Skyhigh with ZScaler


(Alex) #1

We are a ZScaler customer and are looking into adding CASB from Skyhigh. Would like to take a look at the integration document prior to reaching out to Skyhigh.
Could ZScaler provide any documentation?
Thanks,


(Nick Morgan) #2

Hi @avschch

Typical integration between Zscaler and a third party CASB, such as Skyhigh, will be done through the streaming of Zscaler Web Logs into the CASB event collector using NSS (Zscaler Nanolog Streaming Service).

NSS currently can run on VMware or AWS - you will need to be licensed to use NSS (check with your account team if unsure).

We don’t have a specific Skyhigh integration article as yet but we do provide a number of NSS articles here:
https://help.zscaler.com/zia/documentation-knowledgebase/analytics/nss/nss-configuration-guide

Once you have NSS installed you will need to configure the feed output to Skyhigh EC.
https://help.zscaler.com/zia/adding-nss-feeds-web-logs
https://help.zscaler.com/zia/nss-feed-output-format

Skyhigh has an adaptable parsing engine, which means there is flexibility in the log fields you include in your feed output format. However, as an example, you can use the following feed output format to include most relevant fields for Skyhigh to consume.

%02d{mth}/%02d{dd}/%d{yyyy}\t%02d{hh}:%02d{mm}:%02d{ss}\t%s{action}\t%s{host}\t%s{proto}\t%s{sip}\t%s{filetype}\t%s{urlcat}\t%s{cip}\t%s{login}\t%s{ologin}\t%s{dept}\t%s{bwthrottle}\t%s{location}\t%d{ctime}\t%d{reqdatasize}\t%s{reqmethod}\t%d{reqsize}\t%s{respcode}\t%d{respdatasize}\t%d{respsize}\t%d{totalsize}\t%s{ua}\t%s{url}

Skyhigh should be able to confirm the correct TCP port that the Skyhigh EC will be listening on to receive logs from Zscaler NSS.

Hope that helps
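
An added example, not part of the thread and not Zscaler or Skyhigh code: a receiver-side check that turns the feed output format quoted above into a parser and rejects lines that do not fit it, which is useful for validating the feed before pointing it at the collector. The sample line and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Feed output format quoted in the post above; "\t" stays as the literal two characters.
FEED_FORMAT = (r"%02d{mth}/%02d{dd}/%d{yyyy}\t%02d{hh}:%02d{mm}:%02d{ss}\t%s{action}\t%s{host}"
               r"\t%s{proto}\t%s{sip}\t%s{filetype}\t%s{urlcat}\t%s{cip}\t%s{login}\t%s{ologin}"
               r"\t%s{dept}\t%s{bwthrottle}\t%s{location}\t%d{ctime}\t%d{reqdatasize}"
               r"\t%s{reqmethod}\t%d{reqsize}\t%s{respcode}\t%d{respdatasize}\t%d{respsize}"
               r"\t%d{totalsize}\t%s{ua}\t%s{url}")
SPEC = re.compile(r"%\d*([ds])\{(\w+)\}")  # matches %d{name}, %02d{name}, %s{name}

def compile_feed_format(fmt):
    """Build a regex with one named group per %d{...} / %s{...} field."""
    parts, pos = [], 0
    for m in SPEC.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()].replace(r"\t", "\t")))
        kind, name = m.groups()
        parts.append(f"(?P<{name}>\\d+)" if kind == "d" else f"(?P<{name}>[^\\t]*)")
        pos = m.end()
    parts.append(re.escape(fmt[pos:].replace(r"\t", "\t")))
    return re.compile("".join(parts))

def parse_line(regex, line):
    """Return a dict of fields, or None if the line does not fit the format."""
    m = regex.fullmatch(line.rstrip("\r\n"))
    if m is None:
        return None  # wrong number of tab-separated fields, or text in a %d field
    rec = m.groupdict()
    try:
        keys = ("yyyy", "mth", "dd", "hh", "mm", "ss")
        rec["timestamp"] = datetime(*(int(rec[k]) for k in keys))
    except ValueError:
        return None  # digits present but not a real date/time
    return rec

REGEX = compile_feed_format(FEED_FORMAT)

# Constructed sample line (values invented for illustration, not real NSS output).
SAMPLE = "\t".join([
    "03/14/2024", "09:26:53", "Allowed", "www.example.com", "HTTPS", "93.184.216.34",
    "None", "Professional Services", "10.0.0.15", "user@example.com", "None",
    "Engineering", "NO", "HQ", "120", "512", "GET", "800", "200", "2048", "2300",
    "3100", "Mozilla/5.0", "www.example.com/index.html"])

if __name__ == "__main__":
    rec = parse_line(REGEX, SAMPLE)
    print(rec["timestamp"], rec["action"], rec["login"], rec["host"], rec["totalsize"])
```
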