In this article, you'll learn how to integrate Zscaler Web Proxy with SecurityCoach. Once you set up this integration, data provided by Zscaler will be available under the SecurityCoach tab of your KSAT console. This data can be viewed in SecurityCoach reports and used to create detection rules for real-time coaching campaigns. For general information about SecurityCoach, see our SecurityCoach Product Manual.
Copy Your Organization Key and API Key
Before you can set up this integration in your Zscaler console, you must authorize the configuration and copy your organization key from the SecurityCoach tab of your KSAT console. If you are using a Cloud Nanolog Streaming Service (NSS) Zscaler server for the integration, you will also need to copy your API key.
To locate and copy your organization key and API key, follow the steps below:
- Log in to your KSAT console and navigate to SecurityCoach > Setup > Security Vendor Integrations.
- Locate the Zscaler card and click Configure.
- From the Select Zscaler Server drop-down menu, select your server.
- Click Authorize.
- In the modal that opens, click OK.
- Copy and save your Organization Key. If you selected Zscaler Cloud NSS in step 3 above, also copy and save your API Gateway Key.
Note: These keys are needed to complete the process outlined in the Set Up the Integration in Your Zscaler Console section of this article.
Set Up the Integration in Your Zscaler Console
Once you have copied the needed keys from SecurityCoach, you can set up the Nanolog Streaming Service (NSS) or Cloud NSS integration in your Zscaler console. Click the links below to learn how to set up your specific integration.
- Set Up the Nanolog Streaming Service (NSS) Integration in Your Zscaler Console
- Set Up the Cloud Nanolog Streaming Service (NSS) Integration in Your Zscaler Console
Set Up the Nanolog Streaming Service (NSS) Integration in Your Zscaler Console
Once you have copied your organization key, you can set up the NSS integration in your Zscaler console by following the steps below:
- Log in to your Zscaler Admin Portal and navigate to Administration > Nanolog Streaming Service.
- Click the pencil icon to update the NSS feed.
- On the Edit NSS Feed page, edit the fields listed below.
- SIEM Destination Type: Select FQDN.
- SIEM FQDN: Enter the fully-qualified domain name (FQDN) for your KnowBe4 instance into the field. To find the FQDN for your KnowBe4 instance, see the table below:

| KnowBe4 Instance | FQDN |
| --- | --- |
| United States | syslog.training.knowbe4.com |
| European Union | syslog.eu.knowbe4.com |
| Canada | syslog.ca.knowbe4.com |
| United Kingdom | syslog.uk.knowbe4.com |
| Germany | syslog.de.knowbe4.com |

- SIEM TCP Port: Update the value in the field to "5000".
- Feed Output Type: Select Custom.
- Feed Output Format: Copy and paste the code block below into this field. Then, replace [x] with your organization key:

Note: When pasting the code block, ensure the text is one single line. Besides adding your organization key, do not make any other changes to the code block.

zscaler-nss CEF:0|Zscaler|NSS|4.1|NULL|NULL|NULL|org_key=[x]\tvendor_code_name=zscaler\tlog_type=web\tcat=%s{action}\tdevTime=%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} %s{tz}\tdevTimeFormat=MMM dd yyyy HH:mm:ssz\tsourceAddress=%s{cip}\tdst=%s{sip}\trealm=%s{location}\tusrName=%s{login}\tsrcBytes=%d{reqsize}\tpolicy=%s{reason}\trecordid=%d{recordid}\thostname=%s{ehost}\tappproto=%s{proto}\turlcategory=%s{urlcat}\tappclass=%s{appclass}\tappname=%s{appname}\tmalwareclass=%s{malwareclass}\tthreatname=%s{threatname}\tdlpdict=%s{dlpdict}\tdlpeng=%s{dlpeng}\tfiletype=%s{filetype}\turl=%s{eurl}\tdevicehostname=%s{devicehostname}\n

- User Obfuscation: Select Disabled.
- Timezone: Select GMT from the drop-down menu.
- Duplicate Logs: Select Disabled from the drop-down menu.
- Policy Action: Select Blocked from the drop-down menu.
- Policy Reason: Select Any from the drop-down menu.
- Click Save.
- Follow the steps below to find the public IP address for your NSS VM:
- Log in to your NSS VM.
- Run the following command:
[zsroot@NSS ~]$ curl ipinfo.io/ip
- Copy the IP address that is found.
- Submit a support ticket that includes your NSS VM IP address. A member of our support team will whitelist your IP address and ensure that Zscaler has been successfully integrated.
Important: If your NSS VM IP address ever changes, reach out to support again so they can whitelist your new IP address.
Once you’ve successfully set up this integration, you can manage your detection rules for Zscaler on the Detection Rules subtab of SecurityCoach.
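The following check is an added example, not part of the original article and not KnowBe4 or Zscaler code. It parses one line as the custom Feed Output Format above would render it and reports whether the field set still matches the template, whether the [x] placeholder was replaced, and whether any format specifier was left unrendered. The function names and sample values are constructed for illustration, and it assumes NSS emits `\t` as a tab and `\n` as a newline.

```python
import re

# Header and field order copied from the Feed Output Format in this article.
HEADER = "zscaler-nss CEF:0|Zscaler|NSS|4.1|NULL|NULL|NULL|"
EXPECTED_KEYS = ("org_key vendor_code_name log_type cat devTime devTimeFormat sourceAddress dst "
                 "realm usrName srcBytes policy recordid hostname appproto urlcategory appclass "
                 "appname malwareclass threatname dlpdict dlpeng filetype url devicehostname").split()
UNRENDERED = re.compile(r"%\d*[sd]\{\w+\}")  # e.g. %s{cip} or %02d{dd} left in a value

# Constructed sample values (not real traffic), one per key above.
SAMPLE_VALUES = ["EXAMPLE-ORG-KEY", "zscaler", "web", "Blocked", "Jan 05 2024 13:04:09 GMT",
                 "MMM dd yyyy HH:mm:ssz", "192.0.2.10", "198.51.100.7", "HQ", "user@example.com",
                 "512", "Category blocked", "1", "blocked.example", "HTTPS", "Gambling",
                 "General Browsing", "General Browsing", "None", "None", "None", "None", "None",
                 "blocked.example/?a=b", "LAPTOP-01"]
SAMPLE = HEADER + "\t".join(f"{k}={v}" for k, v in zip(EXPECTED_KEYS, SAMPLE_VALUES)) + "\n"


def parse_record(line):
    """Split one rendered feed line into a dict of key -> value (insertion-ordered)."""
    if not line.startswith(HEADER):
        raise ValueError("line does not start with the expected CEF header")
    fields = {}
    for pair in line[len(HEADER):].rstrip("\n").split("\t"):
        key, sep, value = pair.partition("=")  # first '=' only: URLs may contain '='
        if not sep:
            raise ValueError(f"field without '=': {pair!r}")
        fields[key] = value
    return fields


def check_record(line):
    """Return a list of problems; an empty list means the line matches the template."""
    fields = parse_record(line)
    problems = []
    if list(fields) != EXPECTED_KEYS:
        missing = [k for k in EXPECTED_KEYS if k not in fields]
        extra = [k for k in fields if k not in EXPECTED_KEYS]
        problems.append(f"fields differ: missing={missing} extra={extra}")
    if fields.get("org_key") in ("", "[x]"):
        problems.append("org_key placeholder was not replaced")
    problems += [f"{k} still contains a format specifier"
                 for k, v in fields.items() if UNRENDERED.search(v)]
    return problems


def redact(line):
    """Mask the organization key before a sample line is shared."""
    return re.sub(r"(org_key=)[^\t\n]*", r"\1<redacted>", line)
```

Running `check_record` on a line captured from a test listener shows whether the pasted template was altered beyond the organization key; `redact` masks the key before a sample line is attached to a ticket.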
Set Up the Cloud Nanolog Streaming Service (NSS) Integration in Your Zscaler Console
Once you have copied your organization key and API key, you can set up the Cloud NSS integration in your Zscaler console by following the steps below:
- Log in to your Zscaler Admin Portal and navigate to Administration > Nanolog Streaming Service.
- Click the pencil icon to update the Cloud NSS feed.
- On the Edit Cloud NSS Feed page, edit the fields listed below.
- SIEM Type: Select Other.
- API URL: Enter the URL for your KnowBe4 instance into the field. To find the URL for your KnowBe4 instance, see the table below:

| KnowBe4 Instance | URL |
| --- | --- |
| United States | https://syslog-webhook.training.knowbe4.com/v1/syslog |
| European Union | https://syslog-webhook.eu.knowbe4.com/v1/syslog |
| Canada | https://syslog-webhook.ca.knowbe4.com/v1/syslog |
| United Kingdom | https://syslog-webhook.uk.knowbe4.com/v1/syslog |
| Germany | https://syslog-webhook.de.knowbe4.com/v1/syslog |

- Key1: Enter "x-api-key" into the field.
- Value1: Enter your API key into the field.
- Feed Output Type: Select JSON.
- Feed Output Format: Copy and paste the code block below into this field. Then, replace [x] with your organization key:

Note: When pasting the code block, ensure the text is one single line. Besides adding your organization key, do not make any other changes to the code block.

\{"sourcetype": "zscalernss-web","org_key":"[x]","vendor_code_name":"zscaler","log_type":"web","cat":"%s{action}","devTime":"%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} %s{tz}","devTimeFormat":"MMM dd yyyy HH:mm:ssz","policy":"%s{reason}","recordid":"%d{recordid}","malwareclass":"%s{malwareclass}","urlcategory":"%s{urlcat}","realm":"%s{location}","sourceAddress":"%s{cip}","srcBytes":"%d{reqsize}","usrName":"%s{login}","url":"%s{eurl}","hostname":"%s{ehost}","appproto":"%s{proto}","threatname":"%s{threatname}","filetype":"%s{filetype}","appclass":"%s{appclass}","appname":"%s{appname}","dlpeng":"%s{dlpeng}","dlpdict":"%s{dlpdict}","devicehostname":"%s{devicehostname}"\}

- Timezone: Select GMT from the drop-down menu.
- Policy Action: Select Blocked from the drop-down menu.
- Policy Reason: Select Any from the drop-down menu.
- Click Save.
Map Your Users
After you’ve finished integrating Zscaler, you can map your users either through mapping rules (recommended) or through a CSV file upload. For more information about user mapping, see our Mapping Users in SecurityCoach article.
Once you’ve successfully set up this integration, you can manage detection rules for Zscaler on the Detection Rules subtab of SecurityCoach. For a full list of available system detection rules for this vendor, see our Which Detection Rules Can I Use with My Vendors? article.
Delete the Integration in Your Zscaler Console
If you want to delete your Zscaler integration with SecurityCoach, you can delete it in your Zscaler console. For more information on how to delete your Zscaler integration, see the sections below.
Delete the Nanolog Streaming Service (NSS) Integration in Your Zscaler Console
To delete the NSS integration in your Zscaler console, follow the steps below:
- Log in to your Zscaler Admin Portal and navigate to Administration > Nanolog Streaming Service.
- Select NSS Feeds.
- Locate the fully-qualified domain name (FQDN) you want to remove. To find the FQDN for your KnowBe4 instance, see the table below:

| KnowBe4 Instance | FQDN |
| --- | --- |
| United States | syslog.training.knowbe4.com |
| European Union | syslog.eu.knowbe4.com |
| Canada | syslog.ca.knowbe4.com |
| United Kingdom | syslog.uk.knowbe4.com |
| Germany | syslog.de.knowbe4.com |

- Select the pencil icon.
- Click Delete, then click Confirm.
Delete the Cloud Nanolog Streaming Service (NSS) Integration in Your Zscaler Console
To delete the Cloud NSS integration in your Zscaler console, follow the steps below:
- Log in to your Zscaler Admin Portal and navigate to Administration > Nanolog Streaming Service.
- Select Cloud NSS Feeds.
- Locate the fully-qualified domain name (FQDN) you want to remove. To find the FQDN for your KnowBe4 instance, see the table below:

| KnowBe4 Instance | FQDN |
| --- | --- |
| United States | syslog.training.knowbe4.com |
| European Union | syslog.eu.knowbe4.com |
| Canada | syslog.ca.knowbe4.com |
| United Kingdom | syslog.uk.knowbe4.com |
| Germany | syslog.de.knowbe4.com |

- Select the pencil icon.
- Click Delete, then click Confirm.











