Zscaler Internet Access
- Details
- Content
- Dependencies
- Version History
Zscaler is a cloud security solution built for performance and flexible scalability.
Zscaler Internet Access
This pack includes Cortex XSIAM content. It supports ingestion and modeling both for ZIA logs which are streamed via VM-based NSS Feed, and for ZIA logs which are streamed via Cloud NSS Feed.
The sections below describe the necessary configurations required on Cortex XSIAM and Zscaler ZIA for each NSS feed type.
Configuration for Cloud NSS (HTTPS API Feed)
Configure an HTTP Log Collector on XSIAM
Navigate to Settings → Configurations → Data Collection → Data Sources.
Set a new instance for the Custom - HTTP based Collector data source as follows -
Parameter Name Value Name
Specify a descriptive Name, for e.g., Zscaler ZIA Cloud NSS. Compression
Select gzip. Log Format
Select JSON. Vendor
Enter zscaler. Product
Enter cloudnss. Click Save & Generate Token.
- Click the Copy icon and record the copied generated token somewhere safe. You will need to provide this token when you configure the ZIA Cloud NSS feed on Zscaler.
- Click Done when finished.
Hover over the new created HTTP Collector instance, and click the Copy API URL. You will need to provide this URL when you configure the ZIA Cloud NSS feed on Zscaler.
Configure a Cloud NSS Feed on Zscaler ZIA Admin Portal
You will need to add a Cloud NSS Feed on the Zscaler ZIA Admin Portal for each log type to subscribe to.
- Adding Cloud NSS Feeds for Web Logs
- Adding Cloud NSS Feeds for DNS Logs
- Adding Cloud NSS Feeds for Admin Audit Logs
- Adding Cloud NSS Feeds for Firewall Logs
Remarks
For each Cloud NSS Feed you configure:
- Set the
API URL
to the URL of the Cortex XSIAM HTTP Collector Zscaler instance. - Set the
Key 1
HTTP header name to Authorization. - Set the
Value 1
Http Header value to the generated token of the Zscaler HTTP Collector instance. - Select JSON for the
Feed Output Type
. - In order to assign the _time field on Cortex XSIAM with the event record's timestamp, the feed output format you configure must include either the timestamp as an epoch value if such exists (for e.g.,
%d{epochtime}
on the Web logs output format), or a formatted date/time string representation along it's corresponding time zone field (for e.g.,%s{tz}
on the Admin Audit logs output format). See the following links for the available output formats for each log type, and general guidelines for each the feeds formats:
For additional details, see About Cloud NSS Feeds.
Configurations for VM-Based NSS (Syslog Over TCP)
Configure a VM-Based NSS Feed on Zscaler ZIA Admin Portal
To configure the Zscaler Internet Access (ZIA) to send logs via the NSS feed output, refer to steps 1-3 in the following XDR documentation which relates to both Web logs and FW logs.
More information on configuring NSS feed outputs:
- Adding NSS Feeds for Firewall Logs.
- Adding NSS Feeds for Web Logs.
- NSS Feed Output Format: Firewall logs.
- NSS Feed Output Format: Web Logs.
Remarks
- Make sure to specify the feed escape character as
=
. - As mentioned in the referenced documentation above, make sure to add the feed output format for Web logs and/or FW logs.
Configure a Broker VM on Cortex XSIAM
To create or configure the Broker VM, use the information described here.
- Navigate to Settings → Configuration → Data Broker → Broker VMs.
- Go to the APPS column under the Brokers tab and add the Syslog app for the relevant broker instance. If the Syslog app already exists, hover over it and click Configure.
- Click Add New.
- When configuring the Syslog Collector, set the following parameters:
| Parameter | Value
| :--- | :---
|Protocol
| Select TCP.
|Port
| Enter the syslog service port that Cortex XSIAM Broker VM should listen on for receiving streamed syslog events from Zscaler. This should be aligned with the port number defined on the Zscaler NSS feed.
|Format
| Select Auto-Detect.
