Zero Networks Segment for Microsoft Sentinel

Solution: ZeroNetworks

Attribute         Value
----------------  ------------------------------------------------
Publisher         Zero Networks
Support Tier      Partner
Support Link      https://zeronetworks.com
Categories        domains
Version           3.0.3
Author            Nicholas DiCola - nicholas@zeronetworks.com
First Published   2022-06-06
Last Updated      2026-03-18
Solution Folder   ZeroNetworks
Marketplace       Azure Marketplace · Popularity: 🟡 Low (48%)

The Zero Networks Segment solution for Microsoft Sentinel lets you monitor Zero Networks Segment audit activity. Audit log data is ingested into Microsoft Sentinel through the Zero Networks REST API.

Underlying Microsoft technologies used:

This solution takes a dependency on the following technologies. Some of these dependencies may be in Preview state or may result in additional ingestion or operational costs.

a. Azure Monitor HTTP Data Collector API

b. Azure Functions

Contents

Data Connectors

This solution provides 2 data connectors (plus 1 discovered ⚠️):

🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.

Tables Used

This solution uses 5 tables:

Table                          Used By Connectors                                                Used By Content
-----------------------------  ----------------------------------------------------------------  ------------------------------
ZNAudit_CL                     Zero Networks Segment (Push)                                      Analytics, Hunting, Workbooks
ZNIdentityActivity_CL          Zero Networks Segment (Push)                                      -
ZNNetworkActivity_CL           Zero Networks Segment (Push)                                      -
ZNRPCActivity_CL               Zero Networks Segment (Push)                                      -
ZNSegmentAuditNativePoller_CL  Zero Networks Segment Audit, Zero Networks Segment Audit          Analytics, Hunting, Workbooks

Content Items

This solution includes 12 content items:

Content Type      Count
----------------  -----
Hunting Queries   4
Analytic Rules    3
Playbooks         3
Workbooks         1
Parsers           1

Analytic Rules

Name                                                        Severity  Tactics           Tables Used
----------------------------------------------------------  --------  ----------------  -----------------------------------------
Zero Networks Segment - Machine Removed from protection     High      DefenseEvasion    ZNAudit_CL, ZNSegmentAuditNativePoller_CL
Zero Networks Segment - New API Token created               Low       CredentialAccess  ZNAudit_CL, ZNSegmentAuditNativePoller_CL
Zero Networks Segment - Rare JIT Rule Creation              Medium    LateralMovement   ZNAudit_CL, ZNSegmentAuditNativePoller_CL

Hunting Queries

Name                                                                  Tactics          Tables Used
--------------------------------------------------------------------  ---------------  -----------------------------------------
Zero Networks Segment - Excessive access by user                      LateralMovement  ZNAudit_CL, ZNSegmentAuditNativePoller_CL
Zero Networks Segment - Excessive access to a built-in group by user  LateralMovement  ZNAudit_CL, ZNSegmentAuditNativePoller_CL
Zero Networks Segment - Inbound Block Rules Deleted                   DefenseEvasion   ZNAudit_CL, ZNSegmentAuditNativePoller_CL
Zero Networks Segment - Outbound Block Rules Deleted                  DefenseEvasion   ZNAudit_CL, ZNSegmentAuditNativePoller_CL

Workbooks

Name            Tables Used
--------------  -----------------------------------------
ZNSegmentAudit  ZNAudit_CL, ZNSegmentAuditNativePoller_CL

Playbooks

Name                                                        Description                                                                                                  Tables Used
----------------------------------------------------------  -----------------------------------------------------------------------------------------------------------  -----------
Add Asset to Protection - Zero Networks Segment             This playbook takes a host from a Microsoft Sentinel incident and adds it to protection. The playboo...      -
Add Block Outbound Rule - Zero Networks Access Orchestrator This playbook allows blocking an IP outbound from protected assets in Zero Networks Segment.                  -
Enrich Incident - Zero Networks Access Orchestrator         This playbook takes each Host entity and gets its Asset status from Zero Networks Segment. The pla...        -

Parsers

Name            Description  Tables Used
--------------  -----------  -------------------------------------------------------
ZNSegmentAudit  -            ZNAudit_CL (read), ZNSegmentAuditNativePoller_CL (read)

Release Notes

Version  Date Modified (DD-MM-YYYY)  Change History
-------  --------------------------  -----------------------------------------------------------
3.0.3    29-01-2026                  Updated audit parser, created CCP Push & Pull connectors
3.0.2    17-09-2025                  Removed deprecated data connector.
3.0.1    06-02-2025                  Added missing parameter URI to solution.
3.0.0    11-12-2024                  Updated solution to 3.0.0
