
Adding MCAS NSS Feeds

In order for your MCAS NSS feed to perform optimally, the virtual machine (VM) deployed for the NSS server requires a minimum of 8GB of RAM. To learn more, see Deploying NSS Virtual Appliances and Integrating with Microsoft Cloud App Security.

If you deployed an NSS virtual appliance before the Internet & SaaS 5.6 release, ensure you have the latest version of Java installed on your VM.

To configure an MCAS NSS feed:

  1. Go to Logs > Log Streaming > Nanolog Streaming Service.
  2. From the NSS Feeds tab, click Add MCAS NSS Feed.

    The Add MCAS NSS Feed window appears.

  3. In the Add MCAS NSS Feed window:
    • Feed Name: Enter or edit the name of the feed. Each feed is a connection between the NSS and MCAS.
    • NSS Type: NSS for Web is selected by default.
    • NSS Server: Choose an NSS from the list.
    • Status: The NSS feed is Enabled by default. Choose Disabled if you want to activate it at a later time.
    • SIEM IP Address: This is the local host IP address to stream logs from the NSS to MCAS. The field is pre-populated and cannot be edited.
    • Feed Output Format: These are the fields that display in the output. The fields are pre-populated and cannot be edited.
  4. Define the filters:
      • Policy Action: Use this filter to limit the logs to transactions that were either allowed or blocked. Transactions wherein the service displayed a Caution page are considered blocked transactions; if users proceeded with the transactions, they are considered allowed.
      • Policy Reason: Use this filter to limit the logs based on the policy that the Zscaler service applied. These are the policy reason strings that are in transaction drilldown. They indicate which policy caused a block, or if allowed, the conditions under which they were allowed, such as Allowed due to override and Internet Access cautioned. Multiple selections are allowed.
      • Users: Use this filter to limit the logs to specific users who generated transactions. You can search for users by username or email address. There is no limit on the number of users that you can select. Users that are deleted after they are selected appear with a strikethrough line.
      • Departments: Use this filter to limit the logs to specific departments that generated transactions. You can search for departments. There is no limit on the number of departments that you can select. Departments that are deleted after they are selected appear with a strikethrough line.
      • Locations: Use this filter to limit the logs to specific locations from which transactions were generated. You can search for locations. There is no limit on the number of locations that you can select. Locations that are deleted after they are selected appear with a strikethrough line.
      • Client IP Addresses: Use this filter to limit the logs based on a client’s private IP address. You can enter:

        • An IP address (e.g., 198.51.100.100)
        • A range of IP addresses (e.g., 192.0.2.1-192.0.2.10)
        • An IP address with a netmask (e.g., 203.0.113.0/24)

        You can enter multiple entries. Press Enter after each entry.

      • Public IP Addresses: Use this filter to limit the logs based on a client’s public IP address. The internal IP address is available if traffic is forwarded to the service through a GRE or VPN tunnel, or from the XFF header. If the internal IP address is not available, the value is the same as the client IP address. You can enter:

        • An IP address (e.g., 198.51.100.100)
        • A range of IP addresses (e.g., 192.0.2.1-192.0.2.10)
        • An IP address with a netmask (e.g., 203.0.113.0/24)

        You can enter multiple entries. Press Enter after each entry.

      • Traffic Forwarding: Use this filter to limit the logs based on the traffic forwarding method to the Internet & SaaS Public Service Edge.
      • Direction: Use this filter to limit the logs to either inbound or outbound traffic.
      • User Agents: Use this filter to limit the logs to transactions associated with the user-agent string that the browser included in its GET request. Choose from the list of predefined user-agent strings or enter custom user-agent strings. Multiple selections are allowed.
      • Custom User Agent Strings: Use this filter to limit the logs to specific user-agent strings. A user-agent string contains browser and system information that the destination server can use to provide appropriate content.
      • Protocol Types: Use this filter to limit the logs to specific protocols. Supported protocols are HTTP, HTTPS and FTP. Multiple selections are allowed.
      • Request Methods: Use this filter to limit the logs based on the HTTP request method obtained from the client request. Multiple selections are allowed.
      • Response Codes: Use this filter to limit the logs based on the HTTP response code obtained from the server or generated by the Internet & SaaS Public Service Edge. Multiple selections are allowed.
      • Request Sizes: Use this filter to limit the logs based on HTTP request size. Enter either a specific size or a range with a dash. By default, the service uses bytes, but you can also specify KB, MB, GB, or TB (e.g., 10KB-1MB, 200). You can enter multiple entries. Press Enter after each entry.
      • Response Sizes: Use this filter to limit the logs based on HTTP response size. Enter either a specific size or a range with a dash. By default, the service uses bytes, but you can also specify KB, MB, GB, or TB (e.g., 10KB-1MB, 200). You can enter multiple entries. Press Enter after each entry.
      • Transaction Sizes: Use this filter to limit the logs based on transaction size, which is the header and body request or response size, or the request and response size. Enter either a specific size or a range with a dash. By default, the service uses bytes, but you can also specify KB, MB, GB, or TB (e.g., 10KB-1MB, 200). You can enter multiple entries. Press Enter after each entry.
      • Referer URLs: Use this filter to limit the logs based on the Referer URL in the HTTP header. You can use wildcards based on the rules:

        • *string: Suffix matching; matches URLs ending with ‘string’
        • string*: Prefix matching; matches URLs beginning with ‘string’
        • *string*: Substring matching; matches URLs containing ‘string’
        • string: Exact matching; matches URLs that are exactly ‘string’

        Multiple strings are allowed. Enter one string per line. String search is not case-sensitive.

      • URL Filter Type: Use this filter to limit the logs based on URLs in HTTP Requests. You can specify either a Hostname or the Full URL. You can use wildcards based on the rules:
        • string: Exact matching; matches URLs that are exactly ‘string’
        • *string*: Substring matching; matches URLs containing ‘string’
        • string*: Prefix matching; matches URLs beginning with ‘string’
        • *string: Suffix matching; matches URLs ending with ‘string’
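      The four wildcard forms above (shared by the Referer URLs and URL Filter Type filters) are small enough to check locally before entering them. The following is an added example, not Zscaler's code: it implements the four rules with case-insensitive matching, applies them to either the full URL or the hostname (the two URL Filter Type choices), and runs them over a constructed set of sample transaction URLs. Treating a list of entries as "match any" and treating an embedded `*` as a literal character are assumptions, since the page defines only the four end-anchored forms.

```python
from urllib.parse import urlsplit

# Constructed sample transaction URLs (not from the page).
SAMPLE_URLS = [
    "https://Finance.example.com/reports/q3.pdf",
    "https://www.example.com/login",
    "http://cdn.example.net/static/app.js",
    "https://example.org/",
]


def url_filter_matches(pattern: str, url: str, filter_type: str = "Full URL") -> bool:
    """Apply one filter string using the page's four wildcard forms.

    *string   -> suffix match      string*  -> prefix match
    *string*  -> substring match   string   -> exact match
    Matching is not case-sensitive. filter_type is "Full URL" or "Hostname".
    A '*' that is not at either end is a literal character (assumption).
    """
    p = pattern.strip().lower()
    # urlsplit() already lowercases the hostname; lowercase the full URL ourselves.
    subject = (urlsplit(url).hostname or "") if filter_type == "Hostname" else url.lower()

    starts_wild = p.startswith("*")
    ends_wild = p.endswith("*")
    core = p[1:] if starts_wild else p
    if ends_wild and core:
        core = core[:-1]

    if starts_wild and ends_wild:
        return core in subject          # *string*  (a bare "*" therefore matches everything)
    if starts_wild:
        return subject.endswith(core)   # *string
    if ends_wild:
        return subject.startswith(core) # string*
    return subject == core              # string


def filter_urls(patterns, urls, filter_type: str = "Full URL"):
    """Keep the URLs that match at least one entry (one entry per line in the UI).
    Assumption: multiple entries are combined with OR."""
    return [u for u in urls if any(url_filter_matches(p, u, filter_type) for p in patterns)]


if __name__ == "__main__":
    for u in filter_urls(["*.pdf", "*login*"], SAMPLE_URLS):
        print("full-url match:", u)
    for u in filter_urls(["*.example.com"], SAMPLE_URLS, "Hostname"):
        print("hostname match:", u)
```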
      • Hostnames: Use this filter to limit the logs based on specific hostnames.
      • URL Classes: Use this filter to limit the logs to specific URL classes. Select those that you want to include. Multiple selections are allowed.
      • URL Super Categories: Use this filter to limit the logs to specific URL super categories. Select those that you want to include. Multiple selections are allowed.
      • URL Categories: Use this filter to limit the logs to specific URL categories. Select those that you want to include. Multiple selections are allowed.
      • Server IP Addresses: Use this filter to limit the logs based on the destination server’s IP address. You can enter:

        • An IP address (e.g., 198.51.100.100)
        • A range of IP addresses (e.g., 192.0.2.1-192.0.2.10)
        • An IP address with a netmask (e.g., 203.0.113.0/24)

        You can enter multiple entries. Press Enter after each entry.
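        The Client IP Addresses, Public IP Addresses and Server IP Addresses filters all accept the same three entry forms (single address, dashed range, address with netmask). The following added example, not Zscaler's code, parses a pasted list of such entries into address ranges, rejects malformed entries before they reach the feed configuration, and checks whether a given address would be covered by the filter. The sample entries reuse the page's documentation addresses; rejecting a netmask entry whose host bits are set (e.g., 203.0.113.5/24) is a pre-check assumption, not documented product behaviour.

```python
import ipaddress

# Constructed filter entries, reusing the example addresses shown on the page.
SAMPLE_ENTRIES = [
    "198.51.100.100",            # single IP address
    "192.0.2.1-192.0.2.10",      # dashed range of IP addresses
    "203.0.113.0/24",            # IP address with a netmask
]


def parse_ip_entry(entry: str):
    """Return (first, last) addresses covered by one filter entry, or raise ValueError."""
    e = entry.strip()
    if "/" in e:
        # strict=True (default) rejects entries with host bits set, e.g. 203.0.113.5/24,
        # so a typo is caught here rather than silently widened (assumption, see lead-in).
        net = ipaddress.ip_network(e)
        return net[0], net[-1]
    if "-" in e:
        lo_s, hi_s = e.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {entry!r}")
        return lo, hi
    addr = ipaddress.ip_address(e)
    return addr, addr


def validate_entries(text: str):
    """Validate a multi-line paste (one entry per line). Returns [(entry, error_or_None)]."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            parse_ip_entry(line)
            results.append((line.strip(), None))
        except ValueError as exc:
            results.append((line.strip(), str(exc)))
    return results


def ip_in_filter(entries, ip: str) -> bool:
    """True if ip falls inside any entry (entries are combined with OR, an assumption)."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        lo, hi = parse_ip_entry(entry)
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False
```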

      • Cloud Application Classes: Use this filter to limit the logs to the selected cloud application classes. Multiple selections are allowed.
      • Cloud Applications: Use this filter to limit the logs to selected cloud applications. Multiple selections are allowed.

        The Miscellaneous <Cloud Application Category> Apps (e.g., Miscellaneous Finance Apps) option in this filter represents all the newly added lesser-known predefined applications for the category (e.g., Finance). Use the Search function to view and select the available Miscellaneous <Cloud Application Category> Apps options. To view the list of supported applications for each category, see Viewing Supported Cloud Applications.

      • Application Segment: Use this filter to limit the logs to specific application segments. The default option for this filter is Any.
      • Malware Classes: Use this filter to limit the logs based on malware class or name. Multiple selections are allowed.
      • Malware Names: Use this filter to limit the logs based on specific malware or viruses that were detected. You can specify multiple malware or virus names. Use the Search function to search for either.
      • Advanced Threats: Use this filter to limit the logs based on the types of advanced threats that were detected. Multiple selections are allowed.
      • Threat Names: Use this filter to limit the logs based on specific threats that were detected. You can specify multiple threat names. Use the Search function to find them.
      • Suspicious Content: Use this filter to limit the logs based on the Page Risk Index score of a transaction. Enter either a single value or a range of values, between 0 and 100. Multiple values separated by commas are allowed.
      • File Type Categories: Use this filter to limit the logs based on the file type categories detected from the content. Multiple selections are allowed.
      • File Types: Use this filter to limit the logs based on the file type detected from the content. Multiple selections are allowed.
      • Unscannable Type: Use this filter to limit the logs based on an unscannable file type. Multiple selections are allowed. The following options appear under this filter:
        • Encrypted File: Encrypted or password-protected (e.g., GZIP, PDF)
        • Undetectable File: Unable to determine the file type, based on multiple methods
        • Unscannable File: Unscannable (e.g., corrupt archive)
      • DLP Engines: Use this filter to limit the logs to transactions in which data leakage was detected based on specific DLP engines. Multiple selections are allowed.
      • DLP Dictionaries: Use this filter to limit the logs to transactions in which data leakage was detected based on specific DLP dictionaries. Multiple selections are allowed.
  5. Click Save and activate the change.