Zscaler Internet Access (ZIA) is a cloud-based security service edge (SSE) solution that provides secure access to the internet regardless of user location or device. It offers web filtering, threat protection, data loss prevention (DLP), and SSL inspection to protect against web-based threats and enforce security policies.
INTEGRATION: S3, HTTP Collector (CloudNSS)
TABLES: Detection Finding, Data Security Finding, Authentication, Network activity, HTTP Activity, DNS Activity
Integration
DataBee ingests ZIA web, firewall, DNS and DLP events via Cloud NSS (Nanolog Streaming Service).
ZIA supports two ways of sending events using Cloud NSS:
Pushing logs via HTTP/s
Writing logs to an S3 bucket
DataBee supports both methods.
Sending logs from Zscaler via HTTP/s
DataBee Configuration
In this step, we will get the URL and tokens for Zscaler to use when sending events to DataBee.
The high level steps are:
Add a Zscaler Data Source with JSON-formatted logs
Get the Authorization token, DatasourceID and TenantID
Detailed steps can be found at https://docs.databee.buzz/docs/http-collector
Zscaler Configuration (HTTP/s)
We will need to configure ZIA to send logs to the DataBee HTTP collector.
Log into the Zscaler console as an Administrator
Navigate to the Administration button on the left and click on Nanolog Streaming Service
Click on the Cloud NSS tab and Add a new feed.
Enter the following details:
SIEM type: Other
API URL: Enter the API URL obtained in the previous step (see https://docs.databee.buzz/docs/http-collector#get-endpoint-url)
Add the following HTTP headers, using the values generated in the previous step (details at https://docs.databee.buzz/docs/http-collector):
Authorization
DatasourceID
TenantID
Select the log type to forward.
Set Feed Output Type to JSON.
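Before enabling the feed, it is worth confirming that the collector accepts a request carrying exactly those three headers, so that a typo in a header value shows up as a 401/403 here rather than as a silently empty data source later. The script below is an added example, not DataBee or Zscaler code. It assumes (the page does not say) that the collector accepts an HTTP POST whose body is one JSON object per line, that the Authorization value is sent exactly as the DataBee UI shows it, and that the URL, token and IDs are placeholders you replace.

```python
"""Smoke-test the DataBee HTTP collector before pointing a ZIA Cloud NSS feed at it.

Added example, not DataBee or Zscaler code. Assumptions not stated on the page:
the collector accepts a POST whose body is newline-delimited JSON (the shape a
JSON feed produces), the Authorization value is used verbatim, and the endpoint
URL, token and IDs below are placeholders to replace with your own values.
"""
import http.client
import json
import time
from urllib.parse import urlsplit

API_URL = "https://collector.example.invalid/ingest"   # placeholder (assumed)
AUTH_TOKEN = "REPLACE_WITH_AUTHORIZATION_TOKEN"         # placeholder
DATASOURCE_ID = "REPLACE_WITH_DATASOURCE_ID"            # placeholder
TENANT_ID = "REPLACE_WITH_TENANT_ID"                    # placeholder

# Constructed sample event; field names other than "time" are illustrative.
SAMPLE_EVENT = {
    "time": str(int(time.time())),   # same shape as "time":"%d{epochtime}"
    "action": "Allowed",
    "url": "example.com/index.html",
    "source": "nss-smoke-test",
}


def build_headers(token, datasource_id, tenant_id):
    """The three headers the Cloud NSS feed is configured with, plus a content type."""
    return {
        "Content-Type": "application/json",
        "Authorization": token,
        "DatasourceID": datasource_id,
        "TenantID": tenant_id,
    }


def build_body(events):
    """Serialise events as newline-delimited JSON, one compact object per line."""
    lines = "\n".join(json.dumps(e, separators=(",", ":")) for e in events)
    return (lines + "\n").encode("utf-8")


def post_events(api_url, headers, body, timeout=10):
    """POST to the collector; return (status, reason), or (None, error) if nothing was sent.

    http.client is used rather than urllib.request because it sends header names
    exactly as given (urllib.request would rewrite DatasourceID as Datasourceid).
    """
    parts = urlsplit(api_url)
    if parts.scheme != "https" or not parts.hostname:
        return None, "refusing to send a token over a non-HTTPS URL"
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn = http.client.HTTPSConnection(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("POST", path, body=body, headers=headers)
        resp = conn.getresponse()
        resp.read()  # drain so the connection closes cleanly
        return resp.status, resp.reason
    except OSError as exc:  # DNS failure, refused connection, TLS error, timeout
        return None, str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    headers = build_headers(AUTH_TOKEN, DATASOURCE_ID, TENANT_ID)
    status, detail = post_events(API_URL, headers, build_body([SAMPLE_EVENT]))
    print("collector responded:", status, detail)
```

A 2xx response means the headers are accepted; 401 or 403 points at the Authorization value or the IDs, and a refusal to send over plain HTTP is deliberate, since the token is a bearer credential for your tenant.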
Sending logs from Zscaler via S3
Sending logs using S3 will require the proper roles and permissions to be set up on AWS.
AWS Configuration
S3 setup is only required if S3 is the chosen destination for Cloud NSS. If Cloud NSS sends logs directly to DataBee's HTTP endpoint, this step can be skipped.
The integration of Cloud NSS and Amazon S3 provides long-term log retention, preprocessing of log data before ingestion, and compatibility with analytics solutions that can easily read log data from S3 buckets.
Create a User Group in AWS IAM
To create an AWS IAM user group:
1. Log in to the AWS Management Console.
2. In the search bar, enter IAM and select IAM.
3. In the left-side navigation, go to Access Management > User groups.
4. Click Create group. The Create user group page appears.
5. On the Create user group page, create a user group:
a. Enter a name for the user group (e.g., Zscaler_Group_Test).
b. Skip the options to add users and attach permissions policies.
c. Click Create group. You are redirected to the User groups page and a success message appears.
Create a User and Access Key in AWS IAM
To create a user and access key in AWS IAM:
1. In the left-side navigation of IAM, go to Access Management > Users.
2. Click Add users. The Create user wizard appears.
3. In the Create user wizard, create a user:
a. Enter a user name (e.g., Zscaler_User_Test), then click Next.
b. Add the user to the newly created user group (e.g., Zscaler_Group_Test), then click next.
c. Review your choices, then click Create user.
You are redirected to the Users page and a success message appears.
4. Click View user in the success message, or use the search bar to find the user by name, then select the new user.
5. On the Summary page for the newly created user, scroll down and click the Security credentials tab.
6. On the Security credentials tab, scroll down to the Access keys section and click Create access key. The Create access key wizard appears.
7. In the Create access key wizard, create an access key:
a. Select a use case (e.g., Third-party service), then click Next.
b. Click Create access key.
A success message appears.
c. Click Download .csv file to download and save a CSV file containing the access key ID and secret access key required for creating a Cloud NSS feed in the ZIA Admin Portal. The secret access key is shown only at creation time; treat the file as a credential, store it securely, and delete it once the values have been entered in the ZIA Admin Portal.
Create an S3 Bucket and Folder in Amazon S3
To create an S3 bucket and folder in Amazon S3:
1. In the search bar at the top of the screen, enter S3 and select S3.
2. In the left-side navigation, go to Buckets.
3. Click Create bucket. The Create bucket page appears.
4. On the Create bucket page, create a bucket:
a. Enter a name for the bucket (e.g., zscaler-bucket-test). The bucket name is part of its Amazon Resource Name (ARN), which is required for creating a policy in AWS.
b. Select your AWS Region. The region is part of the URL required for creating a Cloud NSS feed in the ZIA Admin Portal.
c. Keep the default configurations for the remaining settings (Block Public Access enabled, Bucket Versioning, Default encryption, etc.). The bucket will hold your web, firewall, DNS and DLP logs, so it must not be publicly readable.
d. Click Create bucket.
You are redirected to the Buckets page and a success message appears.
5. Click View details in the success message, or use the search bar to find the bucket by name, then select the new bucket.
6. On the Objects tab of the bucket page, click Create folder. The Create folder page appears.
7. On the Create folder page, create a folder:
a. Enter a Folder name (e.g., logs-test).
b. Maintain the default Server-side encryption settings and click Create folder.
You are redirected to the bucket page and a success message appears.
8. Select the folder and click Copy URL. Save the URL (e.g., https://zscaler-bucket-test.s3.us-west-2.amazonaws.com/logs-test/) required for creating a Cloud NSS feed in the ZIA Admin Portal. The name of your region (e.g., us-west-2) must be present in the URL.
9. Click the Properties tab, then copy and save the ARN (e.g., arn:aws:s3:::zscaler-bucket-test) required for creating a policy in AWS.
Create a Policy Granting the User Group Access to the S3 Bucket in Amazon IAM
A policy is a JSON document in AWS that specifies who has access to AWS resources and what actions they can perform on those resources. You can attach a policy to an identity (e.g., user group) or resource (e.g., S3 bucket) to define its permissions.
To integrate with Cloud NSS, the user group (e.g., Zscaler_Group_Test) needs permission to perform the s3:PutObject action on objects in the S3 bucket (e.g., zscaler-bucket-test). PutObject writes an object to the bucket, and it is the only permission the Zscaler credentials need: do not grant broader access such as s3:*, GetObject or ListBucket, since the access key lives outside your AWS account. Note that PutObject is an object-level action, so the policy's Resource must be the object ARN (the bucket ARN followed by /*), not the bucket ARN alone.
To create a policy granting the user group PutObject access to the S3 bucket:
1. Go to the IAM Management Console.
2. In the left-side navigation, go to Access management > Policies.
3. Click Create policy. The Create policy wizard appears.
4. In the Create policy wizard, create a policy:
a. Click the JSON tab.
b. In the JSON editor, write a policy that allows PutObject access to the S3 bucket (e.g., zscaler-bucket-test). See the following example.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PutObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::zscaler-bucket-test/*"
      ]
    }
  ]
}
c. Click Next: Tags.
d. Click Next: Review.
e. Enter a name for the policy (e.g., zscaler_policy_test).
f. Review the policy Summary information and click Create policy.
You are redirected to the Policies page and a success message appears.
5. Attach the policy to the newly created user group:
a. Click the link in the success message, or use the search bar to filter the policies by name, then select the new policy (e.g., zscaler_policy_test). The policy Summary page appears.
b. On the policy Summary page, click the Policy usage tab, then click Attach. The Attach policy page appears.
c. On the Attach policy page, search for and select the newly created user group (e.g., Zscaler_Group_Test), then click Attach policy.
You are redirected to the Summary page, which shows the user group (e.g., Zscaler_Group_Test) under Permissions.
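The policy above grants PutObject on every key in the bucket, which is more than the feed needs if it only ever writes under the logs-test/ folder. The script below is an added example, not AWS or Zscaler tooling: it evaluates a policy document offline against the actions a Cloud NSS S3 feed should and should not have, using a deliberately small subset of IAM semantics (explicit Deny beats Allow, Action and Resource both must match, * and ? wildcards, case-insensitive action names). Conditions, NotAction, principals and bucket policies are not modelled, so it is a pre-attach sanity check, not a replacement for the IAM policy simulator. The tightened SCOPED_POLICY variant is an assumption of this example, not something the page prescribes.

```python
"""Offline least-privilege check for the Cloud NSS S3 feed policy.

Added example, not AWS or Zscaler code. Implements only the IAM subset needed
here (Allow/Deny, Action/Resource wildcards); statements using Condition,
NotAction or NotResource are rejected rather than mis-evaluated.
"""
import json
import re

# The policy from the steps above: PutObject on any key in the bucket.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PutObjectActions",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": ["arn:aws:s3:::zscaler-bucket-test/*"],
        }
    ],
}

# Tightened variant (assumed, not from the page): writes only under logs-test/.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PutObjectLogsFolderOnly",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::zscaler-bucket-test/logs-test/*",
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def _wild(pattern, value, ignore_case=False):
    """IAM-style glob: '*' matches any run of characters (including '/'), '?' one."""
    regex = ".*".join(re.escape(part).replace(r"\?", ".") for part in pattern.split("*"))
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: any matching Deny wins, else any matching Allow."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        for unsupported in ("Condition", "NotAction", "NotResource"):
            if unsupported in stmt:
                raise ValueError(f"{unsupported} in statement {stmt.get('Sid')} is not modelled")
        action_hit = any(_wild(a, action, True) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_wild(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def audit_feed_policy(policy, bucket, prefix):
    """Permission matrix for a Cloud NSS feed: only put_in_folder should be True."""
    inside = f"arn:aws:s3:::{bucket}/{prefix}feed.json"
    outside = f"arn:aws:s3:::{bucket}/other/feed.json"
    return {
        "put_in_folder": is_allowed(policy, "s3:PutObject", inside),        # required
        "put_outside_folder": is_allowed(policy, "s3:PutObject", outside),  # should be False
        "get_object": is_allowed(policy, "s3:GetObject", inside),           # should be False
        "delete_object": is_allowed(policy, "s3:DeleteObject", inside),     # should be False
        "list_bucket": is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}"),  # should be False
    }


if __name__ == "__main__":
    for name, policy in (("page policy", PAGE_POLICY), ("scoped policy", SCOPED_POLICY)):
        print(name, json.dumps(audit_feed_policy(policy, "zscaler-bucket-test", "logs-test/")))
```

Both policies correctly withhold read, list and delete; the page's policy also lets the key write anywhere in the bucket, while the scoped variant confines it to the folder the feed is configured with, so a leaked Zscaler access key can neither read existing logs nor overwrite objects outside logs-test/.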
Zscaler Configuration (S3)
Log in to the Zscaler console as an Administrator and go to Administration > Nanolog Streaming Service.
Go to the Cloud NSS Feeds tab and add a new feed.
See Adding Cloud NSS Feeds in the Zscaler documentation and select the type of feed (e.g., Web Logs, Firewall Logs, DNS Logs, etc.) that you want to configure. The following fields require specific inputs:
• SIEM Type: Select S3.
• AWS Access Id: Enter the access key ID for the user created in AWS.
• AWS Secret Key: Enter the secret access key for the user created in AWS.
• Max Batch Size: This field shows the default maximum batch size for the log type (e.g., 32 MB for Web Log, 8 MB for Tunnel, etc.). Optionally, you can enter a value between 1 MB and 32 MB.
• S3 Folder URL: Enter the URL of the folder created in the S3 bucket (e.g., https://zscaler-bucket-test.s3.us-west-2.amazonaws.com/logs-test/).
• Feed Output Type: Select JSON.
• Feed Escape Character: Enter ,\".
• Feed Output Format: Zscaler recommends adding "time":"%d{epochtime}" to the Feed Output Format so that every record carries an epoch timestamp.
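Once the feed is writing to the bucket, the two settings above are the ones that most often break ingestion: without the time field records cannot be ordered, and without the double quote in the escape character list a quote inside a URL produces a line that is not valid JSON. The script below is an added example, not Zscaler or DataBee code, that validates feed output line by line and converts the epoch field to UTC. The three sample lines are constructed for this example, and their field names other than "time" are illustrative rather than Zscaler's schema; the third line shows an unescaped quote so the failure mode is visible.

```python
"""Validate JSON Cloud NSS feed output before loading it anywhere.

Added example, not Zscaler or DataBee code. Expects one JSON object per line
carrying "time":"%d{epochtime}" as recommended above. Sample lines are
constructed; field names other than "time" are illustrative.
"""
import json
from datetime import datetime, timezone

# Constructed sample feed output. Line 2 has a correctly escaped quote in the URL;
# line 3 has an unescaped one, as would happen without '"' in the escape characters.
SAMPLE_FEED = "\n".join([
    '{"time":"1700000000","action":"Allowed","url":"example.com/index.html","user":"alice@example.com"}',
    '{"time":"1700000042","action":"Blocked","url":"example.com/search?q=\\"quoted\\"","user":"bob@example.com"}',
    '{"time":"1700000099","action":"Allowed","url":"example.com/q="broken"","user":"carol@example.com"}',
])


def parse_record(line):
    """Parse one feed line; return (record, None) or (None, error message)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON at column {exc.colno}: {exc.msg}"
    if not isinstance(rec, dict):
        return None, "record is not a JSON object"
    raw = rec.get("time")
    if raw is None:
        return None, 'missing "time" field (add "time":"%d{epochtime}" to the Feed Output Format)'
    try:
        epoch = int(raw)  # the feed emits it as a quoted string
    except (TypeError, ValueError):
        return None, f'"time" is not an epoch integer: {raw!r}'
    rec["time_utc"] = datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()
    return rec, None


def load_feed(text):
    """Return (good_records, rejects); rejects are (line_number, error) pairs.

    A bad line is reported and skipped rather than aborting the whole batch,
    so one malformed URL cannot stop a 32 MB feed object from loading.
    """
    good, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec, err = parse_record(line)
        if rec is None:
            bad.append((lineno, err))
        else:
            good.append(rec)
    return good, bad


if __name__ == "__main__":
    records, rejects = load_feed(SAMPLE_FEED)
    for rec in records:
        print(rec["time_utc"], rec["action"], rec["url"])
    for lineno, err in rejects:
        print(f"line {lineno} rejected: {err}")
```

Run it against a downloaded feed object after the first batch lands in the bucket; a non-zero reject count almost always means the Feed Escape Character or Feed Output Format was not set as described above.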