In Zscaler, you must create a different NSS Cloud Feed for each log type.
In Panther, you may create either one Zscaler ZIA source for all of your NSS Cloud Feeds, or one Zscaler ZIA source for each NSS Cloud Feed.
Prerequisites
You must have permission to access the Zscaler Admin Console.
Step 1: Set up the Zscaler ZIA source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
In the top right, click Create New.
Search for "Zscaler ZIA", then click its tile.
In the Transport Mechanism drop-down, select the Data Transport method you wish to use for this integration: HTTP or AWS S3 Bucket.
You can configure Zscaler to either stream ZIA logs directly to a Panther HTTP endpoint, or to an S3 bucket in your environment, which Panther will then pull from.
Click Start Setup.
Follow Panther's instructions for configuring the Data Transport method you chose:
Stop when you reach Add a Cloud NSS Feed in the ZIA Admin Portal, as you will complete that in the next step.
Step 3: Configure a Cloud NSS Feed in the Zscaler admin console
If you are onboarding more than one Zscaler ZIA log type, you must create a different NSS Cloud Feed for each log type. Repeat this step for each log type.
If you are using HTTP as your Data Transport:
Follow the guide within the Zscaler Adding Cloud NSS Feeds documentation that matches the log type you are onboarding:
When configuring the Cloud NSS Feed, take note of the following:
NSS Type: Select NSS for Web if you want to onboard Admin Audit or Web log types, or NSS for Firewall to onboard Firewall or DNS log types.
SIEM Rate: Leave as Unlimited.
SIEM Type: Select Other.
OAuth 2.0 Authentication: This setting should be disabled.
Max Batch Size: Leave as-is.
API URL: Enter the HTTP Source URL you generated in the Panther Console in Step 1.
HTTP Headers: In the Key field, enter x-panther-zscaler. In the Value field, enter the Shared Secret Value you generated or entered in Panther in Step 1.
Log Type: Select the log type for which you want to send logs to Panther, and leave the rest of the fields as they are.
Zscaler.ZIA.AdminAuditLog
The Admin Audit log records key events in the Zscaler admin console, such as logins, logouts, and resource actions (like create and update). The Admin Audit log is primarily used to investigate potentially suspicious activity or diagnose and troubleshoot errors.
schema: Zscaler.ZIA.AdminAuditLog
description: Zscaler ZIA Admin Audit Log
referenceURL: https://help.zscaler.com/zia/nss-feed-output-format-admin-audit-logs
fields:
  - name: sourcetype
    required: true
    description: The type of source generating the log event.
    type: string
  - name: event
    required: true
    description: The audit log event.
    type: object
    fields:
      - name: time
        required: true
        description: The timestamp of the audit log.
        type: timestamp
        timeFormats:
          - '%a %b %e %H:%M:%S %Y'
        isEventTime: true
      - name: recordid
        required: true
        description: The unique identifier for the log.
        type: string
      - name: action
        required: true
        description: The action performed.
        type: string
      - name: category
        description: The location in the portal where the action was performed.
        type: string
      - name: subcategory
        description: The sub-location in the portal where the action was performed.
        type: string
      - name: resource
        description: The specific location within a sub-category.
        type: string
      - name: interface
        description: The means by which the user performed their actions.
        type: string
      - name: adminid
        description: The login id of the admin who performed the action.
        type: string
        indicators:
          - email
          - actor_id
      - name: clientip
        description: The source IP address for the admin.
        type: string
        indicators:
          - ip
      - name: result
        description: The outcome of an action.
        type: string
      - name: errorcode
        description: The error code if the action failed.
        type: string
      - name: auditlogtype
        description: The Admin Audit log type.
        type: string
      - name: preaction
        description: Data before any policy or configuration changes.
        type: json
      - name: postaction
        description: Data after any policy or configuration changes.
        type: json
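As an added example (not code from Panther or Zscaler), the following Panther-style Python rule consumes Zscaler.ZIA.AdminAuditLog events shaped like the schema above: it fires only when an admin action actually changed configuration, and it reports the keys that differ between the preaction and postaction JSON so the alert says what changed. Events are treated as plain dicts (deep_get stands in for Panther's event.deep_get), and the sample event and all of its values are constructed.

```python
import json
from typing import Any

def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts (like Panther's event.deep_get) without raising."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key, default)
    return obj

def json_diff(before: Any, after: Any, path: str = "") -> dict:
    """Recursively compare two JSON values; return {dotted.path: (old, new)}."""
    if isinstance(before, dict) and isinstance(after, dict):
        changes = {}
        for key in sorted(set(before) | set(after)):
            sub = f"{path}.{key}" if path else key
            changes.update(json_diff(before.get(key), after.get(key), sub))
        return changes
    return {} if before == after else {path or "$": (before, after)}

def _changes(event: dict) -> dict:
    before = deep_get(event, "event", "preaction", default={})
    after = deep_get(event, "event", "postaction", default={})
    return json_diff(before, after)

def rule(event: dict) -> bool:
    """Fire only when the admin action changed configuration (logins do not)."""
    return bool(_changes(event))

def title(event: dict) -> str:
    admin = deep_get(event, "event", "adminid", default="<unknown admin>")
    resource = deep_get(event, "event", "resource", default="<unknown resource>")
    return f"Zscaler ZIA config change to {resource} by {admin}"

def alert_context(event: dict) -> dict:
    """Who made the change, from where, through which interface, and what changed."""
    return {
        "admin": deep_get(event, "event", "adminid"),
        "client_ip": deep_get(event, "event", "clientip"),
        "interface": deep_get(event, "event", "interface"),
        "changed": {k: {"old": o, "new": n} for k, (o, n) in _changes(event).items()},
    }

# Constructed sample in the shape the NSS feed delivers; every value is made up.
SAMPLE_EVENT = json.loads("""{"sourcetype": "zscalernss-audit", "event": {
 "time": "Tue Jun 10 14:03:21 2025", "recordid": "1001", "action": "UPDATE",
 "resource": "Block Malware Sites", "interface": "UI", "adminid": "admin@example.com",
 "clientip": "203.0.113.7", "preaction": {"state": "ENABLED", "urls": ["a.test"]},
 "postaction": {"state": "DISABLED", "urls": ["a.test", "b.test"]}}}""")
```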
Zscaler.ZIA.WebLog
The Web Log records detailed information about user internet activity through Zscaler, including allowed and blocked requests to websites. It tracks URL categories, risk levels, and policy enforcement actions, making it essential for monitoring browsing behavior, enforcing compliance, and detecting potential threats.
schema: Zscaler.ZIA.WebLog
description: Zscaler ZIA Web Log
referenceURL: https://help.zscaler.com/zia/nss-feed-output-format-web-logs
fields:
  - name: sourcetype
    required: true
    description: The type of source generating the log event.
    type: string
  - name: event
    required: true
    description: The web log event.
    type: object
    fields:
      - name: datetime
        required: true
        type: timestamp
        description: The time and date of the transaction
        timeFormats:
          - '%Y-%m-%d %H:%M:%S'
        isEventTime: true
      - name: reason
        type: string
        description: The action that the service took and the policy that was applied, if the transaction was blocked
      - name: event_id
        description: The unique record identifier for each log
        type: string
      - name: protocol
        description: The protocol type of the transaction
        type: string
      - name: action
        description: The action that the service took on the transaction
        type: string
      - name: transactionsize
        description: The total size of the HTTP transaction in bytes
        type: bigint
      - name: responsesize
        description: The total size of the HTTP response, including the header and payload, in bytes
        type: bigint
      - name: requestsize
        description: The request size in bytes
        type: bigint
      - name: ClientIP
        description: The IP address of the user
        type: string
        indicators:
          - ip
      - name: appclass
        description: The web application class of the application that was accessed.
        type: string
      - name: appname
        description: The name of the cloud application
        type: string
      - name: bwthrottle
        description: Indicates whether the transaction was throttled due to a configured bandwidth policy
        type: string
      - name: clientpublicIP
        description: The client public IP address
        type: string
        indicators:
          - ip
      - name: contenttype
        description: The name of the content type
        type: string
      - name: department
        description: The department of the user
        type: string
      - name: devicehostname
        description: The hostname of the device
        type: string
      - name: deviceowner
        description: The owner of the device
        type: string
      - name: dlpdictionaries
        description: The DLP dictionaries that were matched, if any
        type: string
      - name: dlpengine
        description: The DLP engine that was matched, if any
        type: string
      - name: fileclass
        description: The class of file downloaded during the transaction
        type: string
      - name: filetype
        description: Type of file involved in the transaction.
        type: string
      - name: hostname
        description: Hostname of the URL being accessed.
        indicators:
          - hostname
        type: string
      - name: keyprotectiontype
        description: Indicates whether an HSM Protection or a Software Protection intermediate CA certificate is used
        type: string
      - name: location
        description: The gateway location or sub-location of the source.
        type: string
      - name: pagerisk
        description: The Page Risk Index score of the destination URL.
        type: bigint
      - name: product
        description: The product name
        type: string
      - name: refererURL
        description: The referer URL
        type: string
      - name: requestmethod
        description: The request method
        type: string
      - name: serverip
        description: The destination server IP address. This displays 0.0.0.0 if the request was blocked.
        type: string
        indicators:
          - ip
      - name: status
        description: The response code
        type: bigint
      - name: threatcategory
        description: The category of malware that was detected in the transaction, if any
        type: string
      - name: threatclass
        description: The class of malware that was detected in the transaction, if any
        type: string
      - name: threatname
        description: The name of the threat that was detected in the transaction, if any
        type: string
      - name: unscannabletype
        description: The unscannable file type
        type: string
      - name: url
        required: true
        description: The destination URL
        type: string
        indicators:
          - url
      - name: urlcategory
        description: The category of the destination URL
        type: string
      - name: urlclass
        description: The class of the destination URL
        type: string
      - name: urlsupercategory
        description: The super category of the destination URL
        type: string
      - name: user
        required: true
        description: The user's login name in email address format
        type: string
        indicators:
          - email
          - actor_id
          - username
      - name: useragent
        description: The user agent
        type: string
      - name: vendor
        description: The vendor name
        type: string
Zscaler.ZIA.FWLog
The firewall log records non-web traffic events managed by Zscaler ZIA firewall, including details about source and destination IPs, protocols, ports, and session actions. It is used to monitor application usage, enforce network policies, and identify suspicious or unauthorized traffic patterns.
schema: Zscaler.ZIA.FWLog
description: Zscaler ZIA Firewall Log
referenceURL: https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs
fields:
  - name: sourcetype
    required: true
    description: The type of source generating the log event.
    type: string
  - name: event
    required: true
    description: The firewall log event.
    type: object
    fields:
      - name: datetime
        required: true
        type: timestamp
        description: The time and date of the transaction
        timeFormats:
          - '%a %b %e %H:%M:%S %Y'
        isEventTime: true
      - name: action
        description: The action that the service took on the transaction, Allowed or Blocked
        type: string
      - name: aggregate
        description: Indicates whether the Firewall session is aggregated
        type: string
      - name: avgduration
        description: The average session duration, in milliseconds, if the sessions were aggregated
        type: bigint
      - name: cdip
        description: The client destination IP address
        type: string
        indicators:
          - ip
      - name: cdport
        description: The client source port
        type: bigint
      - name: csip
        required: true
        description: The client source IP address
        type: string
        indicators:
          - ip
      - name: csport
        description: The client source port
        type: bigint
      - name: department
        description: The department of the user
        type: string
      - name: destcountry
        description: The abbreviated code of the country of the destination IP address
        type: string
      - name: devicehostname
        description: The hostname of the device
        type: string
      - name: deviceowner
        description: The owner of the device
        type: string
      - name: dnat
        description: Indicates if the destination NAT policy was applied
        type: string
      - name: duration
        description: The session or request duration in seconds
        type: bigint
      - name: durationms
        description: The session or request duration in milliseconds
        type: bigint
      - name: inbytes
        description: The number of bytes sent from the server to the client
        type: bigint
      - name: ipcat
        description: The URL category that corresponds to the server IP address
        type: string
      - name: ipsrulelabel
        description: The name of the IPS policy that was applied to the Firewall session
        type: string
      - name: locationname
        description: The name of the location from which the session was initiated
        type: string
      - name: numsessions
        description: The number of sessions that were aggregated
        type: bigint
      - name: nwapp
        description: The network application that was accessed
        type: string
      - name: nwsvc
        description: The network service that was used
        type: string
      - name: outbytes
        description: The number of bytes sent from the client to the server
        type: bigint
      - name: proto
        description: The type of IP protocol
        type: string
      - name: rulelabel
        description: The name of the rule that was applied to the transaction
        type: string
      - name: sdip
        description: The server destination IP address
        type: string
        indicators:
          - ip
      - name: sdport
        description: The server destination port
        type: bigint
      - name: ssip
        description: The server source IP address
        type: string
        indicators:
          - ip
      - name: ssport
        description: The server source port
        type: bigint
      - name: stateful
        description: Indicates if the Firewall session is stateful
        type: string
      - name: threatcat
        description: The category of the threat in the Firewall session by the IPS engine
        type: string
      - name: threatname
        description: The name of the threat detected in the Firewall session by the IPS engine
        type: string
      - name: tsip
        description: The tunnel IP address of the client (source)
        type: string
        indicators:
          - ip
      - name: tunsport
        description: The tunnel port
        type: bigint
      - name: tuntype
        description: The traffic forwarding method used to send the traffic to the Firewall
        type: string
      - name: user
        required: true
        description: The user's login name in email address format
        type: string
        indicators:
          - email
          - username
          - actor_id
Zscaler.ZIA.DNSLog
The DNS Log captures all DNS queries and responses processed by Zscaler ZIA, including allowed, blocked, or unresolved domains. It provides visibility into domain usage, helps detect malicious or suspicious activity (such as DNS tunneling), and supports policy enforcement for secure DNS filtering.
schema: Zscaler.ZIA.DNSLog
description: Zscaler ZIA DNS Log
referenceURL: https://help.zscaler.com/zia/nss-feed-output-format-dns-logs
fields:
  - name: sourcetype
    required: true
    description: The type of source generating the log event.
    type: string
  - name: event
    required: true
    description: The dns log event.
    type: object
    fields:
      - name: datetime
        required: true
        type: timestamp
        description: The time and date of the transaction
        timeFormats:
          - '%a %b %e %H:%M:%S %Y'
        isEventTime: true
      - name: category
        type: string
        description: The event category
      - name: clt_sip
        description: The IP address of the user
        type: string
        indicators:
          - ip
      - name: department
        description: The department of the user
        type: string
      - name: devicehostname
        description: The hostname of the device
        type: string
      - name: deviceowner
        description: The owner of the device
        type: string
      - name: dns_req
        description: The DNS request
        type: string
        indicators:
          - domain
      - name: dns_reqtype
        required: true
        description: The DNS request type
        type: string
      - name: dns_resp
        description: The DNS response
        type: string
      - name: durationms
        description: The duration of the DNS request in milliseconds
        type: bigint
      - name: location
        description: The event location
        type: string
      - name: reqaction
        description: The name of the action that was applied to the DNS request
        type: string
      - name: reqrulelabel
        description: The name of the rule that was applied to the DNS request
        type: string
      - name: resaction
        description: The name of the action that was applied to the DNS response
        type: string
      - name: respipcategory
        description: The response IP category
        type: string
      - name: resrulelabel
        description: The name of the rule that was applied to the DNS response
        type: string
      - name: srv_dip
        description: The server IP
        type: string
        indicators:
          - ip
      - name: srv_dport
        description: The server port
        type: bigint
      - name: user
        required: true
        description: The login name in email address format
        type: string
        indicators:
          - email
          - username
          - actor_id