@Rafael Ruales Thanks for reaching out and apologies for delay on this.
Sentinel acts as SIEM and SOAR on basis of data which is being sent to Sentinel Workspace. We rely on different connectors to send us the data in format we can consume and most likely show only the data which are being sent.
So in your scenario, for Zscaler you would have setup a Linux machine as a CEF collector and then forward the logs to Sentinel.
The only delay here should be with the data flow into the Sentinel after any event has happened, any delay in Timegenerated Field should be investigate at service level (ZScaler) as Sentinel would show the data which is being sent.
Let me know if you need any further help.
-----------------------------------------------------------------------------------------------------------------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.