Zscaler-Oauth2-UnblacklistURL

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook enables automated removal of URLs from the Zscaler Internet Access (ZIA) blacklist when triggered by Microsoft Sentinel incidents. It uses OAuth2 authentication to securely communicate with the Zscaler API and remove URLs from the advanced threat protection blacklist.

Attribute	Value
Type	Playbook
Solution	Zscaler Internet Access
Source	View on GitHub

Logic App Connectors

This playbook uses 4 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	0
`azuresentinel_1`	Managed	0	1
`http`	Built-in	0	1
`workflow`	Built-in	0	1

Action parameters (URLs, paths, function IDs)

`azuresentinel_1` (Managed)

Action	Method	Endpoint	Other
Entities_-_Get_URLs	post	`/entities/url`	—

`http` (Built-in)

Action	Method	Endpoint	Other
HTTP	POST	`https://api.zsapi.net/zia/api/v1/security/advanced/blacklistUrls?action=REMOVE_FROM_LIST`	—

`workflow` (Built-in)

Action	Method	Endpoint	Other
Zscaler-Oauth2-Authentication	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/Zscaler-Oauth2-Authentication')]` triggerName=`manual`

Additional Documentation

📄 Source: Oauth2UnblacklistURL/readme.md

Zscaler OAuth2 Unblacklist URL Playbook

Overview

The Zscaler-Oauth2-UnblacklistURL playbook is designed to:

Automatically extract URL entities from Microsoft Sentinel incidents
Collect and deduplicate URLs from the incident
Authenticate with Zscaler ZIA using OAuth2 via the authentication playbook
Remove the URLs from the Zscaler advanced threat protection blacklist
Process all URLs in a single API call for efficiency

Prerequisites

Before deploying this playbook, ensure you have:

A Zscaler Internet Access (ZIA) subscription with API access enabled
The Zscaler-Oauth2-Authentication playbook deployed in the same resource group
OAuth2 client credentials (Client ID and Client Secret) configured in Azure Key Vault
Appropriate permissions to deploy Azure Logic Apps

Deployment

Click the button below to deploy the Zscaler-Oauth2-UnblacklistURL playbook to your Azure environment:

Post-Deployment Configuration

After deployment, complete the following steps:

Authorize API Connections
- Navigate to the Logic App in the Azure portal
- Go to API connections and authorize the Microsoft Sentinel connection
- Ensure the managed identity has appropriate permissions
Grant Required Permissions
- Assign the Logic App managed identity the "Microsoft Sentinel Responder" role on your workspace
- Verify the Zscaler-Oauth2-Authentication playbook is deployed and accessible
Configure Zscaler API URL (Optional)
- The default Base URL is "zsapi.zscaler.net/api/v1"
- To change, edit the playbook and update the "Define_Base_URL" action
Configure Automation Rules
- Create automation rules in Microsoft Sentinel to trigger this playbook
- Configure rules to run on incidents containing URL entities that need to be unblocked

Parameters

Parameter	Description	Default Value
PlaybookName	Name of the Logic App	Zscaler-Oauth2-UnblacklistURL

Workflow

Triggered by Microsoft Sentinel incident creation
Initializes an empty array to collect URLs
Extracts URL entities from the incident
For each URL entity, parses and appends the URL to the collection array
Initializes the Zscaler API Base URL variable
Calls the Zscaler-Oauth2-Authentication playbook to obtain an access token
Deduplicates the URL list using union operation
Joins all URLs into a comma-separated format
Constructs the JSON request body with the blacklistUrls array
Makes a single API call to remove all URLs from the blacklist (/security/advanced/blacklistUrls?action=REMOVE_FROM_LIST)

Learn More