Collecter les journaux du CASB Zscaler
Ce document explique comment exporter les journaux CASB Zscaler en configurant un flux Google Security Operations et en mappant les champs de journal sur le modèle de données unifié (UDM).
Pour en savoir plus, consultez la section Présentation de l'ingestion de données dans Google SecOps.
Un déploiement typique comprend un CASB Zscaler et un flux de webhook Google SecOps configuré pour envoyer des journaux à Google SecOps. Toutefois, les détails de déploiement peuvent varier d'un client à l'autre et être plus complexes.
Le déploiement contient les composants suivants:
Zscaler CASB: plate-forme à partir de laquelle vous collectez les journaux.
Flux Google SecOps: flux Google SecOps qui extrait les journaux de Zscaler CASB et les écrit dans Google SecOps.
Google SecOps: conserve et analyse les journaux.
Un libellé d'ingestion identifie l'analyseur qui normalise les données de journal brutes au format UDM structuré. Ce document s'applique spécifiquement à l'analyseur associé au libellé d'ingestion ZSCALER_CASB.
Avant de commencer
- Assurez-vous d'avoir accès à la console d'accès à Internet Zscaler. Pour en savoir plus, consultez l'aide ZIA sur la sécurisation de l'accès à Internet et aux services SaaS.
- Assurez-vous d'utiliser la version 1.0 ou 2.0 de Zscaler CASB.
- Assurez-vous que tous les systèmes de l'architecture de déploiement sont configurés avec le fuseau horaire UTC.
- Assurez-vous de disposer de la clé API requise pour terminer la configuration du flux dans Google SecOps. Pour en savoir plus, consultez Configurer des clés API.
Configurer un flux d'ingestion dans Google SecOps pour ingérer les journaux CASB Zscaler
- Accédez à Paramètres > Flux.
- Cliquez sur Ajouter.
- Dans le champ Nom du flux, saisissez un nom pour le flux (par exemple,
Zscaler CASB Logs). - Sélectionnez Webhook comme type de source.
- Sélectionnez Zscaler CASB comme Type de journal.
- Cliquez sur Suivant.
- Facultatif: saisissez des valeurs pour les paramètres d'entrée suivants :
- Délimiteur de fractionnement: caractère utilisé pour séparer les lignes de journal. Laissez ce champ vide si aucun délimiteur n'est utilisé.
- Espace de noms de l'asset: espace de noms de l'asset.
- Libellés d'ingestion: libellé à appliquer aux événements de ce flux.
- Cliquez sur Suivant.
- Vérifiez la configuration de votre nouveau flux, puis cliquez sur Envoyer.
- Cliquez sur Générer une clé secrète pour générer une clé secrète permettant d'authentifier ce flux.
Configurer la solution CASB Zscaler
- Dans la console d'accès à Internet Zscaler, cliquez sur Administration > Nanolog Streaming Service > Cloud NSS Feeds > Add Cloud NSS Feed (Administration > Nanolog Streaming Service > Cloud NSS Feeds > Ajouter un flux Cloud NSS).
- Dans la fenêtre Ajouter un flux NSS cloud, saisissez les informations.
- Dans le champ Nom du flux, saisissez un nom unique pour le flux.
- Sélectionnez Zscaler for Web dans Type de NSS.
- Dans la liste État, sélectionnez un état pour activer ou désactiver le flux NSS.
- Laissez Débit du SIEM sur Illimité, sauf si vous devez limiter le flux de sortie en raison de licences ou d'autres contraintes.
- Dans la liste Type de SIEM, sélectionnez Autre.
- Dans la liste Authentification OAuth 2.0, sélectionnez Désactivée.
