Zscaler Custom Response Integration

Before going through this article, check our Out-of-the-box App Integrations category. This is the recommended way to integrate the components of your cybersecurity stack with Lumu. If the product you are looking to integrate is there, it is advised to use that integration instead.

This article shows how to leverage the Lumu Defender API together with Zscaler's URL filtering API to build a response integration.

Figure: Lumu Event API data collection configuration

Requirements

  1. Lumu Defender API key.
  2. Scripting host with Python v3.6+.
  3. Zscaler user with the admin role.
  4. Zscaler API key.
  5. Script package.
  6. Contact the Lumu support team to request the package we created to deploy the required files.

Deploy the script

First, contact the Lumu support team to request the package we created to deploy the required files.

Script location

Unpack the package provided by Lumu in your preferred path/folder. Keep this location in mind, as it will be required for further configuration. From now on, we will refer to this folder as <zscaler_lumu_root>.

Install requirements

The file requirements.txt contains the list of dependencies for this script. After deploying the package locally, run the following command from the deployment folder:

[sudo] pip install -r ./requirements.txt

Script details

To use the script, head to the path selected for deployment (<zscaler_lumu_root>). Use the following command to show all options available for the package:

python zscaler_response.py --help

Usage: zscaler_response.py [options]

Options                              Description
-h, --help                           show this help message and exit
--config CONFIG                      Load options from a config file.
--proxy-host PROXY_HOST              Proxy host (if required).
--proxy-port PROXY_PORT              Proxy port (if required).
--proxy-user PROXY_USER              Proxy user (if required).
--proxy-password PROXY_PASSWORD      Proxy password (if required).
--company_key COMPANY_KEY            Lumu Company Key (Defender API).
--url URL                            Zscaler region access URL (default zscalerbeta).
--user-name USERNAME                 Username of the Zscaler user with the admin role.
--password PASSWORD                  Password of the Zscaler user.
--api-key API_KEY                    API key generated in the Zscaler portal.
--category-name                      Name of the Zscaler policy category.
--delete-category                    Remove the existing category from the Zscaler policy so that it is updated with only the new IoCs.
--logging {screen,file}              Logging option (default screen).
--verbose, -v                        Verbosity level.
--time_days TIME                     Days to search adversaries.

Usage examples

By default
Use the following command to fetch all adversaries detected by Lumu in the last 7 days and push them to Zscaler:

python zscaler_response.py --url <region access (Default zscalerbeta)> --user-name <user name of zscaler with admin role> --password <password_zscaler> --company-key <company_api_key>

Each time the script runs, it overwrites the existing block entries, and the blocks are enforced on web access.
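The following is an added example, not the Lumu script from the package nor Zscaler's or Lumu's API code. It models the workflow the article describes with constructed sample data and an in-memory stand-in for the Zscaler category, so it runs offline: select the adversaries Lumu reported within the last N days (the --time_days window, 7 by default), normalize URLs, hostnames and IPs into deduplicated category entries, and compute the entry list either by merging with what is already in the category or by rebuilding it from the new IoCs only (the --delete-category behaviour). The record field names, the sample indicators and the fixed clock are assumptions for illustration; the real Defender API schema and the Zscaler category API calls are not shown.

```python
# Added example (not Lumu's or Zscaler's code): models the response workflow in
# this article using constructed data and an in-memory category, so it runs offline.
# Record field names (indicator, lastContact) are assumptions, not the real schema.
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample of adversary records, in the shape a Lumu query might return.
SAMPLE_ADVERSARIES = [
    {"indicator": "http://malicious.example/login.php", "lastContact": "2024-05-20T10:00:00Z"},
    {"indicator": "MALICIOUS.EXAMPLE", "lastContact": "2024-05-21T08:30:00Z"},  # same host, different form
    {"indicator": "https://c2.example:8443/beacon", "lastContact": "2024-05-10T00:00:00Z"},  # outside 7-day window
    {"indicator": "198.51.100.7", "lastContact": "2024-05-22T12:00:00Z"},  # bare IP (documentation range)
    {"indicator": "not a valid indicator", "lastContact": "2024-05-22T12:00:00Z"},  # unusable, must be dropped
]

# Fixed clock (assumption) so the time window is reproducible.
NOW = datetime(2024, 5, 22, 23, 59, tzinfo=timezone.utc)


def normalize(indicator: str):
    """Reduce an indicator (URL, hostname or IP) to the lowercase host form a
    custom URL category entry uses; return None when nothing usable is found."""
    value = indicator.strip().lower()
    if "://" in value:
        host = urlparse(value).hostname  # drops scheme, port, path
    else:
        host = value.split("/")[0].split(":")[0] or None
    if host is None or " " in host or "." not in host:
        return None
    return host


def select_recent(adversaries, days, now=NOW):
    """Keep the hosts of records whose last contact falls within the last
    `days` days, mirroring the script's --time_days window."""
    cutoff = now - timedelta(days=days)
    hosts = set()
    for record in adversaries:
        seen = datetime.strptime(record["lastContact"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if seen < cutoff:
            continue
        host = normalize(record["indicator"])
        if host:
            hosts.add(host)
    return sorted(hosts)


def build_category_entries(existing, new_hosts, delete_category: bool):
    """Compute the entry list to push to the Zscaler category.
    delete_category=True rebuilds the category from the new IoCs only
    (--delete-category); otherwise new IoCs are merged into existing entries."""
    if delete_category:
        return sorted(set(new_hosts))
    return sorted(set(existing) | set(new_hosts))


def run(adversaries, existing_entries, days=7, delete_category=False):
    """End-to-end: select recent adversaries, then produce the category entries."""
    return build_category_entries(existing_entries, select_recent(adversaries, days), delete_category)


if __name__ == "__main__":
    existing = ["old-threat.example"]  # constructed: what the category held before this run
    print("merge  :", run(SAMPLE_ADVERSARIES, existing))
    print("replace:", run(SAMPLE_ADVERSARIES, existing, delete_category=True))
```

Widening the window (for example days=30) pulls in the older c2.example record, which is the effect of raising --time_days; the replace path is what keeps the category from accumulating stale entries across runs.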

Expected results

After running the script, all queried adversaries will be pushed into the Zscaler Portal. In Policy -> URL & Cloud App Control you should see the rule list created with URL Categories.

Figure: Rule list created with URL Categories

In Administration -> URL Categories you should see the category list created.

Figure: Category list, in detail

When any user tries to access a URL in the list, the browser will show this message:

Figure: Forbidden URL message through policy enforcement

Troubleshooting

To troubleshoot failures in the script execution, run it with the -v flag to raise the verbosity level of its output.