Extend Cortex XDR visibility into logs from Zscaler Private Access (ZPA).
Note
Ingesting logs and data requires a Cortex XDR Pro per GB license.
If you use Zscaler Private Access (ZPA) in your network as an alternative to VPNs, you can forward your network logs to Cortex XDR for analysis. This enables you to take advantage of Cortex XDR anomalous behavior detection and investigation capabilities. Cortex XDR can use the network logs from ZPA as the sole data source, and can also use these network logs from ZPA in conjunction with Palo Alto Networks network logs.
As soon as Cortex XDR starts to receive logs, the following actions are performed:
Stitching network connection logs with other logs to form network stories. Cortex XDR can also analyze your logs to apply IOC, BIOC, and Correlation Rules matching. You can also use queries to search your network connection logs.
Creates a Zscaler Cortex Query Language (XQL) dataset (
zscaler_zpa_raw
), which enables you to search the logs using XQL Search.
To integrate your logs, you first need to set up an applet in a Broker VM within your network to act as a Syslog Collector. You then configure forwarding on your log devices to send logs to the Syslog collector in a LEEF format. To provide seamless log ingestion, Cortex XDR automatically maps the fields in your traffic logs to the Cortex XDR log format.
Prerequisite Step
Before you can add a log receiver in Zscaler Private Access, as explained in the task below, you must first deploy your App Connectors. For more information, see App Connector Deployment Guides for Supported Platforms.
To ingest logs from Zscaler Private Access (ZPA):
Activate the Syslog Collector.
Increase log storage for ZPA logs. For more information, see Manage Your Log Storage.
Configure ZPA log forwarding in Zscaler Private Access to the Syslog Collector in a LEEF format.
In the Zscaler Private Access application, select
→ .Click Add Log Receiver.
Note
For more information on configuring the parameters on the screen, see the Zscaler Private Access (ZPA) documentation for Configuring a Log Receiver.
In the Add Log Receiver window, configure the following fields in Log Receiver tab:
Name—Specify a name for the log receiver. The name cannot contain special characters, with the exception of periods (.), hyphens (-), and underscores ( _ ).
Description—(Optional) Specify a log receiver description.
Domain or IP Address—Specify the fully qualified domain name (FQDN) or IP address for the log receiver that you set when activating the Syslog Collector in Cortex XDR . See Activate the Syslog Collector.
TCP Port—Specify the TCP port number used by the log receiver that you set when activating the Syslog Collector in Cortex XDR . See Activate the Syslog Collector.
TLS Encryption—Toggle to Enabled to encrypt traffic between the log receiver and your Syslog Collector in Cortex XDRusing mutually authenticated TLS communication. To use this setting, the log receiver must support TLS communication. For more information, see About the Log Streaming Service.
App Connector Groups—(Optional) Select the App Connector groups that can forward logs to the receiver, and click Done. You can search for a specific group, click Select All to apply all groups, or click Clear Selection to remove all selections.
Click Next.
Configure the following fields in the Log Stream tab:
Log Type—Select the log type you want to collect, where only the following logs types are currently supported to collect with your Syslog Collector in Cortex XDR:
Note
You can only configure a ZPA log receiver to collect one type of log with your Syslog Collector in Cortex XDR. To configure more that one log type, you'll need to add another log receiver.
User Activity—Information on end user requests to applications. For more information, see User Activity Log Fields.
User Status—Information related to an end user's availability and connection to ZPA. For more information, see User Status Log Fields.
App Connector Status—Information related to an App Connector's availability and connection to ZPA. For more information, see About App Connector Status Log Fields.
Audit Logs—Session information for all admins accessing the ZPA Admin Portal. For more information, See About Audit Log Fields and About Audit Logs.
Log Template—Select a Custom template.
Log Stream Content—From the table below, copy the applicable log template according to the Log Type you've selected and paste it into the Log Stream Content field.
