Zscaler Deception 로그 수집

다음에서 지원:

이 문서에서는 BindPlane 에이전트를 설정하여 Zscaler Deception 로그를 내보내는 방법과 로그 필드가 Google SecOps 통합 데이터 모델 (UDM) 필드에 매핑되는 방식을 설명합니다.

자세한 내용은 Google SecOps에 데이터 수집을 참조하세요.

일반적인 배포는 로그를 Google SecOps에 전송하도록 구성된 Zscaler Deception 및 BindPlane 에이전트로 구성됩니다. 고객 배포마다 다를 수 있으며 더 복잡할 수도 있습니다.

배포에는 다음 구성요소가 포함됩니다.

  • Zscaler Deception: 로그를 수집하는 플랫폼입니다.

  • BindPlane 에이전트: BindPlane 에이전트는 Zscaler Deception에서 로그를 가져와 Google SecOps로 전송합니다.

  • Google SecOps: 로그를 보관하고 분석합니다.

수집 라벨은 원시 로그 데이터를 구조화된 UDM 형식으로 정규화하는 파서를 식별합니다. 이 문서의 정보는 ZSCALER_DECEPTION 수집 라벨이 있는 파서에 적용됩니다.

시작하기 전에

  • Zscaler Deception 콘솔에 액세스할 수 있는지 확인합니다. 자세한 내용은 Zscaler Deception 도움말을 참고하세요.
  • Zscaler Deception 2024 이상을 사용하고 있는지 확인합니다.
  • 배포 아키텍처의 모든 시스템이 UTC 시간대로 구성되었는지 확인합니다.
  • 서비스 커넥터가 Zscaler Deception Admin Portal과 통신하고 이벤트 로그를 전송하도록 구성되어 있는지 확인합니다. 서비스 커넥터에 대한 자세한 내용은 서비스 커넥터 정보를 참고하세요.

이벤트를 BindPlane 에이전트로 전달하도록 서비스 커넥터 구성

다음 단계에 따라 이벤트를 BindPlane 에이전트로 전달하도록 서비스 커넥터를 구성합니다.

  1. Zscaler Deception Admin Portal에서 Orchestrate > SIEM Integrations(SIEM 통합)로 이동합니다.
  2. 통합 추가를 클릭하고 메뉴에서 Syslog를 선택합니다.
  3. Syslog 세부정보 창에 세부정보를 입력합니다.
  4. 이름 필드에 Syslog SIEM 통합의 이름을 입력합니다.
  5. 사용 설정됨에서 사용 설정을 선택하여 SIEM 통합을 활성화합니다.
  6. 메뉴에서 서비스 커넥터를 선택합니다.
    • Zscaler Deception 관리자 포털에 구성된 서비스 커넥터를 선택하면 관리자 포털에서 로그를 Syslog로 전송합니다.
    • 미끼 커넥터에 구성된 서비스 커넥터를 선택하면 선택한 미끼 커넥터가 로그를 Syslog로 전송합니다.
  7. 로그 유형 메뉴에서 이벤트를 선택하여 Zscaler Deception 이벤트를 전달합니다.
  8. 안전한 이벤트 포함에서 사용 설정을 선택하여 안전으로 표시된 이벤트를 Syslog로 전달합니다.
  9. 필터 필드에 필터링된 이벤트 로그만 Syslog로 전송하는 쿼리를 입력합니다. 비워 두면 모든 이벤트 로그가 전송됩니다. 쿼리를 빌드하는 방법을 알아보려면 쿼리 이해 및 빌드를 참고하세요.
  10. 호스트 필드에 Linux 가상 머신의 IP 주소를 입력합니다.
  11. 포트 필드에 Linux 가상 머신이 리슨하는 포트 번호를 입력합니다.
  12. 전송 메뉴에서 Zscaler 기만 이벤트를 전달하는 데 사용되는 프로토콜을 선택합니다.
  13. 시설 메뉴에서 시설 코드를 선택합니다. 각 이벤트에는 이벤트 로그를 생성하는 소프트웨어 유형을 나타내는 시설 코드가 라벨로 지정됩니다.
  14. 심각도 메뉴에서 심각도 수준을 선택합니다. 각 이벤트에는 이벤트 로그를 생성하는 도구의 심각도를 나타내는 심각도 라벨이 지정됩니다.
  15. 앱 이름 필드에 로그 식별자를 입력합니다.
  16. 저장을 클릭합니다. 서비스 커넥터를 구성하는 방법에 관한 자세한 내용은 시스템로그용 SIEM 구성 가이드를 참고하세요.

BindPlane 에이전트를 사용하여 로그를 Google SecOps로 전달

  1. Linux 가상 머신을 설치하고 설정합니다.
  2. Linux에 BindPlane 에이전트를 설치하고 구성하여 로그를 Google SecOps로 전달합니다. BindPlane 에이전트를 설치하고 구성하는 방법에 관한 자세한 내용은 BindPlane 에이전트 설치 및 구성 안내를 참고하세요.

피드를 만들 때 문제가 발생하면 Google SecOps 지원팀에 문의하세요.

필드 매핑 참조

필드 매핑 참조: 이벤트 식별자에서 이벤트 유형으로

다음 표에는 ZSCALER_DECEPTION 로그 유형과 해당 UDM 이벤트 유형이 나와 있습니다.
Event Identifier Event Type Security Category
amqp USER_RESOURCE_ACCESS
aws USER_STATS
azure USER_STATS
credtheft ACL_VIOLATION
custom USER_STATS
email EMAIL_TRANSACTION
endpoint NETWORK_MALICIOUS
itdr NETWORK_MALICIOUS
ransomware NETWORK_MALICIOUS
filetheft USER_RESOURCE_ACCESS ACL_VIOLATION
mitm NETWORK_CONNECTION
mongodb USER_RESOURCE_ACCESS
network NETWORK_SUSPICIOUS
postgresql USER_RESOURCE_ACCESS
QOS USER_RESOURCE_ACCESS
recon NETWORK_RECON
scada USER_RESOURCE_ACCESS
ssh
telnet
web
windows NETWORK_MALICIOUS

필드 매핑 참조: ZSCALER_DECEPTION - 공통 필드

다음 표에는 ZSCALER_DECEPTION 로그 유형의 공통 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
metadata.product_name Json dataendthe metadata.product_name UDM field is set to Deception.
metadata.vendor_name The metadata.vendor_name UDM field is set to Zscaler.
timestamp metadata.event_timestamp

필드 매핑 참조: ZSCALER_DECEPTION - amqp

다음 표에는 amqp 로그 유형의 원시 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
type metadata.product_event_type
network.application_protocol If the type log field value is equal to amqp, then the network.application_protocol UDM field is set to AMQP.
amqp.connection_id network.session_id
amqp.user principal.user.userid
amqp.vhost target.hostname
amqp.node target.resource.name
target.resource.resource_type If the amqp.node log field value is not empty, then the target.resource.resource_type UDM field is set to CLUSTER.
amqp.channel additional.fields[amqp_channel]
amqp.exchange additional.fields[amqp_exchange]
amqp.payload additional.fields[amqp_payload]
amqp.queue additional.fields[amqp_queue]
amqp.routed_queues additional.fields[amqp_routed_queues] The amqp.routed_queues log field is mapped to the additional.fields.value.string_value UDM field.
amqp.routing_keys additional.fields[amqp_routing_keys] The amqp.routing_keys log field is mapped to the additional.fields.value.string_value UDM field.

필드 매핑 참조: ZSCALER_DECEPTION - aws

다음 표에는 aws 로그 유형의 원시 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
type metadata.product_event_type
aws.event_id metadata.product_log_id
aws.user_agent network.http.user_agent
aws.error_message security_result.description
decoy.s3.dataset security_result.rule_set
aws.error_code security_result.summary
aws.aws_region target.location.country_or_region
aws.vpc_endpoint_id target.resource_ancestors.product_object_id
target.resource_ancestors.resource_type If the aws.vpc_endpoint_id log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.
aws.recipient_account_id target.resource.product_object_id
target.resource.resource_type If the aws.recipient_account_id log field value is not empty, then the target.resource.resource_type UDM field is set to SERVICE_ACCOUNT.
aws.event_name additional.fields[aws_event_name]
aws.event_source additional.fields[aws_event_source]
aws.event_type additional.fields[aws_event_type]
aws.readonly additional.fields[aws_readonly]
aws.request_id additional.fields[aws_request_id]
decoy.public additional.fields[decoy_public]

필드 매핑 참조: ZSCALER_DECEPTION - azure

다음 표에는 azure 로그 유형의 원시 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
type metadata.product_event_type
azure.caller_ip_address.port principal.port
decoy.dataset security_result.rule_set
decoy.storage_account target.resource.name
target.resource.resource_type If the decoy.storage_account log field value is not empty, then the target.resource.resource_type UDM field is set to STORAGE_BUCKET.
decoy.public additional.fields[decoy_public]
decoy.storage_account_container.dataset additional.fields[decoy_storage_account_container_dataset]

필드 매핑 참조: ZSCALER_DECEPTION - credtheft

다음 표에는 credtheft 로그 유형의 원시 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
credtheft.logon_process_name extensions.auth.auth_details
extensions.auth.mechanism If the credtheft.logon_type log field value matches the regular expression pattern (?i)interactive, then the extensions.auth.mechanism UDM field is set to INTERACTIVE.

Else, if the credtheft.logon_type log field value matches the regular expression pattern (?i)network, then the extensions.auth.mechanism UDM field is set to NETWORK.

Else, if the credtheft.logon_type log field value matches the regular expression pattern (?i)batch, then the extensions.auth.mechanism UDM field is set to BATCH.

Else, if the credtheft.logon_type log field value matches the regular expression pattern (?i)service, then the extensions.auth.mechanism UDM field is set to SERVICE.

Else, if the credtheft.logon_type log field value matches the regular expression pattern (?i)remoteinteractive, then the extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.

Else, if the credtheft.logon_type log field value matches the regular expression pattern (?i)unlock, then the extensions.auth.mechanism UDM field is set to UNLOCK.

Else, if the credtheft.logon_type log field value matches the regular expression pattern (?i)cached, then the extensions.auth.mechanism UDM field is set to CACHED_INTERACTIVE.

Else, if the credtheft.logon_type log field value is not empty, then the extensions.auth.mechanism UDM field is set to MECHANISM_OTHER.
credtheft.event_id metadata.description
metadata.event_type If (the credtheft.ip_address log field value is not empty or the credtheft.workstation log field value is not empty or the credtheft.workstation_name log field value is not empty) and (the credtheft.username log field value is not empty or the credtheft.subject_user_name log field value is not empty), then the metadata.event_type UDM field is set to USER_LOGIN.

Else, the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS.
type metadata.product_event_type
credtheft.event_record_id metadata.product_log_id
credtheft.authentication_package_name principal.application
credtheft.subject_domain_name principal.domain.name
credtheft.workstation principal.hostname If the credtheft.workstation log field value is not empty, then the credtheft.workstation log field is mapped to the principal.hostname UDM field.
credtheft.workstation_name principal.hostname If the credtheft.workstation_name log field value is not empty, then the credtheft.workstation_name log field is mapped to the principal.hostname UDM field.
credtheft.ip_address principal.ip
credtheft.ip_port principal.port
credtheft.trigger_properties principal.resource.attribute.labels[credtheft_trigger_properties]
credtheft.service_name principal.resource.name
principal.resource.resource_type If the credtheft.service_name log field value is not empty, then the principal.resource.resource_type UDM field is set to BACKEND_SERVICE.
credtheft.subject_logon_id principal.user.product_object_id
credtheft.subject_user_sid principal.user.windows_sid
security_result.action If the credtheft.status log field value matches the regular expression pattern (?i)successful, then the security_result.action UDM field is set to ALLOW.

