Zscaler

Integration version: 7.0

Configure Zscaler integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Actions

Add to Blacklist

Description

Adds a URL/Domain/IP to black list.

Parameters

N/A

Run On

This action runs on the following entities:

  • URL
  • Hostname
  • IP Address

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Add to Whitelist

Description

Adds a URL/Domain/IP to the white-listed URLs.

Parameters

N/A

Run On

This action runs on the following entities:

  • URL
  • Hostname
  • IP Address

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Get Blacklist

Description

Gets a list of black-listed URLs.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Get Sandbox Report

Description

Get a full report for an MD5 hash of a file that was analyzed by Sandbox.

Parameters

N/A

Run On

This action runs on the Filehash entity.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
    {
        "EntityResult":
        {
            "Full Details":
            {
              "SystemSummary": [
                    {
                        "SignatureSources": [
                            "",
                            "76CD0000 page execute and read and write",
                            "76DD0000 page execute and read and write"
                           ],
                        "Risk": "LOW",
                        "Signature": "Allocates memory within range which is reserved for system DLLs"
                    },{
                     "SignatureSources": [
                            "",
                            "wow64.pdb source: loaddll32.exe",
                            "wow64.pdbH source: loaddll32.exe",
                            "wow64cpu.pdb source: loaddll32.exe",
                            "wow64win.pdb source: loaddll32.exe",
                            "wow64win.pdbH source: loaddll32.exe"
                        ],
                        "Risk": "LOW",
                        "Signature": "Binary contains paths to debug symbols"
                    },{
                        "SignatureSources": [
                            "",
                            "clean0.winDLL@1/1@0/0"
                        ],
                        "Risk": "LOW",
                        "Signature": "Classification label"
                    }, {
                        "SignatureSources":[
                            "",
                            "More than 502 > 100 exports found"
                        ],
                     "Risk": "LOW",
                     "Signature": "PE file exports many functions"
                   }, {
                     "SignatureSources": [
                             "",
                             "Virtual size of .text is bigger than: 0x100000"
                            ],
                     "Risk": "LOW",
                     "Signature": "PE file has a big code size"
                    },{
                     "SignatureSources": [
                             "",
                             "Raw size of .text is bigger than: 0x100000 < 0x176000"
                     ],
                        "Risk": "LOW",
                        "Signature": "PE file has a big raw section"
                    }, {
                     "SignatureSources": [
                         "",
                         "Image base 0x704c0000 > 0x60000000"
                     ],
                        "Risk": "LOW",
                        "Signature": "PE file has a high image base. often used for DLLs"
                    }, {
                        "SignatureSources": [
                            "",
                            "Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN"
                        ],
                        "Risk": "LOW",
                        "Signature": "PE file has an executable .text section and no other executable section"
                    }, {
                      "SignatureSources": [
                          "", "HKEY_USERS\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\CodeIdentifiers"
                      ],
                        "Risk": "LOW",
                        "Signature": "Reads software policies"
                    },{
                      "SignatureSources": [
                          "",
                          "File size 1710606 > 1048576"
                      ],
                        "Risk": "LOW",
                        "Signature": "Submission file is bigger than most known malware samples"
                    },{
                       "SignatureSources": [
                           "",
                           "no activity detected"
                       ],
                        "Risk": "MODERATE",
                        "Signature": "Program does not show much activity"
                    }
                ],
                "Summary":
                {
                    "Status": "COMPLETED",
                    "Category": "EXECS",
                    "FileType": "DLL",
                    "Duration": 499618,
                    "StartTime": 1553130306
                },
                "Classification":
                {
                    "Category": "BENIGN",
                    "Type": "BENIGN",
                    "Score": 0,
                    "DetectedMalware": ""
                },
                "Persistence":[
                    {
                        "SignatureSources": [
                            "",
                            "section name: /4"
                        ],
                        "Risk": "LOW",
                        "Signature": "PE file contains sections with non-standard names"
                    }
                ],
                "FileProperties":
                {
                    "SHA1": "b0aa7eecfa6c0066504bf79efe1bc057ac61e9b8",
                    "FileSize": 1710606,
                    "RootCA": "",
                    "Issuer": "",
                    "FileType": "DLL",
                    "Sha256": "a39180232ae6a689650f5df566bb4e81b94d9d19a53363ce17d7a12fd21f78cf",
                    "DigitalCerificate": "",
                    "SSDeep": "24576:3LnYQhDtnNgQe42lcCZNj4I/MmaOdb+Y+mmY5Gc3nGkh2sQginrgGGQCTQIMGNdd:zYQlEpIE/p3nFhckZF7oU",
                    "MD5": "1803c2c0f0ec61c98b3630d7e4b1cd5d"
                }
            }
        },
        "Entity": "1803C2C0F0EC61C98B3630D7E4B1CD5D"
    }
]
Entity Enrichment
Enrichment Field Name Logic - When to apply
Full Details Returns if it exists in JSON result
Insights

N/A

Get URL Categories

Description

Gets information about all URL categories.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
    {
        "description": "OTHER_ADULT_MATERIAL_DESC",
        "val": 1,
        "dbCategorizedUrls": [],
        "editable": true,
        "urls": [],
        "customCategory": false,
        "id": "OTHER_ADULT_MATERIAL"
    }, {
        "description": "ADULT_THEMES_DESC",
        "val": 2,
        "dbCategorizedUrls": [],
        "editable": true,
        "urls": [],
        "customCategory": false,
        "id": "ADULT_THEMES"
    }
]
Entity Enrichment

N/A

Insights

N/A

Get Whitelist

Description

Gets a list of white-listed URLs.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Lookup Entity

Description

Look up the categorization of a URL/Domain/IP.

Parameters

N/A

Run On

This action runs on the following entities:

  • URL
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
    {
   "EntityResult": {
       "url": "markossolomon.com/f1q7qx.php",
       "urlClassificationsWithSecurityAlert": ["MALWARE_SITE"],
       "urlClassifications": []
   },
        "Entity": "HTTP://MARKOSSOLOMON.COM/F1Q7QX.PHP"
    }
]
Entity Enrichment
Enrichment Field Name Logic - When to apply
url Returns if it exists in JSON result
urlClassificationsWithSecurityAlert Returns if it exists in JSON result
urlClassifications Returns if it exists in JSON result
Insights

N/A

Ping

Description

Check connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Remove From Blacklist

Description

Removes a URL/Domain/IP from the blacklist.

Parameters

N/A

Run On

This action runs on the following entities:

  • URL
  • Hostname
  • IP Address

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Remove From Whitelist

Description

Removes a URL/Domain/IP from the white-listed URLs.

Parameters

N/A

Run On

This action runs on the following entities:

  • URL
  • Hostname
  • IP Address

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A