收集 Zscaler CASB 記錄
本文說明如何設定 Google 安全作業動態饋給,並將記錄欄位對應至統一資料模型 (UDM),以便匯出 Zscaler CASB 記錄。
詳情請參閱「將資料匯入 Google SecOps 總覽」。
一般部署作業包括 Zscaler CASB 和 Google SecOps Webhook 動態饋給,並設定為將記錄傳送至 Google SecOps。不過,部署詳細資料可能因客戶而異,且可能更為複雜。
部署作業包含下列元件:
Zscaler CASB:您收集記錄的平台。
Google SecOps 動態饋給:從 Zscaler CASB 擷取記錄,並將記錄寫入 Google SecOps 的 Google SecOps 動態饋給。
Google SecOps:保留並分析記錄檔。
擷取標籤可識別剖析器,將原始記錄資料正規化為具結構性的 UDM 格式。本文件適用於與 ZSCALER_CASB 攝入標籤相關聯的剖析器。
事前準備
- 請確認您可以存取 Zscaler Internet Access 控制台。詳情請參閱「Secure Internet and SaaS Access ZIA 說明」。
- 請確認您使用的是 Zscaler CASB 1.0 或 2.0 版。
- 請確認部署架構中的所有系統都已設定世界標準時間。
- 請確認您已取得在 Google SecOps 中完成動態饋給設定所需的 API 金鑰。詳情請參閱「設定 API 金鑰」。
在 Google SecOps 中設定擷取動態饋給,以便擷取 Zscaler CASB 記錄
- 依序前往「設定」>「動態消息」。
- 按一下「新增」。
- 在「動態饋給名稱」欄位中輸入動態饋給的名稱 (例如
Zscaler CASB Logs)。 - 將「來源類型」設為「Webhook」。
- 選取「Zscaler CASB」做為「記錄類型」。
- 點按「Next」。
- 選用:輸入下列輸入參數的值:
- 分隔符號:用來分隔記錄行數的字元。如果沒有使用分隔符號,請留空。
- Asset namespace:資產命名空間。
- 攝入標籤:要套用至這個動態饋給事件的標籤。
- 點按「Next」。
- 查看新的動態饋給設定,然後按一下「提交」。
- 按一下「產生密鑰」,產生用於驗證這則動態饋給的密鑰。
設定 Zscaler CASB
- 在 Zscaler Internet Access Console 中,依序點選「Administration」>「Nanolog Streaming Service」>「Cloud NSS Feeds」>「Add Cloud NSS Feed」。
- 在「新增 Cloud NSS 動態饋給」視窗中輸入詳細資料。
- 在「動態饋給名稱」欄位中,輸入動態饋給的專屬名稱。
- 在「NSS Type」中選取「Zscaler for Web」。
- 在「狀態」清單中選取狀態,即可啟用或停用 NSS 動態饋給。
- 除非因授權或其他限制而需要限制輸出串流,否則請將「SIEM Rate」設為「Unlimited」。
- 在「SIEM 類型」清單中,選取「其他」。
- 在「OAuth 2.0 驗證」清單中,選取「已停用」。
- 在「Max Batch Size」欄位中,輸入 SIEM 最佳做法中單一 HTTP 要求酬載大小上限,例如
512 KB。 在「API 網址」欄位中,使用下列格式輸入 Chronicle API 端點的 HTTPS 網址:
https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogsCHRONICLE_REGION:Google SecOps 執行個體的代管區域。例如:US。GOOGLE_PROJECT_NUMBER:BYOP 專案編號。請從 C4 取得這項資訊。LOCATION:Chronicle (Google SecOps) 區域 (與CHRONICLE_REGION相同)。例如US。CUSTOMER_ID:您的 Google SecOps 客戶 ID。從 C4 取得。FEED_ID:新建立的 webhook 動態饋給 ID (顯示在動態饋給 UI 中)。API 網址範例:
https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs
按一下「Add HTTP Header」,然後使用以下格式新增 HTTP 標頭:
Header 1:Key1:X-goog-api-key和 Value1:API 金鑰,由 Google Cloud BYOP 的 API 憑證產生。Header 2:Key2:X-Webhook-Access-Key和 Value2: 在 webhook 的「SECRET KEY」中產生的 API 密鑰。
在「記錄類型」清單中,選取「SaaS 安全性」或「SaaS 安全性活動」。
在「動態饋給輸出類型」清單中,選取「JSON」。
將「Feed Escape Character」設為
, \ "。在「動態饋給輸出類型」清單中,選取「自訂」,即可在「動態饋給輸出格式」中新增欄位。
複製並貼上動態饋給輸出格式,然後視需要新增欄位。請確認鍵名稱與實際欄位名稱相符。
以下是預設的動態饋給輸出格式:
- SaaS 安全性
\{ "sourcetype" : "zscalernss-casb", "event" :\{"datetime":"%s{time}","recordid":"%d{recordid}","company":"%s{company}","tenant":"%s{tenant}","login":"%s{user}","dept":"%s{department}","applicationname":"%s{applicationname}","filename":"%s{filename}","filesource":"%s{filesource}","filemd5":"%s{filemd5}","threatname":"%s{threatname}","policy":"%s{policy}","dlpdictnames":"%s{dlpdictnames}","dlpdictcount":"%s{dlpdictcount}","dlpenginenames":"%s{dlpenginenames}","fullurl":"%s{fullurl}","lastmodtime":"%s{lastmodtime}","filescantimems":"%d{filescantimems}","filedownloadtimems":"%d{filedownloadtimems}"\}\}- 軟體即服務 (SaaS) 安全性活動
\{ "sourcetype" : "zscalernss-casb", "event" :\{"login":"%s{username}","tenant":"%s{tenant}","object_type":"%d{objtype1}","applicationname":"%s{appname}","object_name_1":"%s{objnames1}","object_name_2":"%s{objnames2}"\}\}在「Timezone」清單中,選取輸出檔案中「Time」欄位的時區。根據預設,時區會設為貴機構的時區。
查看已設定的設定。
按一下「儲存」即可測試連線。如果連線成功,畫面上就會顯示綠色勾號,並顯示「Test Connectivity Successful: OK (200)」訊息。
如要進一步瞭解 Google SecOps 動態饋給,請參閱 Google SecOps 動態饋給說明文件。如要瞭解各個動態饋給類型的規定,請參閱「依類型分類的動態饋給設定」。
如果在建立動態饋給時遇到問題,請與 Google SecOps 支援團隊聯絡。
欄位對應參考資料
欄位對應參考資料:ZSCALER_CASB
下表列出 ZSCALER_CASB 記錄類型的記錄欄位及其對應的 UDM 欄位。
| Log field | UDM mapping | Logic |
|---|---|---|
sourcetype |
security_result.detection_fields[sourcetype] |
