Zscaler Internet Access (ZIA)
Zscaler Internet Access (ZIA) is a cloud-based security service provided by Zscaler. It is designed to provide secure and fast access to the Internet for organizations of all sizes. ZIA enables organizations to shift their security from the traditional on-premises model to a cloud-based model, ensuring secure access to the internet from anywhere and on any device.
With the Coralogix integration, ZIA and Zscaler's Nanolog Streaming Service (NSS) provide real-time visibility into internet traffic and user activity through log streaming. This allows organizations to monitor and analyze network traffic for security threats and compliance purposes.
Requirements
Administrative login to ZIA Admin Portal
Administrative login to Coralogix platform
Configure Zscaler NSS
STEP 1. Verify that NSS is functional and healthy.
Go to Administration > Cloud Configuration > Nanolog Streaming Service.
Verify that the NSS State is Healthy.
STEP 2. On the Nanolog Streaming Service page, click Add NSS Feed.
STEP 3. Configure the following NSS feed parameters:
Feed Name - A meaningful NSS feed name
NSS Type - The NSS server type, Web or Firewall
Status - Enabled
SIEM Rate - Unlimited
SIEM Type - Other
Max Batch Size - 512 KB
API URL - A URL based on your Coralogix domain/region.
HTTP Headers - Two headers in the following format:
key1:value1
Content-Type - application/json
Authorization - Your Coralogix API key
Log Type - Desired log type
Feed Output Type - JSON
Feed Escape Character - Leave this field empty for Web, Firewall, and Tunnel. Set as
,\\"
(comma, backslash, quotation mark) for DNS.
Feed Output Format - Select Custom and paste the template below that matches the log type. Make sure that the application and subsystem values (
applicationName
, subsystemName
) are the ones you want to see in Coralogix.
Web
\\{
"applicationName": "Zscaler",
"subsystemName": "ZIA WEB",
"text": \\{
"sourcetype": "zscalernss-web",
"event": \\{
"datetime": "%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}",
"reason": "%s{reason}",
"event_id": "%d{recordid}",
"protocol": "%s{proto}",
"action": "%s{action}",
"transactionsize": "%d{totalsize}",
"responsesize": "%d{respsize}",
"requestsize": "%d{reqsize}",
"urlcategory": "%s{urlcat}",
"serverip": "%s{sip}",
"requestmethod": "%s{reqmethod}",
"refererURL": "%s{ereferer}",
"useragent": "%s{eua}",
"product": "NSS",
"location": "%s{elocation}",
"ClientIP": "%s{cip}",
"status": "%s{respcode}",
"user": "%s{elogin}",
"url": "%s{eurl}",
"vendor": "Zscaler",
"hostname": "%s{ehost}",
"clientpublicIP": "%s{cintip}",
"threatcategory": "%s{malwarecat}",
"threatname": "%s{threatname}",
"filetype": "%s{filetype}",
"appname": "%s{appname}",
"pagerisk": "%d{riskscore}",
"department": "%s{edepartment}",
"urlsupercategory": "%s{urlsupercat}",
"appclass": "%s{appclass}",
"dlpengine": "%s{dlpeng}",
"urlclass": "%s{urlclass}",
"threatclass": "%s{malwareclass}",
"dlpdictionaries": "%s{dlpdict}",
"fileclass": "%s{fileclass}",
"bwthrottle": "%s{bwthrottle}",
"contenttype": "%s{contenttype}",
"unscannabletype": "%s{unscannabletype}",
"deviceowner": "%s{deviceowner}",
"devicehostname": "%s{devicehostname}",
"keyprotectiontype": "%s{keyprotectiontype}",
"datacenter": "%s{datacenter}",
"datacentercity": "%s{datacentercity}",
"datacentercountry": "%s{datacentercountry}",
"dlpdicthitcount": "%s{dlpdicthitcount}",
"dlpidentifier": "%d{dlpidentifier}",
"dlpmd5": "%s{dlpmd5}",
"dlprulename": "%s{dlprulename}",
"filename": "%s{filename}",
"upload_filetype": "%s{upload_filetype}",
"upload_filename": "%s{upload_filename}",
