Zscaler

Visualize Zscaler Internet Access (ZIA) resources including accounts, users, roles, sites, applications, policies, and destinations. Monitor security policy configurations, track user access roles, and understand your Zscaler deployment through queries and alerts.

Installation

Installation

The Zscaler integration supports two authentication methods. ZIdentity + OneAPI (OAuth2) is the recommended modern approach, while legacy session-based authentication remains available for backward compatibility.

Configuring the Integration in JupiterOne

To install the Zscaler integration in JupiterOne, navigate to the Integrations tab and select Zscaler. Click New Instance to begin configuring your integration.

Creating an instance requires the following:

• The Account Name used to identify the Zscaler account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

• Description to assist in identifying the integration instance, if desired.

• Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

• An authentication method (see below).

Click Create once all values are provided to finalize the integration.

ZIdentity + OneAPI (OAuth2) — Recommended

This method uses OAuth2 Client Credentials via ZIdentity. It requires:

• Client ID: The OAuth2 Client ID from your ZIdentity API client.
• Client Secret: The OAuth2 Client Secret from your ZIdentity API client.
• Vanity Domain: Your Zscaler tenant vanity domain (e.g., mycompany for mycompany.zslogin.net).
• Zscaler Cloud (optional): The Zscaler cloud environment (e.g., zscaler, zscalerone, zscalertwo). Leave blank for the default cloud.

To create OAuth2 credentials:

1. Log in to the ZIdentity Admin Portal.
2. Create an API client with the Client Credentials grant type.
3. Note the Client ID and Client Secret.
4. Note your Vanity Domain — this is the subdomain portion of your zslogin.net URL.

Legacy Authentication (API Key + Session)

This method uses an API key, username, and password to create a session-based connection to the Zscaler ZIA API. It requires:

• API Key: The API key used to authenticate with Zscaler.
• Username: The API user email address.
• Password: The API user password.
• Cloud Name: Your Zscaler cloud instance (e.g., zscaler, zscalerone, zscalertwo, zscalerthree, zscloud, zscalerbeta).

To create legacy API credentials:

1. Log in to your Zscaler Admin Portal.
2. Navigate to Administration > API Key Management.
3. Generate or retrieve your API key.
4. Note the cloud name from your Zscaler URL (the subdomain before .net).

info

See the Zscaler API documentation for more information on generating API keys.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.

Authorization

Data Model

Entities

The following entities are created:

Resources	Entity _type	Entity _class
Account	zscaler_account	Account
Application	zscaler_application	Application
Application Category	zscaler_application_category	Group
AppTotal App	zscaler_apptotal_app	Application
AppTotal Posture Finding	zscaler_apptotal_posture_finding	Finding
Destination	zscaler_destination	Record
Policy	zscaler_policy	ControlPolicy
Policy Control	zscaler_policy_control	Control
Role	zscaler_role	AccessRole
Site	zscaler_site	Site
User	zscaler_user	User

Relationships

The following relationships are created:

Source Entity _type	Relationship _class	Target Entity _type
zscaler_account	HAS	zscaler_role
zscaler_account	HAS	zscaler_site
zscaler_account	HAS	zscaler_application_category
zscaler_account	HAS	zscaler_application
zscaler_account	HAS	zscaler_destination
zscaler_account	HAS	zscaler_policy
zscaler_account	HAS	zscaler_user
zscaler_account	HAS	zscaler_apptotal_app
zscaler_account	HAS	zscaler_apptotal_posture_finding
zscaler_policy	HAS	zscaler_policy_control
zscaler_user	ASSIGNED	zscaler_role

Types

Zscaler Account

zscaler_account inherits from Account

Property	Type	Description	Specifications
companyId	number
webLink	string

---

Zscaler Application

zscaler_application inherits from Application

Property	Type	Description	Specifications
appTags *	null | array	Tags associated with the application (named appTags to avoid the reserved tag.* property map).
category *	null | string	Application category from the Shadow IT report (e.g. Collaboration).
isSanctioned *	null | boolean	True when the application status is sanctioned.
potentialIntegrations *	null | number	Number of potential 3rd-party integrations the application has with corporate SaaS platforms (populated by Zscaler 3rd-Party App Governance).
riskIndex *	null | number	Zscaler-computed risk index, 1 (lowest risk) to 5 (highest risk).
sanctionedState *	null | string	Whether the application is sanctioned or unsanctioned.

