Published on Mar 12, 2025 in Blog

Centralize and Correlate Critical Security Data with Panther and Zscaler

Remy Kullberg


Panther’s integration with Zscaler helps security teams centralize and correlate their network and application traffic data to detect threats in real time with fewer false positives.

As the security monitoring platform for the cloud, Panther doesn’t restrict ingestion with costly infrastructure, operational overhead, or engineering hours spent troubleshooting integrations. This enables security teams to achieve complete visibility to safeguard their critical infrastructure.

Combining Zscaler’s Zero Trust Exchange with Panther's streaming analysis, programmable detections, and seamless cloud integrations empowers security teams to rapidly adapt to emerging threats while protecting users, devices, and applications.

How Panther and Zscaler Work Together

Zscaler enables organizations to securely transform their networks and applications for a mobile and cloud-first world. Its Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services create fast, secure connections between users and applications, regardless of device, location, or network—essential for modern enterprises securing a distributed workforce.

Panther's integration with Zscaler's Zero Trust Exchange—which brokers over 500 billion transactions daily—enables security teams to centralize and correlate critical security data, providing deeper insights into user and device activity while enhancing detection of malicious behavior.

For example, Panther's streaming analytics can expose DNS tunneling, insider threats, and compromised applications in real time, reducing mean time to detection and response.

You can also use the integration to investigate critical Zscaler admin actions that could indicate compromise or misuse—such as unexpected logins, privilege escalations, or mass deletions. 

Panther’s intuitive investigation workflows help you pinpoint root causes quickly with the help of multiple search methods, fast querying, AI-powered response, data visualizations, and a UI designed for pivoting and drilling into data.

Benefits of Panther’s Zscaler Integration

Panther’s integration with Zscaler delivers value across your entire security program. By eliminating costly ingestion constraints that force security teams to sacrifice visibility, Panther enables comprehensive detection that prevents threats from slipping through visibility gaps. 

Security teams benefit from:

  • Cross-system visibility. Correlate Zscaler ZIA and ZPA logs with your cloud, SaaS, and IDP data for smarter alerts with fewer false positives 

  • Real-time threat detection. Detect data exfiltration, unauthorized access, and compromised apps with Panther’s streaming analysis

  • Faster time to value. Onboard Zscaler logs in minutes using a webhook or an S3 bucket and increase security coverage for your internet and application traffic with our out-of-the-box detections 

  • Rapid iteration. Tailor detections with Python and deploy them like software to continuously improve your security posture

Use Case #1: Identifying Defense Evasion

Consider this scenario: an attacker assumes an administrator role and begins to disable ZIA log streaming to your security monitoring platform to hide their actions and impair your defenses. 

Panther's integration with Zscaler lets you monitor administrator actions like these. Here’s how you would write a Python detection for this use case—in fact, this is one of Panther’s many out-of-the-box detections for ZIA logs available for our customers:

from panther_zscaler_helpers import zia_alert_context, zia_success


def rule(event):
    # Skip records the helper does not classify as a successful admin action.
    if not zia_success(event):
        return False
    # deep_get walks the nested JSON; the defaults keep the rule quiet when a field is absent.
    action = event.deep_get("event", "action", default="ACTION_NOT_FOUND")
    category = event.deep_get("event", "category", default="CATEGORY_NOT_FOUND")
    # A DELETE in the NSS (Nanolog Streaming Service) category removes a log feed.
    if action == "DELETE" and category == "NSS":
        return True
    return False


def title(event):
    # preaction holds the feed configuration as it was before the deletion.
    cloud_connection_url = event.deep_get(
        "event",
        "preaction",
        "cloudNssSiemConfiguration",
        "connectionURL",
        default="<CLOUD_CONNECTION_URL_NOT_FOUND>",
    )
    return (
        f"[Zscaler.ZIA]: Log streaming for location [{cloud_connection_url}] "
        f"was deleted by admin with id "
        f"[{event.deep_get('event', 'adminid', default='<ADMIN_ID_NOT_FOUND>')}]"
    )


def alert_context(event):
    # Attach the standard ZIA fields to the alert for triage.
    return zia_alert_context(event)

This detection monitors changes to Zscaler ZIA NSS feeds to identify when a feed has been deleted, which stops log streaming. Tailoring any Panther-managed detection to your environment is as simple as updating the Python, either in the Panther console or in your favorite code editor using our developer workflows.

This shows Panther’s approach to programmable detections:

  • Create and customize detections using open, scalable tech like Python and YAML

  • Import external libraries for complex analysis

  • Automate detection deployment like software

  • Validate detection logic with unit tests and by testing against historical log data

  • Manage detections with version control and centralized configuration
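To show what “validate detection logic with unit tests” looks like in practice, here is an added example (not Panther's own code or test framework) that runs the NSS-deletion rule above against constructed ZIA admin-audit records offline. The `ZiaEvent` class and the `zia_success` function are stand-ins for Panther's event object and the `panther_zscaler_helpers.zia_success` helper; their real internals, the `result` field used to mark success, and all sample records are assumptions made for this demonstration.

```python
# Added example, not Panther's code: an offline harness for unit-testing a
# Panther-style Python detection against constructed ZIA admin-audit events.
# ZiaEvent.deep_get and zia_success are stand-ins (assumptions) for Panther's
# event object and helper; the "result" field and sample events are constructed.
from typing import Any, Dict, List


class ZiaEvent:
    """Stand-in for Panther's event object: wraps one parsed log record and
    offers the deep_get accessor the detections on the page call."""

    def __init__(self, raw: Dict[str, Any]) -> None:
        self.raw = raw

    def deep_get(self, *keys: str, default: Any = None) -> Any:
        node: Any = self.raw
        for key in keys:
            if not isinstance(node, dict) or key not in node:
                return default
            node = node[key]
        return node


def zia_success(event: ZiaEvent) -> bool:
    """Assumed stand-in: the admin action counts as successful only when the
    audit record's result field reads SUCCESS, so failed attempts stay silent."""
    return event.deep_get("event", "result", default="") == "SUCCESS"


def rule(event: ZiaEvent) -> bool:
    """The page's defense-evasion rule: a successful DELETE in the NSS category."""
    if not zia_success(event):
        return False
    action = event.deep_get("event", "action", default="ACTION_NOT_FOUND")
    category = event.deep_get("event", "category", default="CATEGORY_NOT_FOUND")
    return action == "DELETE" and category == "NSS"


def title(event: ZiaEvent) -> str:
    url = event.deep_get("event", "preaction", "cloudNssSiemConfiguration",
                         "connectionURL", default="<CLOUD_CONNECTION_URL_NOT_FOUND>")
    admin = event.deep_get("event", "adminid", default="<ADMIN_ID_NOT_FOUND>")
    return f"[Zscaler.ZIA]: Log streaming for location [{url}] was deleted by admin with id [{admin}]"


def run_rule(raw_events: List[Dict[str, Any]]) -> List[str]:
    """Evaluate rule() over every raw record and return the alert titles that fire."""
    return [title(ev) for ev in map(ZiaEvent, raw_events) if rule(ev)]


# Constructed sample records: one true positive and four cases that must not alert.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event": {"action": "DELETE", "category": "NSS", "result": "SUCCESS", "adminid": "admin@example.com",
               "preaction": {"cloudNssSiemConfiguration": {"connectionURL": "https://siem.example.com/ingest"}}}},
    {"event": {"action": "DELETE", "category": "NSS", "result": "FAILURE", "adminid": "admin@example.com"}},  # failed attempt
    {"event": {"action": "UPDATE", "category": "NSS", "result": "SUCCESS", "adminid": "admin@example.com"}},  # not a delete
    {"event": {"action": "DELETE", "category": "URL_FILTERING", "result": "SUCCESS", "adminid": "admin@example.com"}},  # other category
    {"event": {"action": "DELETE", "result": "SUCCESS"}},  # missing category: the default keeps it silent
]


if __name__ == "__main__":
    for alert_title in run_rule(SAMPLE_EVENTS):
        print(alert_title)
```

Each negative case pins down one branch of the rule, so a later edit to the action or category match that widens or narrows the rule is caught before it is deployed. Because the page's rule defers to `zia_success`, failed deletion attempts do not alert here; if you want to see those as a weaker signal, that is the line to change.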

Use Case #2: Identifying Persistence Attempts

Another threat scenario involves detecting when someone creates new cloud administrator or audit accounts in Zscaler ZIA. This could indicate a threat actor attempting to maintain access to your systems across disruptions, so they can return later to exfiltrate data or move laterally in your environment.

Panther has this persistence scenario covered with an out-of-the-box detection:

from panther_zscaler_helpers import zia_alert_context, zia_success


def rule(event):
    # Skip records the helper does not classify as a successful admin action.
    if not zia_success(event):
        return False
    action = event.deep_get("event", "action", default="ACTION_NOT_FOUND")
    category = event.deep_get("event", "category", default="CATEGORY_NOT_FOUND")
    # postaction holds the account as it looks after the change; lower-case the
    # role name so the substring match below is case-insensitive.
    role_name = event.deep_get(
        "event", "postaction", "role", "name", default="<ROLE_NAME_NOT_FOUND>"
    ).lower()
    # Fire on newly created accounts whose role name marks them as admin or auditor.
    if (
        action == "CREATE"
        and category == "ADMINISTRATOR_MANAGEMENT"
        and ("admin" in role_name or "audit" in role_name)
    ):
        return True
    return False


def title(event):
    return (
        f"[Zscaler.ZIA]: New admin role was created by admin with id "
        f"[{event.deep_get('event', 'adminid', default='<ADMIN_ID_NOT_FOUND>')}]"
    )


def alert_context(event):
    # Attach the standard ZIA fields to the alert for triage.
    return zia_alert_context(event)

This detection looks at successful “create” events in administrator management and matches on the new account's role name (any role containing “admin” or “audit”). You can customize it to your environment by updating the target role names or using it as a security signal in a correlation rule.

A signal is a security-relevant event recorded in Panther that does not trigger an alert on its own. Instead, the signal is used as a building block in a correlation rule. For example, you can detect when a new ZIA admin account is created and is immediately followed by a matching login in your IdP. This approach helps distinguish between legitimate administrative actions and potentially suspicious new cloud admin accounts with greater accuracy.
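The correlation described above, as an added example that is not Panther's correlation engine: the ZIA admin-creation signal is paired with an IdP login for the same identity inside a short window, and a login that happens before the creation or after the window does not correlate. The ZIA `postaction.loginName` field, the IdP `actor` and `eventType` fields, the `time` field on both streams, and all sample records are constructed assumptions for this demonstration.

```python
# Added example, not Panther's code: a stand-alone sketch of a correlation rule
# that pairs the "new ZIA admin/audit account" signal with an IdP login for the
# same identity within a time window. Field names and records are constructed.
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Tuple


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; records are assumed to carry UTC times."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def admin_created_signal(raw: Dict[str, Any]) -> bool:
    """Signal (no alert on its own): successful CREATE of an admin or audit role in ZIA."""
    ev = raw.get("event", {})
    role = str(ev.get("postaction", {}).get("role", {}).get("name", "")).lower()
    return (ev.get("result") == "SUCCESS" and ev.get("action") == "CREATE"
            and ev.get("category") == "ADMINISTRATOR_MANAGEMENT"
            and ("admin" in role or "audit" in role))


def correlate_new_admin_logins(zia_events: List[Dict[str, Any]],
                               idp_events: List[Dict[str, Any]],
                               window_minutes: int = 10) -> List[Tuple[str, str, str]]:
    """Return (login name, ZIA creation time, IdP login time) for every newly created
    ZIA admin whose identity starts an IdP session within window_minutes after creation."""
    logins = sorted((_ts(e["time"]), e["actor"].lower()) for e in idp_events
                    if e.get("eventType") == "user.session.start")
    window = timedelta(minutes=window_minutes)
    hits: List[Tuple[str, str, str]] = []
    for raw in zia_events:
        if not admin_created_signal(raw):
            continue
        created = _ts(raw["time"])
        who = raw["event"]["postaction"]["loginName"].lower()
        for when, actor in logins:
            # Only a login at or after creation and inside the window correlates.
            if actor == who and created <= when <= created + window:
                hits.append((who, raw["time"], when.isoformat()))
                break
    return hits


# Constructed ZIA admin-audit records: alice correlates, bob logged in before creation,
# carol logs in outside the default window, dave is an UPDATE and not a signal at all.
ZIA_ADMIN_AUDIT: List[Dict[str, Any]] = [
    {"time": "2025-03-12T10:00:00Z", "event": {"action": "CREATE", "category": "ADMINISTRATOR_MANAGEMENT",
        "result": "SUCCESS", "postaction": {"loginName": "alice@example.com", "role": {"name": "Super Admin"}}}},
    {"time": "2025-03-12T11:00:00Z", "event": {"action": "CREATE", "category": "ADMINISTRATOR_MANAGEMENT",
        "result": "SUCCESS", "postaction": {"loginName": "bob@example.com", "role": {"name": "Auditor"}}}},
    {"time": "2025-03-12T12:00:00Z", "event": {"action": "CREATE", "category": "ADMINISTRATOR_MANAGEMENT",
        "result": "SUCCESS", "postaction": {"loginName": "carol@example.com", "role": {"name": "Admin"}}}},
    {"time": "2025-03-12T13:00:00Z", "event": {"action": "UPDATE", "category": "ADMINISTRATOR_MANAGEMENT",
        "result": "SUCCESS", "postaction": {"loginName": "dave@example.com", "role": {"name": "Admin"}}}},
]

# Constructed IdP session-start records.
IDP_LOGINS: List[Dict[str, Any]] = [
    {"time": "2025-03-12T10:03:00Z", "actor": "alice@example.com", "eventType": "user.session.start"},
    {"time": "2025-03-12T10:50:00Z", "actor": "bob@example.com", "eventType": "user.session.start"},
    {"time": "2025-03-12T12:30:00Z", "actor": "carol@example.com", "eventType": "user.session.start"},
    {"time": "2025-03-12T13:02:00Z", "actor": "dave@example.com", "eventType": "user.session.start"},
]


if __name__ == "__main__":
    for who, created, login in correlate_new_admin_logins(ZIA_ADMIN_AUDIT, IDP_LOGINS):
        print(f"new ZIA admin {who} created at {created} logged in at {login}")
```

The window is the tuning knob: widening it from 10 to 60 minutes makes carol's login correlate as well, so pick it from how quickly a legitimately provisioned admin logs in at your organization. Matching on the login name requires that ZIA and the IdP use the same identifier for a person; if they differ, normalize both sides before comparing.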

Getting Started

Ready to centralize and correlate your Zscaler network, application, and audit data with Panther? Request a demo for a personalized look at how the integration can optimize your security operations. Then check out our technical documentation for detailed implementation steps, and stop by our GitHub to explore our out-of-the-box detection rules.

Strengthen Your Security Posture with Panther and Zscaler

Panther’s Zscaler integration brings together two powerful platforms to give security teams the cloud security controls and monitoring capabilities they need in today's complex threat landscape. By centralizing and correlating your security data in Panther, you can detect advanced threats, respond to incidents in real-time, and achieve greater efficiency in your security operations.

See how Panther and Zscaler can solve your team's specific security needs by requesting a personalized demo.
