Zscaler#

General requirements#

An active Zscaler ZIA subscription is required to use this analyzer. If you run into problems with the API, refer to Zscaler's supporting documentation: Getting started with ZIA API.

Credit#

Full credit should go to Simon Lavigne for creating this analyzer in the first place.

Zscaler#

Author: Simon Lavigne, Mikael Keri
License: AGPL-V3
Version: 1.3
Supported observable types:
- ip
- domain
- url
- fqdn
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.zscaler.com/

Description#

Check the Zscaler category of a domain, FQDN, IP address or URL. This analyzer requires a paid Zscaler ZIA subscription.

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| username | Zscaler username | N/A | string | False | True |
| password | Zscaler password | N/A | string | False | True |
| api_key | API key | N/A | string | False | True |
| base_uri | The base URL of your Zscaler subscription. Example: https://zsapi.zscalertwo.net | N/A | string | False | True |
| malicious_categories | List of Zscaler categories to be considered as malicious | ['PHISHING', 'MALWARE_SITE', 'BOTNET', 'SPYWARE_OR_ADWARE', 'ADSPYWARE_SITES', 'ADWARE_OR_SPYWARE', 'CRYPTOMINING', 'WEB_SPAM', 'MALICIOUS_TLD'] | string | True | True |
| suspicious_categories | List of Zscaler categories to be considered as suspicious | ['SHAREWARE_DOWNLOAD', 'REMOTE_ACCESS', 'MISCELLANEOUS_OR_UNKNOWN', 'NEWLY_REG_DOMAINS', 'OTHER_ILLEGAL_OR_QUESTIONABLE', 'COPYRIGHT_INFRINGEMENT', 'GAMBLING', 'COMPUTER_HACKING', 'ANONYMIZER', 'MISCELLANEOUS_OR_UNKNOWN', 'DNS_OVER_HTTPS', 'ENCR_WEB_CONTENT'] | string | True | True |

Template samples for TheHive#

Zscaler Lookup sample: Information full report (screenshot)

ZscalerZIA_URLLookup#

Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observable types:
- domain
- fqdn
- url
- ip
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.zscaler.com/products/zscaler-internet-access

Description#

Query Zscaler Internet Access for URL categorization and security classification. Supports OneAPI OAuth2 and legacy authentication.

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| auth_type | Authentication type: 'oneapi' for ZIdentity OAuth2 (default) or 'legacy' for legacy API credentials | oneapi | string | False | False |
| zia_vanity_domain | [OneAPI only] Zscaler ZIdentity vanity domain for your organization (e.g. 'acme' from acme.zslogin.net) | N/A | string | False | False |
| zia_client_id | [OneAPI only] Zscaler OneAPI OAuth Client ID created in the ZIdentity Admin Portal | N/A | string | False | False |
| zia_client_secret | [OneAPI only] Zscaler OneAPI OAuth Client Secret from the ZIdentity Admin Portal | N/A | string | False | False |
| zia_username | [Legacy only] ZIA API admin email address | N/A | string | False | False |
| zia_password | [Legacy only] ZIA API admin password | N/A | string | False | False |
| zia_api_key | [Legacy only] ZIA API key (obfuscated API key) | N/A | string | False | False |
| zia_cloud | Cloud environment name. Required for legacy auth (e.g. 'zscaler', 'zscalerone', 'zscalertwo'). Optional for OneAPI (use for beta/alpha environments). | N/A | string | False | False |
| malicious_categories | List of Zscaler categories to be considered as malicious | ['PHISHING', 'MALWARE_SITE', 'BOTNET', 'SPYWARE_OR_ADWARE', 'ADSPYWARE_SITES', 'ADWARE_OR_SPYWARE', 'CRYPTOMINING', 'WEB_SPAM', 'MALICIOUS_TLD', 'MALICIOUS_SITES', 'COMMAND_AND_CONTROL'] | string | True | False |
| suspicious_categories | List of Zscaler categories to be considered as suspicious | ['SHAREWARE_DOWNLOAD', 'REMOTE_ACCESS', 'MISCELLANEOUS_OR_UNKNOWN', 'NEWLY_REG_DOMAINS', 'OTHER_ILLEGAL_OR_QUESTIONABLE', 'COPYRIGHT_INFRINGEMENT', 'GAMBLING', 'COMPUTER_HACKING', 'ANONYMIZER', 'DNS_OVER_HTTPS', 'ENCR_WEB_CONTENT', 'PROXY_AVOIDANCE', 'SUSPICIOUS'] | string | True | False |
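The two configuration tables above (for the Zscaler analyzer and for ZscalerZIA_URLLookup) describe two things an operator has to get right: every auth item is individually optional, so a half-filled OneAPI or legacy configuration is only detectable by cross-checking against auth_type, and the malicious/suspicious category lists are what turn a Zscaler category into a verdict. The following Python is an added example, not code from the Cortex-Analyzers project, showing how a Cortex-style analyzer would perform that cross-check and map a ZIA urlLookup response onto TheHive taxonomy levels. The response shape (url, urlClassifications, urlClassificationsWithSecurityAlert) follows Zscaler's urlLookup documentation but is an assumption here; the function names, the sample responses and the rule that a security-alert classification is always rated malicious are this example's own choices.

```python
"""Added example (not part of the Cortex-Analyzers repository): configuration
cross-check and verdict mapping for a Zscaler ZIA urlLookup analyzer.
Names, sample data and the security-alert rule are assumptions of this example."""
from __future__ import annotations

from dataclasses import dataclass

# Defaults copied from the ZscalerZIA_URLLookup configuration table above.
DEFAULT_MALICIOUS = (
    "PHISHING", "MALWARE_SITE", "BOTNET", "SPYWARE_OR_ADWARE", "ADSPYWARE_SITES",
    "ADWARE_OR_SPYWARE", "CRYPTOMINING", "WEB_SPAM", "MALICIOUS_TLD",
    "MALICIOUS_SITES", "COMMAND_AND_CONTROL",
)
DEFAULT_SUSPICIOUS = (
    "SHAREWARE_DOWNLOAD", "REMOTE_ACCESS", "MISCELLANEOUS_OR_UNKNOWN",
    "NEWLY_REG_DOMAINS", "OTHER_ILLEGAL_OR_QUESTIONABLE", "COPYRIGHT_INFRINGEMENT",
    "GAMBLING", "COMPUTER_HACKING", "ANONYMIZER", "DNS_OVER_HTTPS",
    "ENCR_WEB_CONTENT", "PROXY_AVOIDANCE", "SUSPICIOUS",
)

# Items each auth_type needs, taken from the configuration table above.
REQUIRED_BY_AUTH_TYPE = {
    "oneapi": ("zia_vanity_domain", "zia_client_id", "zia_client_secret"),
    "legacy": ("zia_username", "zia_password", "zia_api_key", "zia_cloud"),
}


def missing_config_items(config: dict) -> list[str]:
    """Return the items left empty for the selected auth_type.

    Each item is optional on its own, so this cross-check is what catches a
    half-filled configuration before any credential is sent to Zscaler."""
    auth_type = str(config.get("auth_type") or "oneapi").lower()
    if auth_type not in REQUIRED_BY_AUTH_TYPE:
        raise ValueError(f"auth_type must be 'oneapi' or 'legacy', got {auth_type!r}")
    return [item for item in REQUIRED_BY_AUTH_TYPE[auth_type] if not config.get(item)]


@dataclass(frozen=True)
class Verdict:
    url: str
    level: str                      # "malicious" | "suspicious" | "safe" | "info"
    categories: tuple[str, ...]
    security_alerts: tuple[str, ...]


def classify(entry: dict, malicious=DEFAULT_MALICIOUS, suspicious=DEFAULT_SUSPICIOUS) -> Verdict:
    """Map one urlLookup result onto the configured category lists.

    Assumed entry shape: "url", "urlClassifications",
    "urlClassificationsWithSecurityAlert". Comparison is case-insensitive
    because the lists are operator supplied. Example's own rule: anything
    Zscaler flags with a security alert is malicious whatever the lists say."""
    mal = {c.upper() for c in malicious}
    sus = {c.upper() for c in suspicious}
    cats = tuple(str(c).upper() for c in entry.get("urlClassifications") or [])
    alerts = tuple(str(c).upper() for c in entry.get("urlClassificationsWithSecurityAlert") or [])
    if alerts or any(c in mal for c in cats):
        level = "malicious"
    elif any(c in sus for c in cats):
        level = "suspicious"
    elif cats:
        level = "safe"
    else:
        level = "info"              # Zscaler returned no category at all
    return Verdict(str(entry.get("url", "")), level, cats, alerts)


_ORDER = {"info": 0, "safe": 1, "suspicious": 2, "malicious": 3}


def build_taxonomies(results: list[dict], **lists) -> list[dict]:
    """One TheHive-style taxonomy (level/namespace/predicate/value) per URL."""
    taxonomies = []
    for entry in results:
        v = classify(entry, **lists)
        taxonomies.append({"level": v.level, "namespace": "Zscaler",
                           "predicate": "Category",
                           "value": ",".join(v.categories) or "None"})
    return taxonomies


def worst_level(results: list[dict], **lists) -> str:
    """Highest level across all results, for the report summary."""
    return max((classify(e, **lists).level for e in results), key=_ORDER.get, default="info")


# Constructed sample response; not captured from a live tenant.
SAMPLE_RESULTS = [
    {"url": "phish.example", "urlClassifications": ["PHISHING"], "urlClassificationsWithSecurityAlert": []},
    {"url": "newdomain.example", "urlClassifications": ["NEWLY_REG_DOMAINS", "BUSINESS_AND_ECONOMY"],
     "urlClassificationsWithSecurityAlert": []},
    {"url": "news.example", "urlClassifications": ["NEWS_AND_MEDIA"], "urlClassificationsWithSecurityAlert": []},
    {"url": "c2.example", "urlClassifications": ["OTHER_MISCELLANEOUS"],
     "urlClassificationsWithSecurityAlert": ["MALWARE_SITE"]},
]

if __name__ == "__main__":
    print(missing_config_items({"auth_type": "legacy", "zia_username": "admin@example.test"}))
    for taxonomy in build_taxonomies(SAMPLE_RESULTS):
        print(taxonomy)
    print("worst:", worst_level(SAMPLE_RESULTS))
```

Because both analyzers expose the category lists as multi-valued string items, the same classify() applies to the first analyzer's shorter defaults by passing its lists explicitly; the duplicated 'MISCELLANEOUS_OR_UNKNOWN' in that default is harmless since the lists are reduced to sets.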

Template samples for TheHive#

No template samples to display.