
Cyware Threat Intelligence eXchange

Zscaler

Connector Category: Enrichment Tool

About Zscaler

You can integrate Intel Exchange with Zscaler so that security analysts can retrieve the details of URLs, domains, and IP addresses together with their Zscaler URL classification. Zscaler classifies URLs into a hierarchy of categories (classes, super-categories, and categories) for granular filtering and policy creation. This lets analysts identify malicious URLs and act on them before they lead to a compromise or data loss.

Use Cases 

  • Retrieve the details of a URL, such as IP, domain, and classification.

  • Flag the URL, IP, and domain as malicious if the classification is associated with a security alert.

    Note

    The urlclassificationwithsecurityalert field in Zscaler is directly associated with the InferredVerdict and Confidence Score assigned to the URL, IP, or domain in Intel Exchange.

Benefits 

  • Enrich URLs, IPs, and domains in real time.

  • Identify malicious IP addresses, URLs, and domains using the URL classification.

  • Block malicious destinations early and reduce the risk of data loss that follows a successful attack.

  • Identify the URL classification that complements the existing policies of Zscaler (Data Loss Prevention, Sandbox, Filetype, and SSL Policies).

Configure Zscaler as an Enrichment Tool

Configure Zscaler to enrich IPs, URLs, and domains. (These are the three feed enrichment types the connector supports; see the quota table below.)

Before you Start 

  • Ensure that you have the API credentials of your Zscaler account.

  • Ensure that you have the view, create, and update permissions for Enrichment Management in CTIX.

Steps 

To configure Zscaler as an enrichment tool in CTIX, do the following:

  1. Sign in to CTIX and go to Administration > Enrichment Management > Enrichment Tools.

  2. Search and select the Zscaler Enrichment tool.

  3. Click Add Account.

  4. Enter a unique account name to identify the instance. For example, Prod_Zscaler.

  5. Enter the base URL of the Zscaler API server. The default base URL is https://admin.zscalerbeta.net/api/v1. Zscaler runs several clouds, so replace the hostname with the one that hosts your tenant; the hostname is shown in your Zscaler admin portal.

  6. Enter the username and password of the user associated with the API key.

  7. Enter the API key to authenticate API calls between the CTIX and Zscaler servers.

  8. Select Verify SSL so that CTIX validates the Zscaler server's TLS certificate before it sends the username, password, and API key.

    Important

    If you clear this option, CTIX accepts whatever certificate the server presents, including an expired, self-signed, or substituted one. A broken or intercepted connection then goes undetected, and CTIX cannot warn you about it. Keep this option selected.

  9. Click Save.

After successfully adding an account, you can view and enable the Zscaler feed enrichment types. You can also configure a quota to limit the number of enrichment requests a Zscaler account makes. Once the quota is exhausted, no further enrichment requests are made until the quota is reset. For more information, see Define Quota in Configure Enrichment Tools.

To understand the number of API calls and quota units consumed by the Zscaler enrichment tool per polling, refer to the following table.

Enrichment Tool   Feed Enrichment Type   Number of API Calls   Quota Consumed
Zscaler           URL                    2                     1
Zscaler           Domain                 2                     1
Zscaler           IP                     2                     1

You can configure an enrichment policy to automatically enrich IOCs using the Zscaler enrichment tool. For more information, see Configure Enrichment Policy.

Note

The Zscaler enrichment policy enriches IOCs in bulk and consumes 1 quota unit per request. Zscaler can bulk enrich a maximum of 100 IOCs per request, so a policy run over more IOCs is split into several requests, each consuming 1 quota unit.
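The following is an added example, not code from the Cyware or Zscaler documentation. It shows the API exchange that one enrichment request in the table above maps onto (an authenticate call followed by a bulk URL lookup, which is where the "2 API calls" come from), splits IOCs into the 100-per-request batches described in the note above, and applies the verdict rule from the Use Cases note: a classification that carries a security alert marks the IOC as malicious. The endpoint paths (POST /authenticatedSession and POST /urlLookup), the timestamp-bound API key obfuscation, and the response field name urlClassificationsWithSecurityAlert are taken from Zscaler's ZIA API reference rather than from this page, and the confidence numbers are this example's illustration, not the values CTIX assigns. The sample lookup response is constructed so the verdict logic runs offline.

```python
# Added example; not Cyware's or Zscaler's code. Endpoints, key obfuscation
# and the urlClassificationsWithSecurityAlert field name come from the ZIA
# API reference, not from this page; confidence values are illustrative.
import json
import time
import urllib.request
from typing import Dict, List, Optional, Tuple

BASE_URL = "https://admin.zscalerbeta.net/api/v1"  # page default; use your cloud's host
MAX_BULK = 100                                     # per-request limit from the page


def obfuscate_api_key(api_key: str, now_ms: Optional[int] = None) -> Tuple[str, str]:
    """Bind the 12-character API key to a millisecond timestamp (Zscaler's
    published scheme). Returns (timestamp, obfuscated_key) for the auth body."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    n = str(now_ms)[-6:]
    r = str(int(n) >> 1).zfill(6)
    key = "".join(api_key[int(c)] for c in n)
    key += "".join(api_key[int(c) + 2] for c in r)
    return str(now_ms), key


def auth_payload(username: str, password: str, api_key: str,
                 now_ms: Optional[int] = None) -> Dict[str, str]:
    """Body of the authenticate call (the first of the two API calls)."""
    ts, obfuscated = obfuscate_api_key(api_key, now_ms)
    return {"apiKey": obfuscated, "username": username,
            "password": password, "timestamp": ts}


def batches(iocs: List[str], size: int = MAX_BULK) -> List[List[str]]:
    """Split IOCs into bulk-lookup requests of at most `size` items;
    each batch costs one quota unit, per the bulk enrichment note."""
    return [iocs[i:i + size] for i in range(0, len(iocs), size)]


def verdict(entry: Dict) -> Dict:
    """Apply the page's rule to one urlLookup result: any classification
    with a security alert makes the IOC malicious."""
    alerts = entry.get("urlClassificationsWithSecurityAlert") or []
    return {
        "url": entry["url"],
        "classifications": entry.get("urlClassifications", []),
        "verdict": "malicious" if alerts else "benign",
        "confidence": 90 if alerts else 20,   # illustrative, not CTIX's scores
        "reason": list(alerts),
    }


# Constructed sample of a urlLookup response; not real Zscaler output.
SAMPLE_LOOKUP_RESPONSE = [
    {"url": "example.com",
     "urlClassifications": ["CORPORATE_MARKETING"],
     "urlClassificationsWithSecurityAlert": []},
    {"url": "203.0.113.7",
     "urlClassifications": ["OTHER_MISCELLANEOUS"],
     "urlClassificationsWithSecurityAlert": ["MALICIOUS_CONTENT"]},
]


def enrich_offline(response: List[Dict] = SAMPLE_LOOKUP_RESPONSE) -> List[Dict]:
    """Verdicts for the constructed sample; runs without network access."""
    return [verdict(e) for e in response]


def enrich(iocs: List[str], username: str, password: str, api_key: str,
           base_url: str = BASE_URL) -> List[Dict]:
    """Live flow: one authenticate call, then one urlLookup per batch. The
    session cookie from authenticate is carried by the cookie jar, and
    certificate verification stays on (urllib's default), like Verify SSL."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())

    def post(path: str, body) -> object:
        req = urllib.request.Request(
            base_url + path, data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"}, method="POST")
        with opener.open(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    post("/authenticatedSession", auth_payload(username, password, api_key))
    results: List[Dict] = []
    for batch in batches(iocs):
        results.extend(verdict(e) for e in post("/urlLookup", batch))
    return results


if __name__ == "__main__":
    for v in enrich_offline():
        print(v)
```

The obfuscated key is only valid for the timestamp it was derived from, so the authenticate body has to be built immediately before the call; with a 250-IOC policy run the live path issues one authenticate call and three urlLookup calls, matching three quota units under the page's accounting.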