ZScaler NSS On-Prem
Connect Zscaler NSS On-Prem to Radiant Security to forward web, firewall, DNS, and DLP logs over syslog for AI triage.
Zscaler is a cloud security platform that proxies user and branch traffic to enforce secure web gateway, firewall, DNS, and data loss prevention policies against external and insider threats. Connecting Zscaler NSS forwards web, firewall, DNS, tunnel, SaaS security, and DLP logs to Radiant Security over syslog. Radiant uses these logs to extract artifacts during Enrichment and to answer triage questions about user behavior, destination reputation, and data movement.
Zscaler NSS can forward syslog to Radiant Security in two ways:
Through the Radiant Agent (recommended). Forward to a Radiant Agent deployed in your environment.
Direct to Radiant Security. Forward to a Radiant-hosted syslog endpoint. Use only when a Radiant Agent is not available.
Prerequisites
Add the data connector in Radiant Security
Log in to Radiant Security.
From the navigation menu, select Settings > Data Connectors, then click + Add Connector.
Search for and select Radiant Agent, then click Data Feeds.
Under Select your data feeds, select ZScaler NSS On-Prem and click Credentials.
In the Credential Name field, enter an identifiable name for the Radiant Agent integration (for example, Radiant Agent integration). To reuse an existing Radiant Agent credential, select it from the drop-down menu.
In the Connector tag field, enter any string. Radiant uses this value as salt when generating the authentication token for your connector.
Click Add Connector.
Open the newly created connector. Under Vendor Configuration, copy and save the Token value, then click Download File to download the SSL certificate and custom log format templates. You will need all three when configuring the NSS server.
Click Done to save your changes.
Log in to Radiant Security.
From the navigation menu, select Settings > Data Connectors, then click + Add Connector.
Search for and select Zscaler NSS (syslog), then click Data Feeds.
Under Select your data feeds, select ZScaler NSS On-Prem and click Credentials.
In the Credential Name field, enter an identifiable name for this credential (for example, Zscaler NSS Credentials).
In the Connector tag field, enter any string. Radiant uses this value as salt when generating the authentication token for your connector.
Click Add Connector.
Open the newly created connector. Under Vendor Configuration, copy and save the Token, then click Download File to download the SSL certificate and custom log format templates. You will need all three when configuring the NSS server.
Click Done to save your changes.
Configure Zscaler NSS to forward syslog through the Radiant Agent
Create one NSS feed in Zscaler for each log type you want Radiant to triage. The feed-specific parameters are listed in the NSS feed parameters by log type table at the end of this article.
Configure the feed
Enter the following values, using the per-log-type parameters from the table at the end of this article where indicated:
Feed Name: a recognizable name prefixed with radiantSecurity_ (for example, radiantSecurity_WebLogs).
NSS Server: select the NSS server you deployed.
NSS Type: see the parameters table for the value matching your log type.
SIEM Destination Type: IP or FQDN of the Radiant Agent.
SIEM TCP Port: the port configured on the Radiant Agent to receive Zscaler NSS data. If you do not know the port, contact your Customer Success representative.
SIEM Rate: Unlimited.
Log Type: select Web Log.
Feed Output Type: select Custom.
Feed Escape Character: ,\"
Feed Output Format: paste the format for this log type from the Custom Templates file you downloaded during the Radiant connector setup.
Note: TCP is the recommended syslog transport. Use UDP only when TCP is not available in your environment.
Configure Zscaler NSS to forward syslog directly to Radiant Security
Use this path only when a Radiant Agent is not available.
Create one NSS feed in Zscaler for each log type you want Radiant to triage. The feed-specific parameters are listed in the NSS feed parameters by log type table at the end of this article.
Install the Radiant SSL certificate on the NSS server
Import the SSL certificate you downloaded from the Radiant connector into the NSS server's trusted certificate store. For the import procedure, see Zscaler's Adding NSS Servers documentation.
Configure the feed
Enter the following values, using the per-log-type parameters from the table at the end of this article where indicated:
Feed Name: a recognizable name prefixed with radiantSecurity_ (for example, radiantSecurity_WebLogs).
NSS Server: select the NSS server you deployed.
NSS Type: see the parameters table for the value matching your log type.
SIEM Destination Type: IP or FQDN of the local Syslog Forwarder
SIEM TCP Port: 514.
SIEM Rate: Unlimited.
Log Type: select Web Log.
Feed Output Type: select Custom.
Feed Escape Character: ,\"
Feed Output Format: paste the format for this log type from the Custom Templates file you downloaded during the Radiant connector setup.
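Why the Feed Escape Character value matters in both feed configurations above: Zscaler hex-encodes the listed characters when they appear in URL, host, and referrer values, so a comma, backslash, or double quote inside a URL cannot break the record structure the receiver parses. The following is an added example, not code from Radiant or Zscaler; the JSON-style template and the sample records are assumptions constructed for illustration, and the real format comes from the Custom Templates file.

```python
import json
from urllib.parse import unquote

# Feed Escape Character value from the page: comma, backslash, double quote.
ESCAPE_CHARS = ',\\"'

# Constructed JSON-style template (assumption); the real format comes from
# the Custom Templates file downloaded from the Radiant connector.
TEMPLATE = '{{"user":"{user}","url":"{url}","action":"{action}"}}'


def hex_encode(value, escape_chars):
    """Replace each listed character with %XX, leaving everything else as-is."""
    return "".join(f"%{ord(ch):02X}" if ch in escape_chars else ch for ch in value)


def render(record, escape_chars=""):
    """Build one log line by plain substitution into the template."""
    return TEMPLATE.format(**{k: hex_encode(v, escape_chars) for k, v in record.items()})


def parse(line):
    """Receiver side: return the parsed event, or None if the line is unparseable."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


# Constructed sample records whose URL contains the special characters.
SAMPLES = [
    {"user": "alice", "url": 'example.com/search?q="a,b"', "action": "Blocked"},
    {"user": "bob", "url": "example.com/path\\", "action": "Allowed"},
]


def dropped(escape_chars):
    """Count sample events the receiver cannot parse for a given setting."""
    return sum(parse(render(r, escape_chars)) is None for r in SAMPLES)


if __name__ == "__main__":
    print("unparseable without escaping:", dropped(""))
    print("unparseable with the page's setting:", dropped(ESCAPE_CHARS))
    event = parse(render(SAMPLES[0], ESCAPE_CHARS))
    print(event["url"], "->", unquote(event["url"]))
```

Leaving out any one of the three characters still loses events: with only the comma and double quote escaped, the record whose URL ends in a backslash fails to parse.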
NSS feed parameters by log type
Log type | NSS Type | Feed-specific parameters
Web Logs | NSS for Web | Log Type: Web Log
Firewall Logs | NSS for Firewall | Log Domain: Firewall; Firewall Log Type: Aggregate Logs
DNS Logs | NSS for Firewall | Log Domain: Firewall
Tunnel Logs | NSS for Web | Record Type: Tunnel Event
SaaS Security Logs | NSS for Web | Application Category: select all applicable categories
SaaS Security Activity Logs | NSS for Web | None
Endpoint DLP Logs | NSS for Web | None
Email DLP Logs | NSS for Web | None
Verify ingestion
After Zscaler NSS On-Prem begins forwarding, confirm alerts and events are reaching Radiant.
In Radiant, navigate to Log Management.
Filter by rs_connectorType:"zscaler_nss".
Confirm recent alerts and events appear.
Allow several minutes for alerts and events to be parsed, indexed, and available for search.
