Configure ZPA for Arctic Wolf monitoring

You can configure Zscaler Private Access (ZPA)® to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • A ZPA admin account

Configure log receivers

You must configure a separate log receiver for each log type that you want forwarded. Repeat this procedure once for each of these log types: user activity, user status, audit, and browser access.

  1. Sign in to the Zscaler Private Access portal.
  2. Navigate to Configuration & Control > Private Infrastructure > Log Receivers.
  3. Click Add Log Receiver.
  4. On the Edit Log Receiver page, on the Log Receiver tab, configure these settings:
    • Name — Enter a unique and descriptive name.
    • Optional: Description — Enter a description.
    • Domain or IP Address — Enter the IP address or FQDN of your Arctic Wolf Sensor or vLC.
    • TCP Port — Enter 514.
    • TLS Encryption — Make sure that Disabled is selected.
    • App Connector Groups — Select ZPA App Connectors.
  5. Click Next.
  6. On the Log Stream tab, configure these settings:
    • Log Type — Select the log type for the log receiver that you are configuring. For example, select User Activity, User Status, Audit, or Browser Access.
    • Log Template — Select JSON for all log types except Audit. When configuring the Audit log type, select CSV.
  7. Click Next.
  8. Review your changes.
  9. Click Save.
  10. Repeat these steps for each log type.
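Before you hand the details to Arctic Wolf, you can confirm on the receiving side that the receivers are delivering over plain TCP 514 in the templates you selected. The listener below is an added example, not part of this guide or of Zscaler's or Arctic Wolf's tooling; it assumes one record per line, a JSON object per record for the JSON template and a comma-separated row for the CSV (audit) template, and the sample records are constructed.

```python
import csv
import io
import json
import socketserver
from collections import Counter

def classify_line(line: str) -> str:
    """Return 'json', 'csv' or 'unknown' for one received record."""
    text = line.strip()
    if not text:
        return "unknown"
    if text.startswith("{"):
        try:
            if isinstance(json.loads(text), dict):
                return "json"
        except json.JSONDecodeError:
            pass
    row = next(csv.reader(io.StringIO(text)), [])
    return "csv" if len(row) > 1 else "unknown"

def summarize(lines) -> dict:
    """Tally records by template: the user activity, user status and browser
    access receivers should contribute JSON, the audit receiver CSV."""
    counts = Counter(classify_line(line) for line in lines)
    return {
        "json": counts["json"],
        "csv": counts["csv"],
        "unknown": counts["unknown"],
        "all_templates_seen": counts["json"] > 0 and counts["csv"] > 0,
    }

class ZpaLineHandler(socketserver.StreamRequestHandler):
    """Accept one log receiver connection and report what it delivered."""
    def handle(self):
        lines = [raw.decode("utf-8", "replace") for raw in self.rfile]
        print(self.client_address[0], summarize(lines))

# Constructed sample records (assumed shape, not real ZPA output).
SAMPLE_LINES = [
    '{"ts":"2024-01-01T00:00:00Z","user":"alice@example.com","event":"activity"}',
    '{"ts":"2024-01-01T00:00:01Z","user":"bob@example.com","event":"status"}',
    '2024-01-01T00:00:02Z,admin@example.com,Update,LogReceiver',
    'not a template record',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    # TCP 514 is what the receivers point at; binding it needs privileges.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 514), ZpaLineHandler) as srv:
        srv.serve_forever()
```

Run it on the host that will front the sensor during a test window; a connection that shows JSON records but no CSV records means the audit receiver is not delivering, and a high "unknown" count means a receiver was saved with the wrong template.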

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

  Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.