"rulelabel": "%s{rulelabel}",
"ruletype": "%s{ruletype}",
"apprulelabel": "%s{apprulelabel}",
"host": "%s{host}",
"referer": "%s{referer}"
\\}
\\}
\\}
SaaS security activity
\\{
"applicationName": "Zscaler",
"subsystemName": "ZIA SaaS Activity",
"text": \\{
"sourcetype": "zscalernss-casb",
"event": \\{
"login": "%s{username}",
"tenant": "%s{tenant}",
"object_type": "%d{objtype1}",
"applicationname": "%s{appname}",
"object_name_1": "%s{objnames1}",
"object_name_2": "%s{objnames2}"
\\}\\}\\}
Admin audit
\\{
"applicationName": "Zscaler",
"subsystemName": "ZIA Audit",
"text": \\{
"sourcetype": "zscalernss-audit",
"event": \\{
"time": "%s{time}",
"recordid": "%d{recordid}",
"action": "%s{action}",
"category": "%s{category}",
"subcategory": "%s{subcategory}",
"resource": "%s{resource}",
"interface": "%s{interface}",
"adminid": "%s{adminid}",
"clientip": "%s{clientip}",
"result": "%s{result}",
"errorcode": "%s{errorcode}",
"auditlogtype": "%s{auditlogtype}",
"preaction": "%s{epreaction}",
"postaction": "%s{epostaction}"
\\}\\}\\}
Firewall
\\{
"applicationName": "Zscaler",
"subsystemName": "ZIA FW",
"text": \\{
"sourcetype": "zscalernss-fw",
"event": \\{
"datetime": "%s{time}",
"user": "%s{elogin}",
"department": "%s{edepartment}",
"locationname": "%s{elocation}",
"cdport": "%d{cdport}",
"csport": "%d{csport}",
"sdport": "%d{sdport}",
"ssport": "%d{ssport}",
"csip": "%s{csip}",
"cdip": "%s{cdip}",
"ssip": "%s{ssip}",
"sdip": "%s{sdip}",
"tsip": "%s{tsip}",
"tunsport": "%d{tsport}",
"tuntype": "%s{ttype}",
"action": "%s{action}",
"dnat": "%s{dnat}",
"stateful": "%s{stateful}",
"aggregate": "%s{aggregate}",
"nwsvc": "%s{nwsvc}",
"nwapp": "%s{nwapp}",
"proto": "%s{ipproto}",
"ipcat": "%s{ipcat}",
"destcountry": "%s{destcountry}",
"avgduration": "%d{avgduration}",
"rulelabel": "%s{erulelabel}",
"inbytes": "%ld{inbytes}",
"outbytes": "%ld{outbytes}",
"duration": "%d{duration}",
"durationms": "%d{durationms}",
"numsessions": "%d{numsessions}",
"ipsrulelabel": "%s{ipsrulelabel}",
"threatcat": "%s{threatcat}",
"threatname": "%s{ethreatname}",
"deviceowner": "%s{deviceowner}",
"devicehostname": "%s{devicehostname}"
\\}\\}\\}
DNS
\\{
"applicationName": "Zscaler",
"subsystemName": "ZIA DNS",
"text": \\{
"sourcetype": "zscalernss-dns",
"event": \\{
"datetime": "%s{time}",
"user": "%s{elogin}",
"department": "%s{edepartment}",
"location": "%s{elocation}",
"reqaction": "%s{reqaction}",
"resaction": "%s{resaction}",
"reqrulelabel": "%s{reqrulelabel}",
"resrulelabel": "%s{resrulelabel}",
"dns_reqtype": "%s{reqtype}",
"dns_req": "%s{req}",
"dns_resp": "%s{res}",
"srv_dport": "%d{sport}",
"durationms": "%d{durationms}",
"clt_sip": "%s{cip}",
"srv_dip": "%s{sip}",
"category": "%s{domcat}",
"respipcategory": "%s{respipcat}",
"deviceowner": "%s{deviceowner}",
"devicehostname": "%s{devicehostname}"
\\}\\}\\}
SaaS security
\\{
"applicationName": "Zscaler",
"subsystemName": "ZIA SAAS",
"text": \\{
"sourcetype": "zscalernss-casb",
"event": \\{
"datetime": "%s{time}",
"recordid": "%d{recordid}",
"company": "%s{company}",
"tenant": "%s{tenant}",
"login": "%s{user}",
"dept": "%s{department}",
"applicationname": "%s{applicationname}",
"filename": "%s{filename}",
"filesource": "%s{filesource}",
"filemd5": "%s{filemd5}",
"threatname": "%s{threatname}",
"policy": "%s{policy}",
"dlpdictnames": "%s{dlpdictnames}",
"dlpdictcount": "%s{dlpdictcount}",
"dlpenginenames": "%s{dlpenginenames}",
"fullurl": "%s{fullurl}",
"lastmodtime": "%s{lastmodtime}",
"filescantimems": "%d{filescantimems}",
"filedownloadtimems": "%d{filedownloadtimems}"
\\}\\}\\}
ITSM
\\{
"applicationName": "Zscaler",