Log Type
Log Template
User Activity
LEEF:1.0|Zscaler|ZPA|4.1|%s{ConnectionStatus}%s{InternalReason}|cat=ZPA User Activity\tdevTime=%s{LogTimestamp:epoch}\tCustomer=%s{Customer}\tSessionID=%s {SessionID}\tConnectionID=%s{ConnectionID}\tInternalReason=%s{InternalReason} \tConnectionStatus=%s{ConnectionStatus}\tproto=%d{IPProtocol} \tDoubleEncryption=%d{DoubleEncryption}\tusrName=%s{Username} \tdstPort=%d{ServicePort}\tsrc=%s{ClientPublicIP}\tsrcPreNAT=%s{ClientPrivateIP} \tClientLatitude=%f{ClientLatitude}\tClientLongitude=%f{ClientLongitude} \tClientCountryCode=%s{ClientCountryCode}\tClientZEN=%s{ClientZEN} \tpolicy=%s{Policy}\tConnector=%s{Connector}\tConnectorZEN=%s{ConnectorZEN} \tConnectorIP=%s{ConnectorIP}\tConnectorPort=%d{ConnectorPort} \tApplicationName=%s{Host}\tApplicationSegment=%s{Application}\tAppGroup=%s{AppGroup} \tServer=%s{Server}\tdst=%s{ServerIP}\tServerPort=%d{ServerPort} \tPolicyProcessingTime=%d{PolicyProcessingTime}\tServerSetupTime=%d{ServerSetupTime} \tTimestampConnectionStart:iso8601=%s{TimestampConnectionStart:iso8601} \tTimestampConnectionEnd:iso8601=%s{TimestampConnectionEnd:iso8601} \tTimestampCATx:iso8601=%s{TimestampCATx:iso8601} \tTimestampCARx:iso8601=%s{TimestampCARx:iso8601} \tTimestampAppLearnStart:iso8601=%s{TimestampAppLearnStart:iso8601} \tTimestampZENFirstRxClient:iso8601=%s{TimestampZENFirstRxClient:iso8601} \tTimestampZENFirstTxClient:iso8601=%s{TimestampZENFirstTxClient:iso8601} \tTimestampZENLastRxClient:iso8601=%s{TimestampZENLastRxClient:iso8601} \tTimestampZENLastTxClient:iso8601=%s{TimestampZENLastTxClient:iso8601} \tTimestampConnectorZENSetupComplete:iso8601=%s{TimestampConnectorZENSetupComplete:iso8601} \tTimestampZENFirstRxConnector:iso8601=%s{TimestampZENFirstRxConnector:iso8601} \tTimestampZENFirstTxConnector:iso8601=%s{TimestampZENFirstTxConnector:iso8601} \tTimestampZENLastRxConnector:iso8601=%s{TimestampZENLastRxConnector:iso8601} \tTimestampZENLastTxConnector:iso8601=%s{TimestampZENLastTxConnector:iso8601} \tZENTotalBytesRxClient=%d{ZENTotalBytesRxClient}\tZENBytesRxClient=%d{ZENBytesRxClient} \tZENTotalBytesTxClient=%d{ZENTotalBytesTxClient}\tZENBytesTxClient=%d{ZENBytesTxClient} \tZENTotalBytesRxConnector=%d{ZENTotalBytesRxConnector} \tZENBytesRxConnector=%d{ZENBytesRxConnector} \tZENTotalBytesTxConnector=%d{ZENTotalBytesTxConnector} \tZENBytesTxConnector=%d{ZENBytesTxConnector}\tIdp=%s{Idp}\n
User Status
