Zscaler ZIA integration
You can integrate Zscaler ZIA (Zscaler Internet Access) with Sophos Central so that it sends alerts to Sophos for analysis.
This page gives you an overview of the integration.
Zscaler ZIA product overview
Zscaler ZIA is a cloud-delivered SSE (Security Service Edge) platform that inspects users' internet and SaaS traffic. ZIA is managed centrally from the Zscaler cloud, which provides a single location for software and database updates, policy and configuration settings, and threat intelligence.
What we ingest
Sample alerts we see:
Reputation block outbound request: malicious URL
Reputation block outbound request: phishing site
Not allowed non-RFC compliant HTTP traffic
Not allowed to upload/download encrypted or password-protected archive files
IPS block outbound request: cross-site scripting (XSS) attack
Remote Backup Failed
IPS block: cryptomining & blockchain traffic
RDP Allow
Malware block: malicious file
Sandbox block inbound response: malicious file
We also ingest many others.
Alerts ingested in full
We recommend that you configure the following log categories as NSS (Nanolog Streaming Service) feeds, in CEF format, so that they are ingested in full:
- Zscaler ZIA firewall logs
- Zscaler ZIA web logs
- Zscaler ZIA DNS logs
Filtering
We filter alerts as follows.
At the log collector
At the log collector, we filter for:
- Data that isn't correctly formatted CEF (Common Event Format)
- High-volume, low-interest logs, for example allowed traffic logs
At the platform
At the platform, we filter a number of high-volume logs that aren't interesting as security events, including the following:
- Policy access logs, for example social media access
- Default allowed connections within standard firewall policies
- High-volume trivial items, for example SSL handshake logs
Sample threat mappings
Alert types are defined by the name field in the CEF header.
{"alertType": "Reputation block outbound request: malicious URL", "threatId": "T1598.003", "threatName": "Spearphishing Link"}
{"alertType": "Remote Backup Failed", "threatId": "T1020", "threatName": "Automated Exfiltration"}
{"alertType": "IPS block: cryptomining & blockchain traffic", "threatId": "T1496", "threatName": "Resource Hijacking"}
{"alertType": "Reputation block outbound request: phishing site", "threatId": "T1566", "threatName": "Phishing"}
{"alertType": "RDP Allow", "threatId": "T1021.001", "threatName": "Remote Desktop Protocol"}
{"alertType": "IPS block outbound request: cross-site scripting (XSS) attack", "threatId": "T1189", "threatName": "Drive-by Compromise"}
{"alertType": "Malware block: malicious file", "threatId": "T1204.002", "threatName": "Malicious File"}
{"alertType": "Sandbox block inbound response: malicious file", "threatId": "T1204.002", "threatName": "Malicious File"}
{"alertType": "Not allowed non-RFC compliant HTTP traffic", "threatId": "T1071", "threatName": "Application Layer Protocol"}
{"alertType": "Not allowed to upload/download encrypted or password-protected archive files", "threatId": "T1027", "threatName": "Obfuscated Files or Information"}
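The following is an added example, not Sophos or Zscaler code, showing the two behaviours described above end to end: the log-collector filtering (dropping malformed CEF and high-volume allowed-traffic logs) and the mapping of the CEF header name field to the ATT&CK techniques listed on this page. The sample log lines are constructed for illustration and only follow the generic CEF layout (seven pipe-separated header fields, then key=value extensions); they are not real NSS feed output. The rule that keeps an allow event only when its name has a threat mapping (so "RDP Allow" survives while generic allowed web traffic does not) is an assumption about how the filter works, and the platform-side filters are not modelled.

```python
"""Added example: CEF parsing, collector-side filtering and ATT&CK mapping
for Zscaler ZIA NSS feeds. Not Sophos or Zscaler code; sample lines and the
low-interest rule are assumptions for illustration."""
import re
from typing import Optional

# Constructed sample lines (not real NSS output). Layout follows the CEF
# header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
SAMPLE_LINES = [
    "CEF:0|Zscaler|NSSWeblog|1.0|100|Reputation block outbound request: malicious URL|7|act=Blocked request=http://bad.example/x suser=alice",
    "CEF:0|Zscaler|NSSFWlog|1.0|200|RDP Allow|3|act=Allow dpt=3389 src=10.0.0.5 dst=10.0.0.9",
    "CEF:0|Zscaler|NSSWeblog|1.0|300|Allowed|1|act=Allowed request=https://www.example.com/ suser=bob",
    "this is not a CEF record at all",
    "CEF:0|Zscaler|NSSWeblog|1.0|400|IPS block: cryptomining & blockchain traffic|8|act=Blocked suser=carol",
]

# Alert name -> ATT&CK technique, copied from the sample mappings on this page.
THREAT_MAP = {
    "Reputation block outbound request: malicious URL": ("T1598.003", "Spearphishing Link"),
    "Remote Backup Failed": ("T1020", "Automated Exfiltration"),
    "IPS block: cryptomining & blockchain traffic": ("T1496", "Resource Hijacking"),
    "Reputation block outbound request: phishing site": ("T1566", "Phishing"),
    "RDP Allow": ("T1021.001", "Remote Desktop Protocol"),
    "IPS block outbound request: cross-site scripting (XSS) attack": ("T1189", "Drive-by Compromise"),
    "Malware block: malicious file": ("T1204.002", "Malicious File"),
    "Sandbox block inbound response: malicious file": ("T1204.002", "Malicious File"),
    "Not allowed non-RFC compliant HTTP traffic": ("T1071", "Application Layer Protocol"),
    "Not allowed to upload/download encrypted or password-protected archive files": ("T1027", "Obfuscated Files or Information"),
}

_HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")          # header fields may contain "\|"
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)", re.DOTALL)  # key=value pairs, values may contain spaces


def parse_cef(line: str) -> Optional[dict]:
    """Return the header fields plus an 'ext' dict of extension pairs, or None
    when the line is not well-formed CEF (the collector's malformed-data case)."""
    parts = _UNESCAPED_PIPE.split(line.strip(), maxsplit=7)
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        return None
    header = dict(zip(_HEADER_FIELDS, (p.replace(r"\|", "|") for p in parts[:7])))
    if not header["version"][4:].isdigit():     # "CEF:0" -> "0"
        return None
    ext_text = parts[7] if len(parts) == 8 else ""
    header["ext"] = {k: v.replace(r"\=", "=").strip() for k, v in _EXT_PAIR.findall(ext_text)}
    return header


def is_low_interest(event: dict) -> bool:
    """Assumed collector rule: generic allowed traffic is high-volume and
    low-interest, so drop it unless the name is one we map to a technique."""
    action = event["ext"].get("act", "").lower()
    return action.startswith("allow") and event["name"] not in THREAT_MAP


def classify(line: str) -> dict:
    """Apply the two collector filters, then attach the ATT&CK mapping."""
    event = parse_cef(line)
    if event is None:
        return {"status": "dropped_malformed", "raw": line}
    if is_low_interest(event):
        return {"status": "dropped_low_interest", "name": event["name"]}
    threat_id, threat_name = THREAT_MAP.get(event["name"], (None, None))
    return {
        "status": "ingested",
        "name": event["name"],
        "severity": event["severity"],
        "threatId": threat_id,
        "threatName": threat_name,
        "ext": event["ext"],
    }


def process(lines) -> list:
    """Classify every line; unmapped but well-formed alerts are still ingested."""
    return [classify(line) for line in lines]


def summarize(lines) -> dict:
    """Count outcomes per status, useful for checking the filter's drop rate."""
    counts: dict = {}
    for result in process(lines):
        counts[result["status"]] = counts.get(result["status"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in process(SAMPLE_LINES):
        print(r["status"], r.get("name"), r.get("threatId"))
    print(summarize(SAMPLE_LINES))
```

Run it on the constructed lines and three events are ingested (two with mappings, plus "RDP Allow" kept despite being an allow event), the generic "Allowed" web log is dropped as low-interest, and the non-CEF line is dropped as malformed. The extension parser is deliberately simple: it handles escaped `\=` and `\|` but not every edge of the CEF spec, so validate it against your own feed format before relying on it.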