SASE Framework Audit Trail Logging
SASE Audit Trail
| SASE Component | Log Type | Key Fields | Retention |
|---|---|---|---|
| SD-WAN | Network flow | Src/Dst IP, port, protocol, bytes | 90 days |
| CASB | Cloud app access | User, app, action, file, risk | 1 year |
| SWG | Web traffic | URL, category, action, user | 90 days |
| ZTNA | App access | User, app, device, policy, result | 1 year |
| FWaaS | Firewall | Rule, src, dst, action, threat | 90 days |
| Admin | Config change | Admin, action, object, before, after | 3 years |
Log Collection Architecture
```bash
# === SASE Audit Trail Architecture ===
# SASE Provider API → Log Collector → SIEM/Storage
#
# Zscaler ZIA/ZPA   → API/Syslog   → Splunk/Sentinel
# Palo Alto Prisma  → Syslog/CEF   → QRadar/Elastic
# Cloudflare One    → Logpush      → S3/R2 → Grafana Loki
# Netskope          → REST API     → Sumo Logic/Datadog

# Example: Zscaler Log Export via API
# curl -X POST "https://api.zscaler.net/v1/webApplicationRules" \
#   -H "Authorization: Bearer $TOKEN" \
#   -H "Content-Type: application/json"

# Example: Cloudflare Logpush to S3
# curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE/logpush/jobs" \
#   -H "Authorization: Bearer $TOKEN" \
#   -d '{
#     "destination_conf": "s3://my-bucket/logs?region=us-east-1",
#     "dataset": "gateway_network",
#     "enabled": true
#   }'
```
```python
from dataclasses import dataclass


@dataclass
class LogPipeline:
    """How one SASE vendor delivers logs to the SIEM or storage tier."""
    source: str
    method: str
    format: str
    destination: str
    latency: str
    cost: str


pipelines = [
    LogPipeline("Zscaler ZIA",
                "NSS (Nanolog Streaming Service)",
                "CEF / LEEF / CSV",
                "Splunk / QRadar / Sentinel",
                "Near real-time (30-60s)",
                "รวมใน License"),
    LogPipeline("Palo Alto Prisma SASE",
                "Syslog / Cortex Data Lake",
                "CEF / JSON",
                "Cortex XSIAM / Splunk / Elastic",
                "Real-time (Syslog) / 5min (API)",
                "Cortex Data Lake มี Cost แยก"),
    LogPipeline("Cloudflare One",
                "Logpush (Push) / Logpull (Pull)",
                "JSON / CSV",
                "S3 / R2 / Datadog / Splunk",
                "Near real-time (Logpush)",
                "รวมใน Enterprise Plan"),
    LogPipeline("Netskope",
                "REST API / Cloud Exchange",
                "JSON / CEF",
                "Splunk / Sentinel / S3",
                "5-15 นาที (API Poll)",
                "รวมใน License"),
]

# Print the pipeline catalogue, one vendor per block
print("=== Log Pipelines ===")
for p in pipelines:
    print(f"\n [{p.source}]")
    print(f"   Method:      {p.method}")
    print(f"   Format:      {p.format}")
    print(f"   Destination: {p.destination}")
    print(f"   Latency:     {p.latency}")
    print(f"   Cost:        {p.cost}")
```
SIEM Integration
```python
# === SIEM Correlation Rules ===
from dataclasses import dataclass


@dataclass
class CorrelationRule:
    """A SIEM detection rule, its response action and the control it satisfies."""
    rule: str
    condition: str
    severity: str
    action: str
    compliance: str


rules = [
    CorrelationRule("Brute Force Detection",
                    "5+ Failed Login จาก IP เดียวกันใน 5 นาที",
                    "High",
                    "Block IP + Alert SOC + Create Ticket",
                    "PCI-DSS 10.2.4, ISO 27001 A.12.4"),
    CorrelationRule("Impossible Travel",
                    "Login จาก 2 ประเทศห่างกัน ภายใน 1 ชั่วโมง",
                    "Critical",
                    "Block Session + Force MFA + Alert SOC",
                    "SOC 2 CC6.1"),
    CorrelationRule("Data Exfiltration",
                    "Upload > 100MB ไป Cloud App ที่ไม่ได้ Approve",
                    "Critical",
                    "Block Transfer + Alert DLP Team + Quarantine File",
                    "PDPA, PCI-DSS 10.2"),
    CorrelationRule("Admin Config Change",
                    "Policy Change นอกเวลาทำงาน หรือจาก IP ไม่คุ้นเคย",
                    "High",
                    "Alert SOC + Require Approval + Log Review",
                    "ISO 27001 A.12.1.2"),
    CorrelationRule("Malware Download Attempt",
                    "SWG Block Malware แต่ User พยายามซ้ำ 3+ ครั้ง",
                    "High",
                    "Block User + Scan Device + Alert SOC",
                    "PCI-DSS 5.1"),
    CorrelationRule("ZTNA Policy Violation",
                    "Access Denied 10+ ครั้งจาก User เดียวกัน",
                    "Medium",
                    "Lock Account Temporarily + Alert + Review",
                    "SOC 2 CC6.3"),
]

print("=== SIEM Correlation Rules ===")
for r in rules:
    print(f"\n [{r.rule}]")
    print(f"   Condition:  {r.condition}")
    print(f"   Severity:   {r.severity}")
    print(f"   Action:     {r.action}")
    print(f"   Compliance: {r.compliance}")
```
Compliance & Retention
```python
# === Compliance Requirements ===
from dataclasses import dataclass


@dataclass
class ComplianceReq:
    """Logging obligations one standard places on the audit trail."""
    standard: str
    log_requirement: str
    retention: str
    audit_frequency: str
    key_control: str


requirements = [
    ComplianceReq("PCI-DSS v4.0",
                  "บันทึก Access ทุก Cardholder Data Environment",
                  "1 ปี (3 เดือน Online)",
                  "ทุกปี (External Audit)",
                  "10.2: Log all access, 10.3: Log fields required"),
    ComplianceReq("ISO 27001:2022",
                  "บันทึก Security Event ทุกประเภท",
                  "ตาม Risk Assessment (แนะนำ 1-3 ปี)",
                  "ทุกปี (Internal + External)",
                  "A.12.4: Logging and Monitoring"),
    ComplianceReq("PDPA (Thailand)",
                  "บันทึก Access Personal Data ทุกครั้ง",
                  "ตาม Data Retention Policy",
                  "ตาม DPO กำหนด",
                  "มาตรา 37: บันทึกรายการเข้าถึงข้อมูลส่วนบุคคล"),
    ComplianceReq("SOC 2 Type II",
                  "บันทึก Access Control Change Management",
                  "1 ปีขึ้นไป",
                  "ทุกปี (External Audit)",
                  "CC6: Logical Access, CC7: System Operations"),
]

print("=== Compliance ===")
for c in requirements:
    print(f"\n [{c.standard}]")
    print(f"   Log:       {c.log_requirement}")
    print(f"   Retention: {c.retention}")
    print(f"   Audit:     {c.audit_frequency}")
    print(f"   Control:   {c.key_control}")
```
Tips
- CEF: use the CEF format for SIEM integration; it is the most widely standardized.
- Retention: keep logs hot for 90 days, warm for 1 year and cold for 3 years, as compliance requires.
- Real-time: use Syslog/Logpush when you need real-time alerts.
- Correlation: configure SIEM rules to detect brute force, data exfiltration and impossible travel.
- Test: exercise the audit trail every quarter to confirm that logs are complete and alerts fire.
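As an added example that is not part of the original page, the "Brute Force Detection" rule from the SIEM Correlation Rules section (5+ failed logins from one IP within 5 minutes) run over CEF-formatted lines, as the CEF tip recommends. The vendor name ExampleSASE, all log lines and the epoch-millisecond rt values are constructed; the extension keys src, suser, act and rt are standard CEF dictionary keys, and the parser assumes no escaped pipes or equals signs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

T0 = 1704103200000  # 2024-01-01T10:00:00Z as epoch milliseconds (CEF 'rt' field)

def cef_line(name: str, rt_ms: int, src: str, user: str, act: str) -> str:
    """Constructed CEF line: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension."""
    sig, sev = ("100", "5") if name == "Login Failed" else ("101", "1")
    return f"CEF:0|ExampleSASE|ZTNA|1.0|{sig}|{name}|{sev}|rt={rt_ms} src={src} suser={user} act={act}"

# Constructed sample: 203.0.113.5 fails 5 times within 4 minutes (should alert);
# 198.51.100.7 fails 5 times but 2 minutes apart, spanning 8 minutes (should not).
SAMPLE_LOGS = (
    [cef_line("Login Failed", T0 + m * 60_000, "203.0.113.5", "alice", "deny") for m in range(5)]
    + [cef_line("Login Failed", T0 + m * 120_000, "198.51.100.7", "dave", "deny") for m in range(5)]
    + [cef_line("Login Success", T0 + 130_000, "198.51.100.7", "carol", "allow")]
)

EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # extension key=value pairs; values may contain spaces

def parse_cef(line: str) -> dict:
    """Split one CEF line into its seven header fields plus extension pairs.
    Assumes no escaped '|' in the header and no escaped '=' inside values."""
    head = line.split("|", 7)
    if len(head) != 8 or not head[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line[:40]!r}")
    keys = ("version", "vendor", "product", "dev_version", "sig_id", "name", "severity")
    ev = dict(zip(keys, head[:7]))
    ev.update(EXT_RE.findall(head[7]))
    return ev

def detect_brute_force(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> dict:
    """One alert per source IP with >= threshold 'Login Failed' events inside any
    sliding window. Events are sorted by rt first, so out-of-order delivery is handled."""
    events = sorted((parse_cef(l) for l in lines), key=lambda e: int(e["rt"]))
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = {}
    for ev in events:
        if ev["name"] != "Login Failed":
            continue
        ts = datetime.fromtimestamp(int(ev["rt"]) / 1000, tz=timezone.utc)
        q = recent[ev["src"]]
        q.append(ts)
        while q[0] < ts - window:  # evict failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerts:  # alert once per offending IP
            alerts[ev["src"]] = {"severity": "High", "count": len(q), "first": q[0].isoformat(),
                                 "last": ts.isoformat(), "action": "Block IP + Alert SOC + Create Ticket"}
    return alerts
```

Widening `window` to 10 minutes makes the second IP alert as well, which is the knob to tune when a vendor's API poll latency (5-15 minutes in the pipeline table) batches events.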
What is SASE
Secure Access Service Edge: a cloud-native stack of SD-WAN, CASB, SWG, ZTNA and FWaaS (Zscaler, Prisma, Cloudflare, Netskope) that applies Zero Trust everywhere, on every device.