ZScaler Use Case/Rule Recommendations


Hi Guys

I am new to the Sentinel family. We have recently set up the Zscaler connector and can see the NSS for Web logs arriving in Azure Sentinel. Any suggestions on which rules/use cases we can best set up to get the max out of the logs coming in, and how we can set them up?

Thanks

2 Replies

@gsingh_microsoft 

 

Have you enabled the three recommended ones? You can also look at the four workbooks Zscaler provided; you can edit these, see the queries used, and with minimal adaptation create some more rules.

[Image: Annotation 2020-12-17 104550.jpg]


If you do create some, it would be great to share these back on GitHub: Azure/Azure-Sentinel: Cloud-native SIEM for intelligent security analytics for your entire enterpris... (https://github.com/Azure/Azure-Sentinel/)
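
As an added illustration of the "adapt the workbook queries into rules" advice above (this is example code, not a query from the thread, from Zscaler's workbooks, or from the Azure-Sentinel repo): a scheduled analytics rule query over Zscaler NSS web logs in the `CommonSecurityLog` table. It assumes the logs arrive through the CEF connector with `DeviceVendor == "Zscaler"` and `DeviceProduct == "NSSWeblog"`, that blocks are recorded as `DeviceAction == "Blocked"`, and the 50-blocks-per-hour threshold is an arbitrary starting value to tune against your own baseline.

```kql
// Added example: flag users generating an unusual volume of policy-blocked
// web requests in the last hour, grouped with the hosts they were trying
// to reach. Assumptions: CEF ingestion, DeviceVendor/DeviceProduct values and
// the "Blocked" action string as described in the lead-in; threshold is a
// placeholder to tune.
let lookback = 1h;
let threshold = 50;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor == "Zscaler" and DeviceProduct == "NSSWeblog"
| where DeviceAction =~ "Blocked"
| extend Host = tolower(DestinationHostName)
// one row per user and source IP, with a bounded sample of what was blocked
| summarize BlockedCount = count(),
            DistinctHosts = dcount(Host),
            SampleHosts = make_set(Host, 10),
            SampleUrls = make_set(RequestURL, 5),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SourceUserName, SourceIP
| where BlockedCount > threshold
// many distinct hosts in a short window reads more like scanning/beaconing
// than a user clicking the same blocked page repeatedly
| extend HostsPerBlock = round(todouble(DistinctHosts) / BlockedCount, 2)
| order by BlockedCount desc
| project SourceUserName, SourceIP, BlockedCount, DistinctHosts, HostsPerBlock,
          FirstSeen, LastSeen, SampleHosts, SampleUrls
```

Run it first as a hunting query to see what your normal hourly block counts look like, then wire it into a scheduled rule with the frequency and lookback matching `lookback`, mapping `SourceUserName` and `SourceIP` as the Account and IP entities so incidents group per user.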

 

I personally use Zscaler when I am hunting. I join the MDE data and Zscaler data to see which URLs a device/user has surfed to.
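
One way to do the MDE-to-Zscaler join described in the reply above, as an added example that is not the poster's own query: correlate `DeviceNetworkEvents` from Microsoft Defender for Endpoint with Zscaler NSS web logs in `CommonSecurityLog` on user and destination host, within a short time window. It assumes the same CEF field values as above (`DeviceVendor == "Zscaler"`, `DeviceProduct == "NSSWeblog"`), that Zscaler's `SourceUserName` is a UPN-style address whose local part matches the MDE `InitiatingProcessAccountName`, and that a 120-second tolerance between the endpoint event and the proxy log is acceptable; all three are assumptions to adjust for your tenant.

```kql
// Added example: which URLs a device/user surfed to, seen from both the
// endpoint (MDE) and the proxy (Zscaler). Assumptions: username shapes,
// CEF field values and the 120-second correlation window as in the lead-in.
let lookback = 24h;
let window_seconds = 120;
// Endpoint side: normalise the account name and pull the host out of the URL.
let mde = DeviceNetworkEvents
| where TimeGenerated > ago(lookback)
| where isnotempty(RemoteUrl)
| extend User = tolower(InitiatingProcessAccountName),
         Host = tolower(tostring(parse_url(RemoteUrl).Host))
// MDE sometimes records a bare hostname rather than a full URL
| extend Host = iff(isempty(Host), tolower(RemoteUrl), Host)
| project MdeTime = TimeGenerated, DeviceName, User, Host, RemoteIP,
          Process = InitiatingProcessFileName,
          ProcessCmd = InitiatingProcessCommandLine;
// Proxy side: strip the domain suffix from the UPN so it matches MDE's account.
let zs = CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor == "Zscaler" and DeviceProduct == "NSSWeblog"
| extend User = tolower(tostring(split(SourceUserName, "@")[0])),
         Host = tolower(DestinationHostName)
| project ZsTime = TimeGenerated, User, Host, RequestURL, DeviceAction,
          SourceIP, SentBytes, ReceivedBytes;
mde
| join kind=inner zs on User, Host
// keep only pairs that happened close together in time
| where abs(datetime_diff("second", MdeTime, ZsTime)) <= window_seconds
| project MdeTime, ZsTime, DeviceName, User, Host, RequestURL, Process,
          ProcessCmd, DeviceAction, SentBytes, ReceivedBytes
| order by MdeTime asc
```

The value of the join is the extra context each side adds: Zscaler tells you the full URL, the policy verdict and the bytes moved, while MDE tells you which process on which device made the request. Filtering `zs` to `DeviceAction =~ "Blocked"` before the join, or `mde` to a single `DeviceName`, narrows it to the one host or user you are hunting; a request that Zscaler saw but MDE did not (or vice versa) is itself worth a look, and a `kind=leftouter` join from either side will surface those.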