Azure Sentinel + Zscaler

Hi,

We have successfully connected Sentinel with Zscaler and so far the logs that are getting ingested into the workspace are more or less the urls that are getting allowed/blocked. Is there anything else that needs to be done to get more logs or any documentation that could help us do it? 

If it is not too much to ask, can the status of the machine (active/inactive, last connected time, etc.) be ingested as well, so that we can create a playbook for the respective IT teams to take action on it?

Any help with regard to this will be of great help to us!

Thanks

1 Reply

@Pranesh1060 

Hi

Did you see step two here https://help.zscaler.com/zia/zscaler-microsoft-azure-sentinel-deployment-guide?

It looks like you configure the feed/format, and if you are only getting URLs then maybe a feed is missing or the format isn't sending everything.
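A quick way to confirm which Zscaler feeds are actually arriving before reconfiguring NSS, as an added example that is not part of the original thread: the Zscaler connector lands events in the CommonSecurityLog table with DeviceVendor "Zscaler", and the DeviceProduct / DeviceEventClassID breakdown shows whether only the web (URL) feed is present. Column names are the standard CEF columns; the 7-day window is an assumption.

```kql
// Inventory of Zscaler feeds reaching the Sentinel workspace over the last 7 days.
// One row per product/event class pair; a result that shows only the web-log
// product suggests a missing feed rather than a parsing problem.
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor == "Zscaler"
| summarize
    Events = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by DeviceProduct, DeviceEventClassID
| order by Events desc
```

If a feed you configured in step two of the deployment guide never appears here, check the NSS feed status on the Zscaler side and the CEF forwarder (the Log Analytics agent host) before assuming the format is wrong.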