Else, if the credtheft.status log field value matches the regular expression pattern (?i)failed, then the security_result.action UDM field is set to FAIL.

Else, if the credtheft.status log field value matches the regular expression pattern (?i)denied, then the security_result.action UDM field is set to BLOCK.
credtheft.status security_result.action_details
credtheft.operation_type security_result.action_details
security_result.category The security_result.category UDM field is set to NETWORK_MALICIOUS.
credtheft.access_list security_result.detection_fields[credtheft_access_list]
credtheft.access_mask security_result.detection_fields[credtheft_access_mask]
credtheft.ticket_encryption_type security_result.detection_fields[credtheft_ticket_encryption_type]
credtheft.ticket_options security_result.detection_fields[credtheft_ticket_options]
decoy.ad.asrep_roastable security_result.detection_fields[decoy_ad_asrep_roastable]
decoy.ad.can_password_expire security_result.detection_fields[decoy_ad_can_password_expire]
credtheft.target_domain_name target.domain.name
credtheft.target_server_name target.domain.name_server
credtheft.object_server target.domain.name_server
credtheft.properties target.resource.attribute.labels[credtheft_properties]
credtheft.sub_status target.resource.attribute.labels[credtheft_sub_status]
credtheft.object_name target.resource.name
credtheft.object_type target.resource.resource_subtype
target.resource.resource_type If the credtheft.object_type log field value matches the regular expression pattern (?i)user, then the target.resource.resource_type UDM field is set to USER.

Else, if the credtheft.object_type log field value matches the regular expression pattern (?i)computer, then the target.resource.resource_type UDM field is set to DEVICE.
decoy.ad.profile_path target.user.attribute.labels[decoy_ad_profile_path]
decoy.ad.group_memberships target.user.group_identifiers The decoy.ad.group_memberships log field is mapped to the target.user.group_identifiers UDM field.
credtheft.target_user_name target.user.user_display_name
credtheft.username target.user.userid
credtheft.subject_user_name target.user.userid
credtheft.handle_id additional.fields[credtheft_handle_id]
credtheft.pre_auth_type additional.fields[credtheft_pre_auth_type]
credtheft.system_time additional.fields[credtheft_system_time]
decoy.ad.ou additional.fields[decoy_ad_ou]

필드 매핑 참조: ZSCALER_DECEPTION - 맞춤

다음 표에는 custom 로그 유형의 원시 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
type metadata.product_event_type
custom.dataset principal.security_result.rule_set
custom.protocol security_result.detection_fields[custom_protocol]
decoy.custom.protocol security_result.detection_fields[decoy_custom_protocol]
decoy.custom.dataset target.security_result.rule_set
custom.is_binary_request additional.fields[custom_is_binary_request]
custom.is_binary_response additional.fields[custom_is_binary_response]
custom.request additional.fields[custom_request]
custom.response additional.fields[custom_response]

필드 매핑 참조: ZSCALER_DECEPTION - email

다음 표에는 email 로그 유형의 원시 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
type metadata.product_event_type
email.evidence_id network.email.mail_id
email.subject network.email.subject
email.body.attachments additional.fields[email_body_attachments] The email.body.attachments log field is mapped to the additional.fields.value.string_value UDM field.
email.body.html additional.fields[email_body_html] The email.body.html log field is mapped to the additional.fields.value.string_value UDM field.
email.body.plain additional.fields[email_body_plain] The email.body.plain log field is mapped to the additional.fields.value.string_value UDM field.

필드 매핑 참조: ZSCALER_DECEPTION - endpoint, itdr, ransomware

다음 표에는 endpoint, itdr, ransomware 로그 유형의 원시 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
attacker.event_name metadata.description
psexec.event_name metadata.description
triage.event_name metadata.description
session_enumeration.type metadata.description
metadata.event_type If the attacker.domain_name log field value is not empty and at least one of the following log field is not empty, then the metadata.event_type UDM field is set to PROCESS_TERMINATION.
  • fake_process.process_id
  • pwsh.path
  • pwsh.script_block_id
  • pwsh.script_block_text
  • decoy.command_line
  • decoy.file_name
  • decoy.process_id
Else, if the attacker.domain_name log field value is not empty and at least one of the following log field is not empty, then the metadata.event_type UDM field is set to PROCESS_LAUNCH.
  • psexec.files_and_pipe_names
  • psexec.md5
  • psexec.sha1
  • psexec.sha256
Else, if the file.name log field value is not empty and the attacker.domain_name log field value is not empty, then if the file.operation log field value matches the regular expression pattern (?i)read, then the metadata.event_type UDM field is set to FILE_READ.

Else, if the file.name log field value is not empty and the attacker.domain_name log field value is not empty, then if the file.operation log field value matches the regular expression pattern (?i)write or modify or encrypt, then the metadata.event_type UDM field is set to FILE_MODIFICATION.

Else, if the file.name log field value is not empty and the attacker.domain_name log field value is not empty, then if the file.operation log field value matches the regular expression pattern (?i)create, then the metadata.event_type UDM field is set to FILE_CREATION.

Else, if the file.name log field value is not empty and the attacker.domain_name log field value is not empty, then if the file.operation log field value matches the regular expression pattern (?i)delete, then the metadata.event_type UDM field is set to FILE_DELETION.

Else, if the file.name log field value is not empty and the attacker.domain_name log field value is not empty, then if the file.operation log field value matches the regular expression pattern (?i)open, then the metadata.event_type UDM field is set to FILE_OPEN.

Else, if the file.name log field value is not empty and the attacker.domain_name log field value is not empty, then if the file.operation log field value matches the regular expression pattern (?i)sync, then the metadata.event_type UDM field is set to FILE_SYNC.

Else, if the file.name log field value is not empty and the attacker.domain_name log field value is not empty, then if the file.operation log field value matches the regular expression pattern (?i)copy, then the metadata.event_type UDM field is set to FILE_COPY.

Else, if the file.name log field value is not empty and the attacker.domain_name log field value is not empty, then if the file.operation log field value matches the regular expression pattern (?i)move, then the metadata.event_type UDM field is set to FILE_MOVE.

Else, if the attacker.user_name log field value is not empty and (the message log field value matches the regular expression pattern (cbf or imc).), then the metadata.event_type UDM field is set to USER_UNCATEGORIZED.

Else, if the attacker.domain_name log field value is not empty and the session_enumeration.network_address log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.

Else, if the attacker.domain_name log field value is not empty, then the metadata.event_type UDM field is set to SCAN_HOST.

Else, the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS.
type metadata.product_event_type
triage.incident_id metadata.product_log_id
session_enumeration.endpoint network.session_id
attacker.domain_name principal.domain.name If the attacker.domain_name log field value is not empty, then the attacker.domain_name log field is mapped to the principal.domain.name UDM field.
attacker.process.domain_name principal.domain.name If the attacker.process.domain_name log field value is not empty, then the attacker.process.domain_name log field is mapped to the principal.domain.name UDM field.
attacker.machine_name principal.hostname
attacker.session_id principal.network.session_id
attacker.command_line principal.process.command_line If the attacker.command_line log field value is not empty, then the attacker.command_line log field is mapped to the principal.process.command_line UDM field.
attacker.process.command_line principal.process.command_line If the attacker.process.command_line log field value is not empty, then the attacker.process.command_line log field is mapped to the principal.process.command_line UDM field.
attacker.process.path principal.process.file.full_path
attacker.process.md5 principal.process.file.md5
attacker.process.sha1 principal.process.file.sha1
attacker.process.sha256 principal.process.file.sha256
attacker.process.parent_info.command_line principal.process.parent_process.command_line
attacker.process.parent_info.path principal.process.parent_process.file.full_path
attacker.process.parent_info.md5 principal.process.parent_process.file.md5
attacker.process.parent_info.sha1 principal.process.parent_process.file.sha1
attacker.process.parent_info.sha256 principal.process.parent_process.file.sha256
attacker.process.parent_info.id principal.process.parent_process.pid
principal.process.parent_process.product_specific_process_id The Deception:attacker.process.parent_info.parent log field is mapped to the principal.process.parent_process.product_specific_process_id UDM field.
attacker.process.id principal.process.pid
attacker.process.user_groups principal.user.group_identifiers The attacker.process.user_groups log field is mapped to the principal.user.group_identifiers UDM field.
attacker.process.user_ou principal.user.group_identifiers The attacker.process.user_groups log field is mapped to the principal.user.group_identifiers UDM field and the attacker.process.user_ou log field is mapped to the principal.user.group_identifiers UDM field.
attacker.process.user_name principal.user.user_display_name
attacker.user_name principal.user.userid If the attacker.user_name log field value is not empty, then the attacker.user_name log field is mapped to the principal.user.userid UDM field.

Else, if the attacker.username log field value is not empty, then the attacker.user_name log field is mapped to the additional.fields UDM field.

Else, if the attacker.zcc_user log field value is not empty, then the attacker.user_name log field is mapped to the additional.fields UDM field.

Else, if the attacker.zia_user log field value is not empty, then the attacker.user_name log field is mapped to the additional.fields UDM field.

Else, if the attacker.zpa_user log field value is not empty, then the attacker.user_name log field is mapped to the additional.fields UDM field.
attacker.username principal.user.userid If the attacker.user_name log field value is not empty, then the attacker.username log field is mapped to the additional.fields UDM field.

Else, if the attacker.username log field value is not empty, then the attacker.username log field is mapped to the principal.user.userid UDM field.

Else, if the attacker.zcc_user log field value is not empty, then the attacker.username log field is mapped to the additional.fields UDM field.

Else, if the attacker.zia_user log field value is not empty, then the attacker.username log field is mapped to the additional.fields UDM field.

Else, if the attacker.zpa_user log field value is not empty, then the attacker.username log field is mapped to the additional.fields UDM field.
attacker.zcc_user principal.user.userid If the attacker.user_name log field value is not empty, then the attacker.zcc_user log field is mapped to the additional.fields UDM field.

Else, if the attacker.username log field value is not empty, then the attacker.zcc_user log field is mapped to the additional.fields UDM field.

Else, if the attacker.zcc_user log field value is not empty, then the attacker.zcc_user log field is mapped to the principal.user.userid UDM field.

Else, if the attacker.zia_user log field value is not empty, then the attacker.zcc_user log field is mapped to the additional.fields UDM field.

Else, if the attacker.zpa_user log field value is not empty, then the attacker.zcc_user log field is mapped to the additional.fields UDM field.
attacker.zia_user principal.user.userid If the attacker.user_name log field value is not empty, then the attacker.zia_user log field is mapped to the additional.fields UDM field.

Else, if the attacker.username log field value is not empty, then the attacker.zia_user log field is mapped to the additional.fields UDM field.

Else, if the attacker.zcc_user log field value is not empty, then the attacker.zia_user log field is mapped to the additional.fields UDM field.

Else, if the attacker.zia_user log field value is not empty, then the attacker.zia_user log field is mapped to the principal.user.userid UDM field.

