Recopila registros de DNS de Zscaler
Compatible con:
Google SecOps
SIEM
En este documento, se describe cómo puedes exportar los registros de DNS de Zscaler configurando un feed de Google Security Operations y cómo los campos de registro se asignan a los campos del Modelo de datos unificado (UDM) de Google SecOps.
Para obtener más información, consulta Descripción general de la transferencia de datos a Google SecOps.
Una implementación típica consta del DNS de Zscaler y el feed de webhook de Google SecOps configurado para enviar registros a Google SecOps. Cada implementación para el cliente puede ser diferente y más compleja.
La implementación contiene los siguientes componentes:
DNS de Zscaler: Es la plataforma desde la que recopilas registros.
Feed de Google SecOps: Es el feed de Google SecOps que recupera registros del DNS de Zscaler y los escribe en Google SecOps.
Google SecOps: Conserva y analiza los registros.
Una etiqueta de transferencia identifica el analizador que normaliza los datos de registro sin procesar al formato UDM estructurado. La información de este documento se aplica al analizador con la etiqueta de transferencia ZSCALER_DNS.
Antes de comenzar
Asegúrate de cumplir con los siguientes requisitos previos:
- Acceso a la consola de Zscaler Internet Access Para obtener más información, consulta la Ayuda de ZIA para el acceso seguro a Internet y SaaS.
- Zscaler DNS 2024 o una versión posterior
- Todos los sistemas de la arquitectura de implementación están configurados con la zona horaria UTC.
- Es la clave de API necesaria para completar la configuración del feed en Google Security Operations. Para obtener más información, consulta Cómo configurar claves de API.
Configura feeds
Existen dos puntos de entrada diferentes para configurar feeds en la plataforma de Google SecOps:
- Configuración de SIEM > Feeds
- Centro de contenido > Paquetes de contenido
Configura feeds desde Configuración del SIEM > Feeds
Para configurar varios feeds para diferentes tipos de registros dentro de esta familia de productos, consulta Cómo configurar feeds por producto.
Para configurar un solo feed, sigue estos pasos:
- Ve a SIEM Settings > Feeds.
- Haz clic en Agregar feed nuevo.
- En la siguiente página, haz clic en Configurar un solo feed.
- En el campo Nombre del feed, ingresa un nombre para el feed, por ejemplo, Registros de DNS de ZScaler.
- Selecciona Webhook como el Tipo de origen.
- Selecciona ZScaler DNS como el Tipo de registro.
- Haz clic en Siguiente.
- Opcional: Ingresa valores para los siguientes parámetros de entrada:
- Delimitador de división: Es el delimitador que se usa para separar las líneas de registro. Déjalo en blanco si no se usa un delimitador.
- Espacio de nombres del recurso: Es el espacio de nombres del recurso.
- Etiquetas de transferencia: Es la etiqueta que se aplicará a los eventos de este feed.
- Haz clic en Siguiente.
- Revisa la nueva configuración del feed en la pantalla Finalizar y, luego, haz clic en Enviar.
- Haz clic en Generar clave secreta para generar una clave secreta que autentique este feed.
Configura feeds desde el Centro de contenido
Especifica valores para los siguientes campos:
- Delimitador de división: Es el delimitador que se usa para separar las líneas de registro, como
\n.
Opciones avanzadas
- Nombre del feed: Es un valor completado previamente que identifica el feed.
- Tipo de fuente: Es el método que se usa para recopilar registros en Google SecOps.
- Espacio de nombres del recurso: Es el espacio de nombres del recurso.
- Etiquetas de transferencia: Es la etiqueta que se aplica a los eventos de este feed.
- Haz clic en Siguiente.
- Revisa la configuración del feed en la pantalla Finalizar y, luego, haz clic en Enviar.
- Haz clic en Generar clave secreta para generar una clave secreta que autentique este feed.
Configura el DNS de Zscaler
- En la consola de Zscaler Internet Access, haz clic en Administration > Nanolog Streaming Service > Cloud NSS Feeds y, luego, en Add Cloud NSS Feed.
- Aparecerá la ventana Add Cloud NSS Feed. En la ventana Add Cloud NSS Feed, ingresa los detalles.
- Ingresa un nombre para el feed en el campo Nombre del feed.
- Selecciona NSS para DNS en Tipo de NSS.
