Zscaler ZIA

Connecting Zscaler ZIA logs to your Panther Console

Overview

Panther supports ingesting Zscaler Internet and SaaS Access (ZIA) logs by using either an HTTP Source or an AWS S3 Source.

In order to onboard Zscaler ZIA logs in Panther, you must have a subscription to Zscaler ZIA.

How to onboard Zscaler ZIA logs to Panther

To onboard Zscaler ZIA logs in Panther, you will first create a Zscaler ZIA source in Panther, then configure a NSS Cloud Feed in Zscaler.

If you are onboarding more than one Zscaler ZIA log type in Panther:

In Zscaler, you must create a different NSS Cloud Feed for each log type.
In Panther, you may create either one Zscaler ZIA source for all of your NSS Cloud Feeds, or one Zscaler ZIA source for each NSS Cloud Feed.

Prerequisites

You must have permission to access to the Zscaler Admin Console.

Step 1: Set up the Zscaler ZIA source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
In the top right, click Create New.
Search for "Zscaler ZIA", then click its tile.
In the Transport Mechanism drop-down, select the Data Transport method you wish to use for this integration: HTTP or AWS S3 Bucket.
- You can configure Zscaler to either stream ZIA logs directly to a Panther HTTP endpoint, or to an S3 bucket in your environment, which Panther will then pull from.\
Click Start Setup.
Follow Panther's instructions for configuring the Data Transport method you chose:
- HTTP: Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
  - During setup, on the Configure page, you will be required to use shared secret authentication.
  - Payloads sent to this source are subject to the payload requirements for all HTTP sources.
  - Do not proceed to the next step until the creation of your HTTP endpoint has completed.
- S3: Follow Panther's instructions for configuring an S3 Source.
  - Follow the instructions on setting up an S3 source in Panther, beginning at Step 1.5.

Step 2 (for S3 ingest only): Set up an S3 bucket

In this Zscaler SaaS Security API and Amazon S3 Deployment Guide, follow the Integrating Zscaler Cloud NSS with Amazon S3 instructions, beginning on page 18.
- Stop when you reach Add a Cloud NSS Feed in the ZIA Admin Portal (on page 37), as you will complete that in the next step.

Step 3: Configure a Cloud NSS Feed in the Zscaler admin console

If you are onboarding more than one Zscaler ZIA log type, you must create a different NSS Cloud Feed for each log type. Repeat this step for each log type.

If you are using HTTP as your Data Transport:

Follow guide within the Zscaler Adding Cloud NSS Feeds documentation based on the log type you are onboarding:
- For Zscaler.ZIA.AdminAuditLog, follow Adding Cloud NSS Feeds for Admin Audit Logs.
- For Zscaler.ZIA.WebLog, follow Adding Cloud NSS Feeds for Web Logs.
- For Zscaler.ZIA.FWLog, follow Adding Cloud NSS Feeds for Firewall Logs.
- For Zscaler.ZIA.DNSLog, follow Adding Cloud NSS Feeds for DNS Logs.
When configuring the Cloud NSS Feed, take note of the following:
- NSS Type: Select NSS for Web if you want to onboard Admin Audit or Web log types, or NSS for Firewall to onboard Firewall or DNS log types.
- SIEM Rate: Leave as Unlimited.
- SIEM Type: Select Other.
- OAuth 2.0 Authentication: This setting should be disabled.
- Max Batch Size: Leave as-is.
- API URL: Enter the HTTP Source URL you generated in the Panther Console in Step 1.
- HTTP Headers: In the Key 1 field, enter x-panther-zscaler. In the Value 1 field, enter the Shared Secret Value you generated or entered in Panther in Step 1.
- Log Type: Select the log type for which you want to send logs to Panther, and leave the rest of the fields as they are.
- Time Zone: Select GMT, as Panther expects UTC timestamps.

Under an "Add Cloud NSS Feed" header are various form fields, including Feed Name, SIEM Type, and HTTP Headers.

