Integrate Zscaler Data Fabric with Red Canary
- 05 Jan 2026
- 11 Minutes to read
- PDF
Integrate Zscaler Data Fabric with Red Canary
- Updated on 05 Jan 2026
- 11 Minutes to read
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback!
This guide outlines how to integrate the Zscaler Data Fabric for Security with Red Canary’s MDR offering. This integration enables Red Canary to correlate Zscaler activity (from solutions like Zscaler Internet Access) with our threat investigations, enabling you to see when there is relevant network context. For more information on how to view related data from Zscaler in an investigation, see here.
This integration is currently in Early Access, and is not available to all customers yet. Please contact your Red Canary team if you are interested in learning more.
Prerequisites
Before you start the Zscaler Data Fabric integration, please make sure the following requirements are met:
You have an active Red Canary MDR subscription.
You know your Zscaler Cloud Name and Company ID for the tenant you’d like to connect to Red Canary.
Make sure that your organization has a subscription to OneAPI and ZIdentity. Most Zscaler customers should be subscribed, but if you have been a Zscaler customer since before June 2024, you may need to migrate to the ZIdentity identity management service. To obtain access to these services, contact your Zscaler Account team.
1 Red Canary | Add the Integration
From your Red Canary homepage, go to the Integrations page, then click Add Integration.
On the Add integration dialog, search for the “Zscaler Data Fabric” integration, then click Configure.
.png?sv=2022-11-02&spr=https&st=2026-01-08T01%3A03%3A35Z&se=2026-01-08T01%3A13%3A35Z&sr=c&sp=r&sig=aAoz%2FdlEc%2B%2FqoXDwVIj9dZ3Q31JcweKnSwBkOtbyFbo%3D)
On the Red Canary configuration page, enter a name for the integration.
.png?sv=2022-11-02&spr=https&st=2026-01-08T01%3A03%3A35Z&se=2026-01-08T01%3A13%3A35Z&sr=c&sp=r&sig=aAoz%2FdlEc%2B%2FqoXDwVIj9dZ3Q31JcweKnSwBkOtbyFbo%3D)
2 Red Canary | Configure Red Canary to Retrieve Data From This Integration
On the Red Canary configuration page, provide the Zscaler Cloud Name and Zscaler Organization ID (also known as Company ID). These values can be found on the Company Profile page in the Zscaler admin portal.
.png?sv=2022-11-02&spr=https&st=2026-01-08T01%3A03%3A35Z&se=2026-01-08T01%3A13%3A35Z&sr=c&sp=r&sig=aAoz%2FdlEc%2B%2FqoXDwVIj9dZ3Q31JcweKnSwBkOtbyFbo%3D)
Click Next.
3 Zscaler | Create an API Client
Add a new API client by following the ZIdentity documentation under “To add an API client”.
Set the Token Lifetime to be long enough to complete the integration configuration — we recommend at least 60 minutes.
Set the Validation Type to “Secret” and click Add. Note this Client Secret.
From Resources, make sure the API client is granted a role/scope that allows it read access to the ZIA API’s orgInformation endpoint.
When you save the API client details, ZIdentity auto-generates a client ID and it is displayed on the API Clients page. Note this Client ID.
4 Red Canary | Give Red Canary Temporary API Access to Validate the Configuration Settings
Copy the secret credentials from the previous step and paste them into the Red Canary configuration page:
Paste the Client ID into Client ID.
Paste the Client Secret into Client Secret.
Enter the Vanity Domain (domain name) used by your organization.
.png?sv=2022-11-02&spr=https&st=2026-01-08T01%3A03%3A35Z&se=2026-01-08T01%3A13%3A35Z&sr=c&sp=r&sig=aAoz%2FdlEc%2B%2FqoXDwVIj9dZ3Q31JcweKnSwBkOtbyFbo%3D)
Click Save.
The Zscaler Data Fabric integration is now live!
Zscaler data should appear when users access a threat investigation from the Red Canary portal, provided it matches the available correlation data for an endpoint or identity involved in the investigation.
.png?sv=2022-11-02&spr=https&st=2026-01-08T01%3A03%3A35Z&se=2026-01-08T01%3A13%3A35Z&sr=c&sp=r&sig=aAoz%2FdlEc%2B%2FqoXDwVIj9dZ3Q31JcweKnSwBkOtbyFbo%3D)
5 Red Canary | Modify the Integration
After the Zscaler Data Fabric integration is active, you can make the following modifications to the configuration:
Update the Data Fabric tenant by providing new API credentials
Decommission the integration
To modify the configuration:
From your Red Canary homepage, go to the Integrations page, then click on the name of the integration you want to modify.
