API to pull disconnected and disabled Zscaler agents

We have a bunch of computers/laptops which use Zscaler, and in case anyone disables or disconnects it we want to capture that information and send that alert to our monitoring solution running in Elastic.

Can you please suggest what is available to pull or push alerts to an external system like Elastic, with information on who disabled it (IP, user, etc.)? I guess the Zscaler admin should have a centralized report on which agents are disabled, disconnected, etc.

Hi Mahesh!
The Zscaler™ Client Connector (ZCC) will update registry keys whenever its forwarding state changes, so you could use a third-party tool to read those keys and report on them.
More information about these registry keys is here: Zscaler Client Connector: Windows Registry Keys | Zscaler.
Alternatively, multiple Zscaler™ customers are using SIEM integration software to pull and analyze ZCC's logs to provide reports and alerts.

At this point, the Zscaler™ Product Management team is working on designing an API for the mobile portal which will allow you to do custom reporting on this as well.
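One way to act on the registry-key approach described above, as an added example that is not part of the thread and not Zscaler's own code: a small PowerShell poller that reads the ZCC forwarding-state value, remembers the last state it saw, and posts a document to an Elastic index whenever the state changes. The registry path, value name, Elastic URL, index name and the `ZCC_API_KEY` environment variable are placeholders (assumptions); the real key and value names come from the Zscaler "Windows Registry Keys" article linked in the reply, and the Elastic endpoint from your own deployment.

```powershell
# Added example, not from the thread or from Zscaler.
# Polls the ZCC state registry value and ships state changes to Elastic.
# ASSUMPTIONS (placeholders): $RegistryPath, $StateValue, $ElasticUrl,
# $IndexName and the ZCC_API_KEY environment variable. Replace the registry
# path/value with the ones documented by Zscaler for your ZCC version.
param(
    [string]$RegistryPath = 'HKLM:\SOFTWARE\Zscaler Inc.\Zscaler',    # placeholder
    [string]$StateValue   = 'ZCC_FORWARDING_STATE_PLACEHOLDER',       # placeholder
    [string]$ElasticUrl   = 'https://elastic.example.internal:9200',  # placeholder
    [string]$IndexName    = 'zcc-agent-state',                        # placeholder
    [int]$PollSeconds     = 60
)

$ErrorActionPreference = 'Stop'
$StateCache = Join-Path $env:ProgramData 'zcc-poller\last-state.txt'
New-Item -ItemType Directory -Force -Path (Split-Path $StateCache) | Out-Null

# Read the current forwarding state; a missing key/value is itself a signal
# (agent removed or never installed), so report it rather than fail silently.
function Get-ZccState {
    try {
        $props = Get-ItemProperty -Path $RegistryPath -Name $StateValue
        return [string]$props.$StateValue
    } catch {
        return 'REGISTRY_VALUE_MISSING'
    }
}

# Context a SOC analyst wants next to the state change: host, console user,
# first non-loopback IPv4 address, and a UTC timestamp.
function Get-HostContext {
    $ip = Get-NetIPAddress -AddressFamily IPv4 |
          Where-Object { $_.IPAddress -notlike '127.*' } |
          Select-Object -First 1 -ExpandProperty IPAddress
    [ordered]@{
        '@timestamp' = (Get-Date).ToUniversalTime().ToString('o')
        host         = @{ name = $env:COMPUTERNAME; ip = $ip }
        user         = @{ name = (Get-CimInstance Win32_ComputerSystem).UserName }
    }
}

# Build the event document and index it. The API key is read from the
# environment so it never sits in the script body.
function Send-ZccEvent([string]$Previous, [string]$Current) {
    $doc = Get-HostContext
    $doc['zscaler'] = @{
        client_connector = @{
            previous_state = $Previous
            state          = $Current
            registry_path  = $RegistryPath
            registry_value = $StateValue
        }
    }
    $doc['event'] = @{ kind = 'state_change'; module = 'zcc-poller' }
    $headers = @{ Authorization = "ApiKey $env:ZCC_API_KEY" }
    Invoke-RestMethod -Method Post -Uri "$ElasticUrl/$IndexName/_doc" `
        -Headers $headers -ContentType 'application/json' `
        -Body ($doc | ConvertTo-Json -Depth 5) | Out-Null
}

# Main loop: only emit on transitions, so a steady "connected" agent is quiet
# and a disable/disconnect produces exactly one event per change.
$last = if (Test-Path $StateCache) { Get-Content $StateCache -Raw } else { '' }
while ($true) {
    $current = Get-ZccState
    if ($current -ne $last.Trim()) {
        Send-ZccEvent -Previous $last.Trim() -Current $current
        Set-Content -Path $StateCache -Value $current -NoNewline
        $last = $current
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Run it as a scheduled task under SYSTEM so it survives user logoff, and alert in Elastic on any document whose `zscaler.client_connector.state` is not the documented "connected" value. Because the event is generated on the endpoint, a machine that is fully offline cannot report its own disconnect; pair this with a heartbeat check in Elastic (no document from a host for N intervals) to cover that case.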

Thank you for the response.

  • If I pull ZCC logs, will the log have centralized info on all the machines that are disabled or disconnected? Is it refreshed in real time?
  • How, or by what method, can it be pulled if there is no API available right now? Is there any documentation available to understand this?