---

Zscaler Application Category

zscaler_application_category inherits from Group

Property	Type	Description	Specifications
categoryType *	null | string
configuredName *	null | string
customCategory *	null | boolean
superCategory *	null | string

---

Zscaler Apptotal App

zscaler_apptotal_app inherits from Application

Property	Type	Description	Specifications
appTags *	null | array	Tags supplied by AppTotal (e.g. OAuth, 3rd Party). Named appTags to avoid collision with the inherited tags map.
appViewId *	string	UUID of the AppTotal App View that this app was retrieved from.
categories *	array of strings	AppTotal categories (e.g. Games, Productivity).
category *	null | string	First category from categories[], for J1QL convenience scalar.
clientId *	null | string	Primary OAuth client identifier (the preferred _key source).
clientType *	null | string	OAuth client type (e.g. Web Client).
compliance *	null | array	Compliance attestations claimed by the vendor (e.g. GDPR, CCPA).
consentScreenshotUrl *	null | string	URL of the captured OAuth consent screen.
dataRetention *	null | string	Free-text retention policy from the vendor.
developerEmail *	null | string	Vendor contact email for remediation.
externalIds *	array of strings	All OAuth/UUID identifiers from externalIds[].id, parallel-indexed with externalIdTypes.
externalIdTypes *	null | array	Per-identifier type values from externalIds[].type (e.g. clientId). Parallel-indexed with externalIds.
extractedApiCalls *	null | array	API calls observed in app source (Premium Only).
extractedUrls *	null | array	URLs extracted from app source (Premium Only).
instanceClassifications *	null | array	Per-tenant classification from instances[].classification (Sanctioned/Unsanctioned/Unclassified/Reviewing).
instanceStatuses *	null | array	Per-tenant install status from instances[].status (Enabled/Disabled/Deleted/Not Installed).
isCanonicVerified *	null | boolean	True if AppTotal's verification flag is set.
isPlatformVerified *	null | boolean	True if the publisher is verified by the SaaS platform (critical TPR signal).
marketplaceDownloads *	null | number	Vendor trust signal: marketplace download count.
marketplaceReviews *	null | number	Vendor trust signal: marketplace review count.
marketplaceStars *	null | number	Vendor trust signal: marketplace star rating.
permissionAccessTypes *	null | array	Per-scope access category from permissions[].accessType.
permissionLevel *	number	Numeric score quantifying OAuth scope breadth. Critical risk metric.
permissionLevels *	null | array	Per-scope risk band from permissions[].level (LOW/MEDIUM/HIGH).
permissions *	null | array	OAuth scopes flattened from permissions[].scope. Critical TPR signal.
permissionServices *	null | array	Per-scope service from permissions[].service.
platform *	string	The SaaS platform the app integrates with (e.g. google_workspace, microsoft_365).
privacyPolicyUrl *	null | string	Vendor privacy policy URL.
redirectUrls *	null | array	OAuth redirect URIs registered for this app (forensic / token-theft IOC).
riskCategories *	null | array	AppTotal per-app risk categories from risks[].category (Premium Only).
riskLevel *	string	Categorical risk band (LOW/MEDIUM/HIGH). Renamed from the API field risk to avoid collision with the inherited Application.risk numeric 1-10.
riskScore *	null | number	AppTotal numeric risk score (raw, typically 0-10).
riskSeverities *	null | array	Per-risk severity from risks[].severity (LOW/MEDIUM/HIGH) (Premium Only).
termsOfServiceUrl *	null | string	Vendor terms-of-service URL.
totalEnabledUsers *	null | number	Number of internal users currently authorized to use the app (blast radius proxy).
vendor *	null | string	The publisher / vendor name (from publisher.name).
vendorDescription *	null | string	Publisher self-description (from publisher.description).
vendorLogoUrl *	null | string	Publisher logo URL (from publisher.logoUrl).
vendorUrl *	null | string	Publisher web site URL (from publisher.siteUrl).
vulnerabilityCveIds *	null | array	CVEs found in third-party libraries from vulnerabilities[].cveId (Premium Only).
websiteUrls *	null | array	App-controlled URLs (informational).

