Zscaler
Integration version: 7.0
Before you begin
Before you configure the Zscaler integration in Google SecOps, verify that you have the following:
Zscaler API key: An API key generated from the Zscaler Admin Portal.
Zscaler administrator account: An account in your Zscaler Admin Portal that has API access permissions for the required modules (for example, URL filtering, user management).
Create a Zscaler API key
To create an API key in the Zscaler Admin Portal, complete these steps:
1. Sign in to your APIVoid User Dashboard (navigate to APIVoid).
   - Select the Login, Dashboard, or My Account link to access your user dashboard.
2. Navigate to the API Keys section.
3. Generate a new API key. Copy and store the key securely right away; it may be displayed only once.
Integration parameters
The Zscaler integration requires the following parameters:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
API Root | String | N/A | Yes | The base URL for the Zscaler API (e.g., |
Login ID | String | N/A | Yes | The login ID of the Zscaler administrator account with API access permissions. |
API Key | Password | N/A | Yes | The API Key generated from your Zscaler Admin Portal. This is a unique key for authenticating API requests. |
Password | Password | N/A | Yes | The password for the Zscaler administrator account. |
Verify SSL | Boolean | Checked | No | If selected, the integration verifies the SSL certificate when connecting to Zscaler. Selected by default. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.
How authentication works
The Zscaler integration uses a combination of the Login ID, Password, and the generated API Key to authenticate with the Zscaler API.
The integration sends these credentials to a Zscaler authentication endpoint to establish a session and retrieve a session cookie or a temporary token, which is then used for subsequent API requests.
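The following is an added worked example of the session flow described above; it is not the integration's own code. The endpoint path `/api/v1/authenticatedSession`, the `JSESSIONID` session cookie and the timestamp-based obfuscation of the API key are taken from Zscaler's public ZIA API documentation rather than from this page; the API root, login ID, API key and the offline fake transport are constructed for the example.

```python
import json
import time
import urllib.request
from http.cookies import SimpleCookie

# Added example, not the integration's own code. Endpoint path and the
# timestamp-based API key obfuscation follow Zscaler's public ZIA API
# documentation; the page above only says that a session is established.
AUTH_PATH = "/api/v1/authenticatedSession"


def obfuscate_api_key(api_key, now_ms):
    """Return the value sent in place of the raw API key for one request.

    Characters of the key are selected by the last six digits of the millisecond
    timestamp and by those digits shifted right by one. The server repeats the
    calculation with the timestamp in the request, so the raw key never leaves
    the client and a captured request is only valid for that timestamp.
    """
    if len(api_key) < 12:
        raise ValueError("API key must be at least 12 characters")
    n = str(now_ms)[-6:]
    r = str(int(n) >> 1).zfill(6)
    return "".join(api_key[int(d)] for d in n) + "".join(api_key[int(d) + 2] for d in r)


class ZscalerSession:
    """Logs in once, then replays the session cookie on later requests."""

    def __init__(self, api_root, login_id, password, api_key, transport=None):
        self.api_root = api_root.rstrip("/")
        self.login_id, self.password, self.api_key = login_id, password, api_key
        # transport(method, url, headers, body) -> (status, headers, body);
        # injectable so the example can run offline against a fake.
        self.transport = transport or self._https_transport
        self.cookie = None

    @staticmethod
    def _https_transport(method, url, headers, body):
        # Real transport: certificate verification stays on (the Verify SSL parameter).
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read()

    def login(self, now_ms=None):
        now_ms = int(time.time() * 1000) if now_ms is None else now_ms
        payload = {
            "apiKey": obfuscate_api_key(self.api_key, now_ms),
            "username": self.login_id,
            "password": self.password,  # travels in the body, so TLS is not optional
            "timestamp": now_ms,
        }
        status, headers, _ = self.transport(
            "POST", self.api_root + AUTH_PATH,
            {"Content-Type": "application/json"}, json.dumps(payload).encode())
        if status != 200:
            raise RuntimeError(f"authentication failed: HTTP {status}")
        jar = SimpleCookie()
        jar.load(headers.get("Set-Cookie", ""))
        if "JSESSIONID" not in jar:
            raise RuntimeError("authentication response carried no session cookie")
        self.cookie = "JSESSIONID=" + jar["JSESSIONID"].value
        return self.cookie

    def get(self, path):
        if self.cookie is None:
            self.login()
        status, _, body = self.transport(
            "GET", self.api_root + path, {"Cookie": self.cookie}, None)
        if status != 200:
            raise RuntimeError(f"request failed: HTTP {status}")
        return json.loads(body)


# Constructed stand-in for the Zscaler API so the example runs offline.
FAKE_API_KEY = "ABCDEFGHIJKL"  # constructed placeholder, not a real key


def fake_transport(method, url, headers, body):
    if method == "POST" and url.endswith(AUTH_PATH):
        payload = json.loads(body)
        ok = (payload.get("password") == "pw" and
              payload.get("apiKey") == obfuscate_api_key(FAKE_API_KEY, payload["timestamp"]))
        if not ok:
            return 401, {}, b"{}"
        return 200, {"Set-Cookie": "JSESSIONID=abc123; Path=/; Secure; HttpOnly"}, b"{}"
    if headers.get("Cookie") == "JSESSIONID=abc123":
        return 200, {}, b'{"authenticated": true}'
    return 401, {}, b"{}"


def demo(password="pw"):
    """Log in through the fake and make one authenticated call; return what happened."""
    session = ZscalerSession("https://zsapi.example.invalid", "admin@example.invalid",
                             password, FAKE_API_KEY, transport=fake_transport)
    try:
        cookie = session.login(now_ms=1553130306000)
    except RuntimeError as exc:
        return {"cookie": None, "error": str(exc)}
    return {"cookie": cookie, "status": session.get("/api/v1/status")}


if __name__ == "__main__":
    print(demo())
    print(demo(password="wrong"))
```

The point for a defender is in `login`: the raw API key is never transmitted, only a timestamp-bound derivation of it, while the administrator password does travel in the request body, which is why the Verify SSL parameter should stay selected. A failed login returns no cookie and every later call fails closed.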
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Add to Blacklist
Adds a URL/Domain/IP to the blocklist.
Parameters
N/A
Run On
This action runs on the following entities:
- URL
- Hostname
- IP Address
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Add to Whitelist
Adds a URL/Domain/IP to the allowlist.
Parameters
N/A
Run On
This action runs on the following entities:
- URL
- Hostname
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Get Blacklist
Gets a list of black-listed URLs.
Parameters
N/A
Run On
This action runs on all entities.
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Get Sandbox Report
Gets a full report for an MD5 hash of a file that was analyzed by Sandbox.
Parameters
N/A
Run On
This action runs on the Filehash entity.
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
```json
[
  {
    "EntityResult": {
      "Full Details": {
        "SystemSummary": [
          {
            "SignatureSources": [
              "",
              "76CD0000 page execute and read and write",
              "76DD0000 page execute and read and write"
            ],
            "Risk": "LOW",
            "Signature": "Allocates memory within range which is reserved for system DLLs"
          },
          {
            "SignatureSources": [
              "",
              "wow64.pdb source: loaddll32.exe",
              "wow64.pdbH source: loaddll32.exe",
              "wow64cpu.pdb source: loaddll32.exe",
              "wow64win.pdb source: loaddll32.exe",
              "wow64win.pdbH source: loaddll32.exe"
            ],
            "Risk": "LOW",
            "Signature": "Binary contains paths to debug symbols"
          },
          {
            "SignatureSources": [
              "",
              "clean0.winDLL@1/1@0/0"
            ],
            "Risk": "LOW",
            "Signature": "Classification label"
          },
          {
            "SignatureSources": [
              "",
              "More than 502 > 100 exports found"
            ],
            "Risk": "LOW",
            "Signature": "PE file exports many functions"
          },
          {
            "SignatureSources": [
              "",
              "Virtual size of .text is bigger than: 0x100000"
            ],
            "Risk": "LOW",
            "Signature": "PE file has a big code size"
          },
          {
            "SignatureSources": [
              "",
              "Raw size of .text is bigger than: 0x100000 < 0x176000"
            ],
            "Risk": "LOW",
            "Signature": "PE file has a big raw section"
          },
          {
            "SignatureSources": [
              "",
              "Image base 0x704c0000 > 0x60000000"
            ],
            "Risk": "LOW",
            "Signature": "PE file has a high image base. often used for DLLs"
          },
          {
            "SignatureSources": [
              "",
              "Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN"
            ],
            "Risk": "LOW",
            "Signature": "PE file has an executable .text section and no other executable section"
          },
          {
            "SignatureSources": [
              "",
              "HKEY_USERS\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\CodeIdentifiers"
            ],
            "Risk": "LOW",
            "Signature": "Reads software policies"
          },
          {
            "SignatureSources": [
              "",
              "File size 1710606 > 1048576"
            ],
            "Risk": "LOW",
            "Signature": "Submission file is bigger than most known malware samples"
          },
          {
            "SignatureSources": [
              "",
              "no activity detected"
            ],
            "Risk": "MODERATE",
            "Signature": "Program does not show much activity"
          }
        ],
        "Summary": {
          "Status": "COMPLETED",
          "Category": "EXECS",
          "FileType": "DLL",
          "Duration": 499618,
          "StartTime": 1553130306
        },
        "Classification": {
          "Category": "BENIGN",
          "Type": "BENIGN",
          "Score": 0,
          "DetectedMalware": ""
        },
        "Persistence": [
          {
            "SignatureSources": [
              "",
              "section name: /4"
            ],
            "Risk": "LOW",
            "Signature": "PE file contains sections with non-standard names"
          }
        ],
        "FileProperties": {
          "SHA1": "b0aa7eecfa6c0066504bf79efe1bc057ac61e9b8",
          "FileSize": 1710606,
          "RootCA": "",
          "Issuer": "",
          "FileType": "DLL",
          "Sha256": "a39180232ae6a689650f5df566bb4e81b94d9d19a53363ce17d7a12fd21f78cf",
          "DigitalCerificate": "",
          "SSDeep": "24576:3LnYQhDtnNgQe42lcCZNj4I/MmaOdb+Y+mmY5Gc3nGkh2sQginrgGGQCTQIMGNdd:zYQlEpIE/p3nFhckZF7oU",
          "MD5": "1803c2c0f0ec61c98b3630d7e4b1cd5d"
        }
      }
    },
    "Entity": "1803C2C0F0EC61C98B3630D7E4B1CD5D"
  }
]
```
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
Full Details | Returns if it exists in JSON result |
Insights
N/A
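The following is an added example (not the integration's own code) of how a playbook step might triage the JSON result of Get Sandbox Report. It uses the report shape shown above; the sample input is the page's result trimmed to a few signatures, and the ordering of the risk labels (LOW below MODERATE below HIGH) is an assumption for this example, since the page only shows LOW and MODERATE.

```python
import json

# Added example, not the integration's own code. Triages the result of the
# Get Sandbox Report action using the report shape shown on the page.

# Constructed sample: the page's result trimmed to a few signatures.
SAMPLE_RESULT = json.loads(r'''
[
  {
    "EntityResult": {
      "Full Details": {
        "SystemSummary": [
          {"SignatureSources": ["", "76CD0000 page execute and read and write"],
           "Risk": "LOW",
           "Signature": "Allocates memory within range which is reserved for system DLLs"},
          {"SignatureSources": ["", "no activity detected"],
           "Risk": "MODERATE", "Signature": "Program does not show much activity"}
        ],
        "Summary": {"Status": "COMPLETED", "Category": "EXECS", "FileType": "DLL",
                    "Duration": 499618, "StartTime": 1553130306},
        "Classification": {"Category": "BENIGN", "Type": "BENIGN", "Score": 0,
                           "DetectedMalware": ""},
        "Persistence": [
          {"SignatureSources": ["", "section name: /4"],
           "Risk": "LOW", "Signature": "PE file contains sections with non-standard names"}
        ],
        "FileProperties": {"MD5": "1803c2c0f0ec61c98b3630d7e4b1cd5d",
                           "FileSize": 1710606, "FileType": "DLL"}
      }
    },
    "Entity": "1803C2C0F0EC61C98B3630D7E4B1CD5D"
  }
]
''')

# Ordering assumed for this example; the page shows only LOW and MODERATE.
RISK_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}


def collect_signatures(details):
    """Yield (section, risk, signature, sources) for every signature in the report.

    Sections are found by shape (a list of objects carrying "Signature") rather
    than by name, so sections absent from the page's sample are still covered.
    """
    for section, value in details.items():
        if not isinstance(value, list):
            continue
        for item in value:
            if isinstance(item, dict) and "Signature" in item:
                sources = [s for s in item.get("SignatureSources", []) if s]
                yield section, item.get("Risk", "UNKNOWN"), item["Signature"], sources


def triage_report(result_item):
    """Reduce one result item to the fields an analyst acts on."""
    details = result_item["EntityResult"]["Full Details"]
    summary = details.get("Summary", {})
    classification = details.get("Classification", {})
    props = details.get("FileProperties", {})

    # The queried entity is an upper-cased MD5 while FileProperties.MD5 comes back
    # lower-case; compare case-insensitively and treat a mismatch as a report
    # for some other file.
    entity_hash = result_item["Entity"].strip().lower()
    report_hash = props.get("MD5", "").strip().lower()

    sigs = list(collect_signatures(details))
    top_risk = max((s[1] for s in sigs), key=lambda r: RISK_RANK.get(r, 0), default=None)

    return {
        "entity": result_item["Entity"],
        "complete": summary.get("Status") == "COMPLETED",
        "hash_matches": bool(report_hash) and entity_hash == report_hash,
        "verdict": classification.get("Category"),
        "score": classification.get("Score"),
        "detected_malware": classification.get("DetectedMalware") or None,
        "top_risk": top_risk,
        "signature_count": len(sigs),
        "notable": [s[2] for s in sigs if RISK_RANK.get(s[1], 0) >= RISK_RANK["MODERATE"]],
    }


def triage_all(result):
    return [triage_report(item) for item in result]


if __name__ == "__main__":
    for row in triage_all(SAMPLE_RESULT):
        print(json.dumps(row, indent=2))
```

A playbook condition would branch on `complete` first (an unfinished report should be re-queried, not scored), then on `hash_matches` and `verdict`; `notable` lists the signatures worth a human look even when the classification is BENIGN.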
Get URL Categories
Gets information about all URL categories.
Parameters
N/A
Run On
This action runs on all entities.
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
```json
[
  {
    "description": "OTHER_ADULT_MATERIAL_DESC",
    "val": 1,
    "dbCategorizedUrls": [],
    "editable": true,
    "urls": [],
    "customCategory": false,
    "id": "OTHER_ADULT_MATERIAL"
  },
  {
    "description": "ADULT_THEMES_DESC",
    "val": 2,
    "dbCategorizedUrls": [],
    "editable": true,
    "urls": [],
    "customCategory": false,
    "id": "ADULT_THEMES"
  }
]
```
Entity Enrichment
N/A
Insights
N/A
Get Whitelist
Gets a list of white-listed URLs.
Parameters
N/A
Run On
This action runs on all entities.
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Lookup Entity
Look up the categorization of a URL/Domain/IP.
Parameters
N/A
Run On
This action runs on the following entities:
- URL
- Hostname
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
```json
[
  {
    "EntityResult": {
      "url": "markossolomon.com/f1q7qx.php",
      "urlClassificationsWithSecurityAlert": ["MALWARE_SITE"],
      "urlClassifications": []
    },
    "Entity": "HTTP://MARKOSSOLOMON.COM/F1Q7QX.PHP"
  }
]
```
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
url | Returns if it exists in JSON result |
urlClassificationsWithSecurityAlert | Returns if it exists in JSON result |
urlClassifications | Returns if it exists in JSON result |
Insights
N/A
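The following is an added example (not the integration's own code) of how a playbook could act on a Lookup Entity result: it flags entities that came back with a security-alert classification and keeps the plain category list as context. The sample input is the page's result plus a second, constructed entity with no alert; the normalization of the entity (lower-case, scheme removed) mirrors the difference between `Entity` and `url` visible in the sample.

```python
import json

# Added example, not the integration's own code. Evaluates the JSON result of
# the Lookup Entity action using the result shape shown on the page.

# Constructed input: the page's sample plus a second, clean entity.
LOOKUP_RESULT = json.loads('''
[
  {
    "EntityResult": {
      "url": "markossolomon.com/f1q7qx.php",
      "urlClassificationsWithSecurityAlert": ["MALWARE_SITE"],
      "urlClassifications": []
    },
    "Entity": "HTTP://MARKOSSOLOMON.COM/F1Q7QX.PHP"
  },
  {
    "EntityResult": {
      "url": "example.invalid/index.html",
      "urlClassificationsWithSecurityAlert": [],
      "urlClassifications": ["REFERENCE_SITES"]
    },
    "Entity": "HTTPS://EXAMPLE.INVALID/INDEX.HTML"
  }
]
''')


def normalize_url(entity):
    """Lower-case the entity and drop its scheme, matching the `url` field's form."""
    s = entity.strip().lower()
    if "://" in s:
        s = s.split("://", 1)[1]
    return s


def evaluate_lookup(result):
    """Return one decision row per result item.

    Every enrichment field is optional ("returns if it exists"), so each is read
    with a default; an item with no classification data at all is reported as
    unknown rather than as clean.
    """
    rows = []
    for item in result:
        entity = item.get("Entity", "")
        data = item.get("EntityResult") or {}
        alerts = list(data.get("urlClassificationsWithSecurityAlert") or [])
        categories = list(data.get("urlClassifications") or [])
        url = data.get("url")
        rows.append({
            "entity": entity,
            "url": url,
            "url_matches_entity": url is not None and normalize_url(entity) == url,
            "alert": bool(alerts),
            "alert_categories": alerts,
            "categories": categories,
            "unknown": url is None and not alerts and not categories,
        })
    return rows


def entities_to_block(result):
    """Entities a follow-up Add to Blacklist step would receive."""
    return [row["entity"] for row in evaluate_lookup(result) if row["alert"]]


if __name__ == "__main__":
    for row in evaluate_lookup(LOOKUP_RESULT):
        print(json.dumps(row))
    print("block:", entities_to_block(LOOKUP_RESULT))
```

Only `urlClassificationsWithSecurityAlert` drives the block decision; `urlClassifications` carries content categories that are useful context but not, on their own, a reason to act.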
Ping
Checks connectivity.
Parameters
N/A
Run On
This action runs on all entities.
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Remove From Blacklist
Removes a URL/Domain/IP from the blacklist.
Parameters
N/A
Run On
This action runs on the following entities:
- URL
- Hostname
- IP Address
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Remove From Whitelist
Removes a URL/Domain/IP from the whitelist.
Parameters
N/A
Run On
This action runs on the following entities:
- URL
- Hostname
- IP Address
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A