Else, if the attacker.zpa_user log field value is not empty, then the attacker.zia_user log field is mapped to the additional.fields UDM field.
attacker.zpa_user principal.user.userid If the attacker.user_name log field value is not empty, then the attacker.zpa_user log field is mapped to the additional.fields UDM field.

Else, if the attacker.username log field value is not empty, then the attacker.zpa_user log field is mapped to the additional.fields UDM field.

Else, if the attacker.zcc_user log field value is not empty, then the attacker.zpa_user log field is mapped to the additional.fields UDM field.

Else, if the attacker.zia_user log field value is not empty, then the attacker.zpa_user log field is mapped to the additional.fields UDM field.

Else, if the attacker.zpa_user log field value is not empty, then the attacker.zpa_user log field is mapped to the principal.user.userid UDM field.
attacker.process.user_sid principal.user.windows_sid
fake_process.action security_result.action_details
security_result.category If the type log field value matches the regular expression pattern ransomware, then the security_result.category UDM field is set to SOFTWARE_MALICIOUS.
cbf.is_ad_decoy_credential security_result.detection_fields[cbf_is_ad_decoy_credential]
file.operation_string security_result.detection_fields[file_operation_string]
file.operation security_result.detection_fields[file_operation]
kerberoast.is_decoy security_result.detection_fields[kerberoast_is_decoy]
mitm.query security_result.detection_fields[mitm_query]
mitm.technique security_result.detection_fields[mitm_technique]
monitor_accounts.win_event_id security_result.detection_fields[monitor_accounts_win_event_id]
triage.reason security_result.summary
monitor_accounts.failure_reason security_result.summary
cbf.target_domain_name target.domain.name
fake_process.domain_name target.domain.name
imc.target_domain_name target.domain.name
psexec.domain_name target.domain.name
monitor_accounts.target_domain_name target.domain.name
file.name target.file.full_path
psexec.machine_name target.hostname
triage.machine_name target.hostname
monitor_accounts.workstation_name target.hostname
session_enumeration.network_address target.ip
dcshadow.network_address target.ip
dcsync.network_address target.ip
zerologon.network_address target.ip
monitor_accounts.ip_address target.ip
fake_process.session_id target.network.session_id
decoy.session_id target.network.session_id
monitor_accounts.ip_port target.port
fake_process.command_line target.process.command_line
pwsh.script_block_text target.process.command_line
decoy.command_line target.process.command_line
pwsh.path target.process.file.full_path
decoy.file_name target.process.file.full_path
psexec.md5 target.process.file.md5
psexec.files_and_pipe_names target.process.file.names The psexec.files_and_pipe_names log field is mapped to the target.process.file.names UDM field.
psexec.sha1 target.process.file.sha1
psexec.sha256 target.process.file.sha256
fake_process.parent_process_id target.process.parent_process.pid
fake_process.process_id target.process.pid
pwsh.script_block_id target.process.pid
decoy.process_id target.process.pid
ad_enumeration.attribute_list target.resource.attribute.labels[ad_enumeration_attribute_list]
ad_enumeration.scope_of_search_string target.resource.attribute.labels[ad_enumeration_scope_of_search_string]
ad_enumeration.scope_of_search target.resource.attribute.labels[ad_enumeration_scope_of_search]
ad_enumeration.search_filter target.resource.attribute.labels[ad_enumeration_search_filter]
ad_enumeration.distinguished_name target.resource.name
kerberoast.spn target.resource.name
psexec.service_name target.resource.name
ad_enumeration.type target.resource.resource_subtype
target.resource.resource_type If the ad_enumeration.distinguished_name log field value is not empty, then the target.resource.resource_type UDM field is set to STORAGE_BUCKET.

Else, if the kerberoast.spn log field value is not empty or the psexec.service_name log field value is not empty, then the target.resource.resource_type UDM field is set to SERVICE_ACCOUNT.
monitor_accounts.is_decoy target.user.attribute.labels[monitor_accounts_is_decoy]
monitor_accounts.is_privileged target.user.attribute.labels[monitor_accounts_is_privileged]
monitor_accounts.logon_process_name target.user.attribute.labels[monitor_accounts_logon_process_name]
monitor_accounts.logon_type target.user.attribute.labels[monitor_accounts_logon_type]
fake_process.user_groups target.user.group_identifiers
fake_process.user_ou target.user.group_identifiers
psexec.user_groups target.user.group_identifiers
psexec.user_ou target.user.group_identifiers
cbf.target_user_name target.user.userid
fake_process.username target.user.userid
imc.target_user_name target.user.userid
psexec.user_name target.user.userid
monitor_accounts.target_user_name target.user.userid
fake_process.user_sid target.user.windows_sid
psexec.user_sid target.user.windows_sid
monitor_accounts.target_sid target.user.windows_sid
attacker.logon_type additional.fields[attacker_logon_type]
attacker.process.exit_code additional.fields[attacker_process_exit_code]
attacker.process.name additional.fields[attacker_process_name]
attacker.process.parent_info.domain_name additional.fields[attacker_process_parent_info_domain_name]
attacker.process.parent_info.name additional.fields[attacker_process_parent_info_name]
attacker.process.parent_info.tree additional.fields[attacker_process_parent_info_tree] The attacker.process.parent_info.tree log field is mapped to the additional.fields.value.string_value UDM field.
attacker.process.parent_info.user_groups additional.fields[attacker_process_parent_info_user_groups]
attacker.process.parent_info.user_name additional.fields[attacker_process_parent_info_user_name]
attacker.process.parent_info.user_ou additional.fields[attacker_process_parent_info_user_ou]
attacker.process.parent_info.user_sid additional.fields[attacker_process_parent_info_user_sid]
attacker.process.parent additional.fields[attacker_process_parent]
attacker.process.tree additional.fields[attacker_process_tree] The attacker.process.tree log field is mapped to the additional.fields.value.string_value UDM field.
fake_process.exit_code additional.fields[fake_process_exit_code]
fake_process.process_name additional.fields[fake_process_process_name]
landmine.version additional.fields[landmine_version]
monitor_accounts.auth_package additional.fields[monitor_accounts_auth_package]
monitor_accounts.status additional.fields[monitor_accounts_status]
monitor_accounts.sub_status_parsed additional.fields[monitor_accounts_sub_status_parsed]
monitor_accounts.sub_status additional.fields[monitor_accounts_sub_status]
pwsh.message_number additional.fields[pwsh_message_number]
pwsh.message_total additional.fields[pwsh_message_total]

필드 매핑 참조: ZSCALER_DECEPTION - filetheft

다음 표에는 filetheft 로그 유형의 원시 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
type metadata.product_event_type
filetheft.useragent network.http.user_agent
filetheft.filename target.file.full_path
filetheft.file_uuid additional.fields[filetheft_file_uuid]

필드 매핑 참조: ZSCALER_DECEPTION - mitm

다음 표에는 mitm 로그 유형의 원시 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
type metadata.product_event_type
network.application_protocol The network.application_protocol UDM field is set to DNS.
mitm.answer network.dns.answers.data
mitm.qtype network.dns.questions.type
mitm.server principal.hostname
mitm.hostname target.hostname

필드 매핑 참조: ZSCALER_DECEPTION - mongodb

다음 표에는 mongodb 로그 유형의 원시 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
mongodb.message metadata.description
type metadata.product_event_type
mongodb.execution_time network.session_duration.seconds
mongodb.connection_id network.session_id
mongodb.command additional.fields[mongodb_command]
mongodb.object additional.fields[mongodb_object]
mongodb.protocol additional.fields[mongodb_protocol]

필드 매핑 참조: ZSCALER_DECEPTION - network

다음 표에는 network 로그 유형의 원시 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
rfb.authentication_method extensions.auth.auth_details
ssh.auth_success extensions.auth.auth_details
extensions.auth.mechanism If the mysql.username log field value is not empty, then the extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD.

Else, if the ntlm.username log field value is not empty, then the extensions.auth.mechanism UDM field is set to INTERACTIVE.

Else, if the radius.username log field value is not empty, then the extensions.auth.mechanism UDM field is set to REMOTE.

Else, if the rfb.authentication_method log field value is not empty, then the extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.
socks.bound intermediary.hostname
socks.bound_p intermediary.port
snmp.display_string metadata.description
syslog.message metadata.description
threat.event_type metadata.description
metadata.event_type If (the ntlm.hostname log field value is not empty or the radius.mac log field value is not empty or the radius.remote_ip log field value is not empty) and (the ntlm.username log field value is not empty or the radius.username log field value is not empty), then the metadata.event_type UDM field is set to USER_LOGIN.

Else, if the message log field value matches the regular expression pattern smtp., then the metadata.event_type UDM field is set to EMAIL_TRANSACTION.

Else, if the message log field value matches the regular expression pattern (dnp3 or modbus or scan or snmp or syslog or tunnel)., then the metadata.event_type UDM field is set to USER_STATS.

Else, the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS.
type metadata.product_event_type
threat.tx_id metadata.product_log_id
network.application_protocol If the message log field value matches the regular expression pattern dce_rpc., then the network.application_protocol UDM field is set to DCERPC.

Else, if the message log field value matches the regular expression pattern dnp3., then the network.application_protocol UDM field is set to DNP3.

Else, if the message log field value matches the regular expression pattern dns., then the network.application_protocol UDM field is set to DNS.

Else, if the message log field value matches the regular expression pattern mqtt., then the network.application_protocol UDM field is set to MQTT.

Else, if the message log field value matches the regular expression pattern rdp., then the network.application_protocol UDM field is set to RDP.

Else, if the message log field value matches the regular expression pattern sip., then the network.application_protocol UDM field is set to SIP.

Else, if the message log field value matches the regular expression pattern smb., then the network.application_protocol UDM field is set to SMB.

Else, if the message log field value matches the regular expression pattern smtp., then the network.application_protocol UDM field is set to SMTP.

Else, if the message log field value matches the regular expression pattern snmp., then the network.application_protocol UDM field is set to SNMP.

Else, if the message log field value matches the regular expression pattern ssh., then the network.application_protocol UDM field is set to SSH.
mqtt.proto_version network.application_protocol_version
rdp.client_build network.application_protocol_version
snmp.version network.application_protocol_version
ssh.version network.application_protocol_version
network.direction If the ssh.direction log field value matches the regular expression pattern (?i)INBOUND, then the network.direction UDM field is set to INBOUND.

Else, if the ssh.direction log field value matches the regular expression pattern (?i)OUTBOUND, then the network.direction UDM field is set to OUTBOUND.
dns.answers network.dns.answers.data
dns.TTLs network.dns.answers.ttl
dns.trans_id network.dns.id
dns.qclass network.dns.questions.class
dns.query network.dns.questions.name
dns.qtype network.dns.questions.type
dns.RA network.dns.recursion_available
dns.RD network.dns.recursion_desired
dns.AA network.dns.response
dns.rcode network.dns.response_code
dns.rejected network.dns.truncated
smtp.cc network.email.cc
smtp.mailfrom network.email.from
smtp.in_reply_to network.email.reply_to
smtp.reply_to network.email.reply_to
smtp.subject network.email.subject
smtp.to network.email.to
ftp.command network.ftp.command
sip.method network.http.method
sip.status_code network.http.response_code
sip.user_agent network.http.user_agent
network.ip_protocol If the dns.proto log field value matches the regular expression pattern (?i)tcp, then the network.ip_protocol UDM field is set to TCP.

