Zscaler NSS
Realm Security integrates seamlessly with Zscaler NSS VM and cloud-based appliances, enabling intelligent routing and analysis of security event logs.
Depending on your setup, select one of the following methods to send logs to Realm:
Zscaler NSS VM
Zscaler NSS VM supports sending log data to configured destinations using the generic syslog protocol in key/value format.
Data Flow:
Zscaler (VM based) NSS > Realm Data Connector (onprem) > Realm Cloud Backend
Prerequisites
- Ensure you have administrative access to your Zscaler NSS VM.
- Realm collector is set up and running. See Realm Collector install guide for setting up a collector.
- Realm Security syslog collector IP address or FQDN.
- Realm Collector receiving port numbers. In the Realm console, go to Collectors > select collector > More actions (...) for the Zscaler stream > View assigned ports and copy the port number listed for each NSS feed type.
Realm: Setup Source
- Log in to the Realm console.
- Go to Sources > Add > Zscaler ZIA / Splunk (CIM) and add a new Source.
  Name: Zscaler ZIA
  Description: Zscaler ZIA logs
- If a collector is already set up, go to Collectors and select your collector. If not, go to Collectors > Add and give it a name and description.
- Add a Zscaler stream to the Collector. Click Add Stream.
  Product Format: Zscaler ZIA / Splunk (CIM)
  Source: Zscaler
  Framing Trailer: Unspecified
- Click Add Stream.
- To view all assigned ports for Zscaler ZIA feeds, click VIEW PORTS. The modal shows receiving port numbers for each NSS feed type. You will need these when configuring each Zscaler NSS Syslog feed.
Zscaler: Setup NSS VM feed
Follow these steps to configure an NSS feed for firewall logs to Realm Security Data Fabric.
Use the following values:
Feed Name: Name of the feed
NSS Type: Select type
SIEM Destination Type: SIEM IP Address — enter the IP address of the Realm Data Collector VM
SIEM TCP Port: Port number from the Realm console corresponding to the NSS feed type
Feed Output Type: Splunk CIM
Zscaler NSS Cloud
Zscaler NSS Cloud supports sending log data to configured destinations using format strings to format data into the correct schema for a given SIEM/Data store.
Data Flow:
Zscaler (Cloud based) NSS > Realm Cloud Backend
Prerequisites
- Ensure you have administrative access to your Zscaler NSS Cloud console.
Realm: Setup Source
- Log in to the Realm console.
- Go to Sources > Add > Zscaler NSS Cloud Sentinel and add a new Source.
  Name: Zscaler NSS Cloud
  Description: Zscaler NSS Cloud logs
- Select Cloud HTTP, and give the input feed a name and description.
- You can provide your own token; if you do not, a token will be generated on creation of the feed.
- Copy your token and HTTP URL, as these will be used to configure your Zscaler NSS Cloud feeds.
Zscaler: Setup NSS Cloud feed
Follow these steps to configure an NSS feed for web logs to Realm Security Data Fabric.

Use the following values:
Feed Name: Name of the feed
NSS Type: Select type
SIEM Destination Type: Other
API URL: Enter HTTP URL from Realm console
HTTP Headers: Set the key to Authorization and set the value to Bearer {Realm Token}
Log Type: Choose the log type corresponding to the NSS feed you are setting up (Web, Firewall, etc.)
Feed Output Type: JSON — By default it sends JSON data in JSON array notation. You must disable this option so data is sent in NDJSON.
Feed Output Format: Paste the format string for the corresponding Zscaler NSS feed from here: Zscaler NSS Format Strings for MS Sentinel
- Note: Ensure that OAuth 2.0 Authentication has been disabled.
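
The following is an added example, not Realm or Zscaler code: a check you can run against a captured feed request (for instance one sent to a test listener) to confirm the two settings above, the Bearer header and NDJSON output. The function name, token and event keys are assumptions made for illustration.

```python
import hmac
import json

def check_nss_cloud_request(headers, body, expected_token):
    """Return a list of problems found in one captured NSS Cloud feed request."""
    problems = []
    # HTTP header names are case-insensitive, so normalise before the lookup.
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, token = auth.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        problems.append("Authorization header is not 'Bearer <token>'")
    elif not hmac.compare_digest(token.encode(), expected_token.encode()):
        # Constant-time comparison; never log the token itself.
        problems.append("bearer token does not match the Realm feed token")

    text = body.decode("utf-8", errors="replace").strip()
    if not text:
        problems.append("body is empty")
    elif text.startswith("["):
        # JSON array notation is still enabled on the feed.
        problems.append("body is a JSON array; the feed must send NDJSON")
    else:
        for n, line in enumerate(text.splitlines(), 1):
            if not line.strip():
                continue
            try:
                event = json.loads(line)
            except json.JSONDecodeError as exc:
                problems.append(f"line {n}: not valid JSON ({exc.msg})")
                continue
            if not isinstance(event, dict):
                problems.append(f"line {n}: expected one JSON object per line")
    return problems

# Constructed sample data: the token, keys and values are placeholders.
TOKEN = "example-realm-token"
EVENTS = [{"action": "Allowed", "host": "example.com"},
          {"action": "Blocked", "host": "example.org"}]
NDJSON_BODY = "\n".join(json.dumps(e) for e in EVENTS).encode()
ARRAY_BODY = json.dumps(EVENTS).encode()
GOOD_HEADERS = {"Authorization": f"Bearer {TOKEN}"}

if __name__ == "__main__":
    for name, body in (("NDJSON", NDJSON_BODY), ("JSON array", ARRAY_BODY)):
        print(name, check_nss_cloud_request(GOOD_HEADERS, body, TOKEN) or "OK")
```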
Support
For additional details, refer to the official Zscaler NSS documentation.
If you encounter any issues or require assistance, contact Realm Security support.
Event Metadata
The following additional metadata fields will be included with the events. _sourceCategory is only set when sending data to Splunk and is not applied for data going to other SIEMs.
| Feed Type | Field Name | Value |
|---|---|---|
| All feeds | _sourceCategory | zscaler/zia-splunk |
| ZIA WEB | source_type | zscalernss-web |
| ZIA TUNNEL | source_type | zscalernss-tunnel |
| ZIA FIREWALL | source_type | zscalernss-fw |
| ZIA DNS | source_type | zscalernss-dns |
| ZIA AUDIT | source_type | zscalernss-audit |