This solution requires an Azure Blob container from which ZPC (Zscaler Posture Control) incidents are picked up by a Blob trigger, which runs an Azure Function app that pushes the data into the Log Analytics Workspace.

Basic steps:
- Create a Python Linux Function app.
- Upload the code by creating a workspace on your local machine and deploying through the VS Code Azure Functions integration.
- Assign a managed identity to the function and ensure its service principal has read access to the Azure Blob storage and write access to the Log Analytics Workspace and Sentinel.
- Configure a Log Analytics Workspace and note its workspace ID, resource group, etc.; optionally connect the workspace to Microsoft Sentinel for incident management.
- Configure the environment variables as shown in the screenshot: the Blob trigger needs a connection string variable for the Azure Storage account; the remaining variables are self-explanatory.
Example detection rule for Sentinel (the custom log table is `ZscalerPosture_CL`; string columns carry the `_s` suffix):

```kql
ZscalerPosture_CL
// Skip infrastructure-as-code findings; keep only Azure resources flagged as externally exposed
| where type_s != "IaC"
    and app_s == "AZURE"
    and signature_category_s == "External Exposure"
// src_id_s is an ARM resource ID: /subscriptions/<sub>/resourceGroups/<rg>/providers/...
// split() returns a dynamic array, so take element 0 and cast to string for entity mapping
| extend resourceGroup = tostring(split(src_id_s, '/', 4)[0])
| extend subscriptionId = tostring(split(src_id_s, '/', 2)[0])
| project src_id_s, src_name_s, resourceGroup, subscriptionId, signature_category_s
```
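The following is an added example, not the project's own function code, showing the pieces the steps above and the detection rule rely on: a blob-triggered function body that parses a ZPC incident export, applies the same filter and resource-ID splitting as the KQL rule, and posts records to the `ZscalerPosture_CL` custom log. It assumes (labelled as assumptions) that incidents arrive as a JSON array with the keys `type`, `app`, `signature_category`, `src_id` and `src_name`, that the workspace ID and shared key are read from the hypothetical environment variables `LAW_WORKSPACE_ID` and `LAW_SHARED_KEY`, and that ingestion goes through the HTTP Data Collector API (`SharedKey` signing); with a managed identity as described in the steps, the signing step would be replaced by a token-authenticated Logs Ingestion API call against a data collection rule.

```python
# Added example (not part of the original project). Assumptions: ZPC incidents
# are a JSON array with the keys used below; LAW_WORKSPACE_ID / LAW_SHARED_KEY are
# hypothetical env vars; ingestion uses the HTTP Data Collector API. The
# function.json blob-trigger binding that wires up main() is not shown.
import base64
import datetime
import hashlib
import hmac
import json
import os
import urllib.request

LOG_TYPE = "ZscalerPosture"  # Data Collector API stores this as ZscalerPosture_CL


def parse_resource_id(resource_id: str) -> dict:
    """Same split as the KQL rule: /subscriptions/<sub>/resourceGroups/<rg>/..."""
    parts = resource_id.split("/")
    return {
        "subscriptionId": parts[2] if len(parts) > 2 else "",
        "resourceGroup": parts[4] if len(parts) > 4 else "",
    }


def is_external_exposure(record: dict) -> bool:
    """Same predicate as the Sentinel rule: non-IaC, Azure, External Exposure."""
    return (
        record.get("type") != "IaC"
        and record.get("app") == "AZURE"
        and record.get("signature_category") == "External Exposure"
    )


def build_records(blob_bytes: bytes) -> list:
    """Flatten incidents into records; string fields become *_s columns in the workspace."""
    incidents = json.loads(blob_bytes.decode("utf-8"))
    records = []
    for inc in incidents:
        rec = {key: inc.get(key, "") for key in ("type", "app", "signature_category", "src_id", "src_name")}
        rec.update(parse_resource_id(rec["src_id"]))
        records.append(rec)
    return records


def build_signature(workspace_id: str, shared_key: str, rfc1123_date: str, content_length: int) -> str:
    """SharedKey Authorization header as documented for the Data Collector API."""
    string_to_hash = f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"
    digest = hmac.new(base64.b64decode(shared_key), string_to_hash.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def post_records(records: list, workspace_id: str, shared_key: str) -> int:
    """POST the batch to the workspace; returns the HTTP status (200 on success)."""
    body = json.dumps(records).encode("utf-8")
    rfc1123_date = datetime.datetime.now(datetime.timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    req = urllib.request.Request(
        f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
            "Log-Type": LOG_TYPE,
            "x-ms-date": rfc1123_date,
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def main(myblob) -> None:
    """Blob-trigger entry point; myblob is an azure.functions.InputStream."""
    records = build_records(myblob.read())
    post_records(records, os.environ["LAW_WORKSPACE_ID"], os.environ["LAW_SHARED_KEY"])


# Constructed sample export (not real ZPC output) for an offline dry run.
SAMPLE_BLOB = json.dumps([
    {"type": "Cloud", "app": "AZURE", "signature_category": "External Exposure",
     "src_id": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-prod"
               "/providers/Microsoft.Storage/storageAccounts/stprod",
     "src_name": "stprod"},
    {"type": "IaC", "app": "AZURE", "signature_category": "External Exposure",
     "src_id": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-iac"
               "/providers/Microsoft.Network/networkSecurityGroups/nsg1",
     "src_name": "nsg1"},
]).encode("utf-8")

if __name__ == "__main__":
    for rec in build_records(SAMPLE_BLOB):
        print(rec["src_name"], rec["subscriptionId"], rec["resourceGroup"], is_external_exposure(rec))
```

Running the module locally prints the parsed sample records without touching Azure; only `main()` performs the upload. Because `split()` indexes are positional, a `src_id` that is not an ARM resource ID yields empty `subscriptionId`/`resourceGroup` values here and in the KQL rule, so alerts should map entities on `src_id_s` as well.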