Ingest Logs from Zscaler Cloud Firewall

Extend Cortex XDR visibility into logs from Zscaler Cloud Firewall.
Ingesting logs and data requires a Cortex XDR Pro per TB license.

If you use Zscaler Cloud Firewall in your network, you can forward your firewall and network logs to Cortex XDR for analysis. This enables you to take advantage of Cortex XDR anomalous behavior detection and investigation capabilities. Cortex XDR can use the firewall and network logs from Zscaler Cloud Firewall as the sole data source, and can also use them in conjunction with Palo Alto Networks firewall and network logs. For additional endpoint context, you can also use Cortex XDR to collect and alert on endpoint data.

As soon as Cortex XDR starts to receive logs, the app performs these actions:
- Begins stitching network connection and firewall logs with other logs to form network stories. Cortex XDR can also analyze your logs to raise Analytics alerts and can apply IOC, BIOC, and Correlation Rule matching. You can also use queries to search your network connection logs.
- Creates a Zscaler XQL dataset (<Vendor>_<Product>_raw) based on the <Vendor> and <Product> fields defined in the Zscaler Cloud Firewall syslog configuration. This enables you to search the logs using XQL Search.
To integrate your logs, you first need to set up an applet in a broker VM within your network to act as a Syslog Collector. You then configure forwarding on your log devices to send logs to the syslog collector. To provide seamless log ingestion, Cortex XDR automatically maps the fields in your traffic logs to the Cortex XDR log format.

To ingest logs from Zscaler Cloud Firewall:
- Increase log storage for Zscaler Cloud Firewall logs. For more information, see Manage Your Log Storage within Cortex XDR.
- Configure NSS log forwarding in Zscaler Cloud Firewall to the Syslog Collector.
  - In the Zscaler Cloud Firewall application, go to Administration > Nanolog Streaming Service.
  - In the NSS Feeds tab, click Add NSS Feed.
  - In the Add NSS Feed screen, configure the fields for the Cortex XDR Syslog Collector. The following image displays the fields required to add an NSS feed. For more information on the other settings on the screen, see the Zscaler Cloud Firewall documentation for Adding NSS Feeds for Firewall Logs.
    - SIEM TCP Port—Specify the port that you set when activating the Syslog Collector in Cortex XDR. See Step 1.
    - SIEM IP Address—Specify the IP address that you set when activating the Syslog Collector in Cortex XDR. See Step 1.
    - Feed Escape Character—Specify the feed escape character as =.
    - Feed Output Type—Select Custom.
    - Feed Output Format—Specify the output format using the following string, entered as a single line:
      %s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss-fw CEF:0|Zscaler|NSSFWlog|5.7|%s{action}|%s{rulelabel}|3|act=%s{action} suser=%s{login} src=%s{csip} spt=%d{csport} dst=%s{cdip} dpt=%d{cdport} deviceTranslatedAddress=%s{ssip} deviceTranslatedPort=%d{ssport} destinationTranslatedAddress=%s{sdip} destinationTranslatedPort=%d{sdport} sourceTranslatedAddress=%s{tsip} sourceTranslatedPort=%d{tsport} proto=%s{ipproto} tunnelType=%s{ttype} dnat=%s{dnat} stateful=%s{stateful} spriv=%s{location} reason=%s{rulelabel} in=%ld{inbytes} out=%ld{outbytes} rt=%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} deviceDirection=1 cs1=%s{dept} cs1Label=dept cs2=%s{nwsvc} cs2Label=nwService cs3=%s{nwapp} cs3Label=nwApp cs4=%s{aggregate} cs4Label=aggregated cs5=%s{threatcat} cs5Label=threatcat cs6=%s{threatname} cs6label=threatname cn1=%d{durationms} cn1Label=durationms cn2=%d{numsessions} cn2Label=numsessions cs5Label=ipCat cs5=%s{ipcat} destCountry=%s{destcountry} avgduration=%d{avgduration}
  - Click Save.
- Click Save and activate the change according to the Zscaler Cloud Firewall documentation.
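The following Python parser is an added example, not code from Palo Alto Networks or Zscaler, for checking what a feed configured with the Feed Output Format above actually produces before it reaches the Syslog Collector. It splits the seven pipe-delimited CEF header fields (CEF:0|Zscaler|NSSFWlog|5.7|action|rulelabel|3), tokenizes the extension even though values such as the rule label and rt contain spaces, undoes the \= escape that the Feed Escape Character setting produces, and resolves the csN/csNLabel and cnN/cnNLabel pairs into named fields, accepting both the cs5Label and cs6label spellings that appear in the format string. The two sample lines are constructed; the user, address and threat values, the Block/Drop action string, and the assumption that NSS applies the escape character inside the CEF header name field as well as in the extension are assumptions, not values taken from this page.

```python
"""Parser for Zscaler NSS firewall feed lines in the CEF layout configured above.

Added example (not Palo Alto Networks or Zscaler code). SAMPLE_FEED is constructed
to match the Feed Output Format string on this page.
"""
import re
from typing import Dict, List, Tuple

# CEF header slots after "CEF:" in order: 0|Zscaler|NSSFWlog|5.7|action|rulelabel|3
HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# Prefix written by "%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss-fw CEF:"
_PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) CEF:(?P<rest>.*)$")
# An extension key starts at the beginning of the extension or after whitespace and is
# immediately followed by "=". A "\=" produced by the feed escape character has a
# backslash between the word and the "=", so it can never start a new key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))(\w+)=")
# The page's format uses both "cs5Label" and "cs6label", so accept either case.
_LABEL_RE = re.compile(r"(cs|cn)(\d+)[Ll]abel")


def _split_header(rest: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields from the extension.

    A backslash escapes the next character, so an escaped "|" or "=" inside a
    field (e.g. in the rule label) does not terminate the field.
    """
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(rest) and len(fields) < len(HEADER_FIELDS):
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):
            buf.append(rest[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    return fields, rest[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'k1=v1 k2=v2 ...' into a dict; values may contain spaces.

    If a key repeats (the format string assigns cs5 twice), the later value wins.
    """
    out: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\([\\=])", r"\1", raw)  # undo "\=" and "\\"
    return out


def _resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Map csN/csNLabel pairs to named fields: cs1=Eng cs1Label=dept -> dept=Eng."""
    resolved = dict(ext)
    for key, label in ext.items():
        m = _LABEL_RE.fullmatch(key)
        if m:
            slot = m.group(1) + m.group(2)
            if slot in ext:
                resolved[label] = ext[slot]
    return resolved


def parse_line(line: str) -> Dict[str, object]:
    """Parse one zscaler-nss-fw CEF line into header fields plus an 'ext' dict."""
    m = _PREFIX_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a zscaler-nss-fw CEF line")
    header, ext = _split_header(m.group("rest"))
    event: Dict[str, object] = {"timestamp": m.group("ts"), "host": m.group("host")}
    event.update(zip(HEADER_FIELDS, header))
    event["ext"] = _resolve_labels(_parse_extension(ext))
    return event


def parse_feed(text: str) -> List[Dict[str, object]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def blocked_with_threat(events: List[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """(user, dst, threatname) for blocked sessions that carry a threat name."""
    hits = []
    for e in events:
        ext = e["ext"]  # type: ignore[assignment]
        act = str(ext.get("act", ""))
        threat = ext.get("threatname")
        if act.startswith("Block") and threat not in (None, "", "None"):
            hits.append((ext.get("suser", ""), ext.get("dst", ""), threat))
    return hits


# Constructed sample feed: an allowed HTTPS session and a blocked session whose
# rule label contains "=" escaped by the feed escape character setting.
SAMPLE_FEED = """\
Mar 14 09:15:42 zscaler-nss-fw CEF:0|Zscaler|NSSFWlog|5.7|Allow|Default Firewall Filtering Rule|3|act=Allow suser=jdoe@example.com src=10.1.2.3 spt=51234 dst=203.0.113.10 dpt=443 deviceTranslatedAddress=192.0.2.20 deviceTranslatedPort=40001 destinationTranslatedAddress=203.0.113.10 destinationTranslatedPort=443 sourceTranslatedAddress=198.51.100.7 sourceTranslatedPort=40001 proto=TCP tunnelType=ZscalerClientConnector dnat=No stateful=Yes spriv=HQ reason=Default Firewall Filtering Rule in=1532 out=8421 rt=Mar 14 09:15:42 deviceDirection=1 cs1=Engineering cs1Label=dept cs2=HTTPS cs2Label=nwService cs3=General Browsing cs3Label=nwApp cs4=No cs4Label=aggregated cs5=None cs5Label=threatcat cs6=None cs6label=threatname cn1=250 cn1Label=durationms cn2=1 cn2Label=numsessions cs5Label=ipCat cs5=Finance destCountry=US avgduration=250
Mar 14 09:16:03 zscaler-nss-fw CEF:0|Zscaler|NSSFWlog|5.7|Block/Drop|Block Outbound\\=Unsanctioned|3|act=Block/Drop suser=jdoe@example.com src=10.1.2.3 spt=51240 dst=198.51.100.99 dpt=4444 deviceTranslatedAddress=192.0.2.20 deviceTranslatedPort=40002 destinationTranslatedAddress=198.51.100.99 destinationTranslatedPort=4444 sourceTranslatedAddress=198.51.100.7 sourceTranslatedPort=40002 proto=TCP tunnelType=ZscalerClientConnector dnat=No stateful=Yes spriv=HQ reason=Block Outbound\\=Unsanctioned in=0 out=512 rt=Mar 14 09:16:03 deviceDirection=1 cs1=Engineering cs1Label=dept cs2=Other cs2Label=nwService cs3=Unknown cs3Label=nwApp cs4=No cs4Label=aggregated cs5=Malware cs5Label=threatcat cs6=Generic.Backdoor cs6label=threatname cn1=5 cn1Label=durationms cn2=1 cn2Label=numsessions cs5Label=ipCat cs5=None destCountry=XX avgduration=5
"""

if __name__ == "__main__":
    for ev in parse_feed(SAMPLE_FEED):
        print(ev["signature_id"], ev["name"], ev["ext"]["suser"], ev["ext"]["dst"])
    print(blocked_with_threat(parse_feed(SAMPLE_FEED)))
```

One consequence the parser makes visible: because the format string sets cs5 and cs5Label twice (first for threatcat, then for ipCat), a dictionary-based parser keeps only the last pair, so the threat category is not reachable under the name threatcat in the parsed extension. Check the ingested dataset for the same behavior if you rely on that field.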