Zscaler ZIA

Connecting Zscaler ZIA logs to your Panther Console

Overview

Panther supports ingesting Zscaler Internet and SaaS Access (ZIA) Admin Audit logs by using either an HTTP Source or an AWS S3 Source.

In order to onboard Zscaler ZIA Admin Audit logs in Panther, you must have a subscription to Zscaler ZIA.

How to onboard Zscaler ZIA logs to Panther

To onboard Zscaler ZIA log in Panther, you will first create a Zscaler ZIA source in Panther, then configure a NSS Cloud Feed in Zscaler.

Prerequisites

You must have permission to access to the Zscaler Admin Console.

Step 1: Set up the Zscaler ZIA source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
In the top right, click Create New.
Search for "Zscaler ZIA", then click its tile.
In the Transport Mechanism drop-down, select the Data Transport method you wish to use for this integration: HTTP or AWS S3 Bucket.
- You can configure Zscaler to either stream ZIA logs directly to a Panther HTTP endpoint, or to an S3 bucket in your environment, which Panther will then pull from.
Click Start Setup.
Follow Panther's instructions for configuring the Data Transport method you chose:
- HTTP: Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
  - During setup, on the security configuration page, you will be required to use shared secret authentication.
  - Payloads sent to this source are subject to the payload requirements for all HTTP sources.
  - Do not proceed to the next step until the creation of your HTTP endpoint has completed.
- S3: Follow Panther's instructions for configuring an S3 Source.
  - Follow the instructions on setting up an S3 source in Panther, beginning at Step 1.5.

Step 2 (for S3 ingest only): Set up an S3 bucket

In this Zscaler SaaS Security API and Amazon S3 Deployment Guide, follow the Integrating Zscaler Cloud NSS with Amazon S3 instructions, beginning on page 17.
- Stop when you reach Add a Cloud NSS Feed in the ZIA Admin Portal (on page 35), as you will complete that in the next step.

Step 3: Configure a Cloud NSS Feed in the Zscaler admin console

If you are using HTTP as your Data Transport:

Follow the instructions in this Zscaler documentation: Adding Cloud NSS Feeds for Admin Audit Logs.
- SIEM Rate: Leave as Unlimited.
- SIEM Type: Select Other.
- OAuth 2.0 Authentication: This setting should be disabled.
- Max Batch Size: Leave as-is.
- API URL: Enter the HTTP Source URL you generated in the Panther Console in Step 1.
- HTTP Headers: In the Key field, enter x-panther-zscaler. In the Value field, enter the Shared Secret Value you generated or entered in Panther in Step 1.
- Log Type: Select Admin Audit, and leave the rest of the fields as they are.

Supported log types

Zscaler.ZIA.AdminAuditLog

The Admin Audit log records key events in the Zscaler admin console, such as logins, logouts, and resource actions (like create and update). The Admin Audit log is primarily used to investigate potentially suspicious activity or diagnose and troubleshoot errors.

References:

schema: Zscaler.ZIA.AdminAuditLog
description: Zscaler ZIA Admin Audit Log
referenceURL: https://help.zscaler.com/zia/nss-feed-output-format-admin-audit-logs
fields:
  - name: sourcetype
    required: true
    description: The type of source generating the log event.
    type: string
  - name: event
    required: true
    description: The audit log event.
    type: object
    fields:
      - name: time
        required: true
        description: The timestamp of the audit log.
        type: timestamp
        timeFormats:
          - '%a %b %e %H:%M:%S %Y'
        isEventTime: true
      - name: recordid
        required: true
        description: The unique identifier for the log.
        type: string
      - name: action
        required: true
        description: The action performed.
        type: string
      - name: category
        description: The location in the portal where the action was performed.
        type: string
      - name: subcategory
        description: The sub-location in the portal where the action was performed.
        type: string
      - name: resource
        description: The specific location within a sub-category.
        type: string
      - name: interface
        description: The means by which the user performed their actions.
        type: string
      - name: adminid
        description: The login id of the admin who performed the action.
        type: string
        indicators:
          - email
          - actor_id
      - name: clientip
        description: The source IP address for the admin.
        type: string
        indicators:
          - ip
      - name: result
        description: The outcome of an action.
        type: string
      - name: errorcode
        description: The error code if the action failed.
        type: string
      - name: auditlogtype
        description: The Admin Audit log type.
        type: string
      - name: preaction
        description: Data before any policy or configuration changes.
        type: json
      - name: postaction
        description: Data after any policy or configuration changes.
        type: json

PreviousZscaler Logs NextZscaler ZPA

Last updated 1 month ago

How to onboard Zscaler ZIA logs to Panther

To onboard Zscaler ZIA log in Panther, you will first create a Zscaler ZIA source in Panther, then configure a NSS Cloud Feed in Zscaler.

Prerequisites

You must have permission to access to the Zscaler Admin Console.

Step 1: Set up the Zscaler ZIA source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

In the top right, click Create New.

Search for "Zscaler ZIA", then click its tile.

In the Transport Mechanism drop-down, select the Data Transport method you wish to use for this integration: HTTP or AWS S3 Bucket.

You can configure Zscaler to either stream ZIA logs directly to a Panther HTTP endpoint, or to an S3 bucket in your environment, which Panther will then pull from.

Click Start Setup.

Follow Panther's instructions for configuring the Data Transport method you chose:

HTTP: Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
- During setup, on the security configuration page, you will be required to use shared secret authentication.
- Payloads sent to this source are subject to the payload requirements for all HTTP sources.
- Do not proceed to the next step until the creation of your HTTP endpoint has completed.
S3: Follow Panther's instructions for configuring an S3 Source.
- Follow the instructions on setting up an S3 source in Panther, beginning at Step 1.5.