

# Zscaler Internet Access
<a name="zscaler-zia-setup"></a>

CloudWatch pipelines enables you to collect logs from Zscaler Internet Access (ZIA). ZIA is a cloud-based secure web gateway that protects users connecting to the internet.

**Topics**
+ [Source configuration for Zscaler Internet Access](zscaler-zia-source-setup.md)
+ [Pipeline configuration for Zscaler Internet Access](zscaler-zia-pipeline-setup.md)

# Source configuration for Zscaler Internet Access
<a name="zscaler-zia-source-setup"></a>

## Integrating with Zscaler Internet Access
<a name="zscaler-zia-integration"></a>

Zscaler Internet Access (ZIA) is a cloud-based secure web gateway that protects users connecting to the internet. It inspects all internet traffic to block malware, phishing, and data leaks using advanced threat detection and SSL inspection. ZIA enforces security policies in real time without requiring on-premises hardware. It ensures safe and compliant internet access for users anywhere. CloudWatch pipelines enables you to collect this data in CloudWatch Logs.

## Instructions to set up Amazon S3 and Amazon SQS
<a name="zscaler-zia-s3-sqs-setup"></a>

Configuring ZIA to send logs to an Amazon S3 bucket involves several steps: setting up the Amazon S3 bucket, the Amazon SQS queue, and the IAM identities, and then configuring the CloudWatch pipeline.
+ Create an Amazon S3 bucket to store the ZIA logs, with a separate folder (key prefix) for each log type. Create an IAM user for the NSS feed and grant it S3 write permission (`s3:PutObject`) scoped to that bucket's log prefixes only. The user needs no console access, only programmatic access, so create an access key and secret key for it; these are what you enter into the NSS feed configuration.
+ Create an Amazon SQS queue in the same AWS Region as the Amazon S3 bucket. This queue receives a notification each time a new log file is added to the bucket. Its access policy must allow the `s3.amazonaws.com` service principal to send messages, restricted to your bucket's ARN and your account.
+ Configure the Amazon S3 bucket to send event notifications for "Object Create" events to the Amazon SQS queue.
+ Configure the NSS feeds with the Amazon S3 bucket details and the IAM user's keys so that ZIA pushes logs to the bucket.
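The following Python script is an added example, not AWS or Zscaler code, that produces the three documents the procedure above needs: a least-privilege IAM policy for the NSS feed user (`s3:PutObject` only, only under the log folders), an SQS queue policy that lets S3 send notifications but only from your bucket and your account (the `aws:SourceArn` and `aws:SourceAccount` conditions are what stop another account's bucket from injecting fake "new object" events), and the bucket notification configuration for object-created events. The account ID, Region, bucket name, queue name and folder names are placeholders to replace with your own. It also runs a small audit that rejects any policy carrying a wildcard action or resource.

```python
"""Generate the IAM, SQS and S3 notification documents for the ZIA -> S3 -> SQS setup.

Added example, not AWS or Zscaler code. Every identifier below is a placeholder.
"""
import json

ACCOUNT_ID = "123456789012"   # placeholder account
REGION = "us-east-1"
BUCKET = "zia-logs-example"   # placeholder bucket name
QUEUE_NAME = "zia-s3-events"  # placeholder queue name
LOG_PREFIXES = ("dns", "web", "firewall", "admin-audit")  # one folder per NSS feed (assumed names)


def nss_writer_policy(bucket, prefixes):
    """IAM policy for the NSS feed user: PutObject only, only under the log folders.
    No Get/List/Delete, so a leaked NSS access key cannot read or erase collected logs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ZiaNssWriteOnly",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/{p}/*" for p in prefixes],
        }],
    }


def s3_to_sqs_queue_policy(account_id, region, queue_name, bucket):
    """SQS access policy: S3 may send messages, but only on behalf of this bucket and account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3BucketNotifications",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": f"arn:aws:sqs:{region}:{account_id}:{queue_name}",
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{bucket}"},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


def bucket_notification_config(account_id, region, queue_name, prefixes):
    """S3 notification configuration: one ObjectCreated rule per log folder, all to the queue."""
    queue_arn = f"arn:aws:sqs:{region}:{account_id}:{queue_name}"
    return {"QueueConfigurations": [{
        "Id": f"zia-{p}-created",
        "QueueArn": queue_arn,
        "Events": ["s3:ObjectCreated:*"],
        "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": f"{p}/"}]}},
    } for p in prefixes]}


def audit_policy(policy):
    """Return findings for Allow statements with wildcard actions or resources; [] means clean."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        sid = stmt.get("Sid", "?")
        findings += [f"{sid}: wildcard action {a}" for a in actions if a == "*" or a.endswith(":*")]
        findings += [f"{sid}: wildcard resource" for r in resources if r == "*"]
    return findings


if __name__ == "__main__":
    writer = nss_writer_policy(BUCKET, LOG_PREFIXES)
    queue = s3_to_sqs_queue_policy(ACCOUNT_ID, REGION, QUEUE_NAME, BUCKET)
    for name, doc in (("nss-writer-policy", writer), ("queue-policy", queue)):
        if audit_policy(doc):
            raise SystemExit(f"{name} is over-privileged: {audit_policy(doc)}")
    with open("nss-writer-policy.json", "w") as f:
        json.dump(writer, f, indent=2)
    # set-queue-attributes takes the policy as a JSON string inside the attributes map
    with open("queue-attributes.json", "w") as f:
        json.dump({"Policy": json.dumps(queue)}, f, indent=2)
    with open("notification.json", "w") as f:
        json.dump(bucket_notification_config(ACCOUNT_ID, REGION, QUEUE_NAME, LOG_PREFIXES), f, indent=2)
    print("wrote nss-writer-policy.json, queue-attributes.json, notification.json")
```

Apply the generated files in this order: `aws iam put-user-policy --user-name <nss-user> --policy-name ZiaNssWriteOnly --policy-document file://nss-writer-policy.json`, then `aws sqs set-queue-attributes --queue-url <queue-url> --attributes file://queue-attributes.json`, then `aws s3api put-bucket-notification-configuration --bucket <bucket> --notification-configuration file://notification.json`. The queue policy has to be in place before the notification is configured, because S3 validates the destination by sending a test message to the queue. If your NSS feed turns out to need more than `s3:PutObject`, extend the policy but keep it scoped to the bucket and prefixes.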

## Configuring the CloudWatch Pipeline
<a name="zscaler-zia-pipeline-config"></a>

When configuring the pipeline to read data from Zscaler Internet Access, choose Zscaler Internet Access (ZIA) as the data source. After you fill in the required information and create the pipeline, the data becomes available in the selected CloudWatch Logs log group.

## Supported Open Cybersecurity Schema Framework Event Classes
<a name="zscaler-zia-ocsf-events"></a>

This integration supports OCSF schema version v1.5.0 and events that map to DNS Activity (4003), HTTP Activity (4002), Network Activity (4001), and Authentication (3002). The ZIA log source for each event class is listed below.

**DNS Activity** covers all events from source:
+ DNS Logs

**HTTP Activity** covers all events from source:
+ Web Logs

**Network Activity** covers all events from source:
+ Firewall Logs

**Authentication** covers events from source:
+ Admin Audit Logs - Event actions: SIGN_IN, SIGN_OUT

# Pipeline configuration for Zscaler Internet Access
<a name="zscaler-zia-pipeline-setup"></a>

The Zscaler setup on AWS reads log data from Amazon S3 buckets using Amazon SQS notifications for new object events.

Configure the Zscaler source using the following parameters:

```
source:
  s3:
    aws:
      region: "us-east-1"
      sts_role_arn: "arn:aws:iam::<account>:role/<role-name>"
    compression: "gzip"
    codec:
      ndjson:
    data_source_name: "zscaler_internetaccess"
    default_bucket_owner: "123456789012"
    bucket_owners:
      my-bucket: "123456789012"
    disable_bucket_ownership_validation: false
    notification_type: "sqs"
    sqs:
      queue_url: "https://sqs.region.amazonaws.com/<account>/<queue-name>"
    on_error: "retain_messages"
```

**Parameters**

`notification_type` (required)  
Specifies the notification mechanism. Must be "sqs" to use SQS for S3 event notifications.

`data_source_name` (required)  
Identifies the data source. This can be any string value that represents your data source. Example: "zscaler_internetaccess".

`aws.region` (required)  
The AWS region where the S3 bucket and SQS queue are located.

`aws.sts_role_arn` (required)  
The ARN of the IAM role to assume for accessing S3 and SQS resources.

`codec` (required)  
Codec configuration for parsing S3 objects. Supports csv, json, ndjson codecs.

`compression` (optional)  
Compression type of the S3 objects. Valid values are "none", "gzip", "automatic". Defaults to "none".

`sqs.queue_url` (required for SQS)  
The complete SQS queue URL that receives S3 bucket notifications when new objects are created.

`on_error` (optional)  
Determines how to handle an Amazon SQS message whose S3 object could not be processed. Can be either "retain_messages" or "delete_messages". Default is "retain_messages", which leaves the message in the queue so it is redelivered after the visibility timeout; "delete_messages" drops it. If you use "retain_messages", attach a dead-letter queue to the SQS queue so that a permanently failing message stops cycling instead of being retried forever.
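Below is a Python model, added here as an example and not the pipeline's own implementation, of how a reader driven by this configuration should treat each SQS message. It discards the `s3:TestEvent` that S3 sends once when notifications are configured, resolves the account to demand as the bucket's owner from `bucket_owners` and `default_bucket_owner` (S3 rejects a GetObject whose `ExpectedBucketOwner` does not match the bucket's owner, which is why `disable_bucket_ownership_validation` should stay `false`), gunzips and splits the ndjson object, classifies each record into the OCSF class from the event table in the source section by the folder it was written to, and retains or deletes the message on failure according to `on_error`. S3 is replaced by an in-memory stand-in; the folder names, the admin-audit `action` field name and all sample records are constructed, not taken from real ZIA output.

```python
"""Model of an SQS-notified S3 reader for ZIA logs: owner check, gzip+ndjson decode, OCSF class.

Added example, not the pipeline's own code. Folder names, the 'action' field and all records are constructed.
"""
import gzip
import json

# Mirrors the page's source block; the account and bucket are placeholders.
CONFIG = {
    "default_bucket_owner": "123456789012",
    "bucket_owners": {"my-bucket": "123456789012"},
    "disable_bucket_ownership_validation": False,
    "on_error": "retain_messages",
}

CLASS_BY_FOLDER = {"dns": 4003, "web": 4002, "firewall": 4001}  # OCSF class_uid per log type (page's table)
AUTH_ACTIONS = {"SIGN_IN", "SIGN_OUT"}  # admin audit actions that map to Authentication (3002)


def expected_owner(cfg, bucket):
    """Account ID to send as ExpectedBucketOwner on GetObject; None disables the check."""
    if cfg["disable_bucket_ownership_validation"]:
        return None
    return cfg["bucket_owners"].get(bucket, cfg["default_bucket_owner"])


def classify(folder, record):
    """OCSF class_uid for one record, or None when the page defines no mapping for it."""
    if folder in CLASS_BY_FOLDER:
        return CLASS_BY_FOLDER[folder]
    if folder == "admin-audit" and record.get("action") in AUTH_ACTIONS:  # 'action' is an assumed field name
        return 3002
    return None


def process_message(body, cfg, fetch):
    """Handle one SQS message body. fetch(bucket, key, owner) stands in for S3 GetObject and
    raises PermissionError on an owner mismatch. Returns (action, events), action in {delete, retain}."""
    msg = json.loads(body)
    if msg.get("Event") == "s3:TestEvent":  # sent by S3 when the notification is configured; no object
        return "delete", []
    events = []
    try:
        for rec in msg.get("Records", []):
            if not rec.get("eventName", "").startswith("ObjectCreated:"):
                continue
            bucket, key = rec["s3"]["bucket"]["name"], rec["s3"]["object"]["key"]
            raw = fetch(bucket, key, expected_owner(cfg, bucket))
            folder = key.split("/", 1)[0]  # one folder per log type
            for line in gzip.decompress(raw).decode().splitlines():  # compression: gzip, codec: ndjson
                if line.strip():
                    record = json.loads(line)
                    events.append((classify(folder, record), record))
    except (PermissionError, KeyError, ValueError, OSError):
        return ("retain" if cfg["on_error"] == "retain_messages" else "delete"), []
    return "delete", events


# --- constructed stand-in for S3 and for the SQS message bodies -----------------
def _gz(records):
    return gzip.compress("\n".join(json.dumps(r) for r in records).encode())


SAMPLE_OBJECTS = {  # (bucket, key) -> (owner account, gzip ndjson body); all constructed
    ("my-bucket", "dns/2024/feed.gz"): ("123456789012", _gz([{"dns_req": "example.com", "action": "Allowed"}])),
    ("my-bucket", "admin-audit/2024/feed.gz"): ("123456789012", _gz([
        {"action": "SIGN_IN", "user": "admin@example.com"},
        {"action": "UPDATE", "user": "admin@example.com"},
    ])),
    ("attacker-bucket", "dns/evil.gz"): ("999999999999", _gz([{"dns_req": "evil.example"}])),
}


def fake_fetch(bucket, key, owner):
    actual_owner, body = SAMPLE_OBJECTS[(bucket, key)]
    if owner is not None and owner != actual_owner:
        raise PermissionError("bucket owner mismatch")  # S3 answers 403 when ExpectedBucketOwner differs
    return body


def s3_event(bucket, key):
    return json.dumps({"Records": [{"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
                                     "s3": {"bucket": {"name": bucket}, "object": {"key": key}}}]})


if __name__ == "__main__":
    for bucket, key in SAMPLE_OBJECTS:
        action, events = process_message(s3_event(bucket, key), CONFIG, fake_fetch)
        print(f"{bucket}/{key}: {action}, classes={[c for c, _ in events]}")
```

Run it and the object in `attacker-bucket` is never read: its owner does not match `default_bucket_owner`, the fetch fails, and the message is retained (or deleted under `delete_messages`). Flip `disable_bucket_ownership_validation` to `True` and the same object is ingested as DNS Activity, which is the behaviour that setting trades away. The second admin-audit record (`UPDATE`) classifies to `None` because the page maps only SIGN_IN and SIGN_OUT to Authentication.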