Supported log types

Zscaler.ZIA.AdminAuditLog

The Admin Audit log records key events in the Zscaler admin console, such as logins, logouts, and resource actions (like create and update). The Admin Audit log is primarily used to investigate potentially suspicious activity or diagnose and troubleshoot errors.

References:

schema: Zscaler.ZIA.AdminAuditLog
description: Zscaler ZIA Admin Audit Log
referenceURL: https://help.zscaler.com/zia/nss-feed-output-format-admin-audit-logs
fields:
  - name: sourcetype
    required: true
    description: The type of source generating the log event.
    type: string
  - name: event
    required: true
    description: The audit log event.
    type: object
    fields:
      - name: time
        required: true
        description: The timestamp of the audit log.
        type: timestamp
        timeFormats:
          - '%a %b %e %H:%M:%S %Y'
        isEventTime: true
      - name: recordid
        required: true
        description: The unique identifier for the log.
        type: string
      - name: action
        required: true
        description: The action performed.
        type: string
      - name: category
        description: The location in the portal where the action was performed.
        type: string
      - name: subcategory
        description: The sub-location in the portal where the action was performed.
        type: string
      - name: resource
        description: The specific location within a sub-category.
        type: string
      - name: interface
        description: The means by which the user performed their actions.
        type: string
      - name: adminid
        description: The login id of the admin who performed the action.
        type: string
        indicators:
          - email
          - actor_id
      - name: clientip
        description: The source IP address for the admin.
        type: string
        indicators:
          - ip
      - name: result
        description: The outcome of an action.
        type: string
      - name: errorcode
        description: The error code if the action failed.
        type: string
      - name: auditlogtype
        description: The Admin Audit log type.
        type: string
      - name: preaction
        description: Data before any policy or configuration changes.
        type: json
      - name: postaction
        description: Data after any policy or configuration changes.
        type: json

Zscaler.ZIA.WebLog

The Web Log records detailed information about user internet activity through Zscaler, including allowed and blocked requests to websites. It tracks URL categories, risk levels, and policy enforcement actions, making it essential for monitoring browsing behavior, enforcing compliance, and detecting potential threats.

References:

Format of Web logs

schema: Zscaler.ZIA.WebLog
description: Zscaler ZIA Web Log
referenceURL: https://help.zscaler.com/zia/nss-feed-output-format-web-logs
fields:
  - name: sourcetype
    required: true
    description: The type of source generating the log event.
    type: string
  - name: event
    required: true
    description: The web log event.
    type: object
    fields:
      - name: datetime
        required: true
        type: timestamp
        description: The time and date of the transaction
        timeFormats:
          - '%Y-%m-%d %H:%M:%S'
        isEventTime: true
      - name: reason
        type: string
        description: The action that the service took and the policy that was applied, if the transaction was blocked
      - name: event_id
        description: The unique record identifier for each log
        type: string
      - name: protocol
        description: The protocol type of the transaction
        type: string
      - name: action
        description: The action that the service took on the transaction
        type: string
      - name: transactionsize
        description: The total size of the HTTP transaction in bytes
        type: bigint
      - name: responsesize
        description: The total size of the HTTP response, including the header and payload, in bytes
        type: bigint
      - name: requestsize
        description: The request size in bytes
        type: bigint
      - name: ClientIP
        description: The IP address of the user
        type: string
        indicators:
          - ip
      - name: appclass
        description: The web application class of the application that was accessed.
        type: string
      - name: appname
        description: The name of the cloud application
        type: string
      - name: bwthrottle
        description: Indicates whether the transaction was throttled due to a configured bandwidth policy
        type: string
      - name: clientpublicIP
        description: The client public IP address
        type: string
        indicators:
          - ip
      - name: contenttype
        description: The name of the content type
        type: string
      - name: department
        description: The department of the user
        type: string
      - name: devicehostname
        description: The hostname of the device
        type: string
      - name: deviceowner
        description: The owner of the device
        type: string
      - name: dlpdictionaries
        description: The DLP dictionaries that were matched, if any
        type: string
      - name: dlpengine
        description: The DLP engine that was matched, if any
        type: string
      - name: fileclass
        description: The class of file downloaded during the transaction
        type: string
      - name: filetype
        description: Type of file involved in the transaction.
        type: string
      - name: hostname
        description: Hostname of the URL being accessed.
        indicators:
          - hostname
        type: string
      - name: keyprotectiontype
        description: Indicates whether an HSM Protection or a Software Protection intermediate CA certificate is used
        type: string
      - name: location
        description: The gateway location or sub-location of the source.
        type: string
      - name: pagerisk
        description: The Page Risk Index score of the destination URL.
        type: string
      - name: product
        description: The product name
        type: string
      - name: refererURL
        description: The referer URL
        type: string
      - name: requestmethod
        description: The request method
        type: string
      - name: serverip
        description: The destination server IP address. This displays 0.0.0.0 if the request was blocked.
        type: string
        indicators:
          - ip
      - name: status
        description: The response code
        type: string
      - name: threatcategory
        description: The category of malware that was detected in the transaction, if any
        type: string
      - name: threatclass
        description: The class of malware that was detected in the transaction, if any
        type: string
      - name: threatname
        description: The name of the threat that was detected in the transaction, if any
        type: string
      - name: unscannabletype
        description: The unscannable file type
        type: string
      - name: url
        required: true
        description: The destination URL
        type: string
        indicators:
          - url
      - name: urlcategory
        description: The category of the destination URL
        type: string
      - name: urlclass
        description: The class of the destination URL
        type: string
      - name: urlsupercategory
        description: The super category of the destination URL
        type: string
      - name: user
        required: true
        description: The user's login name in email address format
        type: string
        indicators:
          - email
          - actor_id
          - username
      - name: useragent
        description: The user agent
        type: string
      - name: vendor
        description: The vendor name
        type: string

Zscaler.ZIA.FWLog

The firewall log records non-web traffic events managed by Zscaler ZIA firewall, including details about source and destination IPs, protocols, ports, and session actions. It is used to monitor application usage, enforce network policies, and identify suspicious or unauthorized traffic patterns.

References:

Format of Firewall logs

schema: Zscaler.ZIA.FWLog
description: Zscaler ZIA Firewall Log
referenceURL: https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs
fields:
  - name: sourcetype
    required: true
    description: The type of source generating the log event.
    type: string
  - name: event
    required: true
    description: The firewall log event.
    type: object
    fields:
      - name: datetime
        required: true
        type: timestamp
        description: The time and date of the transaction
        timeFormats:
          - '%a %b %e %H:%M:%S %Y'
        isEventTime: true
      - name: action
        description: The action that the service took on the transaction, Allowed or Blocked
        type: string
      - name: aggregate
        description: Indicates whether the Firewall session is aggregated
        type: string
      - name: avgduration
        description: The average session duration, in milliseconds, if the sessions were aggregated
        type: bigint
      - name: cdip
        description: The client destination IP address
        type: string
        indicators:
          - ip
      - name: cdport
        description: The client source port
        type: bigint
      - name: csip
        required: true
        description: The client source IP address
        type: string
        indicators:
          - ip
      - name: csport
        description: The client source port
        type: bigint
      - name: department
        description: The department of the user
        type: string
      - name: destcountry
        description: The abbreviated code of the country of the destination IP address
        type: string
      - name: devicehostname
        description: The hostname of the device
        type: string
      - name: deviceowner
        description: The owner of the device
        type: string
      - name: dnat
        description: Indicates if the destination NAT policy was applied
        type: string
      - name: duration
        description: The session or request duration in seconds
        type: bigint
      - name: durationms
        description: The session or request duration in milliseconds
        type: bigint
      - name: inbytes
        description: The number of bytes sent from the server to the client
        type: bigint
      - name: ipcat
        description: The URL category that corresponds to the server IP address
        type: string
      - name: ipsrulelabel
        description: The name of the IPS policy that was applied to the Firewall session
        type: string
      - name: locationname
        description: The name of the location from which the session was initiated
        type: string
      - name: numsessions
        description: The number of sessions that were aggregated
        type: bigint
      - name: nwapp
        description: The network application that was accessed
        type: string
      - name: nwsvc
        description: The network service that was used
        type: string
      - name: outbytes
        description: The number of bytes sent from the client to the server
        type: bigint
      - name: proto
        description: The type of IP protocol
        type: string
      - name: rulelabel
        description: The name of the rule that was applied to the transaction
        type: string
      - name: sdip
        description: The server destination IP address
        type: string
        indicators:
          - ip
      - name: sdport
        description: The server destination port
        type: bigint
      - name: ssip
        description: The server source IP address
        type: string
        indicators:
          - ip
      - name: ssport
        description: The server source port
        type: bigint
      - name: stateful
        description: Indicates if the Firewall session is stateful
        type: string
      - name: threatcat
        description: The category of the threat in the Firewall session by the IPS engine
        type: string
      - name: threatname
        description: The name of the threat detected in the Firewall session by the IPS engine
        type: string
      - name: tsip
        description: The tunnel IP address of the client (source)
        type: string
        indicators:
          - ip
      - name: tunsport
        description: The tunnel port
        type: bigint
      - name: tuntype
        description: The traffic forwarding method used to send the traffic to the Firewall
        type: string
      - name: user
        required: true
        description: The user's login name in email address format
        type: string
        indicators:
          - email
          - username
          - actor_id

