
Detect ZPA LSS Log Ingestion via QRadar

For customers who already have Zscaler Private Access (ZPA) LSS logs flowing into QRadar for other reasons, Vectra is providing this additional set of instructions for how to set up QRadar forwarding of these logs to Detect.

Vectra recommends that customers also read the information in the following article that covers ZPA LSS Log Ingestion directly to Cognito Detect without using QRadar as an intermediary:

https://support.vectranetworks.com/hc/en-us/articles/1260801520550-Zscaler-Private-Access-ZPA-Log-Ingestion-Configuration

Instructions

Step 1

Within the QRadar Admin Panel, click on Forwarding Destinations under the System Configuration section.

(screenshot)

Add an entry with the Destination Address as your Cognito Detect Brain.

  • Event Format = Payload
  • Destination Port = 4639
  • Protocol = TCP
  • It is important that the option “Prefix a syslog header if it is missing or invalid” is NOT enabled

(screenshot)

Step 2

  • Next, within the Admin Panel (see screenshot above), click on Routing Rules
  • Add an entry to forward the ZPA logs to the Detect Brain (screenshots below)
    • If event filtering is desired for specific QIDs, create that filter in the Event Filters section
  • Select the appropriate event collector where the ZPA logs are already being sent
  • Under Routing Options, check the box for Forward and select the Forwarding Destination created in the first step
  • Finally, check the box for Log Only; this forwards the original payload with no QRadar log wrapper
  • Click Save and forwarding to Detect should be complete

(screenshots)

Status of forwarding to Detect can be seen at Settings > External Connectors > Zscaler Private Access (ZPA)
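Before pointing the Forwarding Destination at the Brain, it is worth confirming from a test host that what QRadar emits on TCP/4639 is the bare LSS payload and not a syslog-prefixed or otherwise wrapped record. The following is an added example (not Vectra, Zscaler or QRadar code): it classifies each forwarded line, assuming the LSS log template produces one JSON object per line; the sample lines are constructed, and the listener is a hypothetical helper you would run on the test host in place of the Brain.

```python
import json
import re
import socket

# Constructed sample lines (not real ZPA output) showing what may arrive on TCP/4639.
RAW_LSS = ('{"LogTimestamp":"Mon Mar 01 10:00:00 2021","Customer":"Example Corp",'
           '"SessionID":"abc123","Username":"alice@example.com","ConnectionStatus":"open"}')
SYSLOG_PREFIXED = "<14>Mar  1 10:00:00 qradar " + RAW_LSS  # header prefixing was left enabled
NOT_JSON = "this is not an LSS record"

SYSLOG_PRI = re.compile(r"^<\d{1,3}>")  # RFC 3164/5424 style <PRI> at start of line


def classify_forwarded_line(line: str) -> str:
    """Classify one line exactly as QRadar forwarded it.

    'raw'             - bare LSS JSON object, which is what Detect expects
                        (Event Format = Payload, Log Only checked, header prefixing off)
    'syslog_prefixed' - a <PRI> syslog header was prepended; the option
                        "Prefix a syslog header if it is missing or invalid" is still on
    'unparseable'     - not a JSON object; revisit Event Format and the Log Only setting
    """
    line = line.rstrip("\r\n")
    if SYSLOG_PRI.match(line):
        return "syslog_prefixed"
    try:
        record = json.loads(line)
    except ValueError:
        return "unparseable"
    return "raw" if isinstance(record, dict) else "unparseable"


def listen_and_classify(port: int = 4639, max_lines: int = 5) -> list:
    """Hypothetical helper: accept one QRadar connection and classify the first lines.

    Run this on a throwaway host configured as the Forwarding Destination, not on the Brain.
    """
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn, conn.makefile("r", encoding="utf-8", errors="replace") as stream:
            for line in stream:
                results.append(classify_forwarded_line(line))
                if len(results) >= max_lines:
                    break
    return results
```

Any result other than 'raw' means Detect will not see the payload in the form described in Step 1 and Step 2 above.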
