Zscaler Private Access sample event messages

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: The samples are wrapped for display on this page. Paste each message into a text editor and remove any carriage return or line feed characters before you use it. Keep the tab characters that separate the attributes after the LEEF header: LEEF 1.0 uses a tab as its attribute delimiter, and if the tabs are replaced by spaces QRadar cannot split the payload into fields.

Zscaler Private Access sample message when you use the Syslog protocol

Sample 1: The following sample event message shows that a user is successfully authenticated in Zscaler Private Access (ZPA).

<166>Tue Apr 20 22:23:25 2021 zscaler.privateaccess.test LEEF:1.0|Zscaler|ZPA|4.1|ZPN_STATUS_AUTHENTICATED|cat=ZPA User Status	Customer=Zscaler Test	usrName=testuser2@domain.test	SessionID=VbPnANNR+Ua/B2OHOMwx	SessionStatus=ZPN_STATUS_AUTHENTICATED	Version=2.1.2.81.225296	ZEN=BETA-CA-7987	CertificateCN=aaaaabbbbbccccceeeee1111122222=@domain.test	srcPreNAT=10.2.3.4	src=10.2.2.2	Latitude=44.972686	Longitude=-65.860879	CountryCode=CA	TimestampAuthentication:iso8601=2021-04-20T10:35:15.000Z	TimestampUnAuthentication:iso8601=	dstBytes=175590	srcBytes=109370	Idp=TestIdp	identHostName=ws1client1	Platform=windows	ClientType=zpn_client_type_zapp	TrustedNetworks=	TrustedNetworksNames=	SAMLAttributes={"FirstName":["testuser2"],"LastName":["testuser2"],"Email":["testuser2@domain.test"]}	PosturesHit=	PosturesMiss=72057767984103498,72057767984103503,72057767984103590,72057767984103745	ZENLatitude=0.000000	ZENLongitude=0.000000	ZENCountryCode=
Table 1. Highlighted fields in the Zscaler Private Access event

QRadar field name   Highlighted value in the event payload   Taken from
Event ID            ZPN_STATUS_AUTHENTICATED                 LEEF header (fifth pipe-delimited field)
Event Category      ZPA User Status                          cat attribute
Source IP           10.2.2.2                                 src attribute
PreNat IP           10.2.3.4                                 srcPreNAT attribute
Username            testuser2@domain.test                    usrName attribute
Device Time         Tue Apr 20 22:23:25 2021                 syslog header timestamp

Sample 2: The following sample event message shows that an App Connector is successfully authenticated in ZPA. The event ID is ZPN_STATUS_AUTHENTICATED in both samples; the App Connector event is distinguished by its event category (cat=Connector Status) and by the absence of a usrName attribute.

<166>Tue Apr 20 22:23:19 2021 zscaler.privateaccess.test LEEF:1.0|Zscaler|ZPA|4.1|ZPN_STATUS_AUTHENTICATED|cat=Connector Status	Customer=Zscaler Test	SessionID=0FQhOAfbQ4yWYSAAUrUn	SessionType=ZPN_ASSISTANT_BROKER_CONTROL	Version=21.88.1	Platform=el7	ZEN=BETA-CA-1234	Connector=AWS Connector account-1	ConnectorGroup=Connector Group1	srcPreNAT=10.3.4.3	src=192.168.2.2	Latitude=44.972686	Longitude=-65.860879	CountryCode=CA	TimestampAuthentication:iso8601=2021-04-20T13:19:19.154Z	TimestampUnAuthentication:iso8601=	CPUUtilization=1	MemUtilization=17	ServiceCount=2	InterfaceDefRoute=ens5	DefRouteGW=10.79.0.1	PrimaryDNSResolver=10.11.11.11	HostUpTime=1587783907	ConnectorUpTime=1618924759	NumOfInterfaces=2	BytesRxInterface=80385754338	PacketsRxInterface=824116164	ErrorsRxInterface=0	DiscardsRxInterface=0	BytesTxInterface=65456179168	PacketsTxInterface=683050042	ErrorsTxInterface=0	DiscardsTxInterface=0	TotalBytesRx=688700	TotalBytesTx=1101224
Table 2. Highlighted fields in the Zscaler Private Access event

QRadar field name   Highlighted value in the event payload   Taken from
Event ID            ZPN_STATUS_AUTHENTICATED                 LEEF header (fifth pipe-delimited field)
Event Category      Connector Status                         cat attribute
Source IP           192.168.2.2                              src attribute
PreNat IP           10.3.4.3                                 srcPreNAT attribute
Device Time         Tue Apr 20 22:23:19 2021                 syslog header timestamp
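As an added worked example (not IBM's or Zscaler's code), the following Python script parses both samples above the way a collector would: it splits the syslog header, the LEEF 1.0 header and the tab-delimited attribute list, and returns the fields that the two tables say QRadar highlights. It also strips stray CR/LF characters, which is the copy-and-paste problem the note at the top of the page warns about, rejects a payload whose tabs were turned into spaces, decodes the SAMLAttributes JSON, and splits the syslog PRI value (166 is facility 20, local4, severity 6, informational). The two sample strings are the page's own messages with the tab delimiters written as \t; the function names and the keys of the returned dictionaries are this example's own choices, not QRadar property names.

```python
"""Parse the ZPA LEEF 1.0 syslog samples above and recover the QRadar-mapped fields."""
import json
import re
from datetime import datetime

# Syslog PRI, BSD-style timestamp and host name, followed by the LEEF record.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>"
    r"(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<host>\S+) (?P<leef>LEEF:.*)$"
)

# Sample 1 and Sample 2 from this page, with the tab delimiters written as \t.
SAMPLE_USER = (
    "<166>Tue Apr 20 22:23:25 2021 zscaler.privateaccess.test LEEF:1.0|Zscaler|ZPA|4.1|"
    "ZPN_STATUS_AUTHENTICATED|cat=ZPA User Status\tCustomer=Zscaler Test\tusrName=testuser2@domain.test\t"
    "SessionID=VbPnANNR+Ua/B2OHOMwx\tSessionStatus=ZPN_STATUS_AUTHENTICATED\tVersion=2.1.2.81.225296\t"
    "ZEN=BETA-CA-7987\tCertificateCN=aaaaabbbbbccccceeeee1111122222=@domain.test\tsrcPreNAT=10.2.3.4\t"
    "src=10.2.2.2\tLatitude=44.972686\tLongitude=-65.860879\tCountryCode=CA\t"
    "TimestampAuthentication:iso8601=2021-04-20T10:35:15.000Z\tTimestampUnAuthentication:iso8601=\t"
    "dstBytes=175590\tsrcBytes=109370\tIdp=TestIdp\tidentHostName=ws1client1\tPlatform=windows\t"
    "ClientType=zpn_client_type_zapp\tTrustedNetworks=\tTrustedNetworksNames=\t"
    'SAMLAttributes={"FirstName":["testuser2"],"LastName":["testuser2"],"Email":["testuser2@domain.test"]}\t'
    "PosturesHit=\tPosturesMiss=72057767984103498,72057767984103503,72057767984103590,72057767984103745\t"
    "ZENLatitude=0.000000\tZENLongitude=0.000000\tZENCountryCode="
)
SAMPLE_CONNECTOR = (
    "<166>Tue Apr 20 22:23:19 2021 zscaler.privateaccess.test LEEF:1.0|Zscaler|ZPA|4.1|"
    "ZPN_STATUS_AUTHENTICATED|cat=Connector Status\tCustomer=Zscaler Test\tSessionID=0FQhOAfbQ4yWYSAAUrUn\t"
    "SessionType=ZPN_ASSISTANT_BROKER_CONTROL\tVersion=21.88.1\tPlatform=el7\tZEN=BETA-CA-1234\t"
    "Connector=AWS Connector account-1\tConnectorGroup=Connector Group1\tsrcPreNAT=10.3.4.3\tsrc=192.168.2.2\t"
    "Latitude=44.972686\tLongitude=-65.860879\tCountryCode=CA\t"
    "TimestampAuthentication:iso8601=2021-04-20T13:19:19.154Z\tTimestampUnAuthentication:iso8601=\t"
    "CPUUtilization=1\tMemUtilization=17\tServiceCount=2\tInterfaceDefRoute=ens5\tDefRouteGW=10.79.0.1\t"
    "PrimaryDNSResolver=10.11.11.11\tHostUpTime=1587783907\tConnectorUpTime=1618924759\tNumOfInterfaces=2\t"
    "BytesRxInterface=80385754338\tPacketsRxInterface=824116164\tErrorsRxInterface=0\tDiscardsRxInterface=0\t"
    "BytesTxInterface=65456179168\tPacketsTxInterface=683050042\tErrorsTxInterface=0\tDiscardsTxInterface=0\t"
    "TotalBytesRx=688700\tTotalBytesTx=1101224"
)


def parse_leef(line):
    """Return the syslog header, LEEF header and attribute map of one ZPA event."""
    # Stray CR/LF from copy-and-paste (the caveat at the top of the page) is dropped first.
    line = line.replace("\r", "").replace("\n", "")
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line carrying a LEEF record")
    # LEEF 1.0 header: LEEF:1.0|Vendor|Product|Version|EventID| followed by the attributes.
    parts = m.group("leef").split("|", 5)
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        raise ValueError("only LEEF 1.0 with tab-delimited attributes is handled here")
    _, vendor, product, version, event_id, attr_text = parts
    # Heuristic guard: no tabs but spaces and several '=' means the tabs became spaces in transit.
    if "\t" not in attr_text and " " in attr_text and attr_text.count("=") > 1:
        raise ValueError("attributes are not tab-delimited; were the tabs replaced by spaces?")
    attributes = {}
    for pair in filter(None, attr_text.split("\t")):
        # Split on the first '=' only: CertificateCN and the SAMLAttributes JSON contain more of them.
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {pair!r}")
        attributes[key] = value  # empty values such as TrustedNetworks= stay ""
    return {
        "pri": int(m.group("pri")), "host": m.group("host"), "device_time": m.group("ts"),
        "timestamp": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "vendor": vendor, "product": product, "version": version,
        "event_id": event_id, "attributes": attributes,
    }


def qradar_fields(event):
    """Map a parsed event onto the fields the two tables say QRadar highlights."""
    a = event["attributes"]
    return {
        "Event ID": event["event_id"], "Event Category": a.get("cat"),
        "Source IP": a.get("src"), "PreNat IP": a.get("srcPreNAT"),
        "Username": a.get("usrName"),  # absent on App Connector events
        "Device Time": event["device_time"],
    }


def saml_attributes(event):
    """Decode the SAMLAttributes JSON (identity claims passed through from the IdP), if present."""
    raw = event["attributes"].get("SAMLAttributes")
    return json.loads(raw) if raw else {}


def syslog_facility_severity(pri):
    """Split a syslog PRI: facility is PRI // 8, severity is PRI % 8 (166 -> 20 local4, 6 info)."""
    return pri >> 3, pri & 7


if __name__ == "__main__":
    for sample in (SAMPLE_USER, SAMPLE_CONNECTOR):
        event = parse_leef(sample)
        print(qradar_fields(event), syslog_facility_severity(event["pri"]), saml_attributes(event))
```

Run it as a script to print the mapped fields for both samples. The guard on the attribute list is there because a message whose tabs were converted to spaces does not fail loudly on its own: it parses as a single cat attribute carrying the rest of the payload, so Source IP and Username come back empty, which is exactly what a broken log source looks like in QRadar.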