Zscaler Integration Guide for SecurityCoach

In this article, you'll learn how to integrate Zscaler Web Proxy with SecurityCoach. Once you set up this integration, data provided by Zscaler will be available under the SecurityCoach tab of your KMSAT console. This data can be viewed in SecurityCoach reports and used to create detection rules for real-time coaching campaigns. For general information about SecurityCoach, see our SecurityCoach Product Manual.

Important: To configure the Zscaler integration, you will need access to a Zscaler admin account.

Copy Your Organization Key and API Key

Before you can set up this integration in your Zscaler console, you must authorize the configuration and copy your organization key from the SecurityCoach tab of your KMSAT console. If you are using a Cloud Nanolog Streaming Service (NSS) Zscaler server for the integration, you will also need to copy your API key.

To locate and copy your organization key and API key, follow the steps below:

  1. Log in to your KMSAT console and navigate to SecurityCoach > Setup > Security Vendor Integrations.
  2. Locate the Zscaler card and click Configure.
  3. From the Select Zscaler Server drop-down menu, select your server.
  4. Click Authorize.
  5. In the modal that opens, click OK.
  6. Copy and save your Organization Key. If you selected Zscaler Cloud NSS in step 3 above, also copy and save your API Gateway Key.
    Note: These keys are needed to complete the process outlined in the Set Up the Integration in Your Zscaler Console section of this article.

Set Up the Integration in Your Zscaler Console

Once you have copied the needed keys from SecurityCoach, you can set up the NSS or Cloud NSS integration in your Zscaler console. Click the links below to learn how to set up your specific integration.

Note: NSS does not support Transport Layer Security (TLS). This means that the NSS integration will send events in plain text. However, Cloud NSS does offer an HTTPS endpoint that supports TLS.

Set Up the NSS Integration in Your Zscaler Console
Set Up the Cloud NSS Integration in Your Zscaler Console

Set Up the Nanolog Streaming Service (NSS) Integration in Your Zscaler Console

Once you have copied your organization key, you can set up the NSS integration in your Zscaler console by following the steps below:

  1. Log in to your Zscaler Admin Portal and navigate to Administration > Nanolog Streaming Service.
  2. Click the pencil icon to update the NSS feed.
  3. On the Edit NSS Feed page, edit the fields listed below.
    1. SIEM Destination Type: Select FQDN.
    2. SIEM FQDN: Enter the fully-qualified domain name (FQDN) for your KnowBe4 instance into the field. To find the FQDN for your KnowBe4 instance, see the table below:
      KnowBe4 Instance    FQDN
      United States       syslog.training.knowbe4.com
      European Union      syslog.eu.knowbe4.com
      Canada              syslog.ca.knowbe4.com
      United Kingdom      syslog.uk.knowbe4.com
      Germany             syslog.de.knowbe4.com
    3. SIEM TCP Port: Update the value in the field to "5000".
    4. Feed Output Type: Select Custom.
    5. Feed Output Format: Copy and paste the code block below into this field. Then, replace [x] with your organization key:
      Note: When pasting the code block, ensure the text is one single line. Besides adding your organization key, do not make any other changes to the code block.
      zscaler-nss CEF:0|Zscaler|NSS|4.1|NULL|NULL|NULL|org_key=[x]\tvendor_code_name=zscaler\tlog_type=web\tcat=%s{action}\tdevTime=%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} %s{tz}\tdevTimeFormat=MMM dd yyyy HH:mm:ssz\tsourceAddress=%s{cip}\tdst=%s{sip}\trealm=%s{location}\tusrName=%s{login}\tsrcBytes=%d{reqsize}\tpolicy=%s{reason}\trecordid=%d{recordid}\thostname=%s{ehost}\tappproto=%s{proto}\turlcategory=%s{urlcat}\tappclass=%s{appclass}\tappname=%s{appname}\tmalwareclass=%s{malwareclass}\tthreatname=%s{threatname}\tdlpdict=%s{dlpdict}\tdlpeng=%s{dlpeng}\tfiletype=%s{filetype}\turl=%s{eurl}\tdevicehostname=%s{devicehostname}\n
    6. User Obfuscation: Select Disabled.
    7. Timezone: Select GMT from the drop-down menu.
    8. Duplicate Logs: Select Disabled from the drop-down menu.
    9. Policy Action: Select Blocked from the drop-down menu.
    10. Policy Reason: Select Any from the drop-down menu.
  4. Click Save.
  5. Follow the steps below to find the public IP address for your NSS VM:
    1. Log in to your NSS VM.
    2. Run the following command:
      [zsroot@NSS ~]$ curl ipinfo.io/ip
    3. Copy the IP address that is found.
  6. Submit a support ticket that includes your NSS VM IP Address. A member of our support team will whitelist your IP address and ensure that Zscaler has been successfully integrated.
    Important: If your NSS VM IP address ever changes, reach out to support again so they can whitelist your new IP address.

Once you’ve successfully set up this integration, you can manage your detection rules for Zscaler on the Detection Rules subtab of SecurityCoach.

Set Up the Cloud Nanolog Streaming Service (NSS) Integration in Your Zscaler Console

Once you have copied your organization key and API key, you can set up the Cloud NSS integration in your Zscaler console by following the steps below:

  1. Log in to your Zscaler Admin Portal and navigate to Administration > Nanolog Streaming Service.
  2. Click the pencil icon to update the Cloud NSS feed.
  3. On the Edit Cloud NSS Feed page, edit the fields listed below.
    1. SIEM Type: Select Other.
    2. API URL: Enter the URL for your KnowBe4 instance into the field. To find the URL for your KnowBe4 instance, see the table below:
      KnowBe4 Instance    URL
      United States       https://syslog-webhook.training.knowbe4.com/v1/syslog
      European Union      https://syslog-webhook.eu.knowbe4.com/v1/syslog
      Canada              https://syslog-webhook.ca.knowbe4.com/v1/syslog
      United Kingdom      https://syslog-webhook.uk.knowbe4.com/v1/syslog
      Germany             https://syslog-webhook.de.knowbe4.com/v1/syslog
    3. Key1: Enter "x-api-key" into the field.
    4. Value1: Enter your API key into the field.
    5. Feed Output Type: Select JSON.
    6. Feed Output Format: Copy and paste the code block below into this field. Then, replace [x] with your organization key:
      Note: When pasting the code block, ensure the text is one single line. Besides adding your organization key, do not make any other changes to the code block.
      \{"sourcetype": "zscalernss-web","org_key":"[x]","vendor_code_name":"zscaler","log_type":"web","cat":"%s{action}","devTime":"%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} %s{tz}","devTimeFormat":"MMM dd yyyy HH:mm:ssz","policy":"%s{reason}","recordid":"%d{recordid}","malwareclass":"%s{malwareclass}","urlcategory":"%s{urlcat}","realm":"%s{location}","sourceAddress":"%s{cip}","srcBytes":"%d{reqsize}","usrName":"%s{login}","url":"%s{eurl}","hostname":"%s{ehost}","appproto":"%s{proto}","threatname":"%s{threatname}","filetype":"%s{filetype}","appclass":"%s{appclass}","appname":"%s{appname}","dlpeng":"%s{dlpeng}","dlpdict":"%s{dlpdict}","devicehostname":"%s{devicehostname}"\}
    7. Timezone: Select GMT from the drop-down menu.
    8. Policy Action: Select Blocked from the drop-down menu.
    9. Policy Reason: Select Any from the drop-down menu.
  4. Click Save.
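As an added check that is not part of the original article, the Python below takes the NSS Feed Output Format from the steps above, renders it with constructed sample values the way Zscaler would fill it for one blocked request, parses the resulting event back into fields, and flags the two paste mistakes the notes warn about (a real line break in the template, or [x] left unreplaced). The placeholder expansion (%s as text, %02d as a zero-padded number) is an assumption about how Zscaler fills the template, and the sample field values and org key are made up; the same %s{field}/%d{field} syntax appears in the Cloud NSS JSON format, so render applies to that template as well.

```python
import re
# Feed Output Format from this page's NSS section, kept as the literal text you paste into
# Zscaler: "\t" and "\n" are two-character escapes, and [x] is the org-key placeholder.
NSS_TEMPLATE = (
    r"zscaler-nss CEF:0|Zscaler|NSS|4.1|NULL|NULL|NULL|org_key=[x]\tvendor_code_name=zscaler"
    r"\tlog_type=web\tcat=%s{action}\tdevTime=%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} %s{tz}"
    r"\tdevTimeFormat=MMM dd yyyy HH:mm:ssz\tsourceAddress=%s{cip}\tdst=%s{sip}\trealm=%s{location}"
    r"\tusrName=%s{login}\tsrcBytes=%d{reqsize}\tpolicy=%s{reason}\trecordid=%d{recordid}"
    r"\thostname=%s{ehost}\tappproto=%s{proto}\turlcategory=%s{urlcat}\tappclass=%s{appclass}"
    r"\tappname=%s{appname}\tmalwareclass=%s{malwareclass}\tthreatname=%s{threatname}"
    r"\tdlpdict=%s{dlpdict}\tdlpeng=%s{dlpeng}\tfiletype=%s{filetype}\turl=%s{eurl}"
    r"\tdevicehostname=%s{devicehostname}\n"
)

# Constructed sample values for one blocked request (not real traffic or a real org key).
SAMPLE_FIELDS = {
    "action": "Blocked", "mon": "Mar", "dd": 7, "yy": 2024, "hh": 9, "mm": 5, "ss": 3,
    "tz": "GMT", "cip": "10.0.0.5", "sip": "203.0.113.10", "location": "HQ",
    "login": "jdoe@example.com", "reqsize": 512, "reason": "Malware", "recordid": 4242,
    "ehost": "bad.example.net", "proto": "HTTPS", "urlcat": "Malware Sites",
    "appclass": "General Browsing", "appname": "Browser", "malwareclass": "Trojan",
    "threatname": "EXAMPLE.Trojan", "dlpdict": "None", "dlpeng": "None", "filetype": "exe",
    "eurl": "bad.example.net/dl?id=1&x=y", "devicehostname": "LAPTOP-01",
}

PLACEHOLDER = re.compile(r"%(0?\d*)([sd])\{(\w+)\}")  # %s{name}, %d{name}, %02d{name}

def check_template(template):
    """Flag the two paste mistakes the article warns about: a real line break, and [x] left in."""
    problems = []
    if "\n" in template.rstrip("\n"):       # a real newline, not the literal \n at the end
        problems.append("template must be a single line")
    if "org_key=[x]" in template:
        problems.append("org_key placeholder [x] not replaced")
    return problems

def render(template, fields):
    """Expand placeholders (assumed: %s -> text, %0Nd -> zero-padded integer) and decode \\t, \\n."""
    def sub(m):
        width, kind, name = m.groups()
        return format(int(fields[name]), width + "d") if kind == "d" else str(fields[name])
    return PLACEHOLDER.sub(sub, template).replace(r"\t", "\t").replace(r"\n", "\n")

def parse_event(line):
    """Split a rendered line into its CEF header and the tab-separated key=value extension.
    Values are split on the first '=' only, so URLs with query strings survive intact."""
    prefix, vendor, product, version, _sig, _name, _sev, ext = line.rstrip("\n").split("|", 7)
    fields = dict(pair.split("=", 1) for pair in ext.split("\t") if "=" in pair)
    return {"prefix": prefix, "vendor": vendor, "product": product, "version": version, **fields}
```

Running check_template on the text before you paste it, and parse_event on a line captured on the receiving side, confirms the feed carries your org_key and the fields SecurityCoach expects before you open the support ticket.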

Map Your Users

After you’ve finished integrating Zscaler, you can map your users either through mapping rules (recommended) or through a CSV file upload. For more information about user mapping, see our Mapping Users in SecurityCoach article.

Once you’ve successfully set up this integration, you can manage detection rules for Zscaler on the Detection Rules subtab of SecurityCoach. For a full list of available system detection rules for this vendor, see our Which Detection Rules Can I Use with My Vendors? article.

Delete the Integration in Your Zscaler Console

If you want to delete your Zscaler integration with SecurityCoach, you can delete it in your Zscaler console. For more information on how to delete your Zscaler integration, see the sections below.

Delete the Nanolog Streaming Service (NSS) Integration in Your Zscaler Console

To delete the NSS integration in your Zscaler console, follow the steps below:

  1. Log in to your Zscaler Admin Portal and navigate to Administration > Nanolog Streaming Service.
  2. Select NSS Feeds.
  3. Locate the fully-qualified domain name (FQDN) you want to remove. To find the FQDN for your KnowBe4 instance, see the table below:
    KnowBe4 Instance    FQDN
    United States       syslog.training.knowbe4.com
    European Union      syslog.eu.knowbe4.com
    Canada              syslog.ca.knowbe4.com
    United Kingdom      syslog.uk.knowbe4.com
    Germany             syslog.de.knowbe4.com
  4. Select the pencil icon.
  5. Click Delete, then click Confirm.

Delete the Cloud Nanolog Streaming Service (NSS) Integration in Your Zscaler Console

To delete the Cloud NSS integration in your Zscaler console, follow the steps below:

  1. Log in to your Zscaler Admin Portal and navigate to Administration > Nanolog Streaming Service.
  2. Select Cloud NSS Feeds.
  3. Locate the fully-qualified domain name (FQDN) you want to remove. To find the FQDN for your KnowBe4 instance, see the table below:
    KnowBe4 Instance    FQDN
    United States       syslog.training.knowbe4.com
    European Union      syslog.eu.knowbe4.com
    Canada              syslog.ca.knowbe4.com
    United Kingdom      syslog.uk.knowbe4.com
    Germany             syslog.de.knowbe4.com
  4. Select the pencil icon.
  5. Click Delete, then click Confirm.