Else, if the dns.proto log field value matches the regular expression pattern (?i)udp, then the network.ip_protocol UDM field is set to UDP.

Else, if the dns.proto log field value matches the regular expression pattern (?i)icmp, then the network.ip_protocol UDM field is set to ICMP.

Else, if the network.protocol log field value matches the regular expression pattern (?i)tcp, then the network.ip_protocol UDM field is set to TCP.

Else, if the network.protocol log field value matches the regular expression pattern (?i)udp, then the network.ip_protocol UDM field is set to UDP.

Else, if the network.protocol log field value matches the regular expression pattern (?i)icmp, then the network.ip_protocol UDM field is set to ICMP.

Else, if the syslog.proto log field value matches the regular expression pattern (?i)tcp, then the network.ip_protocol UDM field is set to TCP.

Else, if the syslog.proto log field value matches the regular expression pattern (?i)udp, then the network.ip_protocol UDM field is set to UDP.

Else, if the syslog.proto log field value matches the regular expression pattern (?i)icmp, then the network.ip_protocol UDM field is set to ICMP.
network.tunnel_parents network.parent_session_id
network.duration network.session_duration
network.connection_uid network.session_id
threat.flow_id network.session_id
smtp.helo network.smtp.helo
network.smtp.is_tls If the smtp.tls log field value matches the regular expression pattern (?i)true, then the network.smtp.is_tls UDM field is set to true.
smtp.from network.smtp.mail_from
smtp.rcptto network.smtp.rcpt_to
ssl.cipher network.tls.cipher
ssl.established network.tls.established
ssl.resumed network.tls.resumed
ssl.issuer network.tls.server.certificate.issuer
ssl.subject network.tls.server.certificate.subject
ssl.version network.tls.version
rdp.client_dig_product_id principal.asset.product_object_id
ntlm.domainname principal.domain.name
threat.alert.gid principal.group.product_object_id
ntlm.hostname principal.hostname
rdp.client_name principal.hostname
radius.remote_ip principal.ip
smtp.x_originating_ip principal.ip
radius.mac principal.mac
network.orig_bytes principal.network.sent_bytes
network.orig_pkts principal.network.sent_packets
rfb.client_major_version principal.platform_version The rfb.client_major_version rfb.client_minor_version log field is mapped to the principal.platform_version UDM field.
rfb.client_minor_version principal.platform_version The rfb.client_major_version rfb.client_minor_version log field is mapped to the principal.platform_version UDM field.
irc.command principal.process.command_line
ftp.password principal.user.attribute.labels[ftp_password]
mysql.password principal.user.attribute.labels[mysql_password]
socks.password principal.user.attribute.labels[socks_password]
ftp.user principal.user.userid
irc.user principal.user.userid
kerberos.client principal.user.userid
mqtt.client_id principal.user.userid
mysql.username principal.user.userid
rdp.cookie principal.user.userid
socks.user principal.user.userid
security_result.action If the rdp.result log field value matches the regular expression pattern (?i)(allow or success), then the security_result.action UDM field is set to ALLOW.

Else, if the rdp.result log field value matches the regular expression pattern (?i)(fail), then the security_result.action UDM field is set to FAIL.

Else, if the rdp.result log field value matches the regular expression pattern (?i)(denied or block), then the security_result.action UDM field is set to BLOCK.

Else, if the radius.result log field value matches the regular expression pattern (?i)(allow or success), then the security_result.action UDM field is set to ALLOW.

Else, if the radius.result log field value matches the regular expression pattern (?i)(fail), then the security_result.action UDM field is set to FAIL.

Else, if the radius.result log field value matches the regular expression pattern (?i)(denied or block), then the security_result.action UDM field is set to BLOCK.

Else, if the threat.alert.action log field value matches the regular expression pattern (?i)(allow or success), then the security_result.action UDM field is set to ALLOW.

Else, if the threat.alert.action log field value matches the regular expression pattern (?i)(fail), then the security_result.action UDM field is set to FAIL.

Else, if the threat.alert.action log field value matches the regular expression pattern (?i)(denied or block), then the security_result.action UDM field is set to BLOCK.
radius.result security_result.action_details
rdp.result security_result.action_details
smb_files.action security_result.action_details
tunnel.action security_result.action_details
threat.alert.category security_result.category_details
kerberos.error_msg security_result.description
sip.warning security_result.description
dce_rpc.operation security_result.detection_fields[dce_rpc_operation]
file.analyzers security_result.detection_fields[file_analyzers]
mqtt.granted_qos_level security_result.detection_fields[mqtt_granted_qos_level]
mqtt.qos_val security_result.detection_fields[mqtt_qos_val]
rdp.cert_count security_result.detection_fields[rdp_cert_count]
rdp.cert_permanent security_result.detection_fields[rdp_cert_permanent]
rdp.cert_type security_result.detection_fields[rdp_cert_type]
rdp.encryption_level security_result.detection_fields[rdp_encryption_level]
rdp.encryption_method security_result.detection_fields[rdp_encryption_method]
rdp.security_protocol security_result.detection_fields[rdp_security_protocol]
ssh.auth_attempts security_result.detection_fields[ssh_auth_attempts]
ssh.cipher_alg security_result.detection_fields[ssh_cipher_alg]
ssh.client security_result.detection_fields[ssh_client]
ssh.compression_alg security_result.detection_fields[ssh_compression_alg]
ssh.host_key_alg security_result.detection_fields[ssh_host_key_alg]
ssh.host_key security_result.detection_fields[ssh_host_key]
ssh.kex_alg security_result.detection_fields[ssh_kex_alg]
ssh.mac_alg security_result.detection_fields[ssh_mac_alg]
ssh.server security_result.detection_fields[ssh_server]
ssl.cert_chain_fuids security_result.detection_fields[ssl_cert_chain_fuids]
ssl.client_cert_chain_fuids security_result.detection_fields[ssl_client_cert_chain_fuids]
ssl.validation_status security_result.detection_fields[ssl_validation_status]
syslog.facility security_result.detection_fields[syslog_facility]
threat.alert.rev security_result.detection_fields[threat_alert_rev]
threat.alert.signature_id security_result.rule_id
decoy.smb.dataset security_result.rule_labels[decoy_smb_dataset] The decoy.smb.dataset log field is mapped to the security_result.rule_labels UDM field.
threat.alert.signature security_result.rule_name
decoy.ftp.dataset security_result.rule_set
security_result.severity If the syslog.severity log field value matches the regular expression pattern (?i)Low, then the security_result.severity UDM field is set to LOW.

Else, if the syslog.severity log field value matches the regular expression pattern (?i)Informational, then the security_result.severity UDM field is set to INFORMATIONAL.

Else, if the syslog.severity log field value matches the regular expression pattern (?i)Medium, then the security_result.severity UDM field is set to MEDIUM.

Else, if the syslog.severity log field value matches the regular expression pattern (?i)Critical, then the security_result.severity UDM field is set to CRITICAL.

Else, if the syslog.severity log field value matches the regular expression pattern (?i)High, then the security_result.severity UDM field is set to HIGH.

Else, if the syslog.severity log field value matches the regular expression pattern (?i)ERROR, then the security_result.severity UDM field is set to ERROR.

Else, if the threat.alert.severity log field value matches the regular expression pattern 4 or 5, then the security_result.severity UDM field is set to HIGH.

Else, if the threat.alert.severity log field value matches the regular expression pattern 1 or 2, then the security_result.severity UDM field is set to LOW.

Else, if the threat.alert.severity log field value matches the regular expression pattern 3, then the security_result.severity UDM field is set to MEDIUM.
syslog.severity security_result.severity_details
threat.alert.severity security_result.severity_details
security_result.summary If the kerberos.error_code log field value is equal to 1, then the security_result.summary UDM field is set to KDC_ERR_NAME_EXP.

Else, if the kerberos.error_code log field value is equal to 2, then the security_result.summary UDM field is set to KDC_ERR_SERVICE_EXP.

Else, if the kerberos.error_code log field value is equal to 3, then the security_result.summary UDM field is set to KDC_ERR_BAD_PVNO.

Else, if the kerberos.error_code log field value is equal to 4, then the security_result.summary UDM field is set to KDC_ERR_C_OLD_MAST_KVNO.

Else, if the kerberos.error_code log field value is equal to 5, then the security_result.summary UDM field is set to KDC_ERR_S_OLD_MAST_KVNO.

Else, if the kerberos.error_code log field value is equal to 6, then the security_result.summary UDM field is set to KDC_ERR_C_PRINCIPAL_UNKNOWN.

Else, if the kerberos.error_code log field value is equal to 7, then the security_result.summary UDM field is set to KDC_ERR_S_PRINCIPAL_UNKNOWN.

Else, if the kerberos.error_code log field value is equal to 8, then the security_result.summary UDM field is set to KDC_ERR_PRINCIPAL_NOT_UNIQUE.

Else, if the kerberos.error_code log field value is equal to 9, then the security_result.summary UDM field is set to KDC_ERR_NULL_KEY.

Else, if the kerberos.error_code log field value is equal to 10, then the security_result.summary UDM field is set to KDC_ERR_CANNOT_POSTDATE.

Else, if the kerberos.error_code log field value is equal to 11, then the security_result.summary UDM field is set to KDC_ERR_NEVER_VALID.

Else, if the kerberos.error_code log field value is equal to 12, then the security_result.summary UDM field is set to KDC_ERR_POLICY.

Else, if the kerberos.error_code log field value is equal to 13, then the security_result.summary UDM field is set to KDC_ERR_BADOPTION.

Else, if the kerberos.error_code log field value is equal to 14, then the security_result.summary UDM field is set to KDC_ERR_ETYPE_NOSUPP.

Else, if the kerberos.error_code log field value is equal to 15, then the security_result.summary UDM field is set to KDC_ERR_SUMTYPE_NOSUPP.

Else, if the kerberos.error_code log field value is equal to 16, then the security_result.summary UDM field is set to KDC_ERR_PADATA_TYPE_NOSUPP.

Else, if the kerberos.error_code log field value is equal to 17, then the security_result.summary UDM field is set to KDC_ERR_TRTYPE_NOSUPP.

Else, if the kerberos.error_code log field value is equal to 18, then the security_result.summary UDM field is set to KDC_ERR_CLIENT_REVOKED.

Else, if the kerberos.error_code log field value is equal to 19, then the security_result.summary UDM field is set to KDC_ERR_SERVICE_REVOKED.

Else, if the kerberos.error_code log field value is equal to 20, then the security_result.summary UDM field is set to KDC_ERR_TGT_REVOKED.

Else, if the kerberos.error_code log field value is equal to 21, then the security_result.summary UDM field is set to KDC_ERR_CLIENT_NOTYET.

Else, if the kerberos.error_code log field value is equal to 22, then the security_result.summary UDM field is set to KDC_ERR_SERVICE_NOTYET.

Else, if the kerberos.error_code log field value is equal to 23, then the security_result.summary UDM field is set to KDC_ERR_KEY_EXPIRED.

Else, if the kerberos.error_code log field value is equal to 24, then the security_result.summary UDM field is set to KDC_ERR_PREAUTH_FAILED.

Else, if the kerberos.error_code log field value is equal to 25, then the security_result.summary UDM field is set to KDC_ERR_PREAUTH_REQUIRED.

Else, if the kerberos.error_code log field value is equal to 26, then the security_result.summary UDM field is set to KDC_ERR_SERVER_NOMATCH.

Else, if the kerberos.error_code log field value is equal to 27, then the security_result.summary UDM field is set to KDC_ERR_MUST_USE_USER2USER.

Else, if the kerberos.error_code log field value is equal to 28, then the security_result.summary UDM field is set to KDC_ERR_PATH_NOT_ACCEPTED.

Else, if the kerberos.error_code log field value is equal to 29, then the security_result.summary UDM field is set to KDC_ERR_SVC_UNAVAILABLE.

Else, if the kerberos.error_code log field value is equal to 31, then the security_result.summary UDM field is set to KRB_AP_ERR_BAD_INTEGRITY.

Else, if the kerberos.error_code log field value is equal to 32, then the security_result.summary UDM field is set to KRB_AP_ERR_TKT_EXPIRED.

Else, if the kerberos.error_code log field value is equal to 33, then the security_result.summary UDM field is set to KRB_AP_ERR_TKT_NYV.

Else, if the kerberos.error_code log field value is equal to 34, then the security_result.summary UDM field is set to KRB_AP_ERR_REPEAT.

Else, if the kerberos.error_code log field value is equal to 35, then the security_result.summary UDM field is set to KRB_AP_ERR_NOT_US.

Else, if the kerberos.error_code log field value is equal to 36, then the security_result.summary UDM field is set to KRB_AP_ERR_BADMATCH.

Else, if the kerberos.error_code log field value is equal to 37, then the security_result.summary UDM field is set to KRB_AP_ERR_SKEW.

Else, if the kerberos.error_code log field value is equal to 38, then the security_result.summary UDM field is set to KRB_AP_ERR_BADADDR.

Else, if the kerberos.error_code log field value is equal to 39, then the security_result.summary UDM field is set to KRB_AP_ERR_BADVERSION.

Else, if the kerberos.error_code log field value is equal to 40, then the security_result.summary UDM field is set to KRB_AP_ERR_MSG_TYPE.

Else, if the kerberos.error_code log field value is equal to 41, then the security_result.summary UDM field is set to KRB_AP_ERR_MODIFIED.

Else, if the kerberos.error_code log field value is equal to 42, then the security_result.summary UDM field is set to KRB_AP_ERR_BADORDER.

Else, if the kerberos.error_code log field value is equal to 44, then the security_result.summary UDM field is set to KRB_AP_ERR_BADKEYVER.

Else, if the kerberos.error_code log field value is equal to 45, then the security_result.summary UDM field is set to KRB_AP_ERR_NOKEY.

Else, if the kerberos.error_code log field value is equal to 46, then the security_result.summary UDM field is set to KRB_AP_ERR_MUT_FAIL.

Else, if the kerberos.error_code log field value is equal to 47, then the security_result.summary UDM field is set to KRB_AP_ERR_BADDIRECTION.

Else, if the kerberos.error_code log field value is equal to 48, then the security_result.summary UDM field is set to KRB_AP_ERR_METHOD.

Else, if the kerberos.error_code log field value is equal to 49, then the security_result.summary UDM field is set to KRB_AP_ERR_BADSEQ.

Else, if the kerberos.error_code log field value is equal to 50, then the security_result.summary UDM field is set to KRB_AP_ERR_INAPP_CKSUM.

Else, if the kerberos.error_code log field value is equal to 51, then the security_result.summary UDM field is set to KRB_AP_PATH_NOT_ACCEPTED.

Else, if the kerberos.error_code log field value is equal to 52, then the security_result.summary UDM field is set to KRB_ERR_RESPONSE_TOO_BIG.

Else, if the kerberos.error_code log field value is equal to 60, then the security_result.summary UDM field is set to KRB_ERR_GENERIC.

Else, if the kerberos.error_code log field value is equal to 61, then the security_result.summary UDM field is set to KRB_ERR_FIELD_TOOLONG.

Else, if the kerberos.error_code log field value is equal to 62, then the security_result.summary UDM field is set to KDC_ERROR_CLIENT_NOT_TRUSTED.

Else, if the kerberos.error_code log field value is equal to 63, then the security_result.summary UDM field is set to KDC_ERROR_KDC_NOT_TRUSTED.

Else, if the kerberos.error_code log field value is equal to 64, then the security_result.summary UDM field is set to KDC_ERROR_INVALID_SIG.

Else, if the kerberos.error_code log field value is equal to 65, then the security_result.summary UDM field is set to KDC_ERR_KEY_TOO_WEAK.

Else, if the kerberos.error_code log field value is equal to 66, then the security_result.summary UDM field is set to KDC_ERR_CERTIFICATE_MISMATCH.

Else, if the kerberos.error_code log field value is equal to 67, then the security_result.summary UDM field is set to KRB_AP_ERR_NO_TGT.

Else, if the kerberos.error_code log field value is equal to 68, then the security_result.summary UDM field is set to KDC_ERR_WRONG_REALM.

Else, if the kerberos.error_code log field value is equal to 69, then the security_result.summary UDM field is set to KRB_AP_ERR_USER_TO_USER_REQUIRED.

Else, if the kerberos.error_code log field value is equal to 70, then the security_result.summary UDM field is set to KDC_ERR_CANT_VERIFY_CERTIFICATE.

Else, if the kerberos.error_code log field value is equal to 71, then the security_result.summary UDM field is set to KDC_ERR_INVALID_CERTIFICATE.

Else, if the kerberos.error_code log field value is equal to 72, then the security_result.summary UDM field is set to KDC_ERR_REVOKED_CERTIFICATE.

Else, if the kerberos.error_code log field value is equal to 73, then the security_result.summary UDM field is set to KDC_ERR_REVOCATION_STATUS_UNKNOWN.

Else, if the kerberos.error_code log field value is equal to 74, then the security_result.summary UDM field is set to KDC_ERR_REVOCATION_STATUS_UNAVAILABLE.

Else, if the kerberos.error_code log field value is equal to 75, then the security_result.summary UDM field is set to KDC_ERR_CLIENT_NAME_MISMATCH.

Else, if the kerberos.error_code log field value is equal to 76, then the security_result.summary UDM field is set to KDC_ERR_KDC_NAME_MISMATCH.
target.asset.asset_id The Zscaler:pe.machine log field is mapped to the target.asset.asset_id UDM field.
target.file.file_type If the pe.is_exe log field value is equal to true, then the target.file.file_type UDM field is set to FILE_TYPE_PE_EXE.
smb_files.times.created target.file.first_submission_time
file.source target.file.full_path
smb_files.path target.file.full_path
smb_mapping.path target.file.full_path
smb_files.times.accessed target.file.last_analysis_time
smb_files.times.changed target.file.last_modification_time If the smb_files.times.modified log field value is not empty, then the smb_files.times.modified log field is mapped to the target.file.last_modification_time UDM field.

Else, if the smb_files.times.changed log field value is not empty, then the smb_files.times.changed log field is mapped to the target.file.last_modification_time UDM field.
smb_files.times.modified target.file.last_modification_time If the smb_files.times.modified log field value is not empty, then the smb_files.times.modified log field is mapped to the target.file.last_modification_time UDM field.
file.md5 target.file.md5
file.mime_type target.file.mime_type
smb_files.name target.file.names
pe.compile_ts target.file.pe_file.compilation_time
pe.section_names target.file.pe_file.section.name The pe.section_names log field is mapped to the target.file.pe_file.section.name UDM field.
file.sha1 target.file.sha1
file.total_bytes target.file.size
smb_files.size target.file.size
socks.request target.hostname
scan.ips target.ip The scan.ips log field is mapped to the target.ip UDM field.
network.resp_bytes target.network.sent_bytes
network.resp_pkts target.network.sent_packets
target.platform If the pe.os log field value matches the regular expression pattern (?i)Win, then the principal.platform UDM field is set to WINDOWS.

Else, if the pe.os log field value matches the regular expression pattern (?i)Lin, then the principal.platform UDM field is set to LINUX.

Else, if the pe.os log field value matches the regular expression pattern (?i)(Mac or iOS), then the principal.platform UDM field is set to MAC.
rfb.server_major_version target.platform_version The rfb.server_major_version rfb.server_minor_version log field is mapped to the target.platform_version UDM field.
rfb.server_minor_version target.platform_version The rfb.server_major_version rfb.server_minor_version log field is mapped to the target.platform_version UDM field.
scan.ports target.port If the index log field value is equal to 0, then the scan.ports log field is mapped to the target.port UDM field.

Else, the scan.ports log field is mapped to the additional.fields.value.string_value UDM field.
socks.request_p target.port The socks.request_p log field is mapped to the target.port UDM field.
dce_rpc.endpoint target.resource_ancestors.name
target.resource_ancestors.resource_type If the dce_rpc.endpoint log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE.
rfb.height target.resource.attribute.labels[rfb_height]
rfb.width target.resource.attribute.labels[rfb_width]
dce_rpc.named_pipe target.resource.name
kerberos.service target.resource.name
rfb.desktop_name target.resource.name
target.resource.resource_type If the dce_rpc.named_pipe log field value is not empty, then the target.resource.resource_type UDM field is set to PIPE.

Else, if the kerberos.service log field value is not empty, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE.

Else, if the rfb.desktop_name log field value is not empty, then the target.resource.resource_type UDM field is set to DEVICE.
sip.uri target.url
ntlm.username target.user.userid
radius.username target.user.userid
dce_rpc.rtt additional.fields[dce_rpc_rtt]
decoy.ftp.banner additional.fields[decoy_ftp_banner]
dnp3.fc_reply additional.fields[dnp3_fc_reply]
dnp3.fc_request additional.fields[dnp3_fc_request]
dnp3.iin additional.fields[dnp3_iin]
dns.qclass_name additional.fields[dns_qclass_name]
dns.qtype_name additional.fields[dns_qtype_name]
dns.rcode_name additional.fields[dns_rcode_name]
dns.rtt additional.fields[dns_rtt]
dns.saw_query additional.fields[dns_saw_query]
dns.saw_reply additional.fields[dns_saw_reply]
dns.TC additional.fields[dns_tc]
dns.total_answers additional.fields[dns_total_answers]
dns.total_replies additional.fields[dns_total_replies]
dns.Z additional.fields[dns_z]
file.depth additional.fields[file_depth]
file.duration additional.fields[file_duration]
file.is_orig additional.fields[file_is_orig]
file.missing_bytes additional.fields[file_missing_bytes]
file.overflow_bytes additional.fields[file_overflow_bytes]
file.seen_bytes additional.fields[file_seen_bytes]
file.timedout additional.fields[file_timedout]
file.uid additional.fields[file_uid]
ftp.arg additional.fields[ftp_arg]
ftp.data_channel.passive additional.fields[ftp_data_channel_passive]
ftp.reply_code additional.fields[ftp_reply_code]
ftp.reply_msg additional.fields[ftp_reply_msg]
irc.addl additional.fields[irc_addl]
irc.nick additional.fields[irc_nick]
irc.value additional.fields[irc_value]
kerberos.cipher additional.fields[kerberos_cipher]
kerberos.forwardable additional.fields[kerberos_forwardable]
kerberos.from additional.fields[kerberos_from]
kerberos.logged additional.fields[kerberos_logged]
kerberos.renewable additional.fields[kerberos_renewable]
kerberos.request_type additional.fields[kerberos_request_type]
kerberos.success additional.fields[kerberos_success]
kerberos.till additional.fields[kerberos_till]
modbus.func additional.fields[modbus_func]
mqtt.ack additional.fields[mqtt_ack]
mqtt.action additional.fields[mqtt_action]
mqtt.connect_status additional.fields[mqtt_connect_status]
mqtt.from_client additional.fields[mqtt_from_client]
mqtt.message_type additional.fields[mqtt_message_type]
mqtt.payload_len additional.fields[mqtt_payload_len]
mqtt.payload additional.fields[mqtt_payload]
mqtt.retain additional.fields[mqtt_retain]
mqtt.status additional.fields[mqtt_status]
mqtt.topic additional.fields[mqtt_topic]
mqtt.topics additional.fields[mqtt_topics]
mysql.arg additional.fields[mysql_arg]
mysql.cmd additional.fields[mysql_cmd]
mysql.response additional.fields[mysql_response]
mysql.rows additional.fields[mysql_rows]
network.conn_state additional.fields[network_conn_state]
network.connection_uids additional.fields[network_connection_uids] The network.connection_uids log field is mapped to the additional.fields.value.string_value UDM field.
network.history additional.fields[network_history]
network.icmp_type additional.fields[network_icmp_type]
network.local_orig additional.fields[network_local_orig]
network.local_resp additional.fields[network_local_resp]
network.missed_bytes additional.fields[network_missed_bytes]
network.orig_ip_bytes additional.fields[network_orig_ip_bytes]
network.resp_ip_bytes additional.fields[network_resp_ip_bytes]
network.service additional.fields[network_service]
ntlm.done additional.fields[ntlm_done]
ntlm.status additional.fields[ntlm_status]
pe.has_cert_table additional.fields[pe_has_cert_table]
pe.has_debug_data additional.fields[pe_has_debug_data]
pe.has_export_table additional.fields[pe_has_export_table]
pe.has_import_table additional.fields[pe_has_import_table]
pe.is_64bit additional.fields[pe_is_64bit]
pe.subsystem additional.fields[pe_subsystem]
pe.uses_aslr additional.fields[pe_uses_aslr]
pe.uses_code_integrity additional.fields[pe_uses_code_integrity]
pe.uses_dep additional.fields[pe_uses_dep]
pe.uses_seh additional.fields[pe_uses_seh]
radius.connect_info additional.fields[radius_connect_info]
radius.logged additional.fields[radius_logged]
rdp.desktop_height additional.fields[rdp_desktop_height]
rdp.desktop_width additional.fields[rdp_desktop_width]
rdp.keyboard_layout additional.fields[rdp_keyboard_layout]
rdp.requested_color_depth additional.fields[rdp_requested_color_depth]
rfb.auth additional.fields[rfb_auth]
rfb.done additional.fields[rfb_done]
rfb.share_flag additional.fields[rfb_share_flag]
scan.type additional.fields[scan_type]
sip.call_id additional.fields[sip_call_id]
sip.content_type additional.fields[sip_content_type]
sip.date additional.fields[sip_date]
sip.reply_to additional.fields[sip_reply_to]
sip.request_body_len additional.fields[sip_request_body_len]
sip.request_from additional.fields[sip_request_from]
sip.request_path additional.fields[sip_request_path] The sip.request_path log field is mapped to the additional.fields.value.string_value UDM field.
sip.request_to additional.fields[sip_request_to]
sip.response_body_len additional.fields[sip_response_body_len]
sip.response_from additional.fields[sip_response_from]
sip.response_path additional.fields[sip_response_path] The sip.response_path log field is mapped to the additional.fields.value.string_value UDM field.
sip.response_to additional.fields[sip_response_to]
sip.seq additional.fields[sip_seq]
sip.status_msg additional.fields[sip_status_msg]
sip.subject additional.fields[sip_subject]
sip.trans_depth additional.fields[sip_trans_depth]
smb_mapping.share_type additional.fields[smb_mapping_share_type]
smtp.date additional.fields[smtp_date]
smtp.first_received additional.fields[smtp_first_received]
smtp.has_client_activity additional.fields[smtp_has_client_activity]
smtp.last_reply additional.fields[smtp_last_reply]
smtp.msg_id additional.fields[smtp_msg_id]
smtp.path_list additional.fields[smtp_path_list]
smtp.process_received_from additional.fields[smtp_process_received_from]
smtp.second_received additional.fields[smtp_second_received]
smtp.trans_depth additional.fields[smtp_trans_depth]
smtp.user_agent additional.fields[smtp_user_agent]
snmp.duration additional.fields[snmp_duration]
snmp.get_bulk_requests additional.fields[snmp_get_bulk_requests]
snmp.get_requests additional.fields[snmp_get_requests]
snmp.get_responses additional.fields[snmp_get_responses]
snmp.set_requests additional.fields[snmp_set_requests]
snmp.up_since additional.fields[snmp_up_since]
socks.status additional.fields[socks_status]
socks.version additional.fields[socks_version]
tunnel.tunnel_type additional.fields[tunnel_tunnel_type]

필드 매핑 참조: ZSCALER_DECEPTION - postgresql

다음 표에는 postgresql 로그 유형의 원시 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
postgresql.message metadata.description
type metadata.product_event_type
postgresql.user principal.user.userid
postgresql.error_severity security_result.detection_fields[postgresql_error_severity]
postgresql.state_code security_result.detection_fields[postgresql_state_code]
postgresql.application_name target.application
postgresql.session_id target.network.session_id
postgresql.statement target.process.command_line
postgresql.pid target.process.pid
target.process.product_specific_process_id The Deception:postgresql.vpid log field is mapped to the target.process.product_specific_process_id UDM field.
postgresql.dbname target.resource.name
target.resource.resource_type The target.resource.resource_type UDM field is set to DATABASE.
postgresql.password additional.fields[postgresql_password]
postgresql.vxid additional.fields[postgresql_vxid]

필드 매핑 참조: ZSCALER_DECEPTION - QOS

다음 표에는 QOS 로그 유형의 원시 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
type metadata.product_event_type
qos.message security_result.summary

필드 매핑 참조: ZSCALER_DECEPTION - recon

다음 표에는 recon 로그 유형의 원시 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
extensions.auth.mechanism The extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD.
recon.cve_type extensions.vulns.vulnerabilities.about.security_result.detection_fields[recon_cve_type]
recon.cve_name extensions.vulns.vulnerabilities.cve_description
recon.cve_id extensions.vulns.vulnerabilities.cve_id
timestamp(Europe/Amsterdam) metadata.event_timestamp
metadata.event_type If (the recon.http_x_forwarded_for log field value is not empty or the attacker.ip log field value is not empty or the attacker.name log field value is not empty) and (the decoy.ip log field value is not empty or the recon.host log field value is not empty), then the metadata.event_type UDM field is set to NETWORK_CONNECTION.

Else, if the recon.http_x_forwarded_for log field value is not empty or the attacker.ip log field value is not empty or the attacker.name log field value is not empty, then the metadata.event_type UDM field is set to STATUS_UPDATE.

Else, the metadata.event_type UDM field is set to USER_STATS.
type metadata.product_event_type
id metadata.product_log_id
recon.bytes_sent network.sent_bytes
attacker.name principal.hostname
recon.http_x_forwarded_for principal.ip
attacker.ip principal.ip
recon.scheme principal.network.application_protocol If the recon.scheme log field value contain one of the following values, then the recon.scheme log field is mapped to the principal.network.application_protocol UDM field.
  • AFP
  • APPC
  • AMQP
  • ATOM
  • BEEP
  • BITCOIN
  • BIT_TORRENT
  • CFDP
  • COAP
  • DCERPC
  • DDS
  • DEVICE_NET
  • DHCP
  • DNS
  • E_DONKEY
  • ENRP
  • FAST_TRACK
  • FINGER
  • FREENET
  • FTAM
  • GOPHER
  • HL7
  • H323
  • HTTP
  • HTTPS
  • IRCP
  • KADEMLIA
  • KRB5
  • LDAP
  • LPD
  • MIME
  • MODBUS
  • MQTT
  • NETCONF
  • NFS
  • NIS
  • NNTP
  • NTCIP
  • NTP
  • OSCAR
  • PNRP
  • QUIC
  • RDP
  • RELP
  • RIP
  • RLOGIN
  • RPC
  • RTMP
  • RTP
  • RTPS
  • RTSP
  • SAP
  • SDP
  • SIP
  • SLP
  • SMB
  • SMTP
  • SNTP
  • SSH
  • SSMS
  • STYX
  • TCAP
  • TDS
  • TOR
  • TSP
  • VTP
  • WHOIS
  • WEB_DAV
  • X400
  • X500
  • XMPP
attacker.id principal.network.dns.id
recon.method principal.network.http.method
recon.http_referrer principal.network.http.referral_url
recon.status principal.network.http.response_code
recon.user_agent.string principal.network.http.user_agent If the recon.user_agent.string log field value is not empty or the recon.user_agent.string log field value is not equal to $, then the recon.user_agent.string log field is mapped to the principal.network.http.user_agent UDM field.
principal.platform If the recon.user_agent.os.family log field value matches the regular expression pattern (?i)WIN, then the principal.platform UDM field is set to WINDOWS.

Else, if the recon.user_agent.os.family log field value matches the regular expression pattern (?i)LIN, then the principal.platform UDM field is set to LINUX.