Name | Description |
---|---|
Zscaler Internet Access | Zscaler is a cloud security solution built for performance and flexible scalability. This integration enables you to manage URL and IP address allow lists and block lists, manage and update categories, get Sandbox reports, create, manage, and update IP destination groups and manually log in, log out, and activate changes in a Zscaler session. |
Name | Description |
---|---|
Block Domain - Zscaler | This playbook blocks domains using Zscaler. |
Name | Description |
---|---|
Zscaler Internet Access | Zscaler is a cloud security solution built for performance and flexible scalability. This integration enables you to manage URL and IP address allow lists and block lists, manage and update categories, get Sandbox reports, create, manage, and update IP destination groups and manually log in, log out, and activate changes in a Zscaler session. |
Name | Description |
---|---|
Zscaler Internet Access Modeling Rule |
Name | Description |
---|---|
Zscaler ZIA Parsing Rule |
Name | Description |
---|---|
Block Domain - Zscaler | This playbook blocks domains using Zscaler. |
Pack Name | Pack By |
---|---|
Base | By: Cortex XSOAR |
Pack Name | Pack By |
---|
Pack Name | Pack By |
---|---|
Base | By: Cortex XSOAR |
Integrations
Zscaler Internet Access
- Added support to the zscaler-category-add-url and zscaler-category-add-ip commands to display retaining-parent-category addresses in the readable output.
- Added support for the RetainingParentCategoryURL key in the readable and context outputs of the zscaler-get-categories command.
- Updated the Docker image to: demisto/python3:3.11.9.107902.
- 35844
Download
Integrations
Zscaler Internet Access
- Fixed an issue where the following commands did not send the request properly:
- zscaler-blacklist-url
- zscaler-blacklist-ip
- zscaler-undo-blacklist-url
- zscaler-undo-blacklist-ip
- Updated the Docker image to: demisto/python3:3.11.9.105369.
- 35537
Download
Integrations
Zscaler Internet Access
- Fixed an issue where the zscaler-category-add-ip and zscaler-category-remove-ip commands did not work properly when retaining-parent-category-ip argument was set, causing the list values to be overridden.
- Updated the Docker image to: demisto/python3:3.10.13.89009.
- 33310
Download
Integrations
Zscaler Internet Access
- Added support for "retaining-parent-category-url" arguments for the add/remove url commands (zscaler-category-add-url, zscaler-category-remove-url).
- Added support for "retaining-parent-category-ip" arguments for the add/remove ip commands (zscaler-category-add-ip, zscaler-category-remove-ip).
- Updated the Docker image to: demisto/python3:3.10.13.82980.
- 30637
Download
Integrations
Zscaler Internet Access
- Added the following new commands:
- zscaler-list-ip-destination-groups
- zscaler-create-ip-destination-groups
- zscaler-edit-ip-destination-groups
- zscaler-delete-ip-destination-groups
- Updated the Docker image to: * demisto/python3:3.10.12.62631*.
- 27386
- 26447
Download
Integrations
Zscaler Internet Access
- Fixed an issue where the ip and url reputation commands returned the data in wrong format.
- Updated the Docker image to: demisto/python3:3.10.8.37753.
- Breaking Change replaced the following context output keys:
- URL.urlClassifications has been replaced by Zscaler.URL.urlClassifications
- URL.urlClassificationsWithSecurityAlert has been replaced by Zscaler.URL.urlClassificationsWithSecurityAlert.
- IP.ipClassifications has been replaced by Zscaler.IP.ipClassifications.
- IP.iplClassificationsWithSecurityAlert has been replaced by Zscaler.IP.iplClassificationsWithSecurityAlert.
- 22477
Download
Integrations
Zscaler Internet Access
Added the requestTimeout parameter, which enables you to define the amount of time (in seconds) that the http requests to zscaler will wait before it throws an error. Default was left to 15 seconds.
- Updated the Docker image to: demisto/python3:3.10.7.33922.
- 21429
- 21215
Download
PUBLISHER
PLATFORMS
INFO
Certification | Certified | Read more |
Supported By | Cortex | |
Created | July 15, 2020 | |
Last Release | December 4, 2024 |