Recopilar registros de Zscaler CASB

En este documento se describe cómo puede exportar registros de Zscaler CASB configurando un feed de Google Security Operations y asignando campos de registro al modelo de datos unificado (UDM).

Para obtener más información, consulta el artículo Descripción general de la ingesta de datos en Google SecOps.

Una implementación típica consta de Zscaler CASB y un feed de webhook de Google SecOps configurado para enviar registros a Google SecOps. Sin embargo, los detalles de la implementación pueden variar en función del cliente y ser más complejos.

La implementación contiene los siguientes componentes:

  • CASB de Zscaler: la plataforma desde la que recoge los registros.

  • Feed de Google SecOps: el feed de Google SecOps que obtiene registros de Zscaler CASB y escribe registros en Google SecOps.

  • Google SecOps: conserva y analiza los registros.

Una etiqueta de ingestión identifica el analizador que normaliza los datos de registro sin procesar en el formato UDM estructurado. Este documento se aplica específicamente al analizador asociado a la etiqueta de ingestión ZSCALER_CASB.

Antes de empezar

  • Asegúrate de que tienes acceso a la consola de Zscaler Internet Access. Para obtener más información, consulta la ayuda de ZIA sobre acceso seguro a Internet y SaaS.
  • Asegúrate de que estás usando la versión 1.0 o 2.0 de Zscaler CASB.
  • Asegúrate de que todos los sistemas de la arquitectura de implementación estén configurados con la zona horaria UTC.
  • Asegúrate de que tienes la clave de API necesaria para completar la configuración del feed en Google SecOps. Para obtener más información, consulta Configurar claves de API.

Configurar feeds

Para configurar este tipo de registro, sigue estos pasos:

  1. Ve a Configuración de SIEM > Feeds.
  2. Haz clic en Añadir feed.
  3. Haga clic en el paquete de feeds Zscaler.
  4. Busca el tipo de registro que necesites y haz clic en Añadir nuevo feed.

  5. Introduce los valores de los siguientes parámetros de entrada:

    • Tipo de fuente: webhook (recomendado)
    • Delimitador de división: carácter que se usa para separar las líneas de registro. Déjelo en blanco si no se usa ningún delimitador.

    Opciones avanzadas

    • Nombre del feed: valor rellenado automáticamente que identifica el feed.
    • Espacio de nombres de recursos: espacio de nombres asociado al feed.
    • Etiquetas de ingestión: etiquetas aplicadas a todos los eventos de este feed.

  6. Haga clic en Crear feed.

Para obtener más información sobre cómo configurar varios feeds para diferentes tipos de registros en esta familia de productos, consulta el artículo Configurar feeds por producto.

Configurar Zscaler CASB

  1. En la consola de Zscaler Internet Access, haz clic en Administración > Servicio de streaming de Nanolog > Feeds de NSS en la nube > Añadir feed de NSS en la nube.
  2. En la ventana Añadir feed de NSS en la nube, introduce los detalles.
  3. En el campo Nombre del feed, introduzca un nombre único para el feed.
  4. Selecciona Zscaler for Web en NSS Type (Tipo de NSS).
  5. En la lista Estado, selecciona un estado para activar o desactivar el feed de NSS.
  6. Deje Velocidad de SIEM como Ilimitada, a menos que necesite limitar el flujo de salida debido a licencias u otras restricciones.
  7. En la lista Tipo de SIEM, selecciona Otro.
  8. En la lista Autenticación de OAuth 2.0, selecciona Inhabilitada.
  9. En el campo Tamaño máximo del lote, introduzca un límite de tamaño para la carga útil de una solicitud HTTP individual según las prácticas recomendadas del SIEM. Por ejemplo, 512 KB.

