Merge pull request #2433 from socprime/zpa_connector_update

ZPA - update connector and parser

DataConnectors/ZPA/Connector_LogAnalytics_agent_Zscaler_ZPA.json

@@ -149,7 +149,7 @@
                 }, 
     { 
             "title": "2. Configure the logs to be collected", 
-            "description":"Follow the configuration steps below to get Zscaler Private Access logs into Azure Sentinel. Refer to the [Azure Monitor Documentation](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-json) for more details on these steps.\nZscaler Private Access logs are delivered via Log Streaming Service (LSS). Refer to [LSS documentation](https://help.zscaler.com/zpa/about-log-streaming-service) for detailed information\n1. Configure [Log Receivers](https://help.zscaler.com/zpa/configuring-log-receiver). While configuring a Log Receiver, choose **JSON** as **Log Template**.\n2. Download config file [zpa.conf](https://aka.ms/sentinel-ZscalerPrivateAccess-conf).\n3. Login to the server where you have installed Azure Log Analytics agent.\n4. Copy zpa.conf to the /etc/opt/microsoft/omsagent/**workspace_id**/conf/omsagent.d/ folder.\n5. Edit zpa.conf as follows:\n\n\t i. specify port which you have set your Zscaler Log Receivers to forward logs to (line 4)\n\n\t ii. replace **workspace_id** with real value of your Workspace ID (lines 14,15,16,19)\n5. Save changes and restart the Azure Log Analytics agent for Linux service with the following command:\n\t\tsudo /opt/microsoft/omsagent/bin/service_control restart",
+            "description":"Follow the configuration steps below to get Zscaler Private Access logs into Azure Sentinel. Refer to the [Azure Monitor Documentation](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-json) for more details on these steps.\nZscaler Private Access logs are delivered via Log Streaming Service (LSS). Refer to [LSS documentation](https://help.zscaler.com/zpa/about-log-streaming-service) for detailed information\n1. Configure [Log Receivers](https://help.zscaler.com/zpa/configuring-log-receiver). While configuring a Log Receiver, choose **JSON** as **Log Template**.\n2. Download config file [zpa.conf](https://aka.ms/sentinel-ZscalerPrivateAccess-conf) \n\t\twget -v https://aka.ms/sentinel-zscalerprivateaccess-conf -O zpa.conf\n3. Login to the server where you have installed Azure Log Analytics agent.\n4. Copy zpa.conf to the /etc/opt/microsoft/omsagent/**workspace_id**/conf/omsagent.d/ folder.\n5. Edit zpa.conf as follows:\n\n\t i. specify port which you have set your Zscaler Log Receivers to forward logs to (line 4)\n\n\t ii. replace **workspace_id** with real value of your Workspace ID (lines 14,15,16,19)\n5. Save changes and restart the Azure Log Analytics agent for Linux service with the following command:\n\t\tsudo /opt/microsoft/omsagent/bin/service_control restart",
             "instructions":[
                 {
                     "parameters": {

Parsers/ZPA/ZPAEvent.txt

@@ -149,143 +149,5 @@ let ZPAEvent_main_view = view () {
             EventResultDetails=column_ifexists('ConnectionReason', ''),
             CorsToken=column_ifexists('CorsToken', ''),
             Origin=column_ifexists('Origin', '')
-       | project
-            TimeGenerated,
-            LogTimestamp,
-            Customer,
-            NetworkSessionId,
-            ConnectionID,
-            EventResult,
-            DvcAction,
-            NetworkProtocol,
-            DoubleEncryption,
-            DstUserName,
-            DstPortNumber,
-            SrcIpAddr,
-            SrcNatIpAddr,
-            SrcGeoLatitude,
-            SrcGeoLongitude,
-            SrcGeoCountry,
-            ClientZEN,
-            NetworkRuleName,
-            Connector,
-            ConnectorZEN,
-            ConnectorIP,
-            ConnectorPort,
-            SrcDvcHostname,
-            Application,
-            AppGroup,
-            DstDomainHostname,
-            DstIpAddr,
-            PolicyProcessingTime,
-            CAProcessingTime,
-            ConnectorZENSetupTime,
-            ConnectionSetupTime,
-            ServerSetupTime,
-            AppLearnTime,
-            TimestampConnectionStart,
-            TimestampConnectionEnd,
-            TimestampCATx,
-            TimestampCARx,
-            TimestampAppLearnStart,
-            TimestampZENFirstRxClient,
-            TimestampZENFirstTxClient,
-            TimestampZENLastRxClient,
-            TimestampZENLastTxClient,
-            TimestampConnectorZENSetupComplete,
-            TimestampZENFirstRxConnector,
-            TimestampZENFirstTxConnector,
-            TimestampZENLastRxConnector,
-            TimestampZENLastTxConnector,
-            SrcBytes,
-            ZENBytesRxClient,
-            DstBytes,
-            ZENBytesTxClient,
-            ZENTotalBytesRxConnector,
-            ZENBytesRxConnector,
-            ZENTotalBytesTxConnector,
-            ZENBytesTxConnector,
-            Idp,
-            Version,
-            ZEN,
-            CertificateCN,
-            PrivateIP,
-            DvcIpAddr,
-            Latitude,
-            Longitude,
-            CountryCode,
-            TimestampAuthentication,
-            TimestampUnAuthentication,
-            DvcHostname,
-            DvcType,
-            TrustedNetworks,
-            TrustedNetworksNames,
-            SAMLAttributes,
-            PosturesHit,
-            PosturesMiss,
-            ZENLatitude,
-            ZENLongitude,
-            ZENCountryCode,
-            SessionType,
-            SrcDvcOs,
-            ConnectorGroup,
-            CPUUtilization,
-            MemUtilization,
-            ServiceCount,
-            InterfaceDefRoute,
-            DefRouteGW,
-            PrimaryDNSResolver,
-            HostUpTime,
-            ConnectorUpTime,
-            NumOfInterfaces,
-            BytesRxInterface,
-            PacketsRxInterface,
-            ErrorsRxInterface,
-            DiscardsRxInterface,
-            BytesTxInterface,
-            PacketsTxInterface,
-            ErrorsTxInterface,
-            DiscardsTxInterface,
-            ModifiedTime,
-            CreationTime,
-            ModifiedBy,
-            RequestID,
-            AuditOldValue,
-            AuditNewValue,
-            AuditOperationType,
-            ObjectType,
-            ObjectName,
-            ObjectID,
-            CustomerID,
-            Exporter,
-            TimestampRequestReceiveStart,
-            TimestampRequestReceiveHeaderFinish,
-            TimestampRequestReceiveFinish,
-            TimestampRequestTransmitStart,
-            TimestampRequestTransmitFinish,
-            TimestampResponseReceiveStart,
-            TimestampResponseReceiveFinish,
-            TimestampResponseTransmitStart,
-            TimestampResponseTransmitFinish,
-            TotalTimeRequestReceive,
-            TotalTimeRequestTransmit,
-            TotalTimeResponseReceive,
-            TotalTimeResponseTransmit,
-            TotalTimeConnectionSetup,
-            TotalTimeServerResponse,
-            HttpRequestMethod,
-            NetworkApplicationProtocol,
-            UrlHostname,
-            UrlOriginal,
-            HttpUserAgentOriginal,
-            HttpRequestXff,
-            NameID,
-            HttpStatusCode,
-            HttpRequestBodyBytes,
-            HttpResponseBodyBytes,
-            SrcPortNumber,
-            EventResultDetails,
-            CorsToken,
-            Origin
 };
 ZPAEvent_main_view