Zscaler
LAST UPDATED: 05/30/2024
Overview
Zscaler is a cloud-based security service platform that enables users to establish fast and secure connections to their devices, regardless of their network, device or location. D3 SOAR's integration with Zscaler includes functions such as adding URLs to the blacklist or whitelist, removing URLs from the blacklist or whitelist and retrieving the blacklist or whitelist. Security teams can leverage D3 SOAR's integration with Zscaler for threat hunting, automating incident reponse, and orchestrating changes to black/white list.
D3 SOAR is providing REST operations to function with Zscaler.
Zscaler is available for use in:
D3 SOAR | V12.7.83.0+ |
Category | Network Security |
Deployment Options |
Known Limitations
D3 Command | Required Source API | Rate Limit |
Add URL To Blacklist | POST /security/advanced/blacklistUrls | 1/sec and 400/hr |
DELETE /authenticatedSession | 2/sec and 1000/hr | |
Add URL To Category | PUT /urlCategories/{categoryId} | 1/sec and 400/hr |
DELETE /authenticatedSession | 2/sec and 1000/hr | |
Add URL To Whitelist | PUT /security | 1/sec and 400/hr |
DELETE /authenticatedSession | 2/sec and 1000/hr | |
Get Blacklist | GET /security/advanced | 1/sec and 400/hr |
DELETE /authenticatedSession | 2/sec and 1000/hr | |
Get Sandbox Report | GET /sandbox/report/{md5Hash} | 2/sec, 1000/hr, 1000/day |
Get URL Category | POST /urlLookup | 1/sec and 400/hr (100 URLs per call) |
DELETE /authenticatedSession | 2/sec and 1000/hr | |
Get Whitelist | GET /security | 2/sec and 1000/hr |
DELETE /authenticatedSession | 2/sec and 1000/hr | |
List All Categories | GET /urlCategories | 2/sec and 1000/hr |
DELETE /authenticatedSession | 2/sec and 1000/hr | |
Remove URL From Blacklist | POST /security/advanced/blacklistUrls | 1/sec and 400/hr |
DELETE /authenticatedSession | 2/sec and 1000/hr | |
Remove URL From Whitelist | GET /security | 2/sec and 1000/hr |
PUT /security | 1/sec and 400/hr | |
DELETE /authenticatedSession | 2/sec and 1000/hr | |
Upload File to Sandbox | POST /zscsb/submit | 1/sec and 400/hr |
Test Connection | POST /authenticatedSession | 2/sec and 1000/hr |
Please refer to the API Rate Limit Summary to check your rate limits.
Connection
To connect to Zscaler from D3 SOAR, please follow this part to collect the required information below:
Parameter | Description | Example |
Server URL | The URL of the Zscaler server. | https://admin.*************.net/ |
Username | The username to authenticate the connection. | test@example.net |
Password | The password to authenticate the connection. | P@$$w0rd |
API Key | The API key to authenticate the connection. | api*********************H2g |
Sandbox Submission API Token | The Sandbox Submission API token to authenticate the connection. | AQ*********************1wY |
API Version | The version of the API to use for the connection. | v1.0 |
Permission Requirements
Each endpoint in the Zscaler API requires a certain permission scope. The following are required scopes for the commands in this integration:
Command | Required Permission (Policy and Administrators Access) | Required Permission (Functional Scope) |
Add URL To Blacklist | Policy Access: Full Administrators Access: N/A | Security |
Add URL To Category | Policy Access: Full Administrators Access: N/A | Access Control (Web and Mobile) ->Custom URL Category Management, Override Existing Categories |
Add URL To Whitelist | Policy Access: Full Administrators Access: N/A | Security |
Get Blacklist | Policy Access: View Only Administrators Access: N/A | Security |
Get Sandbox Report | Policy Access:N/A Administrators Access: N/A | N/A |
Get URL Category | Policy Access: View Only Administrators Access: N/A | Access Control (Web and Mobile) ->Custom URL Category Management |
Get Whitelist | Policy Access: View Only Administrators Access: N/A | Security |
List All Categories | Policy Access: View Only Administrators Access: N/A | Access Control (Web and Mobile) ->Custom URL Category Management |
Remove URL From Blacklist | Policy Access: Full Administrators Access: N/A | Security |
Remove URL From Whitelist | Policy Access: Full Administrators Access: N/A | Security |
Upload File to sandbox | Policy Access: N/A Administrators Access: N/A | N/A |
Test Connection | Policy Access: N/A Administrators Access: N/A | N/A |
Configuring Zscaler to Work with D3 SOAR
Adding a User
To add users in Zscaler, see Adding Users from Zscaler's documentation for instructions. You may use your created user or system default user for configuration.
