This feature is in Early Access. Please contact your Red Canary customer success manager if you are a Zscaler customer interested in joining the waitlist.
The Red Canary Automation interface provides the following 10 response actions for Zscaler Internet Access:
Add IOC URLs to URL Category
Adds URLs/domains that are marked as indicators of compromise (IOCs) to the specified URL Category. Based on the URL Filtering policy applied to that category, use this action to block traffic, display a warning, enforce browser isolation, enforce conditional access, etc.
Remove IOC URLs from URL Category
Removes URLs/domains that are marked as indicators of compromise (IOCs) from the specified URL Category. Use this action to undo a previous “Add” action or remove a URL from a whitelisted category.
Add IOC IPs to Source IP Group
Adds source IP addresses that are marked as indicators of compromise (IOCs) to the specified Source IP Group. Based on the policies that apply to that group (firewall filtering rules, NAT rules, DNS rules, IPS Control policies, forwarding rules, DLP rules, URL filtering rules, or TLS Inspection rules), use this action to control your inbound/outbound traffic from the source IP.
Remove IOC IPs from Source IP Group
Removes source IP addresses that are marked as indicators of compromise (IOCs) from the specified Source IP Group. Use this action to undo a previous “Add” action or remove an IP address from a whitelisted group.
Add IOC IPs/Domains to Destination IP Group
Adds destination IP addresses or domains that are marked as indicators of compromise (IOCs) to the specified Destination IP Group. Based on the policies that apply to that group (firewall filtering rules, NAT rules, DNS rules, IPS Control policies, forwarding rules, or TLS Inspection rules), use this action to control your inbound/outbound traffic to and from the destination IP or domain.
Remove IOC IPs/Domains from Destination IP Group
Removes destination IP addresses or domains that are marked as indicators of compromise (IOCs) from the specified Destination IP Group. Use this action to undo a previous “Add” action or remove an IP/domain from a whitelisted group.
Add IOC File Hashes to the Deny list
Adds MD5 hashes that are marked as indicators of compromise (IOCs) to the Sandbox Deny list. Use this action to block download of known malicious files.
Remove IOC File Hashes from the Deny list
Removes MD5 hashes that are marked as indicators of compromise (IOCs) from the Sandbox Deny list. Use this action to undo a previous “Add” action.
Add IOC File Hashes to the Allow list
Adds MD5 hashes that are marked as indicators of compromise (IOCs) to the Sandbox Allow list. Use this action to whitelist known good files.
Remove IOC File Hashes from the Allow list
Removes MD5 hashes that are marked as indicators of compromise (IOCs) from the Sandbox Allow list. Use this action to undo a previous “Add” action or remove a file hash from the whitelist.
Prerequisites
You have an active Red Canary Zscaler OneAPI integration configured.
Adding Zscaler Internet Access Response Actions to a Playbook
To add one or more Zscaler Internet Access response actions to an Automate playbook:
From the Red Canary portal navigation menu, select Automation > Playbooks.
In the Playbooks section, open an existing Automate playbook or make a new one by clicking +Create New Playbook.
Assign or edit the playbook name and description, then click +Add Action.
From the Zscaler Internet Access section, add the required action to the playbook.
Enter the target ZIA Integration.
If needed, select the target URL Category, Source IP Group, or Destination IP Group.
[OPTIONAL] Check the Require Approval box and provide contact details if you want someone to approve this action before it executes. This will apply to both manual and automatically-triggered executions.
Click Save.
Manually Executing the Response Actions
To execute the Zscaler Internet Access response actions manually:
Open the playbook and click Run.
Search for the threat in the dropdown list then click Run.
Click the Follow along… link to view the results of the action.
If you set the action to Require Approval, you’ll need to approve it before it can execute.
Automatically Executing the Response Actions
To execute the Zscaler Internet Access response actions automatically, link an appropriate trigger to the playbook. For more information, see Customize When a Playbook is Run With Triggers.
FAQs
When should I use URL Category versus Destination IP Group?
Use URL Category actions when you need to target specific URLs (rather than entire domains), and when you need to target web traffic (HTTP/HTTPS) exclusively. Use Destination IP Group actions when you need to target IP addresses or entire domains, or when you need to block all network traffic (not just web traffic).
When should I use Source IP Group versus Destination IP Group?
Use Source IP Group actions when you need to target an endpoint within your organization. Use Destination IP Group actions when you need to target an endpoint on the internet.
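The routing decisions described in the action list and in the two FAQ answers above, written out as an added example (this is not Red Canary's or Zscaler's code and it does not call the Zscaler OneAPI; it only decides which response action each indicator belongs to). The internal network ranges, the action-name constants, the constructed sample indicators, and the rule that a bare scheme-plus-host is treated as a whole domain rather than a specific URL are all assumptions of the example. It also rejects what the actions cannot take as listed on this page: non-MD5 hashes for the Sandbox Deny list, and CIDR ranges where the IP group actions expect individual addresses.

```python
"""Route IOCs to the ZIA response actions listed on this page.
Added example (not Red Canary/Zscaler code); it only chooses the action."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Action names copied from this page's headings; used as labels only.
ACTION_URL_CATEGORY = "Add IOC URLs to URL Category"
ACTION_SOURCE_IP_GROUP = "Add IOC IPs to Source IP Group"
ACTION_DEST_IP_GROUP = "Add IOC IPs/Domains to Destination IP Group"
ACTION_DENY_LIST = "Add IOC File Hashes to the Deny list"

_HEX = r"[0-9a-fA-F]"
_MD5_RE = re.compile(_HEX + "{32}")
_OTHER_HASH_RE = re.compile(f"{_HEX}{{40}}|{_HEX}{{64}}")  # SHA-1 / SHA-256
_DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}")
# Assumed: the address space that counts as "inside your organization" (FAQ 2).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Routed:
    ioc: str     # normalised indicator, as it would be submitted
    kind: str    # "url", "domain", "ip" or "md5"
    action: str  # response action to use in the playbook


def classify(raw: str, internal_nets=INTERNAL_NETS) -> Routed:
    # Refang the notation threat reports use (hxxp://, [.]) before parsing.
    value = raw.strip().replace("hxxp", "http").replace("[.]", ".")
    if _MD5_RE.fullmatch(value):
        return Routed(value.lower(), "md5", ACTION_DENY_LIST)
    if _OTHER_HASH_RE.fullmatch(value):  # the Sandbox lists take MD5 only
        raise ValueError(f"Deny list takes MD5 only: {raw!r}")
    if "://" not in value and "/" in value:
        try:  # a CIDR range is not one address; expand it before adding
            ipaddress.ip_network(value, strict=False)
        except ValueError:
            pass
        else:
            raise ValueError(f"CIDR range, expand to addresses first: {raw!r}")
    if "://" in value or "/" in value:
        # A specific URL goes to a URL Category (FAQ 1); a bare scheme+host is
        # treated as a whole domain instead (assumption of this example).
        url = value if "://" in value else "http://" + value
        parts = urlsplit(url)
        if parts.path not in ("", "/") or parts.query or parts.fragment:
            return Routed(url, "url", ACTION_URL_CATEGORY)
        value = parts.hostname or ""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None:  # your own endpoint vs. one on the internet (FAQ 2)
        inside = any(addr in net for net in internal_nets)
        return Routed(str(addr), "ip", ACTION_SOURCE_IP_GROUP if inside else ACTION_DEST_IP_GROUP)
    host = value.lower().rstrip(".")
    if _DOMAIN_RE.fullmatch(host):
        return Routed(host, "domain", ACTION_DEST_IP_GROUP)
    raise ValueError(f"unrecognised indicator: {raw!r}")


def plan(iocs, internal_nets=INTERNAL_NETS):
    """Group indicators per action (de-duplicated) and collect the rejects."""
    grouped: dict[str, list[str]] = {}
    rejected: list[tuple[str, str]] = []
    for raw in iocs:
        try:
            r = classify(raw, internal_nets)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        bucket = grouped.setdefault(r.action, [])
        if r.ioc not in bucket:
            bucket.append(r.ioc)
    return grouped, rejected


# Constructed sample (reserved example names/ranges, not real indicators).
SAMPLE_IOCS = [
    "hxxps://malware[.]example/payload.php?id=7",  # specific URL
    "http://phish.example/",                       # whole domain
    "c2.example.net", "198.51.100.23", "10.20.30.40",
    "D41D8CD98F00B204E9800998ECF8427E", "d41d8cd98f00b204e9800998ecf8427e",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # SHA-256
    "10.20.30.0/24",                               # range, not an address
]
```

Running `plan(SAMPLE_IOCS)` puts the refanged URL under the URL Category action, the two domains and the public address under the Destination IP Group action, the 10.x address under the Source IP Group action, one lower-cased MD5 under the Deny list action, and reports the SHA-256 and the CIDR range as rejected. The CIDR and non-MD5 checks are where a playbook run would otherwise fail or silently add the wrong thing, so they are worth keeping in whatever feeds the playbook.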