.png?sv=2022-11-02&spr=https&st=2026-01-08T01%3A03%3A35Z&se=2026-01-08T01%3A13%3A35Z&sr=c&sp=r&sig=aAoz%2FdlEc%2B%2FqoXDwVIj9dZ3Q31JcweKnSwBkOtbyFbo%3D)
After you’ve finished editing the configuration, click Save to apply your changes.
Deleting the Integration
To delete the integration from Red Canary, click the 
button, then click OK to confirm.
FAQ
How is the Zscaler Data Fabric used in threat investigations?
The Zscaler Data Fabric integration is a contextual integration: related data from this integration is correlated with investigative leads based on the endpoints or identities involved, and that enrichment data is displayed on the Related Data and Related Data Insights tabs of an investigation.
What Zscaler data can I expect to see under Related Data?
Red Canary will attempt to look up Zscaler Internet Access web logs from the Data Fabric. Web log data is considered related to an investigation based on the following:
Matching time frame: The Zscaler transactions occurred within 15 minutes of the investigation event span.
For a threat investigation with a single investigative lead, this would be the 30 minutes surrounding that event.
For a threat investigation with multiple investigative leads, this can be a longer span of time. For example, if there are two leads in the investigation that occurred 60 minutes apart, the time frame considered for related data will be 90 minutes: from 15 minutes before the first lead to 15 minutes after the last lead.
Matching source endpoint or identity: The Zscaler transaction includes device or user information that matches the endpoint (hostname) or identity (email address) in an investigative lead.
If an investigation contains multiple affected endpoints or related identities, matching is attempted on each of them.
If the endpoint in the investigative lead does not include a hostname, no match for that endpoint is attempted.
If the identity in the investigative lead does not include an email address, no match for that identity is attempted.
Matching destination (optional): The Zscaler transaction includes destination information that matches the destination (hostname) in an investigative lead.
This is only attempted if the investigative lead contains a source and destination. For example, an investigative lead based on a network connection is likely to include a destination, while a suspicious file execution is unlikely to include a destination.
The “source” can be an endpoint or an identity. For example, the source for a network connection is likely to be an endpoint, but the source for a SaaS transaction is likely to be an identity.
Query results will include:
Log Type | Field Category | Field | Description |
|---|---|---|---|
Zscaler Internet Access Web Log | Row Identifiers | Event Timestamp | Transaction time (UTC). |
Event ID | Transaction identifier. | ||
User Details | Login Name | The user's login name in email address format. | |
Source Details | Endpoint Hostname | The hostname of the source device. | |
Endpoint Location | The gateway location or sub-location of the source. To learn more, see About Locations. | ||
Endpoint IP Country | The country associated with the source IP address. | ||
Is Endpoint Country Risky | Indicates whether the country associated with the source IP address is risky or not. | ||
User Agent String | The full user agent string for both known and unknown agents. The user agent string contains browser and system information that the destination server can use to provide appropriate content. | ||
User Agent String Type | The user agent class (e.g.: Firefox, Chrome, Safari, etc.). | ||
Endpoint IP | The IP address of the source device. It can be the internal IP address if it’s visible, otherwise it is the internet (NATed Public) IP address. | ||
Endpoint Port | The source device port. | ||
Endpoint Mobile Device Type | If applicable, the type of mobile device (e.g.: | ||
Is Endpoint ZCC Enabled | Indicates whether the Zscaler Client Connector is enabled on the source device or not. | ||
Is Traffic Bypassed | Indicates whether the traffic bypassed the Zscaler Client Connector or not. | ||
Destination Details | Destination Application | The name of the cloud application ( | |
Destination Application Risk | The computed or assigned risk index for the cloud application, with 1 being the lowest risk and 5 being the highest. If the risk index is not available, the field displays | ||
Destination Hostname | The destination hostname. | ||
Destination URL | The destination URL. It excludes the protocol identifier (e.g., | ||
