Zscaler Internet Access (ZIA)

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types            | Table name                      | Log format      | Collection method
--------------------------------|---------------------------------|-----------------|------------------
Zscaler ZIA Web logs            | zscaler_zia                     | NDJSON          | S3
Zscaler ZIA DNS logs            | zscaler_zia_dns                 | NDJSON          | S3
Zscaler ZIA Firewall logs       | zscaler_zia_firewall            | NDJSON          | S3
Zscaler ZIA Audit logs          | zscaler_zia_audit_logs          | NDJSON          | S3
Zscaler Cloud NSS logs          | zscaler_nss_logs                | NDJSON          | S3
Zscaler Custom Transformer Logs | zscaler-custom-transformer-logs | Nested JSON CEF | S3


Overview

Zscaler Internet Access (ZIA) is a cloud-delivered secure web gateway that provides internet security and access control for organizations. It protects users by inspecting web traffic in real time, blocking threats like malware, phishing, and zero-day attacks. ZIA enforces security policies, enables secure remote work, and prevents data leaks by integrating with cloud applications and monitoring user activity. By operating as a cloud-native service, ZIA eliminates the need for traditional on-premises security appliances, offering scalable and seamless protection across distributed workforces.

Supported data types

Zscaler ZIA Web logs

Table name: zscaler_zia

Zscaler Internet Access (ZIA) web logs provide detailed records of web traffic and user activities within the Zscaler cloud security platform. These logs capture information such as URLs accessed, user identities, timestamps, request methods, response codes, and categories of web content.

Learn more here.

Zscaler ZIA DNS logs

Table name: zscaler_zia_dns

Zscaler Internet Access (ZIA) DNS logs provide detailed records of DNS queries and responses within the Zscaler cloud security platform. These logs capture information such as domain names, IP addresses, query types, response codes, timestamps, and user identities.

Learn more here.

Zscaler ZIA Firewall logs

Table name: zscaler_zia_firewall

Zscaler Internet Access (ZIA) Firewall logs provide detailed records of network traffic and security events within the Zscaler cloud security platform. These logs capture information such as source and destination IP addresses, port numbers, protocol types, timestamps, and action taken by the firewall (e.g., allow, block, alert).

Learn more here.

Zscaler ZIA Audit logs

Table name: zscaler_zia_audit_logs

Zscaler Internet Access (ZIA) Audit logs provide comprehensive records of user activities, administrative changes, and security events within the Zscaler cloud security platform. These logs capture a wide range of information, including user login/logout events, configuration changes, policy violations, and system alerts.

Learn more here.

Zscaler Cloud NSS logs

Table name: zscaler_nss_logs

Zscaler's Nanolog Streaming Service (NSS) is a family of products that enables the Zscaler cloud to exchange event logs with third-party security devices.

NSS streams all logs from the Zscaler Nanolog to your security information and event management (SIEM) system through one of the following offerings:

  • Virtual machine (VM)-based NSS: Uses a VM set within your network to stream logs to your SIEM over a raw TCP connection.

  • Cloud NSS: Uses an HTTPS API feed to push logs to an HTTPS API-based log collector on your SIEM.

Zscaler Cloud NSS allows you to instantly stream logs from Zscaler Internet Access (ZIA) directly into a compatible cloud-based security information and event management (SIEM) system without the need to deploy an NSS virtual machine (VM) for Web or Firewall.

Zscaler Custom Transformer Logs

Table name: zscaler-custom-transformer-logs

Zscaler custom transformer logs provide a comprehensive view of the traffic and security events processed by the Zscaler platform. These logs capture critical details about user activity, network traffic, application access, and potential threats detected in real-time. They are structured to offer deep insights into data flows, user behavior, and system operations, helping organizations enhance visibility into their network environment.

Send data to Hunters

The Zscaler logs should be exported to an S3 bucket and from there ingested into Hunters. To do so you'll need to complete the following steps:

  1. Direct logs to an on-premise syslog server, such as Fluentd
  2. Direct logs from the on-premise syslog server to an AWS S3 bucket
  3. Connect the S3 bucket with Hunters

📘 Note

When ingesting multiple Zscaler data types, the separation between data types should take place during the log exporting phase on the vendor side, and each data type should get a different prefix.

1. Direct logs to an on-premise syslog server

To send logs to an on-premise syslog server (e.g., Fluentd) using the Zscaler Nanolog Streaming Service (NSS), do the following:

  1. Go to Administration > Nanolog Streaming Service.

  2. In the NSS Feeds tab, click Add NSS Feed.

  3. In the Add NSS Feed window input the following:

    • Feed Name: Enter or edit the name of the feed. Each feed is a connection between the NSS and your Fluentd or Logstash server.

    • NSS Type: NSS for Web is selected by default.

    • NSS Server: Choose an NSS from the list (your on-premise NSS server).

    • Status: The NSS feed is Enabled by default. Choose Disabled if you want to activate it at a later time.

    • SIEM Destination Type: The type of destination.

      • SIEM IP Address: Enter the IP address of your Fluentd or Logstash server to which the logs are streamed.

      • FQDN: Enter the destination for the TCP connection to which the logs are streamed. This allows failover from one IP address to another without manual intervention, relying instead on an update to the DNS entry. NSS re-resolves the FQDN only when the existing connection goes down, so this feature cannot be used for DNS-based load balancing.

    • SIEM TCP Port: Enter the port number of the Fluentd or Logstash server to which the logs are streamed. Ensure that the server is configured to accept the feed from the NSS.

    • Log Type: Choose Web Log.

    • SIEM Rate Limit (Events per Second): Leave as unrestricted, unless you need to throttle the output stream due to licensing or other constraints. A limit that is too low for the traffic volume will cause log loss.

    • Feed Output Type: Choose RSA.

    • Feed Output Format: These are the fields that will be displayed in the output. You can edit the default list and, if you chose Custom as the Feed Output Type, change the delimiter as well. See NSS Feed Output Format: Web Logs for information about the available fields and their syntax.

2. Direct logs to an AWS S3 bucket

Follow this guide to learn how to route logs from your network (Fluentd or Logstash server) to an AWS S3 bucket storage service shared with Hunters.

3. Connect the S3 bucket with Hunters

Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Integration with Hunters requires Zscaler data in NDJSON format (for all Zscaler data types), one JSON object per line, similar to the following example:

{"datetime": "2023-03-03 03:03:03", "reason": "Allowed", "event_id": "1423094812934812093", "protocol": "HTTP_PROXY", "action": "Allowed", "transactionsize": "625", "responsesize": "65", "requestsize": "560", "urlcategory": "media", "serverip": "1.1.1.1", "clienttranstime": "0", "requestmethod": "CONNECT", "refererURL": "None", "useragent": "Macintosh", "product": "ASD", "location": "loc", "ClientIP": "1.1.1.1", "status": "200", "user": "email@url.com", "url": "www.url.com:443", "vendor": "Zscaler", "hostname": "www.url.com", "clientpublicIP": "1.1.1.1", "threatcategory": "None", "threatname": "None", "filetype": "None", "appname": "browsing", "pagerisk": "0", "department": "dep", "urlsupercategory": "media", "appclass": "General Browsing", "engine": "None", "urlclass": "Bandwidth Loss", "threatclass": "None", "dlpdictionaries": "None", "fileclass": "None", "bwthrottle": "NO", "servertranstime": "0", "contenttype": "Other", "unscannabletype": "None", "deviceowner": "ASDF2", "devicehostname": "ASDF"}
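The following is an added example (not Hunters' or Zscaler's own code) of a pre-upload check that validates an NDJSON export and splits it by Zscaler data type, so that each type lands under its own prefix as the note above requires. It recognises each type by field names taken from the samples on this page; the prefix names and the sample batch are constructed for the example.

```python
import json
from collections import defaultdict

# Field names that identify each Zscaler data type come from the samples on
# this page; the table names are the Hunters tables listed above. The S3
# prefixes are assumed values chosen for this example, not Hunters defaults.
SIGNATURES = [
    ("zscaler_zia_dns",        "zscaler/dns/",      {"dns_req", "dns_resp", "reqaction"}),
    ("zscaler_zia_firewall",   "zscaler/firewall/", {"csip", "cdip", "proto", "nwsvc"}),
    ("zscaler_zia_audit_logs", "zscaler/audit/",    {"adminid", "auditlogtype", "recordid"}),
    ("zscaler_zia",            "zscaler/web/",      {"url", "requestmethod", "urlcategory"}),
]

def classify(record):
    """Return (table_name, prefix) for a parsed record, or None if no signature matches."""
    keys = set(record)
    for table, prefix, signature in SIGNATURES:
        if signature <= keys:
            return table, prefix
    return None

def route_ndjson(text):
    """Split NDJSON text by data type: returns ({prefix: ndjson_blob}, [(line_no, reason)])."""
    routed = defaultdict(list)
    rejected = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue                      # tolerate blank lines between records
        try:
            record = json.loads(line)
        except json.JSONDecodeError as e:
            rejected.append((n, f"invalid JSON: {e.msg}"))
            continue
        if not isinstance(record, dict):
            rejected.append((n, "line is not a JSON object"))
            continue
        hit = classify(record)
        if hit is None:
            rejected.append((n, "unrecognised Zscaler data type"))
            continue
        # Re-serialise compactly so every output line is exactly one object.
        routed[hit[1]].append(json.dumps(record, separators=(",", ":")))
    return {p: "\n".join(lines) + "\n" for p, lines in routed.items()}, rejected

# Constructed sample batch (not real traffic), modelled on this page's samples;
# line 5 is not an object and line 6 is truncated, so both must be rejected.
SAMPLE = """\
{"datetime": "2023-03-03 03:03:03", "action": "Allowed", "url": "www.url.com:443", "requestmethod": "CONNECT", "urlcategory": "media", "user": "email@url.com"}
{"datetime":"Thu Mar  2 00:41:23 2023","user":"xyz@cloud.com","reqaction":"Allow","dns_req":"guzzoni.apple.com","dns_resp":"guzzoni-apple-com.v.aaplimg.com"}
{"datetime":"Thu Mar  9 23:57:20 2023","csip":"192.168.0.1","cdip":"101.102.103.104","proto":"UDP","nwsvc":"QUIC","action":"Reset"}
{"time": "Wed Dec 20 17:04:46 2023", "recordid": "12345", "adminid": "admin@abc.com", "auditlogtype": "type1", "result": "SUCCESS"}
["not", "an", "object"]
{"datetime": "2023-03-03 03:03:04", "action": "Allowed"
"""

if __name__ == "__main__":
    routed, rejected = route_ndjson(SAMPLE)
    for prefix, blob in routed.items():
        print(prefix, blob.count("\n"), "record(s)")
    print("rejected:", rejected)
```

Rejected lines are reported with their line number rather than silently dropped, so a broken export is caught before it reaches the bucket.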


Zscaler Custom Transformer Logs

Logs are expected in Nested JSON CEF format, as in the following sample:

{
  "src_proto": "HTTPS",
  "#type": "Zscaler-customized",
  "mobile_device_type": "None",
  "zscaler_reason": "Allowed",
  "src_location": "Road Warrior",
  "cef.event_class_id": "Allowed",
  "http_method": "POST",
  "file_class": "Images",
  "src_user": "dega.w@pg.com",
  "mobile_app_name": "None",
  "http_code": "200",
  "dlp_rule": "NA",
  "bytes_in": "337",
  "dst_ip": "162.247.243.29",
  "@timestamp": 1710145163185,
  "@ingesttimestamp": "1710145163185",
  "ssl_reason": "INSPECTED",
  "@ingestsourceip": "137.182.156.40",
  "file_md5": "None",
  "url_rule": "None",
  "app_class": "General Browsing",
  "file_name": "None",
  "@ingestconfigname": "Zscaler_Test",
  "http_ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36",
  "cef.device.version": "5.0",
  "sec_threat_sev": "None",
  "url_class": "Business Use",
  "src_port": "0",
  "ssl_decrypted": "Yes",
  "log_timezone": "GMT",
  "#repo": "Zscaler_Test",
  "src_ip": "192.168.200.192",
  "http_size": "1484",
  "log_uuid": "7345017418161324050",
  "cef.device.vendor": "Zscaler",
  "zscaler_method": "ZscalerClientConnector",
  "dlp_dict": "None",
  "http_content_type": "image/gif",
  "http_version": "1.1",
  "zscaler_action": "Allowed",
  "ssl_version": "TLS1_3",
  "dst_host": "bam.nr-data.net",
  "cef.device.product": "NSSWeblog",
  "sec_threat_name": "None",
  "@timezone": "Z",
  "bytes_out": "1147",
  "src_device_type": "Windows OS",
  "app_name": "General Browsing",
  "cef.name": "Allowed",
  "zscaler_version": "4.3.0.131",
  "file_type": "Gif Files",
  "src_hostname": "5CG2114JG7-W10",
  "http_referrer": "www.olx.pl/",
  "src_nat_ip": "79.184.55.123",
  "sec_risk_score": "0",
  "@timestamp.nanos": "0",
  "cef.version": "0",
  "sec_malware_cat": "None",
  "cef.severity": "3",
  "url_cat": "Corporate Marketing",
  "@rawstring": "Mar 11 2024 08:18:53 CEF:0|Zscaler|NSSWeblog|5.0|Allowed|Allowed|3| zscaler_action=Allowed src_proto=HTTPS url_cat=Corporate Marketing dst_host=bam.nr-data.net dst_ip=162.247.243.29 src_ip=192.168.200.192 bytes_in=337 http_code=200 bytes_out=1147 http_request=bam.nr-data.net/jserrors/1/nrbr-4b04b28ea1f542d97be?a%3d66672666&sa%3d1&v%3d1.249.0&t%3dUnnamed%20Transaction&rst%3d233555&ck%3d0&s%3db365022b49822820&ref%3dhttps://www.olx.pl/d/oferta/tynki-maszynowe-gipsowe-i-cementowe-CID4371-IDPVLw5.html&ri%3d{\"app\":\"5fb2cffe_5849935\"} src_nat_ip=79.184.55.123 http_ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 http_method=POST src_user=dega.w@pg.com src_location=Road Warrior log_uuid=7345017418161324050 file_type=Gif Files zscaler_reason=Allowed app_name=General Browsing sec_risk_score=0 url_supercat=Business and Economy app_class=General Browsing sec_malware_cat=None sec_threat_name=None dlp_eng=None src_hostname=5CG2114JG7-W10 file_name=None file_md5=None mobile_app_name=None mobile_device_type=None zscaler_method=ZscalerClientConnector url_class=Business Use dlp_dict=None http_referrer=www.olx.pl/ log_timezone=GMT src_port=0 zscaler_node=WAW2 src_device_type=Windows OS zscaler_version=4.3.0.131 url_rule=None app_rule=None http_version=1.1 http_content_type=image/gif http_size=1484 ssl_decrypted=Yes ssl_reason=INSPECTED ssl_version=TLS1_3 sec_threat_sev=None sec_malware_class=None file_class=Images dlp_rule=NA",
  "zscaler_node": "WAW2",
  "app_rule": "None",
  "dlp_eng": "None",
  "sec_malware_class": "None",
  "url_supercat": "Business and Economy",
  "http_request": "bam.nr-data.net/jserrors/1/nrbr-4b04b28ea1f542d97be?a%3d66672666&sa%3d1&v%3d1.249.0&t%3dUnnamed%20Transaction&rst%3d233555&ck%3d0&s%3db365022b49822820&ref%3dhttps://www.olx.pl/d/oferta/tynki-maszynowe-gipsowe-i-cementowe-CID4371-IDPVLw5.html&ri%3d{\"app\":\"5fb2cffe_5849935\"}",
  "@id": "srzlFJlcv1dfLm9f3WOki9EJ_7_394_1710145163"
},
{
  "src_proto": "SSL",
  "#type": "Zscaler-customized",
  "mobile_device_type": "None",
  "zscaler_reason": "Allowed",
  "src_location": "Road Warrior",
  "cef.event_class_id": "Allowed",
  "http_method": "NA",
  "file_class": "None",
  "src_user": "dega.w@pg.com",
  "mobile_app_name": "None",
  "http_code": "NA",
  "dlp_rule": "NA",
  "bytes_in": "1545",
  "dst_ip": "184.86.251.134",
  "@timestamp": 1710145161174,
  "@ingesttimestamp": "1710145161174",
  "ssl_reason": "O365_BYP",
  "@ingestsourceip": "137.182.156.40",
  "file_md5": "None",
  "url_rule": "None",
  "app_class": "Business",
  "file_name": "None",
  "@ingestconfigname": "Zscaler_Test",
  "http_ua": "Unknown",
  "cef.device.version": "5.0",
  "sec_threat_sev": "None",
  "url_class": "Business Use",
  "src_port": "0",
  "ssl_decrypted": "No",
  "log_timezone": "GMT",
  "#repo": "Zscaler_Test",
  "src_ip": "192.168.200.192",
  "http_size": "3367",
  "log_uuid": "7345017349441847316",
  "cef.device.vendor": "Zscaler",
  "zscaler_method": "ZscalerClientConnector",
  "dlp_dict": "None",
  "http_content_type": "Other",
  "http_version": "None",
  "zscaler_action": "Allowed",
  "ssl_version": "TLS1_3",
  "dst_host": "statics.teams.cdn.office.net",
  "cef.device.product": "NSSWeblog",
  "sec_threat_name": "None",
  "@timezone": "Z",
  "bytes_out": "1822",
  "src_device_type": "Windows OS",
  "app_name": "Common Office 365 Applications",
  "cef.name": "Allowed",
  "zscaler_version": "4.3.0.131",
  "file_type": "None",
  "src_hostname": "5CG2114JG7-W10",
  "http_referrer": "None",
  "src_nat_ip": "79.184.55.123",
  "sec_risk_score": "0",
  "@timestamp.nanos": "0",
  "cef.version": "0",
  "sec_malware_cat": "None",
  "cef.severity": "3",
  "url_cat": "Corporate Marketing",
  "@rawstring": "Mar 11 2024 08:18:37 CEF:0|Zscaler|NSSWeblog|5.0|Allowed|Allowed|3| zscaler_action=Allowed src_proto=SSL url_cat=Corporate Marketing dst_host=statics.teams.cdn.office.net dst_ip=184.86.251.134 src_ip=192.168.200.192 bytes_in=1545 http_code=NA bytes_out=1822 http_request=statics.teams.cdn.office.net src_nat_ip=79.184.55.123 http_ua=Unknown http_method=NA src_user=dega.w@pg.com src_location=Road Warrior log_uuid=7345017349441847316 file_type=None zscaler_reason=Allowed app_name=Common Office 365 Applications sec_risk_score=0 url_supercat=Business and Economy app_class=Business sec_malware_cat=None sec_threat_name=None dlp_eng=None src_hostname=5CG2114JG7-W10 file_name=None file_md5=None mobile_app_name=None mobile_device_type=None zscaler_method=ZscalerClientConnector url_class=Business Use dlp_dict=None http_referrer=None log_timezone=GMT src_port=0 zscaler_node=WAW2 src_device_type=Windows OS zscaler_version=4.3.0.131 url_rule=None app_rule=None http_version=None http_content_type=Other http_size=3367 ssl_decrypted=No ssl_reason=O365_BYP ssl_version=TLS1_3 sec_threat_sev=None sec_malware_class=None file_class=None dlp_rule=NA",
  "zscaler_node": "WAW2",
  "app_rule": "None",
  "dlp_eng": "None",
  "sec_malware_class": "None",
  "url_supercat": "Business and Economy",
  "http_request": "statics.teams.cdn.office.net",
  "@id": "srzlFJlcv1dfLm9f3WOki9EJ_7_391_1710145161"
}
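As an added example (not Hunters' or Zscaler's own code), the parser below splits the CEF line carried in the `@rawstring` field into its seven header fields and its key=value extension, and reports any extension key whose value disagrees with the flattened field of the same name in the nested record. The sample line is a shortened copy of the first `@rawstring` above; only the CEF `\=` escape is handled.

```python
import re

# Layout of the CEF line carried in "@rawstring" above:
#   <syslog timestamp> CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|<extension>
# The extension is "key=value key=value ..."; values may contain spaces, so
# the split is made at " key=" boundaries rather than at every space.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "event_class_id", "name", "severity")
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)", re.DOTALL)

def parse_cef(raw):
    """Parse a Zscaler NSS CEF line into (header dict, extension dict).

    Only the CEF "\\=" escape is unescaped; Zscaler percent-encodes "=" inside
    URLs (see %3d in the sample above), so no other escaping is expected here.
    """
    start = raw.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    parts = raw[start:].split("|", 7)          # 7 header fields + the extension
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, [parts[0][len("CEF:"):]] + parts[1:7]))
    extension = {k: v.strip().replace("\\=", "=")
                 for k, v in _EXT_RE.findall(parts[7].strip())}
    return header, extension

def mismatched_fields(raw, record):
    """Names of extension keys whose value differs from the flattened field of the
    same name in the nested JSON record (an ingestion sanity check)."""
    _, ext = parse_cef(raw)
    return sorted(k for k, v in ext.items() if k in record and str(record[k]) != v)

# Constructed sample: a shortened copy of the first @rawstring shown above.
RAW = ("Mar 11 2024 08:18:53 CEF:0|Zscaler|NSSWeblog|5.0|Allowed|Allowed|3| "
       "zscaler_action=Allowed src_proto=HTTPS url_cat=Corporate Marketing "
       "dst_host=bam.nr-data.net dst_ip=162.247.243.29 src_ip=192.168.200.192 "
       "http_ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
       "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 http_method=POST "
       "src_user=dega.w@pg.com file_type=Gif Files ssl_decrypted=Yes")

if __name__ == "__main__":
    header, ext = parse_cef(RAW)
    print(header)
    for k in ("url_cat", "http_ua", "file_type"):
        print(k, "=", ext[k])
```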

⚠️ Attention

The below formats are not currently supported. To ingest Zscaler data in one of the below formats, open an Onboarding Supported Integration request to Hunters Support.

Zscaler ZIA Web Data Schema

%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss CEF:0|Zscaler|NSSWeblog|5.0|%s{action}|%s{reason}|3|act=%s{action} app=%s{proto} cat=%s{urlcat} dhost=%s{ehost} dst=%s{sip} src=%s{cip} in=%d{respsize} outcome=%s{respcode} out=%d{reqsize} request=%s{eurl} rt=%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} sourceTranslatedAddress=%s{cintip} requestClientApplication=%s{ua} requestMethod=%s{reqmethod} suser=%s{login} spriv=%s{location} externalId=%d{recordid} fileType=%s{filetype} reason=%s{reason} destinationServiceName=%s{appname} cn1=%d{riskscore} cn1Label=riskscore cs1=%s{dept} cs1Label=dept cs2=%s{urlsupercat} cs2Label=urlsupercat cs3=%s{appclass} cs3Label=appclass cs4=%s{malwarecat} cs4Label=malwarecat cs5=%s{threatname} cs5Label=threatname cs6=%s{dlpeng} cs6Label=dlpeng ZscalerNSSWeblogURLClass=%s{urlclass} ZscalerNSSWeblogDLPDictionaries=%s{dlpdict} requestContext=%s{ereferer} contenttype=%s{contenttype} unscannabletype=%s{unscannabletype} deviceowner=%s{deviceowner} devicehostname=%s{devicehostname}\r\n

Zscaler ZIA Web Data Sample

<134>1 ZSCALERNSS: time=Wed Feb 10 11:01:59 2021^^timezone=GMT^^action=Allowed^^reason=Allowed^^hostname=temphost.com^^protocol=HTTPS^^serverip=1.2.3.4^^url=temphost.net&sp=w&api-version=2014-02-14&timeout=15^^urlcategory=Corporate Marketing^^urlclass=Business Use^^dlpdictionaries=None^^dlpengine=None^^filetype=None^^threatcategory=None^^threatclass=None^^pagerisk=0^^threatname=None^^clientpublicIP=1.2.3.4^^ClientIP=10.0.12.5^^location=Road Warrior^^refererURL=None^^useragent=WA-Storage/4.3.0 (.NET CLR 4.0.30319.42000; Win32NT 10.0.18362.0)^^department=Main^^user=username@tempdomain.com^^event_id=6927588627446038529^^clienttranstime=37^^requestmethod=PUT^^requestsize=494^^requestversion=1.1^^status=201^^responsesize=288^^responseversion=1.1^^transactionsize=782^^contenttype=Other^^unscannabletype=None^^deviceowner=device_owner^^devicehostname=device_name

Zscaler ZIA DNS Data Sample

{"datetime":"Thu Mar  2 00:41:23 2023","user":"xyz@cloud.com","department":"Engineering","location":"Road%20Warrior","reqaction":"Allow","resaction":"Allow","reqrulelabel":"Default Firewall DNS Rule","resrulelabel":"Default Firewall DNS Rule","dns_reqtype":"UNKNOWN","dns_req":"guzzoni.apple.com","dns_resp":"guzzoni-apple-com.v.aaplimg.com","srv_dport":"53","durationms":"0","clt_sip":"192.160.11.100","srv_dip":"100.225.00.100","category":"Corporate Marketing","respipcategory":"Internet Services","deviceowner":"xyz","devicehostname":"MacBook Air"}

Zscaler ZIA Firewall Data Sample

{"datetime":"Thu Mar  9 23:57:20 2023","user":"user@email.com","department":"Engineering","locationname":"Road%20Warrior","cdport":"443","csport":"12345","sdport":"0","ssport":"0","csip":"192.168.0.1","cdip":"101.102.103.104","ssip":"0.0.0.0","sdip":"0.0.0.0","tsip":"201.202.203.204","tunsport":"0","tuntype":"ZscalerClientConnector","action":"Reset","dnat":"No","stateful":"Yes","aggregate":"No","nwsvc":"QUIC","nwapp":"udp","proto":"UDP","ipcat":"Miscellaneous or Unknown","destcountry":"United States","avgduration":"4008","rulelabel":"label","inbytes":"0","outbytes":"6390","duration":"4","durationms":"4008","numsessions":"1","ipsrulelabel":"None","threatcat":"None","threatname":"None","deviceowner":"koko","devicehostname":"host"}

Zscaler ZIA Audit Sample

{ "time": "Wed Dec 20 17:04:46 2023", "recordid": "12345", "action": "action1", "category": "LOGIN", "subcategory": "LOGIN", "resource": "None", "interface": "Unknown", "adminid": "admin@abc.com", "clientip": "Unknown", "result": "SUCCESS", "errorcode": "None", "auditlogtype": "type1", "preaction": "{}", "postaction": "{}" }

Zscaler NSS Sample

{"datetime":"2024-09-19 02:02:13","reason":"Allowed","event_id":"7416137781556150273","protocol":"HTTP_PROXY","action":"Allowed","transactionsize":"697","responsesize":"65","requestsize":"632","urlcategory":"Office365","serverip":"1.1.1.1","requestmethod":"CONNECT","refererURL":"None","useragent":"Macintosh","product":"NSS","location":"loc","ClientIP":"2.2.2.2","status":"200","user":"email@url.com","url":"www.url.com:443","vendor":"Zscaler","hostname":"URL.com - MediaOptions ","clientpublicIP":"2.2.2.3","threatcategory":"None","threatname":"None","filetype":"None","appname":"General Browsing","pagerisk":"0","threatseverity":"None","department":"Default%20Department","urlsupercategory":"User-defined","appclass":"General Browsing","dlpengine":"None","urlclass":"Bandwidth Loss","threatclass":"None","dlpdictionaries":"None","fileclass":"None","bwthrottle":"NO","contenttype":"Other","unscannabletype":"None","deviceowner":"sameutchamiz","devicehostname":"BEN10","keyprotectiontype":"N/A"}