Security Incident Response integration with Zscaler
You can use the Security Incident Response integration with Zscaler to connect your Zscaler Internet Access (ZIA) logs with the ServiceNow AI Platform. This integration enables you to view dashboards, create custom alerts, and investigate security incidents.
Request apps on the Store
Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Overview
The Zscaler internet and web gateway product is delivered from the cloud. It provides you with the key data points and insights into your enterprise security environment. Security Incident Response integration with Zscaler connects the Zscaler Internet Access product with your ServiceNow AI Platform instance. By using the Zscaler product on the ServiceNow AI Platform, you get more insights into your organization’s internet usage.
Key features of the integration
- Reputation lookup of observables against the global threat library that the Zscaler product maintains.
  Note: The Zscaler global threat library lists threats by trends, country of origin, target destination, volume, and various threat categories. This global threat library enables you to investigate your observables against the global threat landscape.
- Maintenance of observables in a block list or allow list on the Zscaler product.
- Ability to fetch and review sandbox reports from the Zscaler product for an MD5 hash. The Cloud Sandbox feature in the Zscaler product runs and analyzes files in a virtual environment to detect malicious behavior.
- Security alerts from Patient 0 events that are generated in the Zscaler product when a user downloads an unknown malicious file.
- Multiple URL category lists that act as block lists or allow lists as defined in the Zscaler product.
- ServiceNow AI Platform security incidents that can be tagged to identify the URL category that the observables are added to.
- Expiration periods that maintain the size of the URL category list entries by automatically expiring or removing the older entries.
- Approval workflow for adding and removing observables from the URL category lists.
- URL category entries that can be linked to observable records and security incidents that include threat intelligence results and details about why an entry is blocked.
Learn about this integration
| Document identifier | Document title |
|---|---|
| Zscaler product documentation website | Zscaler Product Documentation website |
| ServiceNow product documentation website | ServiceNow Product Documentation website |