Obtaining API key and Sandbox Submission API Token
To obtain your API key and Sanbox Submission API token, see Cloud Service API Key Management from Zscaler's documentation for instructions.
Creating an API Role
To create an API role, navigate to Administration > Role Management > Add API Role. Refer to Permission Requirements for the respective permissions to enable for each command.
Configuring D3 SOAR to Work with Zscaler
Log in to D3 SOAR.
Find the Zscaler integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type Zscaler in the search box to find the integration, then click it to select it.
Click + New Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Zscaler.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the tick box to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input your domain level Server URL. The default value is https://admin.zscalerthree.net.
2. Input your Username.
3. Input your Password.
4. Input your saved API Key.
5. Input the Sandbox Submission API Token if you need to use the Upload File to Sandbox command, it is optional for all other commands.
6. Input your API Version. The default value is v1.Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green check mark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
Click OK to close the alert window.
Click Add to create and add the configured connection.
Commands
Zscaler includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the Zscaler API, please refer to the Zscaler API reference.
READER NOTE
Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring Zscaler to Work with D3 SOAR for details.
Add URL To Blacklist
Adds URLs to the blacklist.
Input
Input Parameter | Required/Optional | Description | Example |
URLs | Optional | The list of URLs to add to the blacklist. | ["Hello.com"] |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Add URL To Blacklist failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Zscaler portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: AUTHENTICATION_FAILED. |
Error Sample Data Add URL To Blacklist failed. Status Code: 403. Message: AUTHENTICATION_FAILED. |
Add URL To Category
Adds URLs to a category.
READER NOTE
Category is a required parameter to run this command.
Run the List All Categories command to obtain Category. Category is referring to the Category ID, which can be found from the returned raw data at the path $[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
URLs | Optional | The list of URLs to add to the specified category. | ["hello.com"] |
Category | Required | The ID of the category to add URLs. Category IDs can be obtained using the List All Categories command. | MUSIC |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Add URL To Category failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Zscaler portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Category Not Found. |
Error Sample Data Add URL To Category failed. Status Code: 404. Message: Category Not Found. |
Add URL To Whitelist
Adds URLs to the whitelist.
Input
Input Parameter | Required/Optional | Description | Example |
URLs | Optional | The list of URLs to add to the whitelist. | ["world.com"] |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Add URL To Whitelist failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Zscaler portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: AUTHENTICATION_FAILED. |
Error Sample Data Add URL To Whitelist failed. Status Code: 403. Message: AUTHENTICATION_FAILED. |
Get Blacklist
Retrieves blacklisted URLs.
Input
N/A
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Blacklist failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Zscaler portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: AUTHENTICATION_FAILED. |
Error Sample Data Get Blacklist failed. Status Code: 400. Message: AUTHENTICATION_FAILED. |
Get Sandbox Report
Retrieves a full or summarized report containing details about the MD5 hash of a file analyzed in the sandbox.
READER NOTE
If the selected report type is "Summary", the "Summary" path will provide data on "Summary", "Classification", and "FileProperties". On the other hand, if the selected report type is "Full", the "Full Details" path will include information on "System Summary", "Networking", "Security Bypass", "Stealth", as well as "Summary", "Classification", and "FileProperties". Refer to the sample data for more information.
To use this command, a subscription to the cloud sandbox is required. Without it, the command cannot be executed.
