Zscaler
Connector Category: Network Security
About Zscaler
Zscaler is a comprehensive network security and threat intelligence solution that is seamlessly integrated as an internal application in Intel Exchange (CTIX). This integration enables users to easily add URL objects of the Intel Exchange platform to the Zscaler allowlist and denylist. This empowers the threat intelligence teams to promptly take action against threats in real-time on the Zscaler application.
Allowlist: URLs of the allowlist are exempted from security scans, URL filtering, or both.
Denylist: URLs of the denylist are blocked to protect traffic from fraud, unauthorized communication, and other malicious objects and scripts.
The Zscaler internal application in Intel Exchange supports the following actions:
Action Name | Description |
---|---|
Update Zscaler Denylist Url | This action updates the denylist of the Zscaler application with the URLs retrieved from Intel Exchange. |
Update Zscaler Allowlist Url | This action updates the allowlist of the Zscaler application with the URLs retrieved from Intel Exchange. |
Configure Zscaler as an Internal Application
Configure Zscaler as an internal application to update URLs to Zscaler allowlist and denylist as required.
Before you Start
You must have the base URL, username, password, and API key of your Zscaler account.
You must have the view and update tool integration permissions in Intel Exchange.
Steps
Go to Administration > Integration Management > Tool Integrations > Internal Applications > Network Security.
Search and select the Zscaler app.
Click Add Instance and enter the following details:
Instance Name: Enter a unique name to identify the instance. For example, prod_instance.
Base URL: Enter the base URL of your Zscaler instance. For example, https://admin.zscalerbeta.net/api/v1.
Username: Enter the username for your Zscaler account.
Password: Enter the password for your Zscaler account.
API Key: Enter the API key of your Zscaler account.
Verify SSL: Enable this option to verify the SSL certificate and secure the connection between the Intel Exchange and Zscaler servers. By default, Verify SSL is selected.
Note
We recommend that you enable Verify SSL. If you disable this option, Intel Exchange may configure an instance for an expired SSL certificate. The connection may then not be established properly, and Intel Exchange will not be able to notify you of a broken or improper connection.
Click Save.
The Zscaler instance is configured and you can view the actions provided by the Zscaler tool. You can configure multiple instances of this integration by clicking Manage > Add More.
Enable App Actions
After configuring the Zscaler application, enable the actions to update the allowlist and denylist on Zscaler.
To enable an action of the Zscaler internal application, follow these steps:
Go to Administration > Integration Management > Tool Integrations > Internal Applications and select Network Security.
Search and select Zscaler.
On the upper-right corner, click the vertical ellipsis and click Manage.
Click Manage Actions.
Select the actions and turn on the toggles to enable them.
Click Save.
The actions are enabled and are now ready to use.
Create a Rule to Update URLs to Allowlist in Zscaler
Create a rule to upload specific URLs from Intel Exchange to the Zscaler application.
Before you Start
You must have the View Rules, Create Rules, and Update Rules permissions.
Steps
To create a rule to upload indicators to the Zscaler application, do the following:
Go to Main Menu > Actions > Rules.
Click New Rule.
Enter a rule name within 100 characters and click Submit.
In Source, select the sources and collections to retrieve URLs.
In Condition, enter the following details:
Intent Type: Select the intent type as Indicator.
Rule Type: Select a rule type to apply specific conditions.
In Actions, enter the following details:
Actions: Select Update Zscaler Allowlist Url.
Application: Select Zscaler Network Security.
Account: Select a Zscaler instance you have configured.
Operation: Select Add to add URLs to the allowlist. Select Remove to remove URLs from the allowlist.
Set the global conditions from Additional Actions. For more information, see Additional Actions for Rules.
Click Save.
The rule is created and the URLs will be updated to the Zscaler Allowlist based on the configured sources and conditions when you run the rule.
Create a Rule to Update URLs to Denylist in Zscaler
Create a rule to upload specific URLs from Intel Exchange to the Zscaler application.
Before you Start
You must have the View Rules, Create Rules, and Update Rules permissions.
Steps
To create a rule to upload indicators to the Zscaler application, do the following:
Go to Main Menu > Actions > Rules.
Click New Rule.
Enter a rule name within 100 characters and click Submit.
In Source, select the source and collection from which you want to upload indicators.
In Condition, enter the following details:
Intent Type: Select the intent type as Indicator.
Rule Type: Select a rule type to apply specific conditions.
In Actions, enter the following details:
Actions: Select Update Zscaler Denylist Url.
Application: Select Zscaler Network Security.
Account: Select a Zscaler instance you have configured.
Operation: Select Add to add URLs to the denylist. Select Remove to remove URLs from the denylist.
Set the global conditions from Additional Actions. For more information, see Additional Actions for Rules.
Click Save.
The rule is created and the URLs will be updated to the Zscaler Denylist based on the configured sources and conditions when you run the rule.
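Because allowlisted URLs are exempted from security scans, it is worth reviewing allowlist candidates against the denylist before either rule runs. The following is an added example, not Cyware or Zscaler code: the function names, the `min_labels` threshold and the sample data are assumptions, and it makes no claim about how Zscaler itself resolves an overlap between the two lists.

```python
from urllib.parse import urlsplit

def normalize(url):
    """Reduce a URL indicator to lowercase host + path (scheme, port, query dropped)."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:  # e.g. malformed IPv6 literal
        return ""
    return host + parts.path.rstrip("/") if host else ""

def covers(a, b):
    """True if entry a equals b or is a parent of b at a '/' boundary."""
    return a == b or b.startswith(a + "/")

def triage_allowlist(candidates, denylist, min_labels=2):
    """Return (approved, rejected); rejected maps each URL to a reason."""
    denied = [d for d in map(normalize, denylist) if d]
    approved, rejected = [], {}
    for raw in candidates:
        entry = normalize(raw.strip())
        host = entry.split("/", 1)[0]
        # An overlap in either direction needs a human decision.
        clash = next((d for d in denied
                      if covers(entry, d) or covers(d, entry)), None)
        if not entry:
            rejected[raw] = "unparseable"
        elif len(host.split(".")) < min_labels:
            rejected[raw] = "too broad"  # bare TLD or single-label host
        elif clash:
            rejected[raw] = "overlaps denylist entry " + clash
        else:
            approved.append(raw)
    return approved, rejected

# Constructed sample data using reserved example domains, not real indicators.
CANDIDATES = ["https://cdn.example.com/assets/", "example.org", "com",
              "HTTP://Files.Example.NET/dl/tool.exe", "https://portal.example.net"]
DENYLIST = ["http://example.org/login/verify", "files.example.net/dl"]

if __name__ == "__main__":
    ok, bad = triage_allowlist(CANDIDATES, DENYLIST)
    print("approved:", ok)
    for url, reason in bad.items():
        print("rejected:", url, "->", reason)
```

Only the approved entries would then be placed in the collection that the allowlist rule reads from; the rejected ones go back to an analyst for review.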