ZScaler Cloud NSS Feed

Configure ZScaler NSS Cloud HTTPS log forwarding to Radiant Security.

In this guide, you will create custom log formats for the ZScaler NSS Cloud log configuration. These formats are required to send ZScaler logs to Radiant Security over HTTPS.

Add the data connector in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, click Settings > Data Connectors and click + Add Connector.

  3. Search for and select the ZScaler NSS (webhook) option and then click Data Feeds, then click Credentials.

  4. Under Credential Name, give the credential an identifiable name (e.g. ZScaler Cloud NSS - Token). If you already have a credential in place, select it from the drop-down menu.

  5. In the Connector tag field, enter a random value. This value will act as the salt to randomize the Token you’ll download in the next step.

  6. Click Add Connector.

  7. Copy and save the Token and Webhook URL values. Click Download File to download the SSL Certificate and Custom Template, as you will need these files when configuring the HTTPS source.

  8. Click Done to save your changes.

Set up NSS Cloud Integration with the Radiant Security Connector

Some log types require specific parameters. Refer to the table at the end of this section for those parameters.

  1. Log in to the ZScaler admin portal and go to the Administration > Nanolog Streaming Service > Cloud NSS Feed section.

  2. Click Add Cloud NSS Feed.

  3. Enter the following information:

    • Enter the feed name, preferably with the radiantSecurity_ prefix to easily identify the feed.

    • Select NSS for Web in the NSS Type field.

    • Select the SIEM destination type: Other.

    • For SIEM Rate, select Unlimited.

    • Max Batch Size: 1024 KB

    • For the API URL field, enter the Webhook URL provided during the Radiant Connector setup.

    • Under HTTP Headers, add a new header with the following parameters:

      • Name: rs_token

      • Value: enter the Token value provided during the Radiant Connector setup

    • For Log Type, select Web Log.

    • For Feed Output Type, select Custom.

    • Feed Escape Character: \",

    • Feed Output Format:

      • Paste the format that matches the selected log type. The custom formats can be found in the Custom Templates file that you downloaded during the Radiant Security data connector setup.

    • Set the Timezone to GMT.

    • Click Save.

    • Click Activate.

  4. Repeat step 2 for each log type listed in the table below. Some log types require additional parameters, as indicated in the table.

    | Log Type | Parameters |
    | --- | --- |
    | Web Logs | NSS Type: NSS for Web |
    | Firewall Logs | NSS Type: NSS for Firewall; Log Domain: Firewall; Firewall Log Type: Aggregate Logs |
    | DNS Logs | Log Domain: Firewall |
    | Tunnel Logs | NSS Type: NSS for Web; Record Type: Tunnel Event |
    | SaaS Security Logs | NSS Type: NSS for Web; Application Category: Select all the application categories that apply |
    | SaaS Security Activity Logs | NSS Type: NSS for Web |
    | Endpoint DLP Logs | NSS Type: NSS for Web |
    | Email DLP Logs | NSS Type: NSS for Web |
    | Alerts | Default Settings |