Input
Input Parameter | Required/Optional | Description | Example |
MD5 Hash | Required | The MD5 hash of the file analyzed in the sandbox. | b3b13c2fe5710507612106cb11ceced3 |
Report Type | Optional | The report type (i.e., full or summary) to return. The default setting is Summary. | Full |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Sandbox Report failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Zscaler portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Cloud Sandbox subscription is required, but it is currently expired. |
Error Sample Data Get Sandbox Report failed. Status Code: 403. Message: Cloud Sandbox subscription is required, but it is currently expired. |
Get URL Category
Retrieves the categories of the given URLs. If the total number of URLs exceeds 100, only the first 100 functional URLs will be processed.
Input
Input Parameter | Required/Optional | Description | Example |
URLs | Required | The list of URLs to retrieve their respective categories. | ["google.com","youtube.com","facebook.com"] |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get URL Category failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Zscaler portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid URL. |
Error Sample Data Get URL Category failed. Status Code: 400. Message: Invalid URL. |
Get Whitelist
Retrieves whitelisted URLs.
Input
N/A
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Whitelist failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Zscaler portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: AUTHENTICATION_FAILED. |
Error Sample Data Get Whitelist failed. Status Code: 400. Message: AUTHENTICATION_FAILED. |
List All Categories
Retrieves a list of all categories.
Input
N/A
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List All Categories failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Zscaler portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: AUTHENTICATION_FAILED. |
Error Sample Data List All Categories failed. Status Code: 400. Message: AUTHENTICATION_FAILED. |
Remove URL From Blacklist
Removes URLs from the blacklist. Note: After running the command, it will indicate that all URLs are removed successfully without errors; however, only the specified URLs will be removed.
Input
Input Parameter | Required/Optional | Description | Example |
URLs | Optional | The list of URLs to remove from the blacklist. | ["Hello.com"] |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Remove URL From Blacklist failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Zscaler portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: AUTHENTICATION_FAILED. |
Error Sample Data Remove URL From Blacklist failed. Status Code: 403. Message: AUTHENTICATION_FAILED. |
Remove URL From Whitelist
Removes URLs from the whitelist.
Input
Input Parameter | Required/Optional | Description | Example |
URLs | Optional | The list of URLs to remove from the whitelist. | ["remove.com"] |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Remove URL From Whitelist failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Zscaler portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: AUTHENTICATION_FAILED. |
Error Sample Data Remove URL From Whitelist failed. Status Code: 403. Message: AUTHENTICATION_FAILED. |
Upload File to Sandbox
Uploads files to the Zscaler Sandbox.
File ID and File Source
It is not recommended to use the Test Command feature with the Submit Sample Files command as it is designed for dynamic input files in Playbooks, Incident Attachments, and Artifact Attachments. There is a simple workaround to test the command:
In D3 SOAR, navigate to Configuration on the top bar menu.
Click Utility Commands on the left sidebar menu.
Use the search box to find and select the Create a File from input Text Array command.
Select the Test tab, then input the required information for the parameters. Click Test Command.
A D3 File ID will appear in the output data after the file has been successfully created.
(Note: The D3 File Source of the created file will be Playbook File)
Input
Input Parameter | Required/Optional | Description | Example |
File IDs | Required | The file path of the file source. The options for file paths are: Incident Attachment: Incident.file.file ID Playbook File: Task output Artifact File: Incident.Events.file.file ID | [ "473" ] |
File Source | Required | The file source of the file to send. The options for file sources are: Incident Attachment File: Manually uploaded file from Incident Playbook File: Output from another Task Artifact File: Ingested Artifact in an Event | Playbook File |
Force Submit | Required | Enabling this will submit the file(s) to Zscaler sandbox even if found malicious during AV scan and a verdict already exists. | True |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Upload File to sandbox failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Zscaler portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: File Not Found. |
Error Sample Data Upload File to sandbox failed. Status Code: 404. Message: File Not Found. |
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Zscaler portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: AUTHENTICATION_FAILED. |
Error Sample Data Test Connection failed. Failed to check the connector. Status Code: 400. Message: AUTHENTICATION_FAILED. |