ZScaler Sandbox Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Detail | Value |
---|---|
Current Integration Version | 1.1.0 |
Compatible with ThreatQ Versions | >= 4.20.0 |
Support Tier | ThreatQ Supported |
Introduction
The ThreatQuotient Zscaler Sandbox Operation runs and analyzes files in a virtual environment to detect malicious behavior. Zscaler propagates the hash of each malicious file to all Zscaler Enforcement Nodes (ZENs) throughout the cloud, effectively maintaining a real-time blacklist that prevents users anywhere in the world from downloading those files.
The operation provides the following actions:
- Sandbox Report - creates an authenticated session to Zscaler and retrieves the report for the MD5 hash.
- Export IOC - creates an authenticated session to Zscaler and exports the current IOC to Zscaler's blacklist.
The operation is compatible with MD5, FQDN, and URL Indicator types.
Prerequisites
Review the following requirements before attempting to install the operation.
Configure ZScaler for Malware File Submission
Perform the following steps to enable submission of files to the sandbox.
Forward Traffic
In order to submit files to the sandbox, the internet traffic of the computer from which the submission is performed needs to be forwarded to Zscaler. See the steps in the link below to set up traffic forwarding for macOS or Windows.
https://help.zscaler.com/zia/documentation-knowledgebase/traffic-forwarding/zscaler-app
The following items will be needed for logging in to the Zscaler traffic forwarding app:
- Hostname: The hostname of the ZScaler sandbox instance.
- Username: The ZScaler provided username.
- Password: The password associated with the username listed above.
- API key: The API access key provided by ZScaler.
Submit Files to ZScaler
After the traffic has been forwarded to ZScaler, log into the app, and go to the following location to manually submit files for detonation: http://filecheck.zscaler.com/
There is no officially documented API endpoint for detonating files in the sandbox, but it is possible to use curl for submission. The following is an example of submitting a malware sample called Anti_EXE_BOOT.IMA to the sandbox using curl:
curl -F "data=@/PATH/TO/MALWARE/AntiExe.A/Anti_EXE_BOOT.IMA" "http://filecheck.zscaler.com/app/upload?timestamp_load=1554921279087&timestamp_upload=1554921285485&name=o_2d8462s6sceqndc11d811cuq7s7.IMA" -v
There are three parameters in the URL that are needed:
Parameter | Description |
---|---|
timestamp_load | Time since epoch in milliseconds (on CentOS use date +%s%3N ). |
timestamp_upload | Time since epoch in milliseconds (should be larger than timestamp_load). |
name | A unique file name. It appears that the original filename is changed to a long string which always starts with "o_", while the extension remains the same as the extension of the file passed to curl. |
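The following is an added example, not ThreatQuotient's or Zscaler's code, that assembles the three URL parameters from the table above and produces the same curl invocation as an argument list, so that paths containing quotes or spaces cannot break out of the command. The "o_" plus random-string naming follows the guide's observation; the exact scheme Zscaler uses is not documented, so that part is an assumption. With dry_run=True nothing is sent.

```python
"""Build the manual Zscaler sandbox upload request described in the guide.
Added example (not ThreatQuotient's or Zscaler's own code)."""
import re
import secrets
import shlex
import subprocess
import time
from pathlib import Path

UPLOAD_ENDPOINT = "http://filecheck.zscaler.com/app/upload"  # from the guide


def now_ms() -> int:
    """Milliseconds since the Unix epoch (the value `date +%s%3N` prints on CentOS)."""
    return int(time.time() * 1000)


def make_upload_name(path: str) -> str:
    """Unique upload name: 'o_' prefix, random hex, original extension preserved.
    Assumption: the guide only observes this shape; Zscaler's real rule is undocumented."""
    suffix = Path(path).suffix  # '' when the file has no extension
    return f"o_{secrets.token_hex(12)}{suffix}"


def build_upload_url(timestamp_load: int, timestamp_upload: int, name: str) -> str:
    """Assemble the three required query parameters, enforcing the ordering the guide states."""
    if timestamp_upload <= timestamp_load:
        raise ValueError("timestamp_upload must be larger than timestamp_load")
    # Only allow names of the observed shape so nothing else can be injected into the query.
    if not re.fullmatch(r"o_[A-Za-z0-9]+(\.[A-Za-z0-9]+)?", name):
        raise ValueError(f"unexpected upload name: {name!r}")
    return (f"{UPLOAD_ENDPOINT}?timestamp_load={timestamp_load}"
            f"&timestamp_upload={timestamp_upload}&name={name}")


def build_curl_argv(path: str, timestamp_load: int, timestamp_upload: int, name: str) -> list:
    """The guide's curl command as an argv list (no shell quoting involved)."""
    url = build_upload_url(timestamp_load, timestamp_upload, name)
    return ["curl", "-F", f"data=@{path}", url, "-v"]


def submit_file(path: str, dry_run: bool = True) -> list:
    """Take the two timestamps around the upload and either print or run curl."""
    t_load = now_ms()
    name = make_upload_name(path)
    t_upload = max(now_ms(), t_load + 1)  # guarantee strictly increasing timestamps
    argv = build_curl_argv(path, t_load, t_upload, name)
    if dry_run:
        print(shlex.join(argv))
    else:
        subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    # Constructed path for illustration only; dry_run=True sends nothing.
    submit_file("/PATH/TO/MALWARE/AntiExe.A/Anti_EXE_BOOT.IMA")
```

Because `build_upload_url` rejects an upload timestamp that is not strictly greater than the load timestamp and only accepts names of the observed `o_` shape, a scripted submission fails fast instead of sending a request the portal would reject.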
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter | Description |
---|---|
Hostname | The hostname of the ZScaler Sandbox instance. |
Username | Your ZScaler username. |
Password | The password associated with the username above. |
API Key | The API access key provided by ZScaler. |
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
Actions
The operation provides the following actions:
Action | Description | Object Type | Object Subtype |
---|---|---|---|
Sandbox Report | Creates an authenticated session to Zscaler and retrieves the report for the MD5 hash. | Indicator | MD5 |
Export IOC | Creates an authenticated session to Zscaler and exports the current IOC to Zscaler's blacklist. | Indicator | FQDN, URL |
Sandbox Report
The Zscaler sandbox service runs and analyzes files in a virtual environment to detect malicious behavior. It propagates the hash of each malicious file to all Zscaler Enforcement Nodes (ZENs) throughout the cloud, effectively maintaining a real-time blacklist that prevents users anywhere in the world from downloading those files.
Currently, the malware files can only be submitted manually via the portal http://filecheck.zscaler.com/. See the Prerequisites chapter for more details.
The ThreatQ operation searches Zscaler for the MD5 of files that have already been scanned by the sandbox and brings back into ThreatQ the results of the malware analysis.
GET https://zsapi.zscalerbeta.net/api/v1/sandbox/report/<MD5 value>?details=summary
Sample Response:
{
"additionalProp1": {},
"additionalProp2": {},
"additionalProp3": {}
}
Action Parameters
The Sandbox Report action has the following configuration parameter:
Parameter | Description |
---|---|
Sandbox Report Detail | Select if requested report is a summary or has full details. |
Export IOC
The Export IOC action formats and exports the selected URL to Zscaler's URL blacklist.
POST https://zsapi.zscalerbeta.net/api/v1/security/advanced/blacklistUrls?action=ADD_TO_LIST
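The following added example (not ThreatQuotient's or Zscaler's own code) builds the two requests the guide lists, the Sandbox Report GET above and the Export IOC POST, and validates each indicator before it is placed in a URL path or request body: an MD5 must be exactly 32 hex digits, and an exported IOC must be an FQDN or an http(s) URL with a valid host. It assumes an already authenticated session (passed in as a cookie header; obtaining it is not shown) and assumes the ADD_TO_LIST body has the shape {"blacklistUrls": [...]}, which the guide does not state. The hostnames in the test are constructed.

```python
"""Build and validate the Sandbox Report and Export IOC requests from the guide.
Added example (not ThreatQuotient's or Zscaler's own code)."""
import ipaddress
import json
import re
import urllib.request
from typing import Optional, Tuple
from urllib.parse import urlparse

API_BASE = "https://zsapi.zscalerbeta.net/api/v1"  # from the guide's endpoints

MD5_RE = re.compile(r"[0-9a-fA-F]{32}")
# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"(?:{LABEL}\.)+[A-Za-z]{{2,63}}")


def build_report_request(md5: str, detail: str = "summary") -> Tuple[str, str, None]:
    """Sandbox Report: GET .../sandbox/report/<MD5>?details=summary|full.
    fullmatch() guarantees only 32 hex digits ever reach the URL path."""
    if not MD5_RE.fullmatch(md5):
        raise ValueError(f"not an MD5 hash: {md5!r}")
    if detail not in ("summary", "full"):
        raise ValueError("detail must be 'summary' or 'full'")
    return ("GET", f"{API_BASE}/sandbox/report/{md5.lower()}?details={detail}", None)


def _valid_host(host: str) -> bool:
    """Accept a well-formed FQDN or a literal IP address; reject everything else."""
    if len(host) > 253:
        return False
    if FQDN_RE.fullmatch(host):
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_exportable_ioc(value: str) -> bool:
    """True for an FQDN or an http(s) URL whose hostname is valid (the object
    subtypes the Export IOC action accepts)."""
    if _valid_host(value):
        return True
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.hostname) and _valid_host(parsed.hostname)


def build_blacklist_request(iocs: list) -> Tuple[str, str, bytes]:
    """Export IOC: POST .../security/advanced/blacklistUrls?action=ADD_TO_LIST.
    Assumption: the body is {"blacklistUrls": [...]}; the guide shows only the endpoint."""
    rejected = [v for v in iocs if not is_exportable_ioc(v)]
    if rejected:
        raise ValueError(f"values that are neither FQDN nor URL: {rejected}")
    body = json.dumps({"blacklistUrls": sorted(set(iocs))}).encode()
    return ("POST", f"{API_BASE}/security/advanced/blacklistUrls?action=ADD_TO_LIST", body)


def send(method: str, url: str, body: Optional[bytes], session_cookie: str) -> dict:
    """Hypothetical network helper: send one request using an existing session cookie."""
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Content-Type", "application/json")
    req.add_header("Cookie", session_cookie)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Rejecting malformed values before the request is built matters more for the report action than it first appears: the MD5 is interpolated directly into the URL path, so a stray `../` or query fragment in an indicator value would change which endpoint the session hits.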
Change Log
- Version 1.1.0
- Added new action: Export IOC.
- Version 1.0.0
- Initial release
PDF Guides
Document | ThreatQ Version |
---|---|
ZScaler Sandbox Operation Guide v1.1.0 | 4.20 or Greater |
ZScaler Sandbox Operation Guide v1.0.0 | 4.20 or Greater |