Integrate Zscaler Internet Access (ZIA) with the Security Data Lake

Updated on 21 Mar 2025
6 Minutes to read

Article summary

Did you find this summary helpful?

Thank you for your feedback!

Zscaler Internet Access (ZIA) is a cloud-based security service that acts as a digital gateway between your organization and the internet. It's designed to protect your network and data from cyber threats while providing secure access to web applications and services. This type of solution is often referred to as a Secure Access Service Edge (SASE) or Security Service Edge (SSE) solution. Data from your Zscaler Internet Access integrations is stored and searchable from the Security Data Lake.

By integrating Zscaler Internet Access with the Red Canary Security Data Lake, you can meet data retention requirements for your ZIA logs, export logs when needed for investigation or reporting, and ensure greater visibility into your security infrastructure for your team and Red Canary. To integrate Zscaler Internet Access with Red Canary, follow the procedure below from beginning to end.

Before you connect Zscaler Internet Access to Red Canary, make sure that Zscaler is deployed and active in your environment.

Step 1: Red Canary–Add a new Zscaler Internet Access integration

From your Red Canary dashboard navigate to Integrations, and click Add Integration.
Type and select Zscaler Internet Access.
Click Configure.
Next to Add Integration, enter a name for your integration.
Choose how Red Canary will receive this data:
1. Under Ingest Format / Method, select Zscaler via S3 (Security Data Lake).
2. Click the Next button.
Configure Red Canary to retrieve data from this integration:
1. Click the Provision button.
2. This will save and activate your integration. If successful, you should get a “User provisioned successfully” notification.
3. Below the “User provisioned successfully” message, instructions for how to set up Zscaler will appear.

Step 2: Zscaler Internet Access–Verify that Cloud NSS is enabled

Navigate to Company Profile > Subscriptions in your Zscaler Internet Access instance.
Validate you are subscribed to at least one Cloud NSS SKU like Z_CLOUD_NSS_FW or Z_CLOUD_NSS_WEB.
If you do not have an active Cloud NSS subscription, please contact your Zscaler customer service representative to request it.
Navigate to Administration > Nanolog Streaming Service and verify there is a Cloud NSS Feeds tab.
If you cannot see the Cloud NSS Feeds tab, contact Zscaler support to request that they enable it. This process typically takes 24 hours.
From Red Canary, check I have verified Cloud NSS is enabled.

Step 3: Zscaler Internet Access–Configure the Cloud NSS Feed

Navigate to Administration > Nanolog Streaming Service in your Zscaler Internet Access instance.
Click the Cloud NSS Feeds tab.
Click Add Cloud NSS Feed.
Enter a Feed Name.
Select the Feed Type. NSS for Web is selected by default.
Leave SIEM Rate as the default value (Unlimited).
For SIEM Type, select S3.
Leave the default Max Batch Size (32 MB).
Copy the values for AWS Access ID, AWS Secret Key, and S3 Folder URL from Red Canary.
The AWS Access ID and AWS Secret Key can take time to generate. If they say “(pending…)”, wait 10 minutes and reload the page.
Select the Log Type. Web Log is selected by default.
For Feed Output Type, select JSON.
Disable the JSON Array Notation option.
Leave the default Feed Escape Character.

Enter the appropriate Feed Output Format from the options below based on the source you are configuring (web logs or firewall logs).

Web logs

\{ "sourcetype" : "zscalernss-web", "event" : \{"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}","reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}","transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}","urlcategory":"%s{urlcat}","serverip":"%s{sip}","requestmethod":"%s{reqmethod}","refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}","ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler","hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}","threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}","threatseverity":"%s{threatseverity}","department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}","dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}","dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}","keyprotectiontype":"%s{keyprotectiontype}"\}\}

Firewall logs

\{ "sourcetype" : "zscalernss-fw", "event" : \{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","locationname":"%s{elocation}","cdport":"%d{cdport}","csport":"%d{csport}","sdport":"%d{sdport}","ssport":"%d{ssport}","csip":"%s{csip}","cdip":"%s{cdip}","ssip":"%s{ssip}","sdip":"%s{sdip}","tsip":"%s{tsip}","tunsport":"%d{tsport}","tuntype":"%s{ttype}","action":"%s{action}","dnat":"%s{dnat}","stateful":"%s{stateful}","aggregate":"%s{aggregate}","nwsvc":"%s{nwsvc}","nwapp":"%s{nwapp}","proto":"%s{ipproto}","ipcat":"%s{ipcat}","destcountry":"%s{destcountry}","avgduration":"%d{avgduration}","rulelabel":"%s{erulelabel}","inbytes":"%ld{inbytes}","outbytes":"%ld{outbytes}","duration":"%d{duration}","durationms":"%d{durationms}","numsessions":"%d{numsessions}","ipsrulelabel":"%s{ipsrulelabel}","threatcat":"%s{threatcat}","threatname":"%s{ethreatname}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}

Click Save.
Hover over the Activation menu near the bottom left and click Activate.
From Red Canary:
1. Check I configured a Cloud NSS export.
2. Click the Next button.

