
This procedure applies only to the NSS for Web server.

A large number of filters or complex filters, such as string search, might impact the performance of the NSS.

You can configure multiple types of filters. For example, if an admin selects the location HQ and department Finance, the NSS will select logs that belong to both the HQ location and Finance department.

To configure a feed for SaaS security logs:

  1. Go to Administration → Nanolog Streaming Service.
  2. On the NSS Feeds tab, click Add NSS Feed. The Add NSS Feed window appears.
  3. On the Add NSS Feed window, enter the following information:

    Feed Name: Enter or edit the name of the feed. Each feed is a connection between NSS and your Devo Relay.
    NSS Type: Select which type of feed you are configuring. NSS for Web is selected by default.
    NSS Server: Choose an NSS from the list.
    Status: The NSS feed is Enabled by default. Click Disabled if you want to activate it later.
    SIEM Destination Type:

    The type of destination. Choose between:

    • SIEM IP Address - Enter the IP address of the Devo Relay to which the logs are streamed. 

    • FQDN - (optional) Enter the fully qualified domain name of the destination for the TCP connection to which the logs are streamed. This allows failover from one IP address to another without manual intervention on the NSS: you only update the DNS entry. NSS re-resolves the FQDN only when the existing connection goes down, so this feature cannot be used for DNS-based load balancing.

    SIEM TCP Port: Enter the port number of the Devo Relay to which the logs are streamed. Ensure that the Devo Relay is configured to accept the feed from the NSS. If you are using the proposed TCP configuration:
    • Type 13008 for Collaboration Category.

    • Type 13009 for CRM Category.

    • Type 13010 for Email Category.

    • Type 13011 for File Category.

    • Type 13012 for ITSM Category.

    • Type 13013 for Repository Category.

    Log Type: Choose SaaS Security API.
    SIEM Rate Limit (Events per Second): Leave as unrestricted unless you need to throttle the output stream because of licensing or other constraints. A limit that is too low for the traffic volume causes log loss.
    Application Category:

    Choose an application category to limit the data to a specific category:

    • SaaS Security Collaboration

      • Slack

    • SaaS Security CRM

      • Salesforce

    • SaaS Security Email

      • Box

      • Citrix ShareFile

      • Dropbox

      • Google Drive

      • Microsoft OneDrive

      • Microsoft SharePoint

    • SaaS Security File

      • Gmail

      • Microsoft Exchange

    • SaaS Security ITSM

      • ServiceNow

    • SaaS Security Repository

      • GitHub

    Feed Output Type: Choose Custom.
    Feed Escape Character:

    The Zscaler service hex encodes all non-printable ASCII characters that are in URLs when it sends the logs to the NSS. Any URL character that is less than 0x21, or above 0x7E, will be encoded as %HH. This ensures that your Devo Relay will be able to parse the URLs in case they contain non-printable characters. For example, a \n char in a URL is encoded as %0A, and a space is encoded as %20. In this field, you can specify additional characters that you would like to encode. For example, type a comma (,) to encode it as %2C. This is useful if you are using this character as your delimiter and would like to ensure it does not cause erroneous delimitation. Note that the service encodes characters in URLs, host names, and referer URLs only. If custom encoding was done for a record, the %s{eedone} field will be YES for that record.
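    The encoding rule described above, modelled in Python as an added example (this is not code from the page, Devo or Zscaler): every URL byte below 0x21 or above 0x7E becomes %HH, characters listed in the Feed Escape Character field are encoded as well, and the eedone flag is reported as YES only when that custom encoding actually happened. One assumption is made beyond the page: characters outside ASCII are encoded byte by byte as UTF-8.

```python
"""Added example, not code from the page, Devo or Zscaler: a model of the
Feed Escape Character rule, plus the matching relay-side decoder.

Rule from the page: every URL character below 0x21 or above 0x7E is sent as
%HH; characters listed in the Feed Escape Character field are encoded as well,
and the record's eedone field is YES when that custom encoding happened.
Assumption: characters outside ASCII are encoded byte-wise as UTF-8."""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def nss_escape(value: str, extra: str = "") -> tuple:
    """Return (encoded_value, custom_done) for one URL, host name or referer.

    `extra` models the Feed Escape Character field (e.g. "," when the feed
    delimiter is a comma); custom_done mirrors the page's eedone flag.
    """
    extra_bytes = {b for c in extra for b in c.encode("utf-8")}
    out = []
    custom_done = False
    for byte in value.encode("utf-8"):
        if byte < 0x21 or byte > 0x7E:      # non-printable or non-ASCII: always encoded
            out.append(f"%{byte:02X}")
        elif byte in extra_bytes:           # configured extra character
            out.append(f"%{byte:02X}")
            custom_done = True
        else:
            out.append(chr(byte))
    return "".join(out), custom_done


def nss_unescape(encoded: str) -> str:
    """Relay-side decoder: turn %HH sequences back into bytes, then decode UTF-8.

    Caveat: '%' (0x25) is printable, so the service leaves a literal '%' in a
    URL untouched. If raw URLs can contain one, add '%' to the Feed Escape
    Character field so that decoding stays unambiguous.
    """
    raw = bytearray()
    i = 0
    while i < len(encoded):
        if (encoded[i] == "%" and i + 2 < len(encoded)
                and encoded[i + 1] in HEX_DIGITS and encoded[i + 2] in HEX_DIGITS):
            raw.append(int(encoded[i + 1:i + 3], 16))
            i += 3
        else:
            raw.extend(encoded[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Constructed sample URL containing a space, a newline and the comma delimiter.
    encoded, done = nss_escape("http://example.com/a b,c\n", extra=",")
    print(encoded, "eedone=YES" if done else "eedone=NO")
    print(repr(nss_unescape(encoded)))
```

    The decoder is what the relay side needs; the caveat in its docstring is the one practical gotcha: because a literal % is printable it is never encoded by the rule as described, so a URL that already contains %-sequences cannot be told apart from an encoded one unless % is added to the escape list.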

    Feed Output Format:

    Copy and paste the proper output format for the chosen category:

    • Collaboration Category:

      \{"tenant":"%s{tenant}","applicationname":"%s{applicationname}","time":"%s{time}","epochtime":%d{epochtime},"recordid":%d{recordid},"filename":"%s{filename}","filetypename":"%s{filetypename}","filesize":%d{filesize},"filemd5":"%s{filemd5}","collabscope":"%s{collabscope}","department":"%s{department}","policy":"%s{policy}","rulelabel":"%s{rulelabel}","ruletype":"%s{ruletype}","malware":"%s{malware}","threatname":"%s{threatname}","malwareclass":"%s{malwareclass}","dlpdictnames":"%s{dlpdictnames}","dlpenginenames":"%s{dlpenginenames}","dlpidentifier":%d{dlpidentifier},"severity":"%s{severity}","dlpdictcount":"%s{dlpdictcount}","filetypecategory":"%s{filetypecategory}","filesize":%d{filesize},"component":"%s{component}","sha":"%s{sha}","internal_recptnames":"%s{internal_recptnames}","external_recptnames":"%s{external_recptnames}","ointernal_recptnames":"%s{ointernal_recptnames}","oexternal_recptnames":"%s{oexternal_recptnames}","sharedchannel_hostname":"%s{sharedchannel_hostname}","sender":"%s{sender}","osender":"%s{osender}","esender":"%s{esender}","channel_name":"%s{channel_name}","ochannel_name":"%s{ochannel_name}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}"\}\n
    • CRM Category:

      \{"tenant":"%s{tenant}","applicationname":"%s{applicationname}","time":"%s{time}","epochtime":%d{epochtime},"recordid":%d{recordid},"filename":"%s{filename}","filetypename":"%s{filetypename}","filesize":%d{filesize},"filemd5":"%s{filemd5}","collabscope":"%s{collabscope}","fullurl":"%s{fullurl}","suburl":"%s{suburl}","department":"%s{department}","policy":"%s{policy}","rulelabel":"%s{rulelabel}","ruletype":"%s{ruletype}","malware":"%s{malware}","threatname":"%s{threatname}","malwareclass":"%s{malwareclass}","dlpdictnames":"%s{dlpdictnames}","dlpenginenames":"%s{dlpenginenames}","dlpidentifier":%d{dlpidentifier},"severity":"%s{severity}","dlpdictcount":"%s{dlpdictcount}","num_internal_collab":%d{num_internal_collab},"num_external_collab":%d{num_external_collab},"objectname":"%s{objectname}","objecttype":"%s{objecttype}","file_msg_id":"%s{file_msg_id}","filetypecategory":"%s{filetypecategory}","hostname":"%s{hostname}","ohostname":"%s{ohostname}","ofullurl":"%s{ofullurl}","internal_collabnames":"%s{internal_collabnames}","external_collabnames":"%s{external_collabnames}","ointernal_collabnames":"%s{ointernal_collabnames}","oexternal_collabnames":"%s{oexternal_collabnames}","filesize":%d{filesize},"file_msg_mod_time":"%s{file_msg_mod_time}","filepath":"%s{filepath}","component":"%s{component}","sha":"%s{sha}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}"\}\n
    • Email Category:

      \{"tenant":"%s{tenant}","applicationname":"%s{applicationname}","filedownloadtimems":%d{filedownloadtimems},"filescantimems":%d{filescantimems},"time":"%s{time}","epochtime":%d{epochtime},"recordid":%d{recordid},"epochlastmodtime":%d{epochlastmodtime},"department":"%s{department}","policy":"%s{policy}","rulelabel":"%s{rulelabel}","ruletype":"%s{ruletype}","malware":"%s{malware}","threatname":"%s{threatname}","malwareclass":"%s{malwareclass}","dlpdictnames":"%s{dlpdictnames}","dlpenginenames":"%s{dlpenginenames}","dlpidentifier":%d{dlpidentifier},"severity":"%s{severity}","dlpdictcount":"%s{dlpdictcount}","sender":"%s{sender}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}"\}\n
    • File Category:

      \{"tenant":"%s{tenant}","applicationname":"%s{applicationname}","filedownloadtimems":%d{filedownloadtimems},"filescantimems":%d{filescantimems},"time":"%s{time}","epochtime":%d{epochtime},"recordid":%d{recordid},"filename":"%s{filename}","filetypename":"%s{filetypename}","filesource":"%s{filesource}","filesize":%d{filesize},"lastmodtime":"%s{lastmodtime}","epochlastmodtime":%d{epochlastmodtime},"filemd5":"%s{filemd5}","collabscope":"%s{collabscope}","fullurl":"%s{fullurl}","suburl":"%s{suburl}","department":"%s{department}","user":"%s{user}","policy":"%s{policy}","rulelabel":"%s{rulelabel}","ruletype":"%s{ruletype}","malware":"%s{malware}","threatname":"%s{threatname}","malwareclass":"%s{malwareclass}","dlpdictnames":"%s{dlpdictnames}","dlpenginenames":"%s{dlpenginenames}","dlpidentifier":%d{dlpidentifier},"severity":"%s{severity}","dlpdictcount":"%s{dlpdictcount}","filetypecategory":"%s{filetypecategory}","hostname":"%s{hostname}","filesize":%d{filesize},"sha":"%s{sha}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}"\}\n
    • ITSM Category:

      \{"tenant":"%s{tenant}","applicationname":"%s{applicationname}","time":"%s{time}","epochtime":%d{epochtime},"recordid":%d{recordid},"filename":"%s{filename}","filetypename":"%s{filetypename}","filesize":%d{filesize},"filemd5":"%s{filemd5}","collabscope":"%s{collabscope}","fullurl":"%s{fullurl}","suburl":"%s{suburl}","department":"%s{department}","policy":"%s{policy}","rulelabel":"%s{rulelabel}","ruletype":"%s{ruletype}","malware":"%s{malware}","threatname":"%s{threatname}","malwareclass":"%s{malwareclass}","dlpdictnames":"%s{dlpdictnames}","dlpenginenames":"%s{dlpenginenames}","dlpidentifier":%d{dlpidentifier},"severity":"%s{severity}","dlpdictcount":"%s{dlpdictcount}","num_internal_collab":%d{num_internal_collab},"num_external_collab":%d{num_external_collab},"objectname":"%s{objectname}","objecttype":"%s{objecttype}","file_msg_id":"%s{file_msg_id}","filetypecategory":"%s{filetypecategory}","hostname":"%s{hostname}","ohostname":"%s{ohostname}","ofullurl":"%s{ofullurl}","internal_collabnames":"%s{internal_collabnames}","external_collabnames":"%s{external_collabnames}","ointernal_collabnames":"%s{ointernal_collabnames}","oexternal_collabnames":"%s{oexternal_collabnames}","filesize":%d{filesize},"file_msg_mod_time":"%s{file_msg_mod_time}","filepath":"%s{filepath}","component":"%s{component}","sha":"%s{sha}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}"\}\n
    • Repository Category:

      \{"tenant":"%s{tenant}","applicationname":"%s{applicationname}","time":"%s{time}","epochtime":%d{epochtime},"recordid":%d{recordid},"filename":"%s{filename}","filetypename":"%s{filetypename}","filesize":%d{filesize},"lastmodtime":"%s{lastmodtime}","filemd5":"%s{filemd5}","collabscope":"%s{collabscope}","department":"%s{department}","policy":"%s{policy}","rulelabel":"%s{rulelabel}","ruletype":"%s{ruletype}","malware":"%s{malware}","threatname":"%s{threatname}","malwareclass":"%s{malwareclass}","dlpdictnames":"%s{dlpdictnames}","dlpenginenames":"%s{dlpenginenames}","dlpidentifier":%d{dlpidentifier},"severity":"%s{severity}","dlpdictcount":"%s{dlpdictcount}","num_external_collab":%d{num_external_collab},"filetypecategory":"%s{filetypecategory}","external_collabnames":"%s{external_collabnames}","oexternal_collabnames":"%s{oexternal_collabnames}","filesize":%d{filesize},"filepath":"%s{filepath}","sha":"%s{sha}","datacenter":"%s{datacenter}","datacentercity":"%s{datacentercity}","datacentercountry":"%s{datacentercountry}"\}\n
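    Before pasting one of the category formats above into a production feed it is worth checking that the template actually yields one parseable JSON object per line and whether any key is repeated (the File, CRM, ITSM and Repository formats above list filesize twice, which most JSON parsers silently collapse to the last value). The following Python renderer is an added example, not code from the page, Devo or Zscaler. It assumes the template syntax visible on this page (%s{field} for strings, %d{field} for integers, \{ \} \n as literal escapes); how the real service escapes quotes inside string values is not described here, so the renderer JSON-escapes them as an assumption. The sample template and record are constructed.

```python
r"""Added example, not code from the page, Devo or Zscaler: render a custom
Feed Output Format template with sample values and check the result is JSON.

Template syntax assumed from this page: %s{field} inserts a string field,
%d{field} an integer field, and \{  \}  \n are literal brace/newline escapes.
Quote escaping inside values is an assumption (the page does not describe it)."""
import json
import re

FIELD_RE = re.compile(r"%([sd])\{(\w+)\}")


def render(template: str, record: dict) -> str:
    """Expand one template against one record (dict of field name -> value)."""
    # Resolve the literal escapes first, so a "\n" produced by JSON-escaping a
    # value below cannot be mistaken for the template's trailing newline.
    text = template.replace(r"\{", "{").replace(r"\}", "}").replace(r"\n", "\n")

    def expand(match):
        kind, name = match.group(1), match.group(2)
        value = record.get(name)
        if kind == "d":
            return str(int(value or 0))
        # assumption: string values are JSON-escaped so quotes cannot break the record
        return json.dumps("" if value is None else str(value))[1:-1]

    return FIELD_RE.sub(expand, text)


def parse_record(line: str):
    """Parse one rendered record; return (object, list of duplicated keys)."""
    dups = []

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen and key not in dups:
                dups.append(key)
            seen.add(key)
        return dict(pairs)

    return json.loads(line, object_pairs_hook=hook), dups


def check_template(template: str):
    """Render with placeholder values; return (is_valid_json, duplicated_keys).

    Paste any of the category formats from this page in here before deploying it.
    """
    placeholders = {name: (1 if kind == "d" else "x") for kind, name in FIELD_RE.findall(template)}
    try:
        _, dups = parse_record(render(template, placeholders))
    except json.JSONDecodeError:
        return False, []
    return True, dups


# Constructed subset of the File Category fields from this page; "filesize"
# appears twice there as well, which json.loads would otherwise silently collapse.
SAMPLE_TEMPLATE = (
    r'\{"tenant":"%s{tenant}","applicationname":"%s{applicationname}",'
    r'"time":"%s{time}","epochtime":%d{epochtime},"recordid":%d{recordid},'
    r'"filename":"%s{filename}","filesize":%d{filesize},"severity":"%s{severity}",'
    r'"filesize":%d{filesize},"user":"%s{user}"\}\n'
)

# Constructed sample record; the filename contains quotes to exercise escaping.
SAMPLE_RECORD = {
    "tenant": "example-tenant", "applicationname": "Google Drive",
    "time": "Mon Jan 1 00:00:00 2024", "epochtime": 1704067200,
    "recordid": 42, "filename": 'budget "final".xlsx', "filesize": 2048,
    "severity": "High", "user": "alice@example.com",
}

if __name__ == "__main__":
    line = render(SAMPLE_TEMPLATE, SAMPLE_RECORD)
    obj, dups = parse_record(line)
    print(line, end="")
    print("parsed filename:", obj["filename"], "| duplicate keys:", dups)
```

    check_template is the part to reuse: it substitutes placeholder values for every field reference and reports whether the line parses and which keys repeat, which is a cheap pre-deployment check for any custom format.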
    User Obfuscation: You can enable user obfuscation. When enabled, a random string is displayed instead of the user name, and the login field in the Feed Output Format automatically changes to the ologin field, which outputs the obfuscated login name. Choose Disable to display the user names.
    Timezone: By default, this is set to the organization's time zone. The time zone you set applies to the time field in the output file and adjusts automatically for daylight saving time in that zone. The configured time zone can be output to the logs as a separate field. The list of time zones is derived from the IANA Time Zone Database; direct GMT offsets can also be specified.
    Duplicate Logs: To ensure that no logs are skipped during any downtime, specify the number of minutes of logs that the NSS resends after a connection recovers. Zscaler recommends setting this to 60, so that the NSS resends the last hour of logs to the Devo Relay after the connection between the NSS and the Devo Relay recovers.
  4. Click Save and activate the change.
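The Duplicate Logs setting above means that, after a connection recovers, the receiver sees every record from the replay window a second time, so the consumer behind the Devo Relay needs to tolerate repeats. The Python below is an added example, not code from the page, Devo or Zscaler, of a receiver-side de-duplicator for that replay. It assumes each record has already been parsed from the feed into a dict, that the pair (tenant, recordid) identifies a record uniquely, and that epochtime is in seconds; the sample stream is constructed.

```python
"""Added example, not code from the page, Devo or Zscaler: receiver-side
de-duplication for the replay window created by the Duplicate Logs setting.

Assumptions: records are parsed JSON objects from the feed, (tenant, recordid)
identifies a record uniquely, and epochtime is in seconds."""
from collections import OrderedDict


class ReplayDeduplicator:
    """Remember record keys for `window_minutes` of log time and drop repeats.

    Keep the window larger than the Duplicate Logs setting (the page recommends
    60 minutes) so every replayed record still has its key in memory.
    """

    def __init__(self, window_minutes: int = 90):
        self.window = window_minutes * 60
        self.seen = OrderedDict()   # (tenant, recordid) -> epochtime, in arrival order
        self.latest = 0             # newest epochtime seen; replayed records are older
        self.dropped = 0

    def _evict(self):
        # Entries arrive roughly in time order, so stop at the first one still inside the window.
        while self.seen:
            _, ts = next(iter(self.seen.items()))
            if self.latest - ts <= self.window:
                break
            self.seen.popitem(last=False)

    def accept(self, record: dict) -> bool:
        """Return True for a first occurrence, False for a replayed duplicate."""
        key = (record["tenant"], record["recordid"])
        ts = int(record["epochtime"])
        self.latest = max(self.latest, ts)
        self._evict()
        if key in self.seen:
            self.dropped += 1
            return False
        self.seen[key] = ts
        return True


def dedupe_stream(records, window_minutes: int = 90) -> list:
    """Keep only the first occurrence of each record in an iterable of feed records."""
    dedup = ReplayDeduplicator(window_minutes)
    return [r for r in records if dedup.accept(r)]


# Constructed sample stream: three records, a connection drop, then the NSS
# replays the last hour and continues with what it buffered during the outage.
T0 = 1_700_000_000
SAMPLE_STREAM = [
    {"tenant": "example-tenant", "recordid": 1, "epochtime": T0},
    {"tenant": "example-tenant", "recordid": 2, "epochtime": T0 + 600},
    {"tenant": "example-tenant", "recordid": 3, "epochtime": T0 + 1200},
    {"tenant": "example-tenant", "recordid": 2, "epochtime": T0 + 600},    # replayed
    {"tenant": "example-tenant", "recordid": 3, "epochtime": T0 + 1200},   # replayed
    {"tenant": "example-tenant", "recordid": 4, "epochtime": T0 + 1800},   # buffered, new
    # another tenant may reuse recordid values, which is why tenant is part of the key
    {"tenant": "other-tenant", "recordid": 4, "epochtime": T0 + 1800},
]

if __name__ == "__main__":
    for rec in dedupe_stream(SAMPLE_STREAM):
        print(rec)
```

Eviction is driven by the newest epochtime seen rather than by wall-clock time, so a backlog of old records drained after a long outage does not flush keys that the replay still needs.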

Available filters

Policy Type

Filter logs based on the specific policy type. You can specify multiple policies.

Policy Action

Filter logs based on the specific policy action taken. You can specify multiple policy actions.

Scan Time

Filter logs based on the time the SaaS Security API policy took to scan content within the tenant. Enter either a specific value or a range with a dash. The default unit of measure is milliseconds, but you can specify this unit using either MS or SEC. For example: 10MS-100MS. 

Event

Choose the type of event.

Who

  • Departments: Filter logs to specific departments that generated transactions. You can search for users by user name or email address. There's no limit to the number of users that you can select. Users that are deleted after they are selected appear with a strikethrough line.

  • Groups: Filter logs to specific groups that generated transactions. You can search for users by user name or email address. There's no limit to the number of users that you can select. Users that are deleted after they are selected appear with a strikethrough line.

  • Users: Filter logs to specific users that generated transactions. You can search for users by user name or email address. There's no limit to the number of users that you can select. Users that are deleted after they are selected appear with a strikethrough line.  

ITSM

  • File Name: Filter logs to specific file names. You can enter multiple file names separated by commas.

  • File Size: Filter logs based on their file size. Enter either a specific size or a range with a dash. You can enter multiple values separated by commas. By default, the service uses bytes, but you can also specify KB, MB, GB, or TB. For example: 10KB-1MB, 200.

  • File Source: Filter logs based on their source location.

  • External Owner: Filter logs associated with the external owner (outside your organization) of the questionable file. Multiple selections are allowed.

  • Internal Collaborators: Filter logs associated with specific collaborators within your organization. Multiple selections are allowed.

  • External Collaborators: Filter logs associated with specific collaborators outside of your organization. Multiple selections are allowed.

  • Object Type: Choose Any to inspect all object types, or choose a specific object type.

  • Object Name: Filter logs to specific object names. You can enter multiple object names separated by commas.

Collaboration

  • External Recipients: Filter logs to specific recipients outside your organization. Multiple selections are allowed.

  • Internal Recipients: Filter logs to specific recipients within your organization. Multiple selections are allowed.

  • Channel Name: Filter logs to specific channel names. You can enter multiple channel names separated by commas.

File

  • File Type Category: Filter logs based on the file type category detected from the content. Multiple selections are allowed.

  • File Name: Filter logs to specific file names. You can enter multiple file names separated by commas.

  • File Size: Filter logs based on their file size. Enter either a specific size or a range with a dash. You can enter multiple values separated by commas. By default, the service uses bytes, but you can also specify KB, MB, GB, or TB. For example: 10KB-1MB, 200.
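The Scan Time and File Size filters share one value syntax: a single value or a dash-separated range, several of them separated by commas, each with an optional unit suffix (MS or SEC with milliseconds as the base unit; KB, MB, GB or TB with bytes as the base unit). The Python below is an added example, not code from the page, Devo or Zscaler, that parses that syntax and tests a record value against it, which is useful for validating a filter expression before saving the feed. Two details are assumptions not stated on the page: range bounds are inclusive, and the size units are 1024-based.

```python
"""Added example, not code from the page, Devo or Zscaler: parser for the
value-or-range filter syntax used by the Scan Time and File Size filters.

Assumptions not stated on the page: range bounds are inclusive, unit names are
case-insensitive, and KB/MB/GB/TB are 1024-based."""
import re

SIZE_UNITS = {"": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}  # base: bytes
TIME_UNITS = {"": 1, "MS": 1, "SEC": 1000}                                            # base: milliseconds

TERM_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([A-Za-z]*)\s*$")


def parse_term(text: str, units: dict) -> float:
    """'10KB' -> 10240.0 ; '1sec' -> 1000.0 ; '200' -> 200.0 (base units)."""
    match = TERM_RE.match(text)
    if not match:
        raise ValueError(f"bad filter value: {text!r}")
    number, unit = match.group(1), match.group(2).upper()
    if unit not in units:
        raise ValueError(f"unknown unit {unit!r} in {text!r}")
    return float(number) * units[unit]


def parse_filter(expr: str, units: dict) -> list:
    """'10KB-1MB, 200' -> [(10240.0, 1048576.0), (200.0, 200.0)]."""
    ranges = []
    for part in expr.split(","):
        if not part.strip():
            continue
        low_text, dash, high_text = part.partition("-")
        low = parse_term(low_text, units)
        high = parse_term(high_text, units) if dash else low
        if high < low:
            raise ValueError(f"range is reversed: {part.strip()!r}")
        ranges.append((low, high))
    return ranges


def is_valid_filter(expr: str, units: dict) -> bool:
    """Pre-save check: True when every term and range in the expression parses."""
    try:
        return bool(parse_filter(expr, units))
    except ValueError:
        return False


def matches(value: float, ranges: list) -> bool:
    """True when the record value falls inside any of the parsed ranges."""
    return any(low <= value <= high for low, high in ranges)


if __name__ == "__main__":
    size_filter = parse_filter("10KB-1MB, 200", SIZE_UNITS)
    time_filter = parse_filter("10MS-100MS", TIME_UNITS)
    # Constructed record values: file size in bytes, scan time in milliseconds.
    for size in (200, 2000, 500_000):
        print("size", size, "->", matches(size, size_filter))
    for ms in (5, 50, 1_500):
        print("scan time", ms, "ms ->", matches(ms, time_filter))
```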

DLP

  • DLP Engines: Filter logs to transactions in which data leakage was detected based on specific DLP engines. Multiple selections are allowed.

  • DLP Dictionaries: Filter logs to transactions in which data leakage was detected based on specific DLP dictionaries. Multiple selections are allowed.

  • Severity: Choose the severity level of the incidents detected by the SaaS Security API DLP policy.

Malware

  • Threat Class: Filter logs based on the specific threat class. You can specify multiple threat classes.

  • Threat Category: Filter logs based on the specific threat category. You can specify multiple threat categories.

  • Threat Name: Filter logs based on specific threats that were detected. You can specify multiple threat names separated by commas.

Application

  • SaaS Application: Filter logs based on the specific sanctioned SaaS application. You can specify multiple applications.

  • SaaS Application Tenant: Filter logs based on the specific SaaS application tenant. You can specify multiple tenants. 