Destination Page Index Risk | The Page Risk Index score of the destination URL. Zscaler computes risk for each page by weighing several factors, including page locations, reputation of destination, and content that may look suspicious. The range is 0–100, from the lowest to the highest risk. | ||
Destination IP Country | The country associated with the destination IP address. | ||
Is Destination Country Risky | Indicates whether the country associated with the destination IP address is risky or not. | ||
Destination IP | The destination server IP address. This displays | ||
Destination Port | The destination server port. | ||
Destination URL Class | The class of the destination URL (e.g.: | ||
Destination URL Super Category | The super category of the destination URL (e.g.: | ||
Destination URL Category | The category of the destination URL (e.g.: | ||
Destination Domain Fronting Host Header | The field contains HTTP/S transactions that indicate domain fronting due to an FQDN mismatch between the request URL and the request's host header. The field is present in the logs only if there is a mismatch. | ||
Destination Domain Fronting Host Name | An optional field that contains the TLS connection's Server Name Indication (SNI) in cases that the HTTPS request host header does not match the SNI. TLS Inspection must be enabled for this field to be populated. The field is present in the logs only if there is a mismatch. | ||
Transaction Details | HTTP Request Type | The HTTP request method (e.g.: | |
HTTP Response Type | The HTTP response code sent to the client (e.g.: | ||
Event Type | The name of the action the user performed on the application (e.g.: | ||
Internal SSL Policy Reason | SSL inspection status between source and Zscaler and if not inspected, the reason (e.g.: | ||
External SSL Policy Reason | SSL inspection status between Zscaler and destination and if not inspected, the reason (e.g.: | ||
Policy Action | The action that the service took and the policy that was applied if the transaction was blocked ( | ||
Referrer Hostname | The hostname of the referrer URL (i.e.: | ||
Referrer URL | The HTTP referrer URL. | ||
File Details | Is File Attached | Flag indicating whether this transaction includes a file. | |
MD5 Checksum | The MD5 hash of the transaction. | ||
SHA256 Checksum | The SHA256 hash of the transaction. | ||
BAMD5 Checksum | The MD5 hash of the malware file that was detected in the transaction, or the MD5 of the file that was sent for analysis to the Sandbox engine. | ||
Download Filename | The name of downloaded files during the transaction. | ||
Upload Filename | The name of uploaded files during the transaction. | ||
Upload Document Type | The type of document uploaded during the transaction ( | ||
Threat Name | The name of the threat that was detected in the transaction, if any (e.g.: | ||
Malware Category | The category of malware that was detected in the transaction, if any. Also indicates if a file was submitted to the Sandbox engine for analysis and the result of the analysis (e.g.: | ||
Malware Classification | The class of malware that was detected in the transaction, if any (e.g.: | ||
DLP Severity | The severity of the DLP match (e.g.: | ||
DLP Dictionary Reason | The DLP dictionary that was matched, if any (e.g.: | ||
DLP Engine Reason | The DLP engine that was matched, if any (e.g.: | ||
File Scan Failure Reason | The reason the file was unscannable, if any (e.g.: |
What Zscaler data can I expect to see under Related Data Insights?
To help analysts quickly understand the potential impact of any related Zscaler data on the threat investigation, correlated logs are automatically evaluated for specific insights with security implications. Think of each insight as the answer to a single Zscaler-specific question that an investigator might ask. Insights include the following:
Insight Type | Insight | Impact | Example |
|---|---|---|---|
Zscaler Internet Access activity involving similar identities | Multiple devices used by a single identity. | An unexpected device/OS/browser adds to the risk of identity compromise. | john.doe@zscaler.com seen using 2 devices (abc12345.zscaler, xyz12345.zscaler) |
Multiple locations observed for a single identity. | An unexpected location adds to the risk of identity compromise. | john.doe@zscaler.com seen in 2 locations (San Jose, New York) | |
Multiple user agent strings observed for a single identity. | An unexpected device/OS/browser adds to the risk of identity compromise. | john.doe@zscaler.com seen using 2 user agent strings (Mozilla/5.0…, Mozilla/2.0…) | |
