Transferring Web and Cloud Firewall logs into Enterprise SIEM by using Zscaler’s Nanolog Streaming Service (NSS)

January 6, 2025

Loginsoft, as part of its Technology Engagement in delivering comprehensive cybersecurity services, has successfully implemented the Zscaler Nanolog Streaming Service (NSS) for one of its Enterprise Cloud SIEM clients. By deploying a virtual appliance, its Content Pack engineers enabled real-time streaming of the security and access event logs that Zscaler records. These logs are configured to integrate with the client's Enterprise Cloud SIEM, improving the client's ability to monitor, analyze, and respond to security incidents effectively.

Deploying Zscaler NSS: A Step-by-Step Guide

Requirements:

Setup/Configuring Zscaler NSS using VMware:

  1. Deploy the NSS Virtual Appliance, on-premises or in the cloud, as required.
  2. There are three platforms to choose from: VMware, AWS and Azure. This section covers VMware.

Figure 1 - NSS Virtual Appliance Deployment

  3. Download the virtual appliance and register the VM in ESXi using the OVA file.
  4. Configure network connectivity and upload the required certificates for secure communication.
  5. Add an NSS Feed by defining the SIEM IP address, port number, log format and output format.

Figure 2 - Add NSS Feed

Log Formats: CEF, Syslog, LEEF  

Sample Web Logs:

Syslog
<14>1 2024-12-24T12:01:00Z host.domain.com NSS - - - action=blocked app_name=HTTP dst_ip=203.0.113.20 dst_port=80 proto=TCP src_ip=192.0.2.15 src_port=54321 bytes=12345 duration=15 rule_label=Block_HTTP rule_id=102 category=Web_Browsing url=http://blocked-site.com 

CEF
CEF:0|Zscaler|NSS|1.0|102|Web Browsing|8|act=blocked app=HTTP dst=203.0.113.20 dpt=80 proto=TCP src=192.0.2.15 spt=54321 cs1Label=Rule_Label cs1=Block_HTTP cs2Label=Category cs2=Web_Browsing cs3Label=URL cs3=http://blocked-site.com rt=2024-12-24T12:01:00Z in=12345 out=0 du=15 

LEEF
LEEF:2.0|Zscaler|NSS|1.0|102|devTime=2024-12-24T12:01:00Z src=192.0.2.15 dst=203.0.113.20 dpt=80 proto=TCP spt=54321 app=HTTP cat=Web_Browsing rule=Block_HTTP action=blocked bytesIn=12345 duration=15 url=http://blocked-site.com 
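As an added example (not part of the original post and not Zscaler's or Loginsoft's own code), the following Python normalizes the three sample lines above into one common record, the kind of field mapping a SIEM content pack performs so that one detection works regardless of which NSS output format was selected. The common field names, the one-event-per-line assumption and the resolution of CEF cs1-cs3 through their csNLabel companions are my own choices.

```python
import re
from typing import Dict

# Constructed sample events, copied from the three NSS formats shown above
SYSLOG_SAMPLE = "<14>1 2024-12-24T12:01:00Z host.domain.com NSS - - - action=blocked app_name=HTTP dst_ip=203.0.113.20 dst_port=80 proto=TCP src_ip=192.0.2.15 src_port=54321 bytes=12345 duration=15 rule_label=Block_HTTP rule_id=102 category=Web_Browsing url=http://blocked-site.com"
CEF_SAMPLE = "CEF:0|Zscaler|NSS|1.0|102|Web Browsing|8|act=blocked app=HTTP dst=203.0.113.20 dpt=80 proto=TCP src=192.0.2.15 spt=54321 cs1Label=Rule_Label cs1=Block_HTTP cs2Label=Category cs2=Web_Browsing cs3Label=URL cs3=http://blocked-site.com rt=2024-12-24T12:01:00Z in=12345 out=0 du=15"
LEEF_SAMPLE = "LEEF:2.0|Zscaler|NSS|1.0|102|devTime=2024-12-24T12:01:00Z src=192.0.2.15 dst=203.0.113.20 dpt=80 proto=TCP spt=54321 app=HTTP cat=Web_Browsing rule=Block_HTTP action=blocked bytesIn=12345 duration=15 url=http://blocked-site.com"

# key=value pairs; a value runs until the next " key=" so values may contain spaces
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def _kv(text: str) -> Dict[str, str]:
    return dict(KV_RE.findall(text))

def _normalize(action, src, dst, dport, rule_id, rule, category, url, nbytes) -> Dict[str, object]:
    # One schema for all three feed formats (the field names are my own choice)
    return {"action": action, "src_ip": src, "dst_ip": dst, "dst_port": int(dport),
            "rule_id": int(rule_id), "rule": rule, "category": category,
            "url": url, "bytes": int(nbytes)}

def parse_syslog(line: str) -> Dict[str, object]:
    # RFC 5424 header: PRI+VERSION TIMESTAMP HOST APP PROCID MSGID SD, then the NSS message
    f = _kv(line.split(" ", 7)[7])
    return _normalize(f["action"], f["src_ip"], f["dst_ip"], f["dst_port"], f["rule_id"],
                      f["rule_label"], f["category"], f["url"], f["bytes"])

def parse_cef(line: str) -> Dict[str, object]:
    # CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
    hdr = line.split("|", 7)
    f = _kv(hdr[7])
    # cs1..cs3 are opaque custom strings; their meaning comes from the matching csNLabel
    custom = {f[k]: f[k[:-len("Label")]] for k in f if k.endswith("Label")}
    return _normalize(f["act"], f["src"], f["dst"], f["dpt"], hdr[4],
                      custom["Rule_Label"], custom["Category"], custom["URL"], f["in"])

def parse_leef(line: str) -> Dict[str, object]:
    # LEEF:Version|Vendor|Product|Version|EventID|attributes (as laid out in the sample above)
    hdr = line.split("|", 5)
    f = _kv(hdr[5])
    return _normalize(f["action"], f["src"], f["dst"], f["dpt"], hdr[4],
                      f["rule"], f["cat"], f["url"], f["bytesIn"])

def parse_nss(line: str) -> Dict[str, object]:
    # Dispatch on the prefix that the selected NSS output format emits
    if line.startswith("CEF:"):
        return parse_cef(line)
    if line.startswith("LEEF:"):
        return parse_leef(line)
    return parse_syslog(line)

if __name__ == "__main__":
    for sample in (SYSLOG_SAMPLE, CEF_SAMPLE, LEEF_SAMPLE):
        print(parse_nss(sample))
```

All three samples describe the same blocked request, so the three parsers should produce identical records; a mismatch is a quick way to spot a feed whose field mapping drifted.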

Verify Ingestion on your cloud SIEM

Figure 3 - Zscaler Logs in SIEM Input

About Loginsoft

For over 20 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media, and more have come to rely on Loginsoft as a trusted resource for technology talent. From startups to product companies and enterprises, organizations rely on our services. Whether Onsite, Offsite, or Offshore, we deliver. With a track record of successful partnerships with leading technology companies globally, and specifically in the past 6 years with Cybersecurity product companies, Loginsoft offers a comprehensive range of security offerings, including Software Supply Chain, Vulnerability Management, Threat Intelligence, Cloud Security, Cybersecurity Platform Integrations, creating content packs for Cloud SIEM, log onboarding and more. Our commitment to innovation and expertise has positioned us as a trusted player in the cybersecurity space. Loginsoft continues to provide traditional IT services, including Software Development & Support, QA Automation, Data Science & AI, etc.

Expertise in Integrations with Threat Intelligence and Security Products: Built more than 250 integrations with leading TIP, SIEM, SOAR, and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar & Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency Digital Exchange Platforms, Cisco, Datadog, Symantec, Carbon Black, F5, Fortinet, and more. Loginsoft is a partner of industry-leading technology vendors including Palo Alto, Splunk, Elastic and IBM Security.

In addition, Loginsoft offers Research as a service: We're more than just experts in cybersecurity; we're your accredited in-house research team focused on unraveling the complexities of cybersecurity and future technologies. From Application Security to Threat Research, our seasoned professionals have cultivated expertise in every facet of the field. We've earned the trust of over 20 security platform companies, who count on our research and analysis to strengthen their cybersecurity solutions.

Interested to learn more? Let’s start a conversation.
