The Zscaler Internet Access sample Foundry app is a community-driven, open source project which serves as an example of an app which can be built using CrowdStrike's Foundry ecosystem.
foundry-sample-zscaler-internet-access is an open source project, not a CrowdStrike product. As such, it carries no formal support, expressed or implied.
This app is one of several App Templates included in Foundry that you can use to jumpstart your development. It comes complete with a set of preconfigured capabilities aligned to its business purpose. Deploy this app from the Templates page with a single click in the Foundry UI, or create an app from this template using the CLI.
Important
To view documentation and deploy this sample app, you need access to the Falcon console.
Organizations need effective integration between their threat intelligence and web security infrastructure to proactively block malicious URLs before they can cause harm. The Zscaler Internet Access sample Foundry app automates this critical security workflow by bridging CrowdStrike's threat intelligence with Zscaler's inline blocking capabilities.
This application helps security teams:
- Automatically identify high-confidence malicious URLs from CrowdStrike Falcon Intelligence.
- Verify URL categorization status in Zscaler Internet Access.
- Push uncategorized or unknown malicious URLs to custom ZIA URL categories for immediate blocking.
- Maintain continuous protection through automated, scheduled workflows.
This app illustrates the following functionality amongst other components:
- Pull high-confidence malicious URL indicators from CrowdStrike Falcon Intelligence.
- Perform URL lookups against Zscaler's categorization database.
- Automatically push malicious URLs to a custom Zscaler URL category for inline blocking.
- Handle API rate limiting with intelligent retry logic.
- Python 3.13+ (needed if modifying the app's functions). See Python For Beginners for installation instructions.
- The Foundry CLI (instructions below)
- Zscaler Internet Access Configuration
You can install the Foundry CLI with Scoop on Windows or Homebrew on Linux/macOS.
Windows:
Install Scoop. Then, add the Foundry CLI bucket and install the Foundry CLI.
scoop bucket add foundry https://github.com/crowdstrike/scoop-foundry-cli.git
scoop install foundry
Or, you can download the latest Windows zip file, expand it, and add the install directory to your PATH environment variable.
Linux and macOS:
Install Homebrew. Then, add the Foundry CLI repository to the list of formulae that Homebrew uses and install the CLI:
brew tap crowdstrike/foundry-cli
brew install crowdstrike/foundry-cli/foundry
Run foundry version to verify it's installed correctly.
- Log in to your Zscaler Internet Access (ZIA) admin portal
- Navigate to Administration > Authentication > Cloud Service API Security
- Generate or retrieve your API credentials:
- Securely store these credentials for use during app installation
- In the ZIA admin portal, go to Administration > Resources > Access Control > URL Categories
- Click Add URL Category
- Create a custom category with a name like "CrowdStrike Intel - Foundry"
- Set the Super Category to User-Defined
- Note the exact category name for use during app installation
Note
Contact your Zscaler representative if you're unsure about your entitlements.
Clone this sample to your local system, or download as a zip file.
git clone https://github.com/CrowdStrike/foundry-sample-zscaler-internet-access
cd foundry-sample-zscaler-internet-access
Log in to Foundry:
foundry login
Select the following permissions:
- Create and run RTR scripts
- Create, execute and test workflow templates
- Create, run and view API integrations
- Create, edit, delete, and list queries
Deploy the app:
foundry apps deploy
Tip
If you get an error that the name already exists, change the name to something unique to your CID in manifest.yml.
Once the deployment has finished, you can release the app:
foundry apps release
Next, go to Foundry > App catalog, find your app, and install. During app install, you will be prompted for app configuration:
- (API-Integration) ZIA Cloud Service API credentials:
- (Workflow) Falcon-Zscaler Integration configuration:
  - UrlCategoryConfiguredName: The name of your custom ZIA URL category (e.g., "CrowdStrike Intel - Foundry")
  - Quantity: Maximum number of URLs to process. Controls pagination: the iterations function divides this by 100 to process URLs in batches (e.g., a quantity of 500 creates 5 batches with offset values [0, 100, 200, 300, 400])
Tip
The custom URL category name must match exactly (case-sensitive) with the category you created in Zscaler.
After installation, navigate to Fusion SOAR > Workflows and locate the Falcon-Zscaler Integration workflow. You can:
- Run it on-demand to immediately sync malicious URLs
- Modify it to run automatically on a schedule (recommended: daily or multiple times per day)
- API Integration. Used to connect to Zscaler Internet Access (ZIA) Cloud Service API.
- Functions. Five custom Python functions handle:
  - Controlling workflow iteration logic
  - Retrieving ZIA URL category details
  - Pulling high-confidence malicious URLs from Falcon Intelligence and looking up URLs in Zscaler's categorization database
  - Extracting uncategorized/unknown URLs for blocking
  - Pushing IOCs to Zscaler Internet Access (ZIA)
- Workflow templates. Orchestrates the automated process of pulling high-confidence malicious URLs from Falcon Intelligence, looking them up in Zscaler to check categorization, filtering uncategorized/unknown URLs, and pushing them to a custom ZIA URL category for inline blocking.
- ZIA_Cloud_Service_API.json: API integration with the Zscaler Internet Access Cloud Service API to perform URL lookups, manage URL categories, push IOCs to ZIA, and activate changes.
- pull-lookup-urls: Pulls high-confidence malicious URL indicators from CrowdStrike Falcon Intelligence API and performs batch URL lookups against Zscaler's categorization database. Includes retry logic for rate limiting.
- extract: Extracts and filters URLs from Zscaler lookup results to identify malicious URLs that are uncategorized or classified as unknown/miscellaneous.
- push-iocs-to-zia: Pushes filtered malicious URLs to a specified custom URL category in Zscaler for inline blocking. Includes retry logic for API rate limiting.
- get-url-category: Retrieves URL category details from Zscaler by category name, returning the category ID needed for pushing IOCs.
- iterations: Utility function that calculates the number of iterations needed for paginated API calls based on total URL count.
- ZscalerIntegration.yml: Main orchestration workflow that:
  - Retrieves the target ZIA custom URL category details
  - Determines pagination requirements for URL processing
  - Iteratively pulls URLs from Falcon Intel and looks them up in Zscaler
  - Extracts uncategorized/unknown malicious URLs
  - Pushes identified URLs to the custom ZIA URL category
  - Activates changes in Zscaler to apply the new blocks
  - Logs all operations for audit and troubleshooting
Note
- The workflow processes URLs in batches of 100 to optimize API performance and stay within rate limits.
- URLs are added to the custom category but never automatically removed.
- The workflow should be scheduled based on your organization's threat intelligence refresh requirements (recommended: daily or multiple times per day).
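The batching, uncategorized/unknown filtering and rate-limit retry steps described above, sketched as an added example that is not the app's own function code. The `urlClassifications` field, the `MISCELLANEOUS_OR_UNKNOWN` label, rounding a partial batch up, the `RateLimited` exception and the `lookup(offset)` callable are all assumptions made for illustration.

```python
import math
import time

BATCH_SIZE = 100                        # the workflow pulls URLs in batches of 100
UNKNOWN = {"MISCELLANEOUS_OR_UNKNOWN"}  # assumed label for uncategorized/unknown
# Constructed lookup results for illustration (not real indicators).
SAMPLE = [
    {"url": "bad.example/a", "urlClassifications": ["MISCELLANEOUS_OR_UNKNOWN"]},
    {"url": "known.example", "urlClassifications": ["MALWARE_SITE"]},
    {"url": "bad.example/a", "urlClassifications": []},
    {"url": "new.example/x", "urlClassifications": []},
]

class RateLimited(Exception):  # hypothetical: raised by lookup() on an HTTP 429
    def __init__(self, retry_after=None):
        super().__init__("rate limited")
        self.retry_after = retry_after

def batch_offsets(quantity):
    """Offsets for paginated pulls; a partial last batch is assumed to round up."""
    return [i * BATCH_SIZE for i in range(math.ceil(max(quantity, 0) / BATCH_SIZE))]

def with_retry(call, max_attempts=4, base_delay=1.0, sleep=time.sleep):
    """Run call(); on RateLimited wait (server hint, else exponential backoff)."""
    for attempt in range(max_attempts):
        try:
            return call()
        except RateLimited as exc:
            if attempt == max_attempts - 1:
                raise  # give up and surface the failure to the workflow
            delay = base_delay * 2 ** attempt if exc.retry_after is None else exc.retry_after
            sleep(delay)

def extract_unknown(rows):
    """Keep URLs with no classification or only the unknown one; drop duplicates."""
    out = []
    for row in rows:
        url = (row.get("url") or "").strip()
        classes = set(row.get("urlClassifications") or [])
        if url and classes <= UNKNOWN and url not in out:
            out.append(url)
    return out

def sync(quantity, lookup, sleep=time.sleep):
    """Collect URLs to push across all batches; lookup(offset) is a hypothetical client."""
    found = []
    for offset in batch_offsets(quantity):
        found += extract_unknown(with_retry(lambda: lookup(offset), sleep=sleep))
    return list(dict.fromkeys(found))  # de-duplicate across batches, keep order
```

Because URLs are never removed from the custom category automatically, the filter is the last point at which an already-categorized URL can be kept out of the block list.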