Else, if the recon.user_agent.os.family log field value matches the regular expression pattern (?i)(MAC or iOS), then the principal.platform UDM field is set to MAC.
recon.user_agent.os.patch principal.platform_patch_level
recon.user_agent.os.major principal.platform_version The recon.user_agent.os.major recon.user_agent.os.minor log field is mapped to the principal.platform_version UDM field.
recon.user_agent.os.minor principal.platform_version The recon.user_agent.os.major recon.user_agent.os.minor log field is mapped to the principal.platform_version UDM field.
attacker.port principal.port
attacker.threat_parse_ids principal.security_result.detection_fields[attacker_threat_parse_ids] The attacker.threat_parse_ids log field is mapped to the security_result.detection_fields UDM field.
attacker.score principal.security_result.risk_score
recon.uri principal.url
recon.post_data.username principal.user.email_addresses
mitre_ids security_result.attack_details.techniques.id The mitre_ids log field is mapped to the security_result.attack_details.techniques.id UDM field.
abuseip.abuseConfidenceScore security_result.confidence_score
is_itdr security_result.detection_fields[is_itdr]
kill_chain_phase security_result.detection_fields[kill_chain_phase]
threat_parse_ids security_result.detection_fields[threat_parse_ids] The threat_parse_ids log field is mapped to the security_result.detection_fields UDM field.
whitelisted security_result.detection_fields[whitelisted]
updated_on security_result.last_updated_time
score security_result.risk_score
decoy.recon.dataset_type security_result.rule_labels[decoy_recon_dataset_type]
decoy.recon.dataset security_result.rule_set
severity security_result.severity If the severity log field value contain one of the following values, then the severity log field is mapped to the security_result.severity UDM field.
  • LOW
  • MEDIUM
  • HIGH
  • CRITICAL
severity security_result.severity_details
abuseip.ipAddress src.artifact.ip
abuseip.lastReportedAt src.artifact.last_seen_time
abuseip.countryCode src.artifact.location.country_or_region
recon.server_name target.domain.whois_server
decoy.group target.group.group_display_name
recon.host target.hostname
decoy.ip target.ip
target.network.application_protocol The app_proto field is extracted from recon.server_protocol log field using the Grok pattern.
If the app_proto log field value contain one of the following values, then the app_proto extracted field is mapped to the target.network.application_protocol UDM field.
  • AFP
  • APPC
  • AMQP
  • ATOM
  • BEEP
  • BITCOIN
  • BIT_TORRENT
  • CFDP
  • COAP
  • DCERPC
  • DDS
  • DEVICE_NET
  • DHCP
  • DNS
  • E_DONKEY
  • ENRP
  • FAST_TRACK
  • FINGER
  • FREENET
  • FTAM
  • GOPHER
  • HL7
  • H323
  • HTTP
  • HTTPS
  • IRCP
  • KADEMLIA
  • KRB5
  • LDAP
  • LPD
  • MIME
  • MODBUS
  • MQTT
  • NETCONF
  • NFS
  • NIS
  • NNTP
  • NTCIP
  • NTP
  • OSCAR
  • PNRP
  • QUIC
  • RDP
  • RELP
  • RIP
  • RLOGIN
  • RPC
  • RTMP
  • RTP
  • RTPS
  • RTSP
  • SAP
  • SDP
  • SIP
  • SLP
  • SMB
  • SMTP
  • SNTP
  • SSH
  • SSMS
  • STYX
  • TCAP
  • TDS
  • TOR
  • TSP
  • VTP
  • WHOIS
  • WEB_DAV
  • X400
  • X500
  • XMPP
target.network.application_protocol_version The proto_version field is extracted from recon.server_protocol log field using the Grok pattern.
If the proto_version log field value is not empty, then the proto_version extracted field is mapped to the target.network.application_protocol_version UDM field.
decoy.name target.resource.name
decoy.id target.resource.product_object_id
decoy.type target.resource.resource_subtype
decoy.client.id target.user.product_object_id
decoy.client.name target.user.user_display_name
recon.http_basicauth_user target.user.userid
version additional.fields[version]
abuseip.ipVersion additional.fields[abuseip_ipversion]
abuseip.isPublic additional.fields[abuseip_ispublic]
abuseip.isWhitelisted additional.fields[abuseip_iswhitelisted]
abuseip.totalReports additional.fields[abuseip_total_reports]
decoy.appliance.id additional.fields[decoy_appliance_id]
decoy.appliance.name additional.fields[decoy_appliance_name]
decoy.network_name additional.fields[decoy_network_name]
decoy.recon.server_type additional.fields[decoy_recon_server_type]
decoy.vlan_id additional.fields[decoy_vlan_id]
heatmap_per_week_15_min additional.fields[heatmap_per_week_15_min]
indexed_on additional.fields[indexed_on]
recon.content_length additional.fields[recon_content_length]
recon.post_data.password additional.fields[recon_post_data_password]
recon.post_data additional.fields[recon_post_data]
recon.query_string additional.fields[recon_query_string]
recon.request_body additional.fields[recon_request_body]
recon.request_length additional.fields[recon_request_length]
recon.request_time additional.fields[recon_request_time]
recon.request_uri additional.fields[recon_request_uri]
recon.request additional.fields[recon_request]
recon.user_agent.family additional.fields[recon_user_agent_family]
recon.user_agent.major additional.fields[recon_user_agent_major]
recon.user_agent.minor additional.fields[recon_user_agent_minor]
recon.user_agent.patch additional.fields[recon_user_agent_patch]
record_type additional.fields[record_type]
update_id additional.fields[update_id]

필드 매핑 참조: ZSCALER_DECEPTION - scada

다음 표에는 scada 로그 유형의 원시 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
scada.event_type metadata.description
type metadata.product_event_type
decoy.scada.dataset security_result.rule_set
scada.data_type additional.fields[scada_data_type]
scada.request additional.fields[scada_request]
scada.response additional.fields[scada_response]

필드 매핑 참조: ZSCALER_DECEPTION - ssh, telnet

다음 표에는 sshtelnet 로그 유형의 원시 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
extensions.auth.mechanism If the linux.remote_host log field value is not empty, then the extensions.auth.mechanism UDM field is set to REMOTE.
metadata.event_type If the linux.remote_host log field value is not empty and the linux.user log field value is not empty, then the metadata.event_type UDM field is set to USER_LOGIN.

Else, the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS.
type metadata.product_event_type
linux.read_bytes network.received_bytes
linux.written_bytes network.sent_bytes
linux.remote_host principal.ip
linux.vpid principal.process.pid
linux.owner_id principal.user.product_object_id
linux.user principal.user.userid If the linux.remote_host log field value is not empty, then the linux.user log field is mapped to the target.user.userid UDM field.

Else, the linux.user log field is mapped to the principal.user.userid UDM field.
linux.password security_result.detection_fields[linux_password]
linux.new_path target.file.full_path
linux.mode target.file.security_result.detection_fields[linux_mode]
linux.group_id target.group.product_object_id
target.platform If the decoy.ssh.ostype log field value matches the regular expression pattern (?i)Win, then the target.platform UDM field is set to WINDOWS.

Else, if the decoy.ssh.ostype log field value matches the regular expression pattern (?i)Lin, then the target.platform UDM field is set to LINUX.

Else, if the decoy.ssh.ostype log field value matches the regular expression pattern (?i)(Mac or iOS), then the target.platform UDM field is set to MAC.

If the decoy.telnet.ostype log field value matches the regular expression pattern (?i)Win, then the target.platform UDM field is set to WINDOWS.

Else, if the decoy.telnet.ostype log field value matches the regular expression pattern (?i)Lin, then the target.platform UDM field is set to LINUX.

Else, if the decoy.telnet.ostype log field value matches the regular expression pattern (?i)(Mac or iOS), then the target.platform UDM field is set to MAC.
linux.command_line target.process.command_line
linux.path target.process.file.full_path
linux.ppid target.process.parent_process.pid
linux.pid target.process.pid
target.process.product_specific_process_id The Deception:linux.process_name log field is mapped to the target.process.product_specific_process_id UDM field.
linux.container_name target.resource.name
target.resource.resource_type If the linux.container_name log field value is not empty, then the target.resource.resource_type UDM field is set to CONTAINER.
linux.connection_info additional.fields[linux_connection_info]
linux.flags additional.fields[linux_flags]
linux.info additional.fields[linux_info]
linux.parent_process_name additional.fields[linux_parent_process_name]

필드 매핑 참조: ZSCALER_DECEPTION - web

다음 표에는 web 로그 유형의 원시 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
extensions.auth.mechanism The extensions.auth.mechanism UDM field is set to USERNAME_PASSWORD.
web.cve_type extensions.vulns.vulnerabilities.about.security_result.detection_fields[web_cve_type]
web.cve_name extensions.vulns.vulnerabilities.cve_description
web.cve_id extensions.vulns.vulnerabilities.cve_id
metadata.event_type If the web.http_x_forwarded_for log field value is not empty and (the web.http_basicauth_user log field value is not empty or the web.post_data.username log field value is not empty), then the metadata.event_type UDM field is set to USER_LOGIN.

Else, the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS.
type metadata.product_event_type
web.bytes_sent network.sent_bytes
web.http_x_forwarded_for principal.ip
web.scheme principal.network.application_protocol If the web.scheme log field value contain one of the following values, then the web.scheme log field is mapped to the principal.network.application_protocol UDM field.
  • AFP
  • APPC
  • AMQP
  • ATOM
  • BEEP
  • BITCOIN
  • BIT_TORRENT
  • CFDP
  • COAP
  • DCERPC
  • DDS
  • DEVICE_NET
  • DHCP
  • DNS
  • E_DONKEY
  • ENRP
  • FAST_TRACK
  • FINGER
  • FREENET
  • FTAM
  • GOPHER
  • HL7
  • H323
  • HTTP
  • HTTPS
  • IRCP
  • KADEMLIA
  • KRB5
  • LDAP
  • LPD
  • MIME
  • MODBUS
  • MQTT
  • NETCONF
  • NFS
  • NIS
  • NNTP
  • NTCIP
  • NTP
  • OSCAR
  • PNRP
  • QUIC
  • RDP
  • RELP
  • RIP
  • RLOGIN
  • RPC
  • RTMP
  • RTP
  • RTPS
  • RTSP
  • SAP
  • SDP
  • SIP
  • SLP
  • SMB
  • SMTP
  • SNTP
  • SSH
  • SSMS
  • STYX
  • TCAP
  • TDS
  • TOR
  • TSP
  • VTP
  • WHOIS
  • WEB_DAV
  • X400
  • X500
  • XMPP
web.method principal.network.http.method
web.http_referrer principal.network.http.referral_url
web.status principal.network.http.response_code
web.user_agent.string principal.network.http.user_agent
principal.platform If the web.user_agent.os.family log field value matches the regular expression pattern (?i)Win, then the principal.platform UDM field is set to WINDOWS.

Else, if the web.user_agent.os.family log field value matches the regular expression pattern (?i)Lin, then the principal.platform UDM field is set to LINUX.

Else, if the web.user_agent.os.family log field value matches the regular expression pattern (?i)(Mac or iOS), then the principal.platform UDM field is set to MAC.
web.user_agent.os.patch principal.platform_patch_level
web.user_agent.os.major principal.platform_version The web.user_agent.os.major web.user_agent.os.minor log field is mapped to the principal.platform_version UDM field.
web.user_agent.os.minor principal.platform_version The web.user_agent.os.major web.user_agent.os.minor log field is mapped to the principal.platform_version UDM field.
web.uri principal.url
decoy.web.dataset_type security_result.rule_labels[decoy_web_dataset_type]
decoy.web.dataset security_result.rule_set
web.host target.hostname
target.network.application_protocol The app_proto field is extracted from web.server_protocol log field using the Grok pattern.
If the app_proto log field value contain one of the following values, then the app_proto extracted field is mapped to the target.network.application_protocol UDM field.
  • AFP
  • APPC
  • AMQP
  • ATOM
  • BEEP
  • BITCOIN
  • BIT_TORRENT
  • CFDP
  • COAP
  • DCERPC
  • DDS
  • DEVICE_NET
  • DHCP
  • DNS
  • E_DONKEY
  • ENRP
  • FAST_TRACK
  • FINGER
  • FREENET
  • FTAM
  • GOPHER
  • HL7
  • H323
  • HTTP
  • HTTPS
  • IRCP
  • KADEMLIA
  • KRB5
  • LDAP
  • LPD
  • MIME
  • MODBUS
  • MQTT
  • NETCONF
  • NFS
  • NIS
  • NNTP
  • NTCIP
  • NTP
  • OSCAR
  • PNRP
  • QUIC
  • RDP
  • RELP
  • RIP
  • RLOGIN
  • RPC
  • RTMP
  • RTP
  • RTPS
  • RTSP
  • SAP
  • SDP
  • SIP
  • SLP
  • SMB
  • SMTP
  • SNTP
  • SSH
  • SSMS
  • STYX
  • TCAP
  • TDS
  • TOR
  • TSP
  • VTP
  • WHOIS
  • WEB_DAV
  • X400
  • X500
  • XMPP
web.post_data.username target.user.email_addresses
web.http_basicauth_user target.user.userid
decoy.web.server_type additional.fields[decoy_web_server_type]
web.content_length additional.fields[web_content_length]
web.post_data.password additional.fields[web_post_data_password]
web.post_data additional.fields[web_post_data]
web.query_string additional.fields[web_query_string]
web.request_body additional.fields[web_request_body]
web.request_length additional.fields[web_request_length]
web.request_time additional.fields[web_request_time]
web.request_uri additional.fields[web_request_uri]
web.request additional.fields[web_request]
web.user_agent.family additional.fields[web_user_agent_family]
web.user_agent.major additional.fields[web_user_agent_major]
web.user_agent.minor additional.fields[web_user_agent_minor]
web.user_agent.patch additional.fields[web_user_agent_patch]

필드 매핑 참조: ZSCALER_DECEPTION - windows

다음 표에는 windows 로그 유형의 원시 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
metadata.event_type If the file.path log field value is not empty and the attacker.domain log field value is not empty, then if the file.operation log field value matches the regular expression pattern (?i)read, then the metadata.event_type UDM field is set to FILE_READ.

