Configure ZIA for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform URL-based response actions in your network using Zscaler Internet Access (ZIA).

ZIA supports these response actions:
  • Block a malicious URL

For more information, see Response action descriptions.

These resources are required:

  • An API subscription. For more information, see About Cloud Service API Key.
  • A Sandbox API subscription. For more information, see About Sandbox API Token.
  • An administrator account with the Authentication Configuration functional role, if you need to create a Cloud Service API key.
  • Contact your CST to validate the Active Response integration. Have an external domain ready that Arctic Wolf can use to validate the desired response actions without causing interruptions.

Create a Zscaler super admin account

We recommend creating a dedicated Zscaler super admin account for Active Response, so that its API activity can be audited separately and its credentials rotated without affecting other administrators. However, you can use an existing super admin account.

If you want to use an existing super admin account, skip to Retrieve the ZIA base URL and API keys. For more information about creating super admin accounts, see Adding ZIA Super Admins.
  1. Sign in to the ZIA Admin Portal.
  2. Go to Administration > Authentication > Administrator Management.
  3. Click Add Administrator.
  4. In the Add Administrator window, configure these settings:
    • Login ID — Enter a login ID and select the appropriate domain name.
    • Email — Enter an email address.
    • Name — Enter a meaningful name, for example, Active Response Admin.
    • Role — Select Super Admin.
    • Status — Keep the Enabled value.
    • Scope — Keep the Organization value.
    • Executive Insights App Access — Keep this setting disabled.
    • Comments — Enter any additional notes or description for the super admin account.
    • Security Updates — Enable this setting if you want the email account to receive information about security threats and vulnerabilities.
    • Service Updates — Enable this setting if you want the email account to receive service and product enhancement announcements.
    • Product Updates — Enable this setting if you want the email account to receive Zscaler product service change announcements.
    • Password — Enter a password for the account.
    • Confirm Password — Re-enter the password for the account.
  5. Click Save.
  6. In the navigation menu, click Activation > Activate.
    For more information about activating changes, see Saving and Activating Changes in the ZIA Admin Portal.

Retrieve the ZIA base URL and API keys

  1. In the ZIA Admin Portal, go to Administration > Authentication > Cloud Service API Security.
  2. On the Cloud Service API Key tab, copy the base URL value, and then save it in a safe, encrypted location.
    The base URL uses this format: https://zsapi.<instance_name>.net/api/v1. You will provide it to Arctic Wolf later.
  3. Copy the API key value, and then save it in a safe, encrypted location. Treat the key as a credential: together with the super admin login it grants full API access to your ZIA tenant.

    You will provide it to Arctic Wolf later.

    If an API key doesn't exist, create one. For more information, see Managing Cloud Service API Key.

  4. Click the Sandbox API Token tab.
  5. Copy the sandbox base URL value, and then save it in a safe, encrypted location.
    The sandbox base URL uses this format: https://zsbapi.<instance_name>.net/api/v1. You will provide it to Arctic Wolf later.
  6. Copy the sandbox API key value, and then save it in a safe, encrypted location.

    You will provide it to Arctic Wolf later.

    If a sandbox API key doesn't exist, create one. For more information, see https://help.zscaler.com/zia/managing-cloud-service-api-key.

Provide ZIA Active Response credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Integrations.
  3. On the Active Response tab, click New Active Response Integration +.
  4. Click Zscaler Internet Access (ZIA).
  5. On the New Active Response Integration page, configure these settings:
    • Integration Name — Enter a unique and descriptive name for the integration, including the tenant name. For example, <tenant_name> ZIA Active Response Integration.
    • Base URL — Enter the base URL value from Retrieve the ZIA base URL and API keys, using this format: https://zsapi.<instance_name>.net.
      Note: Remove the API path suffix (for example, /api/v1) from the end of the URL and enter only the scheme and hostname.
    • API Key — Enter the API key value from Retrieve the ZIA base URL and API keys.
    • Username — Enter the login ID for the super admin account that you created in Create a Zscaler super admin account or an existing super admin account.
    • Password — Enter the password for the super admin account that you created in Create a Zscaler super admin account or an existing super admin account.
    • Sandbox Base URL — Enter the sandbox base URL from Retrieve the ZIA base URL and API keys, using this format: https://zsbapi.<instance_name>.net. The hostname must match the one shown on the Sandbox API Token tab.
      Note: Remove the API path suffix (for example, /api/v1) from the end of the URL and enter only the scheme and hostname.
    • Sandbox API key — Enter the sandbox API key from Retrieve the ZIA base URL and API keys.
    • Ignore List Name — (Optional) Leave this field blank.
  6. Click Save Integration.
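Before you click Save Integration, it is worth confirming that the values you are about to hand over actually work. The script below is an added pre-flight check written for this page; it is not Arctic Wolf or Zscaler tooling. It normalizes the base URLs copied from the portal to the https://<hostname> form the integration page expects, and opens (then immediately closes) a session against the ZIA Cloud Service API with the super admin login and API key, using Zscaler's documented timestamp-based key obfuscation for the authenticatedSession endpoint. The hostnames, key and credentials in it are constructed placeholders, and the environment variable names (ZIA_BASE_URL, ZIA_API_KEY, ZIA_USERNAME, ZIA_PASSWORD) are choices made here; the live check runs only when all four are set.

```python
"""Pre-flight check for the ZIA credentials given to Arctic Wolf.

Added example, not Arctic Wolf or Zscaler code. Two checks the procedure
above otherwise leaves to the reader:
  1. normalize the base URLs copied from the ZIA Admin Portal to
     https://<hostname> (the /api/v1 suffix must be removed), and
  2. prove the super admin login plus Cloud Service API key can open a
     session at POST /api/v1/authenticatedSession, then delete it again.
All hostnames and credentials below are constructed placeholders.
"""
import json
import os
import time
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit


def normalize_base_url(url: str) -> str:
    """Return https://<hostname> only, as the Active Response form expects.

    Drops any path (for example the /api/v1 shown in the portal), query and
    fragment, and rejects plain-http URLs so the API key is never sent in
    the clear by mistake.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"expected an https://hostname URL, got {url!r}")
    return urlunsplit(("https", parts.netloc.lower(), "", "", ""))


def obfuscate_api_key(api_key: str, now_ms: int) -> str:
    """Zscaler's documented Cloud Service API key obfuscation.

    The last six digits of the millisecond timestamp index characters of the
    API key; the same number shifted right by one indexes a second set,
    offset by two. The server recomputes this from the timestamp sent in the
    request, so the client clock must be roughly correct.
    """
    n = str(now_ms)[-6:]
    r = str(int(n) >> 1).zfill(6)
    key = "".join(api_key[int(d)] for d in n)
    key += "".join(api_key[int(d) + 2] for d in r)
    return key


def login_payload(api_key: str, username: str, password: str, now_ms: int) -> dict:
    """Request body for POST /api/v1/authenticatedSession."""
    return {
        "apiKey": obfuscate_api_key(api_key, now_ms),
        "username": username,
        "password": password,
        "timestamp": str(now_ms),
    }


def check_zia_login(base_url: str, api_key: str, username: str, password: str) -> bool:
    """Open and immediately close a ZIA API session; True on success.

    A failure (wrong key, wrong password, wrong cloud, disabled account) is
    reported with the HTTP status so it can be fixed before the integration
    is saved with bad values.
    """
    endpoint = normalize_base_url(base_url) + "/api/v1/authenticatedSession"
    body = json.dumps(
        login_payload(api_key, username, password, int(time.time() * 1000))
    ).encode()
    req = urllib.request.Request(
        endpoint, data=body, method="POST", headers={"Content-Type": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            cookie = resp.headers.get("Set-Cookie", "").split(";")[0]
    except urllib.error.HTTPError as e:
        print(f"login failed: HTTP {e.code} {e.reason}")
        return False
    # Log out so the check does not leave an idle admin session behind.
    logout = urllib.request.Request(endpoint, method="DELETE", headers={"Cookie": cookie})
    with urllib.request.urlopen(logout, timeout=15):
        pass
    return True


if __name__ == "__main__":
    # Offline demonstration with constructed values.
    print(normalize_base_url("https://zsapi.example.net/api/v1"))  # https://zsapi.example.net
    print(obfuscate_api_key("abcdefghijkl", 1700000000123))  # aaabcdccccid
    # Live check only when real values are supplied in the environment.
    names = ("ZIA_BASE_URL", "ZIA_API_KEY", "ZIA_USERNAME", "ZIA_PASSWORD")
    if all(os.environ.get(k) for k in names):
        ok = check_zia_login(*(os.environ[k] for k in names))
        print("ZIA login OK" if ok else "ZIA login FAILED")
```

Run it once with the real values exported in your shell; a successful login followed by a clean logout means the Base URL, API Key, Username and Password fields will be accepted. It does not exercise the sandbox key, which Arctic Wolf validates with your CST using the external test domain.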