Integrating Zscaler with SecurityCoach
In this article, you will learn how to integrate Zscaler Web Proxy with SecurityCoach. Once you set up this integration, data provided by Zscaler will be available under the SecurityCoach tab of your KMSAT console. This data can be viewed in SecurityCoach reports and used to create detection rules for real-time coaching campaigns. For general information about SecurityCoach, see our SecurityCoach Product Manual.
Click the links below to learn how to integrate Zscaler with SecurityCoach.
Jump to:
- Copy Your Organization Key and API Key
- Set Up the Integration in Your Zscaler Console
  - Set Up the NSS Integration in Your Zscaler Console
  - Set Up the Cloud NSS Integration in Your Zscaler Console
Copy Your Organization Key and API Key
Before you can set up this integration in your Zscaler console, you must authorize the configuration and copy your organization key from the SecurityCoach tab of your KMSAT console. If you are using a Cloud Nanolog Streaming Service (NSS) Zscaler server for the integration, you will also need to copy your API key.
To locate and copy your organization key and API key, follow the steps below:
- Log in to your KMSAT console and navigate to SecurityCoach > Setup > Security Vendor Integrations.
- Locate the Zscaler card and click Configure.
- From the Select Zscaler Server drop-down menu, select your server.
- Click Authorize.
- In the modal that opens, click OK.
- Copy and save your Organization Key. If you selected Zscaler Cloud NSS in step 3 above, also copy and save your API Gateway Key.
Note: These keys are needed to complete the process outlined in the Set Up the Integration in Your Zscaler Console section of this article.
Set Up the Integration in Your Zscaler Console
Once you have copied the needed keys from SecurityCoach, you can set up the NSS or Cloud NSS integration in your Zscaler console. Click the links below to learn how to set up your specific integration.
Note: NSS does not support Transport Layer Security (TLS). This means that the NSS integration sends events, including the user names, device hostnames and URLs contained in the feed format below, in plain text over TCP. Cloud NSS, by contrast, posts events to an HTTPS endpoint that supports TLS.
- Set Up the NSS Integration in Your Zscaler Console
- Set Up the Cloud NSS Integration in Your Zscaler Console
Set Up the Nanolog Streaming Service (NSS) Integration in Your Zscaler Console
Once you have copied your organization key, you can set up the NSS integration in your Zscaler console by following the steps below:
- Log in to your Zscaler Admin Portal and navigate to Administration > Nanolog Streaming Service.
- Click the pencil icon to update the NSS feed.
- On the Edit NSS Feed page, edit the fields listed below.
- SIEM Destination Type: Select FQDN.
- SIEM FQDN: Enter the fully-qualified domain name (FQDN) for your KnowBe4 instance into the field. To find the FQDN for your KnowBe4 instance, see the table below:
KnowBe4 Instance    FQDN
United States       syslog.training.knowbe4.com
European Union      syslog.eu.knowbe4.com
Canada              syslog.ca.knowbe4.com
United Kingdom      syslog.uk.knowbe4.com
Germany             syslog.de.knowbe4.com
- SIEM TCP Port: Update the value in the field to "5000".
- Feed Output Type: Select Custom.
- Feed Output Format: Copy and paste the code block below into this field. Then, replace [x] with your organization key:
Note: When pasting the code block, ensure the text is one single line. Besides adding your organization key, do not make any other changes to the code block.
zscaler-nss CEF:0|Zscaler|NSS|4.1|NULL|NULL|NULL|org_key=[x]\tvendor_code_name=zscaler\tlog_type=web\tcat=%s{action}\tdevTime=%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} %s{tz}\tdevTimeFormat=MMM dd yyyy HH:mm:ssz\tsourceAddress=%s{cip}\tdst=%s{sip}\trealm=%s{location}\tusrName=%s{login}\tsrcBytes=%d{reqsize}\tpolicy=%s{reason}\trecordid=%d{recordid}\thostname=%s{ehost}\tappproto=%s{proto}\turlcategory=%s{urlcat}\tappclass=%s{appclass}\tappname=%s{appname}\tmalwareclass=%s{malwareclass}\tthreatname=%s{threatname}\tdlpdict=%s{dlpdict}\tdlpeng=%s{dlpeng}\tfiletype=%s{filetype}\turl=%s{eurl}\tdevicehostname=%s{devicehostname}\n
- User Obfuscation: Select Disabled.
- Timezone: Select GMT from the drop-down menu.
- Duplicate Logs: Select Disabled from the drop-down menu.
- Policy Action: Select Blocked from the drop-down menu.
- Policy Reason: Select Any from the drop-down menu.
- Click Save.
- Follow the steps below to find the public IP address for your NSS VM:
- Log in to your NSS VM.
- Run the following command:
[zsroot@NSS ~]$ curl ipinfo.io/ip
- Copy the IP address that is found.
- Submit a support ticket that includes your NSS VM IP Address. A member of our support team will whitelist your IP address and ensure that Zscaler has been successfully integrated.
Note: If your NSS VM IP address ever changes, reach out to support again so they can whitelist your new IP address.
Once you’ve successfully set up this integration, you can manage your detection rules for Zscaler on the Detection Rules subtab of SecurityCoach.
Set Up the Cloud Nanolog Streaming Service (NSS) Integration in Your Zscaler Console
Once you have copied your organization key and API key, you can set up the Cloud NSS integration in your Zscaler console by following the steps below:
- Log in to your Zscaler Admin Portal and navigate to Administration > Nanolog Streaming Service.
- Click the pencil icon to update the Cloud NSS feed.
- On the Edit Cloud NSS Feed page, edit the fields listed below.
- SIEM Type: Select Other.
- API URL: Enter the URL for your KnowBe4 instance into the field. To find the URL for your KnowBe4 instance, see the table below:
KnowBe4 Instance    URL
United States       https://syslog-webhook.training.knowbe4.com/v1/syslog
European Union      https://syslog-webhook.eu.knowbe4.com/v1/syslog
Canada              https://syslog-webhook.ca.knowbe4.com/v1/syslog
United Kingdom      https://syslog-webhook.uk.knowbe4.com/v1/syslog
Germany             https://syslog-webhook.de.knowbe4.com/v1/syslog
- Key1: Enter "x-api-key" into the field.
- Value1: Enter your API key into the field.
- Feed Output Type: Select JSON.
- Feed Output Format: Copy and paste the code block below into this field. Then, replace [x] with your organization key:
Note: When pasting the code block, ensure the text is one single line. Besides adding your organization key, do not make any other changes to the code block.
\{"sourcetype": "zscalernss-web","org_key":"[x]","vendor_code_name":"zscaler","log_type":"web","cat":"%s{action}","devTime":"%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} %s{tz}","devTimeFormat":"MMM dd yyyy HH:mm:ssz","policy":"%s{reason}","recordid":"%d{recordid}","malwareclass":"%s{malwareclass}","urlcategory":"%s{urlcat}","realm":"%s{location}","sourceAddress":"%s{cip}","srcBytes":"%d{reqsize}","usrName":"%s{login}","url":"%s{eurl}","hostname":"%s{ehost}","appproto":"%s{proto}","threatname":"%s{threatname}","filetype":"%s{filetype}","appclass":"%s{appclass}","appname":"%s{appname}","dlpeng":"%s{dlpeng}","dlpdict":"%s{dlpdict}","devicehostname":"%s{devicehostname}"\}
- Timezone: Select GMT from the drop-down menu.
- Policy Action: Select Blocked from the drop-down menu.
- Policy Reason: Select Any from the drop-down menu.
- Click Save.
Once you’ve successfully set up this integration, you can manage detection rules for Zscaler on the Detection Rules subtab of SecurityCoach. For a full list of available system detection rules for this vendor, see our Which Detection Rules Can I Use with My Vendors? article.
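The following is an added example, not code from KnowBe4 or Zscaler, that shows what the two feed templates above (the NSS CEF format and the Cloud NSS JSON format) actually emit and how a receiver can sanity-check an event before trusting it: both parsers validate the fields the templates share, confirm devTimeFormat was not altered, and reject a devTime that is not in GMT as the steps require. The sample events, the ORG_KEY_PLACEHOLDER value and all function names are constructed assumptions.

```python
import json
from datetime import datetime, timezone

CEF_HEADER = "zscaler-nss CEF:0|Zscaler|NSS|4.1|NULL|NULL|NULL|"
DEV_TIME_FORMAT = "MMM dd yyyy HH:mm:ssz"  # declared in both feed templates

def parse_dev_time(value):
    """devTime as the template renders it, e.g. 'Jan 05 2024 13:07:09 GMT'."""
    stamp, tz = value.rsplit(" ", 1)
    if tz != "GMT":  # the setup steps select GMT; anything else is a misconfigured feed
        raise ValueError(f"unexpected timezone {tz!r}")
    return datetime.strptime(stamp, "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)

def normalize(fields):
    """Validate the fields both templates share and return one flat record."""
    missing = [k for k in ("org_key", "cat", "devTime", "usrName", "urlcategory", "url")
               if k not in fields]
    if missing:
        raise ValueError(f"feed template is missing fields: {missing}")
    if fields.get("devTimeFormat") != DEV_TIME_FORMAT:
        raise ValueError("devTimeFormat was altered in the feed template")
    return {"org_key": fields["org_key"], "action": fields["cat"],
            "time": parse_dev_time(fields["devTime"]), "user": fields["usrName"],
            "url_category": fields["urlcategory"], "url": fields["url"],
            "threat": fields.get("threatname")}

def parse_nss_cef(line):
    """NSS feed: CEF header, then tab-separated key=value pairs (\\t in the template)."""
    if not line.startswith(CEF_HEADER):
        raise ValueError("not a SecurityCoach NSS CEF line")
    pairs = line[len(CEF_HEADER):].rstrip("\n").split("\t")
    return normalize(dict(p.split("=", 1) for p in pairs))  # maxsplit keeps '=' inside URLs

def parse_cloud_nss_json(body):
    """Cloud NSS feed: one JSON object per event (\\{ ... \\} in the template)."""
    fields = json.loads(body)
    if fields.get("sourcetype") != "zscalernss-web":
        raise ValueError("unexpected sourcetype")
    return normalize(fields)

# Constructed samples shaped like the two templates; the org key is a placeholder.
CEF_SAMPLE = (CEF_HEADER + "org_key=ORG_KEY_PLACEHOLDER\tvendor_code_name=zscaler\tlog_type=web\t"
              "cat=Blocked\tdevTime=Jan 05 2024 13:07:09 GMT\tdevTimeFormat=MMM dd yyyy HH:mm:ssz\t"
              "sourceAddress=10.1.2.3\tusrName=jdoe@example.com\tpolicy=Malicious Content\t"
              "urlcategory=Malware\tthreatname=None\turl=bad.example/x?a=b\tdevicehostname=LAPTOP01\n")
JSON_SAMPLE = json.dumps({"sourcetype": "zscalernss-web", "org_key": "ORG_KEY_PLACEHOLDER",
                          "cat": "Blocked", "devTime": "Jan 05 2024 13:07:09 GMT",
                          "devTimeFormat": "MMM dd yyyy HH:mm:ssz", "usrName": "jdoe@example.com",
                          "urlcategory": "Malware", "url": "bad.example/x?a=b", "threatname": "None"})
```

Both samples normalize to the same record, which is the property to check when you switch an integration from NSS to Cloud NSS and want detection rules to keep matching.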