# ZScaler Cloud NSS

Zscaler is a cloud security platform that proxies user and branch traffic to enforce secure web gateway, firewall, DNS, and data loss prevention policies against external and insider threats. Connecting Zscaler Cloud NSS forwards web, firewall, DNS, tunnel, SaaS security, and DLP logs to Radiant Security over HTTPS. Radiant uses these logs to extract artifacts during Enrichment and to answer triage questions about user behavior, destination reputation, and data movement.

### Prerequisites

* [ ] Admin access to Zscaler

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, select **Settings** > **Data Connectors** and click **+ Add Connector**.
3. Search for and select **Zscaler NSS (webhook)** from the list, then click **Data Feeds**.
4. Under **Select your data feeds**, select **Zscaler NSS Cloud** and click **Credentials**.
5. In the **Credential Name** field, enter an identifiable name for this credential (for example, `Zscaler Cloud NSS Credentials`).
6. In the **Connector tag** field, enter any string. Radiant uses this value as salt when generating the authentication token for your connector.
7. Click **Add Connector**.
8. Open the newly created connector. Under **Vendor Configuration**, copy and save the **Token** and **Webhook URL** values. Click **Download File** to download the SSL certificate and custom log format templates. You will need all four when configuring Zscaler.
9. Click **Done** to save your changes.

### Configure Zscaler to forward Cloud NSS feeds to Radiant Security

Create one Cloud NSS feed in Zscaler for each log type you want Radiant to triage. The feed-specific parameters are listed in the Cloud NSS feed parameters by log type table at the end of this section.

{% stepper %}
{% step %}

#### Open the Cloud NSS Feed configuration

Log in to the Zscaler admin portal and go to **Administration** > **Nanolog Streaming Service** > **Cloud NSS Feed**.

<div align="left"><figure><img src="/files/Dbhd2RKujAEex9DNrsI7" alt=""><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### Add a new Cloud NSS feed

Click **Add Cloud NSS Feed**.

<div align="left"><figure><img src="/files/Pi1opt4EQHjxMQn0Re8d" alt=""><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### Configure the feed

Enter the following values, using the per-log-type parameters from the table below where indicated:

* **Feed Name**: a recognizable name prefixed with `radiantSecurity_` (for example, `radiantSecurity_WebLogs`).
* **NSS Type**: see the parameters table for the value matching your log type.
* **SIEM Destination Type**: **Other**.
* **SIEM Rate**: **Unlimited**.
* **Max Batch Size**: `1024 KB`.&#x20;
* **API URL**: paste the **Webhook URL** copied from the Radiant connector.
* **HTTP Headers**: add a new header with **Name** `rs_token` and **Value** set to the **Token** copied from the Radiant connector.
* **Log Type**: see the parameters table.
* **Feed Output Type**: **Custom**.
* **Feed Escape Character**: `\",`
* **Feed Output Format**: paste the format for this log type from the **Custom Templates** file you downloaded during the Radiant connector setup.

<div align="left"><figure><img src="/files/isavP1VugKEiU75qlBVj" alt=""><figcaption></figcaption></figure></div>

* **Timezone**: **GMT**.
  {% endstep %}

{% step %}

#### Save and activate

Click **Save**, then click **Activate**.
{% endstep %}

{% step %}

#### Repeat for each log type

Repeat the previous steps for every log type listed in the parameters table you want Radiant to triage.
{% endstep %}
{% endstepper %}

#### Cloud NSS feed parameters by log type

| Log type                    | NSS Type         | Additional parameters                                   |
| --------------------------- | ---------------- | ------------------------------------------------------- |
| Web Logs                    | NSS for Web      | Log Type: Web Log                                       |
| Firewall Logs               | NSS for Firewall | Log Domain: Firewall; Firewall Log Type: Aggregate Logs |
| DNS Logs                    | NSS for Firewall | Log Domain: Firewall                                    |
| Tunnel Logs                 | NSS for Web      | Record Type: Tunnel Event                               |
| SaaS Security Logs          | NSS for Web      | Application Category: select all applicable categories  |
| SaaS Security Activity Logs | NSS for Web      | None                                                    |
| Endpoint DLP Logs           | NSS for Web      | None                                                    |
| Email DLP Logs              | NSS for Web      | None                                                    |
| Alerts                      | Default settings | None                                                    |

### Verify ingestion

After Zscaler Cloud NSS begins forwarding, confirm alerts and events are reaching Radiant.

1. In Radiant, navigate to [Log Management](https://app.radiantsecurity.ai/logs).
2. Filter by `rs_connectorType:"zscaler_nss_webhook"`.
3. Confirm recent alerts and events appear.

{% hint style="info" %}
Allow several minutes for alerts and events to be parsed, indexed, and available for search.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.radiantsecurity.ai/radiant-connectors/data-connectors/zscaler/zscaler-cloud-nss.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.