LSS user activity log stream content format for QRadar


For those who may be integrating ZPA LSS logs with back-end QRadar SIEM, here is an example of how to customize log stream content for the user activity log to send to a QRadar log receiver:

%s{LogTimestamp:time} User Activity zpa-lss: ,Customer = %s{Customer},InternalReason = %s{InternalReason},ConnectionStatus = %s{ConnectionStatus},Username = %s{Username},ServicePort = %d{ServicePort},ClientPublicIP = %s{ClientPublicIP},ClientLatitude = %f{ClientLatitude}, ClientLongitude = %f{ClientLongitude},ClientCountryCode = %s{ClientCountryCode},ClientZEN = %s{ClientZEN},AccessPolicy = %s{AccessPolicy},ReauthPolicy = %s{ReauthPolicy},Connector = %s{Connector},ConnectorIP = %s{ConnectorIP},Host = %s{Host},Application = %s{Application},AppGroup = %s{AppGroup},Server = %s{Server},ServerIP = %s{ServerIP},ServerPort = %d{ServerPort}\n

You may also want to exclude the Session Status entries for reauthBlock / Timeout (policy blocked access), which cuts down significantly on the volume of log data sent over LSS.
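To sanity-check the format above before pointing it at a real QRadar receiver, here is an added Python example (not from the original post or from Zscaler) that expands the posted template with a constructed record the way LSS would, parses the resulting line back into key/value pairs, and drops the noisy statuses mentioned above. It assumes the %s{Field} / %d{Field} / %f{Field} placeholder syntax behaves as shown in the template, that the status to filter on is the ConnectionStatus field present in the template, and that the status strings are literally "reauthBlock" and "Timeout"; all field values in the sample are made up.

```python
import re

# The LSS user-activity content format from the post, copied verbatim.
# The trailing \n is the literal two characters that LSS expands to a newline.
TEMPLATE = (
    r"%s{LogTimestamp:time} User Activity zpa-lss: ,Customer = %s{Customer},"
    r"InternalReason = %s{InternalReason},ConnectionStatus = %s{ConnectionStatus},"
    r"Username = %s{Username},ServicePort = %d{ServicePort},"
    r"ClientPublicIP = %s{ClientPublicIP},ClientLatitude = %f{ClientLatitude},"
    r" ClientLongitude = %f{ClientLongitude},ClientCountryCode = %s{ClientCountryCode},"
    r"ClientZEN = %s{ClientZEN},AccessPolicy = %s{AccessPolicy},"
    r"ReauthPolicy = %s{ReauthPolicy},Connector = %s{Connector},"
    r"ConnectorIP = %s{ConnectorIP},Host = %s{Host},Application = %s{Application},"
    r"AppGroup = %s{AppGroup},Server = %s{Server},ServerIP = %s{ServerIP},"
    r"ServerPort = %d{ServerPort}\n"
)

# Placeholders look like %s{Name}, %d{Name} or %f{Name}, optionally with a
# modifier such as %s{LogTimestamp:time}. (Assumed syntax, based on the post.)
FIELD_RE = re.compile(r"%([sdf])\{([A-Za-z]+)(?::[A-Za-z]+)?\}")


def render(record: dict, template: str = TEMPLATE) -> str:
    """Expand the template with one record, mimicking what LSS would emit."""
    def substitute(match):
        conv, name = match.group(1), match.group(2)
        value = record.get(name, "")
        if conv == "d":
            return str(int(value))
        if conv == "f":
            return f"{float(value):.6f}"
        return str(value)
    return FIELD_RE.sub(substitute, template).replace(r"\n", "\n")


MARKER = " User Activity zpa-lss: ,"


def parse(line: str):
    """Split an emitted line into a dict of field -> string, or None if it is
    not a user-activity line produced by this template."""
    head, sep, body = line.rstrip("\n").partition(MARKER)
    if not sep:
        return None
    record = {"LogTimestamp": head}
    # Pairs are comma separated with " = " between key and value. Keys are
    # stripped because the template carries a stray space before ClientLongitude.
    # Values in this template contain no commas, so a plain split is safe.
    for pair in body.split(","):
        key, eq, value = pair.partition(" = ")
        if eq:
            record[key.strip()] = value.strip()
    return record


# Statuses the post suggests excluding. The exact strings are an assumption.
NOISY_STATUSES = frozenset({"reauthBlock", "Timeout"})


def keep(record: dict) -> bool:
    """True if the record is worth forwarding to QRadar."""
    return record.get("ConnectionStatus") not in NOISY_STATUSES


def filter_lines(lines):
    """Parse each line and return only the records that pass the filter."""
    kept = []
    for line in lines:
        record = parse(line)
        if record is not None and keep(record):
            kept.append(record)
    return kept


# Constructed sample record; every value is made up for this example.
SAMPLE = {
    "LogTimestamp": "2021-03-01T12:00:00Z", "Customer": "example-tenant",
    "InternalReason": "", "ConnectionStatus": "active",
    "Username": "jdoe@example.com", "ServicePort": 443,
    "ClientPublicIP": "198.51.100.10", "ClientLatitude": 37.7749,
    "ClientLongitude": -122.4194, "ClientCountryCode": "US",
    "ClientZEN": "zen-example", "AccessPolicy": "allow-intranet",
    "ReauthPolicy": "none", "Connector": "connector-01",
    "ConnectorIP": "10.0.0.5", "Host": "intranet.example.internal",
    "Application": "intranet", "AppGroup": "corp-web",
    "Server": "web-01", "ServerIP": "10.0.1.20", "ServerPort": 8443,
}

if __name__ == "__main__":
    line = render(SAMPLE)
    print(line, end="")
    print(parse(line)["Username"], keep(parse(line)))
```

Running the module prints the line exactly as the QRadar receiver would see it, which makes it easy to compare against what the DSM actually parses; filter_lines is the piece you would adapt if you post-filter on the receiving side rather than in the LSS policy itself.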

(I don’t have an example of QRadar config on the other end - if anyone has suggestions, or better yet screenshots, please share!)