Zscaler ZIA integration
About this guide
This document is intended as a guide to deploying the required platform to receive the Nanolog Streaming Service (NSS) generated by Zscaler Internet Access on the Devo platform. Although we suggest some main settings (ports/output formats), you can customize these settings according to your needs with limits.
This guide covers only the Nanolog Streaming Service (NSS) for Zscaler ZIA. This guide does not cover the ZIA Cloud Service API or Zscaler Private Access (ZPA) logs.
About Zscaler
Zscaler provides enterprises cloud security services that replace the traditional inbound and outbound gateways. Zscaler helps organizations transform their network and security infrastructures from an appliance-based model to a modern, cloud approach, which allows them to take advantage of cloud agility, intelligence, and scalability—securely. Zscaler has two main cloud services:
Zscaler Internet Access (ZIA)
ZIA delivers the outbound security stack as a cloud service. ZIA includes secure web gateway, cloud firewall, cloud sandbox, next-gen firewall, data loss prevention, advanced threat protection, and more, all delivered from the cloud. With services such as bandwidth control, SSL inspection at scale, SD-WAN security, and simple, one-click configuration for Office 365 deployment, ZIA is everything you need to secure every connection between users and the applications they access over the internet.
Zscaler Private Access (ZPA)
ZPA is a new approach to secure remote access that’s based on a software-defined perimeter (SDP) model. A fully cloud-delivered service, ZPA ensures that only authorized users have access to specific private applications by creating secure segments of one between a user and an app. More than a VPN alternative, ZPA eliminates the attack surface and enables you to support multi-cloud environments simply and securely.
ZPA is out of the reach of this integration.
About Zscaler Internet Access (ZIA)
There are two types of data that can be collected from Zscaler Internet Access (ZIA):
Cloud Service API
The Cloud Service API can be used to manage security rules, users, groups, members, and to create and download audit log reports in CSV format. This log only includes actions related to admin tasks: create or delete users, rules, groups, member relationships, rules, etc.
Nanolog Streaming Service (NSS)
Zscaler Nanolog Streaming Service consolidates logs from all users, globally, into a central repository that is determined by customers, where administrators can view and mine transaction data by user, device, application, and location in real-time. An NSS feed specifies the data from the logs that the NSS will send to the SIEM. You can filter the data, so you send only the data you need to the SIEM. You can add one or more fields for the logs and one field for alerts. You can add up to 8 NSS feeds for each NSS. Each feed can have a different list of fields, a different format, and different filters.
NSS requires two different NSS Servers for each family feeds:
NSS Web Server - This server will be able to receive web logs, SaaS logs, tunnel logs, and alerts.
NSS Firewall Feeds - This server will be able to receive firewall logs and DNS logs.
The Cloud Service API is out of the reach of this integration.