
Cloud Collectors Administration Guide

Configure the Zscaler ZIA Cloud Collector

Zscaler provides a cloud security platform that protects enterprises from cyber-attacks and data loss. If you use Zscaler ZIA for cloud security, you can use the Zscaler ZIA Cloud Collector to ingest its logs into the Exabeam Security Operations Platform.

Zscaler's Cloud Nanolog Streaming Service (Cloud NSS) pushes logs over HTTPS to the collector's endpoint. The Zscaler ZIA Webhook Cloud Collector receives them and makes the data and application events available to Exabeam cloud-delivered services such as Advanced Analytics.

The collector uses token-based authentication. The sending side (Cloud NSS, or any logging library or HTTP client) is configured with the collector URL and an authentication token, and posts data in the expected format over HTTPS with the token presented in the Authorization header.
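As an added example (this is not Exabeam or Zscaler code), the following Python script shows what that model amounts to on the sending side: newline-terminated log lines are grouped into batches bounded by the same 512 KB limit the NSS feed uses, and each batch is POSTed with the token as a bearer credential. The collector URL, the token and the Content-Type header are placeholders and assumptions; you obtain the real URL and token in the steps that follow, and the page does not state which content type the endpoint expects.

```python
"""Added example (not Exabeam or Zscaler code): what an NSS feed does on the wire.

Any HTTP client holding the collector URL and token can push batches to the
collector: a POST whose Authorization header carries the token as a bearer
credential.  The URL, token and Content-Type below are placeholder assumptions.
"""
import urllib.request

MAX_BATCH_BYTES = 512 * 1024  # the Max Batch Size set on the Cloud NSS feed


def make_batches(lines, max_bytes=MAX_BATCH_BYTES):
    """Group newline-terminated log lines into byte-bounded batches.

    A single line larger than max_bytes is emitted on its own rather than
    dropped, so nothing silently disappears; the receiver's own limit still
    applies to it.
    """
    batches, current, size = [], [], 0
    for line in lines:
        raw = line.encode("utf-8")
        if current and size + len(raw) > max_bytes:
            batches.append(b"".join(current))
            current, size = [], 0
        current.append(raw)
        size += len(raw)
    if current:
        batches.append(b"".join(current))
    return batches


def build_request(url, token, payload):
    """Build the POST the way the feed's Key 1 / Value 1 settings describe it."""
    if not url.startswith("https://"):
        # The token is a bearer credential: never let it travel over plain HTTP.
        raise ValueError("collector URL must use https")
    return urllib.request.Request(
        url,
        data=payload,
        method="POST",
        headers={
            "Authorization": "Bearer " + token,
            "Content-Type": "text/plain; charset=utf-8",  # assumed, not from the page
        },
    )


def send(url, token, lines, opener=urllib.request.urlopen):
    """Push every batch and return the HTTP status codes (network call)."""
    statuses = []
    for payload in make_batches(lines):
        with opener(build_request(url, token, payload), timeout=30) as resp:
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    # Constructed sample line in the web-feed layout; URL and token are placeholders.
    sample = [
        "Jan 02 03:04:05 zscaler-nss CEF:0|Zscaler|NSSWeblog|5.0|Allowed|None|3|"
        "act=Allowed suser=jdoe@example.com\n"
    ]
    req = build_request(
        "https://collector.example.invalid/ingest",
        "REPLACE_WITH_TOKEN",
        make_batches(sample)[0],
    )
    print(req.full_url, req.get_method(), req.get_header("Authorization")[:7] + "...")
```

The https check matters because the token is the only thing that authorizes writes into this collector; any client that obtains the URL and token can submit events, so it should be handled like any other credential.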

Obtain the Authentication Token and URL

To obtain the authentication token and URL on the Exabeam Security Operations Platform:

  1. Log in to the Exabeam Security Operations Platform with your registered credentials as an administrator.

  2. Navigate to Collectors > Cloud Collectors.

  3. Click New Collector.

  4. Click Zscaler ZIA.

  5. Specify a name for the Cloud Collector instance.

    Note

    The format for receiving data is set to Raw by default.

  6. (Optional) SITE – Select an existing site, or click manage your sites to create a new site with a unique ID. Adding a site name helps you manage environments with overlapping IP address ranges.

    By entering a site name, you associate the logs with a specific independent site. A sitename metadata field is automatically added to all the events that are going to be ingested via this collector. For more information about Site Management, see Define a Unique Site Name.

  7. (Optional) TIMEZONE – Select a time zone applicable to you for accurate detections and event monitoring.

    By entering a time zone, you override the default log time zone. A timezone metadata field is automatically added to all events ingested through this collector.

  8. Click Install.

    The message box displays the authentication token and the URL to which logs are sent.

    For all webhook-based cloud collectors there is a five-minute latency before logs are tagged with an updated site name.

  9. Copy the authentication token by clicking the copy icon.

    Record the token for later use when you configure Zscaler ZIA on the Zscaler platform. Treat it as a credential: anyone who holds the token and the URL can submit events to this collector.

  10. Copy the URL to send logs to by clicking the URL.

    Record the URL for later use when you configure Zscaler ZIA on the Zscaler platform.

  11. To view the cloud collector summary, click Go to Overview. If you want to add more cloud collector instances, click Add more collectors.

    The Overview tab displays the Zscaler ZIA Cloud Collector instance that you installed.

  12. Proceed to Configure Zscaler ZIA to Forward Logs to Exabeam.

Configure Zscaler ZIA to Forward Logs to Exabeam

To configure Zscaler ZIA to forward logs to the Zscaler ZIA Cloud Collector on the Exabeam Security Operations Platform:

  1. Log in to the Zscaler platform with your registered credentials as an administrator.

  2. Complete the Prerequisites to Configure the Zscaler ZIA Cloud Collector.

  3. Navigate to Administration > Cloud Configuration > Nanolog Streaming Service.

  4. In the Cloud NSS Feeds tab, click Add Cloud NSS Feed.

  5. In the Feed Name field, enter a descriptive name for the feed. For example, Exabeam CNSS Web Feed.

  6. In the SIEM CONNECTIVITY section, set SIEM Type to Other.

  7. NSS Type – Select the log type: NSS for Web or NSS for Firewall.

    • If you keep the default NSS for Web option, enter the following information.

      1. Set the Max Batch Size to 512 KB.

      2. In the API URL field, enter the HTTPS URL of the SIEM log collection API endpoint that you recorded from the Exabeam Security Operations Platform.

      3. In the Key 1 field, select Authorization.

      4. In the Value 1 field, type Bearer, a space, and then the authentication token that you recorded from the Exabeam Security Operations Platform (that is, Bearer followed by the token).

      5. In the Formatting section, set the following values.

        Log Type: Web Log

        Feed Output Type: Custom

        Feed Escape Character: \",  (backslash, double quote and comma; the feed prefixes each of these with a backslash wherever it appears inside a field value)

        Feed Output Format:

        %s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss CEF:0|Zscaler|NSSWeblog|5.0|%s{action}|%s{reason}|3|act=%s{action} app=%s{proto} cat=%s{urlcat} dhost=%s{ehost} dst=%s{sip} src=%s{cip} in=%d{respsize} outcome=%s{respcode} out=%d{reqsize} request=%s{eurl} rt=%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} sourceTranslatedAddress=%s{cintip} requestClientApplication=%s{ua} requestMethod=%s{reqmethod} suser=%s{login} spriv=%s{location} externalId=%d{recordid} fileType=%s{filetype} reason=%s{reason} destinationServiceName=%s{appname} cn1=%d{riskscore} cn1Label=riskscore cs1=%s{dept} cs1Label=dept cs2=%s{urlsupercat} cs2Label=urlsupercat cs3=%s{appclass} cs3Label=appclass cs4=%s{malwarecat} cs4Label=malwarecat cs5=%s{threatname} cs5Label=threatname cs6=%s{dlpeng} cs6Label=dlpeng ZscalerNSSWeblogURLClass=%s{urlclass} ZscalerNSSWeblogDLPDictionaries=%s{dlpdict} requestContext=%s{ereferer} contenttype=%s{contenttype} unscannabletype=%s{unscannabletype} deviceowner=%s{deviceowner} devicehostname=%s{devicehostname}\n

        Timezone: GMT

    • If you select NSS for Firewall, set the following values in the Formatting section.

      Log Type: Firewall Logs

      Firewall Log Type: Both Session and Aggregate Logs

      Feed Output Type: Custom

      Feed Escape Character: leave this field blank

      Feed Output Format:

      datetime=%s{time}\tuser=%s{login}\tdepartment=%s{dept}\tlocationname=%s{location}\tcdport=%d{cdport}\tcsport=%d{csport}\tsdport=%d{sdport}\tssport=%d{ssport}\tcsip=%s{csip}\tcdip=%s{cdip}\tssip=%s{ssip}\tsdip=%s{sdip}\ttsip=%s{tsip}\ttunsport=%d{tsport}\ttuntype=%s{ttype}\taction=%s{action}\tdnat=%s{dnat}\tstateful=%s{stateful}\taggregate=%s{aggregate}\tnwsvc=%s{nwsvc}\tnwapp=%s{nwapp}\tproto=%s{ipproto}\tipcat=%s{ipcat}\tdestcountry=%s{destcountry}\tavgduration=%d{avgduration}\trulelabel=%s{rulelabel}\tinbytes=%ld{inbytes}\toutbytes=%ld{outbytes}\tduration=%d{duration}\tdurationms=%d{durationms}\tnumsessions=%d{numsessions}\tipsrulelabel=%s{ipsrulelabel}\tthreatcat=%s{threatcat}\tthreatname=%s{threatname}\tdeviceowner=%s{deviceowner}\tdevicehostname=%s{devicehostname}\n
    • For DNS Logs, set Log Type to DNS Logs, set Feed Output Type to JSON, and enter the Feed Output Format shown in the following screenshot.

      Zscaler_logType_DNS_Logs.png
  8. Click Save.

    The Zscaler ZIA Cloud Collector is now set up to start ingesting events.

  9. (Optional) Selectively filter the events you want to send to the collector.

    For more information, refer to Define the Filters in the Zscaler ZIA documentation.
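The two Feed Output Format strings above fix the shape of what reaches the collector, so it is worth being able to check a received line against them. The following Python script is an added example (not Exabeam or Zscaler code) that parses one constructed line of each layout: the web feed as CEF, undoing the backslash escaping that the Feed Escape Character setting applies to backslash, double quote and comma, and the firewall feed as tab-separated key=value with no escaping. The sample lines are constructed to match the templates and do not come from a real tenant; the field values in them are invented.

```python
"""Added example (not Exabeam or Zscaler code): parse the two feed layouts.

Web feed: CEF, with Zscaler escaping backslash, double quote and comma using a
backslash.  Firewall feed: tab-separated key=value, no escaping.  Both samples
below are constructed from the page's templates; the values are invented.
"""
import re

# Constructed web-feed line; note the escaped comma in cat= and quotes in reason=.
WEB_SAMPLE = (
    'Jan 02 03:04:05 zscaler-nss CEF:0|Zscaler|NSSWeblog|5.0|Blocked|Malware Site|3|'
    'act=Blocked app=HTTPS cat=Malicious\\, Phishing dhost=bad.example.net '
    'dst=203.0.113.5 src=10.1.2.3 in=0 outcome=403 out=512 '
    'request=https://bad.example.net/login?a=1&b=2 suser=jdoe@example.com '
    'reason=Blocked by \\"Policy\\" cs5=Trojan.Generic cs5Label=threatname\n'
)

# Constructed firewall-feed line (a subset of the template's fields).
FW_SAMPLE = (
    'datetime=Tue Jan  2 03:04:05 2024\tuser=jdoe@example.com\tdepartment=Eng\t'
    'locationname=HQ\tcdport=443\tcsport=51514\tsdport=443\tssport=51514\t'
    'csip=10.1.2.3\tcdip=198.51.100.7\tssip=203.0.113.9\tsdip=198.51.100.7\t'
    'action=Drop\tnwapp=ssl\tproto=TCP\tdestcountry=NL\trulelabel=Block Risky Apps\t'
    'inbytes=0\toutbytes=1420\tduration=12\tnumsessions=1\tthreatcat=None\tthreatname=None\n'
)

# An extension key starts the line or follows whitespace, so "?a=1&b=2" inside a
# URL value is not mistaken for new keys.
_KEY = re.compile(r'(?:^|(?<=\s))([A-Za-z][A-Za-z0-9_]*)=')


def _unescape(value):
    """Undo backslash escaping: \\, \\" \\\\ from the feed, plus CEF's own \\= and \\|."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_web_cef(line):
    """Return (prefix, header dict, extension dict) for one web-feed line."""
    line = line.rstrip('\n')
    start = line.find('CEF:')
    if start < 0:
        raise ValueError('not a CEF line')
    prefix = line[:start].rstrip()  # the "%s{mon} %02d{dd} ... zscaler-nss" part
    parts = re.split(r'(?<!\\)\|', line[start:], maxsplit=7)  # unescaped pipes only
    if len(parts) != 8:
        raise ValueError('malformed CEF header')
    names = ['version', 'vendor', 'product', 'product_version',
             'signature_id', 'name', 'severity']
    header = {n: _unescape(p) for n, p in zip(names, parts[:7])}
    header['version'] = header['version'][len('CEF:'):]
    ext_text, ext = parts[7], {}
    matches = list(_KEY.finditer(ext_text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext_text)
        ext[m.group(1)] = _unescape(ext_text[m.end():end].strip())
    # Resolve csN/csNLabel and cnN/cnNLabel pairs into the named fields the
    # template assigns (cs5 + cs5Label=threatname -> threatname).
    for key in list(ext):
        if key.endswith('Label') and key[:-5] in ext:
            ext[ext[key]] = ext[key[:-5]]
    return prefix, header, ext


def parse_firewall_tsv(line):
    """Return a dict for one firewall-feed line (tab-separated key=value)."""
    record = {}
    for field in line.rstrip('\n').split('\t'):
        key, sep, value = field.partition('=')
        if not sep:
            # With no escape character configured, a tab inside a value cannot
            # be told apart from a field boundary; flag the record instead.
            raise ValueError(f'field without "=": {field!r}')
        record[key] = value
    return record


if __name__ == '__main__':
    prefix, header, ext = parse_web_cef(WEB_SAMPLE)
    print(prefix, header['name'], ext['cat'], ext['threatname'], sep=' | ')
    fw = parse_firewall_tsv(FW_SAMPLE)
    print(fw['user'], fw['action'], fw['rulelabel'], sep=' | ')
```

The label-resolution step is what makes the custom fields usable downstream: the template packs department, URL super-category, application class, malware category, threat name and DLP engine into cs1 to cs6, and only the paired csNLabel values say which is which.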