# Zscaler ZIA Responders

Cortex responders to manage Zscaler Internet Access (ZIA) directly from TheHive observables. All responders run on `thehive:case_artifact` observables.

## Responders

### ATP Denylist (Policy > Security > Advanced Threat Protection > Blocked Malicious URLs)

| Responder | What it does |
|---|---|
| `ZscalerZIA_AddToATPDenylist` | Block a domain, FQDN, or URL |
| `ZscalerZIA_RemoveFromATPDenylist` | Unblock a domain, FQDN, or URL |
| `ZscalerZIA_AddToATPDenylistWildcard` | Block a domain and all its subdomains. When given a URL observable, the path is ignored and only the parent domain is blocked. |
| `ZscalerZIA_RemoveFromATPDenylistWildcard` | Unblock a domain and all its subdomains. When given a URL observable, the path is ignored and only the parent domain is removed. |

### ATP Security Exceptions (Policy > Security > Advanced Threat Protection > Security Exceptions)

| Responder | What it does |
|---|---|
| `ZscalerZIA_AddToATPSecurityExceptions` | Add a domain, FQDN, or URL to bypass ATP content scanning |
| `ZscalerZIA_RemoveFromATPSecurityExceptions` | Remove a domain, FQDN, or URL from ATP Security Exceptions |

### Custom URL Category (Policy > URL & Cloud App Control > Custom URL Categories)

| Responder | What it does |
|---|---|
| `ZscalerZIA_AddToURLCategory` | Add a domain, FQDN, URL, IP, or CIDR to a custom category |
| `ZscalerZIA_RemoveFromURLCategory` | Remove a domain, FQDN, URL, IP, or CIDR from a custom category |
| `ZscalerZIA_AddToURLCategoryWildcard` | Add a domain and all its subdomains to a custom category. When given a URL observable, the path is ignored and only the parent domain is added. |
| `ZscalerZIA_RemoveFromURLCategoryWildcard` | Remove a domain and all its subdomains from a custom category. When given a URL observable, the path is ignored and only the parent domain is removed. |

### Cloud Firewall (Policy > Cloud Firewall)

| Responder | What it does |
|---|---|
| `ZscalerZIA_AddToCloudFirewallRule` | Add an IP or CIDR to the destination address list of a pre-existing Cloud Firewall block rule (network-layer, all ports/protocols) |
| `ZscalerZIA_RemoveFromCloudFirewallRule` | Remove an IP or CIDR from the destination address list of a Cloud Firewall rule |
## Authentication

All responders support two authentication methods, selected via `auth_type`.

### OneAPI OAuth2 (default, `auth_type=oneapi`)

For tenants migrated to ZIdentity. Go to ZIdentity Admin UI > Integrations > API Clients and create an OAuth2 client with the appropriate ZIA scopes.

| Parameter | Description |
|---|---|
| `zia_vanity_domain` | Your org's vanity domain, i.e. the prefix before `.zslogin.net` (for `acme.zslogin.net` use `acme`) |
| `zia_client_id` | OAuth Client ID |
| `zia_client_secret` | OAuth Client Secret |

### Legacy API (`auth_type=legacy`)

For tenants not yet on ZIdentity.

| Parameter | Description |
|---|---|
| `zia_username` | Admin email address |
| `zia_password` | Admin password |
| `zia_api_key` | API key (obfuscated) |
| `zia_cloud` | Cloud name: `zscaler`, `zscalerone`, `zscalertwo` |
## Configuration

In Cortex, go to Organization > Responders, find the Zscaler responder you want to enable, and click Enable. All parameters below are set through the Cortex UI. Credentials are shared across responders using the `ZscalerZIA` base configuration.

### All responders

| Parameter | Default | Description |
|---|---|---|
| `dry_run` | `false` | Validate and read ZIA but make no changes |
| `activate_changes` | `true` | Push changes live immediately after modification |
| `allow_risky_iocs` | `false` | Allow bare TLDs (like `com`) and oversized CIDRs |
| `allow_wildcards` | `false` | Allow wildcard domains (like `*.example.com`); not applicable to the Wildcard responder variants |

Proxy settings are taken from the standard Cortex `proxy_http` / `proxy_https` configuration (set at the Cortex organization or instance level). `proxy_https` takes precedence, since all Zscaler API calls are HTTPS.
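The switches above decide whether an observable is accepted before anything is sent to ZIA. The following added example (not the responders' own code) reproduces those checks with the standard library: `check_observable`, the `Verdict` type and the single-label test for a bare TLD are assumptions, and the 256-address threshold is the one the Cloud Firewall responder documents.

```python
"""Pre-flight observable checks mirroring the allow_private_ips,
allow_risky_iocs and allow_wildcards switches (added example; the
function and type names are assumptions, not the responders' code)."""
import ipaddress
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Thresholds from the README: a CIDR broader than /24 (more than 256
# addresses) is "overly broad"; RFC1918 ranges count as private.
MAX_ADDRESSES = 256
RFC1918: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass
class Verdict:
    ok: bool
    reason: str


def _is_private(net) -> bool:
    """True when an IPv4 network sits entirely inside an RFC1918 range."""
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)


def check_observable(data_type: str, value: str, *,
                     allow_private_ips: bool = False,
                     allow_risky_iocs: bool = False,
                     allow_wildcards: bool = False) -> Verdict:
    """Accept or reject one TheHive observable before it reaches ZIA."""
    value = value.strip()

    if data_type in ("ip", "cidr"):
        try:
            # strict=False lets a host address such as 10.1.2.3 through as /32
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return Verdict(False, f"not a valid IP/CIDR: {value!r}")
        if _is_private(net) and not allow_private_ips:
            return Verdict(False, "RFC1918 private address; "
                                  "set allow_private_ips=true to override")
        if net.num_addresses > MAX_ADDRESSES and not allow_risky_iocs:
            return Verdict(False, f"CIDR covers {net.num_addresses} addresses "
                                  "(broader than /24); set allow_risky_iocs=true")
        return Verdict(True, "ok")

    if data_type in ("domain", "fqdn", "url"):
        host = value
        if data_type == "url":
            # Only the host part matters here; path/query are ignored.
            host = urlsplit(value if "://" in value else "//" + value).hostname or ""
        host = host.lower().rstrip(".")
        if not host:
            return Verdict(False, "empty hostname")
        if host.startswith("*."):
            if not allow_wildcards:
                return Verdict(False, "wildcard domain; set allow_wildcards=true")
            host = host[2:]
        # Simplified bare-TLD heuristic (assumption): a single label like "com".
        if "." not in host and not allow_risky_iocs:
            return Verdict(False, f"bare TLD {host!r}; set allow_risky_iocs=true")
        return Verdict(True, "ok")

    return Verdict(False, f"unsupported observable type {data_type!r}")
```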
## ZIA prerequisites

### URL Category responders

Create a custom URL category in ZIA (Policy > URL & Cloud App Control > Custom URL Categories) and make sure it is blocked in your URL Filtering policy. Note the category ID from the URL when editing it.

### Cloud Firewall responders

The responder expects an existing Cloud Firewall rule with a block action (`BLOCK_DROP`, `BLOCK_RESET`, or `BLOCK_ICMP`). It will not run against an `ALLOW` rule. Pre-create the rule in Policy > Cloud Firewall.
## Notes

- All operations are idempotent: adding something already present, or removing something not there, returns success with an already-present or not-found status rather than an error.
- Wildcard responders use the Mozilla Public Suffix List via `tldextract` to safely compute the registrable domain. For example, `api.app.evil.co.uk` becomes `.evil.co.uk`, not `.co.uk`.
- Changes are activated immediately by default (`activate_changes=true`). Set it to `false` to batch-activate manually from the ZIA portal.
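The two behaviours described in the notes, registrable-domain computation for the Wildcard responders and idempotent add/remove, as an added example that is not the project's code. The responders use `tldextract` with the live Mozilla Public Suffix List; here a small constructed subset of that list is embedded so the block runs offline, and `hostname_of`, `registrable_domain`, `wildcard_entry` and `apply_change` are assumed names.

```python
"""Wildcard normalisation and idempotent list edits (added example; not the
responders' code). A constructed PSL subset stands in for tldextract."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List; the real list has thousands
# of rules. As in the PSL algorithm, the longest matching suffix wins.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "uk", "co.uk", "org.uk", "jp", "co.jp", "github.io",
}


def hostname_of(observable: str) -> str:
    """Host part of a domain, FQDN or URL observable. Path, query and port
    are dropped, which is what the Wildcard responders do with URLs."""
    value = observable.strip()
    if "://" not in value:
        value = "//" + value          # lets urlsplit treat it as a netloc
    return (urlsplit(value).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> Optional[str]:
    """Public suffix plus one label, or None when the host is itself a
    public suffix (e.g. 'co.uk') and therefore must never be wildcarded."""
    labels = host.split(".")
    # Walk from the full host down to the last label, so the first hit is
    # the longest (most specific) matching suffix.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def wildcard_entry(observable: str) -> Optional[str]:
    """Leading-dot entry covering the domain and all its subdomains, e.g.
    'https://api.app.evil.co.uk/login' -> '.evil.co.uk'."""
    host = hostname_of(observable)
    if host.startswith("*."):
        host = host[2:]
    reg = registrable_domain(host)
    return None if reg is None else "." + reg


def apply_change(existing: List[str], entry: str,
                 action: str) -> Tuple[List[str], str]:
    """Idempotent add/remove against a ZIA list: repeating an operation
    yields an 'already-present' / 'not-found' status, never an error."""
    current = list(existing)
    if action == "add":
        if entry in current:
            return current, "already-present"
        current.append(entry)
        return current, "added"
    if action == "remove":
        if entry not in current:
            return current, "not-found"
        current.remove(entry)
        return current, "removed"
    raise ValueError(f"unknown action {action!r}")
```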
## ZscalerZIA_AddToURLCategoryWildcard

### Description

Add a domain and all its subdomains to a custom ZIA URL category

### Configuration

| Parameter | Description | Default | Type | Multiple values | Required |
|---|---|---|---|---|---|
| `auth_type` | Authentication type: 'oneapi' for ZIdentity OAuth2 (default) or 'legacy' for legacy API credentials | oneapi | string | False | False |
| `zia_vanity_domain` | [OneAPI only] Zscaler ZIdentity vanity domain for your organization (example: 'acme' from acme.zslogin.net) | N/A | string | False | False |
| `zia_client_id` | [OneAPI only] Zscaler OneAPI OAuth Client ID created in ZIdentity Admin Portal | N/A | string | False | False |
| `zia_client_secret` | [OneAPI only] Zscaler OneAPI OAuth Client Secret from ZIdentity Admin Portal | N/A | string | False | False |
| `zia_username` | [Legacy only] ZIA API admin email address | N/A | string | False | False |
| `zia_password` | [Legacy only] ZIA API admin password | N/A | string | False | False |
| `zia_api_key` | [Legacy only] ZIA API key (obfuscated API key) | N/A | string | False | False |
| `zia_cloud` | Cloud environment name. Required for legacy auth (zscaler, zscalerone, zscalertwo). Optional for OneAPI (use for beta/alpha environments). | N/A | string | False | False |
| `zia_url_category_id` | Custom URL Category ID in ZIA (like 'CUSTOM_02'). Either this OR zia_url_category_name must be provided. | N/A | string | False | False |
| `zia_url_category_name` | Custom URL Category Name in ZIA (like 'Malicious-Blocklist'). Either this OR zia_url_category_id must be provided. Name lookup is case-insensitive. | N/A | string | False | False |
| `dry_run` | Dry run mode: if true, validation runs but no changes are made to ZIA | False | boolean | False | False |
| `activate_changes` | Activate changes after modifying ZIA configuration (recommended). If false, changes remain pending until manual activation or logout. | True | boolean | False | False |
| `allow_private_ips` | Allow adding RFC1918 private IP addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | False | boolean | False | False |
| `allow_risky_iocs` | Allow adding risky IOCs like bare TLDs (like 'com') and overly broad CIDRs | False | boolean | False | False |
## ZscalerZIA_RemoveFromATPDenylist

### Description

Remove domains, FQDNs and URLs from the ZIA ATP Denylist (Policy > Security > Advanced Threat Protection > Blocked Malicious URLs)

### Configuration

| Parameter | Description | Default | Type | Multiple values | Required |
|---|---|---|---|---|---|
| `auth_type` | Authentication type: 'oneapi' for ZIdentity OAuth2 (default) or 'legacy' for legacy API credentials | oneapi | string | False | False |
| `zia_vanity_domain` | [OneAPI only] Zscaler ZIdentity vanity domain for your organization (example: 'acme' from acme.zslogin.net) | N/A | string | False | False |
| `zia_client_id` | [OneAPI only] Zscaler OneAPI OAuth Client ID created in ZIdentity Admin Portal | N/A | string | False | False |
| `zia_client_secret` | [OneAPI only] Zscaler OneAPI OAuth Client Secret from ZIdentity Admin Portal | N/A | string | False | False |
| `zia_username` | [Legacy only] ZIA API admin email address | N/A | string | False | False |
| `zia_password` | [Legacy only] ZIA API admin password | N/A | string | False | False |
| `zia_api_key` | [Legacy only] ZIA API key (obfuscated API key) | N/A | string | False | False |
| `zia_cloud` | Cloud environment name. Required for legacy auth (zscaler, zscalerone, zscalertwo). Optional for OneAPI (use for beta/alpha environments). | N/A | string | False | False |
| `dry_run` | Dry run mode: if true, validation runs but no changes are made to ZIA | False | boolean | False | False |
| `activate_changes` | Activate changes after modifying ZIA configuration (recommended). If false, changes remain pending until manual activation or logout. | True | boolean | False | False |
| `allow_risky_iocs` | Allow removing risky IOCs like bare TLDs (like 'com') from the ATP Denylist | False | boolean | False | False |
| `allow_wildcards` | Allow wildcard domains (like `*.example.com`) | False | boolean | False | False |
## ZscalerZIA_AddToATPDenylist

### Description

Block domains, FQDNs and URLs in the ZIA ATP Denylist (Policy > Security > Advanced Threat Protection > Blocked Malicious URLs)

### Configuration

| Parameter | Description | Default | Type | Multiple values | Required |
|---|---|---|---|---|---|
| `auth_type` | Authentication type: 'oneapi' for ZIdentity OAuth2 (default) or 'legacy' for legacy API credentials | oneapi | string | False | False |
| `zia_vanity_domain` | [OneAPI only] Zscaler ZIdentity vanity domain for your organization (example: 'acme' from acme.zslogin.net) | N/A | string | False | False |
| `zia_client_id` | [OneAPI only] Zscaler OneAPI OAuth Client ID created in ZIdentity Admin Portal | N/A | string | False | False |
| `zia_client_secret` | [OneAPI only] Zscaler OneAPI OAuth Client Secret from ZIdentity Admin Portal | N/A | string | False | False |
| `zia_username` | [Legacy only] ZIA API admin email address | N/A | string | False | False |
| `zia_password` | [Legacy only] ZIA API admin password | N/A | string | False | False |
| `zia_api_key` | [Legacy only] ZIA API key (obfuscated API key) | N/A | string | False | False |
| `zia_cloud` | Cloud environment name. Required for legacy auth (zscaler, zscalerone, zscalertwo). Optional for OneAPI (use for beta/alpha environments). | N/A | string | False | False |
| `dry_run` | Dry run mode: if true, validation runs but no changes are made to ZIA | False | boolean | False | False |
| `activate_changes` | Activate changes after modifying ZIA configuration (recommended). If false, changes remain pending until manual activation or logout. | True | boolean | False | False |
| `allow_risky_iocs` | Allow adding risky IOCs like bare TLDs (like 'com') to the ATP Denylist | False | boolean | False | False |
| `allow_wildcards` | Allow wildcard domains (like `*.example.com`) | False | boolean | False | False |
## ZscalerZIA_AddToURLCategory

### Description

Add observables (domain, fqdn, url, ip, cidr) to a custom ZIA URL category

### Configuration

| Parameter | Description | Default | Type | Multiple values | Required |
|---|---|---|---|---|---|
| `auth_type` | Authentication type: 'oneapi' for ZIdentity OAuth2 (default) or 'legacy' for legacy API credentials | oneapi | string | False | False |
| `zia_vanity_domain` | [OneAPI only] Zscaler ZIdentity vanity domain for your organization (example: 'acme' from acme.zslogin.net) | N/A | string | False | False |
| `zia_client_id` | [OneAPI only] Zscaler OneAPI OAuth Client ID created in ZIdentity Admin Portal | N/A | string | False | False |
| `zia_client_secret` | [OneAPI only] Zscaler OneAPI OAuth Client Secret from ZIdentity Admin Portal | N/A | string | False | False |
| `zia_username` | [Legacy only] ZIA API admin email address | N/A | string | False | False |
| `zia_password` | [Legacy only] ZIA API admin password | N/A | string | False | False |
| `zia_api_key` | [Legacy only] ZIA API key (obfuscated API key) | N/A | string | False | False |
| `zia_cloud` | Cloud environment name. Required for legacy auth (zscaler, zscalerone, zscalertwo). Optional for OneAPI (use for beta/alpha environments). | N/A | string | False | False |
| `zia_url_category_id` | Custom URL Category ID in ZIA (like 'CUSTOM_02'). Either this OR zia_url_category_name must be provided. | N/A | string | False | False |
| `zia_url_category_name` | Custom URL Category Name in ZIA (like 'Malicious-Blocklist'). Either this OR zia_url_category_id must be provided. Name lookup is case-insensitive. | N/A | string | False | False |
| `dry_run` | Dry run mode: if true, validation runs but no changes are made to ZIA | False | boolean | False | False |
| `activate_changes` | Activate changes after modifying ZIA configuration (recommended). If false, changes remain pending until manual activation or logout. | True | boolean | False | False |
| `allow_private_ips` | Allow adding RFC1918 private IP addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | False | boolean | False | False |
| `allow_risky_iocs` | Allow adding risky IOCs like bare TLDs (like 'com') and overly broad CIDRs | False | boolean | False | False |
| `allow_wildcards` | Allow wildcard domains (like `*.example.com`) | False | boolean | False | False |
## ZscalerZIA_RemoveFromURLCategory

### Description

Remove observables (domain, fqdn, url, ip, cidr) from a custom ZIA URL category

### Configuration

| Parameter | Description | Default | Type | Multiple values | Required |
|---|---|---|---|---|---|
| `auth_type` | Authentication type: 'oneapi' for ZIdentity OAuth2 (default) or 'legacy' for legacy API credentials | oneapi | string | False | False |
| `zia_vanity_domain` | [OneAPI only] Zscaler ZIdentity vanity domain for your organization (example: 'acme' from acme.zslogin.net) | N/A | string | False | False |
| `zia_client_id` | [OneAPI only] Zscaler OneAPI OAuth Client ID created in ZIdentity Admin Portal | N/A | string | False | False |
| `zia_client_secret` | [OneAPI only] Zscaler OneAPI OAuth Client Secret from ZIdentity Admin Portal | N/A | string | False | False |
| `zia_username` | [Legacy only] ZIA API admin email address | N/A | string | False | False |
| `zia_password` | [Legacy only] ZIA API admin password | N/A | string | False | False |
| `zia_api_key` | [Legacy only] ZIA API key (obfuscated API key) | N/A | string | False | False |
| `zia_cloud` | Cloud environment name. Required for legacy auth (zscaler, zscalerone, zscalertwo). Optional for OneAPI (use for beta/alpha environments). | N/A | string | False | False |
| `zia_url_category_id` | Custom URL Category ID in ZIA (like 'CUSTOM_02'). Either this OR zia_url_category_name must be provided. | N/A | string | False | False |
| `zia_url_category_name` | Custom URL Category Name in ZIA (like 'Malicious-Blocklist'). Either this OR zia_url_category_id must be provided. Name lookup is case-insensitive. | N/A | string | False | False |
| `dry_run` | Dry run mode: if true, validation runs but no changes are made to ZIA | False | boolean | False | False |
| `activate_changes` | Activate changes after modifying ZIA configuration (recommended). If false, changes remain pending until manual activation or logout. | True | boolean | False | False |
| `allow_private_ips` | Allow removing RFC1918 private IP addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | False | boolean | False | False |
| `allow_risky_iocs` | Allow removing risky IOCs like bare TLDs (like 'com') and overly broad CIDRs | False | boolean | False | False |
| `allow_wildcards` | Allow wildcard domains (like `*.example.com`) | False | boolean | False | False |
## ZscalerZIA_AddToCloudFirewallRule

### Description

Add an IP address or CIDR to the destination address list of a ZIA Cloud Firewall rule (network-layer block, all ports/protocols; Policy > Cloud Firewall)

### Configuration

| Parameter | Description | Default | Type | Multiple values | Required |
|---|---|---|---|---|---|
| `auth_type` | Authentication type: 'oneapi' for ZIdentity OAuth2 (default) or 'legacy' for legacy API credentials | oneapi | string | False | False |
| `zia_vanity_domain` | [OneAPI only] Zscaler ZIdentity vanity domain for your organization (example: 'acme' from acme.zslogin.net) | N/A | string | False | False |
| `zia_client_id` | [OneAPI only] Zscaler OneAPI OAuth Client ID created in ZIdentity Admin Portal | N/A | string | False | False |
| `zia_client_secret` | [OneAPI only] Zscaler OneAPI OAuth Client Secret from ZIdentity Admin Portal | N/A | string | False | False |
| `zia_username` | [Legacy only] ZIA API admin email address | N/A | string | False | False |
| `zia_password` | [Legacy only] ZIA API admin password | N/A | string | False | False |
| `zia_api_key` | [Legacy only] ZIA API key (obfuscated API key) | N/A | string | False | False |
| `zia_cloud` | Cloud environment name. Required for legacy auth (zscaler, zscalerone, zscalertwo). Optional for OneAPI. | N/A | string | False | False |
| `firewall_rule_id` | ZIA Cloud Firewall Rule ID (integer). Either this OR firewall_rule_name must be provided. The rule must already exist in ZIA with action DENY. | N/A | number | False | False |
| `firewall_rule_name` | ZIA Cloud Firewall Rule name (like 'TheHive-BlockedIPs'). Either this OR firewall_rule_id must be provided. Name lookup is case-insensitive. | N/A | string | False | False |
| `dry_run` | Dry run mode: if true, validation runs but no changes are made to ZIA | False | boolean | False | False |
| `activate_changes` | Activate changes after modifying ZIA configuration (recommended). If false, changes remain pending until manual activation or logout. | True | boolean | False | False |
| `allow_private_ips` | Allow adding RFC1918 private IP addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | False | boolean | False | False |
| `allow_risky_iocs` | Allow adding overly broad CIDR ranges (broader than /24, i.e. more than 256 addresses) | False | boolean | False | False |
## ZscalerZIA_AddToATPSecurityExceptions

### Description

Add domains, FQDNs and URLs to ZIA Security Exceptions, which bypasses ATP content scanning (Policy > Security > Advanced Threat Protection > Security Exceptions)

### Configuration

| Parameter | Description | Default | Type | Multiple values | Required |
|---|---|---|---|---|---|
| `auth_type` | Authentication type: 'oneapi' for ZIdentity OAuth2 (default) or 'legacy' for legacy API credentials | oneapi | string | False | False |
| `zia_vanity_domain` | [OneAPI only] Zscaler ZIdentity vanity domain for your organization (example: 'acme' from acme.zslogin.net) | N/A | string | False | False |
| `zia_client_id` | [OneAPI only] Zscaler OneAPI OAuth Client ID created in ZIdentity Admin Portal | N/A | string | False | False |
| `zia_client_secret` | [OneAPI only] Zscaler OneAPI OAuth Client Secret from ZIdentity Admin Portal | N/A | string | False | False |
| `zia_username` | [Legacy only] ZIA API admin email address | N/A | string | False | False |
| `zia_password` | [Legacy only] ZIA API admin password | N/A | string | False | False |
| `zia_api_key` | [Legacy only] ZIA API key (obfuscated API key) | N/A | string | False | False |
| `zia_cloud` | Cloud environment name. Required for legacy auth (zscaler, zscalerone, zscalertwo). Optional for OneAPI (use for beta/alpha environments). | N/A | string | False | False |
| `dry_run` | Dry run mode: if true, validation runs but no changes are made to ZIA | False | boolean | False | False |
| `activate_changes` | Activate changes after modifying ZIA configuration (recommended). If false, changes remain pending until manual activation or logout. | True | boolean | False | False |
| `allow_risky_iocs` | Allow adding risky IOCs like bare TLDs (like 'com') to ATP Security Exceptions | False | boolean | False | False |
| `allow_wildcards` | Allow wildcard domains (like `*.example.com`) | False | boolean | False | False |
ZscalerZIA_AddToATPDenylistWildcard
Description
Block a domain and all its subdomains in the ZIA ATP Denylist (Policy > Security > Advanced Threat Protection > Blocked Malicious URLs)
Configuration

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| auth_type | Authentication type: 'oneapi' for ZIdentity OAuth2 (default) or 'legacy' for legacy API credentials | oneapi | string | False | False |
| zia_vanity_domain | [OneAPI only] Zscaler ZIdentity vanity domain for your organization (example: 'acme' from acme.zslogin.net) | N/A | string | False | False |
| zia_client_id | [OneAPI only] Zscaler OneAPI OAuth Client ID created in ZIdentity Admin Portal | N/A | string | False | False |
| zia_client_secret | [OneAPI only] Zscaler OneAPI OAuth Client Secret from ZIdentity Admin Portal | N/A | string | False | False |
| zia_username | [Legacy only] ZIA API admin email address | N/A | string | False | False |
| zia_password | [Legacy only] ZIA API admin password | N/A | string | False | False |
| zia_api_key | [Legacy only] ZIA API key (obfuscated API key) | N/A | string | False | False |
| zia_cloud | Cloud environment name. Required for legacy auth (zscaler, zscalerone, zscalertwo). Optional for OneAPI (use for beta/alpha environments). | N/A | string | False | False |
| dry_run | Dry run mode: if true, validation runs but no changes are made to ZIA | False | boolean | False | False |
| activate_changes | Activate changes after modifying ZIA configuration (recommended). If false, changes remain pending until manual activation or logout. | True | boolean | False | False |
| allow_risky_iocs | Allow adding risky IOCs like bare TLDs (like 'com') to the ATP Denylist | False | boolean | False | False |

ZscalerZIA_RemoveFromATPSecurityExceptions
Description
Remove domains, FQDNs and URLs from ZIA Security Exceptions (Policy > Security > Advanced Threat Protection > Security Exceptions)
Configuration

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| auth_type | Authentication type: 'oneapi' for ZIdentity OAuth2 (default) or 'legacy' for legacy API credentials | oneapi | string | False | False |
| zia_vanity_domain | [OneAPI only] Zscaler ZIdentity vanity domain for your organization (example: 'acme' from acme.zslogin.net) | N/A | string | False | False |
| zia_client_id | [OneAPI only] Zscaler OneAPI OAuth Client ID created in ZIdentity Admin Portal | N/A | string | False | False |
| zia_client_secret | [OneAPI only] Zscaler OneAPI OAuth Client Secret from ZIdentity Admin Portal | N/A | string | False | False |
| zia_username | [Legacy only] ZIA API admin email address | N/A | string | False | False |
| zia_password | [Legacy only] ZIA API admin password | N/A | string | False | False |
| zia_api_key | [Legacy only] ZIA API key (obfuscated API key) | N/A | string | False | False |
| zia_cloud | Cloud environment name. Required for legacy auth (zscaler, zscalerone, zscalertwo). Optional for OneAPI (use for beta/alpha environments). | N/A | string | False | False |
| dry_run | Dry run mode: if true, validation runs but no changes are made to ZIA | False | boolean | False | False |
| activate_changes | Activate changes after modifying ZIA configuration (recommended). If false, changes remain pending until manual activation or logout. | True | boolean | False | False |
| allow_risky_iocs | Allow removing risky IOCs like bare TLDs (like 'com') from ATP Security Exceptions | False | boolean | False | False |
| allow_wildcards | Allow wildcard domains (like `*.example.com`) | False | boolean | False | False |

ZscalerZIA_RemoveFromURLCategoryWildcard
Description
Remove a domain and all its subdomains from a custom ZIA URL category
Configuration

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| auth_type | Authentication type: 'oneapi' for ZIdentity OAuth2 (default) or 'legacy' for legacy API credentials | oneapi | string | False | False |
| zia_vanity_domain | [OneAPI only] Zscaler ZIdentity vanity domain for your organization (example: 'acme' from acme.zslogin.net) | N/A | string | False | False |
| zia_client_id | [OneAPI only] Zscaler OneAPI OAuth Client ID created in ZIdentity Admin Portal | N/A | string | False | False |
| zia_client_secret | [OneAPI only] Zscaler OneAPI OAuth Client Secret from ZIdentity Admin Portal | N/A | string | False | False |
| zia_username | [Legacy only] ZIA API admin email address | N/A | string | False | False |
| zia_password | [Legacy only] ZIA API admin password | N/A | string | False | False |
| zia_api_key | [Legacy only] ZIA API key (obfuscated API key) | N/A | string | False | False |
| zia_cloud | Cloud environment name. Required for legacy auth (zscaler, zscalerone, zscalertwo). Optional for OneAPI (use for beta/alpha environments). | N/A | string | False | False |
| zia_url_category_id | Custom URL Category ID in ZIA (like 'CUSTOM_02'). Either this OR zia_url_category_name must be provided. | N/A | string | False | False |
| zia_url_category_name | Custom URL Category Name in ZIA (like 'Malicious-Blocklist'). Either this OR zia_url_category_id must be provided. Name lookup is case-insensitive. | N/A | string | False | False |
| dry_run | Dry run mode: if true, validation runs but no changes are made to ZIA | False | boolean | False | False |
| activate_changes | Activate changes after modifying ZIA configuration (recommended). If false, changes remain pending until manual activation or logout. | True | boolean | False | False |
| allow_private_ips | Allow removing RFC1918 private IP addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | False | boolean | False | False |
| allow_risky_iocs | Allow removing risky IOCs like bare TLDs (like 'com') and overly broad CIDRs | False | boolean | False | False |

ZscalerZIA_RemoveFromCloudFirewallRule
Description
Remove an IP address or CIDR from the destination address list of a ZIA Cloud Firewall rule - network-layer block, all ports/protocols (Policy > Cloud Firewall)
Configuration

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| auth_type | Authentication type: 'oneapi' for ZIdentity OAuth2 (default) or 'legacy' for legacy API credentials | oneapi | string | False | False |
| zia_vanity_domain | [OneAPI only] Zscaler ZIdentity vanity domain for your organization (example: 'acme' from acme.zslogin.net) | N/A | string | False | False |
| zia_client_id | [OneAPI only] Zscaler OneAPI OAuth Client ID created in ZIdentity Admin Portal | N/A | string | False | False |
| zia_client_secret | [OneAPI only] Zscaler OneAPI OAuth Client Secret from ZIdentity Admin Portal | N/A | string | False | False |
| zia_username | [Legacy only] ZIA API admin email address | N/A | string | False | False |
| zia_password | [Legacy only] ZIA API admin password | N/A | string | False | False |
| zia_api_key | [Legacy only] ZIA API key (obfuscated API key) | N/A | string | False | False |
| zia_cloud | Cloud environment name. Required for legacy auth (zscaler, zscalerone, zscalertwo). Optional for OneAPI. | N/A | string | False | False |
| firewall_rule_id | ZIA Cloud Firewall Rule ID (integer). Either this OR firewall_rule_name must be provided. | N/A | number | False | False |
| firewall_rule_name | ZIA Cloud Firewall Rule name (like 'TheHive-BlockedIPs'). Either this OR firewall_rule_id must be provided. Name lookup is case-insensitive. | N/A | string | False | False |
| dry_run | Dry run mode: if true, validation runs but no changes are made to ZIA | False | boolean | False | False |
| activate_changes | Activate changes after modifying ZIA configuration (recommended). If false, changes remain pending until manual activation or logout. | True | boolean | False | False |
| allow_private_ips | Allow removing RFC1918 private IP addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) | False | boolean | False | False |
| allow_risky_iocs | Allow removing overly broad CIDR ranges (broader than /24, i.e. more than 256 addresses) | False | boolean | False | False |

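
The safety gates behind `allow_private_ips`, `allow_risky_iocs`, `allow_wildcards` and `dry_run` are easiest to understand as a pre-flight check that runs before any ZIA call. The validator below is an added example, not the responders' own code: it applies the rules exactly as the option descriptions state them (RFC1918 ranges, CIDRs of more than 256 addresses, bare TLDs, `*.` wildcards), but the small TLD set, the hostname regex and the `Config` class are constructed for this illustration; URL path handling is out of scope here.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample TLD set for the bare-TLD check; the responders' real list is not shown on the page.
KNOWN_TLDS = {"com", "net", "org", "io", "ru", "info"}

# The RFC1918 ranges named in the allow_private_ips description.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hostname / wildcard syntax accepted by this example (URLs and paths are out of scope here).
DOMAIN_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)*[a-z0-9-]+$", re.IGNORECASE)


@dataclass
class Config:
    """Mirrors the boolean options from the configuration tables, with their documented defaults."""
    allow_private_ips: bool = False
    allow_risky_iocs: bool = False
    allow_wildcards: bool = False
    dry_run: bool = False


def classify(value: str):
    """Return (kind, normalised value); kind is 'ip', 'cidr', 'wildcard', 'tld' or 'domain'."""
    v = value.strip().lower()
    try:
        if "/" in v:
            return "cidr", str(ipaddress.ip_network(v, strict=False))
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass  # not an address, fall through to the hostname checks
    if not DOMAIN_RE.match(v):
        raise ValueError(f"unsupported observable: {value!r}")
    if v.startswith("*."):
        return "wildcard", v
    if "." not in v and v in KNOWN_TLDS:
        return "tld", v
    return "domain", v


def validate(value: str, cfg: Config):
    """Apply the safety gates before any ZIA change. Returns (ok, reason)."""
    kind, v = classify(value)
    if kind in ("ip", "cidr"):
        net = ipaddress.ip_network(v, strict=False)
        private = any(p.version == net.version and net.subnet_of(p) for p in RFC1918)
        if private and not cfg.allow_private_ips:
            return False, f"{net} is RFC1918 private space; set allow_private_ips to override"
        # "Overly broad" per the page: broader than /24, i.e. more than 256 addresses.
        if kind == "cidr" and net.num_addresses > 256 and not cfg.allow_risky_iocs:
            return False, f"{net} covers {net.num_addresses} addresses; set allow_risky_iocs to override"
    elif kind == "tld" and not cfg.allow_risky_iocs:
        return False, f"'{v}' is a bare TLD; set allow_risky_iocs to override"
    elif kind == "wildcard" and not cfg.allow_wildcards:
        return False, f"{v} is a wildcard domain; set allow_wildcards to override"
    # dry_run: validation passed, but the caller must not modify ZIA.
    return True, "dry run: would apply, no change made" if cfg.dry_run else "ok"
```
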
ZscalerZIA_RemoveFromATPDenylistWildcard
Description
Remove a domain and all its subdomains from the ZIA ATP Denylist (Policy > Security > Advanced Threat Protection > Blocked Malicious URLs)
Configuration

| Name | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| auth_type | Authentication type: 'oneapi' for ZIdentity OAuth2 (default) or 'legacy' for legacy API credentials | oneapi | string | False | False |
| zia_vanity_domain | [OneAPI only] Zscaler ZIdentity vanity domain for your organization (example: 'acme' from acme.zslogin.net) | N/A | string | False | False |
| zia_client_id | [OneAPI only] Zscaler OneAPI OAuth Client ID created in ZIdentity Admin Portal | N/A | string | False | False |
| zia_client_secret | [OneAPI only] Zscaler OneAPI OAuth Client Secret from ZIdentity Admin Portal | N/A | string | False | False |
| zia_username | [Legacy only] ZIA API admin email address | N/A | string | False | False |
| zia_password | [Legacy only] ZIA API admin password | N/A | string | False | False |
| zia_api_key | [Legacy only] ZIA API key (obfuscated API key) | N/A | string | False | False |
| zia_cloud | Cloud environment name. Required for legacy auth (zscaler, zscalerone, zscalertwo). Optional for OneAPI (use for beta/alpha environments). | N/A | string | False | False |
| dry_run | Dry run mode: if true, validation runs but no changes are made to ZIA | False | boolean | False | False |
| activate_changes | Activate changes after modifying ZIA configuration (recommended). If false, changes remain pending until manual activation or logout. | True | boolean | False | False |
| allow_risky_iocs | Allow removing risky IOCs like bare TLDs (like 'com') from the ATP Denylist | False | boolean | False | False |