- Selecciona el estado en la lista Estado para activar o desactivar el feed de NSS.
- Mantén el valor Ilimitado en el menú desplegable Tasa de SIEM. Cambia el valor para suprimir el flujo de salida debido a licencias o a otras restricciones.
- Selecciona Otro en la lista Tipo de SIEM.
- Selecciona Inhabilitada en la lista Autenticación de OAuth 2.0.
- Ingresa un límite de tamaño para la carga útil de una solicitud HTTP individual en la práctica recomendada del SIEM en Max Batch Size. Por ejemplo, 512 KB.
Ingresa la URL HTTPS del extremo de API de Chronicle en la URL de la API con el siguiente formato:
https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogsCHRONICLE_REGION: Es la región en la que se aloja tu instancia de Chronicle. Por ejemplo, US.GOOGLE_PROJECT_NUMBER: Es el número del proyecto de BYOP. Obtén este valor de C4.LOCATION: Región de Chronicle. Por ejemplo, US.CUSTOMER_ID: Es el ID de cliente de Chronicle. Obténla del C4.FEED_ID: ID del feed que se muestra en la IU del feed en el webhook nuevo que se creó- URL de API de muestra:
https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogsHaz clic en Agregar encabezado HTTP y, luego, agrega encabezados HTTP con el siguiente formato:
Header 1: Key1:X-goog-api-keyy Value1: Clave de API generada en las credenciales de API de Google Cloud BYOP.Header 2: Key2:X-Webhook-Access-Keyy Value2: clave secreta de la API generada en la "CLAVE SECRETA" del webhook.
Selecciona Registros de DNS en la lista Tipos de registros.
Selecciona JSON en la lista Tipo de salida del feed.
Establece Feed Escape Character en
, \ ".Para agregar un campo nuevo al Formato de salida del feed, selecciona Personalizado en la lista Tipo de salida del feed.
Copia y pega el Formato de salida del feed y agrega campos nuevos. Asegúrate de que los nombres de las claves coincidan con los nombres de los campos reales.
A continuación, se muestra el formato de salida del feed predeterminado:
\{ "sourcetype" : "zscalernss-dns", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","reqaction":"%s{reqaction}","resaction":"%s{resaction}","reqrulelabel":"%s{reqrulelabel}","resrulelabel":"%s{resrulelabel}","dns_reqtype":"%s{reqtype}","dns_req":"%s{req}","dns_resp":"%s{res}","srv_dport":"%d{sport}","durationms":"%d{durationms}","clt_sip":"%s{cip}","srv_dip":"%s{sip}","category":"%s{domcat}","respipcategory":"%s{respipcat}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}Selecciona la zona horaria para el campo Hora en el archivo de salida en la lista Zona horaria. De forma predeterminada, la zona horaria se establece en la de tu organización.
Revisa la configuración.
Haz clic en Guardar para probar la conectividad. Si la conexión se realiza correctamente, aparecerá una marca de verificación verde junto con el mensaje Test Connectivity Successful: OK (200).
Para obtener más información sobre los feeds de Google SecOps, consulta la documentación de los feeds de Google SecOps. Para obtener información sobre los requisitos de cada tipo de feed, consulta Configuración de feeds por tipo.
Si tienes problemas para crear feeds, comunícate con el equipo de asistencia de Google SecOps.
Formatos de registros de DNS de Zscaler compatibles
El analizador de DNS de Zscaler admite registros en formato JSON.
Registros de muestra de DNS de Zscaler admitidos
JSON
{ "sourcetype": "zscalernss-dns", "event": { "srv_dport": "53", "durationms": "1306", "clt_sip": "1.1.1.1", "respipcategory": "Other", "datetime": "Sun Sep 18 22:41:05 2020", "reqaction": "Allow", "resaction": "Allow", "resrulelabel": "None", "category": "Finance", "devicehostname": "dummy_hostname", "user": "test.123@test.com", "location": "dummy", "deviceowner": "212582", "department": "Output%20Solutions", "reqrulelabel": "Default Firewall DNS Rule", "dns_reqtype": "SRV", "dns_req": "dummy.domains.com", "dns_resp": "NXDOMAIN", "srv_dip": "1.1.1.1" } }
Referencia de la asignación de campos
Referencia de asignación de campos: ZSCALER_DNS
En la siguiente tabla, se enumeran los campos de registro del tipo de registro ZSCALER_DNS y sus campos de UDM correspondientes.
