Zscaler Internet Access (ZIA) is a cloud-based security service that acts as a digital gateway between your organization and the internet. It's designed to protect your network and data from cyber threats while providing secure access to web applications and services. This type of solution is often referred to as a Secure Access Service Edge (SASE) or Security Service Edge (SSE) solution. Data from your Zscaler Internet Access integrations is stored, searchable, and used as context in threat investigations.
How does it work?
This ingest method works by creating a Red Canary-managed Amazon S3 bucket/folder that you can use to receive logs from your Zscaler deployment. You will be provided a fully qualified URL containing the bucket name, folder name (i.e.: prefix), and region to which you will point a Zscaler Cloud NSS feed. Authentication is handled via Amazon’s long-term access keys. If you have a Zscaler product other than ZIA, use the generic Data Source via S3 (Managed by Red Canary) ingest method instead.
By integrating Zscaler Internet Access with the Red Canary Security Data Lake, you can meet data retention requirements for your ZIA logs, export logs when needed for investigation or reporting, and ensure greater visibility into your security infrastructure for your team and Red Canary. To integrate Zscaler Internet Access with Red Canary, follow the procedure below from beginning to end.
Prerequisites
Before you start the Zscaler Internet Access integration, please make sure the following requirements are met:
You have an active Red Canary Security Data Lake license.
Zscaler Internet Access is deployed and active in your environment.
You are subscribed to at least one Cloud NSS SKU like
Z_CLOUD_NSS_FWorZ_CLOUD_NSS_WEB.You have appropriate admin permissions to make configuration changes to your Zscaler instance.
1 | Red Canary | Add a new Zscaler Internet Access integration
From your Red Canary dashboard navigate to Integrations, and click Add Integration.
.png?sv=2022-11-02&spr=https&st=2026-03-24T10%3A24%3A11Z&se=2026-03-24T10%3A41%3A11Z&sr=c&sp=r&sig=FsCXNwFEKfrCecwdifi3Up9Oj3YNziNmDAVqXTqmjxc%3D "image(315).png")
Type and select Zscaler Internet Access.
.png?sv=2022-11-02&spr=https&st=2026-03-24T10%3A24%3A11Z&se=2026-03-24T10%3A41%3A11Z&sr=c&sp=r&sig=FsCXNwFEKfrCecwdifi3Up9Oj3YNziNmDAVqXTqmjxc%3D "image(316).png")
Click Configure.
Next to Add Integration, enter a name for your integration.
.png?sv=2022-11-02&spr=https&st=2026-03-24T10%3A24%3A11Z&se=2026-03-24T10%3A41%3A11Z&sr=c&sp=r&sig=FsCXNwFEKfrCecwdifi3Up9Oj3YNziNmDAVqXTqmjxc%3D)
Choose how Red Canary will receive this data:
Under Ingest Format / Method, select Zscaler via S3 (Security Data Lake).
.png?sv=2022-11-02&spr=https&st=2026-03-24T10%3A24%3A11Z&se=2026-03-24T10%3A41%3A11Z&sr=c&sp=r&sig=FsCXNwFEKfrCecwdifi3Up9Oj3YNziNmDAVqXTqmjxc%3D)
Click the Next button.
Configure Red Canary to retrieve data from this integration:
Click the Provision button.
.png?sv=2022-11-02&spr=https&st=2026-03-24T10%3A24%3A11Z&se=2026-03-24T10%3A41%3A11Z&sr=c&sp=r&sig=FsCXNwFEKfrCecwdifi3Up9Oj3YNziNmDAVqXTqmjxc%3D)
This will save and activate your integration. If successful, you should get a “User provisioned successfully” notification.
.png?sv=2022-11-02&spr=https&st=2026-03-24T10%3A24%3A11Z&se=2026-03-24T10%3A41%3A11Z&sr=c&sp=r&sig=FsCXNwFEKfrCecwdifi3Up9Oj3YNziNmDAVqXTqmjxc%3D)
Below the “User provisioned successfully” message, instructions for how to set up Zscaler will appear.
2 | Zscaler Internet Access | Verify that Cloud NSS is enabled
Navigate to Company Profile > Subscriptions in your Zscaler Internet Access instance.
Validate you are subscribed to at least one Cloud NSS SKU like
Z_CLOUD_NSS_FWorZ_CLOUD_NSS_WEB.If you do not have an active Cloud NSS subscription, please contact your Zscaler customer service representative to request it.
Navigate to Administration > Nanolog Streaming Service and verify there is a Cloud NSS Feeds tab.
If you cannot see the Cloud NSS Feeds tab, contact Zscaler support to request that they enable it. This process typically takes 24 hours.
From Red Canary, check I have verified Cloud NSS is enabled.
.png?sv=2022-11-02&spr=https&st=2026-03-24T10%3A24%3A11Z&se=2026-03-24T10%3A41%3A11Z&sr=c&sp=r&sig=FsCXNwFEKfrCecwdifi3Up9Oj3YNziNmDAVqXTqmjxc%3D)
3 | Zscaler Internet Access | Configure the Cloud NSS Feed
Navigate to Administration > Nanolog Streaming Service in your Zscaler Internet Access instance.
Click the Cloud NSS Feeds tab.
Click Add Cloud NSS Feed.
Enter a Feed Name.
Select the Feed Type.
NSS for Webis selected by default.Leave SIEM Rate as the default value (
Unlimited).For SIEM Type, select
S3.Leave the default Max Batch Size (32 MB).
Copy the values for AWS Access ID, AWS Secret Key, and S3 Folder URL from Red Canary.
.png?sv=2022-11-02&spr=https&st=2026-03-24T10%3A24%3A11Z&se=2026-03-24T10%3A41%3A11Z&sr=c&sp=r&sig=FsCXNwFEKfrCecwdifi3Up9Oj3YNziNmDAVqXTqmjxc%3D)
The AWS Access ID and AWS Secret Key can take time to generate. If they say “(pending…)”, wait 10 minutes and reload the page.
Select the Log Type.
Web Logis selected by default.For Feed Output Type, select
JSON.Disable the JSON Array Notation option.
Leave the default Feed Escape Character.
Enter the appropriate Feed Output Format from the options below based on the source you are configuring (web logs or firewall logs).
Web logs
\{ "sourcetype" : "zscalernss-web", "event" : \{"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}","reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}","transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}","urlcategory":"%s{urlcat}","serverip":"%s{sip}","requestmethod":"%s{reqmethod}","refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}","ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler","hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}","threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}","threatseverity":"%s{threatseverity}","department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}","dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}","dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}","keyprotectiontype":"%s{keyprotectiontype}"\}\}Firewall logs
\{ "sourcetype" : "zscalernss-fw", "event" : \{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","locationname":"%s{elocation}","cdport":"%d{cdport}","csport":"%d{csport}","sdport":"%d{sdport}","ssport":"%d{ssport}","csip":"%s{csip}","cdip":"%s{cdip}","ssip":"%s{ssip}","sdip":"%s{sdip}","tsip":"%s{tsip}","tunsport":"%d{tsport}","tuntype":"%s{ttype}","action":"%s{action}","dnat":"%s{dnat}","stateful":"%s{stateful}","aggregate":"%s{aggregate}","nwsvc":"%s{nwsvc}","nwapp":"%s{nwapp}","proto":"%s{ipproto}","ipcat":"%s{ipcat}","destcountry":"%s{destcountry}","avgduration":"%d{avgduration}","rulelabel":"%s{erulelabel}","inbytes":"%ld{inbytes}","outbytes":"%ld{outbytes}","duration":"%d{duration}","durationms":"%d{durationms}","numsessions":"%d{numsessions}","ipsrulelabel":"%s{ipsrulelabel}","threatcat":"%s{threatcat}","threatname":"%s{ethreatname}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}
Click Save.
Hover over the Activation menu near the bottom left and click Activate.
From Red Canary:
Check I configured a Cloud NSS export.
.png?sv=2022-11-02&spr=https&st=2026-03-24T10%3A24%3A11Z&se=2026-03-24T10%3A41%3A11Z&sr=c&sp=r&sig=FsCXNwFEKfrCecwdifi3Up9Oj3YNziNmDAVqXTqmjxc%3D)
Click the Next button.
4 | Red Canary | Specify data retention
Customize how data from this integration is handled:
Specify your desired data retention period in days.
.png?sv=2022-11-02&spr=https&st=2026-03-24T10%3A24%3A11Z&se=2026-03-24T10%3A41%3A11Z&sr=c&sp=r&sig=FsCXNwFEKfrCecwdifi3Up9Oj3YNziNmDAVqXTqmjxc%3D)
Click Save in the bottom right corner.
What fields are available for Zscaler sources?
All Security Data Lake sources include a set of metadata columns — data generated by Red Canary at time of ingest. These always begin with rc_:
Column Name | Data Type | Description |
|---|---|---|
| String | Internal row identifier. |
| String | Red Canary subdomain name. |
| String | Internal source identifier. |
| String | Internal source type. |
| String | Internal file name. |
| Numeric | Internal file line number. |
| Timestamp | Red Canary ingestion date. |
| Timestamp | Red Canary creation date. |
| Timestamp | Set to Red Canary ingestion date if timestamp when vendor timestamp isn’t available. |
Zscaler sources will also include a set of columns parsed from the original ZIA logs. Both firewall and web logs are supported — some fields may be blank or missing if they are not present in the source log.
