MCAS Help with ZSCaler


I recently implemented Cloud App Security with a ZSCaler instance. I am getting the logs to come over into MCAS, but when they are doing so, the user ID is coming anonymized. I have checked in MCAS and ZScaler, and the obscuration setting is turned off. Anybody have some suggestions on what else to look at in regards to the User ID being shown incorrectly?

Note, when I do put the obscured ID into MCAS decrypting tool, MCAS is able to resolve it. 

8 Replies

@SteveCombs 


@Sebastien Molendijk: Is this something you can help with? 


Hi @SteveCombs,

Before taking this to engineering for troubleshooting, could you please confirm that when creating your Zscaler data source in the MCAS portal, you didn't mark the checkbox to anonymize PII? (See more details in the attachment.)

 

Thanks,

Danny.

I am checking today on this setup, but I am pretty sure this checkbox is not selected. If so, should we open a ticket with MS, in your opinion?

@Danny Kadyshevitch 

Steve,

Please note that this option is set only once when the data source is created.
I'd suggest that you delete the current data source, and create a new one with the exact configuration (consider not checking the anonymization checkbox) and then see whether data still comes in the same way.

If this still doesn't resolve your case, opening a support ticket is the suggested action.

Thanks,
Danny.
Does the issue still occur?

@Eli Shlomo 

It turns out that the source for ZScaler data needs to be NSS. It is hard-coded into the MCAS software.

There are main settings for Zscaler for MCAS: NSS (the source with Zscaler), QRadar LEEF, the receiver type = Syslog - UDP, and, for your issue, the "anonymize private information" setting. I work with Zscaler and MCAS together and it does a great job.

That is incorrect. Data source name (i.e. NSS) isn't hardcoded in MCAS, and can be modified in Zscaler 'zbridge-mcas.properties' file.