  10. En el campo URL de la API, introduce la URL HTTPS del endpoint de la API de Chronicle con el siguiente formato:

      https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
    • CHRONICLE_REGION: región en la que se aloja tu instancia de Google SecOps. Por ejemplo, US.
    • GOOGLE_PROJECT_NUMBER: tu número de proyecto BYOP. Obtén este valor de C4.
    • LOCATION: región de Chronicle (Google SecOps) (igual que CHRONICLE_REGION). Por ejemplo, US.
    • CUSTOMER_ID: tu ID de cliente de Google SecOps. Obtenido de C4.
    • FEED_ID: ID del feed de webhook recién creado (se muestra en la interfaz de usuario del feed).

    • URL de API de ejemplo:

      https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs

  11. Haga clic en Añadir encabezado HTTP y, a continuación, añada encabezados HTTP con el siguiente formato:

    • Header 1: Clave1: X-goog-api-key y Valor1: clave de API generada a partir de las credenciales de API de Google Cloud BYOP.
    • Header 2: Key2: X-Webhook-Access-Key y Value2: clave secreta de la API generada en "SECRET KEY" (clave secreta) del webhook.

  12. En la lista Tipos de registro, selecciona Seguridad de SaaS o Actividad de seguridad de SaaS.

  13. En la lista Feed Output Type (Tipo de salida de feed), seleccione JSON.

  14. Asigna el valor , \ " a Carácter de escape del feed.

  15. En la lista Feed Output Type (Tipo de salida de feed), seleccione Custom (Personalizado) para añadir un campo a Feed Output Format (Formato de salida de feed).

  16. Copia y pega el Formato de salida del feed y, a continuación, añade los campos que necesites. Asegúrate de que los nombres de las claves coincidan con los nombres de los campos.

  17. A continuación, se muestran los formatos de salida de feed predeterminados:

    • Seguridad de SaaS
    \{ "sourcetype" : "zscalernss-casb", "event" :\{"datetime":"%s{time}","recordid":"%d{recordid}","company":"%s{company}","tenant":"%s{tenant}","login":"%s{user}","dept":"%s{department}","applicationname":"%s{applicationname}","filename":"%s{filename}","filesource":"%s{filesource}","filemd5":"%s{filemd5}","threatname":"%s{threatname}","policy":"%s{policy}","dlpdictnames":"%s{dlpdictnames}","dlpdictcount":"%s{dlpdictcount}","dlpenginenames":"%s{dlpenginenames}","fullurl":"%s{fullurl}","lastmodtime":"%s{lastmodtime}","filescantimems":"%d{filescantimems}","filedownloadtimems":"%d{filedownloadtimems}"\}\}
    • Actividad de seguridad de SaaS
    \{ "sourcetype" : "zscalernss-casb", "event" :\{"login":"%s{username}","tenant":"%s{tenant}","object_type":"%d{objtype1}","applicationname":"%s{appname}","object_name_1":"%s{objnames1}","object_name_2":"%s{objnames2}"\}\}

  18. En la lista Zona horaria, selecciona la zona horaria del campo Hora del archivo de salida. De forma predeterminada, la zona horaria es la de tu organización.

  19. Revisa los ajustes configurados.

  20. Haz clic en Guardar para probar la conectividad. Si la conexión se realiza correctamente, aparecerá una marca de verificación verde junto con el mensaje Prueba de conectividad correcta: OK (200).

Para obtener más información sobre los feeds de Google SecOps, consulta la documentación de los feeds de Google SecOps. Para obtener información sobre los requisitos de cada tipo de feed, consulta el artículo Configuración de feeds por tipo.

Si tienes problemas al crear feeds, ponte en contacto con el equipo de Asistencia de SecOps de Google.

Referencia de asignación de campos

Referencia de asignación de campos: ZSCALER_CASB

En la siguiente tabla se enumeran los campos de registro del tipo de registro ZSCALER_CASB y sus campos de UDM correspondientes.

