Skip to main content

Zscaler Internet Access

Download With Dependencies

Zscaler is a cloud security solution built for performance and flexible scalability.

Zscaler Internet Access

Zscaler Internet Access

This pack includes Cortex XSIAM content. It supports ingestion and modeling both for ZIA logs which are streamed via VM-based NSS Feed, and for ZIA logs which are streamed via Cloud NSS Feed.

The sections below describe the necessary configurations required on Cortex XSIAM and Zscaler ZIA for each NSS feed type.

Configuration for Cloud NSS (HTTPS API Feed)

Configure an HTTP Log Collector on XSIAM

  1. Navigate to SettingsConfigurationsData CollectionData Sources.

  2. Set a new instance for the Custom - HTTP based Collector data source as follows -

    Parameter Name Value
    Name Specify a descriptive Name, for e.g., Zscaler ZIA Cloud NSS.
    Compression Select gzip.
    Log Format Select JSON.
    Vendor Enter zscaler.
    Product Enter cloudnss.
  3. Click Save & Generate Token.

    1. Click the Copy icon and record the copied generated token somewhere safe. You will need to provide this token when you configure the ZIA Cloud NSS feed on Zscaler.
    2. Click Done when finished.
  4. Hover over the new created HTTP Collector instance, and click the Copy API URL. You will need to provide this URL when you configure the ZIA Cloud NSS feed on Zscaler.

Configure a Cloud NSS Feed on Zscaler ZIA Admin Portal

You will need to add a Cloud NSS Feed on the Zscaler ZIA Admin Portal for each log type to subscribe to.

Remarks

For each Cloud NSS Feed you configure:

For additional details, see About Cloud NSS Feeds.

Configurations for VM-Based NSS (Syslog Over TCP)

Configure a VM-Based NSS Feed on Zscaler ZIA Admin Portal

To configure the Zscaler Internet Access (ZIA) to send logs via the NSS feed output, refer to steps 1-3 in the following XDR documentation which relates to both Web logs and FW logs.

More information on configuring NSS feed outputs:

  1. Adding NSS Feeds for Firewall Logs.
  2. Adding NSS Feeds for Web Logs.
  3. NSS Feed Output Format: Firewall logs.
  4. NSS Feed Output Format: Web Logs.
Remarks
  • Make sure to specify the feed escape character as =.
  • As mentioned in the referenced documentation above, make sure to add the feed output format for Web logs and/or FW logs.

Configure a Broker VM on Cortex XSIAM

To create or configure the Broker VM, use the information described here.

  1. Navigate to SettingsConfigurationData BrokerBroker VMs.
  2. Go to the APPS column under the Brokers tab and add the Syslog app for the relevant broker instance. If the Syslog app already exists, hover over it and click Configure.
  3. Click Add New.
  4. When configuring the Syslog Collector, set the following parameters:
    | Parameter | Value
    | :--- | :---
    | Protocol | Select TCP.
    | Port | Enter the syslog service port that Cortex XSIAM Broker VM should listen on for receiving streamed syslog events from Zscaler. This should be aligned with the port number defined on the Zscaler NSS feed.
    | Format | Select Auto-Detect.

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

CertificationRead more
Supported ByCortex
CreatedJuly 15, 2020
Last ReleaseDecember 4, 2024
WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.