1. Expel Help Center
  2. Connect Your Technology
  3. Q-Z Integrations
  4. Zscaler

Zscaler Internet Access (ZIA) (via SIEM) Setup for Workbench

This setup guide is for Zscaler ZIA users connecting via a SIEM. If you are connecting via a webhook, go to Zscaler Internet Access (ZIA) (via Webhook) Setup for Workbench.

Setting up this integration requires you to create one security device in Workbench for the SIEM (you will find a link to those instructions in this guide), and a separate security device for the Zscaler integration (that device will reference the SIEM's device).

Scope and Limitations

When choosing to set up this integration, remember the following:

  1. You must use a supported SIEM to set up this type of connection. This integration's supported SIEMs include:
    • Microsoft Sentinel
    • Splunk
    • Sumo Logic
  2. Custom detection rules cannot be used for a via SIEM connection.
  3. If you are using the Sumo Logic Data Lake SKU:
    • You may onboard a via SIEM integration while using the Sumo Logic Data Lake SKU, but this may result in unexpected usage spikes and potential license overages.
    • These via SIEM integrations run predefined queries designed for the Sumo Logic Cloud SIEM SKU, which may consume significant search capacity.
    • There is currently no mechanism to prevent this behavior during self-service onboarding.

Prerequisites

  1. You must have the Nanolog Streaming Service (NSS) from Zscaler to forward data to your SIEM.
  2. For Sumo Logic Data Lake, we strongly recommend verifying your Sumo SKU before proceeding. Please consult your internal admin or Sumo Logic representative if you have any questions.
  3.  If you are subject to Sumo Logic’s Flex pricing, you will need to provide a comma-separated list of indexes you wish for us to query when you set up the security device in Workbench.

Quick Links

Setup includes the following steps (select any step for detailed instructions):

  1. Set Up Logging
  2. Set Up the SIEM
  3. Add Zscaler Internet Access (ZIA) (via SIEM) as a Security Device in Workbench

Step 1: Set Up Logging

The Nanolog Streaming Service (NSS) feed specifies the data from the logs that the NSS sends to the SIEM. Expel uses 3 NSS feeds to forward data to a SIEM.

  1. The EXPEL_MALWARE feed captures any malware class events.

    • Feed Output Type: QRadar SIEM LEEF
    • Web Log Filters = Security > Malware Classes : Sandbox, Spyware, Virus

    • Feed Output Format = 

      %s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-EXPEL_MALWARE: LEEF:1.0|Zscaler|NSS|4.1|fqdn=%s{host}\turl=%s{url}\tmethod=%s{reqmethod}\tuser_agent=%s{ua}\turlclass=%s{urlclass}\tcategory=%s{urlcat}\treferrer=%s{referer}\tresponse=%s{respcode}\tprotocol=%s{proto}\tduration_ms=%d{ctime}\tsrc=%s{cip}\tdst=%s{sip}\tbytes_rx=%d{respsize}\tbytes_tx=%d{reqsize}\tappclass=%s{appclass}\tappname=%s{appname}\tflow_id=%d{recordid}\torganization=%s{dept}\tusername=%s{login}\tvendor_version=%s{productversion}\tname=%s{reason}\talert_at=%s{time}%s{tz}\talertaction=%s{action}\tfile_hash=%s{bamd5}\tmime_type=%s{filetype}\tfilename=%s{filename}\tscore=%d{riskscore}\trealm=%s{location}\tnsssvcip=%s{nsssvcip}\tthreatname=%s{threatname}\tmalwarecategory=%s{malwarecat}\tmalwareclass=%s{malwareclass}\t\n

  2. The EXPEL_THREAT feed surfaces any Advanced Threat events.

    • Feed Output Type: QRadar SIEM LEEF
    • Web Log Filters = Security > Advanced Threats : Adware/Spyware Sites, Botnet Callback, Browser Exploit, Cross-site Scripting, Cryptomining, Malicious Content, Other Threat, Peer-to-Peer, Phishing, Spyware Callback, Suspicious Content, Suspicious Destination, Unauthorized Communication, Web Spam

