Zscaler Analyzer

[xg5-simon]

Zscaler Analyzer

Request Type

Analyzer

Work Environment

NA

Question	Answer
OS version (server)	NA
OS version (client)	NA
Cortex Analyzer Name	Zscaler Analyzer
Cortex Analyzer Version	1.2
Cortex Version	1.14.x
Browser type & version	NA

Description

Beta version of a Zscaler Analyzer released. This analyzer requires a valid Zscaler subscription, ZIA API key and user account. Attempted to keep the analyzer inline with the Fortinet Analyzer where malicious and suspicious categories are configurable.

Supports the following dataTypes:

• domain
• fqdn
• ip

Complementary information

https://github.com/xg5-simon/Zscaler-Cortex-Analyzer

[kx499-zz]

Whats the possibility we could get this merged in? Does it need any work or changes? Be happy to make it happen

[xg5-simon]

Needs to be tested with the latest version of Cortex. Feel free to submit it to the official repo. The only thing I can change it it right now is the license.

…

Sent from my iPhone

On 20 Apr 2020, at 08:33, kx499 ***@***.***> wrote:  Whats the possibility we could get this merged in? Does it need any work or changes? Be happy to make it happen — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.

[kx499-zz]

Will do

[Tux-Panik]

Hi,

I tested it today and I reach an "Invalid output" error message:
I tried using a domain name and an IP address too.

I'm using Cortex v2.1.3-1 in a Docker.
Files permissions are OK.

Did you face this issue?
Thanks in advance.
Kind regards,

[nsmfoo]

Hi,

I have verified this analyser running Cortex 3.1.1.

It works very well!

I did however make 3 very small changes

• Zscaler.json: edit the "command" row to look like this: "Zscaler-Cortex-Analyzer/zscaler_analyzer.py"
• zscaler_analyzer.py: edit the first row from "python" to "python3"
• zscaler_analyzer.py: edit the row with "now = str(long(time.time() * 1000))" to look like this: "now = str(int(time.time() * 1000))"

So with these changes, maybe it's time to commit this analyzer =)

I can send a PR for the updates if needed, just let me know

[xg5-simon]

Feel free to fork and submit the analyser to TheHive project. I’m not working in this space anymore. Glad it works for you!

…

On 6 Apr 2021, at 21:46, Mikael Keri ***@***.***> wrote:  Hi, I have verified this analyser running Cortex 3.1.1. It works very well! I did however make 3 very small changes Zscaler.json: edit the "command" row to look like this: "Zscaler-Cortex-Analyzer/zscaler_analyzer.py" zscaler_analyzer.py: edit the first row from "python" to "python3" zscaler_analyzer.py: edit the row with "now = str(long(time.time() * 1000))" to look like this: "now = str(int(time.time() * 1000))" So with these changes, maybe it's time to commit this analyzer =) I can send a PR for the updates if needed, just let me know — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.

[nsmfoo]

@xg5-simon Ok will do, thank you for writing it in the first place =)

[xg5-simon]

I’ll dig up the responder to block/allow urls for you.

…

On 7 Apr 2021, at 17:28, Mikael Keri ***@***.***> wrote:  @xg5-simon Ok will do, thank you for writing it in the first place =) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

[nsmfoo]

Greatly appreciated =)

[jhk70]

I’ll dig up the responder to block/allow urls for you.
…
On 7 Apr 2021, at 17:28, Mikael Keri @.***> wrote:  @xg5-simon Ok will do, thank you for writing it in the first place =) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

Hi xg5-simon. Apols for jumping in on this thread but were you able to track down the responder? Would be great to get that added. Thanks

[xg5-simon]

@nsmfoo & @jhk70 Here you go. Might need some tweaking or updating.
Zscaler.zip