---
title: Zscaler Private Access connector for Microsoft Sentinel
description: Learn how to install the connector Zscaler Private Access to connect your data source to Microsoft Sentinel.
author: cwatson-cat
ms.topic: how-to
ms.date: 08/27/2024
ms.service: microsoft-sentinel
ms.author: cwatson
ms.collection: sentinel-data-connector
---

# Zscaler Private Access connector for Microsoft Sentinel
[!INCLUDE data-connector-deprecation]
The Zscaler Private Access (ZPA) data connector provides the capability to ingest Zscaler Private Access events into Microsoft Sentinel. Refer to Zscaler Private Access documentation for more information.
This is autogenerated content. For changes, contact the solution provider.
## Connector attributes

| Connector attribute | Description |
| --- | --- |
| Kusto function alias | ZPAEvent |
| Kusto function url | https://aka.ms/sentinel-ZscalerPrivateAccess-parser |
| Log Analytics table(s) | ZPA_CL |
| Data collection rules support | Not currently supported |
| Supported by | Microsoft Corporation |
## Query samples

**All logs**

```kusto
ZPAEvent
| sort by TimeGenerated
```
> [!NOTE]
> This data connector depends on a parser based on a Kusto function to work as expected. Follow these steps to create the Kusto function alias, ZPAEvent.

> [!NOTE]
> This data connector has been developed using Zscaler Private Access version 21.67.1.
## Vendor installation instructions

- Install and onboard the agent for Linux or Windows

  Install the agent on the server where the Zscaler Private Access logs are forwarded.

  Logs from a Zscaler Private Access server deployed on Linux or Windows servers are collected by Linux or Windows agents.

- Configure the logs to be collected

  Follow the configuration steps below to get Zscaler Private Access logs into Microsoft Sentinel. Refer to the Azure Monitor documentation for more details on these steps. Zscaler Private Access logs are delivered via the Log Streaming Service (LSS). Refer to the LSS documentation for detailed information.

  - Configure Log Receivers. While configuring a Log Receiver, choose JSON as the Log Template.
  - Download the config file zpa.conf:

    ```bash
    wget -v https://aka.ms/sentinel-zscalerprivateaccess-conf -O zpa.conf
    ```

  - Log in to the server where you have installed the Azure Log Analytics agent.
  - Copy zpa.conf to the `/etc/opt/microsoft/omsagent/workspace_id/conf/omsagent.d/` folder.
  - Edit zpa.conf as follows:

    a. Specify the port that you have configured your Zscaler Log Receivers to forward logs to (line 4).

    b. zpa.conf uses port 22033 by default. Ensure this port isn't being used by any other source on your server.

    c. If you change the default port for zpa.conf, make sure it doesn't conflict with the default AMA agent ports (for example, CEF uses TCP port 25226 or 25224).

    d. Replace workspace_id with the real value of your Workspace ID (lines 14, 15, 16, 19).

  - Save the changes and restart the Azure Log Analytics agent for Linux service with the following command:

    ```bash
    sudo /opt/microsoft/omsagent/bin/service_control restart
    ```
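The edit steps above (set the receiver port on line 4, avoid the CEF ports, fill in the workspace ID), as an added POSIX shell example that is not from the Microsoft or Zscaler documentation. It assumes the downloaded zpa.conf carries the literal token `workspace_id` and the default `22033` on line 4, exactly as the steps describe, and it uses a constructed stand-in file in place of the real download so it can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the Microsoft or Zscaler docs. Assumes zpa.conf
# contains the literal token "workspace_id" and "22033" on line 4 (as the
# steps say). Destination path and restart command are taken from the steps.

CEF_PORTS="25226 25224"   # default AMA/CEF ports the steps warn about

# make_sample_conf DEST: writes a constructed stand-in for zpa.conf (not the
# real file) so the functions below can run offline. Line 4 carries the port.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed stand-in for zpa.conf; the real file is downloaded in the steps
<source>
  type tcp
  port 22033
  tag zpa
</source>
<match zpa>
  workspace workspace_id
  conf /etc/opt/microsoft/omsagent/workspace_id/conf/omsadmin.conf
</match>
EOF
}

# port_is_free PORT: returns 0 only if PORT is numeric, is not one of the
# reserved CEF ports, and is not already listening on TCP (checked via ss).
port_is_free() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    case " $CEF_PORTS " in *" $1 "*) return 1 ;; esac
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$" && return 1
    fi
    return 0
}

# render_zpa_conf SRC DEST WORKSPACE_ID PORT: validates the inputs, then
# writes DEST with the port set on line 4 and every workspace_id filled in.
render_zpa_conf() {
    src=$1; dest=$2; ws=$3; port=$4
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    echo "$ws" | grep -Eq '^[0-9a-fA-F-]{36}$' \
        || { echo "not a workspace ID (GUID): $ws" >&2; return 1; }
    port_is_free "$port" || { echo "port $port reserved or in use" >&2; return 1; }
    sed -e "4s/22033/$port/" -e "s/workspace_id/$ws/g" "$src" > "$dest"
}

# Typical use on the agent host, after the wget step (WS = your workspace ID):
#   render_zpa_conf zpa.conf /etc/opt/microsoft/omsagent/$WS/conf/omsagent.d/zpa.conf $WS 22033
#   sudo /opt/microsoft/omsagent/bin/service_control restart
```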
For more information, go to the related solution in the Azure Marketplace.