# Zscaler Deception

The Zscaler Deception connector enables automated interaction with the Zscaler Deception platform, allowing users to retrieve incident details, comments, and event information. Zscaler Deception is a cloud-based security service that specializes in detecting and managing advanced threats through deception technology. This connector enables Swimlane Turbine users to automate the retrieval and analysis of security events and incidents, enhancing their threat detection and response capabilities. By integrating with Zscaler Deception, users can efficiently manage event data, streamline incident analysis, and leverage detailed insights to bolster their security posture without the need for manual intervention.

## Limitations

None to date.

## Supported versions

This Zscaler Deception connector uses the version 2 API.

## Additional docs

https://nfr1278.illusionblack.com/ui/api-docs/

## Configuration

### Prerequisites

To effectively utilize the Zscaler Deception connector with Swimlane Turbine, ensure you have the following:

- API key authentication with the necessary parameters:
  - URL: the endpoint URL for the Zscaler Deception API
  - Username: your Zscaler Deception account username
  - Password: your Zscaler Deception account password
  - API token: a unique identifier used to authenticate API requests

### Authentication methods

API key authentication:

- URL: the endpoint URL for the Zscaler Deception API (default: https://admin.zscalerbeta.net)
- Username: your Zscaler Deception username with sufficient permissions
- Password: the password associated with your Zscaler Deception account
- API token: the API token/key associated with your Zscaler Deception account
- Verify SSL certificates: option to verify the SSL certificate (default: true)
- HTTP(S) proxy: optional proxy to route requests through

## Capabilities

This Zscaler Deception connector provides the following capabilities:

- Get Events
- Get Incidents
- Get Incident Comments

### Get Events

Returns a list of events from the Zscaler Deception platform. This action requires the `read:events` permission and supports filtering, sorting, and pagination through query parameters.

Zscaler Deception's documentation for this action can be found at https://nfr1278.illusionblack.com/ui/api-docs/#/events/get_events.

### Get Incidents

Returns a list of incidents from the Zscaler Deception platform. This action requires the `read:incidents` permission and allows filtering by incident ID, date range, and other criteria. You can use query parameters to limit your search by incident ID, status, or date range.

Zscaler Deception's documentation for this action can be found at https://nfr1278.illusionblack.com/ui/api-docs/#/incidents/get_incidents.

### Get Incident Comments

Returns all comments for a specific incident from the Zscaler Deception platform. This action requires the `read:incidents` permission and allows you to retrieve the complete comment history for any incident by providing the incident ID.

Zscaler Deception's documentation for this action can be found at https://nfr1278.illusionblack.com/ui/api-docs/#/incidents/get_incidents_id_incidentid_comments.

## Configurations

### Zscaler Deception API key authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Username | Username | string | required |
| Secret | Password | string | required |
| API key | API token | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP proxy | A proxy to route requests through | string | optional |

## Actions

### Get Events

Retrieves a list of events from Zscaler Deception with the specified limit and offset.

- Permission required: `read:events`
- Endpoint URL: `events/`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | integer | required | The number of items to return in a single response |
| parameters.offset | integer | required | The number of items to skip before starting to collect the result |
| parameters.sort | array | optional | Sort order for events (e.g., "timestamp asc", "id desc") |
| parameters.fields | array | optional | Fields to include in the response |
| parameters.from | string | optional | Start date/time filter |
| parameters.to | string | optional | End date/time filter |
| parameters.expfilter | array | optional | Expression filter |
| parameters.whitelisted | string | optional | Whitelist filter |
| parameters.test_events_only | string | optional | Filter for test events only |

Input example:

```json
{"parameters": {"limit": 100, "offset": 123, "sort": ["string"], "fields": ["string"], "from": "string", "to": "string", "expfilter": ["string"], "whitelisted": "string", "test_events_only": "string"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.file_name | string | Response data |
| data.file | string | Response data |
| meta | object | Output field meta |
| meta.paging | object | Output field meta.paging |
| meta.paging.total | number | Output field meta.paging.total |
| meta.paging.offset | number | Output field meta.paging.offset |
| meta.paging.limit | number | Output field meta.paging.limit |
| meta.paging.amount | number | Output field meta.paging.amount |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"data": [], "meta": {"paging": {}}}}
```

### Get List of All Comments

Retrieve all comments associated with a specific incident in Zscaler Deception using the incident ID.

- Endpoint URL: `incidents/id/{{incidentid}}/comments`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.incidentid | integer | required | Incident ID |

Input example:

```json
{"path_parameters": {"incidentid": 123}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.file_name | string | Response data |
| data.file | string | Response data |
| meta | object | Output field meta |
| meta.paging | object | Output field meta.paging |
| meta.paging.total | number | Output field meta.paging.total |
| meta.paging.offset | number | Output field meta.paging.offset |
| meta.paging.limit | number | Output field meta.paging.limit |
| meta.paging.amount | number | Output field meta.paging.amount |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"data": [], "meta": {"paging": {}}}}
```

### Get Incidents

Retrieves a list of incidents from Zscaler Deception with optional limit and offset parameters.

- Permission required: `read:incidents`
- Endpoint URL: `incidents`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.incident_id | string | optional | Incident ID |
| parameters.from | string | optional | From date |
| parameters.to | string | optional | To date |
| parameters.spoll | boolean | optional | Spoll |
| parameters.limit | integer | required | The number of items to return in a single response |
| parameters.offset | integer | required | The number of items to skip before starting to collect the result |

Input example:

```json
{"parameters": {"incident_id": "string", "from": "string", "to": "string", "spoll": true, "limit": 100, "offset": 123}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| title | string | Output field title |
| type | string | Type of the resource |
| filter | string | Output field filter |
| window | string | Output field window |
| description | string | Output field description |
| mitigation | string | Output field mitigation |
| icon | string | Output field icon |
| columns | array | Output field columns |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"id": 0, "incident_id": 0, "user_id": 0, "comment": "string", "created_timestamp": "string", "edited_timestamp": "string", "user_name": "string", "user_login_id": "string"}}
```

Response headers:

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
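The limit/offset pagination that the Get Events and Get Incidents actions expose is easy to get wrong in an automation (silently stopping after one page, or looping forever when `meta.paging.total` is absent). The following is an added example, not the connector's or Zscaler's code: it walks `events/` until `meta.paging.total` is reached, bounded by a page cap, and is exercised against a constructed stand-in backend. The auth header name (`X-Api-Token`) and the query-string encoding of array parameters are assumptions; the page does not state them.

```python
"""Paginate Zscaler Deception events via the connector's limit/offset scheme."""
import json
import ssl
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List

# ASSUMPTION: placeholder header; the page does not name how the API token is sent.
TOKEN_HEADER = "X-Api-Token"

def make_get_page(base_url: str, api_token: str, verify_ssl: bool = True) -> Callable:
    """Return get_page(params) that GETs {base_url}/events/ and parses the JSON body."""
    ctx = ssl.create_default_context()
    if not verify_ssl:  # mirrors the connector's "Verify SSL certificates" option
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    def get_page(params: Dict[str, Any]) -> Dict[str, Any]:
        # doseq=True repeats array params (sort=a&sort=b); the server's encoding is assumed.
        url = base_url.rstrip("/") + "/events/?" + urllib.parse.urlencode(params, doseq=True)
        req = urllib.request.Request(url, headers={TOKEN_HEADER: api_token, "Accept": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return get_page

def fetch_all_events(get_page: Callable, limit: int = 100, max_pages: int = 1000,
                     **filters: Any) -> List[Dict[str, Any]]:
    """Collect every event by advancing offset until meta.paging.total is reached.
    Stops on an empty page too, so a response without meta.paging cannot loop forever;
    max_pages caps the total number of requests as a last line of defence."""
    events: List[Dict[str, Any]] = []
    offset = 0
    for _ in range(max_pages):
        body = get_page({"limit": limit, "offset": offset, **filters})
        page = body.get("data") or []
        events.extend(page)
        offset += len(page)
        total = body.get("meta", {}).get("paging", {}).get("total")
        if not page or (total is not None and offset >= total):
            break
    return events

def fake_backend(total: int) -> Callable:
    """Constructed stand-in for events/ that answers in the README's data + meta.paging shape."""
    rows = [{"id": i, "timestamp": f"2024-01-01T00:00:{i % 60:02d}Z"} for i in range(total)]
    def get_page(params: Dict[str, Any]) -> Dict[str, Any]:
        off, lim = int(params["offset"]), int(params["limit"])
        page = rows[off:off + lim]
        return {"data": page, "meta": {"paging": {"total": total, "offset": off,
                                                  "limit": lim, "amount": len(page)}}}
    return get_page
```

Against a live tenant, pass `make_get_page(url, api_token, verify_ssl)` in place of `fake_backend(...)`; the pagination logic is unchanged.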