Azure Sentinel + Zscaler
We have successfully connected Sentinel with Zscaler, and so far the logs being ingested into the workspace are more or less the URLs that are getting allowed/blocked. Is there anything else that needs to be done to get more logs, or any documentation that could help us do it?

If it is not too much to ask, can the status of the machine (active/inactive), last connected time, etc. be ingested as well, so that we can create a playbook for the respective IT teams to take action on it?

Any help with regard to this will be of great help to us!
1 Reply
Did you see step two here?

It looks like you configure the feed/format, and if you are only getting URLs then maybe a feed is missing or the format isn't sending everything.
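One way to check which Zscaler feeds are actually reaching the workspace, as an added example that is not part of the thread: this KQL query assumes the Zscaler NSS feed arrives through the CEF connector into Sentinel's CommonSecurityLog table with DeviceVendor set to "Zscaler" (assumption), and breaks the events down by product, event class and activity so a missing feed stands out.

```kql
// Added example, not from the thread. Assumes the Zscaler feed lands in
// CommonSecurityLog via the CEF/Syslog connector with DeviceVendor == "Zscaler".
let lookback = 7d;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor =~ "Zscaler"
// DeviceProduct separates the feeds (e.g. web vs. firewall); DeviceEventClassID
// and Activity show which event classes each configured feed is sending.
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            EventsWithUrl = countif(isnotempty(RequestURL)),
            Actions = make_set(DeviceAction, 10)
    by DeviceProduct, DeviceEventClassID, Activity
| order by DeviceProduct asc, Events desc
```

If only one DeviceProduct appears and nearly every row has EventsWithUrl equal to Events, only the web (URL) feed is configured on the Zscaler side; the other feeds have to be enabled there before anything beyond allowed/blocked URLs can show up in the workspace.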