// industry vertical

zero-trust / SASE access forensics

Zscaler ZIA/ZPA · Cloudflare Access · Palo Alto Prisma Access · Cisco Umbrella DNS · Netskope CASB · Okta device trust · Microsoft Entra conditional access · Tailscale WireGuard sessions · cross-vendor access anomaly correlation.

tools · 12
priority · H
processing · local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this vertical.

  1. zscaler zia web log forensic analyzer · drop zscaler zia web log export · parse url category + policy + user · runs locally
  2. cloudflare access audit log forensic analyzer · drop cloudflare access audit export · parse app + identity + device posture · runs locally
  3. microsoft entra conditional access log forensic analyzer · drop entra ca sign-in export · parse grant/block + policy id + risk · runs locally
  4. zero trust access anomaly correlator · drop 2+ sase/zero-trust exports · correlate user + app + geo mismatch · runs locally
  5. case report generator · fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
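what the cross-vendor correlator in step 4 actually has to do is the unglamorous part: two vendors export two shapes, so nothing correlates until each record is normalised to one event (user, app, time, country) with the identity lower-cased as the join key, and only then can a per-user time-ordered walk flag a session from one country followed within a short window by a session from another. the block below is an added illustration of that pipeline, not the site's tool code or any vendor's parser: the jsonl and csv samples are constructed, their field names are simplified placeholders rather than the real cloudflare access or entra sign-in export schemas, and the one-hour window is an assumed threshold.

```python
"""Cross-vendor zero-trust access correlation (added example, not the
page's tool code). Two constructed exports, one JSONL in the shape of an
access log and one CSV in the shape of a sign-in log, are normalised to a
single AccessEvent keyed on the lower-cased user identity. Each user's
events are then walked in time order and consecutive events from
different countries inside the window are reported as a geo mismatch.
Field names are simplified placeholders, not the real vendor schemas."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import csv
import io
import json

# Constructed sample data with assumed, simplified field names.
CLOUDFLARE_ACCESS_JSONL = """\
{"ts": "2024-05-01T10:00:00Z", "email": "alice@example.com", "app": "wiki", "country": "US"}
{"ts": "2024-05-01T10:05:00Z", "email": "bob@example.com", "app": "wiki", "country": "GB"}

{"ts": "2024-05-01T14:00:00Z", "email": "alice@example.com", "app": "git", "country": "US"}
"""

ENTRA_SIGNIN_CSV = """\
createdDateTime,userPrincipalName,appDisplayName,countryOrRegion,conditionalAccessStatus
2024-05-01T10:20:00Z,Alice@Example.com,Outlook,DE,success
2024-05-01T10:30:00Z,bob@example.com,Outlook,GB,success
2024-05-01T16:00:00Z,alice@example.com,Outlook,US,failure
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime      # timezone-aware UTC
    user: str         # lower-cased identity: the join key across vendors
    app: str
    country: str      # country code as exported; not re-geolocated here
    source: str       # which export the record came from


def _parse_ts(value: str) -> datetime:
    # Exports use ISO 8601 with a trailing Z; fromisoformat() only accepts
    # a bare "Z" from Python 3.11, so normalise it to an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_cloudflare_access(text: str) -> list[AccessEvent]:
    """One JSON object per line; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(AccessEvent(_parse_ts(rec["ts"]), rec["email"].lower(),
                                  rec["app"], rec["country"], "cloudflare_access"))
    return events


def parse_entra_signin(text: str) -> list[AccessEvent]:
    """CSV with a header row; the UPN is lower-cased to match the other export."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append(AccessEvent(_parse_ts(row["createdDateTime"]),
                                  row["userPrincipalName"].lower(),
                                  row["appDisplayName"], row["countryOrRegion"],
                                  "entra_signin"))
    return events


def find_geo_mismatches(events, window=timedelta(hours=1)):
    """Return (user, earlier, later) for consecutive events of one user
    from different countries no more than `window` apart (assumed threshold)."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for earlier, later in zip(evs, evs[1:]):
            if earlier.country != later.country and later.ts - earlier.ts <= window:
                hits.append((user, earlier, later))
    return hits


def correlate_samples():
    """Merge both constructed exports and run the correlation."""
    events = parse_cloudflare_access(CLOUDFLARE_ACCESS_JSONL)
    events += parse_entra_signin(ENTRA_SIGNIN_CSV)
    return find_geo_mismatches(events)


if __name__ == "__main__":
    for user, a, b in correlate_samples():
        gap = (b.ts - a.ts).total_seconds() / 60
        print(f"{user}: {a.source} {a.app} from {a.country} at {a.ts:%H:%M}, "
              f"then {b.source} {b.app} from {b.country} {gap:.0f} min later")
```

on the sample data only alice is flagged (wiki from US via the access log, then Outlook from DE via the sign-in log twenty minutes later); her later US sessions are hours apart and from the same country, and neither export alone produces a hit, which is the point of pulling the two together. the join key is the whole game: if one vendor exports a UPN and the other an email alias, you need an identity map before this step, not after.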

also useful · secondary tools

cross-cutting tools that surface depending on the specific investigation.

  1. zscaler zpa app connector log forensic analyzer · drop zscaler zpa connector log · parse app segment + broker + session · runs locally
  2. palo alto prisma access log forensic analyzer · drop prisma access log export · parse gateway + app + risk score · runs locally
  3. cisco umbrella dns security log forensic analyzer · drop umbrella dns log export · parse category + identity + block/allow · runs locally
  4. netskope cloud access security log forensic analyzer · drop netskope casb log export · parse app + activity + dlp hits · runs locally
  5. okta device trust posture log forensic analyzer · drop okta device trust export · parse posture checks + managed vs unmanaged · runs locally
  6. tailscale wireguard session log forensic analyzer · drop tailscale admin audit + flow log · parse node + acl + exit node use · runs locally
  7. evidence manifest generator · drop evidence files · compute md5 sha1 sha256 · chain of custody manifest · case number · analyst · export pdf and csv · runs locally

want deeper zero-trust coverage?

this vertical is intentionally sparse — deep-moat coverage grows over time. tracked in the forensics rollout.