Else, if the file.path log field value is not empty and the attacker.domain log field value is not empty, then if the file.operation log field value matches the regular expression pattern (?i)write or modify or encrypt, then the metadata.event_type UDM field is set to FILE_MODIFICATION.

Else, if the file.path log field value is not empty and the attacker.domain log field value is not empty, then if the file.operation log field value matches the regular expression pattern (?i)create, then the metadata.event_type UDM field is set to FILE_CREATION.

Else, if the file.path log field value is not empty and the attacker.domain log field value is not empty, then if the file.operation log field value matches the regular expression pattern (?i)delete, then the metadata.event_type UDM field is set to FILE_DELETION.

Else, if the file.path log field value is not empty and the attacker.domain log field value is not empty, then if the file.operation log field value matches the regular expression pattern (?i)open, then the metadata.event_type UDM field is set to FILE_OPEN.

Else, if the file.path log field value is not empty and the attacker.domain log field value is not empty, then if the file.operation log field value matches the regular expression pattern (?i)sync, then the metadata.event_type UDM field is set to FILE_SYNC.

Else, if the file.path log field value is not empty and the attacker.domain log field value is not empty, then if the file.operation log field value matches the regular expression pattern (?i)copy, then the metadata.event_type UDM field is set to FILE_COPY.

Else, if the file.path log field value is not empty and the attacker.domain log field value is not empty, then if the file.operation log field value matches the regular expression pattern (?i)move, then the metadata.event_type UDM field is set to FILE_MOVE.

Else, if the attacker.domain log field value is not empty and (the powershell.path log field value is not empty or the powershell.script_block_id log field value is not empty or the powershell.script_block_text log field value is not empty), then the metadata.event_type UDM field is set to PROCESS_TERMINATION.

Else, if the attacker.domain log field value is not empty and (the smb.path log field value is not empty or the smb.file_name log field value is not empty), then the metadata.event_type UDM field is set to FILE_READ.

Else, if the attacker.domain log field value is not empty and the network.destination.ip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.

Else, if the attacker.domain log field value is not empty and (the wmi_process.command_line log field value is not empty or the wmi_process.created_process_id log field value is not empty), then the metadata.event_type UDM field is set to PROCESS_LAUNCH.

Else, if the attacker.domain log field value is not empty and the windows.base_vm_ip log field value is not empty, then the metadata.event_type UDM field is set to STATUS_STARTUP.

Else, the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS.
type metadata.product_event_type
windows.incident_id metadata.product_log_id
network.application_protocol If the message log field value matches the regular expression pattern ldap., then the network.application_protocol UDM field is set to LDAP.

Else, if the message log field value matches the regular expression pattern rdp., then the network.application_protocol UDM field is set to RDP.

Else, if the message log field value matches the regular expression pattern smb., then the network.application_protocol UDM field is set to SMB.
smb.session_guid network.session_id
winrm.activity_id network.session_id
attacker.process.domain_name principal.domain.name
attacker.domain principal.hostname
attacker.process.session_id principal.network.session_id
attacker.process.command_line principal.process.command_line
attacker.process.md5 principal.process.file.md5
attacker.process.sha1 principal.process.file.sha1
attacker.process.sha256 principal.process.file.sha256
attacker.process.parent principal.process.parent_process.pid
attacker.process.id principal.process.pid
psexec.service_name principal.resource.name
principal.resource.resource_type If the psexec.service_name log field value is not empty, then the principal.resource.resource_type UDM field is set to BACKEND_SERVICE.
attacker.process.user_groups principal.user.group_identifiers The attacker.process.user_groups log field is mapped to the principal.user.group_identifiers UDM field.
attacker.process.user_ou principal.user.group_identifiers The attacker.process.user_groups log field is mapped to the principal.user.group_identifiers UDM field and the attacker.process.user_ou log field is mapped to the principal.user.group_identifiers UDM field.
attacker.process.user_name principal.user.user_display_name
attacker.user principal.user.userid
attacker.process.user_sid principal.user.windows_sid
attacker.process.exit_code security_result.detection_fields[attacker_process_exit_code]
file.operation_string security_result.detection_fields[file_operation_string]
file.operation security_result.detection_fields[file_operation]
mssql.data_sensitivity_information security_result.detection_fields[mssql_data_sensitivity_information]
mssql.is_column_permission security_result.detection_fields[mssql_is_column_permission]
decoy.smb.dataset security_result.rule_set
smb.disconnect_reason security_result.summary
network.source.hostname src.hostname
network.source.ip src.ip
network.source.port src.port
wmi_process.client_machine_fqdn target.domain.name
mssql.server_instance_name target.domain.name_server
file.path target.file.full_path
smb.path target.file.full_path
psexec.md5 target.file.md5
file.file_name target.file.names
psexec.file_and_pipe_names target.file.names The psexec.file_and_pipe_names log field is mapped to the target.file.names UDM field.
smb.file_name target.file.names
psexec.sha1 target.file.sha1
psexec.sha256 target.file.sha256
mssql.host_name target.hostname
network.destination.hostname target.hostname
wmi_process.client_machine target.hostname
windows.base_vm_ip target.ip
mssql.client_ip target.ip
network.destination.ip target.ip
mssql.duration_milliseconds target.network.session_duration.seconds
mssql.session_id target.network.session_id
rdp.session_id target.network.session_id
smb.connection_guid target.network.session_id
target.platform If the decoy.vm.os log field value matches the regular expression pattern (?i)Win, then the target.platform UDM field is set to WINDOWS.

Else, if the decoy.vm.os log field value matches the regular expression pattern (?i)Lin, then the target.platform UDM field is set to LINUX.

Else, if the decoy.vm.os log field value matches the regular expression pattern (?i)(Mac or iOS), then the target.platform UDM field is set to MAC.
network.destination.port target.port
wmi_process.command_line target.process.command_line
powershell.script_block_text target.process.command_line
powershell.path target.process.file.full_path
wmi_process.client_process_id target.process.parent_process.pid
wmi_process.created_process_id target.process.pid
target.process.product_specific_process_id The Deception:powershell.script_block_id log field is mapped to the target.process.product_specific_process_id UDM field.
mssql.database_principal_id target.resource_ancestors.attribute.labels[mssql_database_principal_id]
mssql.database_principal_name target.resource_ancestors.attribute.labels[mssql_database_principal_name]
target.resource_ancestors.resource_type If the mssql.database_name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to DATABASE.
ldap.attribute_list target.resource.attribute.labels[ldap_attribute_list] The ldap.attribute_list log field is mapped to the target.resource.attribute.labels UDM field.
ldap.distinguished_name target.resource.attribute.labels[ldap_distinguished_name]
ldap.scope_of_search_string target.resource.attribute.labels[ldap_scope_of_search_string]
ldap.scope_of_search target.resource.attribute.labels[ldap_scope_of_search]
ldap.search_filter target.resource.attribute.labels[ldap_search_filter]
decoy.vm.name target.resource.name
mssql.database_name target.resource.name
decoy.vm.id target.resource.product_object_id
smb.tree_connect_guid target.resource.product_object_id
target.resource.resource_type If the decoy.vm.id log field value is not empty or the decoy.vm.name log field value is not empty, then the target.resource.resource_type UDM field is set to VIRTUAL_MACHINE.
attacker.process.name additional.fields[attacker_process_name]
attacker.process.thread_id additional.fields[attacker_process_thread_id]
attacker.process.tree additional.fields[attacker_process_tree] The attacker.process.tree log field is mapped to the additional.fields.value.string_value UDM field.
mssql.action_id additional.fields[mssql_action_id]
mssql.action_string additional.fields[mssql_action_string]
mssql.additional_information additional.fields[mssql_additional_information]
mssql.affected_rows additional.fields[mssql_affected_rows]
mssql.application_name additional.fields[mssql_application_name]
mssql.audit_schema_version additional.fields[mssql_audit_schema_version]
mssql.class_type_string additional.fields[mssql_class_type_string]
mssql.class_type additional.fields[mssql_class_type]
mssql.connection_id additional.fields[mssql_connection_id]
mssql.event_time additional.fields[mssql_event_time]
mssql.object_id additional.fields[mssql_object_id]
mssql.object_name additional.fields[mssql_object_name]
mssql.permission_bitmask additional.fields[mssql_permission_bitmask]
mssql.response_rows additional.fields[mssql_response_rows]
mssql.schema_name additional.fields[mssql_schema_name]
mssql.sequence_group_id additional.fields[mssql_sequence_group_id]
mssql.sequence_number additional.fields[mssql_sequence_number]
mssql.server_principal_id additional.fields[mssql_server_principal_id]
mssql.server_principal_name additional.fields[mssql_server_principal_name]
mssql.server_principal_sid additional.fields[mssql_server_principal_sid]
mssql.session_server_principal_name additional.fields[mssql_session_server_principal_name]
mssql.statement additional.fields[mssql_statement]
mssql.succeeded additional.fields[mssql_succeeded]
mssql.target_database_principal_id additional.fields[mssql_target_database_principal_id]
mssql.target_database_principal_name additional.fields[mssql_target_database_principal_name]
mssql.target_server_principal_id additional.fields[mssql_target_server_principal_id]
mssql.target_server_principal_name additional.fields[mssql_target_server_principal_name]
mssql.target_server_principal_sid additional.fields[mssql_target_server_principal_sid]
mssql.transaction_id additional.fields[mssql_transaction_id]
mssql.user_defined_event_id additional.fields[mssql_user_defined_event_id]
mssql.user_defined_information additional.fields[mssql_user_defined_information]
powershell.message_number additional.fields[powershell_message_number]
powershell.message_total additional.fields[powershell_message_total]
rdp.activity_id additional.fields[rdp_activity_id]
smb.lease_id additional.fields[smb_lease_id]
smb.open_guid additional.fields[smb_open_guid]
smb.share_guid additional.fields[smb_share_guid]
wmi_process.client_process_creation_time additional.fields[wmi_process_client_process_creation_time]
wmi_process.correlation_id additional.fields[wmi_process_correlation_id]
wmi_process.created_process_creation_time additional.fields[wmi_process_created_process_creation_time]
wmi_process.group_operation_id additional.fields[wmi_process_group_operation_id]
wmi_process.is_local additional.fields[wmi_process_is_local]
wmi_process.operation_id additional.fields[wmi_process_operation_id]

도움이 더 필요하신가요? 커뮤니티 회원 및 Google SecOps 전문가의 답변을 받아 보세요.