---

Zscaler Apptotal Posture Finding

zscaler_apptotal_posture_finding inherits from Finding

Property	Type	Description	Specifications
appViewId *	null | string	AppTotal App View UUID carried through from configuration so J1QL can correlate findings to apps.
categoryIds *	null | array	Stable category UUIDs.
categoryNames *	null | array	Human-readable categories (e.g. authentication, encryption).
complexity *	null | string	Remediation effort estimate (LOW/MEDIUM/HIGH).
complianceCategories *	null | array	Per-framework category labels from compliance[].controlCategory.
complianceControlNumbers *	null | array	Framework-specific control numbers from compliance[].controlNumber (e.g. CIS-1.2.3). Auto-correlated by the JupiterOne compliance layer when the strings match.
complianceFrameworks *	null | array	Compliance framework names from compliance[].name (e.g. CIS, SOC2).
complianceIds *	null | array	Compliance framework UUIDs from compliance[].id.
controlId *	string	Stable rule identifier (UUID) for this posture control.
controlName *	string	Human-readable name of the posture control.
failedAssetsCount *	null | number	Count of assets currently failing this control (blast-radius proxy).
mitreTacticId *	null | string	MITRE ATT&CK tactic ID (from mitreTactic.id).
mitreTacticName *	null | string	MITRE ATT&CK tactic name (e.g. Initial Access).
mitreTacticUrl *	null | string	Direct link to the MITRE tactic.
mitreTechniqueIds *	null | array	MITRE technique IDs flattened from mitreTechniques[].id (e.g. T1078).
mitreTechniqueNames *	null | array	MITRE technique names from mitreTechniques[].name.
mitreTechniqueUrls *	null | array	Direct links from mitreTechniques[].url.
platformId *	null | string	UUID of the SaaS platform this control evaluates (e.g. google_workspace).
policyStatus *	null | string	Policy compliance state (PARTIAL / COMPLIANT / NON_COMPLIANT). Drives the inherited open flag.
remediationThreat *	null | string	Risk-of-not-fixing description from AppTotal. Populates the inherited recommendation.
tenantId *	null | string	Multi-tenant identifier (UUID) of the evaluated tenant.
tenantName *	null | string	Customer-facing tenant label.
violationDescription *	null | string	Raw violation description from AppTotal. Populates the inherited description.

---

Zscaler Destination

zscaler_destination inherits from Record

Property	Type	Description	Specifications
addresses *	null | array
countries *	null | array
destinationType *	null | string
ipAddresses *	null | array
urls *	null | array

---

Zscaler Policy

zscaler_policy inherits from ControlPolicy

Property	Type	Description	Specifications
action *	null | string
lastModifiedBy *	null | string
lastModifiedOn *	null | number
order *	null | number
policyType *	null | string
protocols *	null | array
rank *	null | number
state *	null | string

---

Zscaler Policy Control

zscaler_policy_control inherits from Control

Property	Type	Description	Specifications
action *	null | string
controlType *	null | string
enabled *	null | boolean
enforcement *	null | string
policyId *	null | number

---

Zscaler Role

zscaler_role inherits from AccessRole

Property	Type	Description	Specifications
functionalScope *	null | array
permissions *	null | array
policyAccess *	null | string
rank *	null | number
roleType *	null | string

---

Zscaler Site

zscaler_site inherits from Site

Property	Type	Description	Specifications
authRequired *	null | boolean
city *	null | string
country *	null | string
ipAddresses *	null | array
language *	null | string
ports *	null | array
profile *	null | string
sslScanEnabled *	null | boolean
state *	null | string
surrogateIP *	null | string

---

Zscaler User

zscaler_user inherits from User

Property	Type	Description	Specifications
adminScopeType *	null | string
disabled *	null | boolean
firstName *	null | string
isPasswordLoginAllowed *	null | boolean
lastLoginTime *	null | number
lastName *	null | string
loginName *	null | string
passwordExpiryTime *	null | number
twoFactorAuthEnabled *	null | boolean

---

Release Notes

Release Notes

• 2026-04-15 — Added ZIdentity + OneAPI (OAuth2) as a second authentication method alongside legacy session-based auth.
• 2026-01-12 — Added support for ingesting Zscaler Internet Access data including applications, application categories, destinations, policies, roles, sites, and users.