Hi everyone
Has anyone had any experience with ingesting ZScaler logs?
I was expecting a cloud-to-cloud connection, but I don't see any documentation on this.
Thanks
Roberto
We're working on a new set of documentation (and updated parsers) for Zscaler products. We will be using webhooks where possible. The new docs should be ready later this quarter.
Hi Roberto, if you have the Zscaler cloud appliance, you would probably need to configure a feed in Chronicle. If you have the on-prem NSS log server, you will have to forward all your logs to your collector and configure it properly.
Hi @phaubertin, Zscaler is a cloud appliance. The easiest way perhaps is to use a webhook feed, but right now they are suspended. To use what you suggest, I would have to copy or publish the logs somewhere (like an S3 bucket), I think.
Hi Roberto, I understand that Zscaler is a cloud appliance. However, Zscaler offers two ways of sending logs to a SIEM: VM-based NSS and Cloud NSS (source).
There are several ways to configure feeds in Chronicle. Right now, the third-party API is not a way for Zscaler log ingestion.
I'm not aware of how to ingest logs with a webhook. Chronicle Feeds offer a way to ingest from an S3 bucket.
Wish you luck,
Chronicle currently recommends you leverage native APIs (third-party integrations that are supported), and if that isn't available then to leverage the GCS bucket method (or S3).
https://github.com/chronicle/ingestion-scripts Google has a lot of ingest scripts, but they offer no support on them. I would look into maybe ripping apart some scripts to get Zscaler to ingest to a bucket so then you can use Feed Management to ingest from that bucket.
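To make the bucket route above concrete, here is an added example (not code from this thread, from the chronicle/ingestion-scripts repository, or from Zscaler) of the staging step such a script has to do before a Feed Management bucket feed can pick the logs up: validate NSS-style JSON lines, reject malformed ones with a count rather than silently, and chunk the good records into newline-delimited objects with deterministic names so a retried upload does not create duplicates. The record field names and the sample lines are constructed for illustration, not taken from Zscaler's log schema; the upload helper assumes the caller passes a `google-cloud-storage` Bucket object and uses its real `blob(...).upload_from_string(...)` call.

```python
"""Stage Zscaler NSS-style JSON log lines into NDJSON batches for a bucket feed.

Added example, not from the thread, Chronicle or Zscaler. Field names below
are constructed to resemble a ZIA web log and are NOT Zscaler's documented schema.
"""
import hashlib
import json

# Constructed sample: three NSS-style JSON lines plus one corrupt line, as a
# collector might receive them over the wire.
SAMPLE_LINES = [
    '{"datetime":"2024-05-01 10:00:01","user":"alice@example.com","url":"example.com/a","action":"Allowed"}',
    '{"datetime":"2024-05-01 10:00:02","user":"bob@example.com","url":"example.com/b","action":"Blocked"}',
    "this is not json",
    '{"datetime":"2024-05-01 10:00:03","user":"carol@example.com","url":"example.com/c","action":"Allowed"}',
]

# Hypothetical minimum field set a downstream parser would need.
REQUIRED_FIELDS = ("datetime", "user", "url", "action")


def parse_lines(lines):
    """Return (valid_records, rejected_count).

    Malformed or incomplete lines are counted so the operator can alert on a
    rising reject rate instead of discovering gaps in the SIEM weeks later.
    """
    records, rejected = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected += 1
            continue
        if not isinstance(rec, dict) or any(k not in rec for k in REQUIRED_FIELDS):
            rejected += 1
            continue
        records.append(rec)
    return records, rejected


def build_batches(records, max_records=2):
    """Chunk records into NDJSON payloads.

    Each batch is named from the first record's timestamp plus a hash of the
    body, so re-uploading the same chunk after a failed attempt overwrites the
    same object instead of producing a duplicate the feed would ingest twice.
    """
    batches = []
    for i in range(0, len(records), max_records):
        chunk = records[i:i + max_records]
        body = "\n".join(json.dumps(r, separators=(",", ":")) for r in chunk) + "\n"
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()[:12]
        first_ts = chunk[0]["datetime"].replace(" ", "T").replace(":", "")
        # Object prefix is an assumption; match it to the feed's configured path.
        name = f"zscaler/zia/web/{first_ts}-{digest}.ndjson"
        batches.append((name, body))
    return batches


def upload_batches(batches, bucket):
    """Upload batches with a caller-supplied google-cloud-storage Bucket.

    Kept separate from parsing so the staging logic is testable offline.
    """
    for name, body in batches:
        bucket.blob(name).upload_from_string(body, content_type="application/x-ndjson")
    return len(batches)


if __name__ == "__main__":
    recs, bad = parse_lines(SAMPLE_LINES)
    for name, body in build_batches(recs):
        print(name, body.count("\n"), "records")
    print("rejected:", bad)
```

The feed itself then only needs the bucket path prefix; the batching size and object prefix here are placeholders to tune against the feed's polling interval and the volume NSS produces.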
Depends on the Zscaler products:
1. If ZPA -> https://help.zscaler.com/zscaler-deployments-operations/siem-zpa-integration-deployment-and-operatio...
Use ISS to send logs over the Chronicle forwarder or the new collector agent in JSON format
2. If ZIA -> https://help.zscaler.com/zia/about-insights-logs
Use NSS to send logs over the Chronicle forwarder or the new collector agent, or use NSS to push the logs via webhook
Hi @Roberto_Lio
Seeing as this thread has been resurrected it would be worth mentioning that Webhooks are GA again and instead of needing NSS / Cloud-NSS over Syslog to CFPS we are now able to use Webhooks with the ZIA & ZDX products.
https://help.zscaler.com/zia/about-webhooks
https://help.zscaler.com/zdx/configuring-webhooks
I haven't seen any documentation yet to enable ZPA to be sent using the same method.
Any update to this documentation for ZPA?
Thanks @adam9 for your reply, we'll wait for the new docs
Correct me if I'm wrong, but I believe this is what you are looking for:
<URL removed by staff>
Thanks @Carlos_Garcia
PS
for those who don't see the shared link, look on a search engine for "Zscaler and Google SecOps Deployment Guide"
Thank you! The guide mostly worked, but it turns out Cloud NSS is a separate entitlement/license that not every customer has. @adam9 perhaps the docs could be updated to indicate that! A screenshot might also help, since if the license is not applied that tab is just not visible, and when you start setting up a regular NSS feed the settings are not the same.