Zscaler ZPA

Connect Zscaler ZPA to Radiant Security to forward user activity, authentication, and application access logs through the Radiant Agent for AI triage.

Zscaler Private Access (ZPA) is a zero trust network access service that brokers user connections to internal applications without exposing them to the public internet, mitigating lateral movement and unauthorized access threats. Connecting ZPA forwards user activity, user status, browser access, AppProtection, and microsegmentation flow logs to Radiant Security through the Radiant Agent. Radiant uses these logs to extract artifacts during Enrichment and to answer triage questions about user access, application activity, and policy violations.

Prerequisites

Add the data connector in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, select Settings > Data Connectors, then click + Add Connector.

  3. Search for and select Radiant Agent, then click Data Feeds.

  4. Under Select your data feeds, select Zscaler ZPA and click Credentials.

  5. In the Credential Name field, enter an identifiable name for the Radiant Agent integration (for example, Radiant Agent integration). To reuse an existing Radiant Agent credential, select it from the drop-down menu.

  6. In the Connector tag field, enter any string. Radiant uses this value as salt when generating the authentication token for your connector.

  7. Click Add Connector.

  8. Click Done to save your changes.

Configure ZPA to forward logs through the Radiant Agent

Zscaler's Log Streaming Service (LSS) forwards events from the ZPA cloud through your on-premises ZPA App Connectors to a log receiver. In this configuration, the Radiant Agent is the log receiver. For background on LSS, see Zscaler's About Log Streaming Service and Configuring Log Receiver documentation.

Before you start, confirm the IP address or hostname of the Radiant Agent and the port configured to receive Zscaler ZPA data. If you do not know the port, contact your Customer Success representative.
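A pre-flight check for the Radiant Agent address and port, as an added example that is not part of Radiant's or Zscaler's documentation: it classifies the endpoint as unreachable, open without TLS, or TLS-capable, so a mismatch with TLS Encryption: Yes shows up before the log receiver is saved. The function name, result labels and script name are assumptions of this example; pass your own agent host and port, and run it from a host on the same network path as your App Connectors.

```python
import socket
import ssl
import sys

# Result labels are this example's own, not Zscaler or Radiant terminology.
ADVICE = {
    "unreachable": "No TCP connection: check agent address, port and firewall path.",
    "tcp_only": "Port open but no TLS handshake: does not match TLS Encryption: Yes.",
    "tls": "TLS handshake completed: consistent with TLS Encryption: Yes.",
}


def probe_receiver(host, port, timeout=5.0):
    """Return 'unreachable', 'tcp_only' or 'tls' for a log receiver endpoint."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"  # refused, filtered, timed out, or DNS failure
    # Handshake probe only: certificate validation is switched off because the
    # question here is whether the listener speaks TLS at all. No log data is sent.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls"
    except OSError:  # ssl.SSLError and socket timeouts are OSError subclasses
        return "tcp_only"
    finally:
        sock.close()


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe_receiver.py <agent-host> <agent-port>")
    state = probe_receiver(sys.argv[1], int(sys.argv[2]))
    print(f"{state}: {ADVICE[state]}")
    sys.exit(0 if state == "tls" else 1)
```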

1. Open the Log Receivers configuration

Log in to the ZPA Admin Portal and navigate to Administration > Log Streaming Service > Log Receivers.

2. Add a new log receiver

Click Add Log Receiver.

3. Configure the log receiver

On the Add Log Receiver page, enter the following:

  • Name: a descriptive name (for example, Radiant Security Log Receiver).

  • Domain or IP Address: the IP address or hostname of the Radiant Agent.

  • Port: the port configured on the Radiant Agent to receive Zscaler ZPA data.

  • TLS Encryption: Yes (recommended).

  • App Connector Groups: ALL.

4. Configure the log stream

On the Log Stream page, enter the following:

  • Log Stream: select User Activity, User Status, Browser Access Logs, AppProtection, and Microsegmentation Flow.

  • Log Template: JSON.

  • Log Stream Content: keep the default.

  • Policy: Any SAML attribute from an IdP. Leave all other tabs at their default settings.

5. Review and save

Click Next to review the configuration, then click Save.

Verify ingestion

After Zscaler ZPA begins forwarding, confirm alerts and events are reaching Radiant.

  1. In Radiant, navigate to Log Management.

  2. Filter by rs_connectorType:"zscaler_zpa".

  3. Confirm recent alerts and events appear.

Allow several minutes for alerts and events to be parsed, indexed, and available for search.