    • Feed Output Format =

      %s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-EXPEL_THREAT: LEEF:1.0|Zscaler|NSS|4.1|fqdn=%s{host}\turl=%s{url}\tmethod=%s{reqmethod}\tuser_agent=%s{ua}\turlclass=%s{urlclass}\tcategory=%s{urlcat}\treferrer=%s{referer}\tresponse=%s{respcode}\tprotocol=%s{proto}\tduration_ms=%d{ctime}\tsrc=%s{cip}\tdst=%s{sip}\tbytes_rx=%d{respsize}\tbytes_tx=%d{reqsize}\tappclass=%s{appclass}\tappname=%s{appname}\tflow_id=%d{recordid}\torganization=%s{dept}\tusername=%s{login}\tvendor_version=%s{productversion}\tname=%s{reason}\talert_at=%s{time}%s{tz}\talertaction=%s{action}\tfile_hash=%s{bamd5}\tmime_type=%s{filetype}\tfilename=%s{filename}\tscore=%d{riskscore}\trealm=%s{location}\tnsssvcip=%s{nsssvcip}\tthreatname=%s{threatname}\tmalwarecategory=%s{malwarecat}\tmalwareclass=%s{malwareclass}\t\n

  3. (Optional) You can add an additional feed, EXPEL_INVESTIGATE, to forward all web log data to your SIEM. SOC analysts use this information to understand, scope, and answer security questions related to threat behavior. Specifically, how it got there, what it is, and what must be done to remediate.

    • Feed Output Type: QRadar SIEM LEEF
    • Web Log Filters = None

    • Feed Output Format =

      %s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-EXPEL_INVESTIGATE: LEEF:1.0|Zscaler|NSS|4.1|fqdn=%s{host}\turl=%s{url}\tmethod=%s{reqmethod}\tuser_agent=%s{ua}\turlclass=%s{urlclass}\tcategory=%s{urlcat}\treferrer=%s{referer}\tresponse=%s{respcode}\tprotocol=%s{proto}\tduration_ms=%d{ctime}\tsrc=%s{cip}\tdst=%s{sip}\tbytes_rx=%d{respsize}\tbytes_tx=%d{reqsize}\tappclass=%s{appclass}\tappname=%s{appname}\tflow_id=%d{recordid}\torganization=%s{dept}\tusername=%s{login}\tvendor_version=%s{productversion}\tname=%s{reason}\talert_at=%s{time}%s{tz}\talertaction=%s{action}\tfile_hash=%s{bamd5}\tmime_type=%s{filetype}\tfilename=%s{filename}\tscore=%d{riskscore}\trealm=%s{location}\tnsssvcip=%s{nsssvcip}\tthreatname=%s{threatname}\tmalwarecategory=%s{malwarecat}\tmalwareclass=%s{malwareclass}\t\n

Before continuing to Step 2, note the SIEM index where the logs are located (you will need it in a later step).

Step 2: Set Up the SIEM

You must set up the SIEM as its own security device before you can configure this integration's security device, since you are using it as a connection. Select the link below to go to your SIEM's setup guide, then return to this page when you have completed it:

Important

Be sure to confirm the SIEM's security device in Workbench is connected and logs are flowing before continuing to Step 3 in this guide.

Step 3: Add Zscaler Internet Access (ZIA) (via SIEM) as a Security Device in Workbench

When you set up this device, you will choose the security device you created in Step 2 as the SIEM (this will enable the via SIEM connection). Before you begin, make sure you have your saved values from Step 1. If you are using Sumo Logic and are subject to its Flex pricing, make sure you also have the comma-separated list of indexes you want us to query.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices. If you have multiple organizations, you must select the appropriate organization name from the list.
  3. Select Add Security Device.
  4. In the search box, type “Zscaler” and then select the Zscaler Internet Access (ZIA) (via SIEM) integration.
  5. Complete the fields as follows:
    • SIEM - select the SIEM's device from Step 2.
    • Name - enter a name that might help you more easily identify this integration, such as “CompanyName ZIA”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
    • Location - enter the location of your integration, for example “cloud;” this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • SIEM Index - enter the SIEM index where the logs are located.
    • Sumologic query indices - for Sumo Logic Flex pricing only, enter the comma-separated list of indexes you wish us to query (all other Sumo Logic users should leave this field blank).
    • Select Save.
  6. Select Set up now (recommended) from the console access dropdown. Why do we need console access?
  7. Enter the Zscaler URL and all applicable login credentials.
  8. Select Save.
  9. Your device should be created successfully within a few seconds. A few reminders:
    • After your connection is healthy, it will take some time for your device to begin polling and receiving data.
    • To check on the status, select the downward arrow for your device in the first column and choose View details.
    • Polling will happen first; data will be received after that. You must refresh the page to see updates.
    • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.
    • To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Related articles