Zscaler Integration Guide
Zscaler must be configured to send logs via the Nanolog Streaming Service (NSS). Secureworks® Taegis™ XDR supports NSS and Cloud NSS to collect Zscaler logs.
The information below provides the necessary actions and steps to configure log forwarding on Zscaler NSS.
Choose the Log Ingestion Method
Zscaler NSS can send logs to XDR over syslog (an NSS virtual appliance forwarding over TCP to a Taegis™ XDR Collector) or over HTTP (Cloud NSS posting to an XDR HTTP Ingest URL).
Follow the instructions in the Zscaler documentation to configure log forwarding to an HTTP destination or to a Taegis™ XDR Collector, and use the connectivity and feed-format requirements below.
Connectivity Requirements
NSS
| Source | Destination | Port/Protocol |
|---|---|---|
| Zscaler NSS | XDR Collector (mgmt IP) | TCP/601 |
Cloud NSS
| Source | Destination | Port/Protocol |
|---|---|---|
| Zscaler Cloud NSS | URL provided by XDR when the HTTP Ingest integration was created | TCP/443 |
Data Provided from Integration
| Source | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections |
|---|---|---|---|
| Zscaler Cloud Firewall | DNS, Netflow | | |
| Zscaler Secure Web Gateway | HTTP | Thirdparty | |
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Detection Rules to generate detections based on normalized data from a data source.
Logging Configuration Requirements
Note
You can choose any option for the Policy Reason field as it is not used by Secureworks.
Web Logs
Consider the following requirements when completing the configuration steps for web logs:
- SIEM IP Address – Enter the IP address of the XDR Collector (typically its management IP, as listed under Connectivity Requirements).
- SIEM TCP Port – Enter 601 (TCP).
- NSS Type – Select NSS for Web.
- Feed Output Type – Select Custom.
- User Obfuscation – Disable.
- Feed Output Format – Copy and paste the following string exactly; the key names are what the XDR parser expects:
NSS_Web_v1 %s{mon} %d{dd} %d{hh}:%d{mm}:%d{ss} %d{yyyy} recordId=%d{recordid} login=%s{login} dname=%s{host} dip=%s{sip} sip=%s{cip} natPublicIp=%s{cintip} url=%s{url} ua=%s{ua} module=%s{module} proto=%s{proto} action=%s{action} reason=%s{reason} appName=%s{appname} appClass=%s{appclass} fileType=%s{filetype} reqSize=%d{reqsize} responseSize=%d{respsize} totalSize=%d{totalsize} sTime=%d{ctime} cTime=%d{ctime} malwareCat=%s{malwarecat} malwareClass=%s{malwareclass} threatName=%s{threatname} riskScore=%d{riskscore} DLPEng=%s{dlpeng} DLPDict=%s{dlpdict} location=%s{location} dept=%s{dept} reqMethod=%s{reqmethod} respCode=%s{respcode} respVersion=%s{respversion} urlClass=%s{urlclass} urlSuperCat=%s{urlsupercat} urlCat=%s{urlcat} referer=%s{referer}
Firewall Logs
Consider the following requirements when completing the configuration steps for firewall logs:
- SIEM IP Address – Enter the IP address of the XDR Collector (typically its management IP, as listed under Connectivity Requirements).
- SIEM TCP Port – Enter 601 (TCP).
- NSS Type – Select NSS for Firewall.
- Feed Output Type – Select Custom.
- User Obfuscation – Disable.
- Feed Output Format – Copy and paste the following string exactly; the key names are what the XDR parser expects:
time="%s{time}" login="%s{login}" dept="%s{dept}" location="%s{location}" cdport="%d{cdport}" csport="%d{csport}" sdport="%d{sdport}" ssport="%d{ssport}" csip="%s{csip}" cdip="%s{cdip}" ssip="%s{ssip}" sdip="%s{sdip}" tsip="%s{tsip}" tsport="%d{tsport}" ttype="%s{ttype}" action="%s{action}" dnat="%s{dnat}" stateful="%s{stateful}" aggregate="%s{aggregate}" nwsvc="%s{nwsvc}" nwapp="%s{nwapp}" ipproto="%s{ipproto}" ipcat="%s{ipcat}" destcountry="%s{destcountry}" avgduration="%d{avgduration}" rulelabel="%s{rulelabel}" inbytes="%ld{inbytes}" outbytes="%ld{outbytes}" duration="%d{duration}" durationms="%d{durationms}" numsessions="%d{numsessions}"
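The two custom Feed Output Format strings above (web and firewall) are templates: every `%s{field}`, `%d{field}` or `%ld{field}` placeholder is replaced by the value of that NSS field and everything else is emitted literally. The following Python is an added example, not Secureworks or Zscaler code, that compiles such a template into a regex and parses log lines with it, so you can confirm that what NSS actually emits (for example, a line captured on the Collector) still matches the format XDR expects. It uses shortened subsets of the page's two formats and constructed sample lines; the field mappings (for instance `dip=%s{sip}`, which places the server IP under `dip`) are taken from the page, and the `format_drift` and `matches` helpers are this example's own names.

```python
"""Parse Zscaler NSS custom-feed log lines by compiling the Feed Output Format
string itself into a regex. Added example for this page; not Secureworks or
Zscaler code. The formats are shortened subsets of the page's strings and the
sample log lines are constructed."""
import re
from typing import Dict, List, Tuple, Union

# NSS placeholders: %s{field} is a string, %d{field} / %ld{field} an integer.
PLACEHOLDER = re.compile(r'%(s|l?d)\{(\w+)\}')

# Subset of the page's web format (unquoted key=value; note ctime is emitted twice).
WEB_FORMAT = ('NSS_Web_v1 %s{mon} %d{dd} %d{hh}:%d{mm}:%d{ss} %d{yyyy} '
              'recordId=%d{recordid} login=%s{login} dname=%s{host} dip=%s{sip} '
              'sip=%s{cip} url=%s{url} ua=%s{ua} action=%s{action} '
              'reqSize=%d{reqsize} sTime=%d{ctime} cTime=%d{ctime} urlCat=%s{urlcat}')
# Subset of the page's firewall format (values are double-quoted).
FW_FORMAT = ('time="%s{time}" login="%s{login}" csip="%s{csip}" sdip="%s{sdip}" '
             'sdport="%d{sdport}" action="%s{action}" rulelabel="%s{rulelabel}" '
             'inbytes="%ld{inbytes}" outbytes="%ld{outbytes}" numsessions="%d{numsessions}"')

# Constructed sample lines, as NSS would emit them under the formats above.
SAMPLE_WEB_LINE = ('NSS_Web_v1 Mar 04 13:07:55 2024 recordId=1234567890 '
                   'login=alice@example.com dname=example.org dip=203.0.113.10 '
                   'sip=10.1.2.3 url=example.org/login?x=1 '
                   'ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) action=Allowed '
                   'reqSize=512 sTime=30 cTime=30 urlCat=Business')
SAMPLE_FW_LINE = ('time="Mon Mar  4 13:07:55 2024" login="alice@example.com" '
                  'csip="10.1.2.3" sdip="198.51.100.7" sdport="443" action="Allow" '
                  'rulelabel="Default Firewall Rule" inbytes="1024" outbytes="2048" '
                  'numsessions="1"')


def feed_fields(fmt: str) -> List[str]:
    """Return the NSS field names referenced by a Feed Output Format, in order."""
    return [m.group(2) for m in PLACEHOLDER.finditer(fmt)]


def compile_feed_format(fmt: str) -> Tuple[re.Pattern, Dict[str, str]]:
    """Translate a Feed Output Format string into an anchored regex.

    Literal text is escaped. %s{x} becomes a lazy text group: values such as
    url or ua may contain spaces, so the literal 'key=' that follows acts as the
    terminator. %d{x} / %ld{x} become signed-integer groups. A field used twice
    (the page's web format emits ctime as both sTime and cTime) gets a numeric
    suffix, because regex group names must be unique. Returns the compiled
    regex and a map of group name -> placeholder kind ('s', 'd' or 'ld').
    """
    pattern, pos, counts, kinds = [], 0, {}, {}
    for m in PLACEHOLDER.finditer(fmt):
        pattern.append(re.escape(fmt[pos:m.start()]))
        kind, name = m.group(1), m.group(2)
        counts[name] = counts.get(name, 0) + 1
        group = name if counts[name] == 1 else f'{name}_{counts[name]}'
        kinds[group] = kind
        pattern.append(rf'(?P<{group}>-?\d+)' if kind.endswith('d') else rf'(?P<{group}>.*?)')
        pos = m.end()
    pattern.append(re.escape(fmt[pos:]))
    return re.compile('^' + ''.join(pattern) + '$'), kinds


def matches(fmt: str, line: str) -> bool:
    """True if line is a complete record emitted under fmt."""
    return compile_feed_format(fmt)[0].match(line) is not None


def parse_line(fmt: str, line: str) -> Dict[str, Union[str, int]]:
    """Parse one log line emitted under fmt; integer fields are converted to int.
    A ValueError usually means the feed configured in Zscaler no longer matches
    the format XDR expects (edited by hand, wrong NSS type, obfuscation on)."""
    regex, kinds = compile_feed_format(fmt)
    m = regex.match(line)
    if not m:
        raise ValueError(f'line does not match feed format: {line[:60]}...')
    return {g: (int(v) if kinds[g].endswith('d') else v) for g, v in m.groupdict().items()}


def format_drift(configured: str, reference: str) -> Dict[str, object]:
    """Compare the field list of a format pasted into an NSS feed against the
    reference string from this page: which fields are missing, which were added,
    and whether the shared fields are still in the same order."""
    got, want = feed_fields(configured), feed_fields(reference)
    common = set(got) & set(want)
    return {'missing': [f for f in want if f not in got],
            'unexpected': [f for f in got if f not in want],
            'in_order': [f for f in got if f in common] == [f for f in want if f in common]}


if __name__ == '__main__':
    print(parse_line(WEB_FORMAT, SAMPLE_WEB_LINE))
    print(parse_line(FW_FORMAT, SAMPLE_FW_LINE))
    print(format_drift(WEB_FORMAT.replace(' ua=%s{ua}', ''), WEB_FORMAT))
```

Because the web format is unquoted, the parse depends on the literal ` key=` separators being exactly those in the template; a value that itself contained ` action=` would mis-split, which is one reason the firewall format quotes its values and why the feed string must be pasted unchanged. Run `format_drift` on the string actually saved in the Zscaler admin portal against the page's reference whenever a feed was edited by hand.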
DNS Logs
Consider the following requirements when completing the configuration steps for DNS logs:
- SIEM IP Address – Enter the IP address of the XDR Collector (typically its management IP, as listed under Connectivity Requirements).
- SIEM TCP Port – Enter 601 (TCP).
- NSS Type – Select NSS for DNS.
- Feed Output Type – Select Custom.
- User Obfuscation – Disable.
- Feed Output Format – Copy and paste the following string exactly; the key names are what the XDR parser expects: