Zscaler Private Access connector for Microsoft Sentinel

The Zscaler Private Access (ZPA) data connector provides the capability to ingest Zscaler Private Access events into Microsoft Sentinel. Refer to Zscaler Private Access documentation for more information.

Connector attributes

| Connector attribute | Description |
| --- | --- |
| Kusto function alias | ZPAEvent |
| Kusto function url | https://aka.ms/sentinel-ZscalerPrivateAccess-parser |
| Log Analytics table(s) | ZPA_CL |
| Data collection rules support | Not currently supported |
| Supported by | Microsoft Corporation |

Query samples

All logs

ZPAEvent
| sort by TimeGenerated

Vendor installation instructions

Note

This data connector depends on a parser based on a Kusto Function to work as expected. Follow these steps to create the Kusto Function alias ZPAEvent.

Note

This data connector has been developed using Zscaler Private Access version 21.67.1.

  1. Install and onboard the agent for Linux or Windows

Install the agent on the server where the Zscaler Private Access logs are forwarded.

Logs from Zscaler Private Access Server deployed on Linux or Windows servers are collected by Linux or Windows agents.

  2. Configure the logs to be collected

Follow the configuration steps below to get Zscaler Private Access logs into Microsoft Sentinel. Refer to the Azure Monitor documentation for more details on these steps. Zscaler Private Access logs are delivered via the Log Streaming Service (LSS). Refer to the LSS documentation for detailed information.

  1. Configure Log Receivers. While configuring a Log Receiver, choose JSON as Log Template.

  2. Download the config file zpa.conf:

     wget -v https://aka.ms/sentinel-zscalerprivateaccess-conf -O zpa.conf

  3. Log in to the server where you have installed the Azure Log Analytics agent.

  4. Copy zpa.conf to the /etc/opt/microsoft/omsagent/workspace_id/conf/omsagent.d/ folder.

  5. Edit zpa.conf as follows:

    a. Specify the port which you have set your Zscaler Log Receivers to forward logs to (line 4).

    b. zpa.conf uses port 22033 by default. Ensure this port is not being used by any other source on your server.

    c. If you would like to change the default port for zpa.conf, make sure that it does not conflict with the default AMA agent ports (for example, CEF uses TCP port 25226 or 25224).

    d. Replace workspace_id with the real value of your Workspace ID (lines 14, 15, 16, 19).

  6. Save changes and restart the Azure Log Analytics agent for Linux service with the following command:

     sudo /opt/microsoft/omsagent/bin/service_control restart
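The edit steps above (set the listener port, check it against other agent ports and existing listeners, replace workspace_id), as an added POSIX shell example; it is not part of the connector or of Zscaler's tooling. The sample config it writes is a constructed stand-in for zpa.conf, the reserved-port list is taken from step 5c, the GUID check on the workspace ID and the names check_port, port_in_use and render_conf are this example's own assumptions, and the final service restart is left to step 6.

```shell
#!/bin/sh
# Prepares a zpa.conf for the Log Analytics agent for Linux: sets the listener
# port, fills in the workspace_id placeholder and rejects ports that collide with
# other agent listeners. The sample config below is constructed for this example.

RESERVED_PORTS="25226 25224"   # CEF listener ports named in the connector doc

# write_sample_conf PATH: writes a constructed stand-in for zpa.conf (not the real file).
write_sample_conf() {
  cat > "$1" <<'EOF'
# constructed stand-in for zpa.conf, not the file behind aka.ms
<source>
  type tcp
  port 22033
  tag oms.api.zpa
</source>
<match oms.api.zpa>
  type out_oms_api
  omsadmin_conf_path /etc/opt/microsoft/omsagent/workspace_id/conf/omsadmin.conf
  cert_path /etc/opt/microsoft/omsagent/workspace_id/certs/oms.crt
</match>
EOF
}

# check_port PORT: fails unless PORT is numeric, in range and not a reserved agent port.
check_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
  for r in $RESERVED_PORTS; do if [ "$1" = "$r" ]; then return 1; fi; done
  return 0
}

# port_in_use PORT: succeeds if a TCP listener is already bound to PORT (needs ss).
port_in_use() {
  command -v ss >/dev/null 2>&1 || return 1
  ss -Hltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
}

# render_conf SRC DST WORKSPACE_ID PORT: writes DST from SRC with both values filled in.
render_conf() {
  check_port "$4" || { echo "invalid or reserved port: $4" >&2; return 1; }
  port_in_use "$4" && { echo "port $4 already has a listener" >&2; return 1; }
  echo "$3" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' \
    || { echo "workspace id is not a GUID: $3" >&2; return 1; }
  sed -e "s/^\([[:space:]]*port[[:space:]]\{1,\}\)[0-9]\{1,\}/\1$4/" \
      -e "s/workspace_id/$3/g" "$1" > "$2"
  ! grep -q workspace_id "$2"   # no placeholder may survive into the rendered file
}
```

Copy the rendered file into the omsagent.d folder from step 4 and restart the agent as in step 6.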

Next steps

For more information, go to the related solution in the Azure Marketplace.