|
objnames2 |
about.resource.name |
|
object_name_2 |
about.resource.name |
|
objtypename2 |
about.resource.resource_subtype |
|
externalownername |
additional.fields[externalownername] |
|
act_cnt |
additional.fields[act_cnt] |
|
attchcomponentfiletypes |
additional.fields[attchcomponentfiletypes] |
|
channel_name |
additional.fields[channel_name] |
|
collabscope |
additional.fields[collabscope] |
|
day |
additional.fields[day] |
|
dd |
additional.fields[dd] |
|
dlpdictcount |
security_result.detection_fields[dlpdictcount] |
If the dlpdictcount log field value is not empty and the dlpdictcount log field value is not equal to None, then the dlpdictcount log field is mapped to the security_result.detection_fields.dlpdictcount UDM field. |
dlpenginenames |
security_result.detection_fields[dlpenginenames] |
If the dlpenginenames log field value is not empty and the dlpenginenames log field value is not equal to None, then the dlpenginenames log field is mapped to the security_result.detection_fields.dlpenginenames UDM field. |
epochlastmodtime |
additional.fields[epochlastmodtime] |
|
extcollabnames |
additional.fields[extcollabnames] |
|
extownername |
additional.fields[extownername] |
|
file_msg_id |
additional.fields[file_msg_id] |
|
fileid |
additional.fields[fileid] |
|
filescantimems |
additional.fields[filescantimems] |
|
filetypecategory |
additional.fields[filetypecategory] |
|
hh |
additional.fields[hh] |
|
messageid |
additional.fields[messageid] |
|
mm |
additional.fields[mm] |
|
mon |
additional.fields[mon] |
|
msgsize |
additional.fields[msgsize] |
|
mth |
additional.fields[mth] |
|
num_ext_recpts |
additional.fields[num_ext_recpts] |
|
num_int_recpts |
additional.fields[num_int_recpts] |
|
numcollab |
additional.fields[numcollab] |
|
rtime |
additional.fields[rtime] |
|
ss |
additional.fields[ss] |
|
suburl |
additional.fields[suburl] |
|
tenant |
additional.fields[tenant] |
|
tz |
additional.fields[tz] |
|
upload_doctypename |
additional.fields[upload_doctypename] |
|
yyyy |
additional.fields[yyyy] |
|
collabnames |
additional.fields[collabnames] |
|
companyid |
additional.fields[companyid] |
|
component |
additional.fields[component] |
|
intcollabnames |
additional.fields[intcollabnames] |
If intcollabnames log field value does not match the regular expression pattern None then, for index in intcollabnames, the index is mapped to the additional.fields.value.list_value UDM field. |
internal_collabnames |
additional.fields[internal_collabnames] |
|
external_collabnames |
additional.fields[externalcollabnames] |
|
num_external_collab |
additional.fields[num_external_collab] |
|
num_internal_collab |
additional.fields[num_internal_collab] |
|
repochtime |
additional.fields[repochtime] |
|
eventtime |
metadata.event_timestamp |
If the eventtime log field value is not empty, then the eventtime log field is mapped to the metadata.event_timestamp UDM field. |
epochtime |
metadata.event_timestamp |
If the epochtime log field value is not empty, then the epochtime log field is mapped to the metadata.event_timestamp UDM field. |
time |
metadata.event_timestamp |
If the time log field value is not empty, then the time log field is mapped to the metadata.event_timestamp UDM field. |
datetime |
metadata.event_timestamp |
If the datetime log field value is not empty, then the datetime log field is mapped to the metadata.event_timestamp UDM field. |
|
metadata.event_type |
The metadata.event_type UDM field is set to USER_UNCATEGORIZED. |
act_type_name |
