1. Expel Help Center
  2. Connect Your Technology
  3. Network Integrations

Zscaler ZIA (via SIEM) Setup for Workbench

This article explains how to connect Zscaler Secure Internet Access (ZIA) to Workbench.

Prerequisites

Before starting this procedure, you must have:

  1. A SIEM that Expel supports for this integration, which includes any one of the following:

  2. The Nanolog Streaming Service (NSS) from Zscaler to forward data to your SIEM.

Quick Links

  1. Send Zscaler Events to a SIEM

  2. Configure the Technology in Workbench

  3. Edit the Device to Add Console Access

Step 1: Send Zscaler Events to a SIEM

The Nanolog Streaming Service (NSS) feed specifies the data from the logs that the NSS sends to the SIEM. Expel uses 3 NSS feeds to forward data to a SIEM.

  1. The EXPEL_MALWARE feed captures any malware class events.

    • Feed Output Type: QRadar SIEM LEEF

    • Web Log Filters = Security > Malware Classes : Sandbox, Spyware, Virus

    • Feed Output Format = 

      %s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-EXPEL_MALWARE: LEEF:1.0|Zscaler|NSS|4.1|fqdn=%s{host}\turl=%s{url}\tmethod=%s{reqmethod}\tuser_agent=%s{ua}\turlclass=%s{urlclass}\tcategory=%s{urlcat}\treferrer=%s{referer}\tresponse=%s{respcode}\tprotocol=%s{proto}\tduration_ms=%d{ctime}\tsrc=%s{cip}\tdst=%s{sip}\tbytes_rx=%d{respsize}\tbytes_tx=%d{reqsize}\tappclass=%s{appclass}\tappname=%s{appname}\tflow_id=%d{recordid}\torganization=%s{dept}\tusername=%s{login}\tvendor_version=%s{productversion}\tname=%s{reason}\talert_at=%s{time}%s{tz}\talertaction=%s{action}\tfile_hash=%s{bamd5}\tmime_type=%s{filetype}\tfilename=%s{filename}\tscore=%d{riskscore}\trealm=%s{location}\tnsssvcip=%s{nsssvcip}\tthreatname=%s{threatname}\tmalwarecategory=%s{malwarecat}\tmalwareclass=%s{malwareclass}\t\n

  2. The EXPEL_THREAT feed surfaces any Advanced Threat events.

    • Feed Output Type: QRadar SIEM LEEF

    • Web Log Filters = Security > Advanced Threats : Adware/Spyware Sites, Botnet Callback, Browser Exploit, Cross-site Scripting, Cryptomining, Malicious Content, Other Threat, Peer-to-Peer, Phishing, Spyware Callback, Suspicious Content, Suspicious Destination, Unauthorized Communication, Web Spam

    • Feed Output Format =

      %s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-EXPEL_THREAT: LEEF:1.0|Zscaler|NSS|4.1|fqdn=%s{host}\turl=%s{url}\tmethod=%s{reqmethod}\tuser_agent=%s{ua}\turlclass=%s{urlclass}\tcategory=%s{urlcat}\treferrer=%s{referer}\tresponse=%s{respcode}\tprotocol=%s{proto}\tduration_ms=%d{ctime}\tsrc=%s{cip}\tdst=%s{sip}\tbytes_rx=%d{respsize}\tbytes_tx=%d{reqsize}\tappclass=%s{appclass}\tappname=%s{appname}\tflow_id=%d{recordid}\torganization=%s{dept}\tusername=%s{login}\tvendor_version=%s{productversion}\tname=%s{reason}\talert_at=%s{time}%s{tz}\talertaction=%s{action}\tfile_hash=%s{bamd5}\tmime_type=%s{filetype}\tfilename=%s{filename}\tscore=%d{riskscore}\trealm=%s{location}\tnsssvcip=%s{nsssvcip}\tthreatname=%s{threatname}\tmalwarecategory=%s{malwarecat}\tmalwareclass=%s{malwareclass}\t\n

  3. (Optional) You can add an additional feed, EXPEL_INVESTIGATE, to forward all web log data to your SIEM. SOC analysts use this information to understand, scope, and answer security questions related to threat behavior. Specifically, how it got there, what it is, and what must be done to remediate.

    • Feed Output Type: QRadar SIEM LEEF

    • Web Log Filters = None

    • Feed Output Format =

      %s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-EXPEL_INVESTIGATE: LEEF:1.0|Zscaler|NSS|4.1|fqdn=%s{host}\turl=%s{url}\tmethod=%s{reqmethod}\tuser_agent=%s{ua}\turlclass=%s{urlclass}\tcategory=%s{urlcat}\treferrer=%s{referer}\tresponse=%s{respcode}\tprotocol=%s{proto}\tduration_ms=%d{ctime}\tsrc=%s{cip}\tdst=%s{sip}\tbytes_rx=%d{respsize}\tbytes_tx=%d{reqsize}\tappclass=%s{appclass}\tappname=%s{appname}\tflow_id=%d{recordid}\torganization=%s{dept}\tusername=%s{login}\tvendor_version=%s{productversion}\tname=%s{reason}\talert_at=%s{time}%s{tz}\talertaction=%s{action}\tfile_hash=%s{bamd5}\tmime_type=%s{filetype}\tfilename=%s{filename}\tscore=%d{riskscore}\trealm=%s{location}\tnsssvcip=%s{nsssvcip}\tthreatname=%s{threatname}\tmalwarecategory=%s{malwarecat}\tmalwareclass=%s{malwareclass}\t\n

Step 2: Configure the Technology in Workbench

Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.

  1. In a new browser tab, log into https://workbench.expel.io/settings/security-devices?setupIntegration=Zscaler.

  2. Complete the following fields in Workbench:

    Screenshot 2025-04-24 at 12.03.28 PM.png

    • SIEM - select the SIEM you onboarded in Workbench.

    • Name - enter a name that might help you more easily identify this integration, such as “CompanyName Zscaler”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
    • Location - enter the location of your integration, for example “cloud.” This is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • SIEM index - enter the name of the SIEM index that Zscaler events are being indexed to.

    • Sumologic query indices - if you are subject to Sumo Logic’s Flex pricing, you will need to provide a comma-separated list of indexes you wish Expel to query in this field. If you are on the traditional Sumo Logic pricing model, do not use this field.

      If you are not sure if this applies to you or you need more information, see Considerations for Sumo Logic Flex Pricing Customers.

  3. Click Save.

  4. You can set up console access now or use the instructions below to set it up later. Why do we need console access?

Step 3: Edit the Device to Add Console Access

Expel needs console access to your device to allow our SOC analysts to dig deeper during incident investigations. Additionally, our engineering teams use this access to investigate potential health issues, including proper alert ingestion.

Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. Open Workbench. Go to Organization Settings > Security Devices. Next to the device you just connected, click the down arrow and click Edit.

  2. In the Console Login area, type these details:

    • Console URL: type the console URL from the Server address in the Connection Settings area above. At the end of the URL, type /login.

    • Username: type the user name you created above.

    • Password: type the password you created above.

    • Two-factor secret key (32-character code): depending on how your organization enforces log-ins, this field may not apply to you. In these cases, you can leave it blank. This field is optional and if you have questions or concerns, reach out to your engagement manager or to support.

  3. Click Save.

Related articles