Before going through this article, check our Out-of-the-box App Integrations category. This is the recommended way to integrate the components of your cybersecurity stack with Lumu. If the product you want to integrate is listed there, use that integration instead.
This article shows how to use the Lumu Defender API to collect URL filtering data from Zscaler via API and feed it to Lumu.
Requirements
- Zscaler NSS Server with SSL certificate installed
NSS Feed Collector type Firewall
To collect Firewall type logs, you must configure a Zscaler Feed.
To do this, go to Administration > Cloud Configuration > Nanolog Streaming Service > NSS Feeds > Add NSS Feed.
Select NSS for Firewall in the NSS type field, and in the NSS Server field, select the server created earlier.
Fill in the SIEM data, which corresponds to the IP and port of the Lumu VA, and in the Firewall Log Type field select both Session and Aggregate Logs. In the Feed Output Type field, select Name Value Pairs with this structure:
datetime="%04d{yyyy}-%02d{mth}-%02d{dd}T%02d{hh}:%02d{mm}:%02d{ss}Z"\tuser="%s{login}"\tdepartment="%s{dept}"\tlocationname="%s{location}"\tcdport="%d{cdport}"\tcsport="%d{csport}"\tsdport="%d{sdport}"\tssport="%d{ssport}"\tcsip="%s{csip}"\tcdip="%s{cdip}"\tssip="%s{ssip}"\tsdip="%s{sdip}"\ttsip="%s{tsip}"\ttunsport="%d{tsport}"\ttuntype="%s{ttype}"\taction="%s{action}"\tdnat="%s{dnat}"\tstateful="%s{stateful}"\taggregate="%s{aggregate}"\tnwsvc="%s{nwsvc}"\tnwapp="%s{nwapp}"\tprotocol="%s{ipproto}"\tipcat="%s{ipcat}"\tdestcountry="%s{destcountry}"\tavgduration="%d{avgduration}"\trulelabel="%s{rulelabel}"\tinbytes=%ld{inbytes}\toutbytes=%ld{outbytes}\tduration="%d{duration}"\tdurationms="%d{durationms}"\tnumsessions="%d{numsessions}"\tipsrulelabel="%s{ipsrulelabel}"\tthreatcat="%s{threatcat}"\tthreatname="%s{threatname}"\tdeviceowner="%s{deviceowner}"\tdevicehostname="%s{devicehostname}"\n
It is important NOT to select or add any value in the Timezone field; leave it at the default, GMT. With this configuration, the interval at which Zscaler collects and sends the information to Lumu is 15 minutes.
NSS Feed Collector type Web
To collect Web type logs, you must configure a Zscaler Feed.
To do this, go to Administration > Cloud Configuration > Nanolog Streaming Service > NSS Feeds > Add NSS Feed. Select NSS for Web in the NSS type field, and in the NSS Server field select the server created earlier.
Fill in the SIEM data, which corresponds to the IP and port of the Lumu VA, and in the Feed Output Type field select SPLUNK CIM. It must have the following structure:
datetime="%d{yy}-%02d{mth}-%02d{dd}T%02d{hh}:%02d{mm}:%02d{ss}Z"\treason="%s{reason}"\tevent_id="%d{recordid}"\tprotocol="%s{proto}"\taction="%s{action}"\trequestdatasize="%d{reqdatasize}"\tresponsesize="%d{respsize}"\trequestsize="%d{reqsize}"\tresponsedatasize="%d{respdatasize}"\turlcategory="%s{urlcat}"\tserverip="%s{sip}"\tclienttranstime="%d{ctime}"\trequestmethod="%s{reqmethod}"\trefererURL="%s{ereferer}"\tuseragent="%s{ua}"\tproduct="NSS"\tlocation="%s{location}"\tClientIP="%s{cip}"\tstatus="%s{respcode}"\tuser="%s{login}"\turl="%s{eurl}"\tvendor="Zscaler"\thostname="%s{ehost}"\tclientpublicIP="%s{cintip}"\tthreatcategory="%s{malwarecat}"\tthreatname="%s{threatname}"\tfiletype="%s{filetype}"\tappname="%s{appname}"\tpagerisk="%d{riskscore}"\tdepartment="%s{dept}"\turlsupercategory="%s{urlsupercat}"\tappclass="%s{appclass}"\tdlpengine="%s{dlpeng}"\turlclass="%s{urlclass}"\tthreatclass="%s{malwareclass}"\tdlpdictionaries="%s{dlpdict}"\tfileclass="%s{fileclass}"\tbwthrottle="%s{bwthrottle}"\tservertranstime="%d{stime}"\tcontenttype="%s{contenttype}"\tunscannabletype="%s{unscannabletype}"\tdevicehostname="%s{devicehostname}"\tdeviceowner="%s{deviceowner}"
It is important NOT to select or add any value in the Timezone field; leave it at the default, GMT.
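Both feed formats above produce tab-separated key="value" records (with inbytes and outbytes unquoted in the Firewall feed) whose datetime is stamped in GMT. The following Python is an added example, not part of this article nor of Lumu's or Zscaler's software: it parses such a record and flags a timestamp that is not in GMT or a byte count that is not numeric, which is a quick way to verify what the NSS server is actually sending to the Lumu VA. The sample records are constructed, and a four-digit year is assumed, as in the Firewall feed format.

```python
import re
from datetime import datetime, timezone
# One field of an NSS record: key="quoted value", or key=bare (inbytes/outbytes are unquoted).
FIELD_RE = re.compile(r'([A-Za-z_]\w*)=(?:"([^"]*)"|([^\t]*))')
# Constructed sample (not real traffic) using a subset of the Firewall feed's fields.
SAMPLE_FW = ('datetime="2024-05-06T13:45:10Z"\tuser="jdoe@example.com"\tdepartment="IT"'
             '\tcsip="10.1.2.3"\tcdip="93.184.216.34"\tsdip="93.184.216.34"\tsdport="443"'
             '\taction="Allow"\tnwapp="General Browsing"\tprotocol="TCP"'
             '\tinbytes=5120\toutbytes=2048\tthreatname="None"\tdevicehostname="LAPTOP-01"\n')
# The same record as it would arrive if the feed's Timezone had been changed to a local offset.
SAMPLE_LOCAL_TZ = SAMPLE_FW.replace('2024-05-06T13:45:10Z', '2024-05-06T08:45:10-05:00')

def parse_nss_line(line: str) -> dict:
    """Split one tab-separated NSS name-value-pair record into a dict of strings."""
    fields = {}
    for raw in line.rstrip("\n").split("\t"):
        m = FIELD_RE.fullmatch(raw)
        if m is None:
            raise ValueError(f"malformed field: {raw!r}")
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields

def parse_gmt_timestamp(value: str) -> datetime:
    """With the Timezone left at GMT the datetime field ends in 'Z' and parses as UTC."""
    if not value.endswith("Z"):
        raise ValueError(f"timestamp is not GMT ('Z' suffix expected): {value!r}")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_feed_line(line: str) -> list:
    """Return the problems found in one record; an empty list means it has the expected shape."""
    try:
        fields = parse_nss_line(line)
    except ValueError as exc:
        return [str(exc)]
    if "datetime" not in fields:
        return ["missing datetime field"]
    problems = []
    try:
        parse_gmt_timestamp(fields["datetime"])
    except ValueError as exc:
        problems.append(str(exc))
    for key in ("inbytes", "outbytes"):  # bare numeric fields of the Firewall feed
        if key in fields and not fields[key].isdigit():
            problems.append(f"{key} is not an integer: {fields[key]!r}")
    return problems

if __name__ == "__main__":
    print(check_feed_line(SAMPLE_FW) or "OK", check_feed_line(SAMPLE_LOCAL_TZ))
```

Run check_feed_line over a few records captured on the Lumu VA; a non-empty result usually means the Timezone or Feed Output Type was changed from what this article specifies.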