- Dans le champ Taille maximale du lot, saisissez une limite de taille pour la charge utile d'une requête HTTP individuelle conformément aux bonnes pratiques du SIEM (par exemple,
512 KB). Dans le champ URL de l'API, saisissez l'URL HTTPS du point de terminaison de l'API Chronicle au format suivant:
https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogsCHRONICLE_REGION: région où est hébergée votre instance Google SecOps. Exemple :USGOOGLE_PROJECT_NUMBER: numéro de votre projet BYOP. Obtenez-le auprès de C4.LOCATION: région Chronicle (Google SecOps) (identique àCHRONICLE_REGION). Par exemple,US.CUSTOMER_ID: votre ID client Google SecOps. Obtenir de C4.FEED_ID: ID du flux de webhook nouvellement créé (affiché dans l'interface utilisateur du flux).Exemple d'URL d'API:
https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs
Cliquez sur Ajouter un en-tête HTTP, puis ajoutez des en-têtes HTTP au format suivant:
Header 1: Key1:X-goog-api-keyet Value1:clé API générée à partir des identifiants API de BYOP. Google CloudHeader 2: Key2:X-Webhook-Access-Keyet Value2:clé secrète de l'API générée dans "SECRET KEY" du webhook.
Dans la liste Types de journaux, sélectionnez Sécurité SaaS ou Activité de sécurité SaaS.
Dans la liste Type de sortie du flux, sélectionnez JSON.
Définissez Feed Escape Character (Caractère d'échappement du flux) sur
, \ ".Dans la liste Type de sortie du flux, sélectionnez Personnalisé pour ajouter un champ au Format de sortie du flux.
Copiez et collez le format de sortie du flux, puis ajoutez des champs si nécessaire. Assurez-vous que les noms des clés correspondent aux noms des champs.
Voici les formats de sortie des flux par défaut:
- Sécurité SaaS
\{ "sourcetype" : "zscalernss-casb", "event" :\{"datetime":"%s{time}","recordid":"%d{recordid}","company":"%s{company}","tenant":"%s{tenant}","login":"%s{user}","dept":"%s{department}","applicationname":"%s{applicationname}","filename":"%s{filename}","filesource":"%s{filesource}","filemd5":"%s{filemd5}","threatname":"%s{threatname}","policy":"%s{policy}","dlpdictnames":"%s{dlpdictnames}","dlpdictcount":"%s{dlpdictcount}","dlpenginenames":"%s{dlpenginenames}","fullurl":"%s{fullurl}","lastmodtime":"%s{lastmodtime}","filescantimems":"%d{filescantimems}","filedownloadtimems":"%d{filedownloadtimems}"\}\}- Activité de sécurité SaaS
\{ "sourcetype" : "zscalernss-casb", "event" :\{"login":"%s{username}","tenant":"%s{tenant}","object_type":"%d{objtype1}","applicationname":"%s{appname}","object_name_1":"%s{objnames1}","object_name_2":"%s{objnames2}"\}\}Dans la liste Fuseau horaire, sélectionnez le fuseau horaire pour le champ Heure dans le fichier de sortie. Par défaut, le fuseau horaire est défini sur celui de votre organisation.
Vérifiez les paramètres configurés.
Cliquez sur Enregistrer pour tester la connectivité. Si la connexion aboutit, une coche verte s'affiche, accompagnée du message Test de connectivité réussi: OK (200).
Pour en savoir plus sur les flux Google SecOps, consultez la documentation sur les flux Google SecOps. Pour en savoir plus sur les exigences de chaque type de flux, consultez la section Configuration des flux par type.
Si vous rencontrez des problèmes lors de la création de flux, contactez l'assistance Google SecOps.
Référence de mappage de champ
Référence de mappage de champ: ZSCALER_CASB
Le tableau suivant répertorie les champs de journal du type de journal ZSCALER_CASB et les champs UDM correspondants.
