SASE Audit Trail
SASE Secure Access Service Edge Audit Trail Logging SD-WAN CASB SWG ZTNA FWaaS Compliance SIEM Forensics
| SASE Component | Log Type | Key Fields | Retention |
|---|---|---|---|
| SD-WAN | Network Flow | Src/Dst IP, Port, Protocol, Bytes | 90 days |
| CASB | Cloud App Access | User, App, Action, File, Risk | 1 year |
| SWG | Web Traffic | URL, Category, Action, User | 90 days |
| ZTNA | App Access | User, App, Device, Policy, Result | 1 year |
| FWaaS | Firewall | Rule, Src, Dst, Action, Threat | 90 days |
| Admin | Config Change | Admin, Action, Object, Before, After | 3 years |
Log Collection Architecture
```python
# === SASE Audit Trail Architecture ===
# SASE Provider API → Log Collector → SIEM/Storage
#
# Zscaler ZIA/ZPA → API/Syslog → Splunk/Sentinel
# Palo Alto Prisma → Syslog/CEF → QRadar/Elastic
# Cloudflare One → Logpush → S3/R2 → Grafana Loki
# Netskope → REST API → Sumo Logic/Datadog

# Example: Zscaler Log Export via API
# curl -X POST "https://api.zscaler.net/v1/webApplicationRules" \
#   -H "Authorization: Bearer $TOKEN" \
#   -H "Content-Type: application/json"

# Example: Cloudflare Logpush to S3
# curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE/logpush/jobs" \
#   -H "Authorization: Bearer $TOKEN" \
#   -d '{
#     "destination_conf": "s3://my-bucket/logs?region=us-east-1",
#     "dataset": "gateway_network",
#     "enabled": true
#   }'

from dataclasses import dataclass


@dataclass
class LogPipeline:
    """One vendor's path from the SASE tenant to the SIEM or storage tier."""
    source: str       # SASE product
    method: str       # export mechanism (push/pull)
    format: str       # wire format the SIEM receives
    destination: str  # typical SIEM / storage targets
    latency: str      # time from event to SIEM
    cost: str         # licensing note


pipelines = [
    LogPipeline("Zscaler ZIA",
                "NSS (Nanolog Streaming Service)",
                "CEF / LEEF / CSV",
                "Splunk / QRadar / Sentinel",
                "Near real-time (30-60s)",
                "Included in license"),
    LogPipeline("Palo Alto Prisma SASE",
                "Syslog / Cortex Data Lake",
                "CEF / JSON",
                "Cortex XSIAM / Splunk / Elastic",
                "Real-time (Syslog) / 5min (API)",
                "Cortex Data Lake is priced separately"),
    LogPipeline("Cloudflare One",
                "Logpush (Push) / Logpull (Pull)",
                "JSON / CSV",
                "S3 / R2 / Datadog / Splunk",
                "Near real-time (Logpush)",
                "Included in Enterprise plan"),
    LogPipeline("Netskope",
                "REST API / Cloud Exchange",
                "JSON / CEF",
                "Splunk / Sentinel / S3",
                "5-15 min (API poll)",
                "Included in license"),
]

print("=== Log Pipelines ===")
for p in pipelines:
    print(f"\n [{p.source}]")
    print(f" Method: {p.method}")
    print(f" Format: {p.format}")
    print(f" Destination: {p.destination}")
    print(f" Latency: {p.latency}")
    print(f" Cost: {p.cost}")
```
SIEM Integration
```python
# === SIEM Correlation Rules ===
from dataclasses import dataclass


@dataclass
class CorrelationRule:
    """A detection rule as it would be configured in the SIEM."""
    rule: str        # rule name
    condition: str   # what the SIEM correlates on
    severity: str    # alert severity
    action: str      # response playbook
    compliance: str  # control the rule evidences


rules = [
    CorrelationRule("Brute Force Detection",
                    "5+ failed logins from the same IP within 5 minutes",
                    "High",
                    "Block IP + Alert SOC + Create Ticket",
                    "PCI-DSS 10.2.4, ISO 27001 A.12.4"),
    CorrelationRule("Impossible Travel",
                    "Logins from 2 distant countries within 1 hour",
                    "Critical",
                    "Block Session + Force MFA + Alert SOC",
                    "SOC 2 CC6.1"),
    CorrelationRule("Data Exfiltration",
                    "Upload > 100MB to an unapproved cloud app",
                    "Critical",
                    "Block Transfer + Alert DLP Team + Quarantine File",
                    "PDPA, PCI-DSS 10.2"),
    CorrelationRule("Admin Config Change",
                    "Policy change outside working hours or from an unfamiliar IP",
                    "High",
                    "Alert SOC + Require Approval + Log Review",
                    "ISO 27001 A.12.1.2"),
    CorrelationRule("Malware Download Attempt",
                    "SWG blocked malware but the user retried 3+ times",
                    "High",
                    "Block User + Scan Device + Alert SOC",
                    "PCI-DSS 5.1"),
    CorrelationRule("ZTNA Policy Violation",
                    "Access denied 10+ times for the same user",
                    "Medium",
                    "Lock Account Temporarily + Alert + Review",
                    "SOC 2 CC6.3"),
]

print("=== SIEM Correlation Rules ===")
for r in rules:
    print(f"\n [{r.rule}]")
    print(f" Condition: {r.condition}")
    print(f" Severity: {r.severity}")
    print(f" Action: {r.action}")
    print(f" Compliance: {r.compliance}")
```
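Added example, not code from the page or from any SASE vendor: a small CEF parser feeding the "Brute Force Detection" rule above (5+ failed logins from one IP inside 5 minutes) over constructed sample events, which also illustrates the CEF point in the tips list. The vendor name ExampleSASE and the field choices are assumptions, not any product's real schema.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real vendor output): a ZTNA login feed in CEF, as a tenant would stream it over syslog.
SAMPLE_CEF = [
    "CEF:0|ExampleSASE|ZTNA|1.0|AUTH|Login failed|5|rt=2024-05-01T08:00:05Z src=203.0.113.7 suser=alice outcome=failure",
    "CEF:0|ExampleSASE|ZTNA|1.0|AUTH|Login failed|5|rt=2024-05-01T08:00:40Z src=203.0.113.7 suser=bob outcome=failure",
    "CEF:0|ExampleSASE|ZTNA|1.0|AUTH|Login ok|3|rt=2024-05-01T08:01:00Z src=198.51.100.9 suser=carol outcome=success",
    "CEF:0|ExampleSASE|ZTNA|1.0|AUTH|Login failed|5|rt=2024-05-01T08:01:10Z src=203.0.113.7 suser=carol outcome=failure",
    "CEF:0|ExampleSASE|ZTNA|1.0|AUTH|Login failed|5|rt=2024-05-01T08:02:30Z src=203.0.113.7 suser=dave outcome=failure",
    "CEF:0|ExampleSASE|ZTNA|1.0|AUTH|Login failed|5|rt=2024-05-01T08:03:55Z src=203.0.113.7 suser=erin outcome=failure",
    "CEF:0|ExampleSASE|ZTNA|1.0|AUTH|Login failed|5|rt=2024-05-01T08:00:00Z src=198.51.100.9 suser=frank outcome=failure",
    "CEF:0|ExampleSASE|ZTNA|1.0|AUTH|Login failed|5|rt=2024-05-01T08:06:00Z src=198.51.100.9 suser=frank outcome=failure",
    "CEF:0|ExampleSASE|ZTNA|1.0|AUTH|Login failed|5|rt=2024-05-01T08:12:00Z src=198.51.100.9 suser=frank outcome=failure",
]
HEADER_KEYS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")

def parse_cef(line):
    """Split a CEF record into its 7 header fields plus the key=value extension (escaped '\\|' and '\\=' honoured)."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # header pipes, ignoring escaped ones
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF record: {line!r}")
    event = {k: v.replace("\\|", "|") for k, v in zip(HEADER_KEYS, parts[:7])}
    event["version"] = event["version"][4:]  # strip the 'CEF:' prefix
    ext = parts[7] if len(parts) == 8 else ""
    for kv in re.split(r" (?=[\w.]+=)", ext):  # split only before the next key=, so values may contain spaces
        if "=" in kv:
            key, _, value = kv.partition("=")
            event[key] = value.replace("\\=", "=")
    return event

def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Rule 'Brute Force Detection': >= threshold failed logins from one source IP in a sliding window; one alert per IP."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    failures = [e for e in events if e.get("outcome") == "failure"]
    for e in sorted(failures, key=lambda e: e["rt"]):  # syslog arrival order is not guaranteed
        ts = datetime.strptime(e["rt"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[e["src"]]
        q.append(ts)
        while ts - q[0] > window:  # expire failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append({"src": e["src"], "count": len(q), "first": q[0], "last": ts})
    return alerts

if __name__ == "__main__":
    for a in detect_brute_force(parse_cef(l) for l in SAMPLE_CEF):
        print(f"BRUTE FORCE {a['src']}: {a['count']} failures {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}")
```

The second source (198.51.100.9) fails four times but never five inside any 5-minute window, so the sliding window correctly stays silent for it.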
Compliance & Retention
```python
# === Compliance Requirements ===
from dataclasses import dataclass


@dataclass
class ComplianceReq:
    """Logging obligations a standard places on the SASE audit trail."""
    standard: str         # framework and version
    log_requirement: str  # what must be logged
    retention: str        # how long logs must be kept
    audit_frequency: str  # how often evidence is reviewed
    key_control: str      # the controls that cite logging


requirements = [
    ComplianceReq("PCI-DSS v4.0",
                  "Log all access to the cardholder data environment",
                  "1 year (3 months online)",
                  "Annually (external audit)",
                  "10.2: Log all access, 10.3: Log fields required"),
    ComplianceReq("ISO 27001:2022",
                  "Log security events of every type",
                  "Per risk assessment (1-3 years recommended)",
                  "Annually (internal + external)",
                  "A.12.4: Logging and Monitoring"),
    ComplianceReq("PDPA (Thailand)",
                  "Log every access to personal data",
                  "Per data retention policy",
                  "As set by the DPO",
                  "Section 37: record personal-data access logs"),
    ComplianceReq("SOC 2 Type II",
                  "Log access control and change management events",
                  "1 year or more",
                  "Annually (external audit)",
                  "CC6: Logical Access, CC7: System Operations"),
]

print("=== Compliance ===")
for c in requirements:
    print(f"\n [{c.standard}]")
    print(f" Log: {c.log_requirement}")
    print(f" Retention: {c.retention}")
    print(f" Audit: {c.audit_frequency}")
    print(f" Control: {c.key_control}")
```
Tips
- CEF: use the CEF format for SIEM integration; it is the most widely standardised.
- Retention: keep 90 days hot, 1 year warm and 3 years cold, as compliance requires.
- Real-time: use Syslog/Logpush for real-time alerting.
- Correlation: set SIEM rules to detect brute force, data exfiltration and impossible travel.
- Test: test the audit trail every quarter to confirm logs are complete and alerts fire.
What is SASE?
Secure Access Service Edge: a cloud-native stack that combines SD-WAN, CASB, SWG, ZTNA and FWaaS (vendors include Zscaler, Prisma, Cloudflare and Netskope) to deliver Zero Trust access from anywhere, on any device.
Why does the audit trail matter?
Compliance (PCI-DSS, ISO 27001, PDPA, SOC 2), investigation and forensics, anomaly detection and access review; logs are retained for 1-7 years.
Which logs to keep?
Authentication and authorization, network, web, cloud app, ZTNA, threat and admin config changes: login, MFA, DNS, URL, malware and policy events.
Where to send logs?
SIEM (Splunk, QRadar, Sentinel, Elastic), SOAR (XSOAR), archive storage (S3, GCS), observability platforms (Datadog, Sumo Logic, Grafana Loki); transports are Syslog, CEF, API and Webhook.
Summary
SASE audit trail logging covers SD-WAN, CASB, SWG, ZTNA and FWaaS, shipped to a SIEM in CEF, with correlation rules, compliance-driven retention (PCI-DSS, ISO 27001, PDPA) and forensic readiness.
