Zscaler Custom Data Collection Integration


Before going through this article, check our Out-of-the-box App Integrations category. This is the recommended way to integrate the components of your cybersecurity stack with Lumu. If the product you are looking to integrate is there, it is advised to use that integration instead.

This article shows how to leverage the Lumu Defender API to integrate and collect URL filtering data via API from Zscaler, and feed it to Lumu.

Figure: Lumu Event data collection configuration from Zscaler

Requirements

  1. Zscaler NSS Server with an SSL certificate installed

NSS Feed Collector type Firewall

To collect Firewall-type logs, a Zscaler NSS feed must be configured.

To do this, go to Administration → Cloud Configuration → Nanolog Streaming Service → NSS Feeds → Add NSS Feed. Select the NSS type “NSS for Firewall” and, in the NSS Server field, select the server created earlier.

Fill in the SIEM data, which corresponds to the IP and port of the Lumu VA, and in “Firewall Log Type” select both Session and Aggregate Logs. In the Feed Output Type field, select “Name-Value Pairs” with this structure:

  1. datetime="%04d{yyyy}-%02d{mth}-%02d{dd}T%02d{hh}:%02d{mm}:%02d{ss}Z"\tuser="%s{login}"\tdepartment="%s{dept}"\tlocationname="%s{location}"\tcdport="%d{cdport}"\tcsport="%d{csport}"\tsdport="%d{sdport}"\tssport="%d{ssport}"\tcsip="%s{csip}"\tcdip="%s{cdip}"\tssip="%s{ssip}"\tsdip="%s{sdip}"\ttsip="%s{tsip}"\ttunsport="%d{tsport}"\ttuntype="%s{ttype}"\taction="%s{action}"\tdnat="%s{dnat}"\tstateful="%s{stateful}"\taggregate="%s{aggregate}"\tnwsvc="%s{nwsvc}"\tnwapp="%s{nwapp}"\tprotocol="%s{ipproto}"\tipcat="%s{ipcat}"\tdestcountry="%s{destcountry}"\tavgduration="%d{avgduration}"\trulelabel="%s{rulelabel}"\tinbytes=%ld{inbytes}\toutbytes=%ld{outbytes}\tduration="%d{duration}"\tdurationms="%d{durationms}"\tnumsessions="%d{numsessions}"\tipsrulelabel="%s{ipsrulelabel}"\tthreatcat="%s{threatcat}"\tthreatname="%s{threatname}"\tdeviceowner="%s{deviceowner}"\tdevicehostname="%s{devicehostname}"\n

It is important NOT to select or add any value in the Timezone field; leave the default, GMT. With this configuration, the interval at which Zscaler sends the collected information to Lumu is 15 minutes.

NSS Feed Collector type Web 

To collect Web-type logs, a Zscaler NSS feed must be configured.

To do this, go to Administration → Cloud Configuration → Nanolog Streaming Service → NSS Feeds → Add NSS Feed. Select the NSS type “NSS for Web” and, in the NSS Server field, select the server created earlier.

Fill in the SIEM data, which corresponds to the IP and port of the Lumu VA, and in the Feed Output Type field select Splunk CIM. It must have the following structure:
  1. datetime="%d{yy}-%02d{mth}-%02d{dd}T%02d{hh}:%02d{mm}:%02d{ss}Z"\treason="%s{reason}"\tevent_id="%d{recordid}"\tprotocol="%s{proto}"\taction="%s{action}"\trequestdatasize="%d{reqdatasize}"\tresponsesize="%d{respsize}"\trequestsize="%d{reqsize}"\tresponsedatasize="%d{respdatasize}"\turlcategory="%s{urlcat}"\tserverip="%s{sip}"\tclienttranstime="%d{ctime}"\trequestmethod="%s{reqmethod}"\trefererURL="%s{ereferer}"\tuseragent="%s{ua}"\tproduct="NSS"\tlocation="%s{location}"\tClientIP="%s{cip}"\tstatus="%s{respcode}"\tuser="%s{login}"\turl="%s{eurl}"\tvendor="Zscaler"\thostname="%s{ehost}"\tclientpublicIP="%s{cintip}"\tthreatcategory="%s{malwarecat}"\tthreatname="%s{threatname}"\tfiletype="%s{filetype}"\tappname="%s{appname}"\tpagerisk="%d{riskscore}"\tdepartment="%s{dept}"\turlsupercategory="%s{urlsupercat}"\tappclass="%s{appclass}"\tdlpengine="%s{dlpeng}"\turlclass="%s{urlclass}"\tthreatclass="%s{malwareclass}"\tdlpdictionaries="%s{dlpdict}"\tfileclass="%s{fileclass}"\tbwthrottle="%s{bwthrottle}"\tservertranstime="%d{stime}"\tcontenttype="%s{contenttype}"\tunscannabletype="%s{unscannabletype}"\tdevicehostname="%s{devicehostname}"\tdeviceowner="%s{deviceowner}"

It is important NOT to select or add any value in the Timezone field; leave the default, GMT.
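To show what the Lumu VA receives from the two feeds above (tab-separated key="value" pairs, with inbytes/outbytes unquoted, and a GMT timestamp), here is an added example parser; it is not Lumu's or Zscaler's code, the sample lines are constructed, and the output field names (source_ip, destination, feed) are assumed rather than Lumu's API schema.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the shape the Web and Firewall feed formats above emit.
WEB_LINE = ('datetime="2024-05-06T14:03:11Z"\treason="Allowed"\tevent_id="123"\tprotocol="HTTPS"\t'
            'action="Allowed"\turlcategory="Business"\tserverip="203.0.113.10"\tClientIP="10.1.2.3"\t'
            'status="200"\tuser="jdoe@example.com"\turl="www.example.com/?q=1"\tvendor="Zscaler"\t'
            'hostname="www.example.com"\tthreatcategory="None"\tthreatname="None"\n')
FW_LINE = ('datetime="2024-05-06T14:03:12Z"\tuser="jdoe@example.com"\tdepartment="IT"\tcsip="10.1.2.3"\t'
           'sdip="203.0.113.10"\tsdport="443"\taction="Allow"\tprotocol="TCP"\tinbytes=1234\t'
           'outbytes=567\tthreatcat="None"\tthreatname="None"\n')

# One pair: key, then either a double-quoted value or a bare value running to the next tab.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\t]*))')


def parse_nss_line(line: str) -> dict:
    """Split one NSS feed line into its name-value pairs (values stay strings)."""
    fields = {}
    for match in PAIR_RE.finditer(line.rstrip("\n")):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def event_time_utc(fields: dict) -> datetime:
    """The feeds are configured without a timezone offset, so the trailing 'Z'
    is taken at face value and the timestamp is parsed as UTC; anything else
    (e.g. an offset added by mistake) is rejected instead of silently shifted."""
    raw = fields["datetime"]
    if not raw.endswith("Z"):
        raise ValueError(f"expected GMT timestamp ending in Z, got {raw!r}")
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def to_record(fields: dict) -> dict:
    """Map either feed to one common shape (assumed field names, not Lumu's schema):
    Web lines carry hostname/ClientIP, Firewall lines carry sdip/csip."""
    is_web = "hostname" in fields
    return {
        "timestamp": event_time_utc(fields).isoformat(),
        "feed": "web" if is_web else "firewall",
        "source_ip": fields.get("ClientIP") if is_web else fields.get("csip"),
        "destination": fields.get("hostname") if is_web else fields.get("sdip"),
        "user": fields.get("user", ""),
        "threat": fields.get("threatname", "None"),
    }


if __name__ == "__main__":
    for line in (WEB_LINE, FW_LINE):
        print(to_record(parse_nss_line(line)))
```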