| Log field | UDM mapping | Logic |
|---|---|---|
sourcetype |
security_result.detection_fields[sourcetype] |
|
objnames2 |
about.resource.name |
|
object_name_2 |
about.resource.name |
|
objtypename2 |
about.resource.resource_subtype |
|
externalownername |
additional.fields[externalownername] |
|
act_cnt |
additional.fields[act_cnt] |
|
attchcomponentfiletypes |
additional.fields[attchcomponentfiletypes] |
|
channel_name |
additional.fields[channel_name] |
|
collabscope |
additional.fields[collabscope] |
|
day |
additional.fields[day] |
|
dd |
additional.fields[dd] |
|
dlpdictcount |
security_result.detection_fields[dlpdictcount] |
If the dlpdictcount log field value is not empty and the dlpdictcount log field value is not equal to None, then the dlpdictcount log field is mapped to the security_result.detection_fields.dlpdictcount UDM field. |
dlpenginenames |
security_result.detection_fields[dlpenginenames] |
If the dlpenginenames log field value is not empty and the dlpenginenames log field value is not equal to None, then the dlpenginenames log field is mapped to the security_result.detection_fields.dlpenginenames UDM field. |
epochlastmodtime |
additional.fields[epochlastmodtime] |
|
extcollabnames |
additional.fields[extcollabnames] |
|
extownername |
additional.fields[extownername] |
|
file_msg_id |
additional.fields[file_msg_id] |
|
fileid |
additional.fields[fileid] |
|
filescantimems |
additional.fields[filescantimems] |
|
filetypecategory |
additional.fields[filetypecategory] |
|
hh |
additional.fields[hh] |
|
messageid |
additional.fields[messageid] |
|
mm |
additional.fields[mm] |
|
mon |
additional.fields[mon] |
|
msgsize |
additional.fields[msgsize] |
|
mth |
additional.fields[mth] |
|
num_ext_recpts |
additional.fields[num_ext_recpts] |
|
num_int_recpts |
additional.fields[num_int_recpts] |
|
numcollab |
additional.fields[numcollab] |
|
rtime |
additional.fields[rtime] |
|
ss |
additional.fields[ss] |
|
suburl |
additional.fields[suburl] |
|
tenant |
additional.fields[tenant] |
|
tz |
additional.fields[tz] |
|
upload_doctypename |
additional.fields[upload_doctypename] |
|
yyyy |
additional.fields[yyyy] |
|
collabnames |
additional.fields[collabnames] |
|
companyid |
additional.fields[companyid] |
|
component |
additional.fields[component] |
|
intcollabnames |
additional.fields[intcollabnames] |
If intcollabnames log field value does not match the regular expression pattern None then, for index in intcollabnames, the index is mapped to the additional.fields.value.list_value UDM field. |
internal_collabnames |
additional.fields[internal_collabnames] |
|
external_collabnames |
additional.fields[externalcollabnames] |
|
num_external_collab |
additional.fields[num_external_collab] |
|
num_internal_collab |
additional.fields[num_internal_collab] |
|
repochtime |
additional.fields[repochtime] |
|
eventtime |
metadata.event_timestamp |
If the eventtime log field value is not empty, then the eventtime log field is mapped to the metadata.event_timestamp UDM field. |
epochtime |
metadata.event_timestamp |
If the epochtime log field value is not empty, then the epochtime log field is mapped to the metadata.event_timestamp UDM field. |
time |
metadata.event_timestamp |
If the time log field value is not empty, then the time log field is mapped to the metadata.event_timestamp UDM field. |
datetime |
metadata.event_timestamp |
If the datetime log field value is not empty, then the datetime log field is mapped to the metadata.event_timestamp UDM field. |
|
metadata.event_type |
The metadata.event_type UDM field is set to USER_UNCATEGORIZED. |
act_type_name |
metadata.product_event_type |
|
recordid |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to CASB. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Zscaler. |
sender |
network.email.from |
If the sender log field value matches the regular expression pattern (^.*@.*$), then the sender log field is mapped to the network.email.from UDM field. |
extrecptnames |
network.email.to |
For index in extrecptnames, the index is mapped to the network.email.to UDM field. |
internal_recptnames |
network.email.to |
For index in internal_recptnames, the index is mapped to the network.email.to UDM field. |
external_recptnames |
network.email.to |
For index in external_recptnames, the index is mapped to the network.email.to UDM field. |
intrecptnames |
network.email.to |
For index in intrecptnames, the index is mapped to the network.email.to UDM field. |
applicationname |
principal.application |
If the applicationname log field value is not empty, then the applicationname log field is mapped to the principal.application UDM field.Else, the appname log field is mapped to the principal.application UDM field. |
src_ip |
principal.ip |
|
fullurl |
principal.url |
