
ZScaler Web Security

Chronicle supports ingesting ZScaler Web Security logs in order to visualize web traffic. CYDERES can host the Nanolog Streaming Service provided by ZScaler on the customer's behalf in order to get data into Chronicle. This document outlines the procedure to generate the SSL certificate needed for the integration to be implemented.

Chronicle Data Types

  • Web Proxy

Configuration

Reference: https://help.zscaler.com/zia/nss-deployment-guide-amazon-web-services

Set up Nanolog Streaming Service

  1. Go to Administration > Nanolog Streaming Service.
  2. From the "NSS Servers" tab, click Add NSS Server.
  3. In the Add NSS Server window, enter "CYDERES" as the NSS name and select "NSS for Web".
  4. Click Save.
  5. Click Download in the "SSL Certificate" column of the NSS that you are configuring, and then save the certificate ZIP file. At this point, provide the ZIP file to CYDERES.
  6. CYDERES will deploy an NSS server with the certificate ZIP to gather logs and a collector to send them to Chronicle.
  7. An NSS Feed will need to be created. This document covers "NSS for Web". While in the Administration > Nanolog Streaming Service section, in the NSS Feeds tab, click Add NSS Feed. In the Add NSS Feed window, enter the following information:

    • Feed Name: CYDERES – Chronicle
    • NSS Type: NSS for Web
    • NSS Server: CYDERES will provide the name of the NSS Server deployed
    • Status: Enabled
    • SIEM IP Address: CYDERES will provide the IP address of the forwarder
    • SIEM TCP Port: CYDERES will provide the TCP port of the forwarder
    • Log Type: Web Log
    • SIEM Rate Limit: Unrestricted
    • Feed Output Type: Splunk CIM
    • Feed Escape Character: leave blank
    • Feed Output Format: leave default
    • User Obfuscation: Disable
    • Timezone: GMT
    • Duplicate Logs: 60
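The feed above is configured with "Feed Output Type: Splunk CIM", which the NSS server emits as key=value pairs over TCP to the forwarder. The following is an added example (not code from ZScaler, CYDERES, or Chronicle) of how a forwarder-side receiver could parse one such line and confirm the fields it needs before forwarding. The sample line and the field names it uses (time, user, action, url, src_ip, and so on) are constructed for illustration; the exact field set of a real feed depends on the Feed Output Format chosen in the NSS Feed window and should be checked against your own feed output.

```python
"""Parse and validate Splunk CIM style key=value lines from an NSS web feed.

Added example for illustration; not ZScaler's, CYDERES's, or Chronicle's code.
The field names used here are assumptions, not ZScaler's documented schema.
"""
import re
from typing import Dict, Optional

# key=value where the value is either double-quoted (may contain spaces, '=' or
# escaped quotes) or a bare token with no whitespace.
_KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# Constructed sample line; the fields and values are invented for this example.
SAMPLE_LINE = (
    'time="Jan 01 2024 12:00:00" user="alice@example.com" action="Allowed" '
    'url="https://example.com/path?a=1&b=2" reason="No policy violation" '
    'src_ip=10.0.0.5 dest_ip=93.184.216.34 bytes_in=1024 bytes_out=512'
)

# Fields this (hypothetical) forwarder insists on before sending a record on.
REQUIRED_FIELDS = ("time", "user", "action", "url", "src_ip")


def parse_cim_line(line: str) -> Dict[str, str]:
    """Return a dict of key -> value for every key=value pair in the line.

    Quoted values keep their inner spaces and '=' characters; escaped quotes
    inside a quoted value are unescaped.  A later duplicate key overwrites an
    earlier one, which is the usual Splunk behaviour for repeated fields.
    """
    record: Dict[str, str] = {}
    for match in _KV_RE.finditer(line):
        key, quoted, bare = match.group(1), match.group(2), match.group(3)
        if quoted is not None:
            value = quoted.replace('\\"', '"')
        else:
            value = bare
        record[key] = value
    return record


def validate_record(record: Dict[str, str]) -> Optional[str]:
    """Return None when the record carries every required field with a
    non-empty value, otherwise a short reason describing what is missing."""
    missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
    if missing:
        return "missing required field(s): " + ", ".join(missing)
    return None


if __name__ == "__main__":
    rec = parse_cim_line(SAMPLE_LINE)
    problem = validate_record(rec)
    print("parsed fields:", sorted(rec))
    print("validation:", "ok" if problem is None else problem)
```

A receiver built this way should treat a validation failure as a signal to inspect the feed configuration (for example a changed Feed Output Format) rather than silently dropping records, since a feed that stops carrying the user or url field is indistinguishable, downstream, from a feed that stopped logging.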

Gather Information

  • SSL certificate