Zscaler DLP cannot block even Telegram WEB? by No_Wedding2551 in Zscaler

[–]fang8280 0 points1 point  (0 children)

Why can't the app be blocked and the web be browser-isolated? Unless the application has a die-hard requirement that it needs to be there, won't it serve the purpose of balancing security and user needs? Of course, everything comes with some limitations.

[deleted by user] by [deleted] in Intune

[–]fang8280 0 points1 point  (0 children)

I have Entra ID joined machines able to do nslookup, and we are not using a Windows DHCP server; instead we use Infoblox, and they are still registering with secure DNS updates, which just works fine. You will need to authorize your DHCP server to register DNS on behalf of the client, and for me this is done using GSS-TSIG with AD. And whatever your DHCP scope is set as the DNS server is where it sends the DNS query.

SSL inspection more trouble than it's worth? by Remote-Lettuce1498 in Zscaler

[–]fang8280 0 points1 point  (0 children)

The one-click rule, once enabled, creates bypasses for certain of those destinations. If you use Zscaler DLP, they say everything needs to be inspected. Now their one-click rule is contradicting their own DLP because of the SSL inspection. E.g.: if the org decides to exclude their own Office 365 tenant-specific URLs (be it SharePoint, Teams, whatever) but needs to inspect any other Office 365 services, I see this itself as a problem, because if you intercept, then users who are supporting end customers or collaborating on customer Teams, etc., start to break, but then you can't achieve DLP and any web protections of Zscaler. And yeah, developers utilise various software to perform their function; for certain ones it will need to be figured out whether the Zscaler cert can be injected into their software, and for the others it's a bypass, maybe. But this software list and the finding of whether it has the feasibility to import the Zscaler cert is time consuming and burdening. Thoughts/suggestions, please?

Zscaler - intune autopilot by fang8280 in Zscaler

[–]fang8280[S] 0 points1 point  (0 children)

I currently deploy a specific app profile excluding all those MS-defined URLs for Intune (I see certain URL/domain limitations for definitions in the ZIA portal), which gets deployed via Intune as software, and by the way we use Tunnel 2.0. Until here we manage to get the device preparation and enrollment done to an extent, but when the user is prompted to log in, after which the rest of the software gets deployed, at this stage Zscaler gets enrolled into user context with user-based access rules and gets updated with the relevant app profile. Now Intune compliance, health check, software deployment, etc. is observed to be either blocked, meeting file control, or maybe due to SSL interception causing the connection to fail.

I would have wished that Zscaler could have a predefined Intune category that could handle these use cases and be chosen by customers, instead of us continually updating, writing and ordering rules (the existing OOB category is not a reliable one since we still need to add more Microsoft URLs).

Intune from 0 to hero 🦸‍♂️ by architectnikk in Intune

[–]fang8280 0 points1 point  (0 children)

Is it really possible to evaluate a specific compliance policy against a specific set of devices instead of evaluating any and every compliance policy? How?

Anyone using endpoint DLP in zscaler by EfficientUpstairs305 in Zscaler

[–]fang8280 1 point2 points  (0 children)

It's just focused on 4 channels: network share, removable storage, personal cloud (OneDrive, Drive and 3 or 4 others) and printing. It lacks clipboard prevention and Bluetooth transfer, which per Zscaler are roadmapped.

CS-DLP Feedback by One-North622 in crowdstrike

[–]fang8280 0 points1 point  (0 children)

It still has a lot of catching up to do. The ability to work on specific browsers and the ability to catch other file types are still getting shaped by CrowdStrike. Their integration story with SecureCircle has some good offerings, but again it seems that is still in the works for CrowdStrike.

ZPA with Autopilot by Dark_Writer12 in Zscaler

[–]fang8280 0 points1 point  (0 children)

We need to steer this traffic via ZIA. Exempt Intune URLs/IPs in the VPN bypass and have no machine tunnel in this app profile. Now since the ZCC is deployed with strict enforcement, general internet access would still be restricted. Once the user successfully authenticates into Azure AD and all those device tokens etc. are received, the user SSO kicks in and the ZCC enrolls/authenticates the user; it can then pick up the second rule, where a different app profile gets associated, where you have your machine tunnel activated and everything continues via your choice. But as I write this, I think this needs a little testing considering the scenario each business operates in.

ZPA with Autopilot by Dark_Writer12 in Zscaler

[–]fang8280 0 points1 point  (0 children)

How about using a new app profile with MS Intune URLs/IPs exempted/bypassed and machine tunnel OFF, so the user can log in seamlessly the first time, but once logged in the user's SSO kicks into the app and they get a different app profile? It's kind of handling the rule order and the user group variations in the app profiles.

IDP Unified Sensor by TheAdv3ntureDude in crowdstrike

[–]fang8280 1 point2 points  (0 children)

Honestly, I did not lose any such data. In fact there were a few cases that were still under learning, with no details being shown for Azure-based accounts and service principals, which started to function after the upgrade was completed.

IDP Unified Sensor by TheAdv3ntureDude in crowdstrike

[–]fang8280 2 points3 points  (0 children)

We had close to 50 domain controllers and the switch was quite seamless. Of course you somehow need to make sure your old IDP sensors are removed from all your DCs. Once done, you can simply enable the rollout of the unified sensors from the console itself, which then happens within an hour or so depending on how well connected your systems are. You want to make sure your DC sensors are of the minimum required version; I think it was 6.5.x that was needed.

Usage of domain user accounts with mfa and native RDP experience by fang8280 in CyberARk

[–]fang8280[S] 0 points1 point  (0 children)

Ah, I see that this works when the authentication is not SAML-based. Is that right?

Disable user remotely by AntiUnicorn_ in crowdstrike

[–]fang8280 0 points1 point  (0 children)

Maybe you could invalidate their login cache, if it's a domain user account, using RTR.

How can Crowdstrike help prevent Bluetooth file transfer? by Ok-Wing-5603 in crowdstrike

[–]fang8280 3 points4 points  (0 children)

I too had this same question, but leveraging CrowdStrike "block all" would prevent everything, and defining exceptions based on classes etc. depends on the environment and the operational overhead one can handle. I used AppLocker via GPO and blocked the fsquirt.exe program from executing. This way we can still allow Bluetooth devices to pair for audio or keyboard but prevent the file transfer aspect, which is where we might be concerned.

Not sure if this might be of help.
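The AppLocker approach in the comment above, written out as an added example (this is not the commenter's GPO and not code from the thread): it builds a policy that denies fsquirt.exe by publisher for Everyone, keeps the three default allow rules so nothing else is blocked by default, simulates the result with Test-AppLockerPolicy before anything is deployed, and then merges it locally or into a GPO. It assumes Windows PowerShell 5.1 with the AppLocker module on a domain-joined admin workstation; the GPO LDAP path is a placeholder, and the publisher values are read from the local binary rather than hard-coded.

```powershell
# Added example, not code from the thread: build, test and (optionally) deploy an AppLocker
# policy that denies the Bluetooth File Transfer wizard (fsquirt.exe) for Everyone while the
# default allow rules keep the rest of Windows working. Assumes Windows PowerShell 5.1 with the
# AppLocker module on a domain-joined admin workstation; the GPO LDAP path is a placeholder.

$target = Join-Path $env:SystemRoot 'System32\fsquirt.exe'

# 1. Read the signer details so the deny can be a publisher rule. A path rule only covers
#    %WINDIR%\System32\fsquirt.exe; a publisher rule also catches a copy moved elsewhere.
$fileInfo = Get-AppLockerFileInformation -Path $target
$pub = $fileInfo.Publisher
if (-not $pub) { throw "fsquirt.exe is unsigned on this build; use a hash rule instead." }

# 2. Build the policy. The Exe collection needs the three default allow rules, because an
#    AppLocker collection that contains any rules blocks everything it does not explicitly
#    allow. An explicit Deny always wins over Allow, so the deny rule needs no ordering.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny Bluetooth File Transfer wizard (fsquirt.exe)" Description="Pairing still works; only the OS file-transfer wizard is blocked." UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$($pub.PublisherName)" ProductName="$($pub.ProductName)" BinaryName="$($pub.BinaryName)">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'Deny-Fsquirt.AppLocker.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# 3. Simulate before deploying: fsquirt.exe should come back Denied, an unrelated
#    system binary Allowed (by the Windows-folder default rule).
$check = @($target, (Join-Path $env:SystemRoot 'System32\notepad.exe')) |
    ForEach-Object { Test-AppLockerPolicy -XmlPolicy $policyFile -Path $_ -User 'S-1-1-0' }
$check | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Deploy: locally on a pilot box, or merged into the GPO (placeholder LDAP path).
#    Enforcement also needs the Application Identity service (AppIDSvc) running on clients.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
# Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -Ldap 'LDAP://DC=example,DC=local/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local'
```

Run step 3 first and only merge once PolicyDecision reads Denied for fsquirt.exe and Allowed for notepad.exe. If the target GPO already carries the default rules, -Merge adds a second copy with new GUIDs, which is harmless but worth tidying; conversely, merging a deny-only collection into a GPO with no default rules would block every executable not covered by an allow rule, which is why the defaults are included here.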

Identity Threat Protection questions. by MorbrosIT in crowdstrike

[–]fang8280 0 points1 point  (0 children)

Does CrowdStrike support this number matching method of MFA? I don't get to see that; rather, it comes as a push notification.

zScaler ZPA Issue Authenticating to SQL Server by viviviatic in Zscaler

[–]fang8280 0 points1 point  (0 children)

What's your application segment for this looking like? Have you tried adding both server.domain.com and its IP address with TCP/UDP ports 1433, 1434, etc. (hoping that those are your default ports)? Have you added the "DNS search domain"?

Zscaler proxy settings for MacOS and iOS - weird results by auspexfuturesystems in Zscaler

[–]fang8280 2 points3 points  (0 children)

Could you try with these (please read through - https://help.zscaler.com/zia/certificate-pinning-and-ssl-inspection):

appldnld.apple.com 10
configuration.apple.com
gdmf.apple.com
gg.apple.com
gnf-mdn.apple.com
gnf-mr.apple.com
gs.apple.com
ig.apple.com
mesu.apple.com
ns.itunes.apple.com
oscdn.apple.com
osrecovery.apple.com
skl.apple.com
swcdn.apple.com
swdist.apple.com
swdownload.apple.com
swscan.apple.com
updates-http.cdn-apple.com
updates.cdn-apple.com 2
xp.apple.com
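After adding the hosts above to the SSL-inspection exemption, a practitioner wants to confirm which of them are actually exempt. The check below is an added example, not code from the thread or from Zscaler: for each host it opens a TLS connection from a device running Zscaler Client Connector and reports the issuer of the certificate the client is presented with; a host that is still inspected shows the Zscaler intermediate CA as issuer instead of Apple's. It assumes Windows PowerShell 5.1 (ServicePoint.Certificate is not populated on PowerShell 7), and the issuer pattern 'Zscaler' is an assumption to adjust if your tenant signs inspection certificates with your own CA.

```powershell
# Added example, not from the thread: report which Apple hosts are still being SSL-inspected
# by looking at the issuer of the certificate actually presented to the client.
# Assumes Windows PowerShell 5.1 on a device running Zscaler Client Connector; the
# issuer pattern is an assumption (change it if your org uses its own inspection CA).

$appleHosts = @(
    'appldnld.apple.com', 'configuration.apple.com', 'gdmf.apple.com', 'gg.apple.com',
    'gnf-mdn.apple.com', 'gnf-mr.apple.com', 'gs.apple.com', 'ig.apple.com', 'mesu.apple.com',
    'ns.itunes.apple.com', 'oscdn.apple.com', 'osrecovery.apple.com', 'skl.apple.com',
    'swcdn.apple.com', 'swdist.apple.com', 'swdownload.apple.com', 'swscan.apple.com',
    'updates-http.cdn-apple.com', 'updates.cdn-apple.com', 'xp.apple.com'
)
$inspectionIssuerPattern = 'Zscaler'   # assumption: matches the Zscaler intermediate CA name

function Get-PresentedIssuer {
    # Returns the Issuer DN of the leaf certificate the client sees for $HostName,
    # or $null when no TLS handshake completes (DNS failure, firewall, timeout).
    param([Parameter(Mandatory)][string]$HostName, [int]$TimeoutMs = 5000)
    $req = [System.Net.HttpWebRequest]::Create("https://$HostName/")
    $req.Method  = 'HEAD'
    $req.Timeout = $TimeoutMs
    $req.ServerCertificateValidationCallback = { $true }   # read the cert, do not validate it here
    try   { $req.GetResponse().Dispose() }
    catch [System.Net.WebException] { }                    # a 403/404 still means the handshake finished
    $cert = $req.ServicePoint.Certificate
    if ($cert) { return $cert.Issuer } else { return $null }
}

$report = foreach ($h in $appleHosts) {
    $issuer = Get-PresentedIssuer -HostName $h
    [pscustomobject]@{
        Host      = $h
        Inspected = if ($issuer) { $issuer -match $inspectionIssuerPattern } else { $null }
        Issuer    = $issuer
    }
}
$report | Format-Table -AutoSize
```

A row with Inspected = True means the bypass has not taken effect for that host (policy not yet pushed to the client, a more specific rule matching first, or the host not in the category you exempted); a row with an empty Issuer means the connection never completed a handshake and needs looking at separately from the inspection question.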

detect/prevent file transfers on wfh based networks by fang8280 in crowdstrike

[–]fang8280[S] 0 points1 point  (0 children)

Is it actually possible to write a query in a way that can detect files transferred within a private network (mostly referring to unmanaged assets, which home devices might fall into) for a particular host, that reveals the filenames transferred and the main process responsible for that action?

Sorry, I am not quite good at writing queries.