Query Details
//This query checks for gaps in Zscaler Private Access data ingestion
//Returns results if no logs received in past 2 hours
//Requires ZPAUserActivity function configuration
ZPAUserActivity
| where LogTimestamp > ago(30d)
| summarize last_log = datetime_diff("second",now(), max(LogTimestamp))
| where last_log >= 7200

This query identifies gaps in the data received from Zscaler Private Access (ZPA). It looks back over the past 30 days and returns a row only when no log has arrived in the last 2 hours (7,200 seconds). Here's a breakdown of what each part does:
ZPAUserActivity: The parser function referenced in the comment above, which exposes the Zscaler Private Access user activity logs as a table.
| where LogTimestamp > ago(30d): Filters the logs to only include those from the last 30 days.
| summarize last_log = datetime_diff("second",now(), max(LogTimestamp)): Finds the most recent LogTimestamp and calculates the time difference in seconds between the current time and that entry.
| where last_log >= 7200: Keeps the row only when the most recent log entry was received 2 hours or more ago, indicating a potential gap in data ingestion.
In summary, this query reports an interruption or delay in ZPA log delivery by checking whether the latest log entry is older than 2 hours. Two caveats when using it as an alert rule: LogTimestamp is the event time stamped by ZPA, so the normal delivery lag between ZPA and the workspace counts against the 2-hour threshold, and the threshold should sit above that lag. Also, summarize without a by clause still emits one row on empty input, with max() null; datetime_diff then returns null, and the final where drops that row because null comparisons are false in KQL. So if no ZPA logs at all exist in the 30-day window, the query returns nothing and an alert that fires on any result stays silent.
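A variant of the same check that also fires when the 30-day window is completely empty. This is an added example, not the author's published query; it uses only the ZPAUserActivity function and LogTimestamp column from the original and assumes nothing else about the schema:

```kql
// Added example, not the original query: the same gap check, but it returns
// a row when the window contains no ZPA logs at all instead of going silent.
ZPAUserActivity
| where LogTimestamp > ago(30d)
// summarize without a "by" clause always emits exactly one row; on empty
// input max() is null rather than the row being dropped
| summarize last_log = max(LogTimestamp)
// seconds since the newest event time; null when last_log is null
| extend seconds_since_last_log = datetime_diff("second", now(), last_log)
// null comparisons are false in KQL, so test the empty-window case explicitly
| where isnull(last_log) or seconds_since_last_log >= 7200
| project last_log, seconds_since_last_log
```

Keeping max(LogTimestamp) as its own column and deferring the datetime_diff to an extend also makes the alert payload useful: the row carries both the last event time and the age in seconds, so the responder can see whether the feed stopped two hours ago or has never delivered in the window.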

Peter Upfold
Released: November 10, 2024