Zscaler - Playbooks
Overview
General info about this product and the core values of this integration.
Zscaler Playbooks
| Action | Description |
|---|---|
| Add IP to category | Add an IP address to a Zscaler block category |
| Add Url to category | Add a URL to a Zscaler block category |
| Get sandbox report for hash | Get a Zscaler sandbox report for a file hash |
| Url category lookup | Look up the Zscaler blocking categories for a given URL |
| Authentication | Playbook to support the Zscaler authentication process |
Prerequisites for using and deploying the playbooks
All playbook templates leverage the Zscaler API. To use the Zscaler capabilities, you need a Zscaler API key. To obtain a key, please refer to this link: API Developers Guide: Getting Started
Authentication
The playbooks use the Zscaler authentication process. The output of that process is a JSessionID, which is then used to perform the other API actions. Refer to this link for the authentication process: Authenticate and create an API session. To support the authentication process, an authentication playbook is added. The authentication playbook can be used as a linked ARM template or, if deployed, as an embedded playbook in other playbooks.
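The session flow described above, as an added example that is not part of this package: an API key is turned into a per-request key, a login call returns the JSessionID cookie, and every later call carries that cookie. The endpoint paths (`/api/v1/authenticatedSession`, `/api/v1/urlLookup`), the login body and the key-obfuscation scheme are my assumptions based on Zscaler's public API guide linked above; the `fake_zscaler_transport` is a constructed stand-in for the service so the flow runs offline.

```python
"""Zscaler API session flow: API key -> JSESSIONID cookie -> reuse on later calls.

Added example; not code from the playbook package. Endpoint paths and the
key-obfuscation scheme are assumptions taken from Zscaler's public ZIA API
guide; verify them against the "Getting Started" guide before use.
"""
import json
from typing import Callable, Dict, List, Optional, Tuple

# The HTTP transport the session uses: (method, path, headers, body)
# -> (status, response headers, body). Injected so the flow runs offline.
Transport = Callable[
    [str, str, Dict[str, str], Optional[str]], Tuple[int, Dict[str, str], str]
]


def obfuscate_api_key(api_key: str, now_ms: int) -> str:
    """Derive the per-request key from the 12-character API key and a
    millisecond timestamp (assumed to match Zscaler's documented scheme)."""
    n = str(now_ms)[-6:]                   # last six digits of the timestamp
    r = str(int(n) >> 1).zfill(6)          # halved, zero-padded to six digits
    key = "".join(api_key[int(d)] for d in n)
    key += "".join(api_key[int(d) + 2] for d in r)
    return key


class ZscalerSession:
    """Holds the JSESSIONID cookie returned by the login call and attaches it
    to every later call, as the authentication playbook does for the others."""

    def __init__(self, transport: Transport, base: str = "/api/v1") -> None:
        self._send = transport
        self._base = base
        self.cookie: Optional[str] = None

    def login(self, username: str, password: str, api_key: str, now_ms: int) -> str:
        body = json.dumps({
            "apiKey": obfuscate_api_key(api_key, now_ms),
            "username": username,
            "password": password,
            "timestamp": now_ms,
        })
        status, headers, _ = self._send(
            "POST", f"{self._base}/authenticatedSession",
            {"Content-Type": "application/json"}, body)
        if status != 200:
            raise RuntimeError(f"authentication failed with HTTP {status}")
        # Keep only the name=value pair, not the cookie attributes (Path, HttpOnly).
        set_cookie = headers.get("Set-Cookie", "")
        if not set_cookie.startswith("JSESSIONID="):
            raise RuntimeError("no JSESSIONID cookie in login response")
        self.cookie = set_cookie.split(";", 1)[0]
        return self.cookie

    def call(self, method: str, path: str, payload=None) -> Tuple[int, str]:
        """Send an authenticated request; refuses to run without a session."""
        if self.cookie is None:
            raise RuntimeError("call login() before other API actions")
        headers = {"Content-Type": "application/json", "Cookie": self.cookie}
        body = json.dumps(payload) if payload is not None else None
        status, _, resp = self._send(method, f"{self._base}{path}", headers, body)
        return status, resp

    def url_lookup(self, urls: List[str]) -> list:
        """Category lookup for a list of URLs (assumed POST /urlLookup)."""
        status, resp = self.call("POST", "/urlLookup", urls)
        if status != 200:
            raise RuntimeError(f"urlLookup failed with HTTP {status}")
        return json.loads(resp)


def fake_zscaler_transport(method: str, path: str, headers: Dict[str, str],
                           body: Optional[str]) -> Tuple[int, Dict[str, str], str]:
    """Constructed stand-in for the Zscaler API so the example runs offline.
    A login must carry an apiKey; any other call must carry the session cookie."""
    if method == "POST" and path.endswith("/authenticatedSession"):
        if not json.loads(body or "{}").get("apiKey"):
            return 401, {}, ""
        return 200, {"Set-Cookie": "JSESSIONID=deadbeef1234; Path=/; HttpOnly"}, ""
    if headers.get("Cookie") != "JSESSIONID=deadbeef1234":
        return 401, {}, ""                  # no valid session: rejected
    if method == "POST" and path.endswith("/urlLookup"):
        # Constructed response shape: one object per queried URL.
        result = [{"url": u, "urlClassifications": ["OTHER_MISCELLANEOUS"]}
                  for u in json.loads(body or "[]")]
        return 200, {}, json.dumps(result)
    return 404, {}, ""


if __name__ == "__main__":
    session = ZscalerSession(fake_zscaler_transport)
    print(session.login("admin@example.com", "password", "abcdefghijkl", 1600000123456))
    print(session.url_lookup(["example.com"]))
```

The point to carry into the Logic App design is the split in `ZscalerSession`: authentication happens once and yields a cookie, and every other action fails fast unless that cookie is present, which is why the other playbooks depend on the authentication playbook rather than logging in themselves.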
Deployment
This package includes:
- Four functional playbooks
- One playbook to support the Zscaler authentication process
You can choose to deploy all the playbooks at once using the buttons below. You can also choose to deploy a single playbook with or without the authentication playbook; in that case, please refer to the readme in the playbook's folder.
Post-Deployment instructions
a. Authorize connections
Once the deployment is completed, you will need to authorize each connection. There are connections for Azure Key Vault and Azure Sentinel. For each connection, complete the following steps:
- Click edit API connection
- Fill in the necessary information
- Click Authorize
- Sign in
- Click Save
b. Configurations in Azure Sentinel
For Azure Sentinel some additional configuration is needed:
- Enable Azure Sentinel Analytics rules that create alerts and incidents that include the relevant entities.
- Configure automation rule(s) to trigger the playbooks.
c. Optional: Change Zscaler Block Category
Both the "Add IP to category" and the "Add Url to category" playbooks add IP addresses or URLs to a Zscaler block category. The default Zscaler block category is set during deployment. It can be changed in the playbook using the following steps:
- Edit the playbook
- Edit the 'Set Zscaler Category' action
- Update the value to an existing Zscaler block category
- Save the playbook