Zscaler OAuth2 Lookup IP
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook looks up IP categorization information from Zscaler using OAuth2 authentication.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Zscaler Internet Access |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 1 |
http |
Built-in | 0 | 1 |
workflow |
Built-in | 0 | 1 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_IPs | post | /entities/ip |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| HTTP_Lookup_IP | POST | https://api.zsapi.net/zia/api/v1/urlLookup |
— |
workflow (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| zscaler | — | — | workflowId=[variables('ZscalerAuthenticationFlow')]triggerName= manual |
Additional Documentation
📄 Source: Oauth2LookupIP/readme.md
This playbook enables automated IP address classification lookup in Zscaler Internet Access (ZIA) when triggered by Microsoft Sentinel incidents. It uses OAuth2 authentication to securely query the Zscaler API and retrieve URL category information for IP addresses found in incidents.
Overview
The Zscaler-Oauth2-LookupIP playbook is designed to:
- Automatically extract IP entities from Microsoft Sentinel incidents
- Authenticate with Zscaler ZIA using OAuth2 via the authentication playbook
- Query Zscaler's URL lookup API to retrieve classification information for each IP
- Return URL classifications and security alert categories for enrichment purposes
Prerequisites
Before deploying this playbook, ensure you have:
- A Zscaler Internet Access (ZIA) subscription with API access enabled
- The Zscaler-Oauth2-Authentication playbook deployed in the same resource group
- OAuth2 client credentials (Client ID and Client Secret) configured in Azure Key Vault
- Appropriate permissions to deploy Azure Logic Apps
Deployment
Click the button below to deploy the Zscaler-Oauth2-LookupIP playbook to your Azure environment:
Post-Deployment Configuration
After deployment, complete the following steps:
Authorize API Connections
- Navigate to the Logic App in the Azure portal
- Go to API connections and authorize the Microsoft Sentinel connection
- Ensure the managed identity has appropriate permissions
Grant Required Permissions
- Assign the Logic App managed identity the "Microsoft Sentinel Responder" role on your workspace
- Verify the Zscaler-Oauth2-Authentication playbook is deployed and accessible
Configure Zscaler API URL (Optional)
- The default Base URL is "zsapi.zscaler.net/api/v1"
- To change, edit the playbook and update the "Initialize_variable" action for BaseURL
Configure Automation Rules
- Create automation rules in Microsoft Sentinel to trigger this playbook
- Configure rules to run on incidents containing IP entities
Parameters
| Parameter | Description | Default Value |
|---|---|---|
| PlaybookName | Name of the Logic App | Zscaler-Oauth2-LookupIP |
Workflow
- Triggered by Microsoft Sentinel incident creation
- Extracts IP entities from the incident
- Initializes the Zscaler API Base URL variable
- Calls the Zscaler-Oauth2-Authentication playbook to obtain an access token
- For each IP address, queries the Zscaler URL lookup API (
/urlLookup) - Parses the response containing:
url: The queried IP addressurlClassifications: Array of URL category classificationsurlClassificationsWithSecurityAlert: Security-related classifications
- IPs are processed sequentially (concurrency set to 1) for reliable execution
Learn More
- Zscaler API Documentation
- URL Lookup API
- API Developers Guide: Getting Started
- Microsoft Sentinel Playbooks
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