Collect Zscaler DNS logs

This document describes how you can export Zscaler DNS logs by setting up a Google Security Operations feed and how log fields map to Google SecOps Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google SecOps overview .

A typical deployment consists of Zscaler DNS and the Google SecOps Webhook feed configured to send logs to Google SecOps. Each customer deployment can differ and might be more complex.

The deployment contains the following components:

• Zscaler DNS: The platform from which you collect logs.

• Google SecOps feed: The Google SecOps feed that fetches logs from Zscaler DNS and writes logs to Google SecOps.

• Google SecOps: Retains and analyzes the logs.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the ZSCALER_DNS ingestion label.

Before you begin

Ensure you have the following prerequisites:

• Access to Zscaler Internet Access console. For more information, see Secure Internet and SaaS Access ZIA Help .
• Zscaler DNS 2024 or later
• All systems in the deployment architecture are configured with the UTC time zone.
• The API key which is needed to complete feed setup in Google Security Operations. For more information, see Setting up API keys .

Set up feeds

To configure this log type, follow these steps:

1. Go to SIEM Settings > Feeds.
2. Click Add New Feed.
3. Click the Zscalerfeed pack.
4. Locate the required log type and click Add New Feed.

5. Enter values for the following input parameters:

   • Source Type: Webhook (Recommended)
   • Split delimiter: the character used to separate logs lines. Leave blank if no delimiter is used.

   Advanced options

   • Feed Name: A prepopulated value that identifies the feed.
   • Asset Namespace: Namespace associated with the feed .
   • Ingestion Labels: Labels applied to all events from this feed.

6. Click Create Feed.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product .

Set up Zscaler DNS

1. In the Zscaler Internet Access console, click Administration > Nanolog Streaming Service > Cloud NSS Feedsand then click Add Cloud NSS Feed.
2. The Add Cloud NSS Feedwindow appears. In the Add Cloud NSS Feedwindow, enter the details.
3. Enter a name for the feed in the Feed Namefield.
4. Select NSS for DNSin NSS Type.
5. Select the status from the Statuslist to activate or deactivate the NSS feed.
6. Keep the value in the SIEM Ratedrop-down as Unlimited. To suppress the output stream due to licensing or other constraints, change the value.
7. Select Otherin the SIEM Typelist.
8. Select Disabledin the OAuth 2.0 Authenticationlist.
9. Enter a size limit for an individual HTTP request payload to the SIEM's best practice in Max Batch Size. For example, 512 KB.

10. Enter the HTTPS URL of the Chronicle API endpoint in the API URL in the following format:

     https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs 
    

    • CHRONICLE_REGION : Region where your Chronicle instance is hosted. For example, US.
    • GOOGLE_PROJECT_NUMBER : BYOP project number. Obtain this from C4.
    • LOCATION : Chronicle region. For example, US.
    • CUSTOMER_ID : Chronicle customer ID. Obtain from C4.
    • FEED_ID : Feed ID shown on Feed UI on the new webhook created
    • Sample API URL:

     https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs 
    

11. Click Add HTTP Header, and then add HTTP headers in the following format:

    • Header 1 : Key1: X-goog-api-key and Value1:API Key generated on Google Cloud BYOP's API Credentials.
    • Header 2 : Key2: X-Webhook-Access-Key and Value2:API secret key generated on webhook's "SECRET KEY".

12. Select DNS Logsin the Log Typeslist.

13. Select JSONin the Feed Output Typelist.

14. Set Feed Escape Characterto , \ " .

15. To add a new field to the Feed Output Format,select Customin the Feed Output Typelist.

16. Copy-paste the Feed Output Formatand add new fields. Ensure the key names match the actual field names.

17. Following is the default Feed Output Format:

       
     \ 
     { 
      
     "sourcetype" 
      
     : 
      
     "zscalernss-dns" 
     , 
      
     "event" 
      
     : 
     \ 
     { 
     "datetime" 
     : 
     "%s{time}" 
     , 
     "user" 
     : 
     "%s{elogin}" 
     , 
     "department" 
     : 
     "%s{edepartment}" 
     , 
     "location" 
     : 
     "%s{elocation}" 
     , 
     "reqaction" 
     : 
     "%s{reqaction}" 
     , 
     "resaction" 
     : 
     "%s{resaction}" 
     , 
     "reqrulelabel" 
     : 
     "%s{reqrulelabel}" 
     , 
     "resrulelabel" 
     : 
     "%s{resrulelabel}" 
     , 
     "dns_reqtype" 
     : 
     "%s{reqtype}" 
     , 
     "dns_req" 
     : 
     "%s{req}" 
     , 
     "dns_resp" 
     : 
     "%s{res}" 
     , 
     "srv_dport" 
     : 
     "%d{sport}" 
     , 
     "durationms" 
     : 
     "%d{durationms}" 
     , 
     "clt_sip" 
     : 
     "%s{cip}" 
     , 
     "srv_dip" 
     : 
     "%s{sip}" 
     , 
     "category" 
     : 
     "%s{domcat}" 
     , 
     "respipcategory" 
     : 
     "%s{respipcat}" 
     , 
     "deviceowner" 
     : 
     "%s{deviceowner}" 
     , 
     "devicehostname" 
     : 
     "%s{devicehostname}" 
     \ 
     } 
     \ 
     } 
     
    

18. Select the timezone for the Timefield in the output file in the Timezonelist. By default, the timezone is set to your organization's time zone.

19. Review the configured settings.

20. Click Saveto test connectivity. If the connection is successful, a green tick accompanied by the message Test Connectivity Successful: OK (200)appears.

For more information about Google SecOps feeds, see Google SecOps feeds documentation . For information about requirements for each feed type, see Feed configuration by type .

If you encounter issues when you create feeds, contact Google SecOps support .

Supported Zscaler DNS log formats

The Zscaler DNS parser supports logs in JSON format.

Supported Zscaler DNS Sample Logs

• JSON

   {
    "sourcetype": "zscalernss-dns",
    "event": {
      "srv_dport": "53",
      "durationms": "1306",
      "clt_sip": "1.1.1.1",
      "respipcategory": "Other",
      "datetime": "Sun Sep 18 22:41:05 2020",
      "reqaction": "Allow",
      "resaction": "Allow",
      "resrulelabel": "None",
      "category": "Finance",
      "devicehostname": "dummy_hostname",
      "user": "test.123@test.com",
      "location": "dummy",
      "deviceowner": "212582",
      "department": "Output%20Solutions",
      "reqrulelabel": "Default Firewall DNS Rule",
      "dns_reqtype": "SRV",
      "dns_req": "dummy.domains.com",
      "dns_resp": "NXDOMAIN",
      "srv_dip": "1.1.1.1"
    }
  } 
  

Field mapping reference

Field mapping reference: ZSCALER_DNS

The following table lists the log fields of the ZSCALER_DNS log type and their corresponding UDM fields.

Need more help? Get answers from Community members and Google SecOps professionals.