1. Log in to the Microsoft Azure portal using your credentials.
2. Go to Azure services > Microsoft Sentinel.
3. Open the workspace that you created for the Sentinel SIEM integration.
4. Go to Settings > Agents management.
5. Click the Windows servers tab.

6. Copy the Workspace ID and Primary key.

   See image.

   

   Close

1. In the Zscaler ITDR Admin Portal, go to Orchestrate > SIEM Integrations.

2. Click Add Integration, and select Sentinel from the drop-down menu.

   See image.

   

   Close

3. In the Sentinel Details window:

   • Name: Enter a name for the Sentinel SIEM integration.
   • Enabled: Select to enable SIEM integration.
   • Service Connector: Select a Service Connector from the drop-down menu. If you select a Service Connector that is configured in the ITDR Admin Portal, the portal sends logs to Sentinel.
   • Type of logs: Select an option from the drop-down menu.
     • Events: Send events to Sentinel.
     • Audit Logs: Send audit logs to the Sentinel.
   • Include Safe Events: Enable to forward the events that are marked as safe to Sentinel.

   • Filter: Specify a query if you want to send filtered event logs to Sentinel. If this field is blank, all event logs are sent to Sentinel.

     The Filter option is available only for event logs.

   • Workspace ID: Enter the Workspace ID you copied from Sentinel.
   • Primary Key: Enter the Primary key you copied from Sentinel.
   • Log Type: Enter an identifier for the log type.
   • Use Proxy Settings: Enable if the Service Connector requires a proxy to connect to the Sentinel server.

   See image.

   

   Close

4. Click Save.

   The Sentinel SIEM integration is added.

To test Sentinel SIEM integration, generate events on the Investigate page. The Sentinel starts receiving the logs in 10 to 15 minutes.