Zscaler.ZIA.DNSLog

The DNS Log captures all DNS queries and responses processed by Zscaler ZIA, including allowed, blocked, or unresolved domains. It provides visibility into domain usage, helps detect malicious or suspicious activity (such as DNS tunneling), and supports policy enforcement for secure DNS filtering.

References:

Format of DNS logs

schema: Zscaler.ZIA.DNSLog
description: Zscaler ZIA DNS Log
referenceURL: https://help.zscaler.com/zia/nss-feed-output-format-dns-logs
fields:
  - name: sourcetype
    required: true
    description: The type of source generating the log event.
    type: string
  - name: event
    required: true
    description: The dns log event.
    type: object
    fields:
      - name: datetime
        required: true
        type: timestamp
        description: The time and date of the transaction
        timeFormats:
          - '%a %b %e %H:%M:%S %Y'
        isEventTime: true
      - name: category
        type: string
        description: The event category
      - name: clt_sip
        description: The IP address of the user
        type: string
        indicators:
          - ip
      - name: department
        description: The department of the user
        type: string
      - name: devicehostname
        description: The hostname of the device
        type: string
      - name: deviceowner
        description: The owner of the device
        type: string
      - name: dns_req
        description: The DNS request
        type: string
        indicators:
          - domain
      - name: dns_reqtype
        required: true
        description: The DNS request type
        type: string
      - name: dns_resp
        description: The DNS response
        type: string
      - name: durationms
        description: The duration of the DNS request in milliseconds
        type: bigint
      - name: location
        description: The event location
        type: string
      - name: reqaction
        description: The name of the action that was applied to the DNS request
        type: string
      - name: reqrulelabel
        description: The name of the rule that was applied to the DNS request
        type: string
      - name: resaction
        description: The name of the action that was applied to the DNS response
        type: string
      - name: respipcategory
        description: The response IP category
        type: string
      - name: resrulelabel
        description: The name of the rule that was applied to the DNS response
        type: string
      - name: srv_dip
        description: The server IP
        type: string
        indicators:
          - ip
      - name: srv_dport
        description: The server port
        type: bigint
      - name: user
        required: true
        description: The login name in email address format
        type: string
        indicators:
          - email
          - username
          - actor_id

PreviousZscaler Logs NextZscaler ZPA

Last updated 3 months ago

Was this helpful?