Overview

Zscaler is a cloud security company that provides a Security Service Edge (SSE) solution.

Integrating your Zscaler logs into the Hunters ecosystem stores the data in a parsed format, lets you investigate threat scenarios over it, and produces the related Hunters detections.

Supported Data Types

  • ZIA Zscaler - Detailed internet and SaaS connection activity logged by Zscaler

Prerequisites

Disclaimer: To send Zscaler logs to Hunters, you need an on-premise log shipping infrastructure such as Fluentd or Logstash that receives the logs from an on-premise NSS server via syslog and writes them to S3.

To send logs to an on-premise syslog server (e.g., Fluentd) using the Zscaler Nanolog Streaming Service (NSS), do the following:

  1. Go to Administration > Nanolog Streaming Service.

  2. In the NSS Feeds tab, click Add NSS Feed.

  3. In the Add NSS Feed window, configure the feed:

  • Feed Name: Enter or edit the name of the feed. Each feed is a connection between the NSS and your Fluentd or Logstash server.

  • NSS Type: NSS for Web is selected by default.

  • NSS Server: Choose an NSS from the list (your on-premise NSS server).

  • Status: The NSS feed is Enabled by default. Choose Disabled if you want to activate it at a later time.

  • SIEM Destination Type: The type of destination.

    • SIEM IP Address: Enter the IP address of your Fluentd or Logstash server to which the logs are streamed.

    • FQDN: Enter the FQDN of the destination for the TCP connection to which the logs are streamed. This allows failover from one IP to another without manual intervention, by updating the DNS entry instead. NSS re-resolves the FQDN only when the existing connection goes down, so this feature cannot be used for DNS-based load balancing.

  • SIEM TCP Port: Enter the port number of the Fluentd or Logstash server to which the logs are streamed. Ensure that the server is configured to accept the feed from the NSS.

  • Log Type: Choose Web Log.

  • SIEM Rate Limit (Events per Second): Leave as unrestricted, unless you need to throttle the output stream due to licensing or other constraints. A limit that is too low for the traffic volume will cause log loss.

  • Feed Output Type: Choose RSA.

  • Feed Output Format: These are the fields that will be displayed in the output. You can edit the default list and, if you chose Custom as the Feed Output Type, change the delimiter as well. See NSS Feed Output Format: Web Logs for information about the available fields and their syntax.

Hunters Integration

To integrate your Zscaler logs into Hunters, collect the logs from your network (using your Fluentd or Logstash server) into a storage service shared with Hunters (e.g. an S3 bucket or Azure Blob Storage).

The expected log format is shown in the data schema and data sample below and in the picture.

Zscaler data schema

%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss CEF:0|Zscaler|NSSWeblog|5.0|%s{action}|%s{reason}|3|act=%s{action} app=%s{proto} cat=%s{urlcat} dhost=%s{ehost} dst=%s{sip} src=%s{cip} in=%d{respsize} outcome=%s{respcode} out=%d{reqsize} request=%s{eurl} rt=%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} sourceTranslatedAddress=%s{cintip} requestClientApplication=%s{ua} requestMethod=%s{reqmethod} suser=%s{login} spriv=%s{location} externalId=%d{recordid} fileType=%s{filetype} reason=%s{reason} destinationServiceName=%s{appname} cn1=%d{riskscore} cn1Label=riskscore cs1=%s{dept} cs1Label=dept cs2=%s{urlsupercat} cs2Label=urlsupercat cs3=%s{appclass} cs3Label=appclass cs4=%s{malwarecat} cs4Label=malwarecat cs5=%s{threatname} cs5Label=threatname cs6=%s{dlpeng} cs6Label=dlpeng ZscalerNSSWeblogURLClass=%s{urlclass} ZscalerNSSWeblogDLPDictionaries=%s{dlpdict} requestContext=%s{ereferer} contenttype=%s{contenttype} unscannabletype=%s{unscannabletype} deviceowner=%s{deviceowner} devicehostname=%s{devicehostname}\r\n

Zscaler Data Sample

<134>1 ZSCALERNSS: time=Wed Feb 10 11:01:59 2021^^timezone=GMT^^action=Allowed^^reason=Allowed^^hostname=temphost.com^^protocol=HTTPS^^serverip=1.2.3.4^^url=temphost.net&sp=w&api-version=2014-02-14&timeout=15^^urlcategory=Corporate Marketing^^urlclass=Business Use^^dlpdictionaries=None^^dlpengine=None^^filetype=None^^threatcategory=None^^threatclass=None^^pagerisk=0^^threatname=None^^clientpublicIP=1.2.3.4^^ClientIP=10.0.12.5^^location=Road Warrior^^refererURL=None^^useragent=WA-Storage/4.3.0 (.NET CLR 4.0.30319.42000; Win32NT 10.0.18362.0)^^department=Main^^user=username@tempdomain.com^^event_id=6927588627446038529^^clienttranstime=37^^requestmethod=PUT^^requestsize=494^^requestversion=1.1^^status=201^^responsesize=288^^responseversion=1.1^^transactionsize=782^^contenttype=Other^^unscannabletype=None^^deviceowner=device_owner^^devicehostname=device_name
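As an added example (not part of the Hunters documentation or of Zscaler's own tooling), the following Python parses the "^^"-delimited NSS web log line shown above into typed fields so you can verify what your Fluentd or Logstash pipeline actually ships before it lands in storage. Each pair is split on the first "=" only, which matters because the url value itself contains "=" characters; "None" placeholders become Python None, and the syslog priority in the leading "<134>" is decoded into facility and severity. The sample line is the one from this page; the set of required fields and of integer-typed fields is an assumption made for the example, not a Hunters or Zscaler specification.

```python
import re
from typing import Dict, List, Optional, Union

# Sample line copied from the data sample above (test data, not a real event).
SAMPLE_LINE = (
    "<134>1 ZSCALERNSS: time=Wed Feb 10 11:01:59 2021^^timezone=GMT^^action=Allowed"
    "^^reason=Allowed^^hostname=temphost.com^^protocol=HTTPS^^serverip=1.2.3.4"
    "^^url=temphost.net&sp=w&api-version=2014-02-14&timeout=15"
    "^^urlcategory=Corporate Marketing^^urlclass=Business Use^^dlpdictionaries=None"
    "^^dlpengine=None^^filetype=None^^threatcategory=None^^threatclass=None"
    "^^pagerisk=0^^threatname=None^^clientpublicIP=1.2.3.4^^ClientIP=10.0.12.5"
    "^^location=Road Warrior^^refererURL=None"
    "^^useragent=WA-Storage/4.3.0 (.NET CLR 4.0.30319.42000; Win32NT 10.0.18362.0)"
    "^^department=Main^^user=username@tempdomain.com^^event_id=6927588627446038529"
    "^^clienttranstime=37^^requestmethod=PUT^^requestsize=494^^requestversion=1.1"
    "^^status=201^^responsesize=288^^responseversion=1.1^^transactionsize=782"
    "^^contenttype=Other^^unscannabletype=None^^deviceowner=device_owner"
    "^^devicehostname=device_name"
)

# Syslog priority, syslog version and the NSS tag that precede the field list.
_HEADER = re.compile(r"^<(?P<pri>\d+)>(?P<version>\d+) ZSCALERNSS: (?P<body>.*)$")

# Assumption for this example: fields we want as integers; all others stay strings.
_INT_FIELDS = {
    "pagerisk", "clienttranstime", "requestsize", "status",
    "responsesize", "transactionsize", "event_id",
}

# Assumption for this example: fields an analyst needs on every record.
REQUIRED_FIELDS = ("time", "action", "url", "ClientIP", "user", "status")

FieldValue = Union[str, int, None]


def parse_nss_line(line: str) -> Dict[str, FieldValue]:
    """Parse one '^^'-delimited NSS web log line into a dict of typed fields.

    Raises ValueError when the line lacks the ZSCALERNSS header or a field
    has no '=' separator, so malformed input is rejected rather than silently
    producing a half-filled record.
    """
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a ZSCALERNSS line")
    pri = int(m.group("pri"))
    record: Dict[str, FieldValue] = {
        "syslog_facility": pri >> 3,   # <134> -> facility 16 (local0)
        "syslog_severity": pri & 7,    # <134> -> severity 6 (informational)
    }
    for pair in m.group("body").split("^^"):
        # Split on the FIRST '=' only: the url value contains further '='.
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed field: {pair!r}")
        if value == "None":
            record[key] = None
        elif key in _INT_FIELDS:
            record[key] = int(value)
        else:
            record[key] = value
    return record


def missing_fields(record: Dict[str, FieldValue]) -> List[str]:
    """Return the required field names absent from a parsed record."""
    return [k for k in REQUIRED_FIELDS if k not in record]


if __name__ == "__main__":
    rec = parse_nss_line(SAMPLE_LINE)
    for name in ("user", "ClientIP", "url", "status", "threatname"):
        print(f"{name:>10} = {rec[name]!r}")
    print("missing:", missing_fields(rec))
```

Run the module directly to see the decoded fields for the sample line; in a pipeline, wrap parse_nss_line in a try/except and route ValueError lines to a quarantine path so a delimiter change on the NSS feed shows up as a count of rejected records rather than as silently empty fields.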