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_DNS. |
|
metadata.product_name |
The metadata.product_name UDM field is set to DNS. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Zscaler. |
|
metadata.description |
If the category log field value is not empty and the durationms log field value is not empty, then the NSSDNSLog | Duration: durationms ms | Category: category log field is mapped to the metadata.description UDM field.Else, if the category log field value is not empty, then the DNS request to \category\ log field is mapped to the metadata.description UDM field. |
recordid |
metadata.product_log_id |
|
datetime |
metadata.event_timestamp |
|
epochtime |
metadata.event_timestamp |
|
|
network.application_protocol |
The network.application_protocol UDM field is set to DNS. |
|
network.dns.response_code |
If the dns_resp log field value is equal to NOERROR, then the network.dns.response_code UDM field is set to 0.Else, if the dns_resp log field value is equal to FORMERR, then the network.dns.response_code UDM field is set to 1.Else, if the dns_resp log field value is equal to SERVFAIL, then the network.dns.response_code UDM field is set to 2.Else, if the dns_resp log field value is equal to NXDOMAIN, then the network.dns.response_code UDM field is set to 3.Else, if the dns_resp log field value is equal to NOTIMP, then the network.dns.response_code UDM field is set to 4.Else, if the dns_resp log field value is equal to REFUSED, then the network.dns.response_code UDM field is set to 5.Else, if the dns_resp log field value is equal to YXDOMAIN, then the network.dns.response_code UDM field is set to 6.Else, if the dns_resp log field value is equal to YXRRSET, then the network.dns.response_code UDM field is set to 7.Else, if the dns_resp log field value is equal to NXRRSET, then the network.dns.response_code UDM field is set to 8.Else, if the dns_resp log field value is equal to NOTAUTH, then the network.dns.response_code UDM field is set to 9.Else, if the dns_resp log field value is equal to NOTZONE, then the network.dns.response_code UDM field is set to 10. |
dns_resp |
network.dns.answers.data |
|
|
network.dns.answers.type |
If the restype log field value matches the regular expression pattern ipv4, then the network.dns.answers.type UDM field is set to 1.Else, if the restype log field value matches the regular expression pattern ipv6, then the network.dns.answers.type UDM field is set to 28. |
dns_req |
network.dns.questions.name |
|
|
network.dns.questions.type |
If the record_type log field value is equal to A, then the network.dns.questions.type UDM field is set to 1.Else, if the record_type log field value is equal to NS, then the network.dns.questions.type UDM field is set to 2.Else, if the record_type log field value is equal to MD, then the network.dns.questions.type UDM field is set to 3.Else, if the record_type log field value is equal to MF, then the network.dns.questions.type UDM field is set to 4.Else, if the record_type log field value is equal to CNAME, then the network.dns.questions.type UDM field is set to 5.Else, if the record_type log field value is equal to SOA, then the network.dns.questions.type UDM field is set to 6.Else, if the record_type log field value is equal to MB, then the network.dns.questions.type UDM field is set to 7.Else, if the record_type log field value is equal to MG, then the network.dns.questions.type UDM field is set to 8.Else, if the record_type log field value is equal to MR, then the network.dns.questions.type UDM field is set to 9.Else, if the record_type log field value is equal to NULL, then the network.dns.questions.type UDM field is set to 10.Else, if the record_type log field value is equal to WKS, then the network.dns.questions.type UDM field is set to 11.Else, if the record_type log field value is equal to PTR, then the network.dns.questions.type UDM field is set to 12.Else, if the record_type log field value is equal to HINFO, then the network.dns.questions.type UDM field is set to 13.Else, if the record_type log field value is equal to MINFO, then the network.dns.questions.type UDM field is set to 14.Else, if the record_type log field value is equal to MX, then the network.dns.questions.type UDM field is set to 15.Else, if the record_type log field value is equal to TXT, then the network.dns.questions.type UDM field is set to 16.Else, if the record_type log field value is equal to RP, then the network.dns.questions.type UDM field is set to 17.Else, if the record_type log field value is equal to AFSDB, then the network.dns.questions.type UDM field is set to 18.Else, if the record_type log field value is equal to X25, then the network.dns.questions.type UDM field is set to 19.Else, if the record_type log field value is equal to ISDN, then the