- 12 Nov 2024
Integrate Zscaler Internet Access (ZIA) with the Security Data Lake
Zscaler Internet Access (ZIA) is a cloud-based security service that acts as a digital gateway between your organization and the internet. It's designed to protect your network and data from cyber threats while providing secure access to web applications and services. This type of solution is often referred to as a Secure Access Service Edge (SASE) or Security Service Edge (SSE) solution.
By integrating Zscaler Internet Access with the Red Canary Security Data Lake, you can meet data retention requirements for your ZIA logs, export logs when needed for investigation or reporting, and ensure greater visibility into your security infrastructure for your team and Red Canary. To integrate Zscaler Internet Access with Red Canary, follow the procedure below from beginning to end.
Before you connect Zscaler Internet Access to Red Canary, make sure that Zscaler is deployed and active in your environment.
Step 1: Zscaler Internet Access–Verify that Cloud NSS is enabled
Navigate to Company Profile > Subscriptions in your Zscaler Internet Access instance.
Validate that you are subscribed to at least one Cloud NSS SKU, such as Z_CLOUD_NSS_FW or Z_CLOUD_NSS_WEB. If you do not have an active Cloud NSS subscription, contact your Zscaler customer service representative to request it.
Navigate to Administration > Nanolog Streaming Service and verify there is a Cloud NSS Feeds tab.
If you cannot see the Cloud NSS Feeds tab, contact Zscaler support to request that they enable it. This process typically takes 24 hours.
Step 2: Red Canary–Create your Red Canary generated URL
From your Red Canary dashboard navigate to Integrations, and click Add Integration.
Type and select Zscaler Internet Access.
Click Configure.
Enter a name for your integration.
Under Ingest Format / Method, select Zscaler via S3 (Security Data Lake).
Select the desired data retention period in days (default: 90).
Click Save.
Click Edit Configuration.
Click Activate.
After a few minutes, Red Canary will generate an S3 Folder URL, AWS Access ID, and AWS Secret Key that you will use to set up log forwarding in your Zscaler account. Copy and save these values; you will use them in a later step. Treat the AWS Secret Key as a credential: store it in your password manager or secrets vault rather than in a ticket or chat message, because it is what Zscaler will use to write your logs into the bucket.
These configuration settings will not be generated until the Red Canary integration is saved and activated.
Step 3: Zscaler Internet Access–Configure the Cloud NSS Feed
Navigate to Administration > Nanolog Streaming Service in your Zscaler Internet Access instance.
Click the Cloud NSS Feeds tab.
Click Add Cloud NSS Feed.
Enter a Feed Name.
Select the Feed Type. NSS for Web is selected by default.
Leave SIEM Rate at the default value (Unlimited).
For SIEM Type, select S3.
Leave the default Max Batch Size (32 MB).
Update AWS Access ID, AWS Secret Key, and S3 Folder URL using the values noted in the previous section.
Select the Log Type. Web Log is selected by default.
For Feed Output Type, select JSON.
Disable the JSON Array Notation option.
Leave the default Feed Escape Character.
Enter the Feed Output Format that matches the feed you are configuring: the web-log format below for a web feed, or the firewall-log format for a firewall feed.
Web logs
{ "sourcetype" : "zscalernss-web", "event" : \{"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}","reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}","transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}","urlcategory":"%s{urlcat}","serverip":"%s{sip}","requestmethod":"%s{reqmethod}","refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}","ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler","hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}","threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}","threatseverity":"%s{threatseverity}","department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}","dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}","dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}","keyprotectiontype":"%s{keyprotectiontype}"\}\}
Firewall logs
{ "sourcetype" : "zscalernss-fw", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","locationname":"%s{elocation}","cdport":"%d{cdport}","csport":"%d{csport}","sdport":"%d{sdport}","ssport":"%d{ssport}","csip":"%s{csip}","cdip":"%s{cdip}","ssip":"%s{ssip}","sdip":"%s{sdip}","tsip":"%s{tsip}","tunsport":"%d{tsport}","tuntype":"%s{ttype}","action":"%s{action}","dnat":"%s{dnat}","stateful":"%s{stateful}","aggregate":"%s{aggregate}","nwsvc":"%s{nwsvc}","nwapp":"%s{nwapp}","proto":"%s{ipproto}","ipcat":"%s{ipcat}","destcountry":"%s{destcountry}","avgduration":"%d{avgduration}","rulelabel":"%s{erulelabel}","inbytes":"%ld{inbytes}","outbytes":"%ld{outbytes}","duration":"%d{duration}","durationms":"%d{durationms}","numsessions":"%d{numsessions}","ipsrulelabel":"%s{ipsrulelabel}","threatcat":"%s{threatcat}","threatname":"%s{ethreatname}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}
Click Save.
Hover over the Activation menu near the bottom left and click Activate.
Repeat Step 3 for each additional feed type (for example, a firewall feed) that you want to send to Red Canary.
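Before pasting a Feed Output Format into the portal, it is worth confirming that the string it produces is valid JSON and that every field token refers to a field you expect. The following Python script is an example added to this page (it is not Zscaler or Red Canary code): it expands the %s{...} and %d{...} tokens of a trimmed copy of the web-log format above against two constructed sample records, writes them one per line as a feed with JSON Array Notation disabled does (an assumption of the example), parses the result, and flags the events an analyst would triage. The full format string from the page can be pasted in place of WEB_FORMAT unchanged; the handling of \{ and \} as literal braces and the quote-escaping step stand in for the portal's own brace escaping and Feed Escape Character setting and are likewise assumptions.

```python
"""Dry-run a Zscaler Cloud NSS feed output format before saving it in the
Admin Portal. Added example for this page, not Zscaler or Red Canary code.

Assumptions:
  * token syntax %s{f}, %d{f}, %02d{f}, %ld{f} expands field f; \\{ and \\}
    are literal braces, as in the page's format strings; a bare { is passed
    through unchanged;
  * with JSON Array Notation disabled the feed writes one JSON object per
    event, newline separated;
  * the sample records below are constructed, not real Zscaler output."""
import json
import re

# Subset of the page's web-log Feed Output Format (same token syntax and
# brace escaping). Paste the page's full string here to test it unchanged.
WEB_FORMAT = (
    '{ "sourcetype" : "zscalernss-web", "event" : \\{'
    '"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}",'
    '"action":"%s{action}","user":"%s{elogin}","url":"%s{eurl}",'
    '"status":"%s{respcode}","threatname":"%s{threatname}",'
    '"pagerisk":"%d{riskscore}","transactionsize":"%d{totalsize}"\\}\\}'
)

# Constructed records keyed by NSS field name. The second URL contains a
# double quote, the character most likely to break the emitted JSON.
SAMPLE_RECORDS = [
    {"yy": 2024, "mth": 11, "dd": 12, "hh": 9, "mm": 5, "ss": 7,
     "action": "Allowed", "elogin": "alice@example.com",
     "eurl": "www.example.com/index.html", "respcode": "200",
     "threatname": "None", "riskscore": 0, "totalsize": 1532},
    {"yy": 2024, "mth": 11, "dd": 12, "hh": 9, "mm": 5, "ss": 9,
     "action": "Blocked", "elogin": "bob@example.com",
     "eurl": 'evil.example.net/dl?q="x"', "respcode": "403",
     "threatname": "Trojan.Generic", "riskscore": 95, "totalsize": 0},
]

TOKEN = re.compile(r"%(\d*)(ld|d|s)\{([a-z]+)\}")


def escape_string(value):
    """Backslash-escape the characters that terminate a JSON string.
    Stands in for the portal's Feed Escape Character setting (assumption)."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"')


def render(fmt, record):
    """Expand every token in fmt against one record; an unknown field is an
    error so a typo in the format is caught here rather than in the feed."""
    def expand(match):
        width, kind, field = match.groups()
        if field not in record:
            raise KeyError(f"format references unknown field {field!r}")
        if kind == "s":
            return escape_string(record[field])
        return format(int(record[field]), f"0{width}d" if width else "d")
    body = TOKEN.sub(expand, fmt)
    # tokens are consumed above, so the remaining \{ and \} are literal braces
    return body.replace("\\{", "{").replace("\\}", "}")


def build_batch(fmt, records):
    """One event per line, as a feed with JSON Array Notation disabled writes."""
    return "".join(render(fmt, r) + "\n" for r in records)


def parse_batch(text, expected_sourcetype):
    """Parse a newline-delimited batch, failing loudly on the first bad line."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno} is not valid JSON: {exc}") from exc
        if obj.get("sourcetype") != expected_sourcetype:
            raise ValueError(f"line {lineno}: unexpected sourcetype "
                             f"{obj.get('sourcetype')!r}")
        events.append(obj["event"])
    return events


def threat_events(events, min_risk=80):
    """Events worth triage: blocked, carrying a threat name, or high page risk.
    Numeric fields arrive as strings because the format quotes them."""
    return [e for e in events
            if e["action"] == "Blocked" or e["threatname"] != "None"
            or int(e["pagerisk"]) >= min_risk]


if __name__ == "__main__":
    batch = build_batch(WEB_FORMAT, SAMPLE_RECORDS)
    parsed = parse_batch(batch, "zscalernss-web")
    print(f"{len(parsed)} events parsed, {len(threat_events(parsed))} flagged")
    for e in threat_events(parsed):
        print(e["datetime"], e["user"], e["action"], e["url"], e["threatname"])
```

Run it with python3: a KeyError names a token that refers to no field in your record, and a ValueError names the first line that fails to parse, which is the failure you would otherwise discover only after the feed is activated and batches have landed in the bucket. Because the page's format wraps numeric fields in quotes, values such as pagerisk arrive as strings and must be cast before comparison, as threat_events does.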