If the fullurl log field is not empty and the fullurl log field value is not equal to Unknown URL, then the fullurl log field is mapped to the principal.url UDM field. |
is_admin_act |
principal.user.attribute.labels[is_admin_act] |
|
|
principal.user.attribute.roles.type |
If the is_admin_act log field value is equal to 1, then the principal.user.attribute.roles.type UDM field is set to ADMINISTRATOR. |
company |
principal.user.company_name |
|
department |
principal.user.department |
|
dept |
principal.user.department |
|
user |
principal.user.email_addresses |
If the user log field value matches the regular expression pattern (^.*@.*$), then the user log field is mapped to the principal.user.email_addresses UDM field. |
username |
principal.user.email_addresses |
If the username log field value matches the regular expression pattern (^.*@.*$), then the username log field is mapped to the principal.user.email_addresses UDM field. |
owner |
principal.user.email_addresses |
If the owner log field value matches the regular expression pattern (^.*@.*$), then the owner log field is mapped to the principal.user.email_addresses UDM field. |
login |
principal.user.email_addresses |
If the login log field value matches the regular expression pattern (^.*@.*$), then the login log field is mapped to the principal.user.email_addresses UDM field. |
login |
principal.user.userid |
If the login log field value does not match the regular expression pattern ^.+@.+$, then the login log field is mapped to the principal.user.userid UDM field. |
malware |
security_result.associations.name |
|
|
security_result.associations.type |
If the malware log field value is not empty, then the security_result.associations.type UDM field is set to MALWARE. |
dlpdictnames |
security_result.detection_fields[dlpdictnames] |
|
dlpidentifier |
security_result.detection_fields[dlpidentifier] |
|
filedownloadtimems |
additional.fields[filedownloadtimems] |
|
malwareclass |
security_result.detection_fields[malwareclass] |
|
msgid |
security_result.detection_fields[msgid] |
|
oattchcomponentfilenames |
security_result.detection_fields[oattchcomponentfilenames] |
|
obucketname |
security_result.detection_fields[obucketname] |
|
obucketowner |
security_result.detection_fields[obucketowner] |
|
ochannel_name |
security_result.detection_fields[ochannel_name] |
|
ocollabnames |
security_result.detection_fields[ocollabnames] |
|
odlpdictnames |
security_result.detection_fields[odlpdictnames] |
|
odlpenginenames |
security_result.detection_fields[odlpenginenames] |
|
oextcollabnames |
security_result.detection_fields[oextcollabnames] |
|
oexternal_collabnames |
security_result.detection_fields[oexternal_collabnames] |
|
oexternal_recptnames |
security_result.detection_fields[oexternal_recptnames] |
|
oexternalownername |
security_result.detection_fields[oexternalownername] |
|
oextownername |
security_result.detection_fields[oextownername] |
|
oextrecptnames |
security_result.detection_fields[oextrecptnames] |
|
ofile_msg_id |
security_result.detection_fields[ofile_msg_id] |
|
ofileid |
security_result.detection_fields[ofileid] |
|
ofullurl |
security_result.detection_fields[ofullurl] |
|
ohostname |
security_result.detection_fields[ohostname] |
|
ointcollabnames |
security_result.detection_fields[ointcollabnames] |
|
ointernal_collabnames |
security_result.detection_fields[ointernal_collabnames] |
|
ointernal_recptnames |
security_result.detection_fields[ointernal_recptnames] |
|
ointrecptnames |
security_result.detection_fields[ointrecptnames] |
|
omessageid |
security_result.detection_fields[omessageid] |
|
omsgid |
security_result.detection_fields[omsgid] |
|
oowner |
security_result.detection_fields[oowner] |
|
orulelabel |
security_result.detection_fields[orulelabel] |
|
osender |
security_result.detection_fields[osender] |
|
osharedchannel_hostname |
security_result.detection_fields[osharedchannel_hostname] |
|
otenant |
security_result.detection_fields[otenant] |
|
ouser |
security_result.detection_fields[ouser] |
|
any_incident |
security_result.detection_fields[any_incident] |
|
is_inbound |
security_result.detection_fields[is_inbound] |
|
policy |
security_result.rule_labels[policy] |
|
ruletype |
security_result.rule_labels[ruletype] |
|
rulelabel |
security_result.rule_name |
|
|
security_result.severity |
If the severity log field value is equal to High, then the security_result.severity UDM field is set to HIGH.Else, if the severity log field value is equal to Medium, then the security_result.severity UDM field is set to MEDIUM.Else, if the severity log field value is equal to Low, then the security_result.sevrity UDM field is set to LOW.Else, if the severity log field value is equal to Information, then the security_result.severity UDM field is set to INFORMATIONAL. |
