Zscaler-Oauth2-WhitelistURL
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This playbook enables automated addition of URLs to the Zscaler Internet Access (ZIA) security whitelist when triggered by Microsoft Sentinel incidents. It uses OAuth2 authentication to securely communicate with the Zscaler API and add URLs to the allow list while preserving existing whitelist entries.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Zscaler Internet Access |
| Source | View on GitHub |
Additional Documentation
📄 Source: Oauth2WhitelistURL/readme.md
Zscaler OAuth2 Whitelist URL Playbook
This playbook enables automated addition of URLs to the Zscaler Internet Access (ZIA) security whitelist when triggered by Microsoft Sentinel incidents. It uses OAuth2 authentication to securely communicate with the Zscaler API and add URLs to the allow list while preserving existing whitelist entries.
Overview
The Zscaler-Oauth2-WhitelistURL playbook is designed to:
- Automatically extract URL entities from Microsoft Sentinel incidents
- Authenticate with Zscaler ZIA using OAuth2 via the authentication playbook
- Retrieve the existing URL whitelist to preserve current entries
- Merge new URLs with the existing whitelist
- Update the security policy with the combined whitelist
Prerequisites
Before deploying this playbook, ensure you have:
- A Zscaler Internet Access (ZIA) subscription with API access enabled
- The Zscaler-Oauth2-Authentication playbook deployed in the same resource group
- OAuth2 client credentials (Client ID and Client Secret) configured in Azure Key Vault
- Appropriate permissions to deploy Azure Logic Apps
Deployment
Click the button below to deploy the Zscaler-Oauth2-WhitelistURL playbook to your Azure environment:
Post-Deployment Configuration
After deployment, complete the following steps:
-
Authorize API Connections - Navigate to the Logic App in the Azure portal - Go to API connections and authorize the Microsoft Sentinel connection - Ensure the managed identity has appropriate permissions
-
Grant Required Permissions - Assign the Logic App managed identity the "Microsoft Sentinel Responder" role on your workspace - Verify the Zscaler-Oauth2-Authentication playbook is deployed and accessible
-
Configure Zscaler API URL (Optional) - The default Base URL is "zsapi.zscalertwo.net/api/v1" - To change, edit the playbook and update the "Define_Base_URL" action for your Zscaler cloud instance
-
Configure Automation Rules - Create automation rules in Microsoft Sentinel to trigger this playbook - Configure rules to run on incidents containing URL entities that should be whitelisted
Parameters
| Parameter | Description | Default Value |
|---|---|---|
| PlaybookName | Name of the Logic App | Zscaler-Oauth2-WhitelistURL |
Workflow
- Triggered by Microsoft Sentinel incident creation
- Initializes temporary variables and empty URL collection array
- Extracts URL entities from the incident
- For each URL entity, parses and appends to the collection array
- Initializes the Zscaler API Base URL variable
- Calls the Zscaler-Oauth2-Authentication playbook to obtain an access token
- Retrieves the existing whitelist via GET request to
/security - Parses existing whitelist URLs and appends to the collection (if not null)
- Deduplicates the combined URL list using union operation
- Joins all URLs into a comma-separated format
- Constructs the JSON request body with the whitelistUrls array
- Updates the security policy via PUT request to
/securitywith the merged whitelist
Learn More
- Zscaler API Documentation
- Security Policy Settings API
- API Developers Guide: Getting Started
- Microsoft Sentinel Playbooks
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