Security Incident Response integration with Zscaler

  • Release version: Xanadu
  • Updated August 1, 2024

    You can use the Security Incident Response integration with Zscaler product to connect your Zscaler Internet Access (ZIA) logs with the ServiceNow AI Platform. This integration enables you to view dashboards, create custom alerts, and investigate security incidents.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Overview

    The Zscaler internet and web gateway product is delivered from the cloud. It provides key data points and insights into your enterprise security environment. Security Incident Response integration with Zscaler connects the Zscaler Internet Access product with your ServiceNow AI Platform instance. By using the Zscaler product on the ServiceNow AI Platform, you gain more insight into your organization’s internet usage.

    Key features of the integration

    This integration includes the following key features:
    • Reputation lookup of observables against the global threat library that the Zscaler product maintains.
      Note:
      The Zscaler global threat library lists threats by trends, country of origin, target destination, volume, and various threat categories. This global threat library enables you to investigate your observables against the global threat landscape.
    • Maintenance of observables in a block list or allow list on the Zscaler product.
    • Ability to fetch and review sandbox reports from the Zscaler product for an MD5 hash. The Cloud Sandbox feature in the Zscaler product runs and analyzes files in a virtual environment to detect malicious behavior.
    • Security alerts from Patient 0 events that are generated in the Zscaler product when a user downloads an unknown malicious file.
    • Multiple URL category lists that act as block lists or allow lists as defined in the Zscaler product.
    • ServiceNow AI Platform security incidents that can be tagged to identify the URL category that the observables are added to.
    • Expiration periods that limit the size of the URL category lists by automatically expiring or removing older entries.
    • Approval workflow for adding and removing observables from the URL category lists.
    • URL category entries that can be linked to observable records and security incidents, including threat intelligence results and details about why an entry is blocked.

    Learn about this integration

    • Zscaler product documentation website: Zscaler Product Documentation website
    • ServiceNow product documentation website: ServiceNow Product Documentation website