metadata.product_event_type |
|
recordid |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to CASB. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Zscaler. |
sender |
network.email.from |
If the sender log field value matches the regular expression pattern (^.*@.*$), then the sender log field is mapped to the network.email.from UDM field. |
extrecptnames |
network.email.to |
For index in extrecptnames, the index is mapped to the network.email.to UDM field. |
internal_recptnames |
network.email.to |
For index in internal_recptnames, the index is mapped to the network.email.to UDM field. |
external_recptnames |
network.email.to |
For index in external_recptnames, the index is mapped to the network.email.to UDM field. |
intrecptnames |
network.email.to |
For index in intrecptnames, the index is mapped to the network.email.to UDM field. |
applicationname |
principal.application |
If the applicationname log field value is not empty, then the applicationname log field is mapped to the principal.application UDM field.Else, the appname log field is mapped to the principal.application UDM field. |
src_ip |
principal.ip |
|
fullurl |
principal.url |
If the fullurl log field is not empty and the fullurl log field value is not equal to Unknown URL, then the fullurl log field is mapped to the principal.url UDM field. |
is_admin_act |
principal.user.attribute.labels[is_admin_act] |
|
|
principal.user.attribute.roles.type |
If the is_admin_act log field value is equal to 1, then the principal.user.attribute.roles.type UDM field is set to ADMINISTRATOR. |
company |
principal.user.company_name |
|
department |
principal.user.department |
|
dept |
principal.user.department |
|
user |
principal.user.email_addresses |
If the user log field value matches the regular expression pattern (^.*@.*$), then the user log field is mapped to the principal.user.email_addresses UDM field. |
username |
principal.user.email_addresses |
If the username log field value matches the regular expression pattern (^.*@.*$), then the username log field is mapped to the principal.user.email_addresses UDM field. |
owner |
principal.user.email_addresses |
If the owner log field value matches the regular expression pattern (^.*@.*$), then the owner log field is mapped to the principal.user.email_addresses UDM field. |
login |
principal.user.email_addresses |
If the login log field value matches the regular expression pattern (^.*@.*$), then the login log field is mapped to the principal.user.email_addresses UDM field. |
login |
principal.user.userid |
If the login log field value does not match the regular expression pattern ^.+@.+$, then the login log field is mapped to the principal.user.userid UDM field. |
malware |
security_result.associations.name |
|
|
security_result.associations.type |
If the malware log field value is not empty, then the security_result.associations.type UDM field is set to MALWARE. |
dlpdictnames |
security_result.detection_fields[dlpdictnames] |
|
dlpidentifier |
security_result.detection_fields[dlpidentifier] |
|
filedownloadtimems |
additional.fields[filedownloadtimems] |
|
malwareclass |
security_result.detection_fields[malwareclass] |
|
msgid |
security_result.detection_fields[msgid] |
|
oattchcomponentfilenames |
security_result.detection_fields[oattchcomponentfilenames] |
|
obucketname |
security_result.detection_fields[obucketname] |
|
obucketowner |
security_result.detection_fields[obucketowner] |
|
ochannel_name |
security_result.detection_fields[ochannel_name] |
|
ocollabnames |
