
ZSCALER AND IBM QRADAR

DEPLOYMENT GUIDE

FEBRUARY 2024, VERSION 1.1 BUSINESS DEVELOPMENT GUIDE


Zscaler and IBM QRadar Deployment Guide

Contents
Terms and Acronyms 3

Trademark Notice 4

About This Document 5


Zscaler Overview 5
IBM Overview 5
Audience 5
Software Versions 5
Request for Comments 5
Zscaler and IBM QRadar Introduction 6
ZIA Overview 6
ZPA Overview 6
Zscaler Resources 6
IBM QRadar Overview 7
IBM QRadar Resources 7
Introduction 8
NSS 8
Cloud NSS 19

ZPA Logs 31
User Status Logs 33
App Connector Logs 34
Audit Logs 35
User Activity Logs 36
Appendix A: Requesting Zscaler Support 37

©2024 Zscaler, Inc. All rights reserved. 2



Terms and Acronyms


The following table defines acronyms used in this deployment guide. When applicable, a Request for Change (RFC) is
included in the Definition column for your reference.

Acronym Definition
CA Central Authority (Zscaler)
CSV Comma-Separated Values
DLP Data Loss Prevention
DNS Domain Name Service
DPD Dead Peer Detection (RFC 3706)
EDR Endpoint Detection and Response
GRE Generic Routing Encapsulation (RFC2890)
ICMP Internet Control Message Protocol
IdP Identity Provider
IKE Internet Key Exchange (RFC2409)
IPS Intrusion Prevention System
IPSec Internet Protocol Security (RFC2411)
MDR Managed Detection and Response
PFS Perfect Forward Secrecy
PSK Pre-Shared Key
RPM Remote Patient Monitoring
SaaS Software as a Service
SIEM Security Information and Event Management
SOAR Security Orchestration, Automation, and Response
SSL Secure Socket Layer (RFC6101)
TLS Transport Layer Security
VDI Virtual Desktop Infrastructure
XDR Extended Detection and Response
XFF X-Forwarded-For (RFC7239)
ZCP Zscaler Cloud Protection (Zscaler)
ZDX Zscaler Digital Experience (Zscaler)
ZIA Zscaler Internet Access (Zscaler)
ZPA Zscaler Private Access (Zscaler)


Trademark Notice
© 2024 Zscaler, Inc. All rights reserved. Zscaler™ and other trademarks listed at zscaler.com/legal/trademarks are either
(i) registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or
other countries. Any other trademarks are the properties of their respective owners.


About This Document


The following sections describe the organizations and requirements of this deployment guide.

Zscaler Overview
Zscaler (NASDAQ: ZS) enables the world’s leading organizations to securely transform their networks and applications for
a mobile and cloud-first world. Its flagship Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services create
fast, secure connections between users and applications, regardless of device, location, or network. Zscaler delivers its
services 100% in the cloud and offers the simplicity, enhanced security, and improved user experience that traditional
appliances or hybrid solutions can’t match. Used in more than 185 countries, Zscaler operates a massive, global cloud
security platform that protects thousands of enterprises and government agencies from cyberattacks and data loss. To
learn more, see Zscaler’s website or follow Zscaler on Twitter @zscaler.

IBM Overview
IBM (NYSE: IBM) looks to be a part of every aspect of an enterprise’s IT needs. The company primarily sells software,
IT services, consulting, and hardware. IBM operates in 175 countries and employs approximately 350,000 people. The
company has a robust roster of 80,000 business partners to service 5,200 clients—which includes 95% of all Fortune
500. While IBM is a B2B company, IBM’s outward impact is substantial. For example, IBM manages 90% of all credit card
transactions globally and is responsible for 50% of all wireless connections in the world. To learn more, refer to the IBM
QRadar website.

Audience
This guide is for network administrators, endpoint and IT administrators, and security analysts responsible for deploying,
monitoring, and managing enterprise security systems. For additional product and company resources, see:

• Zscaler Resources
• IBM QRadar Resources
• Appendix A: Requesting Zscaler Support

Software Versions
This document was authored using the latest version of Zscaler software.

Request for Comments


• For prospects and customers: Zscaler values reader opinions and experiences. Contact partner-doc-support@zscaler.com to offer feedback or corrections for this guide.
• For Zscaler employees: Contact z-bd-sa@zscaler.com to reach the team that validated and authored the
integrations in this document.


Zscaler and IBM QRadar Introduction


Overviews of the Zscaler and QRadar applications are described in this section.

Note: If you are using this guide to implement a solution at a government agency, some of the content might be different for your deployment. Efforts are made throughout the guide to note where government agencies might need different parameters or input. If you have questions, please contact your Zscaler Account team.

ZIA Overview
ZIA is a secure internet and web gateway delivered as a service from the cloud. Think of ZIA as a secure internet on-
ramp—just make Zscaler your next hop to the internet via one of the following methods:

• Setting up a tunnel (GRE or IPSec) to the closest Zscaler data center (for offices).
• Forwarding traffic via our lightweight Zscaler Client Connector or PAC file (for mobile employees).
No matter where users connect—a coffee shop in Milan, a hotel in Hong Kong, or a VDI instance in South Korea—they get
identical protection. ZIA sits between your users and the internet and inspects every transaction inline across multiple
security techniques (even within SSL).

You get full protection from web and internet threats. The Zscaler cloud platform supports Cloud Firewall, IPS,
Sandboxing, DLP, and Browser Isolation, allowing you to start with the services you need now and activate others as your
needs grow.

ZPA Overview
ZPA is a cloud service that provides secure remote access to internal applications running on a cloud or data center using
a Zero Trust framework. With ZPA, applications are never exposed to the internet, making them completely invisible
to unauthorized users. The service enables the applications to connect to users via inside-out connectivity rather than
extending the network to them.

ZPA provides a simple, secure, and effective way to access internal applications. Access is based on policies created by
the IT administrator within the ZPA Admin Portal and hosted within the Zscaler cloud. On each user device, software
called Zscaler Client Connector is installed. Zscaler Client Connector ensures the user’s device posture and extends a
secure microtunnel out to the Zscaler cloud when a user attempts to access an internal application.

Zscaler Resources
The following table contains links to Zscaler resources based on general topic areas.

Name Definition
ZIA Help Portal Help articles for ZIA.
ZPA Help Portal Help articles for ZPA.
Zscaler Tools Troubleshooting, security and analytics, and browser extensions that help
Zscaler determine your security needs.
Zscaler Training and Certification Training designed to help you maximize Zscaler products.
Submit a Zscaler Support Ticket Zscaler Support portal for submitting requests and issues.


The following table contains links to Zscaler resources for government agencies.

Name Definition
ZIA Help Portal Help articles for ZIA.
ZPA Help Portal Help articles for ZPA.
Zscaler Tools Troubleshooting, security and analytics, and browser extensions that help
Zscaler determine your security needs.
Zscaler Training and Certification Training designed to help you maximize Zscaler products.
Submit a Zscaler Support Ticket Zscaler Support portal for submitting requests and issues.


IBM QRadar Overview


IBM Security QRadar Security Intelligence Platform is a modernized threat detection and response solution designed
to unify the security analyst experience and accelerate their speed across the full incident lifecycle. The portfolio is
embedded with enterprise-grade AI and automation to dramatically increase analyst productivity, helping resource-
strained security teams work more effectively across core technologies. It offers integrated products for endpoint security
(EDR, XDR, MDR), log management, SIEM, and SOAR—all with a common user interface, shared insights and connected
workflows.

IBM QRadar Resources


The following table contains links to IBM QRadar support resources.

Name Definition
IBM Community Forum IBM community forum web pages.
IBM Support IBM Support portal for submitting requests and issues.
IBM QRadar Documentation Online documentation for IBM QRadar Security Intelligence Platform.
IBM QRadar Developer Guide Online developer's guide for the IBM QRadar Application Framework.


Introduction
This guide provides examples for integrating Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) with IBM
QRadar. It’s intended for setting up your production network, or for proof of concept (PoC) topologies and demos, if
evaluating interoperability and integration.

Zscaler’s Nanolog Streaming Service (NSS) (government agencies, see Nanolog Streaming Service (NSS)) uses a virtual
machine (VM) to stream traffic logs from ZIA to QRadar, a SIEM system, enabling real-time alerting, correlation with the
logs of your other devices, and long-term local log archival.

If you subscribe to Cloud NSS, you can enable direct cloud-to-cloud log streaming. Instead of deploying an on-premises
NSS VM, you can configure an HTTPS API feed to stream traffic logs from ZIA into an HTTPS API-based log collector on
your cloud-based QRadar system. To learn more about the geo-availability and qualifications for Cloud NSS, contact
Zscaler Support.

Refer to the following procedures for configuring on-premises or Cloud NSS and QRadar.

To send ZPA Events to IBM QRadar, you must configure the Zscaler Log Streaming Service. IBM supports user status, app
connector status, and audit log types for ZPA devices.

NSS

Note: To complete the following steps, you must have QRadar version 7.3.3 or later installed. To download and install the required software, refer to IBM Support Fix Central.

To configure NSS and QRadar:

1. In QRadar, install the RPM files. NSS deployment requires two RPM files from QRadar: DSM (Device Support Module)
Common and Zscaler NSS DSM. If you previously enabled automatic updates for your QRadar deployment, you are
not required to manually install the files. To manually install the RPM files:
a. Download the updated RPM files for your version of QRadar from IBM Support Fix Central:
i. (Optional) Under Find Product, configure the filters to narrow your search, then click Continue.

Figure 1. IBM Support Fix Central Product Selector


ii. In the search bar, enter zscalernss to find the respective RPM files for download.

Figure 2. IBM Support Fix Central search

b. Install the RPM files in QRadar:


i. Log in to the QRadar host as the root user.
ii. Go to the directory that contains the downloaded RPM files.
iii. Install the RPM files using the following command:
yum -y install <rpm_filename>

iv. Log in to the QRadar Console.


v. Go to the Admin tab and click Deploy Changes.

Figure 3. Admin page in QRadar Console with Deploy Changes button

2. In QRadar, add Zscaler NSS as a Log Source. If the log source is not automatically discovered, you can manually add
Zscaler NSS as a log source using the QRadar Log Source Management app.

Note: For QRadar versions 7.3.3 through 7.5.0, you can also add a log source in QRadar by using the Log Sources icon. To learn more, refer to the procedure in the IBM documentation.


To add a log source:


a. From the QRadar Console, go to Admin > Apps > QRadar Log Source Management.
b. Click the QRadar Log Source Management icon to open the app. The IBM QRadar Log Source Management
window appears.

Figure 4. QRadar Log Source Management app

c. In the IBM QRadar Log Source Management window, select Log Sources.

Figure 5. Log Sources in the QRadar Console

d. On the right side of the screen, click + New Log Source.

Figure 6. New Log Source button in QRadar Console


e. Select Single Log Source. The Add a Single Log Source wizard appears.

Figure 7. Adding a single Log Source in QRadar Console

f. In the Add a Single Log Source wizard, select a Log Source type:
i. In the search bar, enter zscaler Nss.
ii. Select Zscaler Nss from the drop-down menu.
iii. Click Step 2: Select Protocol Type.

Figure 8. Selecting Zscaler NSS Log Source in QRadar Console


g. Select Syslog as the protocol type, then click Step 3: Configure Log Source Parameters.

Figure 9. Selecting Syslog protocol type in QRadar Console

h. Configure the Log Source parameters, then click Step 4: Configure Protocol Parameters. The following fields
are required (scroll down to see all the parameters):
• Name: Enter a name.
• Groups: Select a group.
• Language: Select a language.
• Target Event Collector: Select a QRadar appliance to collect events from Zscaler.
• Disconnected Log Collector: Select a disconnected log collector if available on your QRadar deployment.
• Credibility: Assign a value from 1 to 10. The default value is 5.

Figure 10. Configuring Log Source parameters in QRadar Console


i. Configure the protocol parameters, then click Finish:


• Log Source Identifier: Enter the IP address of the Zscaler host that sends the logs to QRadar.

Note: Contact Zscaler Support to request the IP address.

• Incoming Payload Encoding: Select an encoding type. UTF-8 is selected by default.

Figure 11. Configuring Syslog protocol parameters in QRadar Console

Note: To learn more about Syslog log source parameters for Zscaler NSS, refer to the IBM documentation.

j. Go to the Admin tab and click Deploy Changes.


3. In QRadar, specify fields to view. The NSS streams a number of fields to the SIEM. Specify which fields you want to
view by adding each one as a custom event property in QRadar. To add a field, enter its output format as a regular
expression (i.e., Regex). For example, to add Referrer URL:
a. From the QRadar Console, go to the Admin > Data Sources > Events.
b. Click Custom Event Properties. The Custom Events Properties window appears.

Figure 12. Custom Event Properties icon in QRadar Console


c. In the Custom Event Properties window, click Add. The Custom Event Property Definition window appears.

Figure 13. Adding a Custom Event Property in the QRadar Console

d. In the Custom Event Property Definition window, configure the following fields:
• Property Type Selection: Select Extraction Based.
• Property Definition: Select New Property and enter a name for the field (e.g., Referrer URL).
• Property Expression Definition:
• Log Source Type: Select Zscaler Nss from the drop-down menu.
• Regex: Enter referer=([^\t]+)

Figure 14. Configuring a Custom Event Property in the QRadar Console

e. Click Save.
f. Go to the Admin tab and click Deploy Changes.


4. In the ZIA Admin Portal, add an NSS Server.


a. Log in to the ZIA Admin Portal using your admin account. If you’re unable to log in, contact Zscaler Support.
b. Add an NSS server. To learn more, see Adding NSS Servers (government agencies, see Adding NSS Servers) to
set up an NSS server for Web or Firewall.
c. Verify that the state of the NSS Server is healthy:
i. In the ZIA Admin Portal, go to Administration > Nanolog Streaming Service > NSS Servers.
ii. In the State column, confirm that the state of the NSS server is Healthy.

Figure 15. Healthy NSS server in the ZIA Admin Portal

5. In the ZIA Admin Portal, add an NSS Feed. To learn more, see Adding NSS Feeds (government agencies, see Adding
NSS Feeds) and select the type of feed (e.g., Web Logs) to configure. The following fields require specific inputs:
• SIEM IP Address: Enter the IP address of your QRadar SIEM.
• SIEM TCP Port: Enter 514.

Note: Typically, Syslog uses UDP and destination port 514, but NSS only supports TCP. If the SIEM system becomes unavailable, NSS detects this when it loses the TCP connection and queues logs in memory until the SIEM becomes available again. To learn more, see Syslog Overview (government agencies, see Syslog Overview).

• Feed Output Type: Select Custom.


• Feed Escape Character: Enter ,\"


• Feed Output Format: See the following feed output formats by log type.
• For NSS Feeds for Web Logs (government agencies, see NSS Feeds for Web Logs), replace the pre-
populated text with the following:
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss:LEEF:1.0|Zscaler|NSS|4.1|%s{reason}|cat=%s{action}\tdevTime=%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} %s{tz}\tdevTimeFormat=MMM dd yyyy HH:mm:ssz\tsrc=%s{cip}\tdst=%s{sip}\tsrcPostNAT=%s{cintip}\trealm=%s{location}\tusrName=%s{login}\tsrcBytes=%d{reqsize}\tdstBytes=%d{respsize}\trole=%s{dept}\tpolicy=%s{reason}\trecordid=%d{recordid}\tbwthrottle=%s{bwthrottle}\tuseragent=%s{ua}\treferer=%s{ereferer}\thostname=%s{ehost}\tappproto=%s{proto}\turlcategory=%s{urlcat}\turlsupercategory=%s{urlsupercat}\turlclass=%s{urlclass}\tappclass=%s{appclass}\tappname=%s{appname}\tmalwaretype=%s{malwarecat}\tmalwareclass=%s{malwareclass}\tthreatname=%s{threatname}\triskscore=%d{riskscore}\tdlpdict=%s{dlpdict}\tdlpeng=%s{dlpeng}\tfileclass=%s{fileclass}\tfiletype=%s{filetype}\treqmethod=%s{reqmethod}\trespcode=%s{respcode}\tmd5=%s{bamd5}\turl=%s{eurl}

Figure 16. NSS feed for web logs configured for IBM QRadar SIEM


• For NSS Feeds for Firewall Logs (government agencies, see NSS Feeds for Firewall Logs), replace the pre-
populated text with the following:
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss: LEEF:1.0|Zscaler|NSS-FW|6.0|%s{action}|usrName=%s{login}\trole=%s{dept}\trealm=%s{location}\tsrc=%s{csip}\tdst=%s{cdip}\tsrcPort=%d{csport}\tdstPort=%d{cdport}\tdstPreNATPort=%d{cdport}\tsrcPreNATPort=%d{csport}\tdstPostNATPort=%d{sdport}\tsrcPostNATPort=%d{ssport}\tsrcPreNAT=%s{csip}\tdstPreNAT=%s{cdip}\tsrcPostNAT=%s{ssip}\tdstPostNAT=%s{sdip}\ttsip=%s{tsip}\ttsport=%d{tsport}\tttype=%s{ttype}\tcat=nss-fw\tdnat=%s{dnat}\tstateful=%s{stateful}\taggregate=%s{aggregate}\tnwsvc=%s{nwsvc}\tnwapp=%s{nwapp}\tproto=%s{ipproto}\tipcat=%s{ipcat}\tdestcountry=%s{destcountry}\tavgduration=%ld{avgduration}\trulelabel=%s{rulelabel}\tdstBytes=%ld{inbytes}\tsrcBytes=%ld{outbytes}\tduration=%d{duration}\tdurationms=%d{durationms}\tnumsessions=%d{numsessions}

Figure 17. NSS feed for firewall logs configured for IBM QRadar SIEM


• For NSS Feeds for DNS Logs (government agencies, see NSS Feeds for DNS Logs), replace the pre-populated
text with the following:
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss:LEEF:1.0|Zscaler|NSS-FW|6.0|%s{reqaction}|usrName=%s{login}\trole=%s{dept}\trealm=%s{location}\treqaction=%s{reqaction}\tresaction=%s{resaction}\tcat=nss-dns\treqrulelabel=%s{reqrulelabel}\tresrulelabel=%s{resrulelabel}\tdnsReqtype=%s{reqtype}\tdnsReq=%s{req}\tdnsResp=%s{res}\tdstPort=%d{sport}\tdurationms=%d{durationms}\tsrc=%s{cip}\tdst=%s{sip}\tcategory=%s{domcat}\tdeviceowner=%s{deviceowner}\tdevicehostname=%s{devicehostname}

Figure 18. NSS feed for DNS logs configured for IBM QRadar SIEM
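The feed output format strings above and the custom event property regex from step 3 work as a pair: NSS expands each %s{field} / %02d{field} token, renders the literal \t sequences as tabs, and QRadar's extraction regex then runs over the resulting LEEF line. The following Python script is an added example, not code from the guide or from Zscaler or IBM. It renders a shortened copy of the web-log template against a constructed record, parses the LEEF header and the tab-separated attributes back out, and applies the guide's referer=([^\t]+) property regex. The escaping rule (a backslash in front of each Feed Escape Character), the sample record and the field subset are assumptions of the example; the renderer accepts the firewall and DNS templates unchanged because they use the same token syntax (including %ld).

```python
import re

# Shortened copy of the guide's web-log feed output format (same token syntax as the
# full string). The portal stores "\t" as a literal backslash-t, hence the raw strings.
WEB_LOG_FORMAT = (
    r"%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss:LEEF:1.0|Zscaler|NSS|4.1|"
    r"%s{reason}|cat=%s{action}\tsrc=%s{cip}\tdst=%s{sip}\tusrName=%s{login}"
    r"\tsrcBytes=%d{reqsize}\tdstBytes=%d{respsize}\treferer=%s{ereferer}"
    r"\thostname=%s{ehost}\trespcode=%s{respcode}\turl=%s{eurl}"
)

# The characters the guide enters under "Feed Escape Character" (,\"). Assumption of
# this example: NSS prefixes each of them with a backslash inside field values.
ESCAPE_CHARS = ',\\"'

# Constructed sample record; keys match the {field} tokens. The comma in the referer
# is there to exercise the escape handling.
SAMPLE_RECORD = {
    "mon": "Feb", "dd": 5, "hh": 9, "mm": 3, "ss": 7,
    "reason": "Allowed", "action": "Allowed",
    "cip": "10.1.2.3", "sip": "203.0.113.10", "login": "alice@example.com",
    "reqsize": 512, "respsize": 2048,
    "ereferer": "https://intranet.example.com/start,page",
    "ehost": "www.example.com", "respcode": "200", "eurl": "www.example.com/index.html",
}

# One format token: %s{f}, %d{f}, %02d{f}, %ld{f} or %f{f}
TOKEN_RE = re.compile(r"%(?P<width>0?\d*)(?P<conv>ld|s|d|f)\{(?P<field>[^}]+)\}")

# The regex the guide enters as the QRadar custom event property for Referrer URL.
REFERER_RE = re.compile(r"referer=([^\t]+)")


def escape_value(value: str) -> str:
    """Backslash-escape the characters configured as Feed Escape Characters."""
    return "".join("\\" + ch if ch in ESCAPE_CHARS else ch for ch in value)


def render_feed(template: str, record: dict) -> str:
    """Expand the NSS tokens against a record, producing the line QRadar receives."""
    def substitute(m):
        value = record[m.group("field")]
        conv, width = m.group("conv"), m.group("width")
        if conv == "s":
            return escape_value(str(value))
        if conv == "f":
            return format(float(value), width + "f")
        return format(int(value), width + "d")      # %d, %02d and %ld
    # Turn the literal \t sequences into tabs first, then fill in the tokens.
    return TOKEN_RE.sub(substitute, template.replace(r"\t", "\t"))


def parse_leef(line: str):
    """Split a rendered line into LEEF header fields and its key=value attributes."""
    body = line.split("LEEF:1.0|", 1)[1]
    vendor, product, version, event_id, attrs = body.split("|", 4)
    header = {"vendor": vendor, "product": product, "version": version, "event_id": event_id}
    fields = {}
    for pair in attrs.split("\t"):
        key, _, raw = pair.partition("=")
        fields[key] = re.sub(r"\\(.)", r"\1", raw)   # undo the escape characters
    return header, fields


def extract_property(line: str, regex: "re.Pattern") -> str:
    """Apply a QRadar-style extraction regex; returns the raw (still escaped) capture."""
    m = regex.search(line)
    return m.group(1) if m else ""


if __name__ == "__main__":
    rendered = render_feed(WEB_LOG_FORMAT, SAMPLE_RECORD)
    print(rendered.replace("\t", "\\t"))
    hdr, flds = parse_leef(rendered)
    print(hdr)
    print("parsed referer:   ", flds["referer"])
    print("property capture: ", extract_property(rendered, REFERER_RE))
```

Two things the run shows: the custom property regex hands QRadar the raw capture, so a referer containing an escaped comma arrives with the backslash still in it; and because the regex stops at the first tab while tab is not among the escape characters, a field value that contained a tab would shift every later field, which is why the templates use the encoded %s{eurl} and %s{ereferer} fields.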


Cloud NSS
To configure Cloud NSS and QRadar:

1. In QRadar, install the RPM Files. Cloud NSS deployment requires two RPM files from QRadar: HTTP Receiver Protocol
and Zscaler NSS DSM (Device Support Module). If you previously enabled automatic updates for your QRadar
deployment, you are not required to manually install the files. To manually install the RPM files:
a. Download the updated RPM files for your version of QRadar from IBM Support Fix Central:
i. (Optional) Under Find Product, configure the filters to narrow your search, then click Continue.

Figure 19. IBM Support Fix Central Product Selector

ii. In the search bar, enter zscalernss to find the respective RPM files for download.

Figure 20. IBM Support Fix Central search


b. Install the RPM files in QRadar:


i. Log in to the QRadar host as the root user.
ii. Go to the directory that has the downloaded RPM files.
iii. Install the RPM files using the following command:
yum -y install <rpm_filename>

iv. Log in to the QRadar Console.


v. Go to the Admin tab and click Deploy Changes.

Figure 21. Admin page in QRadar Console with Deploy Changes button

2. In QRadar, add Zscaler NSS as a Log Source. If the log source is not automatically discovered, you can manually add
Zscaler NSS as a log source using the QRadar Log Source Management app.

Note: For QRadar 7.3.3 to 7.5.0, you can also add a log source in QRadar by using the Log Sources icon. To learn more, refer to the IBM documentation.

To add a log source:


a. From the QRadar Console, go to Admin > Apps > QRadar Log Source Management.
b. Click QRadar Log Source Management to open the app. The IBM QRadar Log Source Management window
appears.

Figure 22. QRadar Log Source Management app


c. In the IBM QRadar Log Source Management window, select Log Sources.

Figure 23. Log Sources in the QRadar Console

d. On the right side of the screen, click + New Log Source.

Figure 24. New Log Source button in QRadar Console

e. Select Single Log Source. The Add a Single Log Source wizard appears.

Figure 25. Adding a single Log Source in QRadar Console

f. In the Add a Single Log Source wizard, select a Log Source type:
i. In the search bar, enter zscaler Nss.
ii. Select Zscaler Nss from the drop-down menu.
iii. Click Step 2: Select Protocol Type.


Figure 26. Selecting Zscaler NSS Log Source in QRadar Console

g. Select HTTP Receiver as the protocol type, then click Step 3: Configure Log Source Parameters.

Figure 27. Selecting HTTP Receiver protocol type in QRadar Console


h. Configure the Log Source parameters, then click Step 4: Configure Protocol Parameters. The following fields
are required (scroll down to see all parameters):
• Name: Enter a name.
• Groups: Select a group.
• Language: Select a language.
• Target Event Collector: Select the appliance to collect events from Zscaler.

Note: For QRadar on Cloud, the appliance is your Data Gateway. To learn more, refer to the IBM documentation.

• Disconnected Log Collector: Select a disconnected log collector if available on your QRadar deployment.
• Credibility: Assign a value from 1 to 10. The default value is 5.

Figure 28. Configuring Log Source parameters in QRadar Console


i. Configure the protocol parameters (scroll down to see all parameters), then click Step 5: Test Protocol
Parameters:
• Log Source Identifier: Enter the IP address of the Zscaler host that sends the logs to QRadar.
• Incoming Payload Encoding: Select an encoding type. UTF-8 is selected by default.
j. Click Finish.

Note: Contact Zscaler Support to request the IP address.

Figure 29. Configuring HTTP Receiver protocol parameters in QRadar Console

Note: To learn more about HTTP Receiver log source parameters for Zscaler NSS, refer to the IBM documentation.


k. (Optional) Click Start Test. To fix any errors, click Configure Protocol Parameters.
l. When you complete testing, click Finish.

Figure 30. Testing HTTP Receiver protocol parameters in QRadar Console

m. Go to the Admin tab and click Deploy Changes.


3. In QRadar, add a Public CA Certificate. Cloud NSS requires a public CA-signed certificate for your QRadar system to
receive logs. To add a certificate to the HTTP Receiver certificate chain, refer to the IBM documentation for specific
configuration information to complete the following steps:
a. Ensure your PKCS12 file has all required certificates, including:
• Certificate private key.
• Endpoint certificate.
• Any intermediate certificates.
b. Concatenate your PKCS12 file.
c. Import the PKCS12 certificate to use with the HTTP Receiver.
d. Disable and re-enable the log source to allow the certificates to take effect.
4. Verify your setup in QRadar. To ensure the HTTP Receiver is listening on the port you set up, use the openssl
command and the Listen Port. In the following example, the Listen Port is 12469.
openssl s_client -connect localhost:12469

Note: For examples of certificate setups, refer to the IBM documentation.
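The openssl s_client check above confirms that something answers on the Listen Port, but by default s_client still completes the handshake when the chain is untrusted, so it does not by itself confirm the public CA requirement from step 3. The following Python script is an added example, not code from the guide or from IBM or Zscaler. It opens a TLS connection with the system CA bundle and hostname verification enabled and classifies the result: unreachable (nothing listening), untrusted chain (typically a missing intermediate in the PKCS12 file), another TLS error, or OK with the leaf certificate's subject, issuer and days to expiry. Pass the host name the certificate is issued for (the host in the API URL from step 5) rather than localhost, since hostname verification is on; the default port, the certificate summary layout and the 86400-second day arithmetic are assumptions of the example.

```python
import socket
import ssl
import time


def common_name(name):
    """Pull commonName out of the nested tuples getpeercert() uses for subject/issuer."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def days_until_expiry(not_after, now_ts=None):
    """Whole days left on a certificate, given its getpeercert() 'notAfter' string."""
    expires_ts = ssl.cert_time_to_seconds(not_after)   # parses "Feb  5 09:03:07 2025 GMT"
    if now_ts is None:
        now_ts = time.time()
    return int((expires_ts - now_ts) // 86400)


def describe_cert(cert, now_ts=None):
    """Summarise the leaf certificate dict returned by getpeercert()."""
    return {
        "subject_cn": common_name(cert.get("subject", ())),
        "issuer_cn": common_name(cert.get("issuer", ())),
        "not_after": cert.get("notAfter", ""),
        "days_left": days_until_expiry(cert["notAfter"], now_ts) if "notAfter" in cert else None,
    }


def check_receiver(host, port, timeout=5.0):
    """Connect to the HTTP Receiver's TLS port the way a verifying client would.

    Returns a dict whose 'status' is one of 'ok', 'untrusted_chain', 'tls_error'
    or 'unreachable'; on 'ok' the certificate summary is included.
    """
    ctx = ssl.create_default_context()          # system CA bundle, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:     # most specific first: it is an OSError too
        return {"status": "untrusted_chain", "detail": exc.verify_message}
    except ssl.SSLError as exc:
        return {"status": "tls_error", "detail": str(exc)}
    except OSError as exc:                          # refused, timed out, no route
        return {"status": "unreachable", "detail": str(exc)}
    result = {"status": "ok"}
    result.update(describe_cert(cert))
    return result


if __name__ == "__main__":
    import sys
    # Usage: python check_receiver.py your-qradar-data-collector.com 12469
    target_host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 12469
    print(check_receiver(target_host, target_port))
```

An 'untrusted_chain' result with a verify message about the first certificate or an unknown issuer is the signature of an incomplete PKCS12 bundle; re-import it with the intermediates (step 3a) and disable and re-enable the log source (step 3d) before running the check again.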


5. In the ZIA Admin Portal, add a Cloud NSS Feed. To add a Cloud NSS Feed, see Adding Cloud NSS Feeds
(government agencies, see Adding Cloud NSS Feeds) and select the type of feed (e.g., Web Log) to configure. The
following fields require specific inputs:
• SIEM Type: Select Other.
• API URL: Enter the URL of the configured HTTP Receiver (e.g., https://your-qradar-data-collector.com:12469).
• HTTP Headers: QRadar does not require a specific key and value, but to save your configuration in the ZIA Admin
Portal, enter placeholder text. For example:
• Key 1: Enter header1.
• Value 1: Enter IBMQR.
• Feed Output Type: Select Custom.
• Feed Escape Character: Enter ,\"


• Feed Output Format: See the following output formats by log type.
• For NSS Feeds for Web Logs (government agencies, see NSS Feeds for Web Logs), replace the pre-
populated text with the following:
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss: LEEF:1.0|Zscaler|NSS|4.1|%s{reason}|cat=%s{action}\tdevTime=%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} %s{tz}\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tsrc=%s{cip}\tdst=%s{sip}\tsrcPostNAT=%s{cintip}\trealm=%s{location}\tusrName=%s{login}\tsrcBytes=%d{reqsize}\tdstBytes=%d{respsize}\trole=%s{dept}\tpolicy=%s{reason}\trecordid=%d{recordid}\tbwthrottle=%s{bwthrottle}\tuseragent=%s{ua}\treferer=%s{ereferer}\thostname=%s{ehost}\tappproto=%s{proto}\turlcategory=%s{urlcat}\turlsupercategory=%s{urlsupercat}\turlclass=%s{urlclass}\tappclass=%s{appclass}\tappname=%s{appname}\tmalwaretype=%s{malwarecat}\tmalwareclass=%s{malwareclass}\tthreatname=%s{threatname}\triskscore=%d{riskscore}\tdlpdict=%s{dlpdict}\tdlpeng=%s{dlpeng}\tfileclass=%s{fileclass}\tfiletype=%s{filetype}\treqmethod=%s{reqmethod}\trespcode=%s{respcode}\tbamd5=%s{bamd5}\turl=%s{eurl}

Figure 31. Cloud NSS feed for web logs configured for IBM QRadar SIEM


• For NSS Feeds for Firewall Logs (government agencies, see NSS Feeds for Firewall Logs), replace the pre-
populated text with the following:
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss: LEEF:1.0|Zscaler|NSS-FW|6.0|%s{action}|usrName=%s{login}\trole=%s{dept}\trealm=%s{location}\tsrc=%s{csip}\tdst=%s{cdip}\tsrcPort=%d{csport}\tdstPort=%d{cdport}\tdstPreNATPort=%d{cdport}\tsrcPreNATPort=%d{csport}\tdstPostNATPort=%d{sdport}\tsrcPostNATPort=%d{ssport}\tsrcPreNAT=%s{csip}\tdstPreNAT=%s{cdip}\tsrcPostNAT=%s{ssip}\tdstPostNAT=%s{sdip}\ttsip=%s{tsip}\ttsport=%d{tsport}\tttype=%s{ttype}\tcat=nss-fw\tdnat=%s{dnat}\tstateful=%s{stateful}\taggregate=%s{aggregate}\tnwsvc=%s{nwsvc}\tnwapp=%s{nwapp}\tproto=%s{ipproto}\tipcat=%s{ipcat}\tdestcountry=%s{destcountry}\tavgduration=%ld{avgduration}\trulelabel=%s{rulelabel}\tdstBytes=%ld{inbytes}\tsrcBytes=%ld{outbytes}\tduration=%d{duration}\tdurationms=%d{durationms}\tnumsessions=%d{numsessions}

Figure 32. Cloud NSS feed for firewall logs configured for IBM QRadar SIEM


• For NSS Feeds for DNS Logs (government agencies, see NSS Feeds for DNS Logs), replace the pre-populated
text with the following:
%s{mon} %02d{dd} %02d{hh}:%02d{mm}:%02d{ss} zscaler-nss:LEEF:1.0|Zscaler|NSS-FW|6.0|%s{reqaction}|usrName=%s{login}\tdevTime=%s{mon} %02d{dd} %d{yy} %02d{hh}:%02d{mm}:%02d{ss} %s{tz}\tdevTimeFormat=MMM dd yyyy HH:mm:ssz\trole=%s{dept}\trealm=%s{location}\treqaction=%s{reqaction}\tresaction=%s{resaction}\tcat=nss-dns\treqrulelabel=%s{reqrulelabel}\tresrulelabel=%s{resrulelabel}\tdnsReqtype=%s{reqtype}\tdnsReq=%s{req}\tdnsResp=%s{res}\tdstPort=%d{sport}\tdurationms=%d{durationms}\tsrc=%s{cip}\tdst=%s{sip}\tcategory=%s{domcat}\tdeviceowner=%s{deviceowner}\tdevicehostname=%s{devicehostname}\trecordid=%d{recordid}\tdatacenter=%s{datacenter}\tdatacentercity=%s{datacentercity}\tdatacentercountry=%s{datacentercountry}

Figure 33. Cloud NSS feed for DNS logs configured for IBM QRadar SIEM


6. Test the connectivity to QRadar:


a. From the Cloud NSS Feeds page, click Test Connectivity.

Figure 34. Test Connectivity icon on the Cloud NSS Feeds page in the ZIA Admin Portal

b. If the test is successful, the following message is displayed: Test Connectivity Successful: OK-Success (200). If you require further assistance after deployment, contact Zscaler Support.


ZPA Logs
Zscaler Private Access (ZPA) sends its logs securely to QRadar via the Log Streaming Service (LSS). LSS is deployed using
two components: a log receiver and a ZPA App Connector. LSS resides in ZPA and initiates a log stream through a ZPA
Public Service Edge. The App Connector resides in your company’s enterprise environment. It receives the log stream and
then forwards it to a log receiver.

Figure 35. ZPA integration architecture

For details on setting up the LSS log receiver, see About the Log Streaming Service (government agencies, see About the
Log Streaming Service).

QRadar parses ZPA's User Status, User Activity, App Connector Status, and Audit logs.

For details on the fields that these log types provide, see:

• About User Activity Log Fields (government agencies, see About User Activity Log Fields).
• About User Status Log Fields (government agencies, see About User Status Log Fields).
• About Audit Log Fields (government agencies, see About Audit Log Fields).
• About App Connector Status Log Fields (government agencies, see About App Connector Status Log Fields).


To send events to IBM QRadar, direct each log stream to the IP address of your IBM QRadar instance and configure each
log type in LEEF format, using the log stream content shown below for that log type.

Log in to the ZPA Admin Portal and go to Configuration & Control > Private Infrastructure > Log Receivers.

Figure 36. Log Receivers


User Status Logs


1. Log Type: User Status
2. Log Stream Content: Enter the following:
<166>%s{LogTimestamp:time} zpa-lss LEEF:1.0|Zscaler|ZPA|4.1|%s{SessionStatus}|cat=ZPA User Status\tCustomer=%s{Customer}\tusrName=%s{Username}\tSessionID=%s{SessionID}\tSessionStatus=%s{SessionStatus}\tVersion=%s{Version}\tZEN=%s{ZEN}\tCertificateCN=%s{CertificateCN}\tsrcPreNAT=%s{PrivateIP}\tsrc=%s{PublicIP}\tLatitude=%f{Latitude}\tLongitude=%f{Longitude}\tCountryCode=%s{CountryCode}\tTimestampAuthentication:iso8601=%s{TimestampAuthentication:iso8601}\tTimestampUnAuthentication:iso8601=%s{TimestampUnAuthentication:iso8601}\tdstBytes=%d{TotalBytesRx}\tsrcBytes=%d{TotalBytesTx}\tIdp=%s{Idp}\tidentHostName=%s{Hostname}\tPlatform=%s{Platform}\tClientType=%s{ClientType}\tTrustedNetworks=%s(,){TrustedNetworks}\tTrustedNetworksNames=%s(,){TrustedNetworksNames}\tSAMLAttributes=%s{SAMLAttributes}\tPosturesHit=%s(,){PosturesHit}\tPosturesMiss=%s(,){PosturesMiss}\tZENLatitude=%f{ZENLatitude}\tZENLongitude=%f{ZENLongitude}\tZENCountryCode=%s{ZENCountryCode}\n

Figure 37. User Status Log Stream


App Connector Logs


1. Log Type: App Connector Status
2. Log Stream Content: Enter the following:
<166>%s{LogTimestamp:time} zpa-lss LEEF:1.0|Zscaler|ZPA|4.1|%s{SessionStatus}|cat=Connector Status\tCustomer=%s{Customer}\tSessionID=%s{SessionID}\tSessionType=%s{SessionType}\tVersion=%s{Version}\tPlatform=%s{Platform}\tZEN=%s{ZEN}\tConnector=%s{Connector}\tConnectorGroup=%s{ConnectorGroup}\tsrcPreNAT=%s{PrivateIP}\tsrc=%s{PublicIP}\tLatitude=%f{Latitude}\tLongitude=%f{Longitude}\tCountryCode=%s{CountryCode}\tTimestampAuthentication:iso8601=%s{TimestampAuthentication:iso8601}\tTimestampUnAuthentication:iso8601=%s{TimestampUnAuthentication:iso8601}\tCPUUtilization=%d{CPUUtilization}\tMemUtilization=%d{MemUtilization}\tServiceCount=%d{ServiceCount}\tInterfaceDefRoute=%s{InterfaceDefRoute}\tDefRouteGW=%s{DefRouteGW}\tPrimaryDNSResolver=%s{PrimaryDNSResolver}\tHostUpTime=%s{HostUpTime}\tConnectorUpTime=%s{ConnectorUpTime}\tNumOfInterfaces=%d{NumOfInterfaces}\tBytesRxInterface=%d{BytesRxInterface}\tPacketsRxInterface=%d{PacketsRxInterface}\tErrorsRxInterface=%d{ErrorsRxInterface}\tDiscardsRxInterface=%d{DiscardsRxInterface}\tBytesTxInterface=%d{BytesTxInterface}\tPacketsTxInterface=%d{PacketsTxInterface}\tErrorsTxInterface=%d{ErrorsTxInterface}\tDiscardsTxInterface=%d{DiscardsTxInterface}\tTotalBytesRx=%d{TotalBytesRx}\tTotalBytesTx=%d{TotalBytesTx}\n

Figure 38. App Connector Log Stream


Audit Logs
1. Log Type: Audit Logs
2. Log Stream Content: Enter the following:
<166>%s{modifiedTime:iso8601} zpa-lss LEEF:1.0|Zscaler|ZPA|4.1|%s{auditOperationType}|cat=ZPA_Audit_Log\tcreationTime=%s{creationTime:iso8601}\trequestId=%s{requestId}\tsessionId=%s{sessionId}\tauditOldValue=%s{auditOldValue}\tauditNewValue=%s{auditNewValue}\tauditOperationType=%s{auditOperationType}\tobjectType=%s{objectType}\tobjectName=%s{objectName}\tobjectId=%d{objectId}\taccountName=%d{customerId}\tusrName=%s{modifiedByUser}\n

Figure 39. Audit Log Stream


User Activity Logs


1. Log Type: User Activity
2. Log Stream Content: Enter the following:
<166>%s{LogTimestamp:time} zpa-lss LEEF:1.0|Zscaler|ZPA|4.1|%s{ConnectionStatus}%s{InternalReason}|cat=ZPA User Activity\t\tCustomer=%s{Customer}\tSessionID=%s{SessionID}\tConnectionID=%s{ConnectionID}\tInternalReason=%s{InternalReason}\tConnectionStatus=%s{ConnectionStatus}\tproto=%d{IPProtocol}\tDoubleEncryption=%d{DoubleEncryption}\tusrName=%s{Username}\tdstPort=%d{ServicePort}\tsrc=%s{ClientPublicIP}\tsrcPreNAT=%s{ClientPrivateIP}\tClientLatitude=%f{ClientLatitude}\tClientLongitude=%f{ClientLongitude}\tClientCountryCode=%s{ClientCountryCode}\tClientZEN=%s{ClientZEN}\tpolicy=%s{Policy}\tConnector=%s{Connector}\tConnectorZEN=%s{ConnectorZEN}\tConnectorIP=%s{ConnectorIP}\tConnectorPort=%d{ConnectorPort}\tApplicationName=%s{Host}\tApplicationSegment=%s{Application}\tAppGroup=%s{AppGroup}\tServer=%s{Server}\tdst=%s{ServerIP}\tServerPort=%d{ServerPort}\tPolicyProcessingTime=%d{PolicyProcessingTime}\tServerSetupTime=%d{ServerSetupTime}\tTimestampConnectionStart:iso8601=%s{TimestampConnectionStart:iso8601}\tTimestampConnectionEnd:iso8601=%s{TimestampConnectionEnd:iso8601}\tTimestampCATx:iso8601=%s{TimestampCATx:iso8601}\tTimestampCARx:iso8601=%s{TimestampCARx:iso8601}\tTimestampAppLearnStart:iso8601=%s{TimestampAppLearnStart:iso8601}\tTimestampZENFirstRxClient:iso8601=%s{TimestampZENFirstRxClient:iso8601}\tTimestampZENFirstTxClient:iso8601=%s{TimestampZENFirstTxClient:iso8601}\tTimestampZENLastRxClient:iso8601=%s{TimestampZENLastRxClient:iso8601}\tTimestampZENLastTxClient:iso8601=%s{TimestampZENLastTxClient:iso8601}\tTimestampConnectorZENSetupComplete:iso8601=%s{TimestampConnectorZENSetupComplete:iso8601}\tTimestampZENFirstRxConnector:iso8601=%s{TimestampZENFirstRxConnector:iso8601}\tTimestampZENFirstTxConnector:iso8601=%s{TimestampZENFirstTxConnector:iso8601}\tTimestampZENLastRxConnector:iso8601=%s{TimestampZENLastRxConnector:iso8601}\tTimestampZENLastTxConnector:iso8601=%s{TimestampZENLastTxConnector:iso8601}\tZENTotalBytesRxClient=%d{ZENTotalBytesRxClient}\tZENBytesRxClient=%d{ZENBytesRxClient}\tZENTotalBytesTxClient=%d{ZENTotalBytesTxClient}\tZENBytesTxClient=%d{ZENBytesTxClient}\tZENTotalBytesRxConnector=%d{ZENTotalBytesRxConnector}\tZENBytesRxConnector=%d{ZENBytesRxConnector}\tZENTotalBytesTxConnector=%d{ZENTotalBytesTxConnector}\tZENBytesTxConnector=%d{ZENBytesTxConnector}\tIdp=%s{Idp}\n

Figure 40. User Activity Log Stream
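Each ZPA stream above arrives at the receiver as three layers: a syslog priority and header (<166>, timestamp, the zpa-lss host tag), a pipe-delimited LEEF:1.0 header (vendor, product, version, event ID), and tab-delimited key=value attributes. The following Python parser is an added example, not Zscaler's or IBM's code, that peels those layers apart the way a receiver must, including the empty token produced by the \t\t in the User Activity format and the integer typing of the fields that format renders with %d. The sample event is constructed by hand from a subset of the User Activity fields above; its status value, names and addresses are illustrative, and the timestamp uses an ISO-style rendering for readability (the parser finds the host by locating the LEEF payload rather than by counting spaces, so timestamps containing spaces also work).

```python
"""Parse one ZPA Log Streaming Service event as a LEEF receiver must.

Added example, not Zscaler's or IBM's code. SAMPLE_EVENT is constructed from
a subset of the User Activity fields in this guide; every value is illustrative.
"""
import re

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)

# Attributes the User Activity format renders with %d, so they are safe to type as int.
INT_FIELDS = {
    "proto", "DoubleEncryption", "dstPort", "ConnectorPort", "ServerPort",
    "PolicyProcessingTime", "ServerSetupTime",
    "ZENTotalBytesRxClient", "ZENBytesRxClient", "ZENTotalBytesTxClient", "ZENBytesTxClient",
    "ZENTotalBytesRxConnector", "ZENBytesRxConnector",
    "ZENTotalBytesTxConnector", "ZENBytesTxConnector",
}

SYSLOG_FACILITIES = {16 + i: f"local{i}" for i in range(8)}  # local0..local7 (codes 16..23)

# Constructed sample event: a subset of the User Activity stream with illustrative values.
SAMPLE_EVENT = (
    "<166>2024-02-05T09:07:03.000Z zpa-lss "
    "LEEF:1.0|Zscaler|ZPA|4.1|open|cat=ZPA User Activity\t\tCustomer=Example Corp"
    "\tSessionID=abc123\tConnectionID=abc123-1\tInternalReason=\tConnectionStatus=open"
    "\tproto=6\tDoubleEncryption=0\tusrName=jdoe@example.com\tdstPort=443"
    "\tsrc=203.0.113.10\tsrcPreNAT=10.1.2.3\tpolicy=Allow Finance Apps"
    "\tApplicationName=finance.example.internal\tdst=10.20.30.40\tServerPort=443"
    "\tZENTotalBytesRxClient=1024\tZENTotalBytesTxClient=4096\n"
)


def parse_zpa_leef(line: str) -> dict:
    """Return the syslog parts, LEEF header and attribute dictionary of one LSS event."""
    m = PRI_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("event does not start with a syslog <PRI>")
    pri = int(m.group("pri"))
    rest = m.group("rest")
    # The syslog header is everything before the LEEF payload; its last word is the host.
    idx = rest.find("LEEF:1.0|")
    if idx < 0:
        raise ValueError("payload is not LEEF 1.0")
    timestamp, _, host = rest[:idx].rstrip().rpartition(" ")
    payload = rest[idx:]
    # Five pipe-delimited header fields; everything after the fifth '|' is attributes.
    _leef, vendor, product, version, event_id, attrs = payload.split("|", 5)
    fields = {}
    for item in attrs.split("\t"):
        if not item:              # the format's "\t\t" yields an empty token: skip it
            continue
        key, _, value = item.partition("=")
        if key in INT_FIELDS and value.lstrip("-").isdigit():
            fields[key] = int(value)
        else:
            fields[key] = value   # empty string for an attribute with no value
    return {
        "facility": SYSLOG_FACILITIES.get(pri // 8, pri // 8),
        "severity": pri % 8,
        "timestamp": timestamp,
        "host": host,
        "vendor": vendor, "product": product, "version": version,
        "event_id": event_id,
        "fields": fields,
    }


def missing_fields(event: dict, required) -> list:
    """Names from required that the event does not carry; use it to verify a stream before relying on it."""
    return [name for name in required if name not in event["fields"]]


if __name__ == "__main__":
    ev = parse_zpa_leef(SAMPLE_EVENT)
    print(ev["facility"], ev["severity"], ev["host"], ev["event_id"])
    print(ev["fields"]["usrName"], "->", ev["fields"]["ApplicationName"], ev["fields"]["dstPort"])
    print("missing:", missing_fields(ev, ("usrName", "src", "dst", "dstPort", "ServerSetupTime")))
```

Note that the facility/severity decode of <166> gives local4 at severity 6 (informational); if QRadar routes or filters by syslog facility, that is the value to match. The `missing_fields` check is the quick way to confirm, from a single captured event, that the fields a QRadar rule depends on are actually present in the stream you configured.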


Appendix A: Requesting Zscaler Support


If you need Zscaler Support for provisioning certain services or to help troubleshoot configuration and service issues, it is
available 24/7/365.

To contact Zscaler Support:

1. Go to Administration > Settings > Company Profile.

Figure 41. Collecting details to open support case with Zscaler TAC

2. Copy your Company ID.

Figure 42. Company ID


3. With your company ID information, you can open a support ticket. Go to Dashboard > Support > Submit a Ticket.

Figure 43. Submit a ticket
