Darktrace Zscaler ZIA Integration

This document provides instructions for integrating Darktrace and Zscaler ZIA to allow Darktrace to ingest weblogs from a Zscaler ZIA device. The integration will simulate connection data in Darktrace based on the Zscaler logs. Devices seen in the Zscaler logs will be created in Darktrace if they don't already exist. Connections created from the Zscaler logs will be analyzed by Darktrace and available in the Advanced Search. The document outlines requirements and provides steps to configure the integration in both the Darktrace and Zscaler systems.
Threat Visualizer v5.1

Last Updated: August 4 2021


DARKTRACE ZSCALER ZIA INTEGRATION 2

Darktrace and Zscaler ZIA


The Darktrace Zscaler ZIA integration ingests weblogs from a ZIA device to simulate connection data. Web events
produced by the Zscaler logging will be associated with a device of the same hostname. If a device of that hostname does
not already exist, Darktrace will create a new device. Connection events created from Zscaler logs will be available to core
Darktrace analysis and accessible in Advanced Search.

Devices which have ZIA simulated connectivity associated will be automatically tagged with the ZIA tag.

Requirements

• A Darktrace Appliance running v4.1 or above and optionally a Darktrace vSensor or hardware probe configured
to receive logs.

• A Zscaler ZIA instance with Collect Device Owner Information and Collect Machine Hostname Information
enabled.

• A configured Nanolog Streaming Service (Zscaler NSS subscription required) set up with a local NSS server
able to contact a Darktrace Master or Probe (hardware or virtualized) over the required port (TCP 1514).

• Access to the Zscaler administration portal to configure NSS feeds.

Considerations

• Packet data is not available for connections constructed from Zscaler ZIA logs.

• Connections are only created for protocols included in the ZIA logs and are limited by the data provided within
the log.

• Due to the lack of source port information in ZIA logs, simulated connections are assigned to port 18000.


Deploying the ZIA Integration


Darktrace Configuration
1. Access the Darktrace master intended to receive the Zscaler logs. Within the Threat Visualizer, navigate to the
System Config page in the main menu under Admin.

Select Modules from the left-hand menu.

2. Locate the Telemetry subsection, select “Zscaler ZIA” from the available options.

A new dialog will open. Ensure the module is enabled.

3. Click the “Details” button to display the log output format. Record this securely as it is required for configuration
later.

4. Returning to the Modules page, locate the Telemetry subsection. Click the Config button. A new dialog will
open.

5. Select the appliance or probe that logs are being sent to. In the field Log Input Allowed IPs, enter the IP
address of the Zscaler device sending the logs.

Save the changes.

Zscaler Configuration
1. Access the ZIA console as a user with permission to configure NSS feeds.

2. Navigate to Administration > Nanolog Stream Service and select NSS feeds from the available table. Click “+
Add NSS Feed”.

3. Provide a descriptive name for the feed and ensure it is Enabled.

4. Select the NSS Server located locally to the master appliance or vSensor. Enter the IP of the master appliance
or vSensor/hardware probe intended to receive the logs.

5. Set the Destination Type and enter the TCP Port as 1514.

6. Ensure the SIEM Rate is unlimited and the Log Type is set to Web Log.

7. Set Feed Output Type to “Custom” and paste the output format retrieved from the Darktrace Threat Visualizer
config page into the Feed Output Format field.

8. Save the changes.

ZIA logs should now be received by the master or probe and begin to populate connection and hostname data within the
Threat Visualizer.
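A preflight check for the log path configured above, added here as an example and not Darktrace or Zscaler code: run it on the local NSS server to confirm that the master/probe is reachable on TCP 1514 and that the source IP the NSS server will present is covered by the Log Input Allowed IPs entry from step 5. The 192.0.2.x addresses are constructed placeholders to replace with your own.

```python
"""Preflight for the Zscaler NSS -> Darktrace feed path (added example, not vendor code).

Assumptions: the master/probe listens on TCP 1514 as the guide states, and the
check runs on the NSS server so the source IP observed is the one Darktrace sees.
"""
import ipaddress
import socket

DT_LOG_PORT = 1514  # TCP port required by the guide for the NSS feed


def local_source_ip(dt_host: str, port: int = DT_LOG_PORT) -> str:
    """Return the local IP this host would use to reach dt_host:port.

    A UDP connect() only selects a route; no packet is sent.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((dt_host, port))
        return s.getsockname()[0]
    finally:
        s.close()


def tcp_reachable(dt_host: str, port: int = DT_LOG_PORT, timeout: float = 3.0) -> bool:
    """True if a TCP connection to the Darktrace master/probe succeeds."""
    try:
        with socket.create_connection((dt_host, port), timeout=timeout):
            return True
    except OSError:
        return False


def allowed_by_darktrace(source_ip: str, allowed_ips: list[str]) -> bool:
    """Mirror the Log Input Allowed IPs check: is source_ip in the configured list?

    Entries may be single addresses or CIDR ranges.
    """
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(e, strict=False) for e in allowed_ips)


def preflight(dt_host: str, allowed_ips: list[str], port: int = DT_LOG_PORT) -> dict:
    """Run all checks and return the findings; a False value points at a NAT or firewall issue."""
    src = local_source_ip(dt_host, port)
    return {
        "source_ip": src,
        "tcp_reachable": tcp_reachable(dt_host, port),
        "allowed_by_darktrace": allowed_by_darktrace(src, allowed_ips),
    }


if __name__ == "__main__":
    # Constructed placeholders: master/probe IP and the allow-list entered in step 5.
    print(preflight("192.0.2.10", ["192.0.2.20"]))
```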