Zscaler Admin API Token
Service Name: Zscaler
Service Description: Zscaler is a cloud security platform that provides secure access to the internet and applications. It offers a range of security services including secure web gateway, cloud firewall, sandbox, CASB, and zero trust network access.
Service Address: https://www.zscaler.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the admin portal level through admin settings.
Secret Access Scope: Grants programmatic access to Zscaler Admin APIs, allowing management of Zscaler services, policies, and configurations.
Secret Revokement URL: https://help.zscaler.com/zia/api-getting-started#APIAuthentication
Secret Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ6c2NhbGVyYWRtaW4iLCJpYXQiO jE2MzQ1Njc4OTAsImV4cCI6MTYzNDU3MTQ5MH0.EXAMPLE_TOKEN
Suspicious Activity Investigation Instructions:
- Review Zscaler audit logs for unusual API calls or configuration changes
- Check for unauthorized policy modifications or rule changes
- Monitor for unexpected user permission changes or new admin accounts
- Look for unusual traffic patterns or policy bypasses
- Verify if there are any unauthorized IP addresses accessing the admin API
Mitigation Instructions:
- Log in to the Zscaler Admin Portal
- Navigate to Administration > API Key Management
- Locate the compromised API key and click "Revoke"
- Generate a new API key if needed
- Update any legitimate applications or scripts with the new API key
- Review and update admin access policies
- Enable multi-factor authentication for all admin accounts if not already enabled
- Consider implementing IP restrictions for API access