Zscaler ZPA User Activity Logs details

Hi Folks,

I'm Naveen, working as a security analyst. Recently we integrated Zscaler ZPA logs with our SIEM tool, Splunk. I have gone through the log categories and we find only the "Audit logs" useful. Our customer who uses Zscaler ZPA recommended that we consider the "User Activity Logs". However, the user activity log schema only shows the connection status between public/private service edges and app connectors, the total bytes transferred between ZCC and public/private service edges and app connectors, and whether the connection is open/closed/active.

log fields article link:

I have read an article that mentioned this log is generated only for authorized users who access your internal applications through ZPA.

article link:

I couldn't see any field that represents whether the connection is blocked/allowed according to the access policy configured for the user.

Please suggest

  1. How to identify whether the connection is blocked/allowed by the access policy in the user activity log?
  2. How can we use this user activity log to identify any threats, and what is its usefulness?
  3. For which scenario is this log generated: is it for authorized or unauthorized connections?

Regards,
Naveen

When I'm checking a blocked attempt in the ZPA GUI via the 'connection status log', I see these:

"policyAction":"Deny",
"policyType":"AccessPolicy",

So I would assume that the log field 'Policy' should show that, untested though.
(Just about to set up LSS)
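As an added example (not code from this thread, Zscaler or Splunk), here is how the policyAction/policyType fields quoted in the reply above could be used once LSS forwards the logs as JSON lines, either in a pre-processing script or as the logic a Splunk search would mirror: classify each event by its access-policy verdict, treat a missing policy field as unknown rather than as allowed, and surface identities that are denied across several applications in a short window. Only "policyAction" and "policyType" come from the thread; the other field names ("Username", "Application", "ConnectionStatus", "LogTimestamp") and all sample records are assumptions constructed for this illustration, so check them against the real LSS log field list before relying on them.

```python
import json
from collections import Counter

# Constructed sample events in the JSON-lines shape an LSS receiver would forward
# to a SIEM. These are NOT real ZPA records: only "policyAction" and "policyType"
# come from the thread; "Username", "Application", "ConnectionStatus" and
# "LogTimestamp" are assumed field names used here for illustration.
SAMPLE_LOG_LINES = [
    '{"LogTimestamp": "2024-05-01T10:00:01Z", "Username": "alice@example.com", '
    '"Application": "hr-portal", "ConnectionStatus": "open", '
    '"policyType": "AccessPolicy", "policyAction": "Allow"}',
    '{"LogTimestamp": "2024-05-01T10:00:05Z", "Username": "bob@example.com", '
    '"Application": "finance-db", "ConnectionStatus": "close", '
    '"policyType": "AccessPolicy", "policyAction": "Deny"}',
    '{"LogTimestamp": "2024-05-01T10:00:09Z", "Username": "bob@example.com", '
    '"Application": "admin-jumphost", "ConnectionStatus": "close", '
    '"policyType": "AccessPolicy", "policyAction": "Deny"}',
    '{"LogTimestamp": "2024-05-01T10:00:12Z", "Username": "bob@example.com", '
    '"Application": "git-internal", "ConnectionStatus": "close", '
    '"policyType": "AccessPolicy", "policyAction": "Deny"}',
    # Event without any policy fields: must be reported as "unknown", not "Allow".
    '{"LogTimestamp": "2024-05-01T10:00:20Z", "Username": "carol@example.com", '
    '"Application": "wiki", "ConnectionStatus": "active"}',
    # Malformed line, as happens when a forwarder truncates a record.
    '{"LogTimestamp": "2024-05-01T10:00:25Z", "Username": "dave@exam',
]


def parse_log_lines(lines):
    """Parse JSON-lines input; malformed lines are counted, not silently dropped."""
    events, bad = [], 0
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def policy_verdict(event):
    """Classify one event by the access-policy outcome recorded in it.

    Returns "Allow", "Deny" or "unknown". A missing policyAction is never treated
    as Allow: a gap in the record is not evidence that the access was permitted.
    """
    if event.get("policyType") != "AccessPolicy":
        return "unknown"
    action = event.get("policyAction")
    if action in ("Allow", "Deny"):
        return action
    return "unknown"


def summarize(events):
    """Count verdicts and collect, per user, the set of applications denied."""
    verdicts = Counter(policy_verdict(e) for e in events)
    denied_apps = {}
    for e in events:
        if policy_verdict(e) == "Deny":
            user = e.get("Username", "<no user>")
            denied_apps.setdefault(user, set()).add(e.get("Application", "<no app>"))
    return verdicts, denied_apps


def probing_users(denied_apps, min_distinct_apps=3):
    """Users denied on at least min_distinct_apps different applications.

    A single denial is usually a policy gap or a wrong bookmark; one identity
    being denied across several apps looks like enumeration of reachable apps.
    """
    return sorted(u for u, apps in denied_apps.items() if len(apps) >= min_distinct_apps)


if __name__ == "__main__":
    events, bad = parse_log_lines(SAMPLE_LOG_LINES)
    verdicts, denied = summarize(events)
    print(f"parsed={len(events)} malformed={bad} verdicts={dict(verdicts)}")
    for user in probing_users(denied):
        print(f"review: {user} denied on {sorted(denied[user])}")
```

In Splunk the same logic is a plain search on the policyAction field with a count grouped by user and application; the script spells out the two points that matter when building that search: events with no policy verdict must not be counted as allowed, and a single Deny is far less interesting than the same identity denied across several applications.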