Zscaler Internet Access

Cortex XDR 5.x Documentation

Product: Cortex XDR
License: XDR + Cloud
Creation date: 2025-07-13
Last date published: 2026-06-04
Category: Administrator Guide

Abstract

Learn more about collecting Zscaler Internet Access logs using a Syslog Collector applet and content pack integrations in Cortex XDR.

You can collect Zscaler Internet Access logs using either a Broker VM Syslog Collector applet or a content pack integration:

| Zscaler Internet Access vendor | Description |
| --- | --- |
| Syslog Collector applet overview | Forward firewall and network logs from Zscaler Internet Access to Cortex XDR in CEF format using the Broker VM Syslog Collector applet. |
| Link to Syslog Collector applet instructions | Ingest logs from Zscaler Internet Access |
| Links to content pack/integration details | The Zscaler Internet Access content pack provides cloud security features, including managing URL and IP address policies, managing categories, sandbox reporting, and ingestion and normalization of Zscaler Internet Access (ZIA) logs into Cortex XDR via both the VM-based NSS Feed and Cloud NSS Feed methods. It contains the Zscaler Internet Access Modeling Rule, the Zscaler ZIA Parsing Rule, and the Block Domain - Zscaler playbook. It also includes the following integration. Zscaler Internet Access: Use this integration to manage URL and IP address allow lists and block lists, manage and update categories, retrieve Sandbox reports, and manage IP destination groups within a Zscaler session. It includes commands for blacklisting and unblacklisting URLs and IPs, managing categories (adding/removing URLs and IPs), retrieving categories, listing, creating, editing, and deleting IP destination groups, manually logging in and logging out, and activating configuration changes in Zscaler. |