SOLVED

Using Sentinel API to connect Zscaler Cloud NSS

Copper Contributor

Hi guys,


I'm looking into connecting my Zscaler environment logs to Sentinel via Zscaler Cloud NSS.

This would stream the logs directly to Sentinel without a VM.

Zscaler Cloud NSS is asking for a Sentinel API URL.

Which one should I use? How can I find out?


I think I'm also trying to grasp the entire workflow of this.

Do I need to set up a Function App and write some code that will make the two endpoints talk to each other?

Or do I need to register an app in AAD and grant the permissions to pull/push data?


If I'm totally wrong, what is the method I would need to use instead?


Hello @LauriK000,


I've just looked into my Sentinel and found that there are 2 connectors available out of the box: Zscaler Internet Access and Zscaler Private Access (neither of which covers your case).


So you need to check which SIEM integration options Zscaler Cloud NSS offers.

It could be Syslog forwarding (which needs a Syslog forwarder), pulling logs via HTTPS (API requests from a Logic App or an Azure Function, for example), or something else. You can find this in the Zscaler documentation.


When you have verified the available options, you can decide how to proceed.

Hi @mikhailf

Cheers for the response.

I've contacted Zscaler and they told me they support Sentinel through an API URL.
It's in the preview stage, so no reference documentation exists at this time.
So I thought surely someone has done some integration with this.

The Zscaler side seems to ask for very few things on its setup page:
- API URL
- HTTP HEADERS (key & value pair)

And other less related things such as rate limit, log type, log format and log filters.

Syslog would definitely be an option, but I'm trying to minimise the infrastructure I have to maintain.

best response confirmed by LauriK000 (Copper Contributor)