security_result.detection_fields[ocollabnames] |
|
odlpdictnames |
security_result.detection_fields[odlpdictnames] |
|
odlpenginenames |
security_result.detection_fields[odlpenginenames] |
|
oextcollabnames |
security_result.detection_fields[oextcollabnames] |
|
oexternal_collabnames |
security_result.detection_fields[oexternal_collabnames] |
|
oexternal_recptnames |
security_result.detection_fields[oexternal_recptnames] |
|
oexternalownername |
security_result.detection_fields[oexternalownername] |
|
oextownername |
security_result.detection_fields[oextownername] |
|
oextrecptnames |
security_result.detection_fields[oextrecptnames] |
|
ofile_msg_id |
security_result.detection_fields[ofile_msg_id] |
|
ofileid |
security_result.detection_fields[ofileid] |
|
ofullurl |
security_result.detection_fields[ofullurl] |
|
ohostname |
security_result.detection_fields[ohostname] |
|
ointcollabnames |
security_result.detection_fields[ointcollabnames] |
|
ointernal_collabnames |
security_result.detection_fields[ointernal_collabnames] |
|
ointernal_recptnames |
security_result.detection_fields[ointernal_recptnames] |
|
ointrecptnames |
security_result.detection_fields[ointrecptnames] |
|
omessageid |
security_result.detection_fields[omessageid] |
|
omsgid |
security_result.detection_fields[omsgid] |
|
oowner |
security_result.detection_fields[oowner] |
|
orulelabel |
security_result.detection_fields[orulelabel] |
|
osender |
security_result.detection_fields[osender] |
|
osharedchannel_hostname |
security_result.detection_fields[osharedchannel_hostname] |
|
otenant |
security_result.detection_fields[otenant] |
|
ouser |
security_result.detection_fields[ouser] |
|
any_incident |
security_result.detection_fields[any_incident] |
|
is_inbound |
security_result.detection_fields[is_inbound] |
|
policy |
security_result.rule_labels[policy] |
|
ruletype |
security_result.rule_labels[ruletype] |
|
rulelabel |
security_result.rule_name |
|
|
security_result.severity |
If the severity log field value is equal to High, then the security_result.severity UDM field is set to HIGH.Else, if the severity log field value is equal to Medium, then the security_result.severity UDM field is set to MEDIUM.Else, if the severity log field value is equal to Low, then the security_result.sevrity UDM field is set to LOW.Else, if the severity log field value is equal to Information, then the security_result.severity UDM field is set to INFORMATIONAL. |
threatname |
security_result.threat_name |
If the threatname log field value is not empty and the dlpdictcount log field value is not equal to None, then the threatname log field is mapped to the security_result.threat_name UDM field. |
filesource |
target.file.full_path |
If the filesource log field value is not empty, then the filesource log field is mapped to the target.file.full_path UDM field. |
filepath |
target.file.full_path |
If the filesource log field value is not empty, then the filesource log field is mapped to the target.file.full_path UDM field.Else if the filepath log field value is not empty, then the filepath log field is mapped to the target.file.full_path UDM field. |
lastmodtime |
target.file.last_modification_time |
If the lastmodtime log field value is not empty, then the lastmodtime log field is mapped to the target.file.last_modification_time UDM field. |
file_msg_mod_time |
target.file.last_modification_time |
If the lastmodtime log field value is not empty, then the lastmodtime log field is mapped to the target.file.last_modification_time UDM field.Else if the file_msg_mod_time log field value is not empty, then the file_msg_mod_time log field is mapped to the target.file.fullpath UDM field. |