Step 4: Red Canary–Specify data retention

Customize how data from this integration is handled:
1. Specify your desired data retention period in days.
Click Save in the bottom right corner.

What fields are available for Zscaler sources?

All Security Data Lake sources include a set of metadata columns — data generated by Red Canary at time of ingest. These always begin with rc_:

Column Name	Data Type	Description
`rc_id`	String	Internal row identifier.
`rc_customer_id`	String	Red Canary subdomain name.
`rc_source_id`	String	Internal source identifier.
`rc_format`	String	Internal source type.
`rc_source_file`	String	Internal file name.
`rc_source_file_line_number`	Numeric	Internal file line number.
`rc_ingested_at`	Timestamp	Red Canary ingestion date.
`rc_created_at`	Timestamp	Red Canary creation date.
`rc_timestamp`	Timestamp	Set to Red Canary ingestion date if timestamp when vendor timestamp isn’t available.

Zscaler sources will also include a set of columns parsed from the original ZIA logs. Both firewall and web logs are supported — some fields may be blank or missing if they are not present in the source log.

Column Name	Data Type	Log Type?	Description
`sourcetype`	String	FW, Web	`zscalernss-fw` or `zscalernss-web`
`event`	Array	FW, Web	Raw JSON event.
`event.ClientIP`	String	Web	The IP address of the user.
`event.action`	String	FW	The action that the service took on the transaction (`Allowed`, `Blocked`, etc.).
`event.aggregate`	String	FW	Indicates whether the Firewall session is aggregated.
`event.appclass`	String	Web	The Cloud Application Class of the application that was accessed.
`event.appname`	String	Web	The name of the cloud application.
`event.avgduration`	Numeric	FW	The average session duration, in milliseconds, if the sessions were aggregated.
`event.bwthrottle`	String	Web	Indicates whether the transaction was throttled due to a configured bandwidth policy.
`event.cdip`	String	FW	The client destination IP address.
`event.cdport`	String	FW	The client destination port.
`event.clientpublicIP`	String	Web	The client public IP address.
`event.contenttype`	String	Web	The content type (`image/gif`, `text/x_python`, etc.).
`event.csip`	String	FW	The client source IP address.
`event.csport`	String	FW	The client source port.
`event.datetime`	Timestamp	FW, Web	The time and date of the transaction.
`event.department`	String	FW, Web	The department of the user.
`event.destcountry`	String	FW	The abbreviated code of the country of the destination IP address.
`event.devicehostname`	String	FW, Web	The hostname of the device.
`event.deviceowner`	String	FW, Web	The owner of the device.
`event.dlpdictionaries`	String	Web	The DLP dictionaries that were matched, if any (`Credit Cards`, `Gambling`, `MRN Numbers`, etc.).
`event.dlpengine`	String	Web	The DLP engine that was matched, if any (`HIPAA`, `PCI`, `Social Security Numbers`, etc.).
`event.dnat`	String	FW	Indicates if the destination NAT policy was applied.
`event.duration`	Numeric	FW	The session or request duration in seconds.
`event.durationms`	Numeric	FW	The session or request duration in milliseconds.
`event.event_id`	String	Web	The unique record identifier for each log.
`event.fileclass`	String	Web	The class of file downloaded during the transaction (`Active Web Contents`, `Archive Files`, `Audio`, etc.).
`event.filetype`	String	Web	The type of file downloaded during the transaction (`RAR`, `ZIP`, `Windows Executable`, etc.).
`event.hostname`	String	Web	The destination hostname.
`event.inbytes`	Numeric	FW	The number of bytes sent from the server to the client.
`event.ipcat`	String	FW	The URL category that corresponds to the server IP address (`Finance`, etc.).
`event.ipsrulelabel`	String	FW	The name of the IPS policy that was applied to the Firewall session.
`event.keyprotectiontype`	String	Web	Indicates whether an HSM Protection or a Software Protection intermediate CA certificate is used for the TLS interception.
`event.location`	String	Web	The gateway location or sub-location of the source.
`event.locationname`	String	FW	Applicable to the web traffic processed via Isolation. The field shows the actual traffic origination point, whereas the `event.location` field displays the Isolation Location. When the web traffic is not handled by Isolation, the field value is `None`.