Column Name | Data Type | Log Type? | Description |
|---|---|---|---|
| String | FW, Web |
|
| Array | FW, Web | Raw JSON event. |
| String | Web | The IP address of the user. |
| String | FW | The action that the service took on the transaction ( |
| String | FW | Indicates whether the Firewall session is aggregated. |
| String | Web | The Cloud Application Class of the application that was accessed. |
| String | Web | The name of the cloud application. |
| Numeric | FW | The average session duration, in milliseconds, if the sessions were aggregated. |
| String | Web | Indicates whether the transaction was throttled due to a configured bandwidth policy. |
| String | FW | The client destination IP address. |
| String | FW | The client destination port. |
| String | Web | The client public IP address. |
| String | Web | The content type ( |
| String | FW | The client source IP address. |
| String | FW | The client source port. |
| Timestamp | FW, Web | The time and date of the transaction. |
| String | FW, Web | The department of the user. |
| String | FW | The abbreviated code of the country of the destination IP address. |
| String | FW, Web | The hostname of the device. |
| String | FW, Web | The owner of the device. |
| String | Web | The DLP dictionaries that were matched, if any ( |
| String | Web | The DLP engine that was matched, if any ( |
| String | FW | Indicates if the destination NAT policy was applied. |
| Numeric | FW | The session or request duration in seconds. |
| Numeric | FW | The session or request duration in milliseconds. |
| String | Web | The unique record identifier for each log. |
| String | Web | The class of file downloaded during the transaction ( |
| String | Web | The type of file downloaded during the transaction ( |
| String | Web | The destination hostname. |
| Numeric | FW | The number of bytes sent from the server to the client. |
| String | FW | The URL category that corresponds to the server IP address ( |
| String | FW | The name of the IPS policy that was applied to the Firewall session. |
| String | Web | Indicates whether an HSM Protection or a Software Protection intermediate CA certificate is used for the TLS interception. |
| String | Web | The gateway location or sub-location of the source. |
| String | FW | Applicable to the web traffic processed via Isolation. The field shows the actual traffic origination point, whereas the |
| Numeric | FW | The number of sessions that were aggregated. |
| String | FW | The network application that was accessed ( |
| String | FW | The network service that was used ( |
| Numeric | The number of bytes sent from the client to the server. | |
| String | Web | The Page Risk Index score of the destination URL. The service computes risk for each page by weighing several factors, including page locations, reputation of destination, and content that may look suspicious. The range is 0–100, from the lowest to the highest risk. |
| String | Web |
|
| String | FW | The type of IP protocol ( |
| String | Web | The protocol type of the transaction ( |
| String | Web | The action that the service took and the policy that was applied, if the transaction was blocked. |
| String | Web | The HTTP referer URL. |
| String | Web | The HTTP request method. |
| Numeric | Web | The request size in bytes. |
| Numeric | Web | The total size of the HTTP response, including the header and payload, in bytes. |
| String | FW | The name of the rule that was applied to the transaction. |
| String | FW | The server destination IP address. |
| String | FW | The server destination port. |
| String | Web | The destination server IP address. This displays |
| String | FW | The server source IP address. |
| String | FW | The server source port. |
| String | FW | Indicates if the Firewall session is stateful. |
| String | Web | The HTTP response code sent to the client. ZIA generates a |
| String | FW | The category of the threat in the Firewall session by the IPS engine ( |
| String | Web | The category of malware that was detected in the transaction, if any. Also indicates if a file was submitted to the Sandbox engine for analysis and the result of the analysis. |
| String | Web | The class of malware that was detected in the transaction, if any. |
| String | Web | The name of the threat that was detected in the transaction, if any. |
| String | Web | The severity of the threat that was detected in the transaction, if any. The severity relates to the Page Risk Index score. |
| Numeric | Web | The total size of the HTTP transaction in bytes. The sum of the total request size and total response size. |
| String | FW | The tunnel IP address of the client (source). |
| String | FW | The tunnel port of the client (source). |
| String | FW | The traffic forwarding method used to send the traffic to the Firewall ( |
| String | Web | The unscannable file type: Encrypted (password protected |
| String | Web | The destination URL. |
| String | Web | The category of the destination URL ( |
| String | Web | The class of the destination URL ( |
| String | Web | The super category of the destination URL ( |
| String | FW, Web | The user's login name in email address format. |
| String | Web | The full user agent string ( |
| String | Web |
|