Collect Zscaler DLP logs

This document explains how to export Zscaler DLP logs by setting up a Google Security Operations feed and how log fields map to Google SecOps Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google SecOps overview.

A typical deployment consists of Zscaler DLP and the Google SecOps Webhook feed configured to send logs to Google SecOps. Each customer deployment can differ and might be more complex.

The deployment contains the following components:

  • Zscaler DLP: the platform from which you collect logs.

  • Google SecOps feed: the Google SecOps feed that fetches logs from Zscaler DLP and writes logs to Google SecOps.

  • Google Security Operations: retains and analyzes the logs.

An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the ZSCALER_DLP label.

Before you begin

  • Ensure that you have access to the Zscaler Internet Access console. For more information, see Secure Internet and SaaS Access ZIA Help.
  • Ensure that you are using Zscaler DLP 2024 or later.
  • Ensure that all systems in the deployment architecture are configured with the UTC time zone.
  • Ensure that you have the API key that is needed to complete the feed setup in Google Security Operations. For more information, see Setting up API keys.

Set up an ingestion feed in Google SecOps to ingest Zscaler DLP logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, Zscaler DLP Logs).
  4. Select Webhook as the Source Type.
  5. Select Zscaler DLP as the Log Type.
  6. Click Next.
  7. Optional: Specify values for the following input parameters:
    1. Split delimiter: the delimiter that is used to separate the log lines (leave blank if a delimiter is not used).
    2. Asset namespace: the asset namespace.
    3. Ingestion labels: the label to be applied to the events from this feed.
  8. Click Next.
  9. Review your new feed configuration in the Finalize screen, and then click Submit.
  10. Click Generate Secret Key to generate a secret key to authenticate this feed.

Set up Zscaler DLP

  1. In Zscaler Internet Access console, go to Administration > Nanolog Streaming Service > Cloud NSS Feeds.
  2. Click Add Cloud NSS Feed.
  3. Enter a name for the feed in the Feed Name field.
  4. Select NSS for Web in NSS Type.
  5. Select the status from the Status list to activate or deactivate the NSS feed.
  6. Keep the SIEM Rate value as Unlimited. Change it only if you need to throttle the output stream because of licensing or other constraints.
  7. Select Other in the SIEM Type list.
  8. Select Disabled in the OAuth 2.0 Authentication list.
  9. In Max Batch Size, enter the size limit for an individual HTTP request payload, following the SIEM's best practice (for example, 512 KB).
  10. In the API URL field, enter the HTTPS URL of the Chronicle API endpoint in the following format:

    https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
    
    • CHRONICLE_REGION: region where your Google SecOps instance is hosted (for example, US).
    • GOOGLE_PROJECT_NUMBER: BYOP project number (obtain this from C4).
    • LOCATION: Google SecOps region (for example, US).
    • CUSTOMER_ID: Google SecOps customer ID (obtain this from C4).
    • FEED_ID: Feed ID shown on the Feed UI on the new webhook created.

    Sample API URL:

    https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs
    
  11. Click Add HTTP Header to add HTTP headers as key-value pairs.

    For example:

    • Key: X-goog-api-key
    • Value: the API key generated under API Credentials in the Google Cloud BYOP project

  12. Select Endpoint DLP from the Log Types list.

  13. Select JSON in the Feed Output Type list.

  14. Set Feed Escape Character to , \ ".

  15. To add a new field to the Feed Output Format, select Custom in the Feed Output Type list.

  16. Copy and paste the Feed Output Format and add the new fields. Ensure that the key names match the actual field names.

    The following is the default Feed Output Format:

    \{ "sourcetype" : "zscalernss-edlp", "event" :\{"time":"%s{time}","recordid":"%d{recordid}","login":"%s{user}","dept":"%s{department}","filetypename":"%s{filetypename}","filemd5":"%s{filemd5}","dlpdictnames":"%s{dlpdictnames}","dlpdictcount":"%s{dlpcounts}","dlpenginenames":"%s{dlpengnames}","channel":"%s{channel}","actiontaken":"%s{actiontaken}","severity":"%s{severity}","rulename":"%s{triggeredrulelabel}","itemdstname":"%s{itemdstname}"\}\}
    
  17. In the Timezone list, select the time zone for the Time field in the output file. By default, the time zone is set to your organization's time zone.

  18. Review the configured settings.

  19. Click Save to test connectivity. If the connection succeeds, a green tick appears with the message Test Connectivity Successful: OK (200).

For more information about Google SecOps feeds, see Google SecOps feeds documentation. For information about requirements for each feed type, see Feed configuration by type.

If you encounter issues when you create feeds, contact Google SecOps support.

UDM Mapping Table

The following table lists the log fields of the ZSCALER_DLP log type and their corresponding UDM fields.

| Log field | UDM mapping | Logic |
|---|---|---|
| mon | additional.fields[mon] | |
| day | additional.fields[day] | |
| scantime | additional.fields[scantime] | |
| numdlpengids | additional.fields[numdlpengids] | |
| numdlpdictids | additional.fields[numdlpdictids] | |
| recordid | metadata.product_log_id | |
| scanned_bytes | additional.fields[scanned_bytes] | |
| dlpidentifier | security_result.detection_fields[dlpidentifier] | |
| login | principal.user.user_display_name | |
| b64user | principal.user.user_display_name | |
| euser | principal.user.user_display_name | |
| ouser | security_result.detection_fields[ouser] | |
| dept | principal.user.department | |
| b64department | principal.user.department | |
| edepartment | principal.user.department | |
| odepartment | security_result.detection_fields[odepartment] | |
| odevicename | security_result.detection_fields[odevicename] | |
| devicetype | principal.asset.attribute.labels[devicetype] | |
| | principal.asset.platform_software.platform | If the deviceostype log field value matches the regular expression pattern (?i)Windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS. |
| | principal.asset.asset_id | If the devicename log field value is not empty, then asset_id:devicename is mapped to the principal.asset.asset_id UDM field. If the b64devicename log field value is not empty, then asset_id:b64devicename is mapped to the principal.asset.asset_id UDM field. If the edevicename log field value is not empty, then asset_id:edevicename is mapped to the principal.asset.asset_id UDM field. |
| deviceplatform | principal.asset.attribute.labels[deviceplatform] | |
| deviceosversion | principal.asset.platform_software.platform_version | |
| devicemodel | principal.asset.hardware.model | |
| deviceappversion | additional.fields[deviceappversion] | |
| deviceowner | principal.user.userid | |
| b64deviceowner | principal.user.userid | |
| edeviceowner | principal.user.userid | |
| odeviceowner | security_result.detection_fields[odeviceowner] | |
| devicehostname | principal.hostname | |
| b64devicehostname | principal.hostname | |
| edevicehostname | principal.hostname | |
| odevicehostname | security_result.detection_fields[odevicehostname] | |
| datacenter | target.location.name | |
| datacentercity | target.location.city | |
| datacentercountry | target.location.country_or_region | |
| dsttype | target.resource.resource_subtype | |
| filedoctype | additional.fields[filedoctype] | |
| filedstpath | target.file.full_path | |
| b64filedstpath | target.file.full_path | |
| efiledstpath | target.file.full_path | |
| filemd5 | target.file.md5 | If the filemd5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the filemd5 log field is mapped to the target.file.md5 UDM field. |
| filesha | target.file.sha256 | If the filesha log field value matches the regular expression pattern ^[0-9a-f]+$, then the filesha log field is mapped to the target.file.sha256 UDM field. |
| filesrcpath | src.file.full_path | |
| b64filesrcpath | src.file.full_path | |
| efilesrcpath | src.file.full_path | |
| filetypecategory | additional.fields[filetypecategory] | |
| filetypename | target.file.mime_type | |
| itemdstname | target.resource.name | |
| b64itemdstname | target.resource.name | |
| eitemdstname | target.resource.name | |
| itemname | target.resource.attribute.labels[itemname] | |
| b64itemname | target.resource.attribute.labels[itemname] | |
| eitemname | target.resource.attribute.labels[itemname] | |
| itemsrcname | src.resource.name | |
| b64itemsrcname | src.resource.name | |
| eitemsrcname | src.resource.name | |
| itemtype | target.resource.attribute.labels[itemtype] | |
| ofiledstpath | security_result.detection_fields[ofiledstpath] | |
| ofilesrcpath | security_result.detection_fields[ofilesrcpath] | |
| oitemdstname | security_result.detection_fields[oitemdstname] | |
| oitemname | security_result.detection_fields[oitemname] | |
| odlpengnames | security_result.detection_fields[odlpengnames] | |
| oitemsrcname | security_result.detection_fields[oitemsrcname] | |
| srctype | src.resource.resource_subtype | |
| actiontaken | security_result.action_details | |
| | security_result.action | If the actiontaken log field value matches the regular expression pattern (?i)allow, then the security_result.action UDM field is set to ALLOW. Else, if the actiontaken log field value matches the regular expression pattern (?i)block, then the security_result.action UDM field is set to BLOCK. |
| activitytype | metadata.product_event_type | |
| addinfo | additional.fields[addinfo] | |
| channel | security_result.detection_fields[channel] | |
| confirmaction | security_result.detection_fields[confirmaction] | |
| confirmjust | security_result.description | |
| dlpdictcount | security_result.detection_fields[dlpdictcount] | |
| dlpdictnames | security_result.detection_fields[dlpdictnames] | |
| b64dlpdictnames | security_result.detection_fields[dlpdictnames] | |
| edlpdictnames | security_result.detection_fields[dlpdictnames] | |
| dlpenginenames | security_result.detection_fields[dlpenginenames] | |
| b64dlpengnames | security_result.detection_fields[dlpenginenames] | |
| edlpengnames | security_result.detection_fields[dlpenginenames] | |
| expectedaction | security_result.detection_fields[expectedaction] | |
| logtype | security_result.category_details | |
| odlpdictnames | security_result.detection_fields[odlpdictnames] | |
| ootherrulelabels | security_result.detection_fields[ootherrulelabels] | |
| otherrulelabels | security_result.rule_labels[otherrulelabels] | |
| b64otherrulelabels | security_result.rule_labels[otherrulelabels] | |
| eotherrulelabels | security_result.rule_labels[otherrulelabels] | |
| otriggeredrulelabel | security_result.rule_labels[otriggeredrulelabel] | |
| severity | security_result.severity_details | |
| | security_result.severity | If the severity log field value matches the regular expression pattern (?i)High, then the security_result.severity UDM field is set to HIGH. Else, if it matches (?i)Medium, then the security_result.severity UDM field is set to MEDIUM. Else, if it matches (?i)Low, then the security_result.severity UDM field is set to LOW. Else, if it matches (?i)Info, then the security_result.severity UDM field is set to INFORMATIONAL. |
| rulename | security_result.rule_name | |
| b64triggeredrulelabel | security_result.rule_name | |
| etriggeredrulelabel | security_result.rule_name | |
| zdpmode | security_result.detection_fields[zdpmode] | |
| tz | additional.fields[tz] | |
| ss | additional.fields[ss] | |
| mm | additional.fields[mm] | |
| hh | additional.fields[hh] | |
| dd | additional.fields[dd] | |
| mth | additional.fields[mth] | |
| yyyy | additional.fields[yyyy] | |
| sourcetype | additional.fields[sourcetype] | |
| eventtime | metadata.event_timestamp | |
| time | metadata.collected_timestamp | |
| rtime | additional.fields[rtime] | |
| | metadata.vendor_name | The metadata.vendor_name UDM field is set to Zscaler. |
| | metadata.product_name | The metadata.product_name UDM field is set to DLP. |
| | metadata.event_type | If the activitytype log field value contains Upload or Download, then the metadata.event_type UDM field is set to FILE_UNCATEGORIZED. Else, if the activitytype log field value is equal to File Copy, then the metadata.event_type UDM field is set to FILE_COPY. Else, if it is equal to File Read, then the metadata.event_type UDM field is set to FILE_READ. Else, if it is equal to File Write, then the metadata.event_type UDM field is set to FILE_MODIFICATION. Else, if it is equal to Email Sent, then the metadata.event_type UDM field is set to EMAIL_UNCATEGORIZED. Else, if it is equal to Print, then the metadata.event_type UDM field is set to STATUS_UPDATE. Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
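As an added example (not part of this document, and not the Google SecOps parser itself), the following Python applies the regex guards and conditional rules from the table above to a constructed record shaped like the default Feed Output Format from step 16, so that you can predict what a raw Endpoint DLP event becomes before it is ingested. The sample values are made up; only a subset of the documented mappings is implemented.

```python
import json
import re

# Constructed sample of one Endpoint DLP record, shaped like the default Feed Output Format
SAMPLE_RECORD = (
    '{ "sourcetype" : "zscalernss-edlp", "event" :{"time":"Mon Jan 1 12:00:00 2024",'
    '"recordid":"42","login":"jdoe@example.com","dept":"Finance",'
    '"filetypename":"application/pdf","filemd5":"d41d8cd98f00b204e9800998ecf8427e",'
    '"actiontaken":"Block","severity":"High","rulename":"Block PCI to USB",'
    '"activitytype":"File Copy"}}'
)

HEX = re.compile(r"^[0-9a-f]+$")  # guard the table applies before mapping filemd5/filesha
EXACT_EVENT_TYPES = {"File Copy": "FILE_COPY", "File Read": "FILE_READ",
                     "File Write": "FILE_MODIFICATION",
                     "Email Sent": "EMAIL_UNCATEGORIZED", "Print": "STATUS_UPDATE"}
SEVERITIES = (("High", "HIGH"), ("Medium", "MEDIUM"), ("Low", "LOW"), ("Info", "INFORMATIONAL"))


def to_udm(raw: str) -> dict:
    """Apply the documented ZSCALER_DLP rules to one raw record; keys are UDM paths."""
    ev = json.loads(raw)["event"]
    udm = {
        "metadata.vendor_name": "Zscaler",
        "metadata.product_name": "DLP",
        "metadata.product_log_id": ev.get("recordid"),
        "metadata.product_event_type": ev.get("activitytype"),
        "principal.user.user_display_name": ev.get("login"),
        "principal.user.department": ev.get("dept"),
        "security_result.rule_name": ev.get("rulename"),
        "security_result.action_details": ev.get("actiontaken"),
        "security_result.severity_details": ev.get("severity"),
    }
    if HEX.match(ev.get("filemd5", "")):       # uppercase or non-hex hashes are not mapped
        udm["target.file.md5"] = ev["filemd5"]
    action = ev.get("actiontaken", "")          # case-insensitive; allow is tested first
    if re.search(r"(?i)allow", action):
        udm["security_result.action"] = "ALLOW"
    elif re.search(r"(?i)block", action):
        udm["security_result.action"] = "BLOCK"
    for pattern, level in SEVERITIES:           # first matching level wins
        if re.search(f"(?i){pattern}", ev.get("severity", "")):
            udm["security_result.severity"] = level
            break
    activity = ev.get("activitytype", "")       # Upload/Download are substring matches
    if "Upload" in activity or "Download" in activity:
        udm["metadata.event_type"] = "FILE_UNCATEGORIZED"
    else:
        udm["metadata.event_type"] = EXACT_EVENT_TYPES.get(activity, "GENERIC_EVENT")
    return udm
```

Running `to_udm` over a batch of exported records is a quick way to confirm that your Custom Feed Output Format still yields the expected action, severity and event type after you add fields.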
