Azure Sentinel + Zscaler

Brass Contributor



We have successfully connected Sentinel with Zscaler and so far the logs that are getting ingested into the workspace are more or less the urls that are getting allowed/blocked. Is there anything else that needs to be done to get more logs or any documentation that could help us do it? 

If it not too much to ask can a status of the machine active/inactive, last connected time etc be ingested as well so that we can create a playbook for the respective IT teams to take action on it?

Any help wrt to this will be on great help to us!



2 Replies



Did you see step two here

it looks like you configure the feed/format and if you are only getting urls than maybe a feed is missing for the format isnt sending everything.


The data you are looking for like active/inactive, last connected time etc, is all stored in the Zscaler Client Connector Portal. The only data that streams to the NSS is the ZIA (the actual proxy server that processes network traffic from the clients and then to the internet).  Client Connector Portal (formerly known as mobile portal) doesn't do anything with live traffic. I too am anxious to see API opened for the mobile portal to pull similar data that you want. 


It is natural for any proxy server, on prem or in the cloud, to only log transactional details of the actions the proxy took when it processed a web request sent from a proxy client. 


And certainly using the sentinel query budget is lightning faster than waiting on the zsc admin portal to produce any useful report. :p haha