
ZSCALER AND EXPEL

DEPLOYMENT GUIDE

JUNE 2024, VERSION 1.0 BUSINESS DEVELOPMENT GUIDE


Zscaler and Expel Deployment Guide

Contents
Terms and Acronyms 3

About This Document 5


Zscaler Overview 5
Expel Overview 5
Audience 5
Software Versions 5
Request for Comments 5
Zscaler and Expel Introduction 6
ZIA Overview 6
Expel Managed Detection and Response Overview 7
Expel Resources 7
Introduction 8
Prerequisites 8
Send ZIA Events to a SIEM 9

Configure the Technology in Workbench 11

Edit the Device to Add Console Access 12

Appendix A: Requesting Zscaler Support 13

©2024 Zscaler, Inc. All rights reserved. 2

Terms and Acronyms


The following table defines acronyms used in this deployment guide. When applicable, a Request for Change (RFC) is
included in the Definition column for your reference.

Acronym Definition
CA Central Authority (Zscaler)
CSV Comma-Separated Values
DLP Data Loss Prevention
DNS Domain Name Service
DPD Dead Peer Detection (RFC 3706)
GRE Generic Routing Encapsulation (RFC2890)
ICMP Internet Control Message Protocol
IdP Identity Provider
IKE Internet Key Exchange (RFC2409)
IPS Intrusion Prevention System
IPSec Internet Protocol Security (RFC2411)
MFA Multi-Factor Authentication
MTTR Mean Time to Repair
NSS Nanolog Streaming Service
PFS Perfect Forward Secrecy
PSK Pre-Shared Key
SaaS Software as a Service
SIEM Security Information and Event Management
SSL Secure Socket Layer (RFC6101)
TLS Transport Layer Security
VDI Virtual Desktop Infrastructure
XFF X-Forwarded-For (RFC7239)
ZPC Zscaler Posture Control (Zscaler)
ZDX Zscaler Digital Experience (Zscaler)
ZIA Zscaler Internet Access (Zscaler)
ZPA Zscaler Private Access (Zscaler)


Trademark Notice
© 2024 Zscaler, Inc. All rights reserved. Zscaler™ and other trademarks listed at zscaler.com/legal/trademarks are either (i)
registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other
countries. Any other trademarks are the properties of their respective owners.


About This Document


The following sections describe the organizations and requirements of this deployment guide.

Zscaler Overview
Zscaler (NASDAQ: ZS) enables the world’s leading organizations to securely transform their networks and applications for
a mobile and cloud-first world. Its flagship Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services create
fast, secure connections between users and applications, regardless of device, location, or network. Zscaler delivers its
services 100% in the cloud and offers the simplicity, enhanced security, and improved user experience that traditional
appliances or hybrid solutions can’t match. Used in more than 185 countries, Zscaler operates a massive, global cloud
security platform that protects thousands of enterprises and government agencies from cyberattacks and data loss. To
learn more, see Zscaler’s website or follow Zscaler on Twitter @zscaler.

Expel Overview
Expel is the leading managed detection and response (MDR) provider trusted by some of the world’s most recognizable
brands to expel their adversaries, minimize risk, and build security resilience. Expel’s 24/7/365 coverage spans the widest
breadth of attack surfaces, including cloud, with 100% transparency. Expel combines world-class security practitioners
and our AI-driven platform, Expel Workbench, to ingest billions of events monthly and still achieve a 23-minute critical
alert MTTR. Expel augments existing programs to help customers maximize their security investments and focus on
building trust—with their customers, partners, and employees. To learn more, refer to Expel’s website.

Audience
This guide is for network administrators, endpoint and IT administrators, and security analysts responsible for deploying,
monitoring, and managing enterprise security systems. For additional product and company resources, see:

• Zscaler Resources
• Expel Resources
• Appendix A: Requesting Zscaler Support

Software Versions
This document was authored using the latest version of Zscaler software.

Request for Comments


• For prospects and customers: Zscaler values reader opinions and experiences. Contact partner-doc-support@zscaler.com to offer feedback or corrections for this guide.
• For Zscaler employees: Contact z-bd-sa@zscaler.com to reach the team that validated and authored the
integrations in this document.


Zscaler and Expel Introduction


Overviews of the Zscaler and Expel applications are described in this section.

If you are using this guide to implement a solution at a government agency, some of the content might be different
for your deployment. Efforts are made throughout the guide to note where government agencies might need different
parameters or input. If you have questions, contact your Zscaler Account team.

ZIA Overview
ZIA is a secure internet and web gateway delivered as a service from the cloud. Think of ZIA as a secure internet on-ramp—just
make Zscaler your next hop to the internet via one of the following methods:

• Setting up a tunnel (GRE or IPSec) to the closest Zscaler data center (for offices).
• Forwarding traffic via our lightweight Zscaler Client Connector or PAC file (for mobile employees).

No matter where users connect—a coffee shop in Milan, a hotel in Hong Kong, or a VDI instance in South Korea—they get
identical protection. ZIA sits between your users and the internet and inspects every transaction inline across multiple
security techniques (even within SSL).

You get full protection from web and internet threats. The Zscaler cloud platform supports Cloud Firewall, IPS,
Sandboxing, DLP, and Isolation, allowing you to start with the services you need now and activate others as your needs
grow.

Zscaler Resources
The following table contains links to Zscaler resources based on general topic areas.

Name Definition
ZIA Help Portal Help articles for ZIA.
Zscaler Tools Troubleshooting, security and analytics, and browser extensions that help
Zscaler determine your security needs.
Zscaler Training and Certification Training designed to help you maximize Zscaler products.
Submit a Zscaler Support Ticket Zscaler Support portal for submitting requests and issues.

The following table contains links to Zscaler resources for government agencies.

Name Definition
ZIA Help Portal Help articles for ZIA.
Zscaler Tools Troubleshooting, security and analytics, and browser extensions that help
Zscaler determine your security needs.
Zscaler Training and Certification Training designed to help you maximize Zscaler products.
Submit a Zscaler Support Ticket Zscaler Support portal for submitting requests and issues.


Expel Managed Detection and Response Overview


Expel Managed Detection and Response (Expel MDR) is an MDR provider that delivers rapid detection and response, and
helps you build cyber resilience. Expel MDR quickly detects risks across your tech (endpoint, cloud, Kubernetes, SaaS,
network, SIEM, email, identity, and more) and collaborates with your team to verify the threat, take critical remediation
actions, and provide a detailed report of what happened, where, when, and why in real time.

Expel Resources
The following table contains links to Expel support resources.

Name Definition
Expel Help Portal Help articles and documentation on Expel integrations.
Microsoft Sentinel Setup for Workbench Microsoft Sentinel Expel setup guide.
Splunk Setup for Workbench Splunk Expel setup guide.


Introduction
You must configure Zscaler to send logs via the Nanolog Streaming Service (NSS) and Cloud NSS to an Expel-approved
SIEM such as Splunk, Microsoft Sentinel, or Sumo Logic. Expel reads these logs from the connected SIEM. The following is
a setup for the syslog NSS.

Figure 1. Zscaler and Expel architecture

Deploy your collector on the same subnet as the NSS VM, because the NSS VM does not encrypt the data it sends to the
collector.

Cloud NSS is an optional service managed by Zscaler and uses HTTP/S to send logs. With Cloud NSS, there is no need to
deploy a VM.

Figure 2. Cloud NSS architecture

Prerequisites
Before starting this procedure, you need:

• A SIEM that Expel supports for this integration, which is any one of the following:
  • Microsoft Sentinel
  • Splunk
  • Sumo Logic
• The Nanolog Streaming Service (government agencies, see Nanolog Streaming Service) from Zscaler to forward
data to your SIEM.


Send ZIA Events to a SIEM


The NSS feed specifies the data from the logs that the NSS sends to the SIEM. Expel uses three NSS feeds to forward data
to a SIEM.

1. The EXPEL_MALWARE feed captures any malware class events.

a. Feed Output Type: QRadar SIEM LEEF
b. Web Log Filters: Security > Malware Classes : Sandbox, Spyware, Virus
c. Feed Output Format (one line; the \t tokens are expanded to tabs by NSS):
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-EXPEL_MALWARE:LEEF:1.0|Zscaler|NSS|4.1|fqdn=%s{host}\turl=%s{url}\tmethod=%s{reqmethod}\tuser_agent=%s{ua}\turlclass=%s{urlclass}\tcategory=%s{urlcat}\treferrer=%s{referer}\tresponse=%s{respcode}\tprotocol=%s{proto}\tduration_ms=%d{ctime}\tsrc=%s{cip}\tdst=%s{sip}\tbytes_rx=%d{respsize}\tbytes_tx=%d{reqsize}\tappclass=%s{appclass}\tappname=%s{appname}\tflow_id=%d{recordid}\torganization=%s{dept}\tusername=%s{login}\tvendor_version=%s{productversion}\tname=%s{reason}\talert_at=%s{time}%s{tz}\talertaction=%s{action}\tfile_hash=%s{bamd5}\tmime_type=%s{filetype}\tfilename=%s{filename}\tscore=%d{riskscore}\trealm=%s{location}\tnsssvcip=%s{nsssvcip}\tthreatname=%s{threatname}\tmalwarecategory=%s{malwarecat}\tmalwareclass=%s{malwareclass}\t\n

2. The EXPEL_THREAT feed surfaces any Advanced Threat events.

a. Feed Output Type: QRadar SIEM LEEF
b. Web Log Filters: Security > Advanced Threats : Adware/Spyware Sites, Botnet Callback, Browser Exploit,
Cross-site Scripting, Cryptomining, Malicious Content, Other Threat, Peer-to-Peer, Phishing, Spyware Callback,
Suspicious Content, Suspicious Destination, Unauthorized Communication, Web Spam
c. Feed Output Format (one line; the \t tokens are expanded to tabs by NSS):
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-EXPEL_THREAT:LEEF:1.0|Zscaler|NSS|4.1|fqdn=%s{host}\turl=%s{url}\tmethod=%s{reqmethod}\tuser_agent=%s{ua}\turlclass=%s{urlclass}\tcategory=%s{urlcat}\treferrer=%s{referer}\tresponse=%s{respcode}\tprotocol=%s{proto}\tduration_ms=%d{ctime}\tsrc=%s{cip}\tdst=%s{sip}\tbytes_rx=%d{respsize}\tbytes_tx=%d{reqsize}\tappclass=%s{appclass}\tappname=%s{appname}\tflow_id=%d{recordid}\torganization=%s{dept}\tusername=%s{login}\tvendor_version=%s{productversion}\tname=%s{reason}\talert_at=%s{time}%s{tz}\talertaction=%s{action}\tfile_hash=%s{bamd5}\tmime_type=%s{filetype}\tfilename=%s{filename}\tscore=%d{riskscore}\trealm=%s{location}\tnsssvcip=%s{nsssvcip}\tthreatname=%s{threatname}\tmalwarecategory=%s{malwarecat}\tmalwareclass=%s{malwareclass}\t\n


3. (Optional) You can add an additional feed, EXPEL_INVESTIGATE, to forward all web log data to your SIEM. SOC
analysts use this information to understand, scope, and answer security questions related to threat behavior:
specifically, how it got there, what it is, and what must be done to remediate.
a. Feed Output Type: QRadar SIEM LEEF
b. Web Log Filters: None
c. Feed Output Format (one line; the \t tokens are expanded to tabs by NSS):
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-EXPEL_INVESTIGATE:LEEF:1.0|Zscaler|NSS|4.1|fqdn=%s{host}\turl=%s{url}\tmethod=%s{reqmethod}\tuser_agent=%s{ua}\turlclass=%s{urlclass}\tcategory=%s{urlcat}\treferrer=%s{referer}\tresponse=%s{respcode}\tprotocol=%s{proto}\tduration_ms=%d{ctime}\tsrc=%s{cip}\tdst=%s{sip}\tbytes_rx=%d{respsize}\tbytes_tx=%d{reqsize}\tappclass=%s{appclass}\tappname=%s{appname}\tflow_id=%d{recordid}\torganization=%s{dept}\tusername=%s{login}\tvendor_version=%s{productversion}\tname=%s{reason}\talert_at=%s{time}%s{tz}\talertaction=%s{action}\tfile_hash=%s{bamd5}\tmime_type=%s{filetype}\tfilename=%s{filename}\tscore=%d{riskscore}\trealm=%s{location}\tnsssvcip=%s{nsssvcip}\tthreatname=%s{threatname}\tmalwarecategory=%s{malwarecat}\tmalwareclass=%s{malwareclass}\t\n
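Before handing the SIEM index over to Expel, it is worth confirming that what the NSS actually emits carries every key the three feed formats promise. The following Python script is an added example, not part of this guide or of Zscaler's or Expel's own tooling: it extracts the key names from the EXPEL_MALWARE format string above, parses one constructed LEEF line the way a SIEM-side check would (all host names, addresses, the user, the hash, which is the MD5 of an empty file, and the EICAR threat name are placeholder values), reports any keys missing from the event, and checks that the malware class matches the filter configured for that feed.

```python
import re

# The EXPEL_MALWARE feed output format from the guide, kept as the literal
# configuration string. The \t tokens are what NSS expands into real tabs.
EXPEL_MALWARE_FORMAT = (
    r"%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-EXPEL_MALWARE:LEEF:1.0|Zscaler|NSS|4.1|"
    r"fqdn=%s{host}\turl=%s{url}\tmethod=%s{reqmethod}\tuser_agent=%s{ua}\turlclass=%s{urlclass}\t"
    r"category=%s{urlcat}\treferrer=%s{referer}\tresponse=%s{respcode}\tprotocol=%s{proto}\t"
    r"duration_ms=%d{ctime}\tsrc=%s{cip}\tdst=%s{sip}\tbytes_rx=%d{respsize}\tbytes_tx=%d{reqsize}\t"
    r"appclass=%s{appclass}\tappname=%s{appname}\tflow_id=%d{recordid}\torganization=%s{dept}\t"
    r"username=%s{login}\tvendor_version=%s{productversion}\tname=%s{reason}\talert_at=%s{time}%s{tz}\t"
    r"alertaction=%s{action}\tfile_hash=%s{bamd5}\tmime_type=%s{filetype}\tfilename=%s{filename}\t"
    r"score=%d{riskscore}\trealm=%s{location}\tnsssvcip=%s{nsssvcip}\tthreatname=%s{threatname}\t"
    r"malwarecategory=%s{malwarecat}\tmalwareclass=%s{malwareclass}\t\n"
)

# Constructed sample event, shaped as the feed above would emit it for one blocked
# download. Hosts, IPs, user and organisation are placeholders; the hash is the MD5
# of an empty file and the threat name is the EICAR test signature.
SAMPLE_MALWARE_EVENT = (
    "Jun 12 14:03:27 zscaler-EXPEL_MALWARE:LEEF:1.0|Zscaler|NSS|4.1|"
    "fqdn=files.example.test\turl=files.example.test/downloads/setup.exe?id=42\tmethod=GET\t"
    "user_agent=Mozilla/5.0\turlclass=Business Use\tcategory=File Host\treferrer=None\t"
    "response=200\tprotocol=HTTPS\tduration_ms=812\tsrc=10.20.30.40\tdst=203.0.113.10\t"
    "bytes_rx=482304\tbytes_tx=1120\tappclass=General Browsing\tappname=General Browsing\t"
    "flow_id=1234567\torganization=Finance\tusername=jdoe@example.test\tvendor_version=6.1\t"
    "name=Malicious file blocked\talert_at=2024-06-12 14:03:27GMT\talertaction=Blocked\t"
    "file_hash=d41d8cd98f00b204e9800998ecf8427e\tmime_type=application/x-msdownload\t"
    "filename=setup.exe\tscore=90\trealm=HQ\tnsssvcip=10.0.0.5\tthreatname=EICAR-Test-File\t"
    "malwarecategory=Malware\tmalwareclass=Virus\t\n"
)

# Syslog-style timestamp prefix followed by the feed name and LEEF version, as
# produced by the first part of every EXPEL_* format string.
HEADER_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<dd>\d{2}) (?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) "
    r"zscaler-(?P<feed>EXPEL_[A-Z]+):LEEF:(?P<leef>\d+\.\d+)$"
)

# Malware classes selected by the EXPEL_MALWARE Web Log Filter in the guide.
MALWARE_CLASSES = {"Sandbox", "Spyware", "Virus"}


def parse_leef_event(line: str) -> dict:
    """Split one emitted line into header metadata and a key/value field dict.

    Raises ValueError when the line does not carry the EXPEL_* LEEF header or an
    attribute lacks the key=value shape.
    """
    # Only the first four pipes are structural; a URL value may itself contain '|'.
    header, vendor, product, version, attrs = line.rstrip("\n").split("|", 4)
    match = HEADER_RE.match(header)
    if match is None:
        raise ValueError(f"unexpected LEEF header: {header!r}")
    fields = {}
    for pair in attrs.split("\t"):
        if not pair:
            continue  # the trailing \t before the newline yields an empty token
        key, sep, value = pair.partition("=")  # split once: URLs can contain '='
        if not sep:
            raise ValueError(f"malformed attribute: {pair!r}")
        fields[key] = value
    return {
        "feed": match["feed"],
        "leef_version": match["leef"],
        "timestamp": f"{match['mon']} {match['dd']} {match['hh']}:{match['mm']}:{match['ss']}",
        "vendor": vendor,
        "product": product,
        "product_version": version,
        "fields": fields,
    }


def feed_field_names(fmt: str) -> list:
    """Return, in order, the key names a feed output format string emits."""
    body = fmt.split("|", 4)[4]
    return [tok.split("=", 1)[0] for tok in body.split(r"\t") if "=" in tok]


def missing_fields(event: dict, fmt: str) -> list:
    """Keys the format promises that are absent from a parsed event."""
    return [key for key in feed_field_names(fmt) if key not in event["fields"]]


def is_expected_malware_event(event: dict) -> bool:
    """True when the event came from EXPEL_MALWARE with one of its filtered classes."""
    return (event["feed"] == "EXPEL_MALWARE"
            and event["fields"].get("malwareclass") in MALWARE_CLASSES)


if __name__ == "__main__":
    ev = parse_leef_event(SAMPLE_MALWARE_EVENT)
    print(ev["feed"], ev["timestamp"], ev["fields"]["threatname"])
    print("missing:", missing_fields(ev, EXPEL_MALWARE_FORMAT) or "none")
    print("matches EXPEL_MALWARE filter:", is_expected_malware_event(ev))
```

Run it against lines pulled from the SIEM index you named in Workbench; a non-empty missing list usually means the Feed Output Format was pasted with a line break or a dropped field, and a header mismatch means the feed name prefix or timestamp pattern differs from the one above.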


Configure the Technology in Workbench


Now that you have the correct access configured and you have noted the credentials, you can integrate your tech with
Workbench.

Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations.
Zscaler’s device health team uses this access to investigate potential health issues with your tech.

Expel secures all login information that Zscaler’s SOC analysts need about your devices in an MFA password
product. Access to this login information is protected using internal MFA processes. To learn more about Expel IP
addresses, refer to the Expel documentation.

1. In a new browser tab, log into https://workbench.expel.io/settings/security-devices?setupIntegration=Zscaler.


2. Complete the following fields in Workbench:
a. Select the SIEM. This device should already be onboarded in Workbench.
b. Enter the Name and Location of the device.
c. For SIEM index, enter the name of the SIEM index to which Zscaler events are indexed.

Figure 3. Workbench

3. Click Save.
4. Set up console access now or use the following instructions to set it up later.


Edit the Device to Add Console Access


Expel requires console access to your device to allow their SOC analysts to dig deeper during incident investigations.
Additionally, their engineering teams use this access to investigate potential health issues, including proper alert ingestion.

1. Open Workbench. Go to Organization Settings > Security Devices. Next to the device you just connected, click the
Down arrow and click Edit.
2. In Console Login, enter the following details:
a. Console URL: Enter the console URL from the Server address in Connection Settings, and append /login to the
end of the URL.
b. Username: Enter the username you created.
c. Password: Enter the password you created.
d. Two-factor secret key (32-character code): Depending on how your organization enforces logins, this field
might not apply; in that case, leave it blank. This field is optional. If you have questions or concerns, reach
out to your engagement manager or to Support.
3. Click Save.


Appendix A: Requesting Zscaler Support


If you need Zscaler Support to provision certain services or to help troubleshoot configuration and service issues, it is
available 24/7/365.

To contact Zscaler Support:

1. Go to Administration > Settings > Company Profile.

Figure 4. Collecting details to open support case with Zscaler TAC

2. Copy your Company ID.

Figure 5. Company ID


3. With your company ID information, you can open a support ticket. Go to Dashboard > Support > Submit a Ticket.

Figure 6. Submit a ticket
