Zscaler OAuth2 Block IP

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook blocks IP addresses in Zscaler by adding them to a category using OAuth2 authentication.

Attribute	Value
Type	Playbook
Solution	Zscaler Internet Access
Source	View on GitHub

Logic App Connectors

This playbook uses 3 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	2
`http`	Built-in	0	2
`workflow`	Built-in	0	1

Action parameters (URLs, paths, function IDs)

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Entities_-_Get_IPs	post	`/entities/ip`	—
Add_comment_to_incident_(V3)	post	`/Incidents/Comment`	—

`http` (Built-in)

Action	Method	Endpoint	Other
HTTP_Add_IP	PUT	`https://api.zsapi.net/zia/api/v1/urlCategories/@{variables('Category')}?action=ADD_TO_LIST`	—
HTTP_Activate_Changes	POST	`https://api.zsapi.net/zia/api/v1/status/activate`	—

`workflow` (Built-in)

Action	Method	Endpoint	Other
zscaler	—	—	workflowId=`[variables('ZscalerAuthenticationFlow')]` triggerName=`manual`

Additional Documentation

📄 Source: Oauth2BlockIP/readme.md

This playbook enables automated IP blocking in Zscaler Internet Access (ZIA) when triggered by Microsoft Sentinel incidents. It uses OAuth2 authentication to securely communicate with the Zscaler API and add malicious IP addresses to a designated block category.

Overview

The Zscaler-Oauth2-BlockIP playbook is designed to:

Automatically extract IP entities from Microsoft Sentinel incidents
Authenticate with Zscaler ZIA using OAuth2 via the authentication playbook
Add malicious IP addresses to a specified Zscaler URL category for blocking
Process multiple IPs sequentially to ensure reliable API communication

Prerequisites

Before deploying this playbook, ensure you have:

A Zscaler Internet Access (ZIA) subscription with API access enabled
The Zscaler-Oauth2-Authentication playbook deployed in the same resource group
OAuth2 client credentials (Client ID and Client Secret) configured in Azure Key Vault
A block category created in Zscaler (default: "OTHER_MISCELLANEOUS")
Appropriate permissions to deploy Azure Logic Apps

Deployment

Click the button below to deploy the Zscaler-Oauth2-BlockIP playbook to your Azure environment:

Post-Deployment Configuration

After deployment, complete the following steps:

Authorize API Connections
- Navigate to the Logic App in the Azure portal
- Go to API connections and authorize the Microsoft Sentinel connection
- Ensure the managed identity has appropriate permissions
Grant Required Permissions
- Assign the Logic App managed identity the "Microsoft Sentinel Responder" role on your workspace
- Verify the Zscaler-Oauth2-Authentication playbook is deployed and accessible
Configure Block Category (Optional)
- The default category is "OTHER_MISCELLANEOUS"
- Update the parameter during deployment if you use a different category
Configure Zscaler Admin URL (Optional)
- The default is "https://admin.zscaler.net"
- Update the parameter for your Zscaler cloud instance
Configure Automation Rules
- Create automation rules in Microsoft Sentinel to trigger this playbook
- Configure rules to run on incidents containing IP entities

Parameters

Parameter	Description	Default Value
PlaybookName	Name of the Logic App	Zscaler-Oauth2-BlockIP
Zscaler OAuth2 Authentication Playbook	Name of the OAuth2 authentication playbook	Zscaler-Oauth2-Authentication
Zscaler Admin Url	Your Zscaler admin portal URL	https://admin.zscaler.net
Block Category	Zscaler URL category for blocking	OTHER_MISCELLANEOUS

Workflow

Triggered by Microsoft Sentinel incident creation
Extracts IP entities from the incident
Calls the Zscaler-Oauth2-Authentication playbook to obtain an access token
For each IP address, adds it to the configured Zscaler URL category using the API
IPs are processed sequentially (concurrency set to 1) for reliable execution

Learn More