
ZIA ZPA Log Correlation Agent

by Zscaler

Streamline log correlation and enhance security analysis with ZIA ZPA Log Correlation Agent.

The ZIA ZPA Correlation Agent is a security investigation agent that integrates with Microsoft Sentinel to correlate Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) log data ingested into Sentinel's Log Analytics workspace. When a ZIA security alert is triggered for a user, the agent automatically cross-references both ZIA and ZPA telemetry to build a complete picture of user activity, identify anomalous behavior, and recommend policy remediation — all scoped to the last 24 hours.

Agent Tasks:

  • Query the Sentinel table for ZIA events tied to the specified user, surfacing security events, device actions, destination details, and activity context
  • Query the Sentinel table for the same user, preprocessing raw Message fields (stripping leading dashes and parsing JSON) to extract private application access events
  • Correlate activity across both log sources using overlapping fields (user identity, IP addresses, timestamps, session IDs) to identify related or suspicious patterns
  • Surface key insights including total logins, applications accessed, unusual destinations, failed connections, authentication anomalies, and privilege escalation indicators
  • Evaluate whether existing ZIA or ZPA policies require adjustment based on findings
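The listing describes the agent's pipeline but not its code, and it elides the Sentinel table names. The block below is an added illustration, not Zscaler's or Microsoft's implementation: it runs the two preprocessing and correlation steps from the task list over constructed ZIA and ZPA rows embedded inline. The column names, the dash-prefixed JSON layout of the ZPA `Message` field, the 24-hour scope and the 15-minute pairing window are assumptions chosen for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample rows standing in for the ZIA events table (column names are assumptions).
ZIA_ROWS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "User": "alice@example.com", "ClientIP": "10.1.1.5",
     "Action": "Blocked", "URL": "bad.example.net", "ThreatName": "Malware"},
    {"TimeGenerated": "2024-05-01T10:02:00Z", "User": "alice@example.com", "ClientIP": "10.1.1.5",
     "Action": "Allowed", "URL": "intranet.example.com", "ThreatName": ""},
    {"TimeGenerated": "2024-04-29T10:00:00Z", "User": "alice@example.com", "ClientIP": "10.1.1.5",
     "Action": "Blocked", "URL": "old.example.net", "ThreatName": "Phishing"},  # older than 24 h, must be dropped
    {"TimeGenerated": "2024-05-01T10:00:00Z", "User": "bob@example.com", "ClientIP": "10.1.1.9",
     "Action": "Blocked", "URL": "bad.example.net", "ThreatName": "Malware"},
]

# Constructed ZPA rows: the raw Message carries JSON behind leading dashes (assumed layout).
ZPA_ROWS = [
    {"TimeGenerated": "2024-05-01T10:05:00Z",
     "Message": '--- {"Username":"alice@example.com","ClientPublicIP":"10.1.1.5",'
                '"Application":"finance-app","SessionID":"s-1","ConnectionStatus":"open"}'},
    {"TimeGenerated": "2024-05-01T12:00:00Z",
     "Message": '-- {"Username":"alice@example.com","ClientPublicIP":"10.1.1.5",'
                '"Application":"hr-portal","SessionID":"s-2","ConnectionStatus":"failed"}'},
    {"TimeGenerated": "2024-05-01T12:30:00Z", "Message": "--- not json at all"},  # malformed, skipped
    {"TimeGenerated": "2024-05-01T10:06:00Z",
     "Message": '- {"Username":"bob@example.com","ClientPublicIP":"10.1.1.9",'
                '"Application":"finance-app","SessionID":"s-3","ConnectionStatus":"open"}'},
]

NOW = datetime(2024, 5, 1, 13, 0, 0)  # constructed "current time" anchoring the 24-hour window


def parse_ts(ts):
    """Timestamps in the sample rows are UTC with a trailing Z (assumed format)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def parse_zpa_message(message):
    """Strip leading dashes and whitespace from a raw ZPA Message, then parse the JSON body.
    Returns None for rows that do not contain a JSON object, so one bad row cannot abort a run."""
    body = message.lstrip("- ")
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return None
    return parsed if isinstance(parsed, dict) else None


def in_window(ts, now, hours=24):
    return now - timedelta(hours=hours) <= ts <= now


def correlate_user(user, zia_rows, zpa_rows, now, pair_window=timedelta(minutes=15)):
    """Build the per-user summary: ZIA security events paired with ZPA sessions
    from the same client IP within pair_window, plus the headline counts."""
    zia = [r for r in zia_rows if r["User"] == user and in_window(parse_ts(r["TimeGenerated"]), now)]

    zpa = []
    for row in zpa_rows:
        event = parse_zpa_message(row["Message"])
        if event is None or event.get("Username") != user:
            continue
        if in_window(parse_ts(row["TimeGenerated"]), now):
            zpa.append(dict(event, TimeGenerated=row["TimeGenerated"]))

    security_events = [r for r in zia if r["Action"] == "Blocked" or r["ThreatName"]]

    correlated = []
    for sec in security_events:
        t_zia = parse_ts(sec["TimeGenerated"])
        for session in zpa:
            gap = abs(parse_ts(session["TimeGenerated"]) - t_zia)
            if session.get("ClientPublicIP") == sec["ClientIP"] and gap <= pair_window:
                correlated.append({"zia_url": sec["URL"], "threat": sec["ThreatName"],
                                   "zpa_app": session["Application"], "session": session["SessionID"],
                                   "ip": sec["ClientIP"], "gap_seconds": int(gap.total_seconds())})

    return {
        "user": user,
        "zia_events": len(zia),
        "zia_security_events": len(security_events),
        "zpa_sessions": len(zpa),
        "applications": sorted({s["Application"] for s in zpa}),
        "failed_connections": sum(1 for s in zpa if s.get("ConnectionStatus") == "failed"),
        "correlated": correlated,
        "recommend_policy_review": bool(correlated),
    }


if __name__ == "__main__":
    print(json.dumps(correlate_user("alice@example.com", ZIA_ROWS, ZPA_ROWS, NOW), indent=2))
```

Two points a practitioner would keep when porting this to a real workspace: the parser returns `None` rather than raising on a malformed `Message`, because a single unparseable ZPA row should not empty the whole investigation, and the pairing is keyed on client IP plus a time gap rather than on user alone, since the user filter has already been applied and the IP match is what ties a blocked web request to a private-application session.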

Inputs:

  • : Zscaler username or User Principal Name (UPN) to investigate
  • Microsoft Sentinel Log Analytics workspace with ingested (ZIA events) and (ZPA events) tables, scoped to the last 24 hours

Outputs:

  • Correlated investigation summary detailing user activity across ZIA and ZPA, including anomalous behaviors, security event highlights, and discrepancies between the two log sources
  • Key findings covering failed connections, suspicious destinations, access patterns, and authentication issues
  • Policy adjustment recommendations specifying whether ZIA or ZPA policy configurations should be updated to address identified gaps or risks

At a glance

[Listing screenshot gallery: ZIA ZPA correlation agent]