LEEF:1.0|Zscaler|ZPA|4.1|%s{SessionStatus}|cat=ZPA User Status \tdevTime=%s{LogTimestamp:epoch}\tCustomer=%s{Customer} \tusrName=%s{Username}\tSessionID=%s{SessionID}\tSessionStatus=%s{SessionStatus} \tVersion=%s{Version}\tZEN=%s{ZEN}\tCertificateCN=%s{CertificateCN} \tsrcPreNAT=%s{PrivateIP}\tsrc=%s{PublicIP}\tLatitude=%f{Latitude} \tLongitude=%f{Longitude}\tCountryCode=%s{CountryCode} \tTimestampAuthentication:iso8601=%s{TimestampAuthentication:iso8601} \tTimestampUnAuthentication:iso8601=%s{TimestampUnAuthentication:iso8601} \tdstBytes=%d{TotalBytesRx}\tsrcBytes=%d{TotalBytesTx}\tIdp=%s{Idp} \tidentHostName=%s{Hostname}\tPlatform=%s{Platform}\tClientType=%s{ClientType} \tTrustedNetworks=%s(,){TrustedNetworks}\tTrustedNetworksNames=%s(,){TrustedNetworksNames} \tSAMLAttributes=%s{SAMLAttributes}\tPosturesHit=%s(,){PosturesHit} \tPosturesMiss=%s(,){PosturesMiss}\tZENLatitude=%f{ZENLatitude} \tZENLongitude=%f{ZENLongitude}\tZENCountryCode=%s{ZENCountryCode}\n
App Connector Status
LEEF:1.0|Zscaler|ZPA|4.1|%s{SessionStatus}|cat=Connector Status \tdevTime=%s{LogTimestamp:epoch}\tCustomer=%s{Customer}\tSessionID=%s{SessionID} \tSessionType=%s{SessionType}\tVersion=%s{Version}\tPlatform=%s{Platform} \tZEN=%s{ZEN}\tConnector=%s{Connector}\tConnectorGroup=%s{ConnectorGroup} \tsrcPreNAT=%s{PrivateIP}\tsrc=%s{PublicIP}\tLatitude=%f{Latitude} \tLongitude=%f{Longitude}\tCountryCode=%s{CountryCode} \tTimestampAuthentication:iso8601=%s{TimestampAuthentication:iso8601} \tTimestampUnAuthentication:iso8601=%s{TimestampUnAuthentication:iso8601} \tCPUUtilization=%d{CPUUtilization}\tMemUtilization=%d{MemUtilization} \tServiceCount=%d{ServiceCount}\tInterfaceDefRoute=%s{InterfaceDefRoute} \tDefRouteGW=%s{DefRouteGW}\tPrimaryDNSResolver=%s{PrimaryDNSResolver} \tHostStartTime=%s{HostStartTime}\tConnectorStartTime=%s{ConnectorStartTime} \tNumOfInterfaces=%d{NumOfInterfaces}\tBytesRxInterface=%d{BytesRxInterface} \tPacketsRxInterface=%d{PacketsRxInterface}\tErrorsRxInterface=%d{ErrorsRxInterface} \tDiscardsRxInterface=%d{DiscardsRxInterface}\tBytesTxInterface=%d{BytesTxInterface} \tPacketsTxInterface=%d{PacketsTxInterface}\tErrorsTxInterface=%d{ErrorsTxInterface} \tDiscardsTxInterface=%d{DiscardsTxInterface}\tTotalBytesRx=%d{TotalBytesRx} \tTotalBytesTx=%d{TotalBytesTx}
Audit Logs
LEEF:1.0|Zscaler|ZPA|4.1|%s{auditOperationType}|cat=ZPA_Audit_Log \tdevTime=%s{LogTimestamp:epoch}\tcreationTime=%s{creationTime:iso8601} \trequestId=%s{requestId}\tsessionId=%s{sessionId}\tauditOldValue=%s{auditOldValue} \tauditNewValue=%s{auditNewValue}\tauditOperationType=%s{auditOperationType} \tobjectType=%s{objectType}\tobjectName=%s{objectName}\tobjectId=%d{objectId} \taccountName=%d{customerId}\tusrName=%s{modifiedByUser}\n
(Optional) You can define a streaming Policy for the log receiver. This entails configuring the SAML Attributes, Application Segments, Segment Groups, Client Types, and Session Statuses. For more information on configuring these settings, see the Log Stream instructions.
Click Next.
In the Review tab, verify your log receiver configuration.
Click Save.