Zscaler Technical Add-On for Splunk
Overview
This TA should be installed as per Splunk's guidelines on TA installation, e.g. http://docs.splunk.com/Documentation/ES/5.0.0/Install/InstallTechnologyAdd-ons
Full App and TA Documentarian is available here --> https://help.zscaler.com/downloads/zscaler-technology-partners/operations/zscaler-and-splunk-deployment-guide/Zscaler-Splunk-Deployment-Guide-FINAL.pdf
Release Notes
Version 4.1.0
This version uses Splunk SDK for Python (2.0.2)
Version 4.0.16
Version 4.0.13
fixing zsten compatibility issue
Version 4.0.10
Fixing Splunk cloud compatibility issues
Version 4.0.7
Version 4.0.3
Bug fixes related to app compat testing
Version 4.0.2
- Added a new Zscaler Cloud instance - zsapi.zscalerten.net
- Scanned and vetted the add-on to ensure Python3 and jQuery3.5 compatibility
- Added parsing for below sourcetype
- zscalerlss-zpa-app
- zscalerlss-zpa-audit
- zscalerlss-zpa-auth
- zscalerlss-zpa-bba
- zscalerlss-zpa-connector
- zscalerlss-zpa-pse
- zscalerlss-zpa-web-inspection
- zscaler-posturecontrol-alerts
- CIM normalization done including field alias, calculated fields, eventtypes and tags for below sourcetypes
- zscalerlss-zpa-app
- zscalerlss-zpa-audit
- zscalerlss-zpa-auth
- zscalerlss-zpa-bba
- zscalerlss-zpa-web-inspection
- Recreated scheduled alert - New MD5 to index - CSV - that populates pending sandbox detonations as a scheduled report that directly write the MD5 hashes to lookup within the query instead of as an Alert action. This will now work on Splunk Free version as well where Alert Action triggers are not available
Version 3.1.4
- Improved Sandbox detonation results
Version 3.1.3
Fixed support for proxies configured in the TA settings
Version 3.1.2
Regression fix - removed predefined-testing stanzas from inputs.conf
Version 3.1.0
Updated to latest Splunk SDK as per update in Add-On Builder 4.0; maintain Splunk Cloud compatibility
Version 3.0.6
Fixed proxy support - no longer needs code changes, functions with Splunk UI
CIM Corrections
Added Source-type for Zscaler DLP Incident Receiver
Change in how Audit logs events are ingested - each event is logged separately, not nested in the report/JSON
Removed predefined ZDMEO::Beta inputs accidentally inserted in previous release
Added ZscalerGov back into Cloud Types, this is a repaired regression
Full doc here --> https://community.zscaler.com/t/zscaler-splunk-app-design-and-installation-documentation/4728
Note - Release 3.0.3 - 3.0.5 were only released privately.
Version 3.0.2
3.0.2 - Fixes an issues where ZIA Audit Logs were missing or duplicated in some corner cases
Version 3.0.1
3.0.1
Modified to macro "z-metricis" to value of index=_metrics so as to pass app-inspect validation - you will still need to modify this for your metrics index as per the full doc
Full doc here --> https://community.zscaler.com/t/zscaler-splunk-app-design-and-installation-documentation/4728
3.0.0.
Zscaler's Technical Add-on for Splunk has been fully rebuilt in latest Splunk Add-On builder (needed to pass new app-inspect and cloud-vetting requirements)
New ! - Connector Heath - requires admin to bond to Metrics-type Splunk index (default expected is z-metrics, can change in macros.conf)
- Now using AoB2/AoB3/splunklib with python 3 compatibility (Zscaler SDK is already pithing 2/3 compat)
- Enabled Proxy Settings in TA (not working for API)
- Added new saved search to export connector metrics to metric index
- Fixed Sandbox saved search and event logging
- New requires python3 (per latest Splunk guidance) - reversion to python 2 via manual config changes
Version 3.0.0
Zscaler's Technical Add-on for Splunk has been fully rebuilt in latest Splunk Add-On builder (needed to pass new app-inspect and cloud-vetting requirements)
New ! - Connector Heath - requires admin to bond to Metrics-type Splunk index (default expected is z-metrics, can change in macros.conf)
- Now using AoB2/AoB3/splunklib with python 3 compatibility (Zscaler SDK is already pithing 2/3 compat)
- Enabled Proxy Settings in TA configuration
- Added new saved search to export connector metrics to metric index
- Fixed Sandbox saved search and event logging
- New requires python3 (per latest Splunk guidance) - reversion to python 2 via manual config changes
Full doc here --> https://community.zscaler.com/t/zscaler-splunk-app-design-and-installation-documentation/4728
Version 2.1.4
Added fix to prevent extraction in proxied URL field
NOTE: When upgrading to this versions of the TA prior to 2.1.0 you will need to recreate your sandbox and/or audit-log modular inputs as these now use Global Accounts as per requirements for Splunk Cloud. The process for creating these inputs has been updated in the supporting documentation which is available here: https://community.zscaler.com/t/zscaler-splunk-app-design-and-installation-documentation/4728
Version 2.1.3
Added fixes to make macro edit more friendly
Disabled KV Auto-Extract on web/proxy sourcetype to event URL query string extrapolation & overwrite at search time.
Minor app.manifest config fix for Splunk App Inspect pass
Version 2.1.0
This version of the TA contains fixes for Splunk Cloud appvetting, it is the first API enabled version of the TA to be available for Splunk Cloud usage.
NOTE: When upgrading to this versions of the TA you will need to recreate your sandbox and/or audit-log modular inputs as these now use Global Accounts as per requirements for Splunk Cloud. The process for creating these inputs has been updated in the supporting documentation which is available here: https://community.zscaler.com/t/zscaler-splunk-app-design-and-installation-documentation/4728
Version 2.0.4
Minor fix - correctly added ZIA-tunnel sourcetype
Version 2.0.2
2.0.2 - added transforms.conf stanza for sandbox lookup (needed for App Inspect pass)
Version 2.0.0
Version 2.0.0
Added Modular Inputs for Zscaler API's
- Admin Audit Logs (ZIA)
- Cloud Sandbox detailed reports
Moved all macros into TA, removed from App
Added and cleaned CIM mapping