zscaler_zpa: fix handling of multiple remote IPs, and event categorisation #13755

efd6 · 2025-05-01T20:41:19Z

Proposed commit message

zscaler_zpa: fix handling of multiple remote IPs, and event categorisation

ZScaler appears to sometimes send events with multiple remote IPs. So
split the list an raise client.ip to an array if this is the case. The
Zscaler ZPA documentation does not make clear what the semantics of this
case are, so we bend the ECS a little here.

Also fix handling of event.type and event.category to ensure that they
agree with ECS definitions, and add event.outcome mappings.

Checklist

I have reviewed tips for building integrations and this pull request is aligned with them.
I have verified that all data streams collect metrics or logs.
I have added an entry to my package's changelog.yml file.
I have verified that Kibana version constraints are current according to guidelines.
I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

[ ]

How to test this PR locally

Related issues

Fixes [Zscaler Private Access]: audit data stream does not tolerate remoteIP lists #13754

Screenshots

…ation ZScaler appears to sometimes send events with multiple remote IPs. So split the list an raise client.ip to an array if this is the case. The Zscaler ZPA documentation does not make clear what the semantics of this case are, so we bend the ECS a little here. Also fix handling of event.type and event.category to ensure that they agree with ECS definitions, and add event.outcome mappings.

elasticmachine · 2025-05-01T21:06:53Z

💔 Build Failed

Buildkite Build
Commit: 1c9eae2

Failed CI Steps

:sonarqube: Continuous Code Inspection

History

cc @efd6

elasticmachine · 2025-05-01T21:19:11Z

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

kcreddy · 2025-05-05T09:03:41Z

packages/zscaler_zpa/data_stream/audit/elasticsearch/ingest_pipeline/default.yml

+  - split:
+      field: client.ip
+      separator: ', *'
+      if: ctx.client?.ip instanceof String && ctx.client.ip.contains(',')


I think having a list of client.ip/ source.ip will prevent us from using geoip processor on them. Maybe we should find the public IP among the 2 IPs and populate just with it?

I'm following this up to see if there is a known behaviour we can rely on to do this.

efd6 added Integration:zscaler_zpa Zscaler Private Access bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels May 1, 2025

efd6 self-assigned this May 1, 2025

efd6 force-pushed the 13754-zscaler_zpa branch from a1a6de7 to 1c9eae2 Compare May 1, 2025 20:41

efd6 marked this pull request as ready for review May 1, 2025 21:19

efd6 requested a review from a team as a code owner May 1, 2025 21:19

kcreddy reviewed May 5, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

zscaler_zpa: fix handling of multiple remote IPs, and event categorisation #13755

zscaler_zpa: fix handling of multiple remote IPs, and event categorisation #13755

efd6 commented May 1, 2025

elasticmachine commented May 1, 2025 •

edited

Loading

elasticmachine commented May 1, 2025

kcreddy May 5, 2025

efd6 May 7, 2025

zscaler_zpa: fix handling of multiple remote IPs, and event categorisation #13755

Are you sure you want to change the base?

zscaler_zpa: fix handling of multiple remote IPs, and event categorisation #13755

Conversation

efd6 commented May 1, 2025

Proposed commit message

Checklist

Author's Checklist

How to test this PR locally

Related issues

Screenshots

elasticmachine commented May 1, 2025 • edited Loading

💔 Build Failed

Failed CI Steps

History

elasticmachine commented May 1, 2025

kcreddy May 5, 2025

Choose a reason for hiding this comment

efd6 May 7, 2025

Choose a reason for hiding this comment

elasticmachine commented May 1, 2025 •

edited

Loading