Log field UDM mapping Logic
sourcetype security_result.detection_fields[sourcetype]
objnames2 about.resource.name
object_name_2 about.resource.name
objtypename2 about.resource.resource_subtype
externalownername additional.fields[externalownername]
act_cnt additional.fields[act_cnt]
attchcomponentfiletypes additional.fields[attchcomponentfiletypes]
channel_name additional.fields[channel_name]
collabscope additional.fields[collabscope]
day additional.fields[day]
dd additional.fields[dd]
dlpdictcount security_result.detection_fields[dlpdictcount] If the dlpdictcount log field value is not empty and the dlpdictcount log field value is not equal to None, then the dlpdictcount log field is mapped to the security_result.detection_fields.dlpdictcount UDM field.
dlpenginenames security_result.detection_fields[dlpenginenames] If the dlpenginenames log field value is not empty and the dlpenginenames log field value is not equal to None, then the dlpenginenames log field is mapped to the security_result.detection_fields.dlpenginenames UDM field.
epochlastmodtime additional.fields[epochlastmodtime]
extcollabnames additional.fields[extcollabnames]
extownername additional.fields[extownername]
file_msg_id additional.fields[file_msg_id]
fileid additional.fields[fileid]
filescantimems additional.fields[filescantimems]
filetypecategory additional.fields[filetypecategory]
hh additional.fields[hh]
messageid additional.fields[messageid]
mm additional.fields[mm]
mon additional.fields[mon]
msgsize additional.fields[msgsize]
mth additional.fields[mth]
num_ext_recpts additional.fields[num_ext_recpts]
num_int_recpts additional.fields[num_int_recpts]
numcollab additional.fields[numcollab]
rtime additional.fields[rtime]
ss additional.fields[ss]
suburl additional.fields[suburl]
tenant additional.fields[tenant]
tz additional.fields[tz]
upload_doctypename additional.fields[upload_doctypename]
yyyy additional.fields[yyyy]
collabnames additional.fields[collabnames]
companyid additional.fields[companyid]
component additional.fields[component]
intcollabnames additional.fields[intcollabnames] If intcollabnames log field value does not match the regular expression pattern None then, for index in intcollabnames, the index is mapped to the additional.fields.value.list_value UDM field.
internal_collabnames additional.fields[internal_collabnames]
external_collabnames additional.fields[externalcollabnames]
num_external_collab additional.fields[num_external_collab]
num_internal_collab additional.fields[num_internal_collab]
repochtime additional.fields[repochtime]
eventtime metadata.event_timestamp If the eventtime log field value is not empty, then the eventtime log field is mapped to the metadata.event_timestamp UDM field.
epochtime metadata.event_timestamp If the epochtime log field value is not empty, then the epochtime log field is mapped to the metadata.event_timestamp UDM field.
time metadata.event_timestamp If the time log field value is not empty, then the time log field is mapped to the metadata.event_timestamp UDM field.
datetime metadata.event_timestamp If the datetime log field value is not empty, then the datetime log field is mapped to the metadata.event_timestamp UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_UNCATEGORIZED.
act_type_name metadata.product_event_type
recordid metadata.product_log_id
metadata.product_name The metadata.product_name UDM field is set to CASB.
metadata.vendor_name The metadata.vendor_name UDM field is set to Zscaler.
sender network.email.from If the sender log field value matches the regular expression pattern (^.*@.*$), then the sender log field is mapped to the network.email.from UDM field.
extrecptnames network.email.to For index in extrecptnames, the index is mapped to the network.email.to UDM field.
internal_recptnames network.email.to For index in internal_recptnames, the index is mapped to the network.email.to UDM field.
external_recptnames network.email.to For index in external_recptnames, the index is mapped to the network.email.to UDM field.
intrecptnames network.email.to For index in intrecptnames, the index is mapped to the network.email.to UDM field.
applicationname principal.application If the applicationname log field value is not empty, then the applicationname log field is mapped to the principal.application UDM field.

