# Zscaler

## General requirements
You need an active Zscaler ZIA subscription to use this analyzer. For reference, you may use this supporting documentation in case of issues with the API: Getting started with ZIA API.

## Credit
Full credit should go to Simon Lavigne for creating this analyzer in the first place.
## Zscaler
Author: Simon Lavigne, Mikael Keri
License: AGPL-V3
Version: 1.3
Supported observable types:
- ip
- domain
- url
- fqdn
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.zscaler.com/
### Description

Check the Zscaler category for an IP address, domain, FQDN or URL. This analyzer requires a paid subscription to Zscaler ZIA.
### Configuration

| Name | Description | Default value if not configured | Type | Can contain multiple values | Required |
| --- | --- | --- | --- | --- | --- |
| username | Zscaler username | N/A | string | False | True |
| password | Zscaler password | N/A | string | False | True |
| api_key | API key | N/A | string | False | True |
| base_uri | The base URL of your Zscaler subscription. Example: https://zsapi.zscalertwo.net | N/A | string | False | True |
| malicious_categories | List of Zscaler categories to be considered as malicious | ['PHISHING', 'MALWARE_SITE', 'BOTNET', 'SPYWARE_OR_ADWARE', 'ADSPYWARE_SITES', 'ADWARE_OR_SPYWARE', 'CRYPTOMINING', 'WEB_SPAM', 'MALICIOUS_TLD'] | string | True | True |
| suspicious_categories | List of Zscaler categories to be considered as suspicious | ['SHAREWARE_DOWNLOAD', 'REMOTE_ACCESS', 'MISCELLANEOUS_OR_UNKNOWN', 'NEWLY_REG_DOMAINS', 'OTHER_ILLEGAL_OR_QUESTIONABLE', 'COPYRIGHT_INFRINGEMENT', 'GAMBLING', 'COMPUTER_HACKING', 'ANONYMIZER', 'MISCELLANEOUS_OR_UNKNOWN', 'DNS_OVER_HTTPS', 'ENCR_WEB_CONTENT'] | string | True | True |
### Template samples for TheHive

## ZscalerZIA_URLLookup

### Description
Query Zscaler Internet Access for URL categorization and security classification. Supports OneAPI OAuth2 and legacy authentication.
### Configuration

| Name | Description | Default value if not configured | Type | Can contain multiple values | Required |
| --- | --- | --- | --- | --- | --- |
| auth_type | Authentication type: 'oneapi' for ZIdentity OAuth2 (default) or 'legacy' for legacy API credentials | oneapi | string | False | False |
| zia_vanity_domain | [OneAPI only] Zscaler ZIdentity vanity domain for your organization (e.g. 'acme' from acme.zslogin.net) | N/A | string | False | False |
| zia_client_id | [OneAPI only] Zscaler OneAPI OAuth Client ID created in the ZIdentity Admin Portal | N/A | string | False | False |
| zia_client_secret | [OneAPI only] Zscaler OneAPI OAuth Client Secret from the ZIdentity Admin Portal | N/A | string | False | False |
| zia_username | [Legacy only] ZIA API admin email address | N/A | string | False | False |
| zia_password | [Legacy only] ZIA API admin password | N/A | string | False | False |
| zia_api_key | [Legacy only] ZIA API key (obfuscated API key) | N/A | string | False | False |
| zia_cloud | Cloud environment name. Required for legacy auth (e.g. 'zscaler', 'zscalerone', 'zscalertwo'). Optional for OneAPI (use for beta/alpha environments). | N/A | string | False | False |
| malicious_categories | List of Zscaler categories to be considered as malicious | ['PHISHING', 'MALWARE_SITE', 'BOTNET', 'SPYWARE_OR_ADWARE', 'ADSPYWARE_SITES', 'ADWARE_OR_SPYWARE', 'CRYPTOMINING', 'WEB_SPAM', 'MALICIOUS_TLD', 'MALICIOUS_SITES', 'COMMAND_AND_CONTROL'] | string | True | False |
| suspicious_categories | List of Zscaler categories to be considered as suspicious | ['SHAREWARE_DOWNLOAD', 'REMOTE_ACCESS', 'MISCELLANEOUS_OR_UNKNOWN', 'NEWLY_REG_DOMAINS', 'OTHER_ILLEGAL_OR_QUESTIONABLE', 'COPYRIGHT_INFRINGEMENT', 'GAMBLING', 'COMPUTER_HACKING', 'ANONYMIZER', 'DNS_OVER_HTTPS', 'ENCR_WEB_CONTENT', 'PROXY_AVOIDANCE', 'SUSPICIOUS'] | string | True | False |
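The configuration tables above (for both the Zscaler and the ZscalerZIA_URLLookup analyzers) describe two things a deployer has to get right: which credential fields each `auth_type` needs, and how the returned categories are weighed against the `malicious_categories` and `suspicious_categories` lists. The following is an added example, not the analyzer's own code, that checks a configuration for the fields its auth type requires, derives the legacy base URL from the cloud name using the pattern of the `base_uri` example in the first table, reproduces the timestamp-based obfuscation that the legacy login applies to `zia_api_key` (as the author recalls it from Zscaler's public "Getting started with ZIA API" guide; treat it as an assumption and verify against that guide), and maps a lookup result's categories to a verdict. The sample lookup results and the precedence rule "one malicious category outranks any suspicious one" are constructed for the example.

```python
"""Added example (not the analyzer's code): configuration checks, legacy API-key
obfuscation and category-to-verdict mapping for a ZIA URL lookup."""
import time

# Required fields per auth_type, taken from the ZscalerZIA_URLLookup table.
REQUIRED_FIELDS = {
    "oneapi": ("zia_vanity_domain", "zia_client_id", "zia_client_secret"),
    "legacy": ("zia_username", "zia_password", "zia_api_key", "zia_cloud"),
}

# Default category lists from the ZscalerZIA_URLLookup configuration table.
MALICIOUS_CATEGORIES = {
    "PHISHING", "MALWARE_SITE", "BOTNET", "SPYWARE_OR_ADWARE", "ADSPYWARE_SITES",
    "ADWARE_OR_SPYWARE", "CRYPTOMINING", "WEB_SPAM", "MALICIOUS_TLD",
    "MALICIOUS_SITES", "COMMAND_AND_CONTROL",
}
SUSPICIOUS_CATEGORIES = {
    "SHAREWARE_DOWNLOAD", "REMOTE_ACCESS", "MISCELLANEOUS_OR_UNKNOWN",
    "NEWLY_REG_DOMAINS", "OTHER_ILLEGAL_OR_QUESTIONABLE", "COPYRIGHT_INFRINGEMENT",
    "GAMBLING", "COMPUTER_HACKING", "ANONYMIZER", "DNS_OVER_HTTPS",
    "ENCR_WEB_CONTENT", "PROXY_AVOIDANCE", "SUSPICIOUS",
}


def missing_config(config):
    """Return the required fields that are absent or empty for the configured
    auth_type ('oneapi' when not set, matching the table's default)."""
    auth_type = config.get("auth_type", "oneapi")
    if auth_type not in REQUIRED_FIELDS:
        raise ValueError(f"unknown auth_type: {auth_type!r}")
    return [field for field in REQUIRED_FIELDS[auth_type] if not config.get(field)]


def legacy_base_uri(zia_cloud):
    """Derive the legacy API base URL from the cloud name, following the
    example in the first table (zscalertwo -> https://zsapi.zscalertwo.net)."""
    return f"https://zsapi.{zia_cloud}.net"


def obfuscate_api_key(api_key, now_ms=None):
    """Timestamp-based obfuscation of the legacy ZIA API key (assumption: as
    described in Zscaler's public getting-started guide). Returns the
    millisecond timestamp and the obfuscated key; the login request carries
    both, so the raw key itself is never sent."""
    if len(api_key) < 12:
        raise ValueError("API key too short for the obfuscation index range")
    now = int(time.time() * 1000) if now_ms is None else now_ms
    n = str(now)[-6:]                      # last six digits of the timestamp
    r = str(int(n) >> 1).zfill(6)          # half of that value, zero-padded
    key = "".join(api_key[int(c)] for c in n)
    key += "".join(api_key[int(c) + 2] for c in r)
    return now, key


def classify(categories, malicious=MALICIOUS_CATEGORIES, suspicious=SUSPICIOUS_CATEGORIES):
    """Map the categories returned for one observable to a taxonomy level.
    Constructed precedence rule: any malicious hit wins over suspicious."""
    cats = set(categories)
    if cats & malicious:
        return "malicious"
    if cats & suspicious:
        return "suspicious"
    return "safe"


# Constructed sample lookup results (not real API output).
SAMPLE_RESULTS = [
    {"url": "login.example.invalid", "categories": ["PHISHING", "SHAREWARE_DOWNLOAD"]},
    {"url": "new.example.invalid", "categories": ["NEWLY_REG_DOMAINS", "BUSINESS"]},
    {"url": "docs.example.invalid", "categories": ["BUSINESS"]},
]


def summarize(results):
    """Return {url: verdict} for a list of lookup results."""
    return {item["url"]: classify(item["categories"]) for item in results}


if __name__ == "__main__":
    cfg = {"auth_type": "legacy", "zia_username": "admin@example.invalid",
           "zia_password": "PLACEHOLDER", "zia_api_key": "abcdefghijklmnopqrstuvwxyz012345",
           "zia_cloud": "zscalertwo"}
    print("missing:", missing_config(cfg))
    print("base URI:", legacy_base_uri(cfg["zia_cloud"]))
    print("obfuscated key:", obfuscate_api_key(cfg["zia_api_key"])[1])
    print(summarize(SAMPLE_RESULTS))
```

Run it stand-alone to see a legacy configuration pass the field check and the three constructed results land in the three verdict buckets; swap `auth_type` to `oneapi` on the same dictionary and `missing_config` reports the three OneAPI fields instead.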
### Template samples for TheHive
No template samples to display.