Zscaler
Integration version: 7.0
Configure Zscaler integration in Google Security Operations
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Actions
Add to Blacklist
Description
Adds a URL/Domain/IP to black list.
Parameters
N/A
Run On
This action runs on the following entities:
- URL
- Hostname
- IP Address
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Add to Whitelist
Description
Adds a URL/Domain/IP to the white-listed URLs.
Parameters
N/A
Run On
This action runs on the following entities:
- URL
- Hostname
- IP Address
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Get Blacklist
Description
Gets a list of black-listed URLs.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Get Sandbox Report
Description
Get a full report for an MD5 hash of a file that was analyzed by Sandbox.
Parameters
N/A
Run On
This action runs on the Filehash entity.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[
{
"EntityResult":
{
"Full Details":
{
"SystemSummary": [
{
"SignatureSources": [
"",
"76CD0000 page execute and read and write",
"76DD0000 page execute and read and write"
],
"Risk": "LOW",
"Signature": "Allocates memory within range which is reserved for system DLLs"
},{
"SignatureSources": [
"",
"wow64.pdb source: loaddll32.exe",
"wow64.pdbH source: loaddll32.exe",
"wow64cpu.pdb source: loaddll32.exe",
"wow64win.pdb source: loaddll32.exe",
"wow64win.pdbH source: loaddll32.exe"
],
"Risk": "LOW",
"Signature": "Binary contains paths to debug symbols"
},{
"SignatureSources": [
"",
"clean0.winDLL@1/1@0/0"
],
"Risk": "LOW",
"Signature": "Classification label"
}, {
"SignatureSources":[
"",
"More than 502 > 100 exports found"
],
"Risk": "LOW",
"Signature": "PE file exports many functions"
}, {
"SignatureSources": [
"",
"Virtual size of .text is bigger than: 0x100000"
],
"Risk": "LOW",
"Signature": "PE file has a big code size"
},{
"SignatureSources": [
"",
"Raw size of .text is bigger than: 0x100000 < 0x176000"
],
"Risk": "LOW",
"Signature": "PE file has a big raw section"
}, {
"SignatureSources": [
"",
"Image base 0x704c0000 > 0x60000000"
],
"Risk": "LOW",
"Signature": "PE file has a high image base. often used for DLLs"
}, {
"SignatureSources": [
"",
"Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN"
],
"Risk": "LOW",
"Signature": "PE file has an executable .text section and no other executable section"
}, {
"SignatureSources": [
"", "HKEY_USERS\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\CodeIdentifiers"
],
"Risk": "LOW",
"Signature": "Reads software policies"
},{
"SignatureSources": [
"",
"File size 1710606 > 1048576"
],
"Risk": "LOW",
"Signature": "Submission file is bigger than most known malware samples"
},{
"SignatureSources": [
"",
"no activity detected"
],
"Risk": "MODERATE",
"Signature": "Program does not show much activity"
}
],
"Summary":
{
"Status": "COMPLETED",
"Category": "EXECS",
"FileType": "DLL",
"Duration": 499618,
"StartTime": 1553130306
},
"Classification":
{
"Category": "BENIGN",
"Type": "BENIGN",
"Score": 0,
"DetectedMalware": ""
},
"Persistence":[
{
"SignatureSources": [
"",
"section name: /4"
],
"Risk": "LOW",
"Signature": "PE file contains sections with non-standard names"
}
],
"FileProperties":
{
"SHA1": "b0aa7eecfa6c0066504bf79efe1bc057ac61e9b8",
"FileSize": 1710606,
"RootCA": "",
"Issuer": "",
"FileType": "DLL",
"Sha256": "a39180232ae6a689650f5df566bb4e81b94d9d19a53363ce17d7a12fd21f78cf",
"DigitalCerificate": "",
"SSDeep": "24576:3LnYQhDtnNgQe42lcCZNj4I/MmaOdb+Y+mmY5Gc3nGkh2sQginrgGGQCTQIMGNdd:zYQlEpIE/p3nFhckZF7oU",
"MD5": "1803c2c0f0ec61c98b3630d7e4b1cd5d"
}
}
},
"Entity": "1803C2C0F0EC61C98B3630D7E4B1CD5D"
}
]
Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| Full Details | Returns if it exists in JSON result |
Insights
N/A
Get URL Categories
Description
Gets information about all URL categories.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[
{
"description": "OTHER_ADULT_MATERIAL_DESC",
"val": 1,
"dbCategorizedUrls": [],
"editable": true,
"urls": [],
"customCategory": false,
"id": "OTHER_ADULT_MATERIAL"
}, {
"description": "ADULT_THEMES_DESC",
"val": 2,
"dbCategorizedUrls": [],
"editable": true,
"urls": [],
"customCategory": false,
"id": "ADULT_THEMES"
}
]
Entity Enrichment
N/A
Insights
N/A
Get Whitelist
Description
Gets a list of white-listed URLs.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Lookup Entity
Description
Look up the categorization of a URL/Domain/IP.
Parameters
N/A
Run On
This action runs on the following entities:
- URL
- Hostname
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[
{
"EntityResult": {
"url": "markossolomon.com/f1q7qx.php",
"urlClassificationsWithSecurityAlert": ["MALWARE_SITE"],
"urlClassifications": []
},
"Entity": "HTTP://MARKOSSOLOMON.COM/F1Q7QX.PHP"
}
]
Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| url | Returns if it exists in JSON result |
| urlClassificationsWithSecurityAlert | Returns if it exists in JSON result |
| urlClassifications | Returns if it exists in JSON result |
Insights
N/A
Ping
Description
Check connectivity.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Remove From Blacklist
Description
Removes a URL/Domain/IP from the blacklist.
Parameters
N/A
Run On
This action runs on the following entities:
- URL
- Hostname
- IP Address
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Remove From Whitelist
Description
Removes a URL/Domain/IP from the white-listed URLs.
Parameters
N/A
Run On
This action runs on the following entities:
- URL
- Hostname
- IP Address
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Need more help? Get answers from Community members and Google SecOps professionals.