Zscaler
Integration version: 7.0
Configure Zscaler integration in Google Security Operations
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Add to Blacklist
Adds a URL/Domain/IP to blocklist.
Parameters
N/A
Run On
This action runs on the following entities:
- URL
- Hostname
- IP Address
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Add to Whitelist
Adds a URL/Domain/IP to the allowlist.
Parameters
N/A
Run On
This action runs on the following entities:
- URL
- Hostname
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Get Blacklist
Gets a list of black-listed URLs.
Parameters
N/A
Run On
This action runs on all entities.
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Get Sandbox Report
Get a full report for an MD5 hash of a file that was analyzed by Sandbox.
Parameters
N/A
Run On
This action runs on the Filehash entity.
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[
{
"EntityResult":
{
"Full Details":
{
"SystemSummary": [
{
"SignatureSources": [
"",
"76CD0000 page execute and read and write",
"76DD0000 page execute and read and write"
],
"Risk": "LOW",
"Signature": "Allocates memory within range which is reserved for system DLLs"
},{
"SignatureSources": [
"",
"wow64.pdb source: loaddll32.exe",
"wow64.pdbH source: loaddll32.exe",
"wow64cpu.pdb source: loaddll32.exe",
"wow64win.pdb source: loaddll32.exe",
"wow64win.pdbH source: loaddll32.exe"
],
"Risk": "LOW",
"Signature": "Binary contains paths to debug symbols"
},{
"SignatureSources": [
"",
"clean0.winDLL@1/1@0/0"
],
"Risk": "LOW",
"Signature": "Classification label"
}, {
"SignatureSources":[
"",
"More than 502 > 100 exports found"
],
"Risk": "LOW",
"Signature": "PE file exports many functions"
}, {
"SignatureSources": [
"",
"Virtual size of .text is bigger than: 0x100000"
],
"Risk": "LOW",
"Signature": "PE file has a big code size"
},{
"SignatureSources": [
"",
"Raw size of .text is bigger than: 0x100000 < 0x176000"
],
"Risk": "LOW",
"Signature": "PE file has a big raw section"
}, {
"SignatureSources": [
"",
"Image base 0x704c0000 > 0x60000000"
],
"Risk": "LOW",
"Signature": "PE file has a high image base. often used for DLLs"
}, {
"SignatureSources": [
"",
"Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN"
],
"Risk": "LOW",
"Signature": "PE file has an executable .text section and no other executable section"
}, {
"SignatureSources": [
"", "HKEY_USERS\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\CodeIdentifiers"
],
"Risk": "LOW",
"Signature": "Reads software policies"
},{
"SignatureSources": [
"",
"File size 1710606 > 1048576"
],
"Risk": "LOW",
"Signature": "Submission file is bigger than most known malware samples"
},{
"SignatureSources": [
"",
"no activity detected"
],
"Risk": "MODERATE",
"Signature": "Program does not show much activity"
}
],
"Summary":
{
"Status": "COMPLETED",
"Category": "EXECS",
"FileType": "DLL",
"Duration": 499618,
"StartTime": 1553130306
},
"Classification":
{
"Category": "BENIGN",
"Type": "BENIGN",
"Score": 0,
"DetectedMalware": ""
},
"Persistence":[
{
"SignatureSources": [
"",
"section name: /4"
],
"Risk": "LOW",
"Signature": "PE file contains sections with non-standard names"
}
],
"FileProperties":
{
"SHA1": "b0aa7eecfa6c0066504bf79efe1bc057ac61e9b8",
"FileSize": 1710606,
"RootCA": "",
"Issuer": "",
"FileType": "DLL",
"Sha256": "a39180232ae6a689650f5df566bb4e81b94d9d19a53363ce17d7a12fd21f78cf",
"DigitalCerificate": "",
"SSDeep": "24576:3LnYQhDtnNgQe42lcCZNj4I/MmaOdb+Y+mmY5Gc3nGkh2sQginrgGGQCTQIMGNdd:zYQlEpIE/p3nFhckZF7oU",
"MD5": "1803c2c0f0ec61c98b3630d7e4b1cd5d"
}
}
},
"Entity": "1803C2C0F0EC61C98B3630D7E4B1CD5D"
}
]
Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| Full Details | Returns if it exists in JSON result |
Insights
N/A
Get URL Categories
Gets information about all URL categories.
Parameters
N/A
Run On
This action runs on all entities.
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[
{
"description": "OTHER_ADULT_MATERIAL_DESC",
"val": 1,
"dbCategorizedUrls": [],
"editable": true,
"urls": [],
"customCategory": false,
"id": "OTHER_ADULT_MATERIAL"
}, {
"description": "ADULT_THEMES_DESC",
"val": 2,
"dbCategorizedUrls": [],
"editable": true,
"urls": [],
"customCategory": false,
"id": "ADULT_THEMES"
}
]
Entity Enrichment
N/A
Insights
N/A
Get Whitelist
Gets a list of white-listed URLs.
Parameters
N/A
Run On
This action runs on all entities.
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Lookup Entity
Look up the categorization of a URL/Domain/IP.
Parameters
N/A
Run On
This action runs on the following entities:
- URL
- Hostname
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[
{
"EntityResult": {
"url": "markossolomon.com/f1q7qx.php",
"urlClassificationsWithSecurityAlert": ["MALWARE_SITE"],
"urlClassifications": []
},
"Entity": "HTTP://MARKOSSOLOMON.COM/F1Q7QX.PHP"
}
]
Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| url | Returns if it exists in JSON result |
| urlClassificationsWithSecurityAlert | Returns if it exists in JSON result |
| urlClassifications | Returns if it exists in JSON result |
Insights
N/A
Ping
Check connectivity.
Parameters
N/A
Run On
This action runs on all entities.
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Remove From Blacklist
Removes a URL/Domain/IP from the blacklist.
Parameters
N/A
Run On
This action runs on the following entities:
- URL
- Hostname
- IP Address
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Remove From Whitelist
Removes a URL/Domain/IP from the white-listed URLs.
Parameters
N/A
Run On
This action runs on the following entities:
- URL
- Hostname
- IP Address
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Need more help? Get answers from Community members and Google SecOps professionals.