For customers who already have Zscaler Private Access (ZPA) LSS logs flowing into QRadar for other reasons, Vectra is providing this additional set of instructions for how to set up QRadar forwarding of these logs to Detect.
Vectra recommends that customers also read the information in the following article that covers ZPA LSS Log Ingestion directly to Cognito Detect without using QRadar as an intermediary:
Within the QRadar Admin Panel, click on Forwarding Destinations under the System Configuration section.
Add an entry with the Destination Address set to your Cognito Detect Brain:
- Event Format = Payload
- Destination Port = 4639
- Protocol = TCP
- It is important that the option “Prefix a syslog header if it is missing or invalid” is NOT enabled
- Next, within the Admin Panel (see screenshot above), click on Routing Rules
- Add an entry to forward the ZPA logs to the Detect Brain (screenshots below)
- If event filtering is desired for specific QIDs, create that filter in the Event Filters section
- Select the appropriate event collector where the ZPA logs are already being sent
- Under Routing Options, check the box for Forward and select the Forwarding Destination created in the first step
- Finally, check the box for Log Only; this forwards the original payload with no QRadar log wrapper
- Click Save; forwarding to Detect should now be complete
Status of forwarding to Detect can be seen at Settings > External Connectors > Zscaler Private Access (ZPA)
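The two settings that most often go wrong in the steps above are the syslog-header prefix on the Forwarding Destination (must be off) and Log Only on the Routing Rule (must be on); either mistake changes what arrives on TCP/4639. The following Python check is an added example, not part of the Vectra or QRadar documentation. It classifies each received line as a bare payload, a line with a prepended syslog header, or something else, and it assumes the ZPA LSS log receiver is configured to emit one JSON object per line (an assumption; adjust if your LSS uses CSV or TSV). The sample lines are constructed, not real ZPA output. `capture_lines` can be run on a scratch host temporarily configured as the Forwarding Destination to grab a batch of lines before pointing the destination at the real Brain.

```python
"""Check that lines forwarded from QRadar arrive as bare ZPA LSS payloads.

Added example (not Vectra/QRadar code). Assumes ZPA LSS emits one JSON
object per line; sample lines below are constructed.
"""
import json
import re
import socket
from collections import Counter
from typing import Dict, Iterable, List

# Destination Port from the Forwarding Destination settings above.
DETECT_PORT = 4639

# Both RFC 3164 ("<PRI>Mmm dd hh:mm:ss host ...") and RFC 5424 ("<PRI>1 ts host ...")
# syslog headers begin with "<PRI>". QRadar prepends one when "Prefix a syslog header
# if it is missing or invalid" is enabled, which the instructions require to be OFF.
SYSLOG_PRI_RE = re.compile(r"^<\d{1,3}>")


def classify_line(line: str) -> str:
    """Classify one received line.

    "ok"            bare JSON object, as expected with Log Only and no syslog prefix
    "syslog_header" a syslog PRI header was prepended by the forwarding destination
    "not_json"      the payload was wrapped or replaced by something that is not JSON
    "empty"         blank line
    """
    text = line.strip()
    if not text:
        return "empty"
    if SYSLOG_PRI_RE.match(text):
        return "syslog_header"
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError:
        return "not_json"
    # Assumption: each ZPA LSS event is a single JSON object.
    return "ok" if isinstance(parsed, dict) else "not_json"


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count classifications over a batch of received lines."""
    return dict(Counter(classify_line(line) for line in lines))


def capture_lines(port: int = DETECT_PORT, max_lines: int = 100,
                  bind_host: str = "0.0.0.0") -> List[str]:
    """Accept one TCP connection on `port` and return up to `max_lines` lines.

    Intended for a scratch host used as a temporary Forwarding Destination;
    not called by default so the module runs offline.
    """
    lines: List[str] = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_host, port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn, conn.makefile("r", encoding="utf-8", errors="replace") as stream:
            for line in stream:
                lines.append(line)
                if len(lines) >= max_lines:
                    break
    return lines


# Constructed sample lines (not real ZPA output): a correct bare payload, an RFC 5424
# prefixed line, an RFC 3164 prefixed line, and a non-JSON line.
SAMPLE_LINES = [
    '{"LogTimestamp":"2024-01-01T00:00:00Z","Username":"user@example.com","ServicePort":443}\n',
    '<14>1 2024-01-01T00:00:00Z qradar - - - - {"LogTimestamp":"2024-01-01T00:00:00Z"}\n',
    '<134>Jan  1 00:00:00 qradar {"LogTimestamp":"2024-01-01T00:00:00Z"}\n',
    'constructed non-JSON line that would not parse as an LSS event\n',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(f"{classify_line(sample):14s} {sample.rstrip()[:60]}")
    print(summarize(SAMPLE_LINES))
```

A batch where every line is "ok" confirms the Forwarding Destination and Routing Rule are set as the steps require; any "syslog_header" result points back to the prefix option on the Forwarding Destination, and "not_json" results point to the Log Only checkbox (or to a non-JSON LSS output format).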