 1661670131003500, + "DoubleEncryption" : 1, + "Host" : "alphacorp.com", + 
"InspectionPolicy" : 145254438888543731, + "InspectionRuleProcessingTime" : 0, + "ConnectionID" : "a9K2s3LmTnYz84GhXvP1", + "LogTimestamp" : "Sun Aug 28 07:02:11 2025" + } + result: + custom: + Application: 145254438888544100 + ApplicationGroup: 145254438888544120 + AssistantID: "alpha-key-001" + CertificateId: 145254438888538200 + ConnectionID: "a9K2s3LmTnYz84GhXvP1" + ContentEncoding: "" + ContentType: "" + Customer: "AlphaCorp" + Domain: "alphacorp.com" + DoubleEncryption: 1 + EventType: "app-protection" + ExchangeSequenceIndex: 0 + HTTPError: "success" + Host: "alphacorp.com" + InspectionControlsHitCount: 0 + InspectionPolicy: 145254438888543731 + InspectionProfile: 145254438888538680 + InspectionReqBodyProcessingTime: 700 + InspectionReqHeadersProcessingTime: 500 + InspectionRespBodyProcessingTime: 5 + InspectionRespHeadersProcessingTime: 30 + InspectionRuleProcessingTime: 0 + LogTimestamp: "Sun Aug 28 07:02:11 2025" + OriginDomain: "" + ParanoiaLevel: 2 + Protocol: "1.1" + RequestBodySize: 0 + RequestHdrSize: 560 + ResponseBodySize: 512 + ResponseHdrSize: 1240 + SSLInspection: 1 + TimestampRequestReceiveFinish: 1661670131000800 + TimestampRequestReceiveHeaderFinish: 1661670131000250 + TimestampRequestReceiveStart: 1661670131000100 + TimestampRequestTransmitFinish: 1661670131001200 + TimestampRequestTransmitStart: 1661670131000900 + TimestampResponseReceiveFinish: 1661670131002900 + TimestampResponseReceiveStart: 1661670131002000 + TimestampResponseTransmitFinish: 1661670131003500 + TimestampResponseTransmitStart: 1661670131003000 + TotalBytesProcessed: 1752 + TotalTimeRequestReceive: 700 + TotalTimeRequestTransmit: 300 + TotalTimeResponseReceive: 900 + TotalTimeResponseTransmit: 500 + TransferEncoding: "" + UpgradeHeaderPresent: 0 + http: + method: "GET" + status_code: 200 + url: "/login" + useragent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" + useragent_details: + browser: + family: "Other" + device: + category: "Desktop" + family: "Other" + os: + family: 
"Windows" + major: "10" + version: "" + network: + client: + geoip: {} + ip: "192.168.1.101" + port: 54521 + usr: + id: "user1@alphacorp.com" + message: |- + { + "ContentType" : "", + "Customer" : "AlphaCorp", + "EventType" : "app-protection", + "ClientPort" : 54521, + "ResponseHdrSize" : 1240, + "ProtocolVersion" : "", + "StatusCode" : 200, + "RequestBodySize" : 0, + "ExchangeSequenceIndex" : 0, + "TimestampRequestReceiveFinish" : 1661670131000800, + "ClientPublicIp" : "192.168.1.101", + "RequestHdrSize" : 560, + "ResponseBodySize" : 512, + "TotalBytesProcessed" : 1752, + "TimestampResponseReceiveStart" : 1661670131002000, + "InspectionReqHeadersProcessingTime" : 500, + "ParanoiaLevel" : 2, + "TimestampRequestReceiveStart" : 1661670131000100, + "InspectionReqBodyProcessingTime" : 700, + "Method" : "GET", + "TimestampResponseTransmitStart" : 1661670131003000, + "UpgradeHeaderPresent" : 0, + "SSLInspection" : 1, + "TimestampRequestTransmitFinish" : 1661670131001200, + "Domain" : "alphacorp.com", + "TotalTimeRequestTransmit" : 300, + "Application" : 145254438888544100, + "CertificateId" : 145254438888538200, + "AssistantID" : "alpha-key-001", + "TotalTimeResponseTransmit" : 500, + "TimestampRequestReceiveHeaderFinish" : 1661670131000250, + "TotalTimeResponseReceive" : 900, + "ContentEncoding" : "", + "URL" : "/login", + "HTTPError" : "success", + "ApplicationGroup" : 145254438888544120, + "TimestampRequestTransmitStart" : 1661670131000900, + "InspectionControlsHitCount" : 0, + "InspectionRespHeadersProcessingTime" : 30, + "UserID" : "user1@alphacorp.com", + "UserAgent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", + "OriginDomain" : "", + "Protocol" : "1.1", + "TransferEncoding" : "", + "InspectionRespBodyProcessingTime" : 5, + "InspectionProfile" : 145254438888538680, + "TotalTimeRequestReceive" : 700, + "TimestampResponseReceiveFinish" : 1661670131002900, + "TimestampResponseTransmitFinish" : 1661670131003500, + "DoubleEncryption" : 1, + "Host" : "alphacorp.com", 
+ "InspectionPolicy" : 145254438888543731, + "InspectionRuleProcessingTime" : 0, + "ConnectionID" : "a9K2s3LmTnYz84GhXvP1", + "LogTimestamp" : "Sun Aug 28 07:02:11 2025" + } + service: "app-protection" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: |- + { + "Origin" : "https://beta.demo.org", + "ClientPrivateIp" : "192.168.1.25", + "Customer" : "Beta Testers", + "EventType" : "browser-access", + "TotalTimeResponseTransmit" : 2, + "TimestampRequestReceiveHeaderFinish" : "2025-08-28T07:06:48.553Z", + "TotalTimeResponseReceive" : 3, + "Exporter" : "edge-instance-03", + "StatusCode" : 502, + "URL" : "/api/v1/login", + "CorsToken" : "token_login_345", + "ResponseSize" : 498, + "TimestampRequestReceiveFinish" : "2025-08-28T07:06:48.556Z", + "ClientPublicIp" : "198.51.100.10", + "TimestampRequestTransmitStart" : "2025-08-28T07:06:48.590Z", + "TotalTimeConnectionSetup" : 34, + "UserAgent" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15", + "XFF" : "198.51.100.42", + "TimestampResponseReceiveStart" : "2025-08-28T07:06:48.701Z", + "Protocol" : "HTTPS", + "ConnectionStatus" : "Redirect", + "ClientPublicPort" : 60012, + "NameID" : "jane.doe@demo.org", + "RequestSize" : 1200, + "ConnectionReason" : "AuthRedirect", + "TotalTimeRequestReceive" : 4, + "TimestampRequestReceiveStart" : "2025-08-28T07:06:48.552Z", + "TimestampResponseReceiveFinish" : "2025-08-28T07:06:48.704Z", + "TimestampResponseTransmitFinish" : "2025-08-28T07:06:48.712Z", + "ApplicationPort" : 443, + "Host" : "api.beta.demo.org", + "Method" : "POST", + "TimestampResponseTransmitStart" : "2025-08-28T07:06:48.710Z", + "ConnectionID" : "xyz908op", + "TotalTimeServerResponse" : 109, + "TimestampRequestTransmitFinish" : "2025-08-28T07:06:48.592Z", + "LogTimestamp" : "Thu August 28 07:12:25 2025", + "TotalTimeRequestTransmit" : 2 + } + result: + custom: + ApplicationPort: 443 + ClientPrivateIp: "192.168.1.25" + ClientPublicPort: 60012 + ConnectionID: "xyz908op" + ConnectionReason: 
"AuthRedirect" + ConnectionStatus: "Redirect" + CorsToken: "token_login_345" + Customer: "Beta Testers" + EventType: "browser-access" + Exporter: "edge-instance-03" + Host: "api.beta.demo.org" + LogTimestamp: "Thu August 28 07:12:25 2025" + Origin: "https://beta.demo.org" + Protocol: "HTTPS" + RequestSize: 1200 + ResponseSize: 498 + TimestampRequestReceiveFinish: "2025-08-28T07:06:48.556Z" + TimestampRequestReceiveHeaderFinish: "2025-08-28T07:06:48.553Z" + TimestampRequestReceiveStart: "2025-08-28T07:06:48.552Z" + TimestampRequestTransmitFinish: "2025-08-28T07:06:48.592Z" + TimestampRequestTransmitStart: "2025-08-28T07:06:48.590Z" + TimestampResponseReceiveFinish: "2025-08-28T07:06:48.704Z" + TimestampResponseReceiveStart: "2025-08-28T07:06:48.701Z" + TimestampResponseTransmitFinish: "2025-08-28T07:06:48.712Z" + TimestampResponseTransmitStart: "2025-08-28T07:06:48.710Z" + TotalTimeConnectionSetup: 34 + TotalTimeRequestReceive: 4 + TotalTimeRequestTransmit: 2 + TotalTimeResponseReceive: 3 + TotalTimeResponseTransmit: 2 + TotalTimeServerResponse: 109 + XFF: "198.51.100.42" + http: + method: "POST" + status_code: 502 + url: "/api/v1/login" + useragent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15" + useragent_details: + browser: + family: "Safari" + device: + brand: "Apple" + category: "Desktop" + family: "Mac" + model: "Mac" + os: + family: "Mac OS X" + major: "10" + minor: "15" + patch: "7" + network: + client: + geoip: {} + ip: "198.51.100.10" + usr: + id: "jane.doe@demo.org" + message: |- + { + "Origin" : "https://beta.demo.org", + "ClientPrivateIp" : "192.168.1.25", + "Customer" : "Beta Testers", + "EventType" : "browser-access", + "TotalTimeResponseTransmit" : 2, + "TimestampRequestReceiveHeaderFinish" : "2025-08-28T07:06:48.553Z", + "TotalTimeResponseReceive" : 3, + "Exporter" : "edge-instance-03", + "StatusCode" : 502, + "URL" : "/api/v1/login", + "CorsToken" : "token_login_345", + "ResponseSize" : 498, + "TimestampRequestReceiveFinish" : 
"2025-08-28T07:06:48.556Z", + "ClientPublicIp" : "198.51.100.10", + "TimestampRequestTransmitStart" : "2025-08-28T07:06:48.590Z", + "TotalTimeConnectionSetup" : 34, + "UserAgent" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15", + "XFF" : "198.51.100.42", + "TimestampResponseReceiveStart" : "2025-08-28T07:06:48.701Z", + "Protocol" : "HTTPS", + "ConnectionStatus" : "Redirect", + "ClientPublicPort" : 60012, + "NameID" : "jane.doe@demo.org", + "RequestSize" : 1200, + "ConnectionReason" : "AuthRedirect", + "TotalTimeRequestReceive" : 4, + "TimestampRequestReceiveStart" : "2025-08-28T07:06:48.552Z", + "TimestampResponseReceiveFinish" : "2025-08-28T07:06:48.704Z", + "TimestampResponseTransmitFinish" : "2025-08-28T07:06:48.712Z", + "ApplicationPort" : 443, + "Host" : "api.beta.demo.org", + "Method" : "POST", + "TimestampResponseTransmitStart" : "2025-08-28T07:06:48.710Z", + "ConnectionID" : "xyz908op", + "TotalTimeServerResponse" : 109, + "TimestampRequestTransmitFinish" : "2025-08-28T07:06:48.592Z", + "LogTimestamp" : "Thu August 28 07:12:25 2025", + "TotalTimeRequestTransmit" : 2 + } + service: "browser-access" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: |- + { + "Policy" : "PRA SSH Policy", + "ServicePort" : 22, + "Connector" : "NY-AppConnector-2", + "Platform" : "linux", + "Customer" : "Global Corp", + "EventType" : "user-activity", + "PRAConsoleType" : "SSH", + "ClientCity" : "New York", + "ClientZEN" : "broker1.us-east", + "PRACredentialLoginType" : "Username/Password", + "ClientCountryCode" : "US", + "Idp" : "Okta", + "PRAConnectionID" : "PRA-SESSION-1", + "PRAErrorStatus" : "", + "PRASharedUserList" : "{\"shared_user_list\":[{\"name\":\"secops@global.com\"}]}", + "PRASharedMode" : "control", + "ConnectionStatus" : "active", + "PRAApprovalID" : 11111, + "AppGroup" : "Privileged Access", + "ClientPrivateIP" : "10.0.4.15", + "DoubleEncryption" : "0", + "Hostname" : "PRA-SERVER", + "Host" : "10.40.1.100", + "PRACredentialUserName" 
: "root", + "ConnectionID" : "pra001,conn001", + "ClientPublicIP" : "23.44.55.66", + "Username" : "dave@global.com", + "PRARecordingStatus" : "Available", + "PRACapabilityPolicyID" : 22222, + "LogTimestamp" : "Fri Aug 29 05:40:42 2025", + "SessionID" : "pra001", + "Application" : "PRA-SSH-Server" + } + result: + custom: + AppGroup: "Privileged Access" + Application: "PRA-SSH-Server" + ClientCity: "New York" + ClientCountryCode: "US" + ClientPrivateIP: "10.0.4.15" + ClientZEN: "broker1.us-east" + ConnectionID: "pra001,conn001" + ConnectionStatus: "active" + Connector: "NY-AppConnector-2" + Customer: "Global Corp" + DoubleEncryption: "0" + EventType: "user-activity" + Host: "10.40.1.100" + Hostname: "PRA-SERVER" + Idp: "Okta" + LogTimestamp: "Fri Aug 29 05:40:42 2025" + PRAApprovalID: 11111 + PRACapabilityPolicyID: 22222 + PRAConnectionID: "PRA-SESSION-1" + PRAConsoleType: "SSH" + PRACredentialLoginType: "Username/Password" + PRACredentialUserName: "root" + PRAErrorStatus: "" + PRARecordingStatus: "Available" + PRASharedMode: "control" + PRASharedUserList: "{\"shared_user_list\":[{\"name\":\"secops@global.com\"}]}" + Platform: "linux" + Policy: "PRA SSH Policy" + ServicePort: 22 + SessionID: "pra001" + network: + client: + geoip: {} + ip: "23.44.55.66" + timestamp: 1756446042000 + usr: + name: "dave@global.com" + message: |- + { + "Policy" : "PRA SSH Policy", + "ServicePort" : 22, + "Connector" : "NY-AppConnector-2", + "Platform" : "linux", + "Customer" : "Global Corp", + "EventType" : "user-activity", + "PRAConsoleType" : "SSH", + "ClientCity" : "New York", + "ClientZEN" : "broker1.us-east", + "PRACredentialLoginType" : "Username/Password", + "ClientCountryCode" : "US", + "Idp" : "Okta", + "PRAConnectionID" : "PRA-SESSION-1", + "PRAErrorStatus" : "", + "PRASharedUserList" : "{\"shared_user_list\":[{\"name\":\"secops@global.com\"}]}", + "PRASharedMode" : "control", + "ConnectionStatus" : "active", + "PRAApprovalID" : 11111, + "AppGroup" : "Privileged Access", + 
"ClientPrivateIP" : "10.0.4.15", + "DoubleEncryption" : "0", + "Hostname" : "PRA-SERVER", + "Host" : "10.40.1.100", + "PRACredentialUserName" : "root", + "ConnectionID" : "pra001,conn001", + "ClientPublicIP" : "23.44.55.66", + "Username" : "dave@global.com", + "PRARecordingStatus" : "Available", + "PRACapabilityPolicyID" : 22222, + "LogTimestamp" : "Fri Aug 29 05:40:42 2025", + "SessionID" : "pra001", + "Application" : "PRA-SSH-Server" + } + service: "user-activity" + tags: + - "source:LOGS_SOURCE" + timestamp: 1756446042000 + - + sample: |- + { + "AppExecutablePath" : [ "/usr/bin/curl" ], + "Customer" : "NextGenHealth", + "ConnectionStartTime" : 1661675251000100, + "EventType" : "microsegmentation", + "ResourceName" : "app01.nextgen.net", + "AppZoneID" : "72097421269663744-34567890123456789", + "EnforcementDisposition" : "REJECTED", + "DestinationPort" : 43321, + "Direction" : "OUTBOUND", + "AppName" : "curl", + "DestinationIP" : "10.45.23.89", + "AppZoneName" : "prod-zone", + "EnforcementReason" : "NO_POLICY_EXISTS", + "SourceIP" : "192.168.1.101", + "ResourceID" : "72097421269663744-23456789012345678", + "EnforcementAction" : "BLOCK", + "PolicyName" : "web_tls_policy", + "AgentID" : "72097421269663744-12345678901234567", + "AgentName" : "agent3.nextgen.net", + "LogTimestamp" : "Fri Aug 29 05:40:42 2025", + "Protocol" : 6, + "PolicyID" : "72097421269663744-45678901234567890", + "SourcePorts" : 54521 + } + result: + custom: + AgentID: "72097421269663744-12345678901234567" + AgentName: "agent3.nextgen.net" + AppExecutablePath: + - "/usr/bin/curl" + AppName: "curl" + AppZoneID: "72097421269663744-34567890123456789" + AppZoneName: "prod-zone" + ConnectionStartTime: 1661675251000100 + Customer: "NextGenHealth" + Direction: "OUTBOUND" + EnforcementAction: "BLOCK" + EnforcementDisposition: "REJECTED" + EnforcementReason: "NO_POLICY_EXISTS" + EventType: "microsegmentation" + LogTimestamp: "Fri Aug 29 05:40:42 2025" + PolicyID: "72097421269663744-45678901234567890" + 
PolicyName: "web_tls_policy" + Protocol: 6 + ProtocolName: "TCP" + ResourceID: "72097421269663744-23456789012345678" + ResourceName: "app01.nextgen.net" + network: + client: + geoip: {} + ip: "192.168.1.101" + port: 54521 + destination: + geoip: {} + ip: "10.45.23.89" + port: 43321 + timestamp: 1756446042000 + message: |- + { + "AppExecutablePath" : [ "/usr/bin/curl" ], + "Customer" : "NextGenHealth", + "ConnectionStartTime" : 1661675251000100, + "EventType" : "microsegmentation", + "ResourceName" : "app01.nextgen.net", + "AppZoneID" : "72097421269663744-34567890123456789", + "EnforcementDisposition" : "REJECTED", + "DestinationPort" : 43321, + "Direction" : "OUTBOUND", + "AppName" : "curl", + "DestinationIP" : "10.45.23.89", + "AppZoneName" : "prod-zone", + "EnforcementReason" : "NO_POLICY_EXISTS", + "SourceIP" : "192.168.1.101", + "ResourceID" : "72097421269663744-23456789012345678", + "EnforcementAction" : "BLOCK", + "PolicyName" : "web_tls_policy", + "AgentID" : "72097421269663744-12345678901234567", + "AgentName" : "agent3.nextgen.net", + "LogTimestamp" : "Fri Aug 29 05:40:42 2025", + "Protocol" : 6, + "PolicyID" : "72097421269663744-45678901234567890", + "SourcePorts" : 54521 + } + service: "microsegmentation" + tags: + - "source:LOGS_SOURCE" + timestamp: 1756446042000 diff --git a/zscaler_private_access/assets/monitors/app_connector_high_cpu_utilization.json b/zscaler_private_access/assets/monitors/app_connector_high_cpu_utilization.json new file mode 100644 index 0000000000000..526ba7949a82d --- /dev/null +++ b/zscaler_private_access/assets/monitors/app_connector_high_cpu_utilization.json 
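Review bot: Four fixtures assert `timestamp: 1` (app-connector-status, user-status, app-protection and browser-access), which pins the behaviour that no official timestamp was extracted from `LogTimestamp` for those samples. For the status samples this follows from the pipeline: the status grok rules only accept `EEE MMM dd HH:mm:ss yyyy` / `EEE MMM d HH:mm:ss yyyy`, while both samples carry ISO 8601 values such as `"LogTimestamp" : "2025-08-28T08:15:42Z"`; the browser-access sample spells the month out (`Thu August 28 07:12:25 2025`) and the app-protection sample's weekday does not match its date (`Sun Aug 28 07:02:11 2025`, which was a Thursday), though those pipelines are outside this hunk so that part is inferred. Either give the samples the format the pipeline parses (the user-activity and microsegmentation fixtures with `Fri Aug 29 05:40:42 2025` do resolve to `1756446042000`) or add a rule for the ISO form, so the fixtures actually exercise date extraction. Events that reach Cloud SIEM without a parsed event time are stamped at ingestion, which skews rule correlation and incident timelines, so a fixture that silently accepts `timestamp: 1` hides a detection-quality regression.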
@@ -0,0 +1,36 @@
+{
+ "version": 2,
+ "created_at": "2025-09-03",
+ "last_updated_at": "2025-09-03",
+ "title": "App connector high cpu utilization",
+ "description": "This monitor alerts when the App connector's CPU utilization reaches or exceeds 80%, indicating potential resource saturation. High CPU usage may lead to performance degradation, delayed user connections, or disruptions in application access.",
+ "definition": {
+ "id": 186315896,
+ "name": "App connector high cpu utilization",
+ "type": "log alert",
+ "query": "logs(\"source:zscaler-private-access service:app-connector-status @CPUUtilization:>=80\").index(\"*\").rollup(\"count\").by(\"@Connector\").last(\"5m\") >= 1",
+ "message": "{{#is_alert}} \nConnector: `{{@Connector}}` with high CPU Utilization(>=80) detected. This may indicate resource saturation, which can degrade performance, delay user connections, or disrupt application access.\n{{/is_alert}}\n\n\n@example@example.com",
+ "tags": [
+ "source:zscaler-private-access"
+ ],
+ "options": {
+ "thresholds": {
+ "critical": 1
+ },
+ "enable_logs_sample": true,
+ "notify_audit": false,
+ "on_missing_data": "default",
+ "include_tags": true,
+ "new_group_delay": 60,
+ "groupby_simple_monitor": false,
+ "silenced": {}
+ },
+ "priority": null,
+ "restriction_policy": {
+ "bindings": []
+ }
+ },
+ "tags": [
+ "integration:zscaler-private-access"
+ ]
+}
diff --git a/zscaler_private_access/assets/monitors/app_connector_low_available_disk_space.json b/zscaler_private_access/assets/monitors/app_connector_low_available_disk_space.json
new file mode 100644
index 0000000000000..cd06267c3fbf3
--- /dev/null
+++ b/zscaler_private_access/assets/monitors/app_connector_low_available_disk_space.json
@@ -0,0 +1,36 @@
+{
+ "version": 2,
+ "created_at": "2025-09-03",
+ "last_updated_at": "2025-09-03",
+ "title": "App connector low available disk space",
+ "description": "This monitor triggers an alert when the App connector's available disk space falls at or below 100 bytes, which may compromise system stability and logging, and can affect the processing of user connections in a reliable manner.",
+ "definition": {
+ "id": 186318366,
+ "name": "App connector low available disk space",
+ "type": "log alert",
+ "query": "logs(\"source:zscaler-private-access service:app-connector-metrics @AvailableDiskBytes:<=100\").index(\"*\").rollup(\"count\").by(\"@Connector\").last(\"5m\") >= 1",
+ "message": "{{#is_alert}} \nConnector: `{{@Connector}}` detected with low available disk space(<=100), which may impact system stability, logging, and the ability to process user connections reliably.\n{{/is_alert}}\n\n@example@example.com",
+ "tags": [
+ "source:zscaler-private-access"
+ ],
+ "options": {
+ "thresholds": {
+ "critical": 1
+ },
+ "enable_logs_sample": true,
+ "notify_audit": false,
+ "on_missing_data": "default",
+ "include_tags": true,
+ "new_group_delay": 60,
+ "groupby_simple_monitor": false,
+ "silenced": {}
+ },
+ "priority": null,
+ "restriction_policy": {
+ "bindings": []
+ }
+ },
+ "tags": [
+ "integration:zscaler-private-access"
+ ]
+}
\ No newline at end of file
diff --git a/zscaler_private_access/assets/zscaler_private_access.svg b/zscaler_private_access/assets/zscaler_private_access.svg
new file mode 100644
index 0000000000000..5e3bb26ea5055
--- /dev/null
+++ b/zscaler_private_access/assets/zscaler_private_access.svg
@@ -0,0 +1,3 @@
+
+
+
diff --git a/zscaler_private_access/changelog.d/21228.added b/zscaler_private_access/changelog.d/21228.added
new file mode 100644
index 0000000000000..aa949b47b7b41
--- /dev/null
+++ b/zscaler_private_access/changelog.d/21228.added
@@ -0,0 +1 @@
+Initial Release
\ No newline at end of file
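Review bot: The query condition `@AvailableDiskBytes:<=100` only matches once the connector has 100 bytes of free disk left, which is effectively after the disk is already full; by that point local logging and the metrics/status logs this monitor depends on have most likely stopped, so the alert is unlikely to arrive while there is still time to act. If the field is in bytes as its name suggests, pick a threshold with real headroom and keep the `description` and the `(<=100)` text in `message` in step with it, for example (constructed value) `@AvailableDiskBytes:<=1073741824` for 1 GiB. A missing or late disk alert on a connector also means its log forwarding can silently stop, which is a visibility gap for the detection rules built on these logs.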
diff --git a/zscaler_private_access/datadog_checks/__init__.py b/zscaler_private_access/datadog_checks/__init__.py
new file mode 100644
index 0000000000000..a77b3f5ff63ac
--- /dev/null
+++ b/zscaler_private_access/datadog_checks/__init__.py
@@ -0,0 +1,4 @@
+# (C) Datadog, Inc. 2025-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+__path__ = __import__('pkgutil').extend_path(__path__, __name__) # type: ignore
diff --git a/zscaler_private_access/datadog_checks/zscaler_private_access/__about__.py b/zscaler_private_access/datadog_checks/zscaler_private_access/__about__.py
new file mode 100644
index 0000000000000..1bde5986a04b2
--- /dev/null
+++ b/zscaler_private_access/datadog_checks/zscaler_private_access/__about__.py
@@ -0,0 +1,4 @@
+# (C) Datadog, Inc. 2025-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+__version__ = '0.0.1'
diff --git a/zscaler_private_access/datadog_checks/zscaler_private_access/__init__.py b/zscaler_private_access/datadog_checks/zscaler_private_access/__init__.py
new file mode 100644
index 0000000000000..b408666583b85
--- /dev/null
+++ b/zscaler_private_access/datadog_checks/zscaler_private_access/__init__.py
@@ -0,0 +1,6 @@
+# (C) Datadog, Inc. 2025-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+from .__about__ import __version__
+
+__all__ = ['__version__']
diff --git a/zscaler_private_access/datadog_checks/zscaler_private_access/data/conf.yaml.example b/zscaler_private_access/datadog_checks/zscaler_private_access/data/conf.yaml.example
new file mode 100644
index 0000000000000..69b64891485c8
--- /dev/null
+++ b/zscaler_private_access/datadog_checks/zscaler_private_access/data/conf.yaml.example
@@ -0,0 +1,19 @@
+## Log Section
+##
+## type - required - Type of log input source (tcp / udp / file / windows_event).
+## port / path / channel_path - required - Set port if type is tcp or udp.
+## Set path if type is file.
+## Set channel_path if type is windows_event.
+## source - required - Attribute that defines which integration sent the logs.
+## encoding - optional - For file specifies the file encoding. Default is utf-8. Other
+## possible values are utf-16-le and utf-16-be.
+## service - optional - The name of the service that generates the log.
+## Overrides any `service` defined in the `init_config` section.
+## tags - optional - Add tags to the collected logs.
+##
+## Discover Datadog log collection: https://docs.datadoghq.com/logs/log_collection/
+#
+# logs:
+# - type: tcp
+# port:
+# source: zscaler-private-access
diff --git a/zscaler_private_access/images/zscaler_private_access_app_connector_light.png b/zscaler_private_access/images/zscaler_private_access_app_connector_light.png
new file mode 100644
index 0000000000000..b2724370fe189
Binary files /dev/null and b/zscaler_private_access/images/zscaler_private_access_app_connector_light.png differ
diff --git a/zscaler_private_access/images/zscaler_private_access_app_protection_light_1.png b/zscaler_private_access/images/zscaler_private_access_app_protection_light_1.png
new file mode 100644
index 0000000000000..c048bd78a4fae
Binary files /dev/null and b/zscaler_private_access/images/zscaler_private_access_app_protection_light_1.png differ
diff --git a/zscaler_private_access/images/zscaler_private_access_app_protection_light_2.png b/zscaler_private_access/images/zscaler_private_access_app_protection_light_2.png
new file mode 100644
index 0000000000000..98398a608044d
Binary files /dev/null and b/zscaler_private_access/images/zscaler_private_access_app_protection_light_2.png differ
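Review bot: The `service - optional` line invites users to set their own service name, yet the bundled App Connector disk-space monitor matches on `service:app-connector-metrics`; if that value is assigned per log type by the integration's pipeline rather than by this config, a user-supplied `service:` here would silently detach the monitors, so the comment should say so, e.g. `## service - optional - Leave unset for this integration: the log pipeline assigns per-log-type services (such as app-connector-metrics) that the bundled monitors rely on.` The example also opens a plain TCP input, and nothing in this file configures TLS or any source authentication for that listener, so a short note telling operators to restrict the port at the host or network firewall to the ZPA log-forwarding sources would be a cheap safeguard. The empty `port:` value may be an artifact of how this page was extracted (a `<PORT>` placeholder would be stripped as markup), so I am not treating it as a defect.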
diff --git a/zscaler_private_access/images/zscaler_private_access_audit_light.png b/zscaler_private_access/images/zscaler_private_access_audit_light.png
new file mode 100644
index 0000000000000..f12ca5f5b6163
Binary files /dev/null and b/zscaler_private_access/images/zscaler_private_access_audit_light.png differ
diff --git a/zscaler_private_access/images/zscaler_private_access_browser_access_light_1.png b/zscaler_private_access/images/zscaler_private_access_browser_access_light_1.png
new file mode 100644
index 0000000000000..13625eb64aee4
Binary files /dev/null and b/zscaler_private_access/images/zscaler_private_access_browser_access_light_1.png differ
diff --git a/zscaler_private_access/images/zscaler_private_access_browser_access_light_2.png b/zscaler_private_access/images/zscaler_private_access_browser_access_light_2.png
new file mode 100644
index 0000000000000..3dd909198caa0
Binary files /dev/null and b/zscaler_private_access/images/zscaler_private_access_browser_access_light_2.png differ
diff --git a/zscaler_private_access/images/zscaler_private_access_microsegmentation_light.png b/zscaler_private_access/images/zscaler_private_access_microsegmentation_light.png
new file mode 100644
index 0000000000000..ecd2a9ad5e34f
Binary files /dev/null and b/zscaler_private_access/images/zscaler_private_access_microsegmentation_light.png differ
diff --git a/zscaler_private_access/images/zscaler_private_access_overview_light_1.png b/zscaler_private_access/images/zscaler_private_access_overview_light_1.png
new file mode 100644
index 0000000000000..b54fc03e222c3
Binary files /dev/null and b/zscaler_private_access/images/zscaler_private_access_overview_light_1.png differ
diff --git a/zscaler_private_access/images/zscaler_private_access_private_cloud_controller_light_1.png b/zscaler_private_access/images/zscaler_private_access_private_cloud_controller_light_1.png
new file mode 100644
index 0000000000000..71bb565619f5a
Binary files /dev/null and b/zscaler_private_access/images/zscaler_private_access_private_cloud_controller_light_1.png differ
diff --git a/zscaler_private_access/images/zscaler_private_access_private_service_edge_light_1.png b/zscaler_private_access/images/zscaler_private_access_private_service_edge_light_1.png
new file mode 100644
index 0000000000000..e8719956a0859
Binary files /dev/null and b/zscaler_private_access/images/zscaler_private_access_private_service_edge_light_1.png differ
diff --git a/zscaler_private_access/images/zscaler_private_access_user_activity_light_1.png b/zscaler_private_access/images/zscaler_private_access_user_activity_light_1.png
new file mode 100644
index 0000000000000..9651e4db47a51
Binary files /dev/null and b/zscaler_private_access/images/zscaler_private_access_user_activity_light_1.png differ
diff --git a/zscaler_private_access/images/zscaler_private_access_user_activity_light_2.png b/zscaler_private_access/images/zscaler_private_access_user_activity_light_2.png
new file mode 100644
index 0000000000000..4b8c20d638a4f
Binary files /dev/null and b/zscaler_private_access/images/zscaler_private_access_user_activity_light_2.png differ
diff --git a/zscaler_private_access/images/zscaler_private_access_user_status_light_1.png b/zscaler_private_access/images/zscaler_private_access_user_status_light_1.png
new file mode 100644
index 0000000000000..eac2e454d9a80
Binary files /dev/null and b/zscaler_private_access/images/zscaler_private_access_user_status_light_1.png differ
diff --git a/zscaler_private_access/images/zscaler_private_access_user_status_light_2.png b/zscaler_private_access/images/zscaler_private_access_user_status_light_2.png
new file mode 100644
index 0000000000000..83ee583419443
Binary files /dev/null and b/zscaler_private_access/images/zscaler_private_access_user_status_light_2.png differ
diff --git a/zscaler_private_access/manifest.json b/zscaler_private_access/manifest.json
new file mode 100644
index 0000000000000..41cebdc4f2016
--- /dev/null
+++ b/zscaler_private_access/manifest.json
@@ -0,0 +1,104 @@
+{
+ "manifest_version": "2.0.0",
+ "app_uuid": "316cf13a-3c12-4014-9cb1-e3fa6ad8dd5e",
+ "app_id": "zscaler-private-access",
+ "display_on_public_website": false,
+ "tile": {
+ "overview": "README.md#Overview",
+ "configuration": "README.md#Setup",
+ "support": "README.md#Support",
+ "changelog": "CHANGELOG.md",
+ "description": "Gain insights into your Zscaler Private Access logs.",
+ "title": "Zscaler Private Access",
+ "media": [
+ {
+ "caption": "Zscaler Private Access - Overview",
+ "image_url": "images/zscaler_private_access_overview_light_1.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Zscaler Private Access - App Protection",
+ "image_url": "images/zscaler_private_access_app_protection_light_1.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Zscaler Private Access - App Protection",
+ "image_url": "images/zscaler_private_access_app_protection_light_2.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Zscaler Private Access - Audit",
+ "image_url": "images/zscaler_private_access_audit_light.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Zscaler Private Access - Private Cloud Controller",
+ "image_url": "images/zscaler_private_access_private_cloud_controller_light_1.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Zscaler Private Access - Private Service Edge",
+ "image_url": "images/zscaler_private_access_private_service_edge_light_1.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Zscaler Private Access - User Status",
+ "image_url": "images/zscaler_private_access_user_status_light_1.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Zscaler Private Access - Microsegmentation",
+ "image_url": "images/zscaler_private_access_microsegmentation_light.png",
+ "media_type": "image"
+ }
+ ],
+ "classifier_tags": [
+ "Supported OS::Linux",
+ "Supported OS::macOS",
+ "Category::Log Collection",
+ "Category::Security",
+ "Category::Cloud",
+ "Category::Network",
+ "Offering::Integration",
+ "Submitted Data Type::Logs"
] }, "assets": {
+ "integration": {
+ "auto_install": true,
+ "source_type_id": 56444351,
+ "source_type_name": "Zscaler Private Access",
+ "configuration": {
+ "spec": "assets/configuration/spec.yaml"
+ },
+ "events": {
+ "creates_events": false
+ }
+ },
+ "dashboards": {
+ "Zscaler Private Access - App Connector": "assets/dashboards/zscaler_private_access_app_connector.json",
+ "Zscaler Private Access - App Protection": "assets/dashboards/zscaler_private_access_app_protection.json",
+ "Zscaler Private Access - Audit": "assets/dashboards/zscaler_private_access_audit.json",
+ "Zscaler Private Access - Browser Access": "assets/dashboards/zscaler_private_access_browser_access.json",
+ "Zscaler Private Access - Microsegmentation": "assets/dashboards/zscaler_private_access_microsegmentation.json",
+ "Zscaler Private Access - Overview": "assets/dashboards/zscaler_private_access_overview.json",
+ "Zscaler Private Access - Private Cloud Controller": "assets/dashboards/zscaler_private_access_private_cloud_controller.json",
+ "Zscaler Private Access - Private Service Edge": "assets/dashboards/zscaler_private_access_private_service_edge.json",
+ "Zscaler Private Access - User Activity": "assets/dashboards/zscaler_private_access_user_activity.json",
+ "Zscaler Private Access - User Status": "assets/dashboards/zscaler_private_access_user_status.json"
+ },
+ "monitors": {
+ "App connector low available disk space": "assets/monitors/app_connector_low_available_disk_space.json",
+ "App connector high cpu utilization": "assets/monitors/app_connector_high_cpu_utilization.json"
+ },
+ "logs": {
+ "source": "zscaler-private-access"
+ }
+ },
+ "author": {
+ "support_email": "help@datadoghq.com",
+ "name": "Datadog",
+ "homepage": "https://www.datadoghq.com",
+ "sales_email": "info@datadoghq.com"
+ }
+}
\ No newline at end of file
diff --git a/zscaler_private_access/pyproject.toml b/zscaler_private_access/pyproject.toml
new file mode 100644
index 0000000000000..090a6d03157e1
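Review bot: Six of the PNGs this change adds under `images/` are not referenced by any `media` entry in the manifest (`app_connector_light`, `browser_access_light_1`, `browser_access_light_2`, `user_activity_light_1`, `user_activity_light_2`, `user_status_light_2`), so they ship in the package but never appear on the tile; either add them to `media` or drop the files to keep the asset set auditable. The two App Protection entries also carry the identical caption `"Zscaler Private Access - App Protection"`, which gives users no way to tell the screenshots apart; suffixing them, e.g. `"Zscaler Private Access - App Protection (1/2)"`, is the smallest fix. `"Supported OS"` lists only Linux and macOS although the shipped `conf.yaml.example` documents a `windows_event` input type; if the Windows omission is intentional, a sentence in the README's Setup section saying so would stop support questions.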
--- /dev/null
+++ b/zscaler_private_access/pyproject.toml
@@ -0,0 +1,59 @@
+[build-system]
+requires = [
+ "hatchling>=0.13.0",
+]
+build-backend = "hatchling.build"
+
+[project]
+name = "datadog-zscaler-private-access"
+description = "The Zscaler Private Access check"
+readme = "README.md"
+license = "BSD-3-Clause"
+keywords = [
+ "datadog",
+ "datadog agent",
+ "datadog check",
+ "zscaler_private_access",
+]
+authors = [
+ { name = "Datadog", email = "packages@datadoghq.com" },
+]
+classifiers = [
+ "Development Status :: 5 - Production/Stable",
+ "Intended Audience :: Developers",
+ "Intended Audience :: System Administrators",
+ "License :: OSI Approved :: BSD License",
+ "Private :: Do Not Upload",
+ "Programming Language :: Python :: 3.11",
+ "Topic :: System :: Monitoring",
+]
+dependencies = [
+ "datadog-checks-base>=4.2.0",
+]
+dynamic = [
+ "version",
+]
+
+[project.optional-dependencies]
+deps = []
+
+[project.urls]
+Source = "https://github.com/DataDog/integrations-core"
+
+[tool.hatch.version]
+path = "datadog_checks/zscaler_private_access/__about__.py"
+
+[tool.hatch.build.targets.sdist]
+include = [
+ "/datadog_checks",
+ "/tests",
+ "/manifest.json",
+]
+
+[tool.hatch.build.targets.wheel]
+include = [
+ "/datadog_checks/zscaler_private_access",
+]
+dev-mode-dirs = [
+ ".",
+]
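Review bot: `[project]` has no `requires-python`, so the only statement of the supported interpreter is the classifier `"Programming Language :: Python :: 3.11"`, which installers do not enforce; unless the repo template deliberately defers this to the Agent's embedded interpreter, adding `requires-python = ">=3.11"` under `[project]` makes the constraint checkable by `validate-pyproject` and by pip. Both dependency specs are floor-only (`"hatchling>=0.13.0"` in `[build-system]`, `"datadog-checks-base>=4.2.0"` in `dependencies`), so a reproducible build depends on those being pinned somewhere else in the repository, which this hunk cannot show. The `"Private :: Do Not Upload"` classifier is the right guard against an accidental PyPI publish of a name that would otherwise be claimable, and should stay. Pairing `"Development Status :: 5 - Production/Stable"` with the `__version__ = '0.0.1'` set in `__about__.py` by this same change is a mixed signal for an initial release; if the classifier is boilerplate that is fine, but it is worth a conscious choice.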