zScaler NSS

zScaler is a software as a service (SaaS) web proxy with an "on-premises" NSS component that retrieves the logs from the cloud and pulls them into the local network for log aggregators, such as the InsightIDR Collector.

You can find additional information on how to configure zScaler NSS here: https://help.zscaler.com/zia/documentation-knowledgebase/analytics/nss/nss-deployment-guides.

While zScaler NSS supports multiple log formats, InsightIDR currently only has parsers for QRadar LEEF (Log Event Extended Format) and CEF (Common Event Format), which you can read about here: https://help.zscaler.com/zia/nss-configuration-example-qradar#subc-Add.

The zScaler logs must arrive in a certain format in order for InsightIDR to correctly parse them. Configure log forwarding to use the following LEEF format: 

%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss: LEEF:1.0|Zscaler|NSS|4.1|%s{reason}|cat=%s{action}\tdevTime=%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} America/Chicago\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tsrc=%s{cip}\tdst=%s{sip}\tsrcPostNAT=%s{cintip}\trealm=%s{location}\tusrName=%s{login}\tsrcBytes=%d{reqsize}\tdstBytes=%d{respsize}\trole=%s{dept}\tpolicy=%s{reason}\turl=%s{url}\trecordid=%d{recordid}\tbwthrottle=%s{bwthrottle}\tuseragent=%s{ua}\treferer=%s{referer}\thostname=%s{host}\tappproto=%s{proto}\turlcategory=%s{urlcat}\turlsupercategory=%s{urlsupercat}\turlclass=%s{urlclass}\tappclass=%s{appclass}\tappname=%s{appname}\tmalwaretype=%s{malwarecat}\tmalwareclass=%s{malwareclass}\tthreatname=%s{threatname}\triskscore=%d{riskscore}\tdlpdict=%s{dlpdict}\tdlpeng=%s{dlpeng}\tfileclass=%s{fileclass}\tfiletype=%s{filetype}\treqmethod=%s{reqmethod}\trespcode=%s{respcode}

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Web Proxy icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Optionally choose to send unfiltered logs.
  6. Choose the timezone that matches the location of your event source logs.
  7. Select a collection method and specify a port and a protocol.
    • Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
  8. Click Save.