`event.numsessions`	Numeric	FW	The number of sessions that were aggregated.
`event.nwapp`	String	FW	The network application that was accessed (`Skype`, etc.).
`event.nwsvc`	String	FW	The network service that was used (`HTTP`, etc.).
`event.outbytes`	Numeric		The number of bytes sent from the client to the server.
`event.pagerisk`	String	Web	The Page Risk Index score of the destination URL. The service computes risk for each page by weighing several factors, including page locations, reputation of destination, and content that may look suspicious. The range is 0–100, from the lowest to the highest risk.
`event.product`	String	Web	`NSS`, etc.
`event.proto`	String	FW	The type of IP protocol (`TCP`, etc.).
`event.protocol`	String	Web	The protocol type of the transaction (`HTTP`, `FTP`, etc.).
`event.reason`	String	Web	The action that the service took and the policy that was applied, if the transaction was blocked.
`event.refererURL`	String	Web	The HTTP referer URL.
`event.requestmethod`	String	Web	The HTTP request method.
`event.requestsize`	Numeric	Web	The request size in bytes.
`event.responsesize`	Numeric	Web	The total size of the HTTP response, including the header and payload, in bytes.
`event.rulelabel`	String	FW	The name of the rule that was applied to the transaction.
`event.sdip`	String	FW	The server destination IP address.
`event.sdport`	String	FW	The server destination port.
`event.serverip`	String	Web	The destination server IP address. This displays `0.0.0.0` if the request was blocked.
`event.ssip`	String	FW	The server source IP address.
`event.ssport`	String	FW	The server source port.
`event.stateful`	String	FW	Indicates if the Firewall session is stateful.
`event.status`	String	Web	The status of the cloud application (`Sanctioned`, `Unsanctioned`, `N/A`).
`event.threatcat`	String	FW	The category of the threat in the Firewall session by the IPS engine (`Botnet Callback`, `Denial of Service attack`, `Malicious Content`, etc.).
`event.threatcategory`	String	Web	The category of malware that was detected in the transaction, if any. Also indicates if a file was submitted to the Sandbox engine for analysis and the result of the analysis.
`event.threatclass`	String	Web	The class of malware that was detected in the transaction, if any.
`event.threatname`	String	Web	The name of the threat that was detected in the transaction, if any.
`event.threatseverity`	String	Web	The severity of the threat that was detected in the transaction, if any. The severity relates to the Page Risk Index score.
`event.transactionsize`	Numeric	Web	The total size of the HTTP transaction in bytes. The sum of the total request size and total response size.
`event.tsip`	String	FW	The tunnel IP address of the client (source).
`event.tunsport`	String	FW	The tunnel port of the client (source).
`event.tuntype`	String	FW	The traffic forwarding method used to send the traffic to the Firewall (`L2 tunnel`, etc.).
`event.unscannabletype`	String	Web	The unscannable file type: Encrypted (password protected `GZIP`, `PDF`, etc.), Unscannable (corrupt archive, etc.), or Undetectable (unable to determine file type).
`event.url`	String	Web	The destination URL.
`event.urlcategory`	String	Web	The category of the destination URL (`Entertainment`, `Adult Themes`, `Games`, etc.).
`event.urlclass`	String	Web	The class of the destination URL (`Bandwidth Loss`, `General Surfing`, `Privacy Risk`, etc.).
`event.urlsupercategory`	String	Web	The super category of the destination URL (`Entertainment/Recreation`, `Travel`, `Security`, etc.).
`event.user`	String	FW, Web	The user's login name in email address format.
`event.useragent`	String	Web	The full user agent string (`Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0)`, etc.).
`event.vendor`	String	Web	`Zscaler`, etc.

Was this article helpful?

What's Next

Searching Your Data

Table of contents

Step 1: Red Canary–Add a new Zscaler Internet Access integration
Step 2: Zscaler Internet Access–Verify that Cloud NSS is enabled
Step 3: Zscaler Internet Access–Configure the Cloud NSS Feed
Step 4: Red Canary–Specify data retention
What fields are available for Zscaler sources?