# Zscaler Deception

The Zscaler Deception connector enables automated interactions with the Zscaler Deception platform, facilitating the retrieval and management of incidents and events.

Zscaler Deception is a cloud-based security service that specializes in the detection of advanced threats and targeted attacks. This connector enables Swimlane Turbine users to automate the retrieval and analysis of security events and incidents, as well as the management of incident-related comments, directly within the Swimlane platform. By integrating with Zscaler Deception, users can enhance their security posture with real-time threat intelligence and streamline their incident response workflows, ensuring a proactive defense against deceptive attacks.

## Limitations

None to date.

## Supported versions

This Zscaler Deception connector uses the version 2 API.

## Additional docs

https://nfr1278.illusionblack.com/ui/api-docs/

## Configuration

### Prerequisites

To effectively utilize the Zscaler Deception connector with Swimlane Turbine, ensure you have the following:

API Key Authentication with the required parameters:

- URL: the endpoint URL for the Zscaler Deception API
- API Token (X-Client-Auth): a unique token used to authenticate API requests

### Authentication Methods

API Key Authentication:

- URL: the endpoint URL for the Zscaler Deception API (default: https://admin.zscalerbeta.net)
- Username: your Zscaler Deception username with sufficient permissions
- Password: the password associated with your Zscaler Deception account
- API Token: the API token/key associated with your Zscaler Deception account
- Verify SSL Certificates: option to verify the SSL certificate (default: true)
- HTTP(S) Proxy: optional proxy to route requests through

## Capabilities

This Zscaler Deception connector provides the following capabilities:

- Get Events
- Get Incidents
- Get Incident Comments

### Get Events

Returns a list of events from the Zscaler Deception platform. This action requires the read events permission and supports filtering, sorting, and pagination through query parameters.

Zscaler Deception's documentation for this action can be found at https://nfr1278.illusionblack.com/ui/api-docs/#/events/get_events

### Get Incidents

Returns a list of incidents from the Zscaler Deception platform. This action requires the read incidents permission and allows filtering by incident ID, date range, and other criteria. You can use query parameters to limit your search by incident ID, status, or date range.

Zscaler Deception's documentation for this action can be found at https://nfr1278.illusionblack.com/ui/api-docs/#/incidents/get_incidents

### Get Incident Comments

Returns all comments for a specific incident from the Zscaler Deception platform. This action requires the read incidents permission and allows you to retrieve the complete comment history for any incident by providing the incident ID.

Zscaler Deception's documentation for this action can be found at https://nfr1278.illusionblack.com/ui/api-docs/#/incidents/get_incidents_id_incidentId_comments

## Configurations

### Zscaler Deception API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --------- | ----------- | ---- | -------- |
| url | A URL to the target host | string | required |
| api_key | API token for the X-Client-Auth header | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get Events

Retrieves a list of events from Zscaler Deception, with options to specify limit and offset. Requires the read events permission.

- Endpoint URL: `api/v2/events/`
- Method: GET

#### Input

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| parameters.limit | integer | required | The number of items to return in a single response |
| parameters.offset | integer | required | The number of items to skip before starting to collect the result |
| parameters.sort | array | optional | Sort order for events (e.g., "timestamp asc", "id desc") |
| parameters.fields | array | optional | Fields to include in the response |
| parameters.from | string | optional | Start date/time filter |
| parameters.to | string | optional | End date/time filter |
| parameters.expfilter | array | optional | Expression filter |
| parameters.whitelisted | string | optional | Whitelist filter |
| parameters.test_events_only | string | optional | Filter for test events only |

Example input:

```json
{"parameters": {"limit": 100, "offset": 123, "sort": ["string"], "fields": ["string"], "from": "string", "to": "string", "expfilter": ["string"], "whitelisted": "string", "test_events_only": "string"}}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.file_name | string | Response data |
| data.file | string | Response data |
| meta | object | Output field meta |
| meta.paging | object | Output field meta.paging |
| meta.paging.total | number | Output field meta.paging.total |
| meta.paging.offset | number | Output field meta.paging.offset |
| meta.paging.limit | number | Output field meta.paging.limit |
| meta.paging.amount | number | Output field meta.paging.amount |

Example output:

```json
{"status_code": 200, "reason": "OK", "json_body": {"data": [], "meta": {"paging": {}}}}
```

### Get List of All Comments

Retrieves all comments linked to a given incident in Zscaler Deception by providing the incidentId.

- Endpoint URL: `api/v2/incidents/id/{{incidentId}}/comments`
- Method: GET

#### Input

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| path_parameters.incidentId | integer | required | Incident ID |

Example input:

```json
{"path_parameters": {"incidentId": 123}}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.file_name | string | Response data |
| data.file | string | Response data |
| meta | object | Output field meta |
| meta.paging | object | Output field meta.paging |
| meta.paging.total | number | Output field meta.paging.total |
| meta.paging.offset | number | Output field meta.paging.offset |
| meta.paging.limit | number | Output field meta.paging.limit |
| meta.paging.amount | number | Output field meta.paging.amount |

Example output:

```json
{"status_code": 200, "reason": "OK", "json_body": {"data": [], "meta": {"paging": {}}}}
```

### Get Incidents

Retrieves a list of incidents from Zscaler Deception, with the ability to specify limit and offset. The read incidents permission is required.

- Endpoint URL: `api/v2/incidents`
- Method: GET

#### Input

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| parameters.incident_id | string | optional | Incident ID |
| parameters.from | string | optional | From date |
| parameters.to | string | optional | To date |
| parameters.spoll | boolean | optional | Spoll |
| parameters.limit | integer | required | The number of items to return in a single response |
| parameters.offset | integer | required | The number of items to skip before starting to collect the result |

Example input:

```json
{"parameters": {"incident_id": "string", "from": "string", "to": "string", "spoll": true, "limit": 100, "offset": 123}}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| title | string | Output field title |
| type | string | Type of the resource |
| filter | string | Output field filter |
| window | string | Output field window |
| description | string | Output field description |
| mitigation | string | Output field mitigation |
| icon | string | Output field icon |
| columns | array | Output field columns |

Example output:

```json
{"status_code": 200, "reason": "OK", "json_body": {"id": 0, "incident_id": 0, "user_id": 0, "comment": "string", "created_timestamp": "string", "edited_timestamp": "string", "user_name": "string", "user_login_id": "string"}}
```

#### Response Headers

| Header | Description | Example |
| ------ | ----------- | ------- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
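The limit/offset pagination and the meta.paging output documented for Get Events, walked end to end as an added example that is not connector or Zscaler code; the host and token are placeholders, and `fake_transport` is a constructed stand-in for HTTP so the example runs offline.

```python
"""Walk the paginated /api/v2/events/ endpoint documented above.

Added example, not connector or Zscaler code. The host and token are
placeholders and fake_transport is a constructed HTTP stand-in so this runs
offline; X-Client-Auth, limit/offset and meta.paging come from the page."""


def fetch_all_events(base_url, token, transport, limit=100):
    """Collect every event by advancing offset until meta.paging.total is reached.

    transport(url, params, headers) -> (http_status, decoded_json_body); a real
    one would wrap e.g. requests.get(url, params=..., headers=..., verify=True).
    """
    headers = {"X-Client-Auth": token}
    events, offset = [], 0
    while True:
        status, body = transport(f"{base_url.rstrip('/')}/api/v2/events/",
                                 {"limit": limit, "offset": offset}, headers)
        if status != 200:
            raise RuntimeError(f"events request failed with HTTP {status}")
        page = body.get("data") or []
        events.extend(page)
        offset += len(page)
        total = body.get("meta", {}).get("paging", {}).get("total", 0)
        # an empty page also ends the loop, so a missing total cannot spin forever
        if not page or offset >= total:
            return events


# Constructed data: five events served two per page (not real API output)
_FAKE_EVENTS = [{"id": i, "type": "constructed"} for i in range(5)]


def fake_transport(url, params, headers):
    """Offline stand-in for the API that honours limit/offset and meta.paging."""
    if headers.get("X-Client-Auth") != "PLACEHOLDER_TOKEN":
        return 401, {"reason": "Unauthorized"}
    lo = params["offset"]
    page = _FAKE_EVENTS[lo:lo + params["limit"]]
    paging = {"total": len(_FAKE_EVENTS), "offset": lo,
              "limit": params["limit"], "amount": len(page)}
    return 200, {"data": page, "meta": {"paging": paging}}


if __name__ == "__main__":
    got = fetch_all_events("https://admin.example.invalid", "PLACEHOLDER_TOKEN",
                           fake_transport, limit=2)
    print(f"{len(got)} events collected")  # 5 events collected
```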