
Zscaler ZIA integration

You can integrate Zscaler ZIA (Zscaler Internet Access) with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives you an overview of the integration.

Zscaler ZIA product overview

Zscaler ZIA is an SSE (Security Service Edge) platform. ZIA monitors the cloud and provides a central location for software and database updates, policy and configuration settings, and threat intelligence.

Sophos documents

Integrate Zscaler ZIA

What we ingest

Sample alerts we see:

  • Reputation block outbound request: malicious URL
  • Reputation block outbound request: phishing site
  • Not allowed non-RFC compliant HTTP traffic
  • Not allowed to upload/download encrypted or password-protected archive files
  • IPS block outbound request: cross-site scripting (XSS) attack
  • Remote Backup Failed
  • IPS block: cryptomining & blockchain traffic
  • RDP Allow
  • Malware block: malicious file
  • Sandbox block inbound response: malicious file

We also ingest many others.

Alerts ingested in full

We recommend that you configure the following categories in NSS (Nanolog Streaming Service):

  • Zscaler ZIA firewall logs
  • Zscaler ZIA web logs
  • Zscaler ZIA DNS logs

Filtering

We filter alerts as follows.

At the log collector

At the log collector, we filter for:

  • Incorrectly formatted data (CEF)
  • High-volume, low-interest logs, for example allowed traffic logs

At the platform

At the platform, we filter a number of high-volume logs that aren't interesting as security events, including the following:

  • Policy access logs, for example social media access
  • Default allowed connections within standard firewall policies
  • High-volume trivial items, for example SSL handshake logs

Sample threat mappings

Alert types are defined by the name field in the CEF header.

{"alertType": "Reputation block outbound request: malicious URL", "threatId": "T1598.003", "threatName": "Spearphishing Link"}
{"alertType": "Remote Backup Failed", "threatId": "T1020", "threatName": "Automated Exfiltration"}
{"alertType": "IPS block: cryptomining & blockchain traffic", "threatId": "T1496", "threatName": "Resource Hijacking"}
{"alertType": "Reputation block outbound request: phishing site", "threatId": "T1566", "threatName": "Phishing"}
{"alertType": "RDP Allow", "threatId": "T1021.001", "threatName": "Remote Desktop Protocol"}
{"alertType": "IPS block outbound request: cross-site scripting (XSS) attack", "threatId": "T1189", "threatName": "Drive-by Compromise"}
{"alertType": "Malware block: malicious file", "threatId": "T1204.002", "threatName": "Malicious File"}
{"alertType": "Sandbox block inbound response: malicious file", "threatId": "T1204.002", "threatName": "Malicious File"}
{"alertType": "Not allowed non-RFC compliant HTTP traffic", "threatId": "T1071", "threatName": "Application Layer Protocol"}
{"alertType": "Not allowed to upload/download encrypted or password-protected archive files", "threatId": "T1027", "threatName": "Obfuscated Files or Information"}
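The collector filter and the name-based threat mapping described above, as an added Python example that is not Sophos's own code: it parses constructed NSS-style CEF lines, drops malformed lines and unmapped allowed-traffic events, and attaches the page's ATT&CK mappings keyed on the CEF name field. The `act=Allowed` rule and the sample log lines are assumptions standing in for the collector's real filter and real Zscaler output.

```python
import re
from typing import Optional

# Subset of the page's sample mappings: CEF name field -> (ATT&CK id, technique name)
THREAT_MAP = {
    "Reputation block outbound request: malicious URL": ("T1598.003", "Spearphishing Link"),
    "Reputation block outbound request: phishing site": ("T1566", "Phishing"),
    "RDP Allow": ("T1021.001", "Remote Desktop Protocol"),
    "Malware block: malicious file": ("T1204.002", "Malicious File"),
    "IPS block: cryptomining & blockchain traffic": ("T1496", "Resource Hijacking"),
}
# CEF extension: space-separated key=value pairs; values may themselves contain spaces
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_cef(line: str) -> Optional[dict]:
    """Return header name/severity and extension dict, or None if the line is not well-formed CEF."""
    if not line.startswith("CEF:"):
        return None
    parts = line.split("|", 7)            # 7 header fields + extension
    if len(parts) != 8:
        return None
    name, severity, ext = parts[5], parts[6], parts[7]
    return {"name": name, "severity": severity, "ext": dict(EXT_RE.findall(ext))}

def collector_filter(line: str) -> Optional[dict]:
    """Collector stage: drop malformed CEF and high-volume allowed-traffic events."""
    event = parse_cef(line)
    if event is None:
        return None
    # Assumed collector rule (not Sophos's actual logic): an act=Allowed event whose
    # name has no threat mapping is plain allowed traffic; mapped names such as
    # "RDP Allow" survive the filter because the page lists them as ingested alerts.
    if event["ext"].get("act") == "Allowed" and event["name"] not in THREAT_MAP:
        return None
    return event

def enrich(event: dict) -> dict:
    """Platform stage: attach the ATT&CK mapping keyed on the CEF name field."""
    threat_id, threat_name = THREAT_MAP.get(event["name"], (None, None))
    return {**event, "threatId": threat_id, "threatName": threat_name}

def process(lines: list) -> list:
    """Run the collector filter, then enrichment, over raw NSS CEF lines."""
    return [enrich(ev) for ev in map(collector_filter, lines) if ev is not None]

# Constructed sample lines in NSS CEF shape (not real Zscaler output)
SAMPLE = [
    "CEF:0|Zscaler|NSSWeblog|6.0|1|Reputation block outbound request: malicious URL|9|act=Blocked suser=alice",
    "CEF:0|Zscaler|NSSFWlog|6.0|2|RDP Allow|5|act=Allowed dpt=3389 suser=bob smith",
    "CEF:0|Zscaler|NSSWeblog|6.0|3|Allowed|1|act=Allowed request=https://example.test/",
    "this is not CEF and must be dropped",
]
```

Running `process(SAMPLE)` keeps the blocked malicious-URL event and the mapped "RDP Allow" event, and drops the generic allowed request and the non-CEF line.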

Vendor documentation