Azure-Sentinel/Playbooks/Zscaler
Directory contents:

  Add-IP-To-Category       Updating Zscaler playbooks to add in Solution   2023-03-31 19:43:46 +05:30
  Images                   Playbooks for Zscaler                           2021-07-11 16:34:50 +03:00
  Url-Category-Lookup      Update playbook trigger names                   2022-02-22 17:02:56 +02:00
  azuredeploy.json         Playbooks for Zscaler                           2021-07-11 16:34:50 +03:00
  readme.md                Playbooks for Zscaler                           2021-07-11 16:34:50 +03:00


Zscaler - Playbooks


Table of Contents

  1. Overview
  2. Playbooks
  3. Prerequisites
  4. Authentication
  5. Deployment
  6. Postdeployment
  7. References

Overview

General info about this product and the core values of this integration.

Zscaler Playbooks

  Action                        Description
  Add IP to category            Add an IP to a Zscaler block category
  Add Url to category           Add a URL to a Zscaler block category
  Get sandbox report for hash   Get a Zscaler sandbox report for a file hash
  Url category lookup           Look up the Zscaler blocking categories for a given URL
  Authentication                Playbook to support the Zscaler authentication process

Prerequisites for using and deploying the playbooks

All playbook templates leverage the Zscaler API. To use the Zscaler capabilities, you need a Zscaler API key. To obtain a key, please refer to this link: API Developers Guide: Getting Started

Authentication

The playbooks use the Zscaler authentication process. The output of that process is a JSESSIONID, which is then used to perform the other API actions. Refer to this link for the authentication process: Authenticate and create an API session. To support the authentication process, an authentication playbook is added. The authentication playbook can be used as a linked ARM template or, once deployed, as an embedded playbook in other playbooks.
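The session set-up described above, as an added Python illustration of the flow (this is not code from the Azure-Sentinel playbooks): the API key is obfuscated against a millisecond timestamp, posted to the authenticatedSession endpoint together with the admin credentials, and the JSESSIONID returned in the Set-Cookie header becomes the credential for every later call. The endpoint path, request fields and obfuscation steps follow the public Zscaler API Developer Guide; the cloud host `zsapi.zscaler.net`, the credentials and the HTTP response shown are constructed sample values, and `redact` is a helper added here for logging.

```python
"""Zscaler ZIA API session set-up (added example, not the playbooks' own code).

Endpoint path, request fields and the API-key obfuscation follow the public
Zscaler API Developer Guide; the cloud host, credentials and the sample
Set-Cookie header below are constructed values for offline use."""
import http.cookies
import json
import time
from typing import Optional, Tuple

ZIA_BASE = "https://zsapi.zscaler.net/api/v1"  # assumed cloud; tenants differ


def obfuscate_api_key(api_key: str, now_ms: int) -> str:
    """Derive the per-request obfuscated key from the 12-character API key and
    a millisecond timestamp, as the Zscaler developer guide describes. The
    result is only valid when sent together with the same timestamp."""
    n = str(now_ms)[-6:]                  # last six digits of the timestamp
    r = str(int(n) >> 1).zfill(6)         # halved, zero-padded to six digits
    out = "".join(api_key[int(d)] for d in n)
    out += "".join(api_key[int(d) + 2] for d in r)
    return out


def build_auth_request(username: str, password: str, api_key: str,
                       now_ms: Optional[int] = None) -> Tuple[str, dict]:
    """Return (url, json_body) for POST /authenticatedSession."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    body = {
        "apiKey": obfuscate_api_key(api_key, now_ms),
        "username": username,
        "password": password,
        "timestamp": str(now_ms),
    }
    return f"{ZIA_BASE}/authenticatedSession", body


def extract_jsessionid(set_cookie_header: str) -> str:
    """Pull the JSESSIONID value out of the Set-Cookie header the API returns."""
    jar = http.cookies.SimpleCookie()
    jar.load(set_cookie_header)
    if "JSESSIONID" not in jar:
        raise ValueError("no JSESSIONID cookie in response")
    return jar["JSESSIONID"].value


def session_headers(jsessionid: str) -> dict:
    """Headers for follow-up calls; the session cookie is the bearer credential."""
    return {"Cookie": f"JSESSIONID={jsessionid}",
            "Content-Type": "application/json"}


def redact(value: str, keep: int = 4) -> str:
    """Show only the last few characters in audit logs: the session ID grants
    the same access as the credentials that produced it."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


if __name__ == "__main__":
    # Constructed sample values; a real key comes from the ZIA admin portal
    url, body = build_auth_request("admin@example.com", "s3cret",
                                   "ABCDEFGHIJKL", 1680000000123)
    print("POST", url)
    print(json.dumps({**body, "password": "***"}))
    # Constructed response header, shaped like the one the API sends back
    sample_set_cookie = ("JSESSIONID=3F2504E04F8911D39A0C0305E82C3301; "
                         "Path=/; Secure; HttpOnly")
    sid = extract_jsessionid(sample_set_cookie)
    print("session:", redact(sid))
    print("next call carries:", "JSESSIONID=" + redact(sid))
```

In the playbooks the equivalent values (API key, admin password) are read from the Azure Key Vault connection rather than embedded, and the JSESSIONID is passed between playbook steps; treat it like a password when adding logging or run-history exports.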

Deployment

This package includes:

  • Four functional playbooks
  • One playbook to support the Zscaler authentication process

You can choose to deploy all the playbooks at once using the buttons below. You can also choose to deploy a single playbook, with or without the authentication playbook. In that case, please refer to the readme in the playbook's folder.

Post-Deployment instructions

a. Authorize connections

Once the deployment is completed, you will need to authorize each connection. There are connections for Azure Key Vault and Azure Sentinel. For each connection, complete the following steps:

  1. Click edit API connection
  2. Fill in the necessary information
  3. Click Authorize
  4. Sign in
  5. Click Save

b. Configurations in Azure Sentinel

For Azure Sentinel some additional configuration is needed:

  1. Enable Azure Sentinel Analytics rules that create alerts and incidents which include the relevant entities.
  2. Configure automation rule(s) to trigger the playbooks.

c. Optional: Change Zscaler Block Category

Both the "Add IP to category" and the "Add Url to category" playbooks use a Zscaler block category to which IP addresses or URLs are added. The default Zscaler block category is set during deployment. It can be changed in the playbook using the following steps:

  1. Edit the playbook
  2. Edit the 'Set Zscaler Category' action
  3. Update the value to an existing Zscaler block category
  4. Save the playbook

Learn more