Zscaler Private Access
Solution: Zscaler Private Access (ZPA)
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.1 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-01-31 |
| Last Updated | 2026-01-15 |
| Solution Folder | Zscaler Private Access (ZPA) |
| Marketplace | Azure Marketplace · Rating: ★★☆☆☆ 2.0/5 (3 ratings) · Popularity: 🟢 High (87%) |
| Pre-requisites | CustomLogsAma |
The Zscaler Private Access (ZPA) solution provides the capability to ingest Zscaler Private Access events into Microsoft Sentinel.
This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.
NOTE: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
Contents
Pre-requisites
This solution depends on 1 other solution(s):
| Solution |
|---|
| CustomLogsAma |
Data Connectors
This solution has 1 discovered data connector(s)⚠️ (not in Solution definition):
Connectors from dependency solutions:
- Custom logs via AMA 🔶 (dependency on CustomLogsAma)
🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.
🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g.
_s,_d,_b,_t,_g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.
Tables Used
This solution uses 16 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
ApacheHTTPServer_CL |
Custom logs via AMA (dependency) | - |
JBossEvent_CL |
Custom logs via AMA (dependency) | - |
JuniperIDP_CL |
Custom logs via AMA (dependency) | - |
MarkLogicAudit_CL |
Custom logs via AMA (dependency) | - |
MongoDBAudit_CL |
Custom logs via AMA (dependency) | - |
NGINX_CL |
Custom logs via AMA (dependency) | - |
OracleWebLogicServer_CL |
Custom logs via AMA (dependency) | - |
PostgreSQL_CL |
Custom logs via AMA (dependency) | - |
SecurityBridgeLogs_CL |
Custom logs via AMA (dependency) | - |
SquidProxy_CL 🔶 |
Custom logs via AMA (dependency) | - |
Tomcat_CL |
Custom logs via AMA (dependency) | - |
Ubiquiti_CL |
Custom logs via AMA (dependency) | - |
VectraStream_CL 🔶 |
Custom logs via AMA (dependency) | - |
ZPA_CL |
Custom logs via AMA (dependency), [Deprecated] Zscaler Private Access | Analytics, Hunting, Workbooks |
meraki_CL |
Custom logs via AMA (dependency) | - |
vcenter_CL |
Custom logs via AMA (dependency) | - |
🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g.
_s,_d,_b,_t,_g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.
Content Items
This solution includes 22 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 10 |
| Hunting Queries | 10 |
| Workbooks | 1 |
| Parsers | 1 |
Analytic Rules
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Zscaler - Connections by dormant user | High | Persistence | ZPA_CL |
| Zscaler - Forbidden countries | High | InitialAccess | ZPA_CL |
| Zscaler - Shared ZPA session | High | InitialAccess | ZPA_CL |
| Zscaler - Unexpected ZPA session duration | Medium | InitialAccess | ZPA_CL |
| Zscaler - Unexpected event count of rejects by policy | High | InitialAccess | ZPA_CL |
| Zscaler - Unexpected update operation | Medium | InitialAccess | ZPA_CL |
| Zscaler - ZPA connections by new user | Medium | Persistence | ZPA_CL |
| Zscaler - ZPA connections from new IP | Medium | InitialAccess | ZPA_CL |
| Zscaler - ZPA connections from new country | Medium | InitialAccess | ZPA_CL |
| Zscaler - ZPA connections outside operational hours | Medium | InitialAccess | ZPA_CL |
Hunting Queries
| Name | Tactics | Tables Used |
|---|---|---|
| Zscaler - Abnormal total bytes size | Exfiltration, Collection | ZPA_CL |
| Zscaler - Applications using by accounts | InitialAccess | ZPA_CL |
| Zscaler - Connection close reasons | InitialAccess | ZPA_CL |
| Zscaler - Destination ports by IP | InitialAccess | ZPA_CL |
| Zscaler - Rare urlhostname requests | InitialAccess | ZPA_CL |
| Zscaler - Server error by user | InitialAccess | ZPA_CL |
| Zscaler - Top connectors | InitialAccess | ZPA_CL |
| Zscaler - Top source IP | InitialAccess | ZPA_CL |
| Zscaler - Users access groups | InitialAccess | ZPA_CL |
| Zscaler - Users by source location countries | InitialAccess | ZPA_CL |
Workbooks
| Name | Tables Used |
|---|---|
| ZscalerZPA | ZPA_CL |
Parsers
| Name | Description | Tables Used |
|---|---|---|
| ZPAEvent | - | ZPA_CL (read) |
Release Notes
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.4 | 12-01-2026 | Updated the ZscalerZPAUnexpectedSessionDuration Analytic Rule |
| 3.0.3 | 28-08-2025 | The parser query now includes additional fields such as SessionID, IPProtocol, ClientCountryCode, and others, improving event parsing and enrichment. |
| 3.0.2 | 08-07-2025 | Enhanced Parser logic to improve result filtering. |
| 3.0.1 | 05-12-2024 | Removed Deperacted Data connectors |
| 3.0.0 | 22-08-2024 | Deprecating data connectors |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