Accenture MDR Quick Start Guide for Zscaler™ Cloud Web Security
This quick start guide helps Accenture MDR customers configure Zscaler Cloud Web Security (web and Cloud Firewall logs, sent through the Nanolog Streaming Service) and Zscaler Private Access (ZPA) to send logs to the Log Collection Platform (LCP).
This document includes the following topics:
Supported Versions
Port Requirements
Configuring Zscaler Cloud Web Security – Firewall and Web Security
Configuring ZPA
LCP Configuration Parameters
Supported Versions
A list of supported versions is available in the Accenture Security Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal.
Port Requirements
Table1-1: Port requirements for LCP communication.
Source | Destination | Port | Description |
Zscaler NSS VM (web and firewall feeds) | LCP | 601 (TCP) | Default port |
Note: If another technology already sends logs to the LCP on the same port and protocol, discuss this with the onboarding team.
Configuring Zscaler Cloud Web Security – Firewall and Web Security
1. Log in to the Zscaler Analytics Admin console at https://admin.zscaler.net.
2. At the top of the window, click Administration > Settings > Nanolog Streaming Service.
3. Click the NSS Feeds tab.
4. Click Add. The Add NSS Feed window appears.
Note: The field names are the same in both the Policy Admin and Analytics Admin consoles, apart from Transaction Filters, as described in the table below.
Configuring NSS Feeds
5. Enter the following information in the Add NSS Feed window.
Table 1-2: Configuring NSS Feeds fields
Field | Description |
Feed Name | Enter a feed name. A feed is the log-forwarding configuration: each feed is one connection between the NSS VM and the Log Collection Platform (LCP), which acts as the Security Information and Event Management (SIEM) endpoint. |
NSS Type | Choose NSS for Web or NSS for Firewall, as required. |
NSS Name | Select the NSS virtual machine (VM) that collects logs from the cloud. Only one NSS VM can be mapped to a feed. |
Status | Select Enabled. Note: The feed is not active until it is Enabled. |
SIEM IP | Enter the LCP IP address to which the NSS VM will send the logs. |
SIEM TCP Port | The recommended port number is 601, but any other TCP port can be used; the NSS VM sends the logs to the port specified here, which must match the port configured on the LCP (see Table 1-3). Note: NSS supports TCP only. |
Log Type | Select Web Log or Firewall Logs, matching the NSS Type selected above. The NSS Alerts log type is not supported. |
Feed Output Type | Select Custom. Note: The collector supports only the customized format. |
Feed Output Format | You must use the following feeds, as the collector supports only the customized format.
Web Log feed:
|ZSCALER|DATE|%s{mon} %d{dd} %02d{hh}:%02d{mm}:%02d{ss}|NSSFEEDIP|%s{nsssvcip}|CLIENTINTIP|%s{cintip}|RECORDID|%d{recordid}|LOGINNAME|%s{login}|PROTOCOL|%s{proto}|URL|%s{url}|HOST|%s{host}|ACTION|%s{action}|REASON|%s{reason}|RISKSCORE|%d{riskscore}|APPNAME|%s{appname}|APPCLASS|%s{appclass}|REQSIZE|%d{reqsize}|RESPSIZE|%d{respsize}|CTIME|%d{ctime}|URLCLASS|%s{urlclass}|SUPERCAT|%s{urlsupercat}|URLCAT|%s{urlcat}|MALWARECAT|%s{malwarecat}|MALWARECLASS|%s{malwareclass}|THREATNAME|%s{threatname}|FILETYPE|%s{filetype}|FILECLASS|%s{fileclass}|DLPENGINE|%s{dlpeng}|DLPDICT|%s{dlpdict}|BWTHROTTLE|%s{bwthrottle}|LOCATION|%s{location}|DEPARTMENT|%s{dept}|CLIENTIP|%s{cip}|DESTINATIONIP|%s{sip}|REQMETHOD|%s{reqmethod}|RESPCODE|%s{respcode}|USERAGENT|%s{ua}|REFERER|%s{referer}|MD5HASH|%s{bamd5}|DLPRULENAME|%s{dlprulename}|DLPMD5|%s{dlpmd5}|DLPIDENTIFIER|%d{dlpidentifier}|DLPDICTHITCOUNT|%s{dlpdicthitcount}|\n
Firewall feed (if a firewall feed subscription is available):
|ZSCALERFIREWALL|DATE|%s{mon} %d{dd} %02d{hh}:%02d{mm}:%02d{ss}|CLIENTIP|%s{csip}|RECORDID|%d{recordid}|LOGINNAME|%s{login}|PROTOCOL|%s{ipproto}|ACTION|%s{action}|DESTINATIONIP|%s{cdip}|SOURCEPORT|%d{csport}|DESTINATIONPORT|%d{cdport}|CLIENTTUNIP|%s{tsip}|CLIENTTUNPORT|%d{tsport}|LOCATION|%s{location}|DEPARTMENT|%s{dept}|DESTINATIONCOUNTRY|%s{destcountry}|INCOMINGBYTES|%ld{inbytes}|NETWORKAPP|%s{nwapp}|NETWORKSVC|%s{nwsvc}|RULELABEL|%s{rulelabel}|NATTING|%s{dnat}|SESSIONDURATION|%d{duration}|AGGREGATEDSESSION|%d{numsessions}|AVERAGEDURATION|%d{avgduration}|TUNNELTYPE|%s{ttype}|SERVERDESTPORT|%d{sdport}|SERVERSOURCEIP|%s{ssip}|SERVERSOURCEPORT|%d{ssport}|IPCAT|%s{ipcat}|\n
Note: The fields must stay in exactly the sequence shown above and the key names must not be changed, otherwise the collector may fail to parse the feed. These feeds carry the fields the collector needs from the web and firewall logs. |
User Obfuscation | Select Disabled so that login usernames appear in the output; Enabled replaces them with random values. Disabled is required for MDR. |
Time Zone | Select the appropriate time zone. The default is GMT. |
Duplicate Logs | The number of minutes of logs that the NSS resends after a lost connection to the LCP (an LCP outage, or a network issue between the NSS VM and the LCP). Choose the value to suit your environment. Example: the LCP goes offline at 6:29:00 p.m., the NSS detects the lost connection at 6:30:00 p.m., and the connection is restored at 6:40:00 p.m. With Duplicate Logs set to five minutes, the NSS resends logs from 6:25:00 p.m. onward once the connection is restored, i.e. five minutes of duplicates. With Duplicate Logs disabled, the NSS resends only from 6:30:01 p.m. onward, so the events between the outage and its detection (6:29:00 to 6:30:00 p.m. in the example) are not delivered. Set the value to at least the time the NSS needs to detect a lost connection. |
Transaction Filters | Parameters on which the NSS VM filters the logs it sends to the LCP. For the available filter sets, refer to the NSS guide. Configure the SECURITY filter for Web logs, and configure the SECURITY filter for Firewall logs. |
6. Do one of the following, as appropriate:
   If you are using the Policy Admin console, click Done.
   If you are using the Analytics Admin console, click Save.
   The Add NSS Feed window closes, you return to the previous window, and the added feed is listed under the Configure Feeds section.
7. Activate the change. Do one of the following, as appropriate:
   If you are using the Policy Admin console: in the right pane, under the Configure Feeds section, click Save. A message appears at the top of the screen: "activate changes to update all gateways: Activate Now". Click Activate Now. The result appears in a new window, for example "Activation completed successfully." Click Done.
   If you are using the Analytics Admin console: in the top right corner, click Activate. The result appears at the top of the window, for example "Activate Succeeded!".
Note: There is no configuration control over the logs coming from the Zscaler cloud to the NSS virtual machine. Hence, as long as connectivity between the NSS VM and the Zscaler cloud is working, the logs are automatically sent on to the LCP. For more information on connectivity, refer to the NSS Admin Guide.
Configuring ZPA:
Steps to configure the log receiver for ZPA:
1. Select User Activity as the Log Type.
2. Select CSV as the Log Template.
3. Enter the following log stream:
%s{LogTimestamp:time} User Activity zpa-lss: ,%s{Username},%d{ServicePort},%s{ClientPublicIP},%s{ClientCountryCode},%s{ConnectionStatus},%d{IPProtocol},%s{ClientZEN},%s{Policy},%s{Connector},%s{ConnectorZEN},%s{ConnectorIP},%s{Host},%s{ServerIP},%s{TimestampConnectionStart:iso8601},%d{ServerPort}\n
LCP Configuration Parameters
Table 1-3: Properties of the Zscaler Cloud Web Security event collector (3746 - Syslog) configured by MDR.
Property | Default Value | Description |
Protocol | TCP | Default protocol for syslog events. |
Hostnames / IP Address | Zscaler Interface IP Address | IP address of the logging device (the NSS VM for the web and firewall feeds), as given in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs from multiple interfaces, contact the Accenture Security MDR onboarding team. |
Signatures | |ZSCALER|,|ZSCALERFIREWALL|,zpa-lss: | MDR recommended signatures processed by the Zscaler Cloud Web Security event collector. |
Port | 601 | The default port for syslog. Note: If another technology already sends logs to the LCP on the same port and protocol, discuss this with the onboarding team. |
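The three feed formats configured in this guide are what a collector keyed on the signatures in Table 1-3 has to take apart, and the warning under Feed Output Format (keep the keys and their order exactly) is easier to trust once the parsing is visible. The following Python is an added example, not Accenture's collector code nor anything from Zscaler: it compiles each format string from this guide into an anchored regular expression, routes incoming lines by signature, and parses constructed sample records. The sample values, addresses, hostnames and rule names are made up, and nothing here describes how the LCP itself parses the feed.

```python
"""Parse and route the three Zscaler feed formats this guide configures (NSS web, NSS firewall, ZPA LSS)."""
import re

# Feed Output Format strings copied verbatim from Table 1-2 and the ZPA section above.
# Paste the format actually configured on the feed here: the parser derives its schema from it,
# so a renamed or reordered key shows up as a failed parse instead of silently shifted fields.
WEB_FORMAT = r"|ZSCALER|DATE|%s{mon} %d{dd} %02d{hh}:%02d{mm}:%02d{ss}|NSSFEEDIP|%s{nsssvcip}|CLIENTINTIP|%s{cintip}|RECORDID|%d{recordid}|LOGINNAME|%s{login}|PROTOCOL|%s{proto}|URL|%s{url}|HOST|%s{host}|ACTION|%s{action}|REASON|%s{reason}|RISKSCORE|%d{riskscore}|APPNAME|%s{appname}|APPCLASS|%s{appclass}|REQSIZE|%d{reqsize}|RESPSIZE|%d{respsize}|CTIME|%d{ctime}|URLCLASS|%s{urlclass}|SUPERCAT|%s{urlsupercat}|URLCAT|%s{urlcat}|MALWARECAT|%s{malwarecat}|MALWARECLASS|%s{malwareclass}|THREATNAME|%s{threatname}|FILETYPE|%s{filetype}|FILECLASS|%s{fileclass}|DLPENGINE|%s{dlpeng}|DLPDICT|%s{dlpdict}|BWTHROTTLE|%s{bwthrottle}|LOCATION|%s{location}|DEPARTMENT|%s{dept}|CLIENTIP|%s{cip}|DESTINATIONIP|%s{sip}|REQMETHOD|%s{reqmethod}|RESPCODE|%s{respcode}|USERAGENT|%s{ua}|REFERER|%s{referer}|MD5HASH|%s{bamd5}|DLPRULENAME|%s{dlprulename}|DLPMD5|%s{dlpmd5}|DLPIDENTIFIER|%d{dlpidentifier}|DLPDICTHITCOUNT|%s{dlpdicthitcount}|\n"
FW_FORMAT = r"|ZSCALERFIREWALL|DATE|%s{mon} %d{dd} %02d{hh}:%02d{mm}:%02d{ss}|CLIENTIP|%s{csip}|RECORDID|%d{recordid}|LOGINNAME|%s{login}|PROTOCOL|%s{ipproto}|ACTION|%s{action}|DESTINATIONIP|%s{cdip}|SOURCEPORT|%d{csport}|DESTINATIONPORT|%d{cdport}|CLIENTTUNIP|%s{tsip}|CLIENTTUNPORT|%d{tsport}|LOCATION|%s{location}|DEPARTMENT|%s{dept}|DESTINATIONCOUNTRY|%s{destcountry}|INCOMINGBYTES|%ld{inbytes}|NETWORKAPP|%s{nwapp}|NETWORKSVC|%s{nwsvc}|RULELABEL|%s{rulelabel}|NATTING|%s{dnat}|SESSIONDURATION|%d{duration}|AGGREGATEDSESSION|%d{numsessions}|AVERAGEDURATION|%d{avgduration}|TUNNELTYPE|%s{ttype}|SERVERDESTPORT|%d{sdport}|SERVERSOURCEIP|%s{ssip}|SERVERSOURCEPORT|%d{ssport}|IPCAT|%s{ipcat}|\n"
ZPA_FORMAT = r"%s{LogTimestamp:time} User Activity zpa-lss: ,%s{Username},%d{ServicePort},%s{ClientPublicIP},%s{ClientCountryCode},%s{ConnectionStatus},%d{IPProtocol},%s{ClientZEN},%s{Policy},%s{Connector},%s{ConnectorZEN},%s{ConnectorIP},%s{Host},%s{ServerIP},%s{TimestampConnectionStart:iso8601},%d{ServerPort}\n"

# Placeholder syntax used by the formats: %s{name}, %d{name}, %02d{name}, %ld{name}, %s{name:modifier}
PLACEHOLDER = re.compile(r"%(\d*)(l?)([sd])\{(\w+)(?::\w+)?\}")


def build_parser(fmt):
    """Compile a feed format into (anchored regex, set of integer-typed field names).

    Every literal between two placeholders ("|HOST|", " ", ":" or ",") becomes the anchor that
    terminates the preceding lazy capture, so a URL or user agent that itself contains the "|"
    delimiter still lands in the right field; a plain line.split("|") would misalign everything after it.
    """
    fmt = fmt.replace("\\n", "")  # the format's literal "\n" is the record terminator, not a field
    pattern, int_fields, pos = "^", set(), 0
    for m in PLACEHOLDER.finditer(fmt):
        pattern += re.escape(fmt[pos:m.start()])  # literal text preceding this placeholder
        conv, name = m.group(3), m.group(4)
        pattern += "(?P<%s>.*?)" % name
        if conv == "d":  # %d, %02d and %ld are all integers
            int_fields.add(name)
        pos = m.end()
    pattern += re.escape(fmt[pos:]) + "$"
    return re.compile(pattern), int_fields


def parse_record(line, parser):
    """Return a dict of fields for one record, or None if the line does not match the format."""
    regex, int_fields = parser
    m = regex.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    for name in int_fields:
        rec[name] = int(rec[name])
    return rec


# Signatures as listed in Table 1-3, each paired with the parser for that feed.
FEEDS = (
    ("|ZSCALER|", "web", build_parser(WEB_FORMAT)),
    ("|ZSCALERFIREWALL|", "firewall", build_parser(FW_FORMAT)),
    ("zpa-lss:", "zpa", build_parser(ZPA_FORMAT)),
)


def parse_line(line):
    """Route a raw syslog payload by signature; returns (feed name, record) or None when unrecognised."""
    for signature, feed, parser in FEEDS:
        if signature in line:
            rec = parse_record(line, parser)
            if rec is not None:
                return feed, rec
    return None


# Constructed sample records (not captured traffic), written in exactly the formats above.
SAMPLE_WEB = "|ZSCALER|DATE|Mar 14 09:15:02|NSSFEEDIP|10.10.1.5|CLIENTINTIP|192.168.10.23|RECORDID|123456789|LOGINNAME|alice@example.com|PROTOCOL|HTTPS|URL|evil.example.net/dl?x=a|b|HOST|evil.example.net|ACTION|Blocked|REASON|Malware|RISKSCORE|90|APPNAME|General Browsing|APPCLASS|General Browsing|REQSIZE|512|RESPSIZE|1024|CTIME|350|URLCLASS|Advanced Security|SUPERCAT|Advanced Security|URLCAT|Malicious Content|MALWARECAT|Malware|MALWARECLASS|Trojan|THREATNAME|EICAR-Test-File|FILETYPE|exe|FILECLASS|Executables|DLPENGINE|None|DLPDICT|None|BWTHROTTLE|NO|LOCATION|HQ|DEPARTMENT|Finance|CLIENTIP|203.0.113.9|DESTINATIONIP|198.51.100.7|REQMETHOD|GET|RESPCODE|403|USERAGENT|Mozilla/5.0|REFERER|None|MD5HASH|44d88612fea8a8f36de82e1278abb02f|DLPRULENAME|None|DLPMD5|None|DLPIDENTIFIER|0|DLPDICTHITCOUNT|None|"
SAMPLE_FW = "|ZSCALERFIREWALL|DATE|Mar 14 09:16:44|CLIENTIP|192.168.10.23|RECORDID|987654321|LOGINNAME|alice@example.com|PROTOCOL|TCP|ACTION|Drop|DESTINATIONIP|198.51.100.7|SOURCEPORT|51234|DESTINATIONPORT|4444|CLIENTTUNIP|203.0.113.9|CLIENTTUNPORT|51234|LOCATION|HQ|DEPARTMENT|Finance|DESTINATIONCOUNTRY|US|INCOMINGBYTES|0|NETWORKAPP|unknown|NETWORKSVC|unknown|RULELABEL|Block Outbound C2 Ports|NATTING|No|SESSIONDURATION|0|AGGREGATEDSESSION|1|AVERAGEDURATION|0|TUNNELTYPE|IPSEC|SERVERDESTPORT|4444|SERVERSOURCEIP|203.0.113.9|SERVERSOURCEPORT|51234|IPCAT|None|"
SAMPLE_ZPA = "2021-03-14T09:17:30Z User Activity zpa-lss: ,alice@example.com,443,203.0.113.9,US,Open,6,ZEN-1,Finance Apps,connector-01,ZEN-2,10.20.0.5,erp.corp.example,10.20.1.10,2021-03-14T09:17:29Z,443"

if __name__ == "__main__":
    for raw in (SAMPLE_WEB, SAMPLE_FW, SAMPLE_ZPA, "<14>unrelated syslog payload"):
        parsed = parse_line(raw)
        if parsed is None:
            print("unrecognised:", raw[:40])
        else:
            feed, rec = parsed
            print(feed, {k: rec[k] for k in ("login", "cip", "url", "rulelabel", "Username", "Host") if k in rec})
```

Run it directly to see each sample routed to its feed. The URL in the web sample deliberately contains a "|" so the difference from a naive split on the delimiter is visible, and renaming a key in a line (for example HOST to HOSTNAME) makes parse_line return None, which is the failure the note under Feed Output Format warns about.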
Legal Notice
Copyright © 2021 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.