Feb 03 2023 03:59 PM
Hi guys,
I'm looking into connecting my Zscaler environment logs to Sentinel via Zscaler Cloud NSS, which will stream the logs directly to Sentinel without a VM.
Zscaler Cloud NSS is asking for a Sentinel API URL.
Which one should I use? How can I find out?
I think I'm also trying to grasp the entire workflow of this.
Do I need to set up a Function App and write some code that will make the two endpoints talk to each other?
Or do I need to register an app in AAD and grant the permissions to pull/push data?
If I'm totally wrong, what is the method I would need to use instead?
Feb 04 2023 01:39 AM
Hello @LauriK000,
I've just looked into my Sentinel and found that there are 2 connectors available out of the box: Zscaler Internet Access and Zscaler Private Access (neither of them is your case).
So you need to check what options of SIEM integration Zscaler Cloud NSS has.
It can be Syslog forwarding (needs a Syslog forwarder), pulling logs via HTTPS (API requests from a Logic App or Azure Function, for example), or anything else. You can find it in the Zscaler documentation.
When you have verified the available options, you can decide how to proceed.
Feb 05 2023 02:10 PM
Feb 06 2023 01:25 AM
Solution
There is an API, Logs Ingestion API in Azure Monitor - Azure Monitor | Microsoft Learn
Probably this will help.
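The Logs Ingestion API mentioned in this answer is a push model: an AAD app registration (the "register an app and grant permissions" path from the question) gets a token, and the sender POSTs JSON to a Data Collection Endpoint (DCE) under a Data Collection Rule (DCR) that maps the stream into a table. The script below is an added example, not code from the thread or from Microsoft or Zscaler; it builds the token request and the ingestion request so the pieces of that workflow are visible, and it batches records under the documented 1 MB per-request limit. The DCE host, DCR immutable ID, stream name, tenant/app IDs and the sample records are constructed placeholders; the endpoint path and API version follow Microsoft's published Logs Ingestion API documentation, and the token scope is the one that documentation lists.

```python
"""Added example (not from the thread): assemble the requests needed to push
records into Azure Monitor via the Logs Ingestion API.  Everything here runs
offline; only send_batch() would actually contact Azure."""
import json
import urllib.parse
import urllib.request

API_VERSION = "2023-01-01"                           # Logs Ingestion API version per Microsoft docs
MAX_BODY_BYTES = 1_000_000                            # documented per-request body limit (1 MB)
TOKEN_SCOPE = "https://monitor.azure.com//.default"   # scope listed in the Logs Ingestion docs
COMPACT = (",", ":")                                  # compact JSON so size estimates match the wire


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request for the AAD app that has been granted the
    'Monitoring Metrics Publisher' role on the DCR.  Returns (url, form_body)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": TOKEN_SCOPE,
    })
    return url, form


def build_ingest_request(dce_endpoint, dcr_immutable_id, stream_name, records, bearer_token):
    """Build the POST that delivers one batch of records to the DCE/DCR/stream.
    Returns (url, headers, body_bytes); nothing is sent."""
    url = (f"{dce_endpoint.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
           f"/streams/{urllib.parse.quote(stream_name)}?api-version={API_VERSION}")
    headers = {
        "Authorization": f"Bearer {bearer_token}",
        "Content-Type": "application/json",
    }
    body = json.dumps(records, separators=COMPACT).encode("utf-8")
    return url, headers, body


def chunk_records(records, limit=MAX_BODY_BYTES):
    """Split records into batches whose JSON array stays under `limit` bytes.
    The estimate counts each record plus one separator byte, so it errs high."""
    batches, current, size = [], [], 2        # 2 bytes for the enclosing "[]"
    for rec in records:
        enc = len(json.dumps(rec, separators=COMPACT).encode("utf-8")) + 1
        if enc + 2 > limit:
            raise ValueError("single record exceeds the per-request limit")
        if current and size + enc > limit:
            batches.append(current)
            current, size = [], 2
        current.append(rec)
        size += enc
    if current:
        batches.append(current)
    return batches


def send_batch(url, headers, body):
    """Actually POST one batch (not exercised offline).  Returns the HTTP status;
    the API answers 204 on success, and 429/5xx should be retried with backoff."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample records; the field names are illustrative, not the Zscaler NSS schema.
    sample = [
        {"TimeGenerated": "2023-02-06T01:25:00Z", "user": "alice@example.com",
         "url": "example.com/login", "action": "Allowed"},
        {"TimeGenerated": "2023-02-06T01:25:01Z", "user": "bob@example.com",
         "url": "example.net/download", "action": "Blocked"},
    ]
    token_url, _ = build_token_request("<tenant-id>", "<app-client-id>", "<app-secret>")
    print("token endpoint:", token_url)
    for batch in chunk_records(sample):
        url, headers, body = build_ingest_request(
            "https://<dce-name>.<region>-1.ingest.monitor.azure.com",
            "dcr-<immutable-id>", "Custom-ZscalerWeb_CL", batch, "<access-token>")
        print("POST", url, f"({len(body)} bytes)")
```

The DCR's `streamDeclarations` and `dataFlows` decide which custom table the records land in, so the stream name you pass must match a stream declared in that DCR; the AAD app needs the Monitoring Metrics Publisher role on the DCR (not on the workspace), and the DCE endpoint URL is what a third-party sender such as a cloud log forwarder would be given as the "API URL".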