Zscaler ZIA

Connecting Zscaler ZIA logs to your Panther Console

Overview

Panther supports ingesting Zscaler Internet and SaaS Access (ZIA) logs by using either an HTTP Source or an AWS S3 Source.

How to onboard Zscaler ZIA logs to Panther

To onboard Zscaler ZIA logs in Panther, you will first create a Zscaler ZIA source in Panther, then configure a Cloud NSS feed in Zscaler that delivers to it.

If you are onboarding more than one Zscaler ZIA log type in Panther:

  • In Zscaler, you must create a separate Cloud NSS feed for each log type (web, firewall, DNS, admin audit).

  • In Panther, you may create either one Zscaler ZIA source for all of your Cloud NSS feeds, or one Zscaler ZIA source per feed.

Prerequisites

  • You must have permission to access the Zscaler Admin Console.

Step 1: Set up the Zscaler ZIA source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. In the top right, click Create New.

  3. Search for "Zscaler ZIA", then click its tile.

  4. In the Transport Mechanism drop-down, select the Data Transport method you wish to use for this integration: HTTP or AWS S3 Bucket.

    • You can configure Zscaler to either stream ZIA logs directly to a Panther HTTP endpoint, or to an S3 bucket in your environment, which Panther will then pull from.

  5. Click Start Setup.

  6. Follow Panther's instructions for configuring the Data Transport method you chose:

Step 2 (for S3 ingest only): Set up an S3 bucket

Step 3: Configure a Cloud NSS Feed in the Zscaler admin console

If you are onboarding more than one Zscaler ZIA log type, you must create a separate Cloud NSS feed for each log type. Repeat this step once per feed.

If you are using HTTP as your Data Transport:

[Screenshot: the Add Cloud NSS Feed form, with its Feed Name, SIEM Type, and HTTP Headers fields]

Configure the Panther HTTP source to require an authentication header, and enter that same header under HTTP Headers on the feed; an unauthenticated ingest endpoint lets anyone who learns its URL inject events into your data lake.

Supported log types

Zscaler.ZIA.AdminAuditLog

The Admin Audit log records key events in the Zscaler admin console, such as logins, logouts, and resource actions (like create and update). The Admin Audit log is primarily used to investigate potentially suspicious activity or diagnose and troubleshoot errors.

References:

schema: Zscaler.ZIA.AdminAuditLog
description: Zscaler ZIA Admin Audit Log
referenceURL: https://help.zscaler.com/zia/nss-feed-output-format-admin-audit-logs
fields:
  - name: sourcetype
    required: true
    description: The type of source generating the log event.
    type: string
  - name: event
    required: true
    description: The audit log event.
    type: object
    fields:
      - name: time
        required: true
        description: The timestamp of the audit log.
        type: timestamp
        timeFormats:
          - '%a %b %e %H:%M:%S %Y'
        isEventTime: true
      - name: recordid
        required: true
        description: The unique identifier for the log.
        type: string
      - name: action
        required: true
        description: The action performed.
        type: string
      - name: category
        description: The location in the portal where the action was performed.
        type: string
      - name: subcategory
        description: The sub-location in the portal where the action was performed.
        type: string
      - name: resource
        description: The specific location within a sub-category.
        type: string
      - name: interface
        description: The means by which the user performed their actions.
        type: string
      - name: adminid
        description: The login id of the admin who performed the action.
        type: string
        indicators:
          - email
          - actor_id
      - name: clientip
        description: The source IP address for the admin.
        type: string
        indicators:
          - ip
      - name: result
        description: The outcome of an action.
        type: string
      - name: errorcode
        description: The error code if the action failed.
        type: string
      - name: auditlogtype
        description: The Admin Audit log type.
        type: string
      - name: preaction
        description: Data before any policy or configuration changes.
        type: json
      - name: postaction
        description: Data after any policy or configuration changes.
        type: json
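
The following is an added example, not Panther's or Zscaler's own code: it parses Admin Audit records in the sourcetype/event shape of the schema above, converts the `%a %b %e` timestamp, and diffs `preaction` against `postaction` so a rule can alert on admin-account changes that actually altered something. The sample records, the `zscalernss-audit` sourcetype value, the category/subcategory labels treated as risky, and the alert conditions are constructed assumptions.

```python
# Added example (not Panther's or Zscaler's code): parse Zscaler.ZIA.AdminAuditLog
# records as a Cloud NSS feed delivers them and flag risky admin activity.
# Field names follow the schema; the records, the subcategory labels treated as
# risky and the alert conditions are constructed assumptions.
import json
from datetime import datetime, timezone


def _audit_line(**fields):
    """Constructed feed line in the sourcetype/event shape of the schema."""
    event = {"time": "Mon Mar  4 10:02:11 2024", "interface": "UI", "auditlogtype": "ZIA",
             "adminid": "admin@example.com", "clientip": "203.0.113.10", "result": "SUCCESS",
             "errorcode": "None", "preaction": {}, "postaction": {}}
    event.update(fields)
    return json.dumps({"sourcetype": "zscalernss-audit", "event": event})


SAMPLE_LINES = [
    # failed console sign-in
    _audit_line(recordid="1001", action="SIGN_IN", category="LOGIN", subcategory="LOGIN",
                resource="None", result="FAILURE", errorcode="AUTHENTICATION_FAILED"),
    # an admin account promoted to Super Admin with password login re-enabled
    _audit_line(recordid="1002", time="Mon Mar  4 10:05:40 2024", action="UPDATE",
                category="ADMINISTRATOR_MANAGEMENT", subcategory="ADMINISTRATOR_ADMIN_USER",
                resource="jdoe@example.com",
                preaction={"role": {"name": "Read Only"}, "isPasswordLoginAllowed": False},
                postaction={"role": {"name": "Super Admin"}, "isPasswordLoginAllowed": True}),
    # a no-op save of a URL filtering rule via the API: nothing changed, no alert
    _audit_line(recordid="1003", time="Mon Mar  4 10:06:02 2024", action="UPDATE",
                category="URL_FILTERING", subcategory="URL_FILTERING_RULE", resource="Block Malware",
                interface="API", adminid="svc-api@example.com", clientip="198.51.100.7",
                preaction={"state": "ENABLED"}, postaction={"state": "ENABLED"}),
]

# The schema's '%a %b %e %H:%M:%S %Y': Python's strptime has no %e, but %d accepts
# the space-padded day that %e produces ("Mar  4").
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"


def event_time(event):
    """Event timestamp as an aware UTC datetime (feed times are assumed to be UTC)."""
    return datetime.strptime(event["time"], TIME_FORMAT).replace(tzinfo=timezone.utc)


def as_json(value):
    """preaction/postaction are JSON objects; tolerate a serialized string or an empty field."""
    if isinstance(value, str):
        return json.loads(value) if value.strip() and value != "None" else {}
    return value or {}


def config_diff(pre, post, path=""):
    """Dotted keys whose values differ between preaction and postaction -> (before, after)."""
    changes = {}
    for key in sorted(set(pre) | set(post)):
        here = f"{path}.{key}" if path else key
        before, after = pre.get(key), post.get(key)
        if isinstance(before, dict) and isinstance(after, dict):
            changes.update(config_diff(before, after, here))
        elif before != after:
            changes[here] = (before, after)
    return changes


RISKY_SUBCATEGORIES = {"ADMINISTRATOR_ADMIN_USER", "ADMINISTRATOR_ROLE"}  # assumed labels


def rule(event):
    """Panther-style rule: True means alert. Fires on a failed sign-in, or on a
    successful change to an admin account or role that actually altered a value."""
    if event.get("category") == "LOGIN" and event.get("result") == "FAILURE":
        return True
    if event.get("action") == "UPDATE" and event.get("result") == "SUCCESS":
        changed = config_diff(as_json(event.get("preaction")), as_json(event.get("postaction")))
        return event.get("subcategory") in RISKY_SUBCATEGORIES and bool(changed)
    return False


def title(event):
    """Alert title carrying who/where and the concrete before -> after values."""
    changed = config_diff(as_json(event.get("preaction")), as_json(event.get("postaction")))
    detail = ", ".join(f"{k}: {b!r} -> {a!r}" for k, (b, a) in changed.items()) or event.get("errorcode")
    return (f"ZIA admin {event.get('adminid')} from {event.get('clientip')}: "
            f"{event.get('action')} {event.get('subcategory')} ({detail})")


def evaluate(lines):
    """Run the rule over raw feed lines and return (recordid, title) for each alert."""
    alerts = []
    for line in lines:
        event = json.loads(line)["event"]
        if rule(event):
            alerts.append((event["recordid"], title(event)))
    return alerts
```

Diffing `preaction` against `postaction` rather than alerting on every `UPDATE` keeps no-op saves (record 1003) quiet while still surfacing exactly which attribute moved on record 1002.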

Zscaler.ZIA.WebLog

The Web Log records detailed information about user internet activity through Zscaler, including allowed and blocked requests to websites. It tracks URL categories, risk levels, and policy enforcement actions, making it essential for monitoring browsing behavior, enforcing compliance, and detecting potential threats.

References:

schema: Zscaler.ZIA.WebLog
description: Zscaler ZIA Web Log
referenceURL: https://help.zscaler.com/zia/nss-feed-output-format-web-logs
fields:
  - name: sourcetype
    required: true
    description: The type of source generating the log event.
    type: string
  - name: event
    required: true
    description: The web log event.
    type: object
    fields:
      - name: datetime
        required: true
        type: timestamp
        description: The time and date of the transaction
        timeFormats:
          - '%Y-%m-%d %H:%M:%S'
        isEventTime: true
      - name: reason
        type: string
        description: The action that the service took and the policy that was applied, if the transaction was blocked
      - name: event_id
        description: The unique record identifier for each log
        type: string
      - name: protocol
        description: The protocol type of the transaction
        type: string
      - name: action
        description: The action that the service took on the transaction
        type: string
      - name: transactionsize
        description: The total size of the HTTP transaction in bytes
        type: bigint
      - name: responsesize
        description: The total size of the HTTP response, including the header and payload, in bytes
        type: bigint
      - name: requestsize
        description: The request size in bytes
        type: bigint
      - name: ClientIP
        description: The IP address of the user
        type: string
        indicators:
          - ip
      - name: appclass
        description: The web application class of the application that was accessed.
        type: string
      - name: appname
        description: The name of the cloud application
        type: string
      - name: bwthrottle
        description: Indicates whether the transaction was throttled due to a configured bandwidth policy
        type: string
      - name: clientpublicIP
        description: The client public IP address
        type: string
        indicators:
          - ip
      - name: contenttype
        description: The name of the content type
        type: string
      - name: department
        description: The department of the user
        type: string
      - name: devicehostname
        description: The hostname of the device
        type: string
      - name: deviceowner
        description: The owner of the device
        type: string
      - name: dlpdictionaries
        description: The DLP dictionaries that were matched, if any
        type: string
      - name: dlpengine
        description: The DLP engine that was matched, if any
        type: string
      - name: fileclass
        description: The class of file downloaded during the transaction
        type: string
      - name: filetype
        description: Type of file involved in the transaction.
        type: string
      - name: hostname
        description: Hostname of the URL being accessed.
        indicators:
          - hostname
        type: string
      - name: keyprotectiontype
        description: Indicates whether an HSM Protection or a Software Protection intermediate CA certificate is used
        type: string
      - name: location
        description: The gateway location or sub-location of the source.
        type: string
      - name: pagerisk
        description: The Page Risk Index score of the destination URL.
        type: string
      - name: product
        description: The product name
        type: string
      - name: refererURL
        description: The referer URL
        type: string
      - name: requestmethod
        description: The request method
        type: string
      - name: serverip
        description: The destination server IP address. This displays 0.0.0.0 if the request was blocked.
        type: string
        indicators:
          - ip
      - name: status
        description: The response code
        type: string
      - name: threatcategory
        description: The category of malware that was detected in the transaction, if any
        type: string
      - name: threatclass
        description: The class of malware that was detected in the transaction, if any
        type: string
      - name: threatname
        description: The name of the threat that was detected in the transaction, if any
        type: string
      - name: unscannabletype
        description: The unscannable file type
        type: string
      - name: url
        required: true
        description: The destination URL
        type: string
        indicators:
          - url
      - name: urlcategory
        description: The category of the destination URL
        type: string
      - name: urlclass
        description: The class of the destination URL
        type: string
      - name: urlsupercategory
        description: The super category of the destination URL
        type: string
      - name: user
        required: true
        description: The user's login name in email address format
        type: string
        indicators:
          - email
          - actor_id
          - username
      - name: useragent
        description: The user agent
        type: string
      - name: vendor
        description: The vendor name
        type: string
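
The following is an added example, not Panther's or Zscaler's own code: two Panther-style rules run over Web Log events in the sourcetype/event shape of the schema above. One catches a transaction where a threat was named but the service still reported `Allowed`; the other catches a large `POST`/`PUT` to a destination with a high `pagerisk` or an uncategorized `urlclass`. The feed lines, the `zscalernss-web` sourcetype value, the use of the string `None` as an empty-field placeholder, the `Miscellaneous or Unknown` class name, and the thresholds are constructed assumptions.

```python
# Added example (not Panther's or Zscaler's code): Panther-style rules over
# Zscaler.ZIA.WebLog events. Field names follow the schema; the feed lines, the
# "None" placeholder convention and the thresholds are constructed assumptions.
import json
from datetime import datetime, timezone


def _web_line(event_id, **fields):
    """Constructed feed line in the sourcetype/event shape of the schema."""
    event = {"datetime": "2024-03-04 10:12:33", "event_id": event_id, "protocol": "HTTPS",
             "user": "jdoe@example.com", "department": "Finance", "ClientIP": "10.1.2.3",
             "requestmethod": "GET", "threatname": "None", "threatclass": "None",
             "pagerisk": "0", "requestsize": 812, "responsesize": 50233, "transactionsize": 51045}
    event.update(fields)
    return json.dumps({"sourcetype": "zscalernss-web", "event": event})


SAMPLE_LINES = [
    _web_line("7001", action="Allowed", reason="Allowed", url="www.example.com/", hostname="www.example.com",
              urlclass="Business Use", urlcategory="Corporate Marketing", serverip="93.184.216.34"),
    # blocked download; the schema notes serverip reads 0.0.0.0 when the request was blocked
    _web_line("7002", action="Blocked", reason="Blocked: Malware", url="bad.example.org/x.exe",
              hostname="bad.example.org", urlclass="Advanced Security", urlcategory="Malicious Content",
              threatname="Trojan.Generic", threatclass="Malware", serverip="0.0.0.0"),
    # threat named but allowed, e.g. by a policy exception
    _web_line("7003", action="Allowed", reason="Allowed", url="files.example.org/tool.zip",
              hostname="files.example.org", urlclass="Business Use", urlcategory="File Host",
              threatname="Eicar.Test.File", threatclass="Malware", serverip="198.51.100.20"),
    # 12 MiB POST to a high-risk, uncategorized host
    _web_line("7004", action="Allowed", reason="Allowed", requestmethod="POST", url="drop.example.net/upload",
              hostname="drop.example.net", urlclass="Miscellaneous or Unknown", urlcategory="Other Miscellaneous",
              pagerisk="85", requestsize=12 * 1024 * 1024, responsesize=310,
              transactionsize=12 * 1024 * 1024 + 310, serverip="203.0.113.77"),
]

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # the schema's web-log timeFormat


def event_time(event):
    """Event timestamp as an aware UTC datetime (feed times are assumed to be UTC)."""
    return datetime.strptime(event["datetime"], TIME_FORMAT).replace(tzinfo=timezone.utc)


def is_set(value):
    """Treat the placeholder string "None" (assumed) like a missing field."""
    return value not in (None, "", "None")


def to_int(value):
    """bigint fields may arrive as numbers or digit strings."""
    return int(value or 0)


def rule_threat_allowed(event):
    """A named threat that the service nonetheless let through."""
    return event.get("action") == "Allowed" and is_set(event.get("threatname"))


UPLOAD_BYTES = 5 * 1024 * 1024          # assumed threshold
RISKY_CLASSES = {"Miscellaneous or Unknown"}  # assumed class label
RISKY_PAGERISK = 60                      # assumed Page Risk Index cut-off


def rule_large_upload_to_risky_site(event):
    """Bulk upload to a destination that is uncategorized or scores high on page risk."""
    if event.get("requestmethod") not in ("POST", "PUT"):
        return False
    risky = event.get("urlclass") in RISKY_CLASSES or to_int(event.get("pagerisk")) >= RISKY_PAGERISK
    return risky and to_int(event.get("requestsize")) >= UPLOAD_BYTES


RULES = {"threat_allowed": rule_threat_allowed,
         "large_upload_to_risky_site": rule_large_upload_to_risky_site}


def evaluate(lines):
    """Map event_id -> names of the rules that fired, for each raw feed line."""
    hits = {}
    for line in lines:
        event = json.loads(line)["event"]
        fired = [name for name, fn in RULES.items() if fn(event)]
        if fired:
            hits[event["event_id"]] = fired
    return hits
```

Record 7002 is deliberately not an alert: the service already blocked it, and the `0.0.0.0` `serverip` is the tell that no connection was made. Alerting on the allowed case (7003) is what closes the gap a policy exception opens.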

Zscaler.ZIA.FWLog

The Firewall log records non-web traffic events handled by the Zscaler ZIA firewall, including source and destination IPs, protocols, ports, and session actions. It is used to monitor application usage, enforce network policies, and identify suspicious or unauthorized traffic patterns.

References:

schema: Zscaler.ZIA.FWLog
description: Zscaler ZIA Firewall Log
referenceURL: https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs
fields:
  - name: sourcetype
    required: true
    description: The type of source generating the log event.
    type: string
  - name: event
    required: true
    description: The firewall log event.
    type: object
    fields:
      - name: datetime
        required: true
        type: timestamp
        description: The time and date of the transaction
        timeFormats:
          - '%a %b %e %H:%M:%S %Y'
        isEventTime: true
      - name: action
        description: The action that the service took on the transaction, Allowed or Blocked
        type: string
      - name: aggregate
        description: Indicates whether the Firewall session is aggregated
        type: string
      - name: avgduration
        description: The average session duration, in milliseconds, if the sessions were aggregated
        type: bigint
      - name: cdip
        description: The client destination IP address
        type: string
        indicators:
          - ip
      - name: cdport
        description: The client destination port
        type: bigint
      - name: csip
        required: true
        description: The client source IP address
        type: string
        indicators:
          - ip
      - name: csport
        description: The client source port
        type: bigint
      - name: department
        description: The department of the user
        type: string
      - name: destcountry
        description: The abbreviated code of the country of the destination IP address
        type: string
      - name: devicehostname
        description: The hostname of the device
        type: string
      - name: deviceowner
        description: The owner of the device
        type: string
      - name: dnat
        description: Indicates if the destination NAT policy was applied
        type: string
      - name: duration
        description: The session or request duration in seconds
        type: bigint
      - name: durationms
        description: The session or request duration in milliseconds
        type: bigint
      - name: inbytes
        description: The number of bytes sent from the server to the client
        type: bigint
      - name: ipcat
        description: The URL category that corresponds to the server IP address
        type: string
      - name: ipsrulelabel
        description: The name of the IPS policy that was applied to the Firewall session
        type: string
      - name: locationname
        description: The name of the location from which the session was initiated
        type: string
      - name: numsessions
        description: The number of sessions that were aggregated
        type: bigint
      - name: nwapp
        description: The network application that was accessed
        type: string
      - name: nwsvc
        description: The network service that was used
        type: string
      - name: outbytes
        description: The number of bytes sent from the client to the server
        type: bigint
      - name: proto
        description: The type of IP protocol
        type: string
      - name: rulelabel
        description: The name of the rule that was applied to the transaction
        type: string
      - name: sdip
        description: The server destination IP address
        type: string
        indicators:
          - ip
      - name: sdport
        description: The server destination port
        type: bigint
      - name: ssip
        description: The server source IP address
        type: string
        indicators:
          - ip
      - name: ssport
        description: The server source port
        type: bigint
      - name: stateful
        description: Indicates if the Firewall session is stateful
        type: string
      - name: threatcat
        description: The category of the threat in the Firewall session by the IPS engine
        type: string
      - name: threatname
        description: The name of the threat detected in the Firewall session by the IPS engine
        type: string
      - name: tsip
        description: The tunnel IP address of the client (source)
        type: string
        indicators:
          - ip
      - name: tunsport
        description: The tunnel port
        type: bigint
      - name: tuntype
        description: The traffic forwarding method used to send the traffic to the Firewall
        type: string
      - name: user
        required: true
        description: The user's login name in email address format
        type: string
        indicators:
          - email
          - username
          - actor_id
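
The following is an added example, not Panther's or Zscaler's own code: detections over Firewall Log events in the sourcetype/event shape of the schema above. It honours the `aggregate`/`numsessions`/`avgduration` fields when rolling sessions up per destination, and then applies three checks: an IPS signature match, a lopsided upload, and a beaconing heuristic (many short sessions from one user to one destination). The sessions, the `zscalernss-fw` sourcetype value, the thresholds, and the heuristic itself are constructed assumptions.

```python
# Added example (not Panther's or Zscaler's code): detections over Zscaler.ZIA.FWLog
# events. Field names follow the schema; the sessions, the thresholds and the
# beaconing heuristic (many short sessions to one destination) are assumptions.
import json
from collections import defaultdict
from datetime import datetime, timezone


def _fw_line(**fields):
    """Constructed feed line in the sourcetype/event shape of the schema."""
    event = {"datetime": "Mon Mar  4 11:00:05 2024", "action": "Allowed", "aggregate": "No",
             "numsessions": 1, "avgduration": 0, "durationms": 1840, "duration": 1,
             "csip": "10.1.2.3", "csport": 51234, "ssip": "192.0.2.10", "ssport": 40000,
             "proto": "TCP", "rulelabel": "Default Firewall Rule", "threatname": "None",
             "threatcat": "None", "user": "jdoe@example.com", "department": "Finance", "destcountry": "US"}
    event.update(fields)
    return json.dumps({"sourcetype": "zscalernss-fw", "event": event})


SAMPLE_LINES = [
    _fw_line(cdip="93.184.216.34", cdport=443, sdip="93.184.216.34", sdport=443, nwapp="https",
             nwsvc="HTTPS", outbytes=4200, inbytes=188000),
    # 144 sessions averaging 230 ms, collapsed by Zscaler into one aggregated record
    _fw_line(aggregate="Yes", numsessions=144, avgduration=230, durationms=33120, cdip="203.0.113.55",
             cdport=8443, sdip="203.0.113.55", sdport=8443, nwapp="ssl", nwsvc="HTTPS",
             outbytes=43200, inbytes=28800),
    # IPS signature match, blocked
    _fw_line(action="Blocked", durationms=0, cdip="198.51.100.9", cdport=4444, sdip="198.51.100.9",
             sdport=4444, nwapp="unknown", nwsvc="TCP_4444", outbytes=0, inbytes=0,
             ipsrulelabel="Default IPS Rule", threatname="Trojan.Agent.C2", threatcat="Malware"),
    # 700 MiB out over SSH against 2 MiB back
    _fw_line(durationms=420000, duration=420, cdip="203.0.113.90", cdport=22, sdip="203.0.113.90",
             sdport=22, nwapp="ssh", nwsvc="SSH", outbytes=700 * 1024 * 1024, inbytes=2 * 1024 * 1024),
]

TIME_FORMAT = "%a %b %d %H:%M:%S %Y"  # schema's %e: Python's %d accepts the space-padded day


def event_time(event):
    """Event timestamp as an aware UTC datetime (feed times are assumed to be UTC)."""
    return datetime.strptime(event["datetime"], TIME_FORMAT).replace(tzinfo=timezone.utc)


def load_events(lines):
    """Unwrap the event object from each raw feed line."""
    return [json.loads(line)["event"] for line in lines]


def is_set(value):
    return value not in (None, "", "None")  # "None" placeholder is an assumption


def to_int(value):
    return int(value or 0)


def rule_ips_threat(event):
    """IPS named a signature; worth an alert whether or not the session was blocked."""
    return is_set(event.get("threatname"))


UPLOAD_BYTES = 100 * 1024 * 1024  # assumed threshold
OUT_IN_RATIO = 20                 # assumed: uploads dwarf what comes back


def rule_lopsided_upload(event):
    """Allowed session that pushed far more out than it pulled in."""
    out_b, in_b = to_int(event.get("outbytes")), to_int(event.get("inbytes"))
    return event.get("action") == "Allowed" and out_b >= UPLOAD_BYTES and out_b > OUT_IN_RATIO * max(in_b, 1)


def summarize_destinations(events):
    """Roll records up to (user, sdip, sdport), counting aggregated sessions properly."""
    summary = defaultdict(lambda: {"sessions": 0, "outbytes": 0, "inbytes": 0, "shortest_ms": None})
    for e in events:
        s = summary[(e.get("user"), e.get("sdip"), to_int(e.get("sdport")))]
        aggregated = e.get("aggregate") == "Yes"
        s["sessions"] += to_int(e.get("numsessions")) if aggregated else 1
        s["outbytes"] += to_int(e.get("outbytes"))
        s["inbytes"] += to_int(e.get("inbytes"))
        dur = to_int(e.get("avgduration")) if aggregated else to_int(e.get("durationms"))
        s["shortest_ms"] = dur if s["shortest_ms"] is None else min(s["shortest_ms"], dur)
    return dict(summary)


def beacon_candidates(summary, min_sessions=50, max_ms=1000):
    """Destinations a user hit many times with consistently short sessions."""
    return sorted(k for k, s in summary.items()
                  if s["sessions"] >= min_sessions and s["shortest_ms"] <= max_ms)
```

Reading `numsessions` and `avgduration` only when `aggregate` is `Yes` matters: an aggregated record is one line standing in for dozens of sessions, and a per-line count would hide exactly the repetitive traffic the beacon check is looking for.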

Zscaler.ZIA.DNSLog

The DNS Log captures all DNS queries and responses processed by Zscaler ZIA, including allowed, blocked, or unresolved domains. It provides visibility into domain usage, helps detect malicious or suspicious activity (such as DNS tunneling), and supports policy enforcement for secure DNS filtering.

References:

schema: Zscaler.ZIA.DNSLog
description: Zscaler ZIA DNS Log
referenceURL: https://help.zscaler.com/zia/nss-feed-output-format-dns-logs
fields:
  - name: sourcetype
    required: true
    description: The type of source generating the log event.
    type: string
  - name: event
    required: true
    description: The DNS log event.
    type: object
    fields:
      - name: datetime
        required: true
        type: timestamp
        description: The time and date of the transaction
        timeFormats:
          - '%a %b %e %H:%M:%S %Y'
        isEventTime: true
      - name: category
        type: string
        description: The event category
      - name: clt_sip
        description: The IP address of the user
        type: string
        indicators:
          - ip
      - name: department
        description: The department of the user
        type: string
      - name: devicehostname
        description: The hostname of the device
        type: string
      - name: deviceowner
        description: The owner of the device
        type: string
      - name: dns_req
        description: The DNS request
        type: string
        indicators:
          - domain
      - name: dns_reqtype
        required: true
        description: The DNS request type
        type: string
      - name: dns_resp
        description: The DNS response
        type: string
      - name: durationms
        description: The duration of the DNS request in milliseconds
        type: bigint
      - name: location
        description: The event location
        type: string
      - name: reqaction
        description: The name of the action that was applied to the DNS request
        type: string
      - name: reqrulelabel
        description: The name of the rule that was applied to the DNS request
        type: string
      - name: resaction
        description: The name of the action that was applied to the DNS response
        type: string
      - name: respipcategory
        description: The response IP category
        type: string
      - name: resrulelabel
        description: The name of the rule that was applied to the DNS response
        type: string
      - name: srv_dip
        description: The server IP
        type: string
        indicators:
          - ip
      - name: srv_dport
        description: The server port
        type: bigint
      - name: user
        required: true
        description: The login name in email address format
        type: string
        indicators:
          - email
          - username
          - actor_id
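
The following is an added example, not Panther's or Zscaler's own code: the DNS-tunneling check the paragraph above alludes to, run over DNS Log events in the sourcetype/event shape of the schema. Each query is scored on name length, entropy of its first label, and record type; queries are then grouped by user and parent domain, and a group is flagged when it contains many unique names and most of them tripped a per-query heuristic. The traffic, the `zscalernss-dns` sourcetype value, the thresholds, and the crude two-label "parent domain" rule (no public-suffix list) are constructed assumptions.

```python
# Added example (not Panther's or Zscaler's code): DNS-tunneling heuristics over
# Zscaler.ZIA.DNSLog events. Field names follow the schema; the sample traffic,
# the thresholds and the two-label "parent domain" rule are assumptions.
import hashlib
import json
import math
from collections import defaultdict


def _dns_line(user, name, qtype, resp):
    """Constructed feed line in the sourcetype/event shape of the schema."""
    return json.dumps({"sourcetype": "zscalernss-dns", "event": {
        "datetime": "Mon Mar  4 12:00:00 2024", "user": user, "clt_sip": "10.1.2.3",
        "dns_req": name, "dns_reqtype": qtype, "dns_resp": resp, "reqaction": "Allowed",
        "resaction": "Allowed", "durationms": 12, "location": "HQ", "department": "Finance",
        "srv_dip": "192.0.2.53", "srv_dport": 53}})


SAMPLE_LINES = [
    _dns_line("jdoe@example.com", "www.example.com", "A", "93.184.216.34"),
    _dns_line("jdoe@example.com", "mail.example.com", "MX", "10 mail.example.com"),
    _dns_line("asmith@example.com", "cdn.example.org", "AAAA", "2001:db8::1"),
] + [
    # 24 unique, random-looking labels under one domain, as a tunnelling client emits
    _dns_line("jdoe@example.com",
              hashlib.sha256(str(i).encode()).hexdigest()[:40] + ".tun.example.net",
              "TXT", "NOERROR")
    for i in range(24)
]


def load_events(lines):
    """Unwrap the event object from each raw feed line."""
    return [json.loads(line)["event"] for line in lines]


def shannon_entropy(text):
    """Bits per character: random hex tops out at 4, dictionary words sit near 3."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))


def parent_domain(name):
    """Crude registrable-domain guess: the last two labels (assumption, no PSL)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


SUSPICIOUS_TYPES = {"TXT", "NULL"}  # record types that carry arbitrary payload


def query_reasons(event, max_len=50, min_label=20, min_entropy=3.5):
    """Per-query heuristics; returns the list of reasons that fired (assumed thresholds)."""
    name = event.get("dns_req", "")
    first = name.split(".")[0]
    reasons = []
    if len(name) >= max_len:
        reasons.append("long_name")
    if len(first) >= min_label and shannon_entropy(first) >= min_entropy:
        reasons.append("high_entropy_label")
    if event.get("dns_reqtype") in SUSPICIOUS_TYPES:
        reasons.append("record_type")
    return reasons


def tunnel_suspects(lines, min_unique=20):
    """(user, parent domain) pairs with many unique names, most of them suspicious."""
    groups = defaultdict(lambda: {"names": set(), "queries": 0, "flagged": 0})
    for event in load_events(lines):
        g = groups[(event.get("user"), parent_domain(event.get("dns_req", "")))]
        g["names"].add(event.get("dns_req"))
        g["queries"] += 1
        g["flagged"] += bool(query_reasons(event))
    return sorted(k for k, g in groups.items()
                  if len(g["names"]) >= min_unique and g["flagged"] * 2 >= g["queries"])
```

Grouping by user and parent domain is what separates a tunnel from ordinary noise: a CDN also produces long, hash-like names, but rarely twenty-plus unique ones under one zone from one user with TXT as the record type.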
