收集 Zscaler 防火牆記錄
支援以下發布途徑:
Google secops
Siem
本文說明如何設定 Google Security Operations 動態饋給,以匯出 Zscaler 防火牆記錄,以及記錄欄位如何對應至 Google SecOps 統一資料模型 (UDM) 欄位。
詳情請參閱「將資料匯入 Google SecOps 總覽」。
一般部署作業包括 Zscaler 防火牆和 Google SecOps Webhook 動態饋給,可將記錄傳送至 Google SecOps。每個客戶的部署作業可能有所不同,且可能更為複雜。
部署作業包含下列元件:
Zscaler Firewall:您收集記錄的平台。
Google SecOps 動態饋給:Google SecOps 動態饋給會從 Zscaler Firewall 擷取記錄,並將記錄寫入 Google SecOps。
Google SecOps:保留並分析記錄檔。
擷取標籤可識別剖析器,將原始記錄資料正規化為具結構性的 UDM 格式。本文中的資訊適用於使用 ZSCALER_FIREWALL 攝入標籤的剖析器。
事前準備
請確認您已完成下列必要條件:
- 存取 Zscaler Internet Access 主控台。詳情請參閱「Secure Internet and SaaS Access ZIA 說明」。
- Zscaler Firewall 2024 以上版本
- 部署架構中的所有系統都已設定為使用世界標準時間 (UTC) 時區。
- 在 Google Security Operations 中完成動態饋給設定所需的 API 金鑰。詳情請參閱「設定 API 金鑰」。
設定動態饋給
在 Google SecOps 平台中,有兩個不同的入口可用來設定動態消息:
- SIEM 設定 > 動態饋給
- 內容中心 > 內容包
依序前往「SIEM 設定」>「動態」設定動態
如要針對這個產品系列中的不同記錄類型設定多個動態饋給,請參閱「依產品設定動態饋給」。
如要設定單一動態饋給,請按照下列步驟操作:
- 依序前往「SIEM 設定」>「動態饋給」。
- 按一下「新增動態消息」。
- 在下一頁中,按一下「設定單一動態饋給」。
- 在「動態饋給名稱」欄位中輸入動態饋給的名稱,例如「ZScaler 防火牆記錄」。
- 將「來源類型」設為「Webhook」。
- 選取「ZScaler NGFW」做為「記錄類型」。
- 點選「下一步」。
- 選用:輸入下列輸入參數的值:
- 分隔符號:用於分隔記錄行。如果未使用分隔符號,請留空。
- Asset namespace:素材資源命名空間。
- 攝入標籤:要套用至這個動態饋給事件的標籤。
- 點選「下一步」。
- 查看新的動態饋給設定,然後按一下「提交」。
- 按一下「產生密鑰」,產生用於驗證這則動態饋給的密鑰。
透過內容中心設定動態饋給
指定下列欄位的值:
- 分隔符號:用於分隔記錄資料列的符號,例如
\n。
進階選項
- 動態饋給名稱:預先填入的值,用於識別動態饋給。
- 來源類型:用於收集記錄並匯入 Google SecOps 的方法。
- 資產命名空間:資產命名空間。
- 攝入標籤:套用至這個動態饋給事件的標籤。
- 點選「下一步」。
- 在「Finalize」畫面中查看動態饋給設定,然後按一下「Submit」。
- 按一下「產生密鑰」,即可產生密鑰來驗證這項動態饋給。
設定 Zscaler 防火牆
- 在 Zscaler Internet Access 主控台中,依序點選「Administration」>「Nanolog Streaming Service」>「Cloud NSS Feeds」,然後點選「Add Cloud NSS Feed」。
- 系統會隨即顯示「Add Cloud NSS Feed」視窗。在「新增 Cloud NSS 動態饋給」視窗中輸入詳細資料。
- 在「動態饋給名稱」欄位中輸入動態饋給的名稱。
- 在「NSS Type」中選取「NSS for Firewall」。
- 從「狀態」清單中選取狀態,即可啟用或停用 NSS 動態饋給。
- 請將「SIEM Rate」下拉式選單的值設為「Unlimited」。如要因授權或其他限制而抑制輸出串流,請變更該值。
- 在「SIEM 類型」清單中選取「其他」。
- 在「OAuth 2.0 驗證」清單中選取「已停用」。
- 在「最大批次大小」中,輸入 SIEM 最佳做法中個別 HTTP 要求酬載的大小上限。例如 512 KB。
請在 API 網址中輸入 Chronicle API 端點的 HTTPS 網址,格式如下:
https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogsCHRONICLE_REGION:Chronicle 執行個體所在的區域。例如美國。GOOGLE_PROJECT_NUMBER:BYOP 專案編號。請從 C4 取得這項資訊。LOCATION:Chronicle 區域。例如美國。CUSTOMER_ID:Chronicle 客戶 ID。從 C4 取得。FEED_ID:在建立的新 webhook 的動態饋給 UI 中顯示的動態饋給 ID- API 網址範例:
https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs按一下「Add HTTP Header」,然後使用以下格式新增 HTTP 標頭:
Header 1:Key1:X-goog-api-key和 Value1:在 Google Cloud BYOP 的 API 憑證中產生的 API 金鑰。Header 2:Key2:X-Webhook-Access-Key和 Value2: 在 webhook 的「SECRET KEY」中產生的 API 密鑰。
在「記錄類型」清單中選取「防火牆記錄」。
在「動態饋給輸出類型」清單中選取「JSON」。
將「Feed Escape Character」設為
, \ "。如要新增欄位至動態饋給輸出格式,請在「動態饋給輸出類型」清單中選取「自訂」。
複製貼上動態饋給輸出格式,然後新增欄位。請確認鍵名稱與實際欄位名稱相符。
以下是預設的動態饋給輸出格式:
\{ "sourcetype" : "zscalernss-fw", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","locationname":"%s{elocation}","cdport":"%d{cdport}","csport":"%d{csport}","sdport":"%d{sdport}","ssport":"%d{ssport}","csip":"%s{csip}","cdip":"%s{cdip}","ssip":"%s{ssip}","sdip":"%s{sdip}","tsip":"%s{tsip}","tunsport":"%d{tsport}","tuntype":"%s{ttype}","action":"%s{action}","dnat":"%s{dnat}","stateful":"%s{stateful}","aggregate":"%s{aggregate}","nwsvc":"%s{nwsvc}","nwapp":"%s{nwapp}","proto":"%s{ipproto}","ipcat":"%s{ipcat}","destcountry":"%s{destcountry}","avgduration":"%d{avgduration}","rulelabel":"%s{erulelabel}","inbytes":"%ld{inbytes}","outbytes":"%ld{outbytes}","duration":"%d{duration}","durationms":"%d{durationms}","numsessions":"%d{numsessions}","ipsrulelabel":"%s{ipsrulelabel}","threatcat":"%s{threatcat}","threatname":"%s{ethreatname}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}在「Timezone」清單中,選取輸出檔案中「Time」欄位的時區。根據預設,時區會設為貴機構的時區。
查看已設定的設定。
按一下「儲存」即可測試連線。如果連線成功,畫面上會顯示綠色勾號,並顯示「Test Connectivity Successful: OK (200)」訊息。
如要進一步瞭解 Google SecOps 動態饋給,請參閱 Google SecOps 動態饋給說明文件。如要瞭解各個動態饋給類型的規定,請參閱「依類型分類的動態饋給設定」。
如果在建立動態饋給時遇到問題,請與 Google SecOps 支援團隊聯絡。