"subsystemName": "ZIA ITSM",
"text": \\{
"sourcetype": "zscalernss-casb",
"event": \\{
"datetime": "%s{time}",
"company": "%s{company}",
"login": "%s{owner}",
"tenant": "%s{tenant}",
"dept": "%s{department}",
"applicationname": "%s{applicationname}",
"threatname": "%s{threatname}",
"policy": "%s{policy}",
"dlpdictnames": "%s{dlpdictnames}",
"dlpdictcount": "%s{dlpdictcount}",
"dlpenginenames": "%s{dlpenginenames}"
\\}\\}\\}
Public cloud storage
\\{
"applicationName": "Zscaler",
"subsystemName": "ZIA Storage",
"text": \\{
"sourcetype": "zscalernss-casb",
"event": \\{
"datetime": "%s{time}",
"recordid": "%d{recordid}",
"company": "%s{company}",
"tenant": "%s{tenant}",
"owner": "%s{owner}",
"dept": "%s{department}",
"applicationname": "%s{applicationname}",
"filename": "%s{filename}",
"filesource": "%s{filesource}",
"filemd5": "%s{filemd5}",
"threatname": "%s{threatname}",
"policy": "%s{policy}",
"dlpdictnames": "%s{dlpdictnames}",
"dlpdictcount": "%s{dlpdictcount}",
"dlpenginenames": "%s{dlpenginenames}",
"fullurl": "%s{fullurl}",
"lastmodtime": "%s{lastmodtime}",
"bucket_name": "%s{bucketname}"
\\}\\}\\}
Collaboration
\\{
"applicationName": "Zscaler",
"subsystemName": "ZIA Collaboration",
"text": \\{
"sourcetype": "zscalernss-casb",
"event": \\{
"datetime": "%s{time}",
"company": "%s{company}",
"login": "%s{owner}",
"tenant": "%s{tenant}",
"dept": "%s{department}",
"applicationname": "%s{applicationname}",
"threatname": "%s{threatname}",
"policy": "%s{policy}",
"dlpdictnames": "%s{dlpdictnames}",
"dlpdictcount": "%s{dlpdictcount}",
"dlpenginenames": "%s{dlpenginenames}"
\\}\\}\\}
CRM
\\{
"applicationName": "Zscaler",
"subsystemName": "ZIA CRM",
"text": \\{
"sourcetype": "zscalernss-casb",
"event": \\{
"datetime": "%s{time}",
"company": "%s{company}",
"login": "%s{owner}",
"tenant": "%s{tenant}",
"dept": "%s{department}",
"applicationname": "%s{applicationname}",
"threatname": "%s{threatname}",
"policy": "%s{policy}",
"dlpdictnames": "%s{dlpdictnames}",
"dlpdictcount": "%s{dlpdictcount}",
"dlpenginenames": "%s{dlpenginenames}"
\\}\\}\\}
Email
\\{
"applicationName": "Zscaler",
"subsystemName": "ZIA Email",
"text": \\{
"sourcetype": "zscalernss-casb",
"event": \\{
"datetime": "%s{time}",
"recordid": "%d{recordid}",
"company": "%s{company}",
"tenant": "%s{tenant}",
"login": "%s{owner}",
"dept": "%s{department}",
"applicationname": "%s{applicationname}",
"threatname": "%s{threatname}",
"policy": "%s{policy}",
"message": "%s{messageid}",
"dlpdictnames": "%s{dlpdictnames}",
"dlpdictcount": "%s{dlpdictcount}",
"dlpenginenames": "%s{dlpenginenames}"
\\}\\}\\}
Repository
\\{
"applicationName": "Zscaler",
"subsystemName": "ZIA Repository",
"text": \\{
"sourcetype": "zscalernss-casb",
"event": \\{
"datetime": "%s{time}",
"company": "%s{company}",
"login": "%s{owner}",
"tenant": "%s{tenant}",
"dept": "%s{department}",
"applicationname": "%s{applicationname}",
"threatname": "%s{threatname}",
"policy": "%s{policy}",
"dlpdictnames": "%s{dlpdictnames}",
"dlpdictcount": "%s{dlpdictcount}",
"dlpenginenames": "%s{dlpenginenames}"
\\}\\}\\}
STEP 4. Click Save and verify connectivity with the remote server.
Make sure you receive the following message:
You should now see the ZIA traffic on the Coralogix platform.
Create a Replace parsing rule in Coralogix
Use a Replace rule to mark the incoming logs as originating from Zscaler. This enables the appropriate alerts and visualizes the data in the custom dashboards.
STEP 1. Go to Data Flow > Parsing Rules, and add a new Replace rule.
STEP 2. On the New rule group page, configure the rule as follows: