Zscaler Cloud NSS

Connect Zscaler Cloud NSS to Radiant Security to forward web, firewall, DNS, and DLP logs over HTTPS for AI triage.

Zscaler is a cloud security platform that proxies user and branch traffic to enforce secure web gateway, firewall, DNS, and data loss prevention policies against external and insider threats. Connecting Zscaler Cloud NSS forwards web, firewall, DNS, tunnel, SaaS security, and DLP logs to Radiant Security over HTTPS. Radiant uses these logs to extract artifacts during Enrichment and to answer triage questions about user behavior, destination reputation, and data movement.

Prerequisites

Add the data connector in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, select Settings > Data Connectors and click + Add Connector.

  3. Search for and select Zscaler NSS (webhook) from the list, then click Data Feeds.

  4. Under Select your data feeds, select Zscaler NSS Cloud and click Credentials.

  5. In the Credential Name field, enter an identifiable name for this credential (for example, Zscaler Cloud NSS Credentials).

  6. In the Connector tag field, enter any string. Radiant uses this value as a salt when generating the authentication token for your connector.

  7. Click Add Connector.

  8. Open the newly created connector. Under Vendor Configuration, copy and save the Token and Webhook URL values. Click Download File to download the SSL certificate and custom log format templates. You will need all four when configuring Zscaler.

  9. Click Done to save your changes.

Configure Zscaler to forward Cloud NSS feeds to Radiant Security

Create one Cloud NSS feed in Zscaler for each log type you want Radiant to triage. The feed-specific parameters are listed in the Cloud NSS feed parameters by log type table at the end of this section.

1. Open the Cloud NSS Feed configuration

Log in to the Zscaler admin portal and go to Administration > Nanolog Streaming Service > Cloud NSS Feed.

2. Add a new Cloud NSS feed

Click Add Cloud NSS Feed.

3. Configure the feed

Enter the following values, using the per-log-type parameters from the table below where indicated:

  • Feed Name: a recognizable name prefixed with radiantSecurity_ (for example, radiantSecurity_WebLogs).

  • NSS Type: see the parameters table for the value matching your log type.

  • SIEM Destination Type: Other.

  • SIEM Rate: Unlimited.

  • Max Batch Size: 1024 KB.

  • API URL: paste the Webhook URL copied from the Radiant connector.

  • HTTP Headers: add a new header with Name rs_token and Value set to the Token copied from the Radiant connector.

  • Log Type: see the parameters table.

  • Feed Output Type: Custom.

  • Feed Escape Character: \",

  • Feed Output Format: paste the format for this log type from the Custom Templates file you downloaded during the Radiant connector setup.

  • Timezone: GMT.

4. Save and activate

Click Save, then click Activate.

5. Repeat for each log type

Repeat the previous steps for every log type listed in the parameters table that you want Radiant to triage.

Cloud NSS feed parameters by log type

| Log type | NSS Type | Additional parameters |
| --- | --- | --- |
| Web Logs | NSS for Web | Log Type: Web Log |
| Firewall Logs | NSS for Firewall | Log Domain: Firewall; Firewall Log Type: Aggregate Logs |
| DNS Logs | NSS for Firewall | Log Domain: Firewall |
| Tunnel Logs | NSS for Web | Record Type: Tunnel Event |
| SaaS Security Logs | NSS for Web | Application Category: select all applicable categories |
| SaaS Security Activity Logs | NSS for Web | None |
| Endpoint DLP Logs | NSS for Web | None |
| Email DLP Logs | NSS for Web | None |
| Alerts | Default settings | None |
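
The following is an added example, not part of Radiant's or Zscaler's documentation: a Python pre-flight check that compares feed settings you have written down against the values given in the configuration steps and the parameters table. The dictionary layout and key names are assumptions made for this example, the sample URL and token are placeholders, and the token-in-URL check is an extra safeguard added here.

```python
from urllib.parse import urlparse

# NSS Type per log type, from the parameters table on this page. The Alerts
# row lists "Default settings", so no NSS Type is enforced for it (None).
NSS_TYPE = {
    "Web Logs": "NSS for Web", "Firewall Logs": "NSS for Firewall",
    "DNS Logs": "NSS for Firewall", "Tunnel Logs": "NSS for Web",
    "SaaS Security Logs": "NSS for Web", "SaaS Security Activity Logs": "NSS for Web",
    "Endpoint DLP Logs": "NSS for Web", "Email DLP Logs": "NSS for Web",
    "Alerts": None,
}
# Fixed values from the "Configure the feed" step. Key names are hypothetical.
FIXED = {"siem_destination_type": "Other", "siem_rate": "Unlimited",
         "max_batch_size_kb": 1024, "feed_output_type": "Custom", "timezone": "GMT"}

def lint_feed(feed):
    """Return a list of findings for one feed record (assumed dict layout)."""
    findings = []
    if not feed.get("name", "").startswith("radiantSecurity_"):
        findings.append("name: missing radiantSecurity_ prefix")
    log_type = feed.get("log_type")
    if log_type not in NSS_TYPE:
        findings.append("log_type: not in the parameters table")
    elif NSS_TYPE[log_type] and feed.get("nss_type") != NSS_TYPE[log_type]:
        findings.append(f"nss_type: expected {NSS_TYPE[log_type]}")
    for key, want in FIXED.items():
        if feed.get(key) != want:
            findings.append(f"{key}: expected {want}")
    api_url = feed.get("api_url", "")
    parsed = urlparse(api_url)
    if parsed.scheme != "https" or not parsed.hostname:
        findings.append("api_url: must be the HTTPS webhook URL")
    token = feed.get("http_headers", {}).get("rs_token", "").strip()
    if not token:
        findings.append("http_headers: rs_token is missing or empty")
    elif token in api_url:
        # Added safeguard: the token belongs in the rs_token header, not the URL.
        findings.append("api_url: contains the token value")
    return findings

# Constructed sample records; URL and token are placeholders, not real values.
GOOD = {"name": "radiantSecurity_WebLogs", "log_type": "Web Logs",
        "nss_type": "NSS for Web", **FIXED,
        "api_url": "https://webhook.example.invalid/ingest",
        "http_headers": {"rs_token": "PLACEHOLDER_TOKEN"}}
BAD = {**GOOD, "name": "dns-feed", "log_type": "DNS Logs", "timezone": "PST",
       "api_url": "http://webhook.example.invalid/ingest", "http_headers": {}}

if __name__ == "__main__":
    for feed in (GOOD, BAD):
        print(feed["name"], lint_feed(feed) or "OK")
```
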

Verify ingestion

After Zscaler Cloud NSS begins forwarding, confirm alerts and events are reaching Radiant.

  1. In Radiant, navigate to Log Management.

  2. Filter by rs_connectorType:"zscaler_nss_webhook".

  3. Confirm recent alerts and events appear.

Allow several minutes for alerts and events to be parsed, indexed, and available for search.