threatname |
security_result.threat_name |
If the threatname log field value is not empty and the dlpdictcount log field value is not equal to None, then the threatname log field is mapped to the security_result.threat_name UDM field. |
filesource |
target.file.full_path |
If the filesource log field value is not empty, then the filesource log field is mapped to the target.file.full_path UDM field. |
filepath |
target.file.full_path |
If the filesource log field value is not empty, then the filesource log field is mapped to the target.file.full_path UDM field.Else if the filepath log field value is not empty, then the filepath log field is mapped to the target.file.full_path UDM field. |
lastmodtime |
target.file.last_modification_time |
If the lastmodtime log field value is not empty, then the lastmodtime log field is mapped to the target.file.last_modification_time UDM field. |
file_msg_mod_time |
target.file.last_modification_time |
If the lastmodtime log field value is not empty, then the lastmodtime log field is mapped to the target.file.last_modification_time UDM field.Else if the file_msg_mod_time log field value is not empty, then the file_msg_mod_time log field is mapped to the target.file.fullpath UDM field. |
filemd5 |
target.file.md5 |
If the filemd5 log field value is not equal to None and the filemd5 log field value matches the regular expression pattern ^[a-fA-F0-9]{32}$, then the filemd5 log field is mapped to the target.file.md5 UDM field.Else, if the attchcomponentmd5s log field value matches the regular expression pattern ^[a-fA-F0-9]{32}$, then the attchcomponentmd5s log field is mapped to the target.file.md5 UDM field. |
filetypename |
target.file.mime_type |
|
filename |
target.file.names |
|
attchcomponentfilenames |
target.file.names |
|
sha |
target.file.sha256 |
|
attchcomponentfilesizes |
target.file.size |
If the attchcomponentfilesizes log field value is not empty, then the attchcomponentfilesizes log field is mapped to the target.file.size UDM field. |
filesize |
target.file.size |
If the attchcomponentfilesizes log field value is not empty, then the attchcomponentfilesizes log field is mapped to the target.file.size UDM field.Else if the filesize log field value is not empty, then the filesize log field is mapped to the target.file.size UDM field. |
sharedchannel_hostname |
target.hostname |
If the hostname log field value is not empty, then the hostname log field is mapped to the target.hostname UDM field.Else if the sharedchannel_hostname log field value is not empty, then the sharedchannel_hostname log field is mapped to the target.hostname UDM field. |
hostname |
target.hostname |
If the hostname log field value is not empty, then the hostname log field is mapped to the target.hostname UDM field. |
datacentercity |
target.location.city |
|
datacentercountry |
target.location.country_or_region |
|
datacenter |
target.location.name |
|
bucketowner |
target.resource.attribute.labels[bucketowner] |
|
projectname |
target.resource.attribute.labels[projectname] |
|
bucketname |
target.resource.name |
If the bucketname log field value is not empty, then the bucketname log field is mapped to the target.resource.name UDM field. |
objnames1 |
target.resource.name |
If the objnames1 log field value is not empty, then the objnames1 log field is mapped to the target.resource.name UDM field. |
objectname |
target.resource.name |
If the objectname log field value is not empty, then the objectname log field is mapped to the target.resource.name UDM field. |
reponame |
target.resource.name |
If the reponame log field value is not empty, then the reponame log field is mapped to the target.resource.name UDM field. |
object_name_1 |
target.resource.name |
If the object_name_1 log field value is not empty, then the object_name_1 log field is mapped to the target.resource.name UDM field. |
bucketid |
target.resource.product_object_id |
|
objtypename1 |
target.resource.resource_subtype |
If the objtypename1 log field value is not empty, then the objtypename1 log field is mapped to the target.resource.resource_subtype UDM field. |
objecttype |
target.resource.resource_subtype |
If the objecttype log field value is not empty, then the objecttype log field is mapped to the target.resource.resource_subtype UDM field. |
object_type |
target.resource.resource_subtype |
|
|
target.resource.resource_type |
If the bucketname log field value is not empty, then the target.resource.resource_type UDM field is set to STORAGE_BUCKET.If the reponame log field value is not empty, then the target.resource.resource_type UDM field is set to REPOSITORY. |
Étape suivante
Vous avez encore besoin d'aide ? Obtenez des réponses de membres de la communauté et de professionnels Google SecOps.