Documentation to set up ZScaler as an Audit Log feed gives the following directions:
"SIEM IP Address and SIEM TCP Port: Enter the IP address and port of the SpanVA to which the logs are streamed.
Ensure that the SpanVA is configured to accept the feed from NSS."
The following is unclear from that documentation:
Ports for the ZScaler NSS SpanVA data source (DS) are not configurable; they are auto-assigned when the DS is created in CloudSOC.
The new data source must therefore be created in CloudSOC first, in order to determine which TCP port to enter on the ZScaler side.
To create a new ZScaler NSS SpanVA DS:
Then configure the NSS feeds on the Zscaler side, using the IP address of the SpanVA and the auto-assigned TCP port, to complete the configuration.
After completing the configuration:
Check the SpanVA Monitoring tab to confirm that logs are being processed and uploaded to CloudSOC (a good sign).
After sufficient processing time, check that the logs are also being processed successfully in CloudSOC Audit.
Note: End to End logs to Audit processing time can vary from minutes to hours depending on multiple factors.
The client should see "processed" logs under Audit / Device Logs / Select DS / Details within a day or less if the NSS log format was properly configured.