Check out the Carbon Black Cloud Zscaler Integration
Posted on September 28, 2020
What is the Zscaler Internet Access Sandbox Integration?
This integration is between Zscaler’s Internet Access (ZIA) Sandbox and Carbon Black Cloud Endpoint Standard or Enterprise EDR. Zscaler can scan all files before they reach the endpoint if they come through the network, but cannot scan files coming in from other methods, or prior to sensor installation.
This connector will scan for any Endpoint Standard events or Enterprise EDR processes. It pulls the processes, checks the unique hashes against a database of files that have been checked in the past, and if the file is not known, a request to Zscaler’s Sandbox is made to see if they have any information on it. If they do, or if the local database indicates the file is malicious, you can take one of the following actions:
- Add to an Enterprise EDR Watchlist Feed
- Send the event and sandbox report to a webhook
- Run a script
- Isolate the endpoint
- Move the endpoint into a policy
Requirements
Customers must have Carbon Black Cloud Endpoint Standard or Enterprise EDR, and must have the proper licensing from Zscaler with Sandbox enabled.
Getting Started
See the installation instructions on Github.