Else, the appname log field is mapped to the principal.application UDM field.
src_ip principal.ip
fullurl principal.url If the fullurl log field is not empty and the fullurl log field value is not equal to Unknown URL, then the fullurl log field is mapped to the principal.url UDM field.
is_admin_act principal.user.attribute.labels[is_admin_act]
principal.user.attribute.roles.type If the is_admin_act log field value is equal to 1, then the principal.user.attribute.roles.type UDM field is set to ADMINISTRATOR.
company principal.user.company_name
department principal.user.department
dept principal.user.department
user principal.user.email_addresses If the user log field value matches the regular expression pattern (^.*@.*$), then the user log field is mapped to the principal.user.email_addresses UDM field.
username principal.user.email_addresses If the username log field value matches the regular expression pattern (^.*@.*$), then the username log field is mapped to the principal.user.email_addresses UDM field.
owner principal.user.email_addresses If the owner log field value matches the regular expression pattern (^.*@.*$), then the owner log field is mapped to the principal.user.email_addresses UDM field.
login principal.user.email_addresses If the login log field value matches the regular expression pattern (^.*@.*$), then the login log field is mapped to the principal.user.email_addresses UDM field.
login principal.user.userid If the login log field value does not match the regular expression pattern ^.+@.+$, then the login log field is mapped to the principal.user.userid UDM field.
malware security_result.associations.name
security_result.associations.type If the malware log field value is not empty, then the security_result.associations.type UDM field is set to MALWARE.
dlpdictnames security_result.detection_fields[dlpdictnames]
dlpidentifier security_result.detection_fields[dlpidentifier]
filedownloadtimems additional.fields[filedownloadtimems]
malwareclass security_result.detection_fields[malwareclass]
msgid security_result.detection_fields[msgid]
oattchcomponentfilenames security_result.detection_fields[oattchcomponentfilenames]
obucketname security_result.detection_fields[obucketname]
obucketowner security_result.detection_fields[obucketowner]
ochannel_name security_result.detection_fields[ochannel_name]
ocollabnames security_result.detection_fields[ocollabnames]
odlpdictnames security_result.detection_fields[odlpdictnames]
odlpenginenames security_result.detection_fields[odlpenginenames]
oextcollabnames security_result.detection_fields[oextcollabnames]
oexternal_collabnames security_result.detection_fields[oexternal_collabnames]
oexternal_recptnames security_result.detection_fields[oexternal_recptnames]
oexternalownername security_result.detection_fields[oexternalownername]
oextownername security_result.detection_fields[oextownername]
oextrecptnames security_result.detection_fields[oextrecptnames]
ofile_msg_id security_result.detection_fields[ofile_msg_id]
ofileid security_result.detection_fields[ofileid]
ofullurl security_result.detection_fields[ofullurl]
ohostname security_result.detection_fields[ohostname]
ointcollabnames security_result.detection_fields[ointcollabnames]
ointernal_collabnames security_result.detection_fields[ointernal_collabnames]
ointernal_recptnames security_result.detection_fields[ointernal_recptnames]
ointrecptnames security_result.detection_fields[ointrecptnames]
omessageid security_result.detection_fields[omessageid]
omsgid security_result.detection_fields[omsgid]
oowner security_result.detection_fields[oowner]
orulelabel security_result.detection_fields[orulelabel]
osender security_result.detection_fields[osender]
osharedchannel_hostname security_result.detection_fields[osharedchannel_hostname]
otenant security_result.detection_fields[otenant]
ouser security_result.detection_fields[ouser]
any_incident security_result.detection_fields[any_incident]
is_inbound security_result.detection_fields[is_inbound]
policy security_result.rule_labels[policy]
ruletype security_result.rule_labels[ruletype]
rulelabel security_result.rule_name
security_result.severity If the severity log field value is equal to High, then the security_result.severity UDM field is set to HIGH.

Else, if the severity log field value is equal to Medium, then the security_result.severity UDM field is set to MEDIUM.

Else, if the severity log field value is equal to Low, then the security_result.sevrity UDM field is set to LOW.

