Last updated
Was this helpful?
Last updated
Was this helpful?
Panther supports ingesting Internet and SaaS Access (ZIA) logs by using either an HTTP Source or an AWS S3 Source.
In order to onboard Zscaler ZIA logs in Panther, you must have a subscription to Zscaler ZIA.
To onboard Zscaler ZIA logs in Panther, you will first create a Zscaler ZIA source in Panther, then configure a NSS Cloud Feed in Zscaler.
If you are onboarding more than one in Panther:
In Zscaler, you must create a different NSS Cloud Feed for each log type.
In Panther, you may create either one Zscaler ZIA source for all of your NSS Cloud Feeds, or one Zscaler ZIA source for each NSS Cloud Feed.
You must have permission to access to the Zscaler Admin Console.
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
In the top right, click Create New.
Search for "Zscaler ZIA", then click its tile.
In the Transport Mechanism drop-down, select the method you wish to use for this integration: HTTP or AWS S3 Bucket.
You can configure Zscaler to either stream ZIA logs directly to a Panther HTTP endpoint, or to an S3 bucket in your environment, which Panther will then pull from.
Click Start Setup.
Follow Panther's instructions for configuring the Data Transport method you chose:
HTTP: Follow Panther's , beginning at Step 5.
During setup, on the Configure page, you will be required to use .
Payloads sent to this source are subject to the .
Do not proceed to the next step until the creation of your HTTP endpoint has completed.
S3: Follow .
Follow the , beginning at Step 1.5.
Stop when you reach Add a Cloud NSS Feed in the ZIA Admin Portal (on page 37), as you will complete that in the next step.
If you are using HTTP as your Data Transport:
When configuring the Cloud NSS Feed, take note of the following:
NSS Type: Select NSS for Web if you want to onboard Admin Audit or Web log types, or NSS for Web to onboard Firewall or DNS log types.
SIEM Rate: Leave as Unlimited.
SIEM Type: Select Other.
OAuth 2.0 Authentication: This setting should be disabled.
Max Batch Size: Leave as-is.
Log Type: Select the log type for which you want to send logs to Panther, and leave the rest of the fields as they are.
The Admin Audit log records key events in the Zscaler admin console, such as logins, logouts, and resource actions (like create and update). The Admin Audit log is primarily used to investigate potentially suspicious activity or diagnose and troubleshoot errors.
References:
The Web Log records detailed information about user internet activity through Zscaler, including allowed and blocked requests to websites. It tracks URL categories, risk levels, and policy enforcement actions, making it essential for monitoring browsing behavior, enforcing compliance, and detecting potential threats.
References:
The firewall log records non-web traffic events managed by Zscaler ZIA firewall, including details about source and destination IPs, protocols, ports, and session actions. It is used to monitor application usage, enforce network policies, and identify suspicious or unauthorized traffic patterns.
References:
The DNS Log captures all DNS queries and responses processed by Zscaler ZIA, including allowed, blocked, or unresolved domains. It provides visibility into domain usage, helps detect malicious or suspicious activity (such as DNS tunneling), and supports policy enforcement for secure DNS filtering.
References:
In this , follow the Integrating Zscaler Cloud NSS with Amazon S3 instructions, beginning on page 18.
If you are onboarding more than one , you must create a different NSS Cloud Feed for each log type. Repeat this step for each log type.
Follow guide within the Zscaler documentation based on the log type you are onboarding:
For , follow .
For , follow .
For , follow .
For , follow .
API URL: Enter the HTTP Source URL you generated in the Panther Console in .
HTTP Headers: In the Key field, enter x-panther-zscaler. In the Value field, enter the Shared Secret Value you generated or entered in Panther in .
In this , follow the Add a Cloud NSS Feed in the ZIA Admin Portal instructions, beginning on page 37.
Connecting Zscaler ZIA logs to your Panther Console
