Zscaler

Integration version: 7.0

Configure Zscaler integration in Google Security Operations

For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.

Actions

Add to Blacklist

Description

Adds a URL/Domain/IP to black list.

Parameters

N/A

Run On

This action runs on the following entities:

  • URL
  • Hostname
  • IP Address

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Add to Whitelist

Description

Adds a URL/Domain/IP to the white-listed URLs.

Parameters

N/A

Run On

This action runs on the following entities:

  • URL
  • Hostname
  • IP Address

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Get Blacklist

Description

Gets a list of black-listed URLs.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Get Sandbox Report

Description

Get a full report for an MD5 hash of a file that was analyzed by Sandbox.

Parameters

N/A

Run On

This action runs on the Filehash entity.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
    {
        "EntityResult":
        {
            "Full Details":
            {
              "SystemSummary": [
                    {
                        "SignatureSources": [
                            "",
                            "76CD0000 page execute and read and write",
                            "76DD0000 page execute and read and write"
                           ],
                        "Risk": "LOW",
                        "Signature": "Allocates memory within range which is reserved for system DLLs"
                    },{
                     "SignatureSources": [
                            "",
                            "wow64.pdb source: loaddll32.exe",
                            "wow64.pdbH source: loaddll32.exe",
                            "wow64cpu.pdb source: loaddll32.exe",
                            "wow64win.pdb source: loaddll32.exe",
                            "wow64win.pdbH source: loaddll32.exe"
                        ],
                        "Risk": "LOW",
                        "Signature": "Binary contains paths to debug symbols"
                    },{
                        "SignatureSources": [
                            "",
                            "clean0.winDLL@1/1@0/0"
                        ],
                        "Risk": "LOW",
                        "Signature": "Classification label"
                    }, {
                        "SignatureSources":[
                            "",
                            "More than 502 > 100 exports found"
                        ],
                     "Risk": "LOW",
                     "Signature": "PE file exports many functions"
                   }, {
                     "SignatureSources": [
                             "",
                             "Virtual size of .text is bigger than: 0x100000"
                            ],
                     "Risk": "LOW",
                     "Signature": "PE file has a big code size"
                    },{
                     "SignatureSources": [
                             "",
                             "Raw size of .text is bigger than: 0x100000 < 0x176000"
                     ],
                        "Risk": "LOW",
                        "Signature": "PE file has a big raw section"
                    }, {
                     "SignatureSources": [
                         "",
                         "Image base 0x704c0000 > 0x60000000"
                     ],
                        "Risk": "LOW",
                        "Signature": "PE file has a high image base. often used for DLLs"
                    }, {
                        "SignatureSources": [
                            "",
                            "Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN"
                        ],
                        "Risk": "LOW",
                        "Signature": "PE file has an executable .text section and no other executable section"
                    }, {
                      "SignatureSources": [
                          "", "HKEY_USERS\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\CodeIdentifiers"
                      ],
                        "Risk": "LOW",
                        "Signature": "Reads software policies"
                    },{
                      "SignatureSources": [
                          "",
                          "File size 1710606 > 1048576"
                      ],
                        "Risk": "LOW",
                        "Signature": "Submission file is bigger than most known malware samples"
                    },{
                       "SignatureSources": [
                           "",
                           "no activity detected"
                       ],
                        "Risk": "MODERATE",
                        "Signature": "Program does not show much activity"
                    }
                ],
                "Summary":
                {
                    "Status": "COMPLETED",
                    "Category": "EXECS",
                    "FileType": "DLL",
                    "Duration": 499618,
                    "StartTime": 1553130306
                },
                "Classification":
                {
                    "Category": "BENIGN",
                    "Type": "BENIGN",
                    "Score": 0,
                    "DetectedMalware": ""
                },
                "Persistence":[
                    {
                        "SignatureSources": [
                            "",
                            "section name: /4"
                        ],
                        "Risk": "LOW",
                        "Signature": "PE file contains sections with non-standard names"
                    }
                ],
                "FileProperties":
                {
                    "SHA1": "b0aa7eecfa6c0066504bf79efe1bc057ac61e9b8",
                    "FileSize": 1710606,
                    "RootCA": "",
                    "Issuer": "",
                    "FileType": "DLL",
                    "Sha256": "a39180232ae6a689650f5df566bb4e81b94d9d19a53363ce17d7a12fd21f78cf",
                    "DigitalCerificate": "",
                    "SSDeep": "24576:3LnYQhDtnNgQe42lcCZNj4I/MmaOdb+Y+mmY5Gc3nGkh2sQginrgGGQCTQIMGNdd:zYQlEpIE/p3nFhckZF7oU",
                    "MD5": "1803c2c0f0ec61c98b3630d7e4b1cd5d"
                }
            }
        },
        "Entity": "1803C2C0F0EC61C98B3630D7E4B1CD5D"
    }
]
Entity Enrichment
Enrichment Field Name Logic - When to apply
Full Details Returns if it exists in JSON result
Insights

N/A

Get URL Categories

Description

Gets information about all URL categories.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
    {
        "description": "OTHER_ADULT_MATERIAL_DESC",
        "val": 1,
        "dbCategorizedUrls": [],
        "editable": true,
        "urls": [],
        "customCategory": false,
        "id": "OTHER_ADULT_MATERIAL"
    }, {
        "description": "ADULT_THEMES_DESC",
        "val": 2,
        "dbCategorizedUrls": [],
        "editable": true,
        "urls": [],
        "customCategory": false,
        "id": "ADULT_THEMES"
    }
]
Entity Enrichment

N/A

Insights

N/A

Get Whitelist

Description

Gets a list of white-listed URLs.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Lookup Entity

Description

Look up the categorization of a URL/Domain/IP.

Parameters

N/A

Run On

This action runs on the following entities:

  • URL
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
    {
   "EntityResult": {
       "url": "markossolomon.com/f1q7qx.php",
       "urlClassificationsWithSecurityAlert": ["MALWARE_SITE"],
       "urlClassifications": []
   },
        "Entity": "HTTP://MARKOSSOLOMON.COM/F1Q7QX.PHP"
    }
]
Entity Enrichment
Enrichment Field Name Logic - When to apply
url Returns if it exists in JSON result
urlClassificationsWithSecurityAlert Returns if it exists in JSON result
urlClassifications Returns if it exists in JSON result
Insights

N/A

Ping

Description

Check connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Remove From Blacklist

Description

Removes a URL/Domain/IP from the blacklist.

Parameters

N/A

Run On

This action runs on the following entities:

  • URL
  • Hostname
  • IP Address

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Remove From Whitelist

Description

Removes a URL/Domain/IP from the white-listed URLs.

Parameters

N/A

Run On

This action runs on the following entities:

  • URL
  • Hostname
  • IP Address

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Need more help? Get answers from Community members and Google SecOps professionals.