filemd5 |
target.file.md5 |
If the filemd5 log field value is not equal to None and the filemd5 log field value matches the regular expression pattern ^[a-fA-F0-9]{32}$, then the filemd5 log field is mapped to the target.file.md5 UDM field.Else, if the attchcomponentmd5s log field value matches the regular expression pattern ^[a-fA-F0-9]{32}$, then the attchcomponentmd5s log field is mapped to the target.file.md5 UDM field. |
filetypename |
target.file.mime_type |
|
filename |
target.file.names |
|
attchcomponentfilenames |
target.file.names |
|
sha |
target.file.sha256 |
|
attchcomponentfilesizes |
target.file.size |
If the attchcomponentfilesizes log field value is not empty, then the attchcomponentfilesizes log field is mapped to the target.file.size UDM field. |
filesize |
target.file.size |
If the attchcomponentfilesizes log field value is not empty, then the attchcomponentfilesizes log field is mapped to the target.file.size UDM field.Else if the filesize log field value is not empty, then the filesize log field is mapped to the target.file.size UDM field. |
sharedchannel_hostname |
target.hostname |
If the hostname log field value is not empty, then the hostname log field is mapped to the target.hostname UDM field.Else if the sharedchannel_hostname log field value is not empty, then the sharedchannel_hostname log field is mapped to the target.hostname UDM field. |
hostname |
target.hostname |
If the hostname log field value is not empty, then the hostname log field is mapped to the target.hostname UDM field. |
datacentercity |
target.location.city |
|
datacentercountry |
target.location.country_or_region |
|
datacenter |
target.location.name |
|
bucketowner |
target.resource.attribute.labels[bucketowner] |
|
projectname |
target.resource.attribute.labels[projectname] |
|
bucketname |
target.resource.name |
If the bucketname log field value is not empty, then the bucketname log field is mapped to the target.resource.name UDM field. |
objnames1 |
target.resource.name |
If the objnames1 log field value is not empty, then the objnames1 log field is mapped to the target.resource.name UDM field. |
objectname |
target.resource.name |
If the objectname log field value is not empty, then the objectname log field is mapped to the target.resource.name UDM field. |
reponame |
target.resource.name |
If the reponame log field value is not empty, then the reponame log field is mapped to the target.resource.name UDM field. |
object_name_1 |
target.resource.name |
If the object_name_1 log field value is not empty, then the object_name_1 log field is mapped to the target.resource.name UDM field. |
bucketid |
target.resource.product_object_id |
|
objtypename1 |
target.resource.resource_subtype |
If the objtypename1 log field value is not empty, then the objtypename1 log field is mapped to the target.resource.resource_subtype UDM field. |
objecttype |
target.resource.resource_subtype |
If the objecttype log field value is not empty, then the objecttype log field is mapped to the target.resource.resource_subtype UDM field. |
object_type |
target.resource.resource_subtype |
|
|
target.resource.resource_type |
If the bucketname log field value is not empty, then the target.resource.resource_type UDM field is set to STORAGE_BUCKET.If the reponame log field value is not empty, then the target.resource.resource_type UDM field is set to REPOSITORY. |
後續步驟
還有其他問題嗎?向社群成員和 Google SecOps 專家尋求解答。