Integrate a Zscaler Internet Access On-Premises Device

Configure a Zscaler Internet Access on-premises device. IOCs are pushed from Threat Command to the device.

When IOCs are pushed to this device, only new IOCs that were discovered since the last push (the delta) are sent.

To receive IOCs, you use the Threat Command virtual appliance web interface to integrate the device with Threat Command, and then use Threat Command to configure an IOC group whose IOCs will be pushed to the device. IOC groups for ZIA devices can consist of the following types of IOCs: domains, URLs, and IP addresses.

Before you begin, ensure:

  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
  • You have the credentials to access the Threat Command virtual appliance web interface.
  • You have the credentials to access the device management console.
  • You have the Zscaler Internet Access API key (from the Zscaler Administration > API Key Management page).

Integrate a Zscaler Internet Access device

Use the Threat Command virtual appliance to integrate the Zscaler Internet Access (ZIA) device with Threat Command.

To integrate a ZIA device:

  1. From an internet browser, navigate to https://<virtual appliance IP address>

  2. Log in to the Threat Command virtual appliance using the web access username and password.

  3. From the Devices page, click Devices.

  4. Click Add new device.

  5. In the Devices screen, set up the new device:

    1. Type a user-defined, unique device name (for example, Zscaler_demo).
    2. Select the Zscaler Internet Access device type.
    3. Type values for User and Password.
      These should be the same values used to access the ZIA web management console.
    4. Paste the ZIA API key into the API Key field.
      Ensure that what is pasted is only the key, not other copied data.
    5. Type the URL or IP address of the ZIA machine:
      • URL/Domain: Type the domain with no additional fields (for example, admin.zscaler.net or https://admin.zscaler.net)
      • IP address: Type the IP address with no additional fields (for example, 198.XX.XX.XXX or https:// XXXXX)
    6. (Optional) You can test the connection by clicking Test connection.
    7. Click Create.
    8. Review and approve the device license agreement.
  6. Verify that the new device is displayed in the Threat Command platform:

    1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
    2. From the main menu, select Automation > Integrations.
      If this window is already open, refresh it by selecting Automation > Integrations from the menu.
      The new device is displayed in the On-Premises tab.

The following figure shows a newly added device in the Automation > Integrations window:
[Figure: newly added device in the On-Premises tab]

Configure an IOC group to push IOCs to the device

Once the Zscaler Internet Access (ZIA) device has been added and is synching with the Threat Command virtual appliance, it is ready to receive IOCs that are pushed from Threat Command. IOCs are pushed by creating an IOC group for this device in Threat Command.

Creating IOC groups is described here.

IOC groups for ZIA devices can consist of the following types of IOCs: domains, URLs, and IP addresses.

Verify that IOCs are being pushed to the device

You can verify that IOCs are being pushed to the ZIA device.

To verify IOCs:

  1. From the Threat Command main menu, select Automation > Integrations.
  2. Select the device.
  3. On an IOC group of the device, click the Information icon.
    The IOCs in the group are displayed.
  4. In the ZIA management console, select Administration > URL Categories.
    Rapid7 IOCs are displayed in the User-Defined section under the following name format:
    <DeviceName_IOCGroupName> (for example, zscaler_test1)
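
The check in step 4 can also be run against an export of the ZIA custom URL categories, comparing the category named <DeviceName_IOCGroupName> with the IOC group's contents. The following Python code is an added example, not Rapid7 or Zscaler code; the JSON field names (configuredName, customCategory, urls), the group name phishing, and all sample IOCs are assumptions constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample of exported ZIA custom URL categories.
# The field names configuredName, customCategory and urls are assumptions.
ZIA_CATEGORIES_JSON = """[
  {"configuredName": "Zscaler_demo_phishing", "customCategory": true,
   "urls": ["bad.example.com", "evil.example.net/login", "203.0.113.7"]},
  {"configuredName": "internal_allow", "customCategory": true,
   "urls": ["intranet.example.org"]}
]"""

# Constructed sample of the IOC group's contents (domains, URLs, IP addresses).
IOC_GROUP = ["Bad.Example.com", "https://evil.example.net/login",
             "203.0.113.7", "http://new.example.org/a?b=1"]


def normalize(ioc):
    """Reduce an IOC to a scheme-less form with a lowercase host for comparison."""
    ioc = ioc.strip()
    try:
        return str(ipaddress.ip_address(ioc))  # plain IP address
    except ValueError:
        pass
    parts = urlsplit(ioc if "://" in ioc else "//" + ioc)
    host = (parts.hostname or "").lower()
    if parts.port:
        host += ":" + str(parts.port)
    query = "?" + parts.query if parts.query else ""
    return host + parts.path.rstrip("/") + query


def check_push(categories, device_name, group_name, expected_iocs):
    """Return (found, missing, extra) for the category <DeviceName_IOCGroupName>."""
    wanted = f"{device_name}_{group_name}"
    match = [c for c in categories
             if c.get("customCategory") and c.get("configuredName") == wanted]
    expected = {normalize(i) for i in expected_iocs}
    if not match:  # category absent: nothing was pushed under this name
        return False, sorted(expected), []
    present = {normalize(u) for u in match[0].get("urls", [])}
    return True, sorted(expected - present), sorted(present - expected)


if __name__ == "__main__":
    cats = json.loads(ZIA_CATEGORIES_JSON)
    print(check_push(cats, "Zscaler_demo", "phishing", IOC_GROUP))
```

A non-empty missing list right after a change to the IOC group may only mean the next delta push has not run yet; entries that stay missing across pushes are the ones to investigate.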