支援的 Zscaler 防火牆記錄格式
Zscaler Firewall 剖析器支援 JSON 格式的記錄。
支援的 Zscaler 防火牆記錄檔範例
JSON:
{ "sourcetype": "zscalernss-fw", "event": { "datetime": "Tue Apr 11 00:44:01 2023", "user": "abc@test.com", "department": "Optum%20Tech%20UHC%20Technology", "locationname": "Road%20Warrior", "cdport": "443", "csport": "50407", "sdport": "443", "ssport": "36223", "csip": "198.51.100.8", "cdip": "198.51.100.7", "ssip": "198.51.100.9", "sdip": "198.51.100.10", "tsip": "198.51.100.11", "tunsport": "0", "tuntype": "ZscalerClientConnector", "action": "Allow", "dnat": "No", "stateful": "Yes", "aggregate": "Yes", "nwsvc": "ZSCALER_PROXY_NW_SERVICES", "nwapp": "sharepoint_document", "proto": "TCP", "ipcat": "Miscellaneous or Unknown", "destcountry": "Other", "avgduration": "239296", "rulelabel": "Default%20Firewall%20Filtering%20Rule", "inbytes": "286134", "outbytes": "515005", "duration": "6461", "durationms": "6461000", "numsessions": "27", "ipsrulelabel": "None", "threatcat": "None", "threatname": "None", "deviceowner": "dummydeviceowner", "devicehostname": "dummyhostname" } }
欄位對應參考資料
下表列出 ZSCALER_FIREWALL 記錄類型的記錄欄位,以及對應的 UDM 欄位。
| Log field | UDM mapping | Logic |
|---|---|---|
fwd_gw_name |
intermediary.resource.name |
|
|
intermediary.resource.resource_type |
If the fwd_gw_name log field value is not empty or the ofwd_gw_name log field value is not empty, then the intermediary.resource.resource_type UDM field is set to GATEWAY. |
ofwd_gw_name |
intermediary.security_result.detection_fields[ofwd_gw_name] |
|
ordr_rulename |
intermediary.security_result.detection_fields[ordr_rulename] |
|
orulelabel |
intermediary.security_result.detection_fields[orulelabel] |
|
rdr_rulename |
intermediary.security_result.rule_name |
|
rulelabel |
intermediary.security_result.rule_name |
|
erulelabel |
intermediary.security_result.rule_name |
|
bypass_etime |
metadata.collected_timestamp |
|
datetime |
metadata.event_timestamp |
|
epochtime |
metadata.event_timestamp |
|
|
metadata.event_type |
If the sdport log field value is equal to 80 or the sdport log field value is equal to 443 and the csip log field value is not empty or the tsip log field value is not empty or the ssip log field value is not empty and the cdip log field value is not empty or the sdip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_HTTP.Else, if the csip log field value is not empty or the tsip log field value is not empty or the ssip log field value is not empty and the cdip log field value is not empty or the sdip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.Else, if the csip log field value is not empty or the tsip log field value is not empty or the ssip log field value is not empty, then the metadata.event_type UDM field is set to STATUS_UPDATE.Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
recordid |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to Firewall. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Zscaler. |
proto |
network.ip_protocol |
If the proto log field value contain one of the following values, then the proto log field is mapped to the network.ip_protocol UDM field.
|
inbytes |
network.received_bytes |
|
outbytes |
network.sent_bytes |
|
avgduration |
network.session_duration.nanos |
If the durationms log field value is empty and the avgduration log field value is not empty, then the avgduration log field is mapped to the network.session_duration.nanos UDM field. |
durationms |
network.session_duration.nanos |
If the durationms log field value is not empty, then the durationms log field is mapped to the network.session_duration.nanos UDM field. |
duration |
network.session_duration.seconds |
|
|
principal.asset.asset_id |
If the devicename log field value is not empty, then the Zscaler:devicename log field is mapped to the principal.asset.asset_id UDM field. |
devicemodel |
