Zscaler

Integration version: 7.0

Before you begin

Before you configure the Zscaler integration in Google SecOps, verify that you have the following:

Integration parameters

The Zscaler integration requires the following parameters:

| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
| --- | --- | --- | --- | --- |
| API Root | String | N/A | Yes | The base URL for the Zscaler API (e.g., https://zsapi.zscaler.net, https://zsapi.zscalertwo.net, https://zsapi.zscalerbeta.net). |
| Login ID | String | N/A | Yes | The login ID of the Zscaler administrator account with API access permissions. |
| API Key | Password | N/A | Yes | The API Key generated from your Zscaler Admin Portal. This is a unique key for authenticating API requests. |
| Password | Password | N/A | Yes | The password for the Zscaler administrator account. |
| Verify SSL | Boolean | Checked | No | If selected, the integration verifies the SSL certificate when connecting to Zscaler. Selected by default. |

For instructions about how to configure an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.

How authentication works

The Zscaler integration uses a combination of the Login ID, Password, and the generated API Key to authenticate with the Zscaler API.

The integration sends these credentials to a Zscaler authentication endpoint to establish a session and retrieve a session cookie or a temporary token, which is then used for subsequent API requests.

Important: Make sure that outbound HTTPS connections are allowed from your Google SecOps environment to the Zscaler API endpoint (for example, zsapi.<your_cloud_name>).

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.

Add to Blacklist

Adds a URL/Domain/IP to the blocklist.

Note: If the submitted URL begins with http:// or https://, the action will block the entire domain instead of the specific URL.

Parameters

N/A

Run On

This action runs on the following entities:

  • URL
  • Hostname
  • IP Address
Script Result
| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Add to Whitelist

Adds a URL/Domain/IP to the allowlist.

Parameters

N/A

Run On

This action runs on the following entities:

  • URL
  • Hostname
  • Domain
Script Result
| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Get Blacklist

Gets a list of black-listed URLs.

Parameters

N/A

Run On

This action runs on all entities.

Script Result
| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Get Sandbox Report

Get a full report for an MD5 hash of a file that was analyzed by Sandbox.

Parameters

N/A

Run On

This action runs on the Filehash entity.

Script Result
| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |
JSON Result
[{"EntityResult":{"Full Details":{"SystemSummary":[{"SignatureSources":["","76CD0000 page execute and read and write","76DD0000 page execute and read and write"],"Risk":"LOW","Signature":"Allocates memory within range which is reserved for system DLLs"},{"SignatureSources":["","wow64.pdb source: loaddll32.exe","wow64.pdbH source: loaddll32.exe","wow64cpu.pdb source: loaddll32.exe","wow64win.pdb source: loaddll32.exe","wow64win.pdbH source: loaddll32.exe"],"Risk":"LOW","Signature":"Binary contains paths to debug symbols"},{"SignatureSources":["","clean0.winDLL@1/1@0/0"],"Risk":"LOW","Signature":"Classification label"},{"SignatureSources":["","More than 502 > 100 exports found"],"Risk":"LOW","Signature":"PE file exports many functions"},{"SignatureSources":["","Virtual size of .text is bigger than: 0x100000"],"Risk":"LOW","Signature":"PE file has a big code size"},{"SignatureSources":["","Raw size of .text is bigger than: 0x100000 < 0x176000"],"Risk":"LOW","Signature":"PE file has a big raw section"},{"SignatureSources":["","Image base 0x704c0000 > 0x60000000"],"Risk":"LOW","Signature":"PE file has a high image base. often used for DLLs"},{"SignatureSources":["","Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN"],"Risk":"LOW","Signature":"PE file has an executable .text section and no other executable section"},{"SignatureSources":["","HKEY_USERS\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\CodeIdentifiers"],"Risk":"LOW","Signature":"Reads software policies"},{"SignatureSources":["","File size 1710606 > 1048576"],"Risk":"LOW","Signature":"Submission file is bigger than most known malware samples"},{"SignatureSources":["","no activity detected"],"Risk":"MODERATE","Signature":"Program does not show much activity"}],"Summary":{"Status":"COMPLETED","Category":"EXECS","FileType":"DLL","Duration":499618,"StartTime":1553130306},"Classification":{"Category":"BENIGN","Type":"BENIGN","Score":0,"DetectedMalware":""},"Persistence":[{"SignatureSources":["","section name: /4"],"Risk":"LOW","Signature":"PE file contains sections with non-standard names"}],"FileProperties":{"SHA1":"b0aa7eecfa6c0066504bf79efe1bc057ac61e9b8","FileSize":1710606,"RootCA":"","Issuer":"","FileType":"DLL","Sha256":"a39180232ae6a689650f5df566bb4e81b94d9d19a53363ce17d7a12fd21f78cf","DigitalCerificate":"","SSDeep":"24576:3LnYQhDtnNgQe42lcCZNj4I/MmaOdb+Y+mmY5Gc3nGkh2sQginrgGGQCTQIMGNdd:zYQlEpIE/p3nFhckZF7oU","MD5":"1803c2c0f0ec61c98b3630d7e4b1cd5d"}}},"Entity":"1803C2C0F0EC61C98B3630D7E4B1CD5D"}]
Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
| --- | --- |
| Full Details | Returns if it exists in JSON result |
Insights

N/A

Get URL Categories

Gets information about all URL categories.

Parameters

N/A

Run On

This action runs on all entities.

Script Result
| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |
JSON Result
[{"description":"OTHER_ADULT_MATERIAL_DESC","val":1,"dbCategorizedUrls":[],"editable":true,"urls":[],"customCategory":false,"id":"OTHER_ADULT_MATERIAL"},{"description":"ADULT_THEMES_DESC","val":2,"dbCategorizedUrls":[],"editable":true,"urls":[],"customCategory":false,"id":"ADULT_THEMES"}]
Entity Enrichment

N/A

Insights

N/A

Get Whitelist

Gets a list of white-listed URLs.

Parameters

N/A

Run On

This action runs on all entities.

Script Result
| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Lookup Entity

Look up the categorization of a URL/Domain/IP.

Parameters

N/A

Run On

This action runs on the following entities:

  • URL
  • Hostname
  • Domain
Script Result
| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |
JSON Result
[{"EntityResult":{"url":"markossolomon.com/f1q7qx.php","urlClassificationsWithSecurityAlert":["MALWARE_SITE"],"urlClassifications":[]},"Entity":"HTTP://MARKOSSOLOMON.COM/F1Q7QX.PHP"}]
Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
| --- | --- |
| url | Returns if it exists in JSON result |
| urlClassificationsWithSecurityAlert | Returns if it exists in JSON result |
| urlClassifications | Returns if it exists in JSON result |
Insights

N/A
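
The following is an added example, not code from the integration: a pre-check that takes Lookup Entity results in the JSON shape shown above and predicts what Add to Blacklist would block, given the note that an entity beginning with http:// or https:// blocks the entire domain. The sample records, the PROTECTED_HOSTS list, the function names, and the reading of "entire domain" as the URL's host part are assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical hosts that must never be blocked wholesale (shared platforms).
PROTECTED_HOSTS = {"storage.example.test"}


def sample_result(entity, alerts):
    """Build one constructed record in the Lookup Entity JSON result shape."""
    return {"Entity": entity,
            "EntityResult": {"url": entity.lower().split("://")[-1],
                             "urlClassificationsWithSecurityAlert": alerts,
                             "urlClassifications": []}}


# Constructed sample data, not real lookups.
SAMPLE_LOOKUP = [
    sample_result("HTTP://FILES.EXAMPLE.TEST/INVOICE.PHP", ["MALWARE_SITE"]),
    sample_result("HTTPS://STORAGE.EXAMPLE.TEST/U/123/DROP.ZIP", ["MALWARE_SITE"]),
    sample_result("NEWS.EXAMPLE.TEST", []),
    sample_result("CDN.EXAMPLE.TEST/PAYLOAD.JS", ["MALWARE_SITE"]),
]


def block_scope(entity):
    """Predict what Add to Blacklist blocks for one entity identifier."""
    ident = entity.strip()
    if ident.lower().startswith(("http://", "https://")):
        parts = urlsplit(ident)
        # Assumption: "the entire domain" means the host part of the URL.
        host = (parts.hostname or "").lower()
        widened = parts.path not in ("", "/") or bool(parts.query)
        return {"scope": "domain", "target": host, "widened": widened}
    return {"scope": "as_submitted", "target": ident.lower(), "widened": False}


def plan_blocks(lookup_results):
    """Keep entities with a security alert and flag risky domain-wide blocks."""
    plan = []
    for item in lookup_results:
        result = item.get("EntityResult", {})
        alerts = result.get("urlClassificationsWithSecurityAlert") or []
        if not alerts:
            continue  # no security classification, so no block is proposed
        entry = block_scope(item["Entity"])
        entry["alerts"] = alerts
        entry["needs_review"] = (entry["scope"] == "domain"
                                 and entry["target"] in PROTECTED_HOSTS)
        plan.append(entry)
    return plan
```

Entries with needs_review set are the ones to route to an analyst before the blocklist action runs, because a single malicious path would take down a whole shared host.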

Ping

Check connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Script Result
| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Remove From Blacklist

Removes a URL/Domain/IP from the blacklist.

Parameters

N/A

Run On

This action runs on the following entities:

  • URL
  • Hostname
  • IP Address
Script Result
| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Remove From Whitelist

Removes a URL/Domain/IP from the white-listed URLs.

Parameters

N/A

Run On

This action runs on the following entities:

  • URL
  • Hostname
  • IP Address
Script Result
| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.