Configuring the Zscaler NSS feed from the Zscaler admin portal
A Zscaler NSS feed specifies the data from the logs that the NSS sends to the SIEM for high-speed retrieval of reporting and analytics. Each feed can have a different list of fields, a different format, and different filters. You can add one or more fields for the logs and one field for alerts. You can add up to 8 NSS feeds for each NSS.
Configuring the Zscaler NSS threat feed
- Log in to the Zscaler admin portal and go to the section.
- Click Add NSS Feed and enter the following information:
  - Enter the feed name, preferably with the maas360_ prefix to easily identify the feed.
  - Select NSS for Web in the NSS Type field.
  - Select an NSS server from the drop-down list. You can use a new NSS server setup for MaaS360 integration or an existing NSS server setup in the customer premises.
  - Select the SIEM destination type:
    - If you select IP address, enter the IP address of the host that the maas360-threat-connector is running on and then enter 9000 as the SIEM TCP port.
    - If you select FQDN:
      - For standalone mode, enter the hostname of the machine that the maas360-threat-connector is executed on.
      - For HA mode, enter the load balancer IP address that the maas360-threat-connector is executed on.
  - For SIEM Rate, select Unlimited.
  - For Log Type, select Web Log.
  - For Feed Output Type, select QRadar LEEF.
  - Enter the text from the following string in the Feed Output Format section: https://public.dhe.ibm.com/software/security/products/maas360/Zscaler/zscaler_threat_feed_string.txt
  - Enter the feed time zone in GMT.
  - In the Web Log Filters section, go to Security and select All threats in the Advanced Threats section. Use the default settings for the other sections.
  - Save the settings.
Configuring the device feed
- Log in to the Zscaler admin portal and go to the section.
- Click Add NSS Feed and enter the following information:
  - Enter the feed name, preferably with the maas360_ prefix to easily identify the feed.
  - Select NSS for Web in the NSS Type field.
  - Select an NSS server from the drop-down list. You can use a new NSS server setup for MaaS360 integration or an existing NSS server setup in the customer premises.
  - Select the SIEM destination type:
    - If you select IP address, enter the IP address of the host that the maas360-threat-connector is running on and then enter 9000 as the SIEM TCP port.
    - If you select FQDN:
      - For standalone mode, enter the hostname of the machine that the maas360-threat-connector is executed on.
      - For HA mode, enter the load balancer IP address that the maas360-threat-connector is executed on.
  - For SIEM Rate, select Unlimited.
  - For Log Type, select Web Log.
  - For Feed Output Type, select QRadar LEEF.
  - Enter the text from the following string in the Feed Output Format section: https://public.dhe.ibm.com/software/security/products/maas360/Zscaler/zscaler_device_feed_string.txt
  - Enter the feed time zone in GMT.
  - In the Web Log Filters section, go to Security and select All threats in the Advanced Threats section. Use the default settings for the other sections.
  - Save the settings.
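
Both feeds above send QRadar LEEF records over TCP to the connector host. The following is an added example, not IBM or Zscaler code: it parses LEEF 1.0 lines from a captured sample and reports malformed records or missing attributes, which helps confirm a feed is producing what the receiver expects. The sample lines, vendor and product values, and attribute names are constructed placeholders; the real attributes are defined by the feed output format string.

```python
import re

# LEEF 1.0: "LEEF:1.0|Vendor|Product|Version|EventID|" followed by
# tab-separated key=value attributes.
LEEF_RE = re.compile(r"LEEF:1\.0\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")

def parse_leef(line):
    """Return a dict for one LEEF 1.0 record, or None if the line is malformed.
    Text before 'LEEF:' (for example a syslog-style prefix) is ignored."""
    m = LEEF_RE.search(line.rstrip("\r\n"))
    if not m:
        return None
    vendor, product, version, event_id, body = m.groups()
    attrs = {}
    for pair in body.split("\t"):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep or not key:
            return None  # attribute is not key=value: reject the record
        attrs[key] = value
    return {"vendor": vendor, "product": product, "version": version,
            "event_id": event_id, "attrs": attrs}

def check_feed(lines, required=()):
    """Return (parsed records, problems); problems are (line number, reason)."""
    good, bad = [], []
    for n, line in enumerate(lines, 1):
        rec = parse_leef(line)
        if rec is None:
            bad.append((n, "not LEEF 1.0"))
            continue
        missing = [k for k in required if k not in rec["attrs"]]
        if missing:
            bad.append((n, "missing " + ",".join(missing)))
        else:
            good.append(rec)
    return good, bad

# Constructed sample lines; attribute names are placeholders, not the MaaS360 string.
SAMPLE = [
    "nss: LEEF:1.0|ExampleVendor|ExampleProduct|1.0|Blocked|usrName=user@example.com\tsrc=192.0.2.10\tthreatname=Example.Threat",
    "LEEF:1.0|ExampleVendor|ExampleProduct|1.0|Allowed|usrName=user2@example.com\tsrc=192.0.2.11",
    "plain text that is not LEEF",
]

if __name__ == "__main__":
    good, bad = check_feed(SAMPLE, required=("usrName", "threatname"))
    print(len(good), "valid record(s); problems:", bad)
```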