principal.asset.hardware.model |
|
devicehostname |
principal.asset.hostname |
If the devicehostname log field value is not empty, then the devicehostname log field is mapped to the principal.asset.hostname UDM field. |
|
principal.asset.platform_software.platform |
If the deviceostype log field value matches the regular expression pattern (?i)iOS, then the principal.asset.platform_software.platform UDM field is set to IOS.Else, if the deviceostype log field value matches the regular expression pattern (?i)Android, then the principal.asset.platform_software.platform UDM field is set to ANDROID.Else, if the deviceostype log field value matches the regular expression pattern (?i)Windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the deviceostype log field value matches the regular expression pattern (?i)MAC, then the principal.asset.platform_software.platform UDM field is set to MAC.Else, if the deviceostype log field value matches the regular expression pattern (?i)Other, then the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
deviceosversion |
principal.asset.platform_software.platform_version |
|
external_deviceid |
principal.asset.product_object_id |
|
csip |
principal.ip |
|
tsip |
principal.ip |
|
srcip_country |
principal.location.country_or_region |
|
location |
principal.location.name |
|
locationname |
principal.location.name |
|
ssip |
principal.nat_ip |
|
ssport |
principal.nat_port |
|
csport |
principal.port |
|
dept |
principal.user.department |
|
department |
principal.user.department |
|
login |
principal.user.email_addresses |
The login field is extracted from login log field using the Grok pattern, and the login log field is mapped to the principal.user.email_addresses UDM field. |
user |
principal.user.email_addresses |
The user field is extracted from user log field using the Grok pattern, and the user log field is mapped to the principal.user.email_addresses UDM field. |
deviceowner |
principal.user.userid |
|
|
security_result.action |
If the action log field value matches the regular expression pattern ^Allow.*, then the security_result.action UDM field is set to ALLOW.Else, if the action log field value matches the regular expression pattern ^Drop.* or ^Block.*, then the security_result.action UDM field is set to BLOCK.Else, if the action log field value is equal to Reset, then the security_result.action UDM field is set to BLOCK. |
action |
security_result.action_details |
|
|
security_result.severity |
If the threat_severity log field value is one of the following: CRITICAL, HIGH, MEDIUM, LOW, NONE then, the threat_severity log field is mapped to the security_result.severity UDM field. Else, if the threat_score log field value is equal to 0 then, the security_result.severity UDM field is set to NONE. Else, if threat_score log field value > 0 and the threat_score log field value <= 45 then, the security_result.severity UDM field is set to LOW. Else, if threat_score log field value > 45 and the threat_score log field value < 75 then, the security_result.severity UDM field is set to MEDIUM. Else, if threat_score log field value >= 75 and the threat_score log field value < 90 then, the security_result.severity UDM field is set to HIGH. Else, if threat_score log field value >= 90 and the threat_score log field value <= 100 then, the security_result.severity UDM field is set to CRITICAL. |
|
security_result.severity_details |
If the threat_score log field value is not empty and the threat_severity log field value is not empty then, %{threat_score} - %{threat_severity} log field is mapped to the security_result.severity_details UDM field. Else, if threat_severity log field value is not empty then, threat_severity log field is mapped to the security_result.severity_details UDM field. Else, if threat_score log field value is not empty then, threat_score log field is mapped to the security_result.severity_details UDM field. |
