Collect Zscaler Internet Access logs

This document describes how you can export Zscaler Internet Access logs by setting up a Google Security Operations feed and how log fields map to Google SecOps Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google SecOps overview.

A typical deployment consists of Zscaler Internet Access and the Google SecOps Webhook feed configured to send logs to Google SecOps. Each customer deployment can differ and might be more complex.

The deployment contains the following components:

• Zscaler Internet Access: The platform from which you collect logs.

• Google SecOps feed: The Google SecOps feed that fetches logs from Zscaler Internet Access and writes logs to Google SecOps.

• Google SecOps: Retains and analyzes the logs.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the ZSCALER_INTERNET_ACCESS ingestion label.

Before you begin

• Ensure that you have access to Zscaler Internet Access console. For more information, see Secure Internet and SaaS Access ZIA Help.
• Ensure that you are using Zscaler Internet Access 2024 or later.
• Ensure that all systems in the deployment architecture are configured with the UTC time zone.
• Ensure that you have the API key which is needed to complete feed setup in Google SecOps. For more information, see Setting up API keys.

Set up an ingestion feed in Google Security Operations to ingest Zscaler Internet Access logs

1. Go to SIEM Settings > Feeds.
2. Click Add new.
3. In the Feed name field, enter a name for the feed (for example, Zscaler Internet Access Logs).
4. Select Webhook as the Source Type.
5. Select Zscaler Internet Access Audit Logs as the Log Type.
6. Click Next.
7. Optional: Enter values for the following input parameters:
   1. Split delimiter: the delimiter that is used to separate the logs lines. Leave blank if a delimiter is not used.
   2. Asset namespace: the asset namespace.
   3. Ingestion labels: the label to be applied to the events from this feed.
8. Click Next.
9. Review your new feed configuration, and then click Submit.
10. Click Generate Secret Key to generate a secret key to authenticate this feed.

Set up Zscaler Internet Access

1. In the Zscaler Internet Access console, click Administration > Nanolog Streaming Service > Cloud NSS Feeds and then click Add Cloud NSS Feed.
2. The Add Cloud NSS Feed window appears. In the Add Cloud NSS Feed window, enter the details.
3. Enter a name for the feed in the Feed Name field.
4. Select NSS for Web in NSS Type.
5. Select the status from the Status list to activate or deactivate the NSS feed.
6. Keep the value in the SIEM Rate drop-down as Unlimited. To suppress the output stream due to licensing or other constraints, change the value.
7. Select Other in the SIEM Type list.
8. Select Disabled in the OAuth 2.0 Authentication list.
9. Enter a size limit for an individual HTTP request payload to the SIEM's best practice in Max Batch Size. For example, 512 KB.

10. Enter the HTTPS URL of the Chronicle API endpoint in the API URL in the following format:

      https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
    

    • CHRONICLE_REGION: Region where your Chronicle instance is hosted. For example, US.
    • GOOGLE_PROJECT_NUMBER: BYOP project number. Obtain this from C4.
    • LOCATION: Chronicle region. For example, US.
    • CUSTOMER_ID: Chronicle customer ID. Obtain from C4.
    • FEED_ID: Feed ID shown on Feed UI on the new webhook created

    • Sample API URL:

      https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs
      

11. Click Add HTTP Header to add more HTTP headers with keys and values.

    For example, Header 1: Key1: X-goog-api-key and Value1: API Key generated on Google Cloud BYOP's API Credentials.

12. Select Admin Audit Logs in the Log Types list.

13. Select JSON in the Feed Output Type list.

14. Set Feed Escape Character to , \ ".

15. To add a new field to the Feed Output Format, select Custom in the Feed Output Type list.

16. Copy-paste the Feed Output Format and add new fields. Ensure the key names match the actual field names.

17. Following is the default Feed Output Format:

      \{ "sourcetype" : "zscalernss-audit", "event" :\{"time":"%s{time}","recordid":"%d{recordid}","action":"%s{action}","category":"%s{category}","subcategory":"%s{subcategory}","resource":"%s{resource}","interface":"%s{interface}","adminid":"%s{adminid}","clientip":"%s{clientip}","result":"%s{result}","errorcode":"%s{errorcode}","auditlogtype":"%s{auditlogtype}","preaction":%s{preaction},"postaction":%s{postaction}\}\}
    

18. Select the timezone for the Time field in the output file in the Timezone list. By default, the timezone is set to your organization's time zone.

19. Review the configured settings.

20. Click Save to test connectivity. If the connection is successful, a green tick accompanied by the message Test Connectivity Successful: OK (200) appears.

For more information about Google SecOps feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type.

If you encounter issues when you create feeds, contact Google Security Operations support.

Field mapping reference

The following table lists the log fields of the ZSCALER_INTERNET_ACCESS log type and their corresponding UDM fields.