Data Integration Guide - ZScaler ZIA Cloud NSS
🔒Granting Access
⚠️ Before you begin this process, please ensure that you have a ZScaler ZIA Cloud NSS License.
Without this license you will be unable to establish this connection. If you need to establish an On-Premises NSS Feed connection instead, please reach out to help@livingsecurity.com for support, as that setup has strict requirements that must be met before logs can be pushed to Unify through the feed.
For ZScaler's documentation on this process, please see this link.
- Go to Administration > Nanolog Streaming Service.
- In the Cloud NSS Feeds tab, click Add Cloud NSS Feed.
The Add Cloud NSS Feed window appears.
- In the Add Cloud NSS Feed window:
- Feed Name: Enter or edit the name of the feed. Each feed is a connection between the NSS and your SIEM.
- NSS Type: NSS for Web is selected by default.
- Status: The NSS feed is Enabled by default. Choose Disabled if you want to activate it at a later time.
- SIEM Rate: Set this value to Limited.
- SIEM Rate Limit (Events per Second): Set this to 100 to ensure rate limits are not being hit.
- SIEM Type: Please set this to Other.
- OAuth 2.0 Authentication: This setting is enabled by default if it is applicable to the SIEM type.
- Max Batch Size: Please set this to 20 KB.
- API URL: Living Security will provide you with your API URL.
- Please set Key 1 to be: x-api-key
- Value 1: Enter your Unify API token in the <api key>.<api secret> format described in the Unify API article.
❓For Living Security's article on how to create a Unify API Token, please see this link.
- Add HTTP Header: Click to add more HTTP headers (keys and values).
- Please set Key 2 to be: content-type
- Please enter Value 2 to be: application/json
- Log Type: Choose Web Log.
- Feed Output Type: The output is JSON by default.
- JSON Array Notation: Please ensure this setting is ENABLED. Batching events into a JSON array keeps the number of requests down so the API does not hit rate limits.
- Feed Escape Character: Please leave this field empty.
- Feed Output Format: Please use the following format for the Feed Output Format:

```json
{ "sourcetype" : "zscalernss-web", "event" : {"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}","reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}","transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}","urlcategory":"%s{urlcat}","serverip":"%s{sip}","requestmethod":"%s{reqmethod}","refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}","ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler","hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}","threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}","department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}","dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}","dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}","keyprotectiontype":"%s{keyprotectiontype}"}}
```

- Timezone: By default, this is set to the organization's time zone. The time zone you set applies to the time field in the output file and automatically adjusts for daylight saving changes in that time zone. The configured time zone can be output to the logs as a separate field. The list of time zones is derived from the IANA Time Zone database. Direct GMT offsets can also be specified.
🚰 Defining Filters
Filters restrict which logs your ZScaler ZIA instance sends, so that the Unify API is not overloaded. It is highly recommended that you implement the filters below so that Unify Insights sees only logs with these Policy Reasons. Only enable a reason for events that you have already established policies for within ZScaler, so that your NSS Feed stays tightly scoped, unless you plan on implementing policies for those events so Unify can have these insights.
| Policy Reason Filter |
| --- |
| Blocked Mobile App exhibiting malicious behavior |
| Blocked Mobile App leaking user credentials insecurely |
| Blocked Mobile App with known security vulnerability |
| Custom Reputation block outbound request: malicious URL |
| File attachment not allowed |
| IPS block inbound response: malicious content |
| IPS block inbound response: phishing content |
| IPS block inbound response: page contains known browser exploits |
| Malware Block: Malicious File |
| Not allowed because URL is placed on denylist |
| Not allowed because this file contains known vulnerabilities |
| Not allowed to access this file type |
| Not allowed to upload/download encrypted or password-protected archive files |
| Not allowed to upload/download files of size greater than configured limit |
| Not allowed to upload/download files of this type |
| PageRisk block inbound response: page is unsafe |
| Reputation block outbound request: malicious URL |
| Reputation block outbound request: phishing site |
| Secure Browsing blocked an outdated/disallowed component |
| Secure Browsing warned about an outdated/disallowed component |
Once you have defined these filters, click Save.
ZScaler's NSS feeds require that the log structure be dictated by the customer. The suggested format contains the fields we normally use, but generally some Living Security engineering effort is required to complete this integration.
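The Feed Output Format above is a template that NSS fills per event, the Policy Reason filter decides which events are sent at all, and JSON Array Notation plus the 20 KB Max Batch Size decide how events are grouped into requests. The following Python script is an added example (not code from Living Security or Zscaler) that models that pipeline offline so you can check, before enabling the feed, that the template renders to valid JSON, that only the listed Policy Reasons get through, and that batches stay under the size cap. It assumes the NSS token semantics are `%s{field}` for a string, `%d{field}` for an integer and `%02d{field}` for a zero-padded integer; it uses a subset of the page's template (the renderer treats the full template identically), and the sample records and the hypothetical reason string in the third record are constructed.

```python
import json
import re

# Subset of the guide's Feed Output Format. Every field uses the same
# %s{...}/%d{...} token form, so the renderer works on the full template too.
FEED_FORMAT = (
    '{ "sourcetype" : "zscalernss-web", "event" : {'
    '"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}",'
    '"reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}",'
    '"action":"%s{action}","transactionsize":"%d{totalsize}",'
    '"urlcategory":"%s{urlcat}","ClientIP":"%s{cip}","user":"%s{elogin}",'
    '"url":"%s{eurl}","vendor":"Zscaler","threatname":"%s{threatname}",'
    '"product":"NSS"}}'
)

# Policy Reason filter list from the guide's table.
ALLOWED_REASONS = frozenset({
    "Blocked Mobile App exhibiting malicious behavior",
    "Blocked Mobile App leaking user credentials insecurely",
    "Blocked Mobile App with known security vulnerability",
    "Custom Reputation block outbound request: malicious URL",
    "File attachment not allowed",
    "IPS block inbound response: malicious content",
    "IPS block inbound response: phishing content",
    "IPS block inbound response: page contains known browser exploits",
    "Malware Block: Malicious File",
    "Not allowed because URL is placed on denylist",
    "Not allowed because this file contains known vulnerabilities",
    "Not allowed to access this file type",
    "Not allowed to upload/download encrypted or password-protected archive files",
    "Not allowed to upload/download files of size greater than configured limit",
    "Not allowed to upload/download files of this type",
    "PageRisk block inbound response: page is unsafe",
    "Reputation block outbound request: malicious URL",
    "Reputation block outbound request: phishing site",
    "Secure Browsing blocked an outdated/disallowed component",
    "Secure Browsing warned about an outdated/disallowed component",
})

MAX_BATCH_BYTES = 20 * 1024  # guide: Max Batch Size 20 KB

# Assumed token grammar: %s{field}, %d{field}, %02d{field}
TOKEN = re.compile(r"%(\d*)([sd])\{(\w+)\}")


def render_event(template, fields):
    """Fill the NSS template with one record's field values."""
    def substitute(m):
        width, kind, name = m.groups()
        value = fields.get(name, "")
        if kind == "d":
            return str(int(value)).zfill(int(width) if width else 0)
        # JSON-escape string values so a quote or backslash in a URL or
        # user-agent cannot break the emitted document.
        return json.dumps(str(value))[1:-1]
    return TOKEN.sub(substitute, template)


def passes_policy_filter(fields):
    """Mirror the Policy Reason filter: keep only listed reasons."""
    return fields.get("reason") in ALLOWED_REASONS


def batch_events(rendered, max_bytes=MAX_BATCH_BYTES):
    """Group rendered events into JSON arrays no larger than max_bytes.
    A single event larger than the cap still gets its own batch."""
    batches, current = [], []
    for ev in rendered:
        trial = "[" + ",".join(current + [ev]) + "]"
        if current and len(trial.encode("utf-8")) > max_bytes:
            batches.append("[" + ",".join(current) + "]")
            current = [ev]
        else:
            current.append(ev)
    if current:
        batches.append("[" + ",".join(current) + "]")
    return batches


def decode_batch(batch):
    """Parse one batch; raises if the template produced invalid JSON."""
    return json.loads(batch)


def process(records, template=FEED_FORMAT, max_bytes=MAX_BATCH_BYTES):
    """Filter, render and batch records; returns (batches, dropped_count)."""
    kept = [render_event(template, r) for r in records if passes_policy_filter(r)]
    batches = batch_events(kept, max_bytes)
    for b in batches:
        decode_batch(b)  # validate every batch before it would be sent
    return batches, len(records) - len(kept)


def _record(recordid, reason, url):  # constructed sample, not real NSS output
    return {"yy": 2024, "mth": 3, "dd": 7, "hh": 9, "mm": 5, "ss": 30,
            "recordid": recordid, "reason": reason, "proto": "HTTPS",
            "action": "Blocked", "totalsize": 5120, "urlcat": "Malicious Sites",
            "cip": "10.0.0.12", "elogin": "alice@example.com", "eurl": url,
            "threatname": "Sample.Test.EICAR"}


SAMPLE_RECORDS = [
    _record(1001, "Malware Block: Malicious File", 'example.invalid/dl?name="payload".exe'),
    _record(1002, "Not allowed because URL is placed on denylist", "example.invalid/blocked"),
    _record(1003, "Constructed reason not in the filter list", "example.invalid/other"),
]

if __name__ == "__main__":
    batches, dropped = process(SAMPLE_RECORDS)
    print(f"{len(batches)} batch(es), {dropped} record(s) dropped by the policy filter")
    print(batches[0][:120] + "...")
```

The escaping step is the part worth keeping in mind when you adjust the template: the `e`-prefixed NSS fields (eurl, elogin, eua and so on) exist precisely because raw values can contain characters that break the JSON envelope, so stick to those variants for free-text fields. Lowering `max_bytes` in `process` lets you see how many requests a given event volume would produce under the 20 KB cap.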