Multiple mobile device types observed for a single identity. | An unexpected device/OS/browser adds to the risk of identity compromise. | john.doe@zscaler.com seen using 2 mobile device types (Android, iPhone) | |
The observed location’s country is risky. | An unexpected location adds to the risk of identity compromise. | john.doe@zscaler.com seen in: Russia | |
Zscaler Internet Access activity involving similar endpoints | Multiple locations observed for a single endpoint. | An unexpected location adds to the risk of endpoint compromise. | device1.zscaler.com seen in 2 locations (San Jose, New York) |
Multiple user agent strings observed for a single endpoint. | An unexpected device attribute adds to the risk of device compromise. | device1.zscaler.com seen using 2 user agent strings (Mozilla/5.0…, Mozilla/2.0…) | |
The observed location’s country is risky. | An unexpected location adds to the risk of device compromise. | device1.zscaler.com seen in: Russia | |
Zscaler Internet Access activity involving similar transactions | The destination website has a high risk score (4 or 5). | ZIA has deemed the application being accessed to be a security risk. | john.doe@zscaler.com accessed csp.withgoogle.com (risk score 4 of 5) from device1.zscaler.com |
The destination’s country is risky. | ZIA has deemed the location of the application being accessed to be a security risk. | john.doe@zscaler.com accessed csp.withgoogle.com (in Russia) from device1.zscaler.com | |
The destination website is classified as a risky non-business function. | The application is less likely to be used for legitimate business purposes. | john.doe@zscaler.com accessed rashcolonizeexpand.com (class/super-category/category = Advanced Security Risk / Advanced Security / Malicious Content) from device1.zscaler.com | |
Traffic was allowed by ZIA. | If there was a malicious transaction, it might not have been stopped by ZIA. | john.doe@zscaler.com accessed docs.google.com (620 of 620 allowed) from device1.zscaler.com | |
Traffic was blocked by ZIA. | If there was a malicious transaction, it was stopped by ZIA. | john.doe@zscaler.com accessed rashcolonizeexpand.com (0 of 12 allowed) from device1.zscaler.com | |
ZIA was unable to inspect the SSL transaction. | ZIA does not know what was sent/received. If there was malware or data exfiltration involved, ZIA would not know. | john.doe@zsscaler.com accessed mobile.events.data.microsoft.com (0 of 186 inspected) from device1.zscaler.com | |
The Zscaler “Page Risk Index” is high (75+). | ZIA has deemed the URL being accessed to be a security risk. | john.doe@zscaler.com accessed ext.securysearch.com:443 (Page Risk Index Score: 100) from device1.zscaler.com | |
Zscaler detected malware in the transaction. | If ZIA allowed the transaction, this is a security risk. | john.doe@zscaler.com accessed www.securegfm2.com (Threat/Category/Classification: Html.Malurl.Redirector.LZ / None / None) from device1.zscaler.com | |
The transaction bypassed the Zscaler Client Connector. | Zscaler controls have been bypassed for this transaction, so there cannot be any expectation of Zscaler protection/inspection. | john.doe@zscaler.com accessed nexus-websocket-a.intercom.io (14 of 14 bypassed ZCC) from device1.zscaler.com | |
The user downloaded something. | If nothing was downloaded, there is less risk of malware. | john.doe@zscaler.com downloaded PythonSoftwareFoundation.Python.3.13_3.13.2288.0_x64__qbz5n2kfra8p0.Msix from 14.102.231.202 using device1.zscaler.com | |
The downloaded file was not scannable by ZIA. | If there was malware involved, ZIA would not know. | john.doe@zscaler.com failed to scan pdffloattool_1.1.2024.205.7z (Reason: UNSCANNABLE) from wdl1.pcfg.cache.wpscdn.com using device1.zscaler.com | |
The user uploaded something. | If nothing was uploaded, there is less risk of data exfiltration. | john.doe@zscaler.com uploaded WAMEventBuffer.dat to dit.whatsapp.net using device1.zscaler.com | |
The uploaded file triggered DLP detection rules. | There is increased risk of data exfiltration. | john.doe@zscaler.com uploaded "all jp lead_10_コール対象_第1弾_Final_iXiO関西用のみ抽出.xlsx" (DLP risk: High Severity, DLP rules triggered: CustomDictionary-1, CustomDictionary-3, Social Security Number (US): Detect leakage of United States Social Security Numbers) when uploading to zscalercorp-my.sharepoint.com using device1.zscaler.com | |
The uploaded file was not scannable by ZIA. | If there was data exfiltration happening, ZIA would not know. | john.doe@zscaler.com failed to scan Active_Roster_CONFIDENTIAL_100125.xlsx (Reason: ENCRYPTED) when uploading to files.slack.com using device1.zscaler.com |
Was this article helpful?