Else, if the severity log field value is equal to Information, then the security_result.severity UDM field is set to INFORMATIONAL.
threatname security_result.threat_name If the threatname log field value is not empty and the dlpdictcount log field value is not equal to None, then the threatname log field is mapped to the security_result.threat_name UDM field.
filesource target.file.full_path If the filesource log field value is not empty, then the filesource log field is mapped to the target.file.full_path UDM field.
filepath target.file.full_path If the filesource log field value is not empty, then the filesource log field is mapped to the target.file.full_path UDM field.

Else if the filepath log field value is not empty, then the filepath log field is mapped to the target.file.full_path UDM field.
lastmodtime target.file.last_modification_time If the lastmodtime log field value is not empty, then the lastmodtime log field is mapped to the target.file.last_modification_time UDM field.
file_msg_mod_time target.file.last_modification_time If the lastmodtime log field value is not empty, then the lastmodtime log field is mapped to the target.file.last_modification_time UDM field.

Else if the file_msg_mod_time log field value is not empty, then the file_msg_mod_time log field is mapped to the target.file.fullpath UDM field.
filemd5 target.file.md5 If the filemd5 log field value is not equal to None and the filemd5 log field value matches the regular expression pattern ^[a-fA-F0-9]{32}$, then the filemd5 log field is mapped to the target.file.md5 UDM field.

Else, if the attchcomponentmd5s log field value matches the regular expression pattern ^[a-fA-F0-9]{32}$, then the attchcomponentmd5s log field is mapped to the target.file.md5 UDM field.
filetypename target.file.mime_type
filename target.file.names
attchcomponentfilenames target.file.names
sha target.file.sha256
attchcomponentfilesizes target.file.size If the attchcomponentfilesizes log field value is not empty, then the attchcomponentfilesizes log field is mapped to the target.file.size UDM field.
filesize target.file.size If the attchcomponentfilesizes log field value is not empty, then the attchcomponentfilesizes log field is mapped to the target.file.size UDM field.

Else if the filesize log field value is not empty, then the filesize log field is mapped to the target.file.size UDM field.
sharedchannel_hostname target.hostname If the hostname log field value is not empty, then the hostname log field is mapped to the target.hostname UDM field.

Else if the sharedchannel_hostname log field value is not empty, then the sharedchannel_hostname log field is mapped to the target.hostname UDM field.
hostname target.hostname If the hostname log field value is not empty, then the hostname log field is mapped to the target.hostname UDM field.
datacentercity target.location.city
datacentercountry target.location.country_or_region
datacenter target.location.name
bucketowner target.resource.attribute.labels[bucketowner]
projectname target.resource.attribute.labels[projectname]
bucketname target.resource.name If the bucketname log field value is not empty, then the bucketname log field is mapped to the target.resource.name UDM field.
objnames1 target.resource.name If the objnames1 log field value is not empty, then the objnames1 log field is mapped to the target.resource.name UDM field.
objectname target.resource.name If the objectname log field value is not empty, then the objectname log field is mapped to the target.resource.name UDM field.
reponame target.resource.name If the reponame log field value is not empty, then the reponame log field is mapped to the target.resource.name UDM field.
object_name_1 target.resource.name If the object_name_1 log field value is not empty, then the object_name_1 log field is mapped to the target.resource.name UDM field.
bucketid target.resource.product_object_id
objtypename1 target.resource.resource_subtype If the objtypename1 log field value is not empty, then the objtypename1 log field is mapped to the target.resource.resource_subtype UDM field.
objecttype target.resource.resource_subtype If the objecttype log field value is not empty, then the objecttype log field is mapped to the target.resource.resource_subtype UDM field.
object_type target.resource.resource_subtype
target.resource.resource_type If the bucketname log field value is not empty, then the target.resource.resource_type UDM field is set to STORAGE_BUCKET.

If the reponame log field value is not empty, then the target.resource.resource_type UDM field is set to REPOSITORY.

Siguientes pasos

¿Necesitas más ayuda? Recibe respuestas de los miembros de la comunidad y de los profesionales de Google SecOps.