Zscaler Expel Deployment Guide FINAL
DEPLOYMENT GUIDE
Contents
Terms and Acronyms
Acronym Definition
CA Central Authority (Zscaler)
CSV Comma-Separated Values
DLP Data Loss Prevention
DNS Domain Name System
DPD Dead Peer Detection (RFC 3706)
GRE Generic Routing Encapsulation (RFC2890)
ICMP Internet Control Message Protocol
IdP Identity Provider
IKE Internet Key Exchange (RFC2409)
IPS Intrusion Prevention System
IPSec Internet Protocol Security (RFC2411)
MFA Multi-Factor Authentication
MTTR Mean Time to Repair
NSS Nanolog Streaming Service
PFS Perfect Forward Secrecy
PSK Pre-Shared Key
SaaS Software as a Service
SIEM Security Information and Event Management
SSL Secure Sockets Layer (RFC6101)
TLS Transport Layer Security
VDI Virtual Desktop Infrastructure
XFF X-Forwarded-For (RFC7239)
ZPC Zscaler Posture Control (Zscaler)
ZDX Zscaler Digital Experience (Zscaler)
ZIA Zscaler Internet Access (Zscaler)
ZPA Zscaler Private Access (Zscaler)
Trademark Notice
© 2024 Zscaler, Inc. All rights reserved. Zscaler™ and other trademarks listed at zscaler.com/legal/trademarks are either (i)
registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other
countries. Any other trademarks are the properties of their respective owners.
Zscaler Overview
Zscaler (NASDAQ: ZS) enables the world’s leading organizations to securely transform their networks and applications for
a mobile and cloud-first world. Its flagship Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services create
fast, secure connections between users and applications, regardless of device, location, or network. Zscaler delivers its
services 100% in the cloud and offers the simplicity, enhanced security, and improved user experience that traditional
appliances or hybrid solutions can’t match. Used in more than 185 countries, Zscaler operates a massive, global cloud
security platform that protects thousands of enterprises and government agencies from cyberattacks and data loss. To
learn more, see Zscaler’s website or follow Zscaler on Twitter @zscaler.
Expel Overview
Expel is the leading managed detection and response (MDR) provider trusted by some of the world’s most recognizable
brands to expel their adversaries, minimize risk, and build security resilience. Expel’s 24/7/365 coverage spans the widest
breadth of attack surfaces, including cloud, with 100% transparency. Expel combines world-class security practitioners
and our AI-driven platform, Expel Workbench, to ingest billions of events monthly and still achieve a 23-minute critical
alert MTTR. Expel augments existing programs to help customers maximize their security investments and focus on
building trust—with their customers, partners, and employees. To learn more, refer to Expel’s website.
Audience
This guide is for network administrators, endpoint and IT administrators, and security analysts responsible for deploying,
monitoring, and managing enterprise security systems. For additional product and company resources, see:
• Zscaler Resources
• Expel Resources
• Appendix A: Requesting Zscaler Support
Software Versions
This document was authored using the latest version of Zscaler software.
Note: If you are using this guide to implement a solution at a government agency, some of the content might be
different for your deployment. Efforts are made throughout the guide to note where government agencies might
need different parameters or input. If you have questions, contact your Zscaler Account team.
ZIA Overview
ZIA is a secure internet and web gateway delivered as a service from the cloud. Think of ZIA as a secure internet
on-ramp—just make Zscaler your next hop to the internet via one of the following methods:
• Setting up a tunnel (GRE or IPSec) to the closest Zscaler data center (for offices).
• Forwarding traffic via our lightweight Zscaler Client Connector or PAC file (for mobile employees).
No matter where users connect—a coffee shop in Milan, a hotel in Hong Kong, or a VDI instance in South Korea—they get
identical protection. ZIA sits between your users and the internet and inspects every transaction inline across multiple
security techniques (even within SSL).
You get full protection from web and internet threats. The Zscaler cloud platform supports Cloud Firewall, IPS,
Sandboxing, DLP, and Isolation, allowing you to start with the services you need now and activate others as your needs
grow.
Zscaler Resources
The following table contains links to Zscaler resources based on general topic areas.
Name Definition
ZIA Help Portal Help articles for ZIA.
Zscaler Tools Troubleshooting, security and analytics, and browser extensions that help
Zscaler determine your security needs.
Zscaler Training and Certification Training designed to help you maximize Zscaler products.
Submit a Zscaler Support Ticket Zscaler Support portal for submitting requests and issues.
The following table contains links to Zscaler resources for government agencies.
Name Definition
ZIA Help Portal Help articles for ZIA.
Zscaler Tools Troubleshooting, security and analytics, and browser extensions that help
Zscaler determine your security needs.
Zscaler Training and Certification Training designed to help you maximize Zscaler products.
Submit a Zscaler Support Ticket Zscaler Support portal for submitting requests and issues.
Expel Resources
The following table contains links to Expel support resources.
Name Definition
Expel Help Portal Help articles and documentation on Expel integrations.
Microsoft Sentinel Setup for Workbench Microsoft Sentinel Expel setup guide.
Splunk Setup for Workbench Splunk Expel setup guide.
Introduction
You must configure Zscaler to send logs via the Nanolog Streaming Service (NSS) or Cloud NSS to an Expel-approved
SIEM such as Splunk, Microsoft Sentinel, or Sumo Logic. Expel reads these logs from the connected SIEM. The following is
a setup for the syslog-based NSS.
Deploy your collector on the same subnet as the NSS VM: the NSS VM sends its syslog feed to the collector in cleartext,
so that traffic should not cross an untrusted network segment.
Cloud NSS is an optional service managed by Zscaler that sends logs over HTTPS. With Cloud NSS, there is no need to
deploy a VM.
Prerequisites
Before starting this procedure, you need:
• A SIEM that Expel supports for this integration, which includes any one of the following:
• Microsoft Sentinel
• Splunk
• Sumo Logic
• The Nanolog Streaming Service (government agencies, see Nanolog Streaming Service) from Zscaler to forward
data to your SIEM.
3. (Optional) You can add an additional feed, EXPEL_INVESTIGATE, to forward all web log data to your SIEM. SOC
analysts use this information to understand, scope, and answer security questions about threat behavior:
how it got there, what it is, and what must be done to remediate.
a. Feed Output Type: QRadar SIEM LEEF
b. Web Log Filters: None
c. Feed Output Format (one line; NSS writes a real tab wherever the format says \t):
= %s{mon} %02d{dd}%02d{hh}:%02d{mm}:%02d{ss} zscaler-EXPEL_INVESTIGATE:LEEF:1.0|Zscaler|NSS|4.1|fqdn=%s{host}\turl=%s{url}\tmethod=%s{reqmethod}\tuser_agent=%s{ua}\turlclass=%s{urlclass}\tcategory=%s{urlcat}\treferrer=%s{referer}\tresponse=%s{respcode}\tprotocol=%s{proto}\tduration_ms=%d{ctime}\tsrc=%s{cip}\tdst=%s{sip}\tbytes_rx=%d{respsize}\tbytes_tx=%d{reqsize}\tappclass=%s{appclass}\tappname=%s{appname}\tflow_id=%d{recordid}\torganization=%s{dept}\tusername=%s{login}\tvendor_version=%s{productversion}\tname=%s{reason}\talert_at=%s{time}%s{tz}\talertaction=%s{action}\tfile_hash=%s{bamd5}\tmime_type=%s{filetype}\tfilename=%s(unknown)\tscore=%d{riskscore}\trealm=%s{location}\tnsssvcip=%s{nsssvcip}\tthreatname=%s{threatname}\tmalwarecategory=%s{malwarecat}\tmalwareclass=%s{malwareclass}\t\n
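The records that this feed format produces are one LEEF header followed by tab-separated key=value attributes. The following is an added example, not part of the Zscaler or Expel guide, showing how an analyst might parse such records and pull out the transactions Zscaler blocked, per user. The two sample records are constructed (hostnames, users, IP addresses, hash and threat name are placeholders, not captured from a tenant), and the function names parse_leef_line, parse_feed and blocked_by_user are this example's own. The parser splits the header on the first four pipes only and each attribute on its first "=", so URLs that contain "|" or a query string survive intact.

```python
"""Added example: parse NSS web-log records emitted by the EXPEL_INVESTIGATE
LEEF feed format and report blocked transactions per user.

Record shape:  "<syslog timestamp> zscaler-EXPEL_INVESTIGATE:LEEF:1.0|Zscaler|NSS|4.1|"
followed by tab-separated key=value attributes (the feed format writes \t; NSS
emits real tab characters, which is what "\t" produces in the literals below).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Constructed sample records (assumption: not captured from a real tenant;
# hosts, users, IPs, hash and threat name are placeholders).
SAMPLE_LINES: List[str] = [
    "Mar 04 09:12:01 zscaler-EXPEL_INVESTIGATE:LEEF:1.0|Zscaler|NSS|4.1|"
    "fqdn=www.example.com\turl=www.example.com/index.html\tmethod=GET"
    "\tuser_agent=Mozilla/5.0\turlclass=Business Use\tcategory=Corporate Marketing"
    "\treferrer=None\tresponse=200\tprotocol=HTTPS\tduration_ms=120"
    "\tsrc=10.1.2.3\tdst=93.184.216.34\tbytes_rx=5120\tbytes_tx=640"
    "\tappclass=General Browsing\tappname=General Browsing\tflow_id=1001"
    "\torganization=Finance\tusername=alice@example.com\tvendor_version=6.2"
    "\tname=Allowed\talert_at=2024-03-04 09:12:01UTC\talertaction=Allowed"
    "\tfile_hash=None\tmime_type=text/html\tfilename=index.html\tscore=0"
    "\trealm=HQ\tnsssvcip=10.1.0.10\tthreatname=None\tmalwarecategory=None"
    "\tmalwareclass=None\t\n",
    "Mar 04 09:13:45 zscaler-EXPEL_INVESTIGATE:LEEF:1.0|Zscaler|NSS|4.1|"
    "fqdn=download.example.net\turl=download.example.net/payload.exe?id=7&ref=mail"
    "\tmethod=GET\tuser_agent=Mozilla/5.0\turlclass=Advanced Security Risk"
    "\tcategory=Malicious Content\treferrer=None\tresponse=200\tprotocol=HTTPS"
    "\tduration_ms=310\tsrc=10.1.2.4\tdst=198.51.100.7\tbytes_rx=204800\tbytes_tx=512"
    "\tappclass=General Browsing\tappname=General Browsing\tflow_id=1002"
    "\torganization=Finance\tusername=bob@example.com\tvendor_version=6.2"
    "\tname=Malware blocked\talert_at=2024-03-04 09:13:45UTC\talertaction=Blocked"
    "\tfile_hash=44d88612fea8a8f36de82e1278abb02f\tmime_type=application/x-dosexec"
    "\tfilename=payload.exe\tscore=90\trealm=HQ\tnsssvcip=10.1.0.10"
    "\tthreatname=EICAR-Test-File\tmalwarecategory=Virus\tmalwareclass=Virus\t\n",
]


@dataclass
class LeefEvent:
    syslog_prefix: str          # e.g. "Mar 04 09:12:01 zscaler-EXPEL_INVESTIGATE:"
    leef_version: str           # "1.0"
    vendor: str                 # "Zscaler"
    product: str                # "NSS"
    product_version: str        # "4.1"
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_leef_line(line: str) -> LeefEvent:
    """Split one record into its LEEF header fields and key=value attributes."""
    idx = line.find("LEEF:")
    if idx < 0:
        raise ValueError("not a LEEF record")
    # Only the first four pipes delimit the header; a "|" inside a URL stays in the body.
    parts = line[idx + len("LEEF:"):].rstrip("\r\n").split("|", 4)
    if len(parts) != 5:
        raise ValueError("LEEF header needs version|vendor|product|product_version|attrs")
    version, vendor, product, product_version, body = parts
    attrs: Dict[str, str] = {}
    for token in body.split("\t"):
        if not token:                          # the format ends with "\t\n", leaving an empty token
            continue
        key, sep, value = token.partition("=")  # split on the first "=" only: query strings survive
        if not sep:
            raise ValueError(f"attribute without '=': {token!r}")
        attrs[key] = value
    return LeefEvent(line[:idx], version, vendor, product, product_version, attrs)


def parse_feed(lines: Iterable[str]) -> List[LeefEvent]:
    """Parse every non-blank record in a feed."""
    return [parse_leef_line(ln) for ln in lines if ln.strip()]


def blocked_by_user(events: Iterable[LeefEvent]) -> Dict[str, List[str]]:
    """Map each user to the threat names of the transactions Zscaler blocked."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        if ev.attrs.get("alertaction") != "Blocked":
            continue
        user = ev.attrs.get("username", "?")
        out.setdefault(user, []).append(ev.attrs.get("threatname", "None"))
    return out


if __name__ == "__main__":
    events = parse_feed(SAMPLE_LINES)
    for ev in events:
        a = ev.attrs
        print(f"{a['alert_at']} {a['username']:<18} {a['alertaction']:<8} {a['fqdn']} {a['threatname']}")
    print(blocked_by_user(events))
```

Run it as a script to print one line per transaction and the blocked-by-user summary; feed real NSS output to parse_feed once the feed is live. If the NSS feed is configured with URL obfuscation or field escaping, extend the attribute loop accordingly before relying on the url value.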
Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations.
Expel's device health team also uses this access to investigate potential health issues with your tech.
Note: Expel stores all login information that Expel's SOC analysts need for your devices in an MFA-protected password
product. Access to this login information is protected using internal MFA processes. To learn more about Expel IP
addresses, refer to the Expel documentation.
Figure 3. Workbench
3. Click Save.
4. Set up console access now or use the following instructions to set it up later.
1. Open Workbench. Go to Organization Settings > Security Devices. Next to the device you just connected, click the
Down arrow and click Edit.
2. In Console Login, enter the following details:
a. Console URL: Enter the console URL from the Server address in Connection Settings, and append /login to the end
of the URL.
b. Username: Enter the username you created.
c. Password: Enter the password you created.
d. Two-factor secret key (32-character code): Depending on how your organization enforces logins, this field
might not apply; in that case, leave it blank. This field is optional. If you have questions or concerns, reach
out to your engagement manager or to Support.
3. Click Save.
Figure 5. Company ID
3. With your company ID information, you can open a support ticket. Go to Dashboard > Support > Submit a Ticket.