Zscaler Deception
App Vendor: Zscaler
App Category: Network Security
Connector Version: 1.1.0
API Version: v2
About App
The Zscaler Deception app helps detect and prevent attacks by using decoys to mislead attackers, providing real-time visibility into threats.
The Zscaler Deception app is configured with Cyware Orchestrate to perform the following actions:
Action Name | Description |
|---|---|
Get Decoy Statistics | This action retrieves statistics for configured decoys. |
Get Network Decoy Instances | This action retrieves a list of network decoy instances to provide visibility into deployed network-based deceptions. |
Get Threat Intelligence | This action retrieves a list of all Threat Intelligence Decoys from the Zscaler Deception platform. |
List Events | This action lists all the events. |
Generic Action | This is a generic action used to make requests to any Zscaler Deception endpoint. |
Configuration Parameters
The following configuration parameters are required for the Zscaler Deception app to communicate with the Zscaler Deception enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Base URL | Enter the base URL to access Zscaler Deception. Example: https://zdxyz.illusionblack.com | Text | Required | |
API Key | Enter the API key to authenticate with Zscaler Deception. | Password | Required | |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Zscaler Deception. | Integer | Optional | Allowed range: 15-120 Default value: 15 |
Verify | Choose whether to verify the TLS certificate presented by Zscaler Deception when making requests. Keep this set to yes. Setting it to no disables certificate validation, so the connector may establish a connection with an impersonated endpoint and expose the API key to interception. | Boolean | Optional | By default, verification is enabled. |
Action: Get Decoy Statistics
This action retrieves statistics for configured decoys.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Long Polling | Choose true to enable long polling. | Boolean | Optional | |
Is ZPA | Choose true if the decoy is connected through a ZPA (Zscaler Private Access) connector. | Boolean | Optional | |
Example Request
[
{
"spoll": true
}
]
Action: Get Network Decoy Instances
This action retrieves a list of network decoy instances to provide visibility into deployed network-based deceptions.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Is ZPA | Choose true if the request should filter for ZPA (Zscaler Private Access) decoy connectors. | Boolean | Required | |
Limit | Enter the number of items to return in a single response. | Integer | Optional | The default value is 100. |
Offset | Enter the number of items to skip before starting to collect the result. | Integer | Optional | The default value is 0. |
FQDN | Enter the Fully Qualified Domain Name (FQDN) to filter the network decoy instances. | Text | Optional | |
Decoy Group Name | Enter the decoy group name to filter results by a specific collection of decoys. | Text | Optional | |
Personality Name | Enter the personality name to filter decoys by their simulated operating system or service profile. | Text | Optional | |
Network Subnet Name | Enter the network subnet name to filter the network decoy instances by their assigned subnet. | Text | Optional | |
ZPA Real App | Choose true to return only decoys associated with a ZPA real application. | Boolean | Optional | |
Action: Get Threat Intelligence
This action retrieves a list of all Threat Intelligence Decoys from the Zscaler Deception platform.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Offset | Enter the number of items to skip before starting to collect the result. | Integer | Optional | The default value is 0. |
Limit | Enter the number of items to return in a single response. | Integer | Optional | The default value is 100. |
Hostname | Enter the hostname to filter the results. Example: test.domain.com | Text | Optional | |
IP Address | Enter the IP address to filter the decoys by their network location. Example: 1.1.1.1 | Text | Optional | |
Network Subnet Name | Enter the network subnet name to filter results by a specific subnet group. Example: ThreatIntel-1.1.1.1 (ena1) | Text | Optional | |
Threat Intelligence Appliance IP | Enter the IP address of the threat intelligence appliance to filter the decoys associated with it. Example: 1.1.1.1 | Text | Optional | |
Decoy Type | Enter the type of the threat intelligence decoy to retrieve results. Example: STATIC | Text | Optional | Allowed values: STATIC, DYNAMIC, HIGH_INTERACTION |
Action: List Events
This action lists all the events.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Limit | Enter the number of items to retrieve in the response. | Integer | Optional | Default value: 100 |
Offset | Enter the number of items to skip before retrieving results. | Integer | Optional | Default value: 0 |
From Time | Enter the start time to retrieve events from. Example: 2025-01-25T14:30:00Z | Text | Optional | Recommended format: ISO 8601 (UTC, with uppercase T and Z) |
To Time | Enter the end time to retrieve events up to. Example: 2025-01-30T14:30:00Z | Text | Optional | Recommended format: ISO 8601 (UTC, with uppercase T and Z) |
Extra Params | Enter the extra parameters to list events. Example: {"whitelisted": true, "test_events_only": true} | Key Value | Optional | Allowed keys: sort, fields, whitelisted, test_events_only, expfilter |
Example Request
[
{
"limit": "2",
"offset": "0",
"to_time": "2024-12-31T11:43:00Z",
"from_time": "2024-12-31T11:42:00Z",
"extra_params": {}
}
]
Action: Generic Action
This is a generic action used to make requests to any Zscaler Deception endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Method | Enter the HTTP method to make the request. | Text | Required | Allowed values: GET, PUT, POST, DELETE |
Endpoint | Enter the endpoint to make the request to. Example: /events/version | Text | Required | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. | Any | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | Allowed keys: headers, payload_data, download, files, filename, retry_wait, retry_count, custom_output, response_type |
Example Request
[
{
"method": "GET",
"endpoint": "/events/version",
"extra_fields": {},
"query_params": {
"limit": "100",
"offset": "0"
}
}
]
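The actions above share one request shape: a base URL and API key from the configuration parameters, a method and endpoint path, query parameters for limit/offset pagination and ISO 8601 time bounds, and an allowlist of extra keys. The following Python client ties them together for the List Events and Generic Action sections. It is an added example for this page, not the Cyware Orchestrate connector's own code. The page does not state how the API key is transmitted, where the events list is served, or what a response page looks like, so the `Authorization: Bearer` header, the `/events` path and the "a page is a JSON list" shape are assumptions; the HTTP transport is injected so the example runs offline against a constructed fake.

```python
"""Client sketch for the Zscaler Deception actions described on this page.

Added example, not the connector's own code. Assumed (not stated on the page):
the API key travels in an `Authorization: Bearer <key>` header, List Events is
served at `/events`, and each page comes back as a JSON list of event objects.
"""
from __future__ import annotations

import json
import ssl
import urllib.request
from datetime import datetime, timezone
from typing import Any, Callable, Iterator
from urllib.parse import parse_qs, urlencode, urlparse

ALLOWED_METHODS = {"GET", "PUT", "POST", "DELETE"}        # Generic Action: Method
ALLOWED_EXTRA_PARAMS = {"sort", "fields", "whitelisted", "test_events_only", "expfilter"}
TIMEOUT_RANGE = (15, 120)                                 # configuration: Timeout
EVENTS_ENDPOINT = "/events"                               # assumed path


def iso8601_utc(value: str | datetime) -> str:
    """Normalise a From Time / To Time value to UTC ISO 8601 with uppercase T and Z.

    Lowercase t/z (as typed in the page's examples) is tolerated on input.
    """
    if isinstance(value, str):
        value = datetime.fromisoformat(value.strip().upper().replace("Z", "+00:00"))
    if value.tzinfo is None:
        raise ValueError("timestamps must carry a timezone")
    return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def urllib_transport(req: dict[str, Any]) -> Any:
    """Default transport. verify=False skips certificate validation and exposes the key."""
    ctx = ssl.create_default_context()
    if not req["verify"]:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    r = urllib.request.Request(req["url"], data=req["body"], headers=req["headers"],
                               method=req["method"])
    with urllib.request.urlopen(r, timeout=req["timeout"], context=ctx) as resp:
        return json.loads(resp.read())


class DeceptionClient:
    def __init__(self, base_url: str, api_key: str, timeout: int = 15, verify: bool = True,
                 transport: Callable[[dict[str, Any]], Any] = urllib_transport) -> None:
        if not base_url.startswith("https://"):
            raise ValueError("Base URL must be https, e.g. https://zdxyz.illusionblack.com")
        if not TIMEOUT_RANGE[0] <= timeout <= TIMEOUT_RANGE[1]:
            raise ValueError(f"Timeout must be within {TIMEOUT_RANGE} seconds")
        self.base_url, self.api_key = base_url.rstrip("/"), api_key
        self.timeout, self.verify, self._transport = timeout, verify, transport

    def build_request(self, method: str, endpoint: str, query_params: dict | None = None,
                      payload: Any = None) -> dict[str, Any]:
        """Assemble one Generic Action request without sending it."""
        method = method.upper()
        if method not in ALLOWED_METHODS:
            raise ValueError(f"Method must be one of {sorted(ALLOWED_METHODS)}")
        if not endpoint.startswith("/") or "://" in endpoint:
            raise ValueError("Endpoint must be a path such as /events/version")
        url = self.base_url + endpoint
        if query_params:
            url += "?" + urlencode(query_params)
        headers = {"Authorization": f"Bearer {self.api_key}", "Accept": "application/json"}
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        return {"method": method, "url": url, "headers": headers, "body": body,
                "timeout": self.timeout, "verify": self.verify}

    def generic_action(self, method: str, endpoint: str, query_params: dict | None = None,
                       payload: Any = None) -> Any:
        return self._transport(self.build_request(method, endpoint, query_params, payload))

    def list_events(self, from_time=None, to_time=None, limit: int = 100,
                    extra_params: dict | None = None) -> Iterator[dict]:
        """Walk every page of List Events with limit/offset pagination."""
        extra = dict(extra_params or {})
        unknown = set(extra) - ALLOWED_EXTRA_PARAMS
        if unknown:
            raise ValueError(f"Unsupported extra params: {sorted(unknown)}")
        params: dict[str, Any] = {"limit": limit, "offset": 0, **extra}
        if from_time is not None:
            params["from_time"] = iso8601_utc(from_time)
        if to_time is not None:
            params["to_time"] = iso8601_utc(to_time)
        while True:
            page = self.generic_action("GET", EVENTS_ENDPOINT, query_params=params)
            yield from page
            if len(page) < limit:          # short page: nothing left to fetch
                return
            params["offset"] += limit


def make_fake_transport(events: list[dict]) -> tuple[Callable, list[int]]:
    """Offline stand-in for the API: serves constructed `events` in limit/offset slices."""
    offsets_seen: list[int] = []

    def transport(req: dict[str, Any]) -> list[dict]:
        qs = parse_qs(urlparse(req["url"]).query)
        offset, limit = int(qs["offset"][0]), int(qs["limit"][0])
        offsets_seen.append(offset)
        return events[offset:offset + limit]

    return transport, offsets_seen
```

To run against a real tenant, construct `DeceptionClient` without the `transport` argument; the default `urllib_transport` honours the Timeout and Verify settings the same way the configuration table describes them.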