Configuring the Zscaler NSS feed from the Zscaler admin portal

A Zscaler NSS feed specifies the data from the logs that the NSS sends to the SIEM for high-speed retrieval of reporting and analytics. Each feed can have a different list of fields, a different format, and different filters. You can add one or more fields for the logs and one field for alerts. You can add up to 8 NSS feeds for each NSS.

Configuring the Zscaler NSS threat feed

  1. Log in to the Zscaler admin portal and go to the Administration > Nanolog Streaming Service > NSS Feed section.
  2. Click Add NSS Feed and enter the following information:
    1. Enter the feed name, preferably with the maas360_ prefix to easily identify the feed.
    2. Select NSS for Web in the NSS Type field.
    3. Select an NSS server from the drop-down list. You can use a new NSS server setup for MaaS360 integration or an existing NSS server setup in the customer premises.
    4. Select the SIEM destination type:
      • If you select IP address, enter the IP address of the host that the maas360-threat-connector is running on and then enter 9000 as the SIEM TCP port.
      • If you select FQDN:
        • For standalone mode, enter the hostname of the machine that the maas360-threat-connector is executed on.
        • For HA mode, enter the load balancer IP address that the maas360-threat-connector is executed on.
    5. For SIEM Rate, select Unlimited.
    6. For Log Type, select Web Log.
    7. For Feed Output Type, select QRadar LEEF.
    8. In the Feed Output Format section, enter the text from the following file: https://public.dhe.ibm.com/software/security/products/maas360/Zscaler/zscaler_threat_feed_string.txt
    9. Set the feed time zone to GMT.
    10. In the Web Log Filters section, go to Security and select All threats in the Advanced Threats section. Use the default settings for the other sections.
    11. Save the settings.
      Figure: Threat feed

Configuring the device feed

  1. Log in to the Zscaler admin portal and go to the Administration > Nanolog Streaming Service > NSS Feed section.
  2. Click Add NSS Feed and enter the following information:
    1. Enter the feed name, preferably with the maas360_ prefix to easily identify the feed.
    2. Select NSS for Web in the NSS Type field.
    3. Select an NSS server from the drop-down list. You can use a new NSS server setup for MaaS360 integration or an existing NSS server setup in the customer premises.
    4. Select the SIEM destination type:
      • If you select IP address, enter the IP address of the host that the maas360-threat-connector is running on and then enter 9000 as the SIEM TCP port.
      • If you select FQDN:
        • For standalone mode, enter the hostname of the machine that the maas360-threat-connector is executed on.
        • For HA mode, enter the load balancer IP address that the maas360-threat-connector is executed on.
    5. For SIEM Rate, select Unlimited.
    6. For Log Type, select Web Log.
    7. For Feed Output Type, select QRadar LEEF.
    8. In the Feed Output Format section, enter the text from the following file: https://public.dhe.ibm.com/software/security/products/maas360/Zscaler/zscaler_device_feed_string.txt
    9. Set the feed time zone to GMT.
    10. In the Web Log Filters section, go to Security and select All threats in the Advanced Threats section. Use the default settings for the other sections.
    11. Save the settings.
      Figure: Device feed
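
After both feeds are saved, lines captured on the connector host (TCP port 9000) can be checked for well-formed QRadar LEEF 1.0 records before the feed is relied on. The following is an added example, not IBM or Zscaler code; the sample lines, the header values, and the attribute names (devTime, usrName, url) are constructed placeholders and do not reproduce the feed output format strings.

```python
import re

# LEEF 1.0 record: LEEF:1.0|Vendor|Product|Version|EventID| followed by
# tab-separated key=value attributes. Text before "LEEF:" (for example a
# syslog-style timestamp and host name) is ignored.
_HEADER = re.compile(r"LEEF:(1\.0)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")


def parse_leef(line):
    """Return (header dict, attribute dict); raise ValueError if malformed."""
    m = _HEADER.search(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("no LEEF 1.0 header found")
    names = ("version", "vendor", "product", "product_version", "event_id")
    header = dict(zip(names, m.groups()[:5]))
    attrs = {}
    for pair in m.group(6).split("\t"):
        if not pair:
            continue  # tolerate a trailing tab
        key, sep, value = pair.partition("=")  # values may contain "="
        if not sep or not key:
            raise ValueError("attribute not in key=value form: %r" % pair)
        attrs[key] = value
    return header, attrs


def check_feed(lines, required=()):
    """Count valid lines and collect (line number, reason) for rejected ones."""
    ok, rejected = 0, []
    for n, line in enumerate(lines, 1):
        try:
            _, attrs = parse_leef(line)
            missing = [k for k in required if k not in attrs]
            if missing:
                raise ValueError("missing attributes: " + ", ".join(missing))
            ok += 1
        except ValueError as exc:
            rejected.append((n, str(exc)))
    return ok, rejected


# Constructed sample lines; header values and attribute names are placeholders.
SAMPLE = [
    "Jan 01 00:00:00 nss-host LEEF:1.0|Zscaler|NSS|1.0|example|devTime=Jan 01 2024 00:00:00 GMT\tusrName=user@example.com\turl=example.com/a=b",
    "Jan 01 00:00:01 nss-host LEEF:1.0|Zscaler|NSS|1.0|example|usrName=user@example.com",
    "not a LEEF record",
]
```

Pass the attribute names that the configured feed output format actually contains as `required`, so that a truncated or mis-pasted format string shows up as rejected lines.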