
Cyware Threat Intelligence eXchange

Zscaler Network Security

Connector Category: Network Security

About Zscaler

Zscaler is a comprehensive network security and threat intelligence solution that is seamlessly integrated as an internal application in Intel Exchange. This integration enables users to easily add URL objects of the Intel Exchange platform to the Zscaler allowlist and denylist. This empowers the threat intelligence teams to promptly take action against threats in real-time on the Zscaler application.

  • Allowlist: URLs of the allowlist are exempted from security scans, URL filtering, or both. The URLs from Intel Exchange are added to the Advanced Threat Protection > Security Exceptions list in Zscaler.

  • Denylist: URLs of the denylist are blocked to protect traffic from fraud, unauthorized communication, and other malicious objects and scripts. The URLs from Intel Exchange are added to the Advanced Threat Protection > Advanced Threat Policy > Blocked Malicious URLs in Zscaler.

The Zscaler internal application in Intel Exchange supports the following actions:

| Action Name | Description |
| --- | --- |
| Update Zscaler Denylist Url | This action updates the denylist of the Zscaler application with the URLs retrieved from Intel Exchange. |
| Update Zscaler Allowlist Url | This action updates the allowlist of the Zscaler application with the URLs retrieved from Intel Exchange. |

Configure Zscaler Authentication and Permissions

To enable Intel Exchange to access Zscaler, you must first create an API role with the necessary permissions. This API role allows secure interaction with the Zscaler API. After the role is set up, you can proceed to configure authentication using one of the supported methods.

Create API Role and Assign Permissions in Zscaler

To create an API role and assign permissions to the role, follow these steps:

  1. Go to Administration > Role Management and click Add API Role.

  2. Enter a name for the API Role.

  3. Select FULL access for all the options, such as Policy & Components, Cloud Configurations & Integrations, Traffic Forwarding, and Administration Controls.

  4. Click Save.

  5. To activate the changes, in the left pane, select Activation, and click Activate.

Configure Zscaler Authentication

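You can configure Zscaler authentication using either of the following methods: the Cloud Service API key, or OAuth 2.0 through an application registered in Azure Active Directory.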

To enable Intel Exchange access to Zscaler, configure authentication using the Cloud Service API key. This method uses the API key and URL credentials to connect Intel Exchange to Zscaler securely.

Steps

To configure the Cloud Service API key, follow these steps:

  1. Go to Administration > Cloud Service API Security > Cloud Service API Key.

  2. In the Cloud Service API Key tab, ensure you have deleted the existing key.

    Note

    Your organization can only have one API key.

  3. After the key is removed, click Add API Key.

    After creating the key, you can view the API key and URL used to configure Zscaler in Intel Exchange.

To enable Intel Exchange to access Zscaler using OAuth, register an application in Azure Active Directory. This app provides the necessary credentials and permissions for API authentication.

Before you Start

You must have one of the following permissions to create an app in Azure:

  • The Application Administrator role in Azure Active Directory

  • Any role with the Application.ReadWrite.All permissions (to register apps and assign roles)

Steps

To configure the OAuth 2.0 authentication server, follow these steps:

  1. Create Client App

    To create a client app in Azure, follow these steps:

    1. Go to Microsoft Entra ID, then search for and select App registrations.

    2. To register a new app, click New registration.

    3. In Name, enter a name for the client app. For example, Intel Exchange Zscaler Integration.

      Note

      You can leave all other settings at their default values.

    4. Click Register. After registration, go to the Overview section to view and copy the following:

      • Application (client) ID

      • Directory (tenant) ID

  2. Create a Client Secret

    To create a client secret and assign API permissions, follow these steps:

    1. Go to Manage > Certificates & secrets and click New client secret.

    2. Enter a description and select an expiration period. By default, the expiration is set to 180 days.

    3. Click Add. Copy and store the Value of the client secret securely, as it is required to configure Zscaler in Intel Exchange. You will not be able to view it again after you leave the page.

  3. Create a Service App and Define Scope

    To create a service app and define the scope, follow these steps:

    1. Go back to App registrations, and click New registration to create a service app for authentication.

    2. Enter a name and click Register.

    3. After registering the app, go to Manage > Expose an API, and click Add a scope. Copy the Application ID URI, as it will be required later.

    4. Click Save and continue, and enter the following:

      • Scope name: Enter a unique name for the scope. This is the internal name used in access tokens and must be URI-compatible.

      • Admin consent display name: Enter a display name that describes what the scope allows. This name is shown to administrators when they’re prompted to grant consent for the application.

      • Admin consent description: Enter a description for the scope.

    5. Click Add scope. Copy the Scope value as it is required to configure Zscaler in Intel Exchange.

    6. Click Add a client application. In the Client ID field, enter the Application ID saved in Step 1.

    7. In Authorized scopes, select your scope. Click Add application. The application is added to the scope.

  4. Create App Role and Assign Owners

    To create an app role and assign owners, follow these steps:

    1. Go to Manage > App roles, and click Create app role. Enter the following details:

      • Display name: Enter a display name for the app role.

      • Allowed member types: Select Application as the type.

      • Value: Enter the scope value, which is a combination of the Company ID and the API role name. For example, zscaler.net::101010109::admin-role

        • To find the Company ID, in Zscaler, go to Administration > Company Profile and copy the Company ID.

        • To find the API role, in Zscaler, go to Role Management and copy the name of the role you created.

      • Description: Enter a description for the app role.

    2. Click Apply.

    3. To assign owners, go to Manage > Owners, and click Add owners.

    4. Select your user as the owner and click Select.

  5. Assign API Permissions and Get JWKS URI

    To assign API permissions and get the JWKS URI, follow these steps:

    1. Go to App registrations and in All applications, select your client app.

    2. Go to Manage > API permissions and click Add a permission.

    3. Select My APIs and choose your service app. Choose Application permissions, select your ZIA API scope, and click Add permissions.

    4. To apply these permissions, select Grant admin consent and click Yes to confirm.

    5. Go to App registrations, select your service app, and click Endpoints. Copy the OpenID Connect metadata document URL and open it in a new browser tab.

    6. From the metadata JSON, copy the jwks_uri value. This will be required to configure the OAuth 2.0 Authorization Server in Zscaler.

  6. Configure the OAuth 2.0 Authorization Server in Zscaler

    To configure the OAuth 2.0 Authorization Server in Zscaler, follow these steps:

    1. Go to Administration > Cloud Service API Security > OAuth 2.0 Authorization Servers.

    2. Click Add Authorization Server, and then turn on the Enable server toggle. Enter a name and description for the server.

    3. In the OAuth 2.0 JWKS Location field, enter the value copied from the metadata JSON in step 5 and click Validate.

    4. Click Save. To activate the changes, in the left pane, select Activation, and click Activate.

Note

For a detailed walkthrough, see OAuth 2.0 Configuration for Entra ID.
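
A pre-flight check for the OAuth values gathered in the steps above, added here as an example and not part of Cyware's or Zscaler's tooling. The function and field names are hypothetical, the sample values are constructed, and it assumes the app role value appears in the access token's `roles` claim, as Entra ID does for application permissions.

```python
import base64
import json

# Constructed sample input (placeholders, not real tenant data).
SAMPLE_CFG = {
    "app_id_uri": "api://00000000-0000-0000-0000-000000000000",
    "scope": "api://00000000-0000-0000-0000-000000000000/.default",
    "app_role_value": "zscaler.net::101010109::admin-role",
    "company_id": "101010109",
    "api_role": "admin-role",
}
SAMPLE_METADATA = json.dumps({"jwks_uri": "https://login.example.test/keys"})

def parse_role_value(value):
    """Split '<cloud>::<company id>::<role name>', the shape of the page's example."""
    parts = value.split("::")
    if len(parts) != 3 or any(not p or p != p.strip() for p in parts):
        raise ValueError("app role value is not <cloud>::<company id>::<role name>")
    return tuple(parts)

def token_roles(jwt):
    """Decode (without verifying) the JWT payload and return its 'roles' claim."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("roles", [])

def sample_token(roles):
    """Build an unsigned, constructed token so the check runs offline."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return ".".join([seg({"typ": "JWT"}), seg({"roles": roles}), "constructed"])

def preflight(cfg, metadata_json, access_token):
    """Return a list of problems; an empty list means the values agree."""
    problems = []
    if cfg["scope"] != cfg["app_id_uri"].rstrip("/") + "/.default":
        problems.append("scope is not <Application ID URI>/.default")
    try:
        _, company_id, role = parse_role_value(cfg["app_role_value"])
        if (company_id, role) != (cfg["company_id"], cfg["api_role"]):
            problems.append("app role value does not match Company ID and API role")
    except ValueError as exc:
        problems.append(str(exc))
    if not json.loads(metadata_json).get("jwks_uri", "").startswith("https://"):
        problems.append("metadata document has no HTTPS jwks_uri")
    if cfg["app_role_value"] not in token_roles(access_token):
        problems.append("token 'roles' claim lacks the app role value")
    return problems

if __name__ == "__main__":
    print(preflight(SAMPLE_CFG, SAMPLE_METADATA, sample_token([SAMPLE_CFG["app_role_value"]])))
```

The payload decode is for inspection only; signature verification against the keys at the jwks_uri remains the job of the OAuth 2.0 Authorization Server configured in Zscaler.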

Configure Zscaler as an Internal Application

Configure Zscaler as an internal application to update URLs to Zscaler allowlist and denylist as required.

Before you Start

  • You must have the base URL, username, password, and API key of your Zscaler account.

    Note

    You can either use the URL, username, password, and API key for authentication or use Scope, Client ID, Client Secret, and Tenant ID for OAuth-based authentication.

  • You must have the view and update tool integration permissions in Intel Exchange.

Steps

  1. Go to Administration > Integration Management > Tool Integrations > Internal Applications > Network Security.

  2. Search and select the Zscaler app.

  3. Click Add Instance and enter the following details:

    • Instance Name: Enter a unique name to identify the instance. For example, prod_instance.

    • Base URL: Enter the base URL of your Zscaler account. The default base URL is https://admin.zscalerbeta.net/api/v1.

    • Username: Enter the username for your Zscaler account.

    • Password: Enter the password for your Zscaler account.

    • API Key: Enter the API key for your Zscaler account. This key is used for API authentication.

    • Scope: Enter the Application ID URI value for your Zscaler instance. Ensure the value ends with /.default. For example, api://b0xxx133-1373-xxxa-8c45-ea3fxxx518d3/.default

    • Client ID: Enter the client ID of your Zscaler account.

    • Client Secret: Enter the client secret for the client ID. This is used along with the client ID for secure API authentication.

    • Tenant ID: Enter the tenant ID of your Zscaler account.

    • Verify SSL: Enable this option to verify the SSL certificate and secure the connection between the Intel Exchange and Zscaler servers. By default, SSL verification is enabled.

      Note

      It is recommended to enable Verify SSL. If you disable this option, Intel Exchange may configure an instance for an expired SSL certificate. This may not establish the connection properly, and Intel Exchange will not be able to notify you in case of a broken or improper connection.

  4. Click Save.

The Zscaler instance is configured, and you can view the actions provided by the Zscaler tool. You can configure multiple instances of this integration by clicking Manage > Add More.

Enable App Actions

After configuring the Zscaler application, enable the actions to update the allowlist and denylist on Zscaler.

To enable an action of the Zscaler internal application, follow these steps:

  1. Go to Administration > Integration Management > Tool Integrations > Internal Applications and select Network Security.

  2. Search and select Zscaler.

  3. On the upper-right corner, click the vertical ellipsis and click Manage.

  4. Click Manage Actions.

  5. Select the actions and turn on the toggles to enable.

  6. Click Save.

The actions are enabled and are now ready to use.

Create a Rule to Update URLs to Allowlist in Zscaler

Create a rule to upload specific URLs from Intel Exchange to the Zscaler application.

Before you Start

You must have the View Rules, Create Rules, and Update Rules permissions.

Steps

To create a rule to upload indicators to the Zscaler application, do the following:

  1. Go to Main Menu > Actions > Rules.

  2. Click New Rule.

  3. Enter a rule name within 100 characters and click Submit.

  4. In Source, select the sources and collections to retrieve URLs.

  5. In Condition, enter the following details:

    1. Intent Type: Select the intent type as Indicator.

    2. Rule Type: Select a rule type to apply specific conditions.

  6. In Actions, enter the following details:

    1. Actions: Select Update Zscaler Allowlist Url.

    2. Application: Select Zscaler Network Security.

    3. Account: Select a Zscaler instance you have configured.

    4. Operation: Select Add to add URLs to the allowlist. Select Remove to remove URLs from the allowlist.

  7. Set the global conditions from Additional Actions. For more information, see Additional Actions for Rules.

  8. Click Save.

The rule is created, and the URLs will be updated to the Zscaler Allowlist based on the configured sources and conditions when you run the rule.

Create a Rule to Update URLs to Denylist in Zscaler

Create a rule to upload specific URLs from Intel Exchange to the Zscaler application.

Before you Start

You must have the View Rules, Create Rules, and Update Rules permissions.

Steps

To create a rule to upload indicators to the Zscaler application, do the following:

  1. Go to Main Menu > Actions > Rules.

  2. Click New Rule.

  3. Enter a rule name within 100 characters and click Submit.

  4. In Source, select the source and collection from which you want to upload indicators.

  5. In Condition, enter the following details:

    1. Intent Type: Select the intent type as Indicator.

    2. Rule Type: Select a rule type to apply specific conditions.

  6. In Actions, enter the following details:

    1. Actions: Select Update Zscaler Denylist Url.

    2. Application: Select Zscaler Network Security.

    3. Account: Select a Zscaler instance you have configured.

    4. Operation: Select Add to add URLs to the denylist. Select Remove to remove URLs from the denylist.

  7. Set the global conditions from Additional Actions. For more information, see Additional Actions for Rules.

  8. Click Save.

The rule is created, and the URLs will be updated to the Zscaler Denylist based on the configured sources and conditions when you run the rule.