|
security_result.category |
If the ipcat log field value is not empty or the oipcat log field value is not empty, then the security_result.category UDM field is set to NETWORK_CATEGORIZED_CONTENT. |
ipcat |
security_result.category_details |
The ipcat log field is mapped to the security_result.category_details UDM field. |
threatcat |
security_result.category_details |
If the threatcat log field value is not equal to None, then the threatcat log field is mapped to the security_result.category_details UDM field. |
|
security_result.detection_fields[bypassed_session] |
If the bypassed_session log field value is equal to 0, then the security_result.detection_fields.bypassed_session UDM field is set to the traffic did not bypass Zscaler Client Connector.Else, if the bypassed_session log field value is equal to 1, then the security_result.detection_fields.bypassed_session UDM field is set to the traffic bypassed Zscaler Client Connector. |
odevicehostname |
security_result.detection_fields[odevicehostname] |
|
odevicename |
security_result.detection_fields[odevicename] |
|
odeviceowner |
security_result.detection_fields[odeviceowner] |
|
oipcat |
security_result.detection_fields[oipcat] |
|
oipsrulelabel |
security_result.detection_fields[oipsrulelabel] |
|
numsessions |
security_result.detection_fields[numsessions] |
|
|
security_result.rule_labels [ips_custom_signature] |
If the ips_custom_signature log field value is equal to 0, then the security_result.rule_labels.ips_custom_signature UDM field is set to non-custom IPS rule.Else, if the ips_custom_signature log field value is equal to 1, then the security_result.rule_labels.ips_custom_signature UDM field is set to custom IPS rule. |
ipsrulelabel |
security_result.rule_name |
If the ipsrulelabel log field value is not equal to None, then the ipsrulelabel log field is mapped to the security_result.rule_name UDM field. |
threatname |
security_result.threat_name |
If the threatname log field value is not equal to None, then the threatname log field is mapped to the security_result.threat_name UDM field. |
ethreatname |
security_result.threat_name |
If the ethreatname log field value is not equal to None, then the ethreatname log field is mapped to the security_result.threat_name UDM field. |
nwapp |
target.application |
|
cdfqdn |
target.domain.name |
|
sdip |
target.ip |
|
datacentercity |
target.location.city |
|
destcountry |
target.location.country_or_region |
|
datacentercountry |
target.location.country_or_region |
|
datacenter |
target.location.name |
|
cdip |
target.nat_ip |
|
cdport |
target.nat_port |
|
sdport |
target.port |
|
odnatlabel |
target.security_result.detection_fields[odnatlabel] |
|
dnat |
target.security_result.rule_labels[dnat] |
|
dnatrulelabel |
target.security_result.rule_name |
|
aggregate |
additional.fields[aggregate] |
|
day |
additional.fields[day] |
|
dd |
additional.fields[dd] |
|
deviceappversion |
additional.fields[deviceappversion] |
|
eedone |
additional.fields[eedone] |
|
flow_type |
additional.fields[flow_type] |
|
hh |
additional.fields[hh] |
|
mm |
additional.fields[mm] |
|
mon |
additional.fields[mon] |
|
mth |
additional.fields[mth] |
|
nwsvc |
additional.fields[nwsvc] |
|
ocsip |
additional.fields[ocsip] |
|
ozpa_app_seg_name |
additional.fields[ozpa_app_seg_name] |
|
ss |
additional.fields[ss] |
|
sourcetype |
additional.fields[sourcetype] |
|
stateful |
additional.fields[stateful] |
|
tz |
additional.fields[tz] |
|
tuntype |
additional.fields[traffic_forwarding_method] |
|
tunsport |
additional.fields[tunsport] |
|
yyyy |
additional.fields[yyyy] |
|
zpa_app_seg_name |
additional.fields[zpa_app_seg_name] |
|
ztunnelversion |
additional.fields[ztunnelversion] |
還有其他問題嗎?向社群成員和 Google SecOps 專家尋求解答。