network.dns.questions.type UDM field is set to 20.Else, if the record_type log field value is equal to RT, then the network.dns.questions.type UDM field is set to 21.Else, if the record_type log field value is equal to NSAP, then the network.dns.questions.type UDM field is set to 22.Else, if the record_type log field value is equal to NSAP-PTR, then the network.dns.questions.type UDM field is set to 23.Else, if the record_type log field value is equal to SIG, then the network.dns.questions.type UDM field is set to 24.Else, if the record_type log field value is equal to KEY, then the network.dns.questions.type UDM field is set to 25.Else, if the record_type log field value is equal to PX, then the network.dns.questions.type UDM field is set to 26.Else, if the record_type log field value is equal to GPOS, then the network.dns.questions.type UDM field is set to 27.Else, if the record_type log field value is equal to AAAA, then the network.dns.questions.type UDM field is set to 28.Else, if the record_type log field value is equal to LOC, then the network.dns.questions.type UDM field is set to 29.Else, if the record_type log field value is equal to NXT, then the network.dns.questions.type UDM field is set to 30.Else, if the record_type log field value is equal to EID, then the network.dns.questions.type UDM field is set to 31.Else, if the record_type log field value is equal to NIMLOC, then the network.dns.questions.type UDM field is set to 32.Else, if the record_type log field value is equal to SRV, then the network.dns.questions.type UDM field is set to 33.Else, if the record_type log field value is equal to ATMA, then the network.dns.questions.type UDM field is set to 34.Else, if the record_type log field value is equal to NAPTR, then the network.dns.questions.type UDM field is set to 35.Else, if the record_type log field value is equal to KX, then the network.dns.questions.type UDM field is set to 36.Else, if the record_type log field value is equal to CERT, then the network.dns.questions.type UDM field is set to 37.Else, if the record_type log field value is equal to A6, then the network.dns.questions.type UDM field is set to 38.Else, if the record_type log field value is equal to DNAME, then the network.dns.questions.type UDM field is set to 39.Else, if the record_type log field value is equal to SINK, then the network.dns.questions.type UDM field is set to 40.Else, if the record_type log field value is equal to OPT, then the network.dns.questions.type UDM field is set to 41.Else, if the record_type log field value is equal to APL, then the network.dns.questions.type UDM field is set to 42.Else, if the record_type log field value is equal to DS, then the network.dns.questions.type UDM field is set to 43.Else, if the record_type log field value is equal to SSHFP, then the network.dns.questions.type UDM field is set to 44.Else, if the record_type log field value is equal to IPSECKEY, then the network.dns.questions.type UDM field is set to 45.Else, if the record_type log field value is equal to RRSIG, then the network.dns.questions.type UDM field is set to 46.Else, if the record_type log field value is equal to NSEC, then the network.dns.questions.type UDM field is set to 47.Else, if the record_type log field value is equal to DNSKEY, then the network.dns.questions.type UDM field is set to 48.Else, if the record_type log field value is equal to DHCID, then the network.dns.questions.type UDM field is set to 49.Else, if the record_type log field value is equal to NSEC3, then the network.dns.questions.type UDM field is set to 50.Else, if the record_type log field value is equal to NSEC3PARAM, then the network.dns.questions.type UDM field is set to 51.Else, if the record_type log field value is equal to TLSA, then the network.dns.questions.type UDM field is set to 52.Else, if the record_type log field value is equal to SMIMEA, then the network.dns.questions.type UDM field is set to 53.Else, if the record_type log field value is equal to UNASSIGNED, then the network.dns.questions.type UDM field is set to 54.Else, if the record_type log field value is equal to HIP, then the network.dns.questions.type UDM field is set to 55.Else, if the record_type log field value is equal to NINFO, then the network.dns.questions.type UDM field is set to 56.Else, if the record_type log field value is equal to RKEY, then the network.dns.questions.type UDM field is set to 57.Else, if the record_type log field value is equal to TALINK, then the network.dns.questions.type UDM field is set to 58.Else, if the record_type log field value is equal to CDS, then the network.dns.questions.type UDM field is set to 59.Else, if the record_type log field value is equal to CDNSKEY, then the network.dns.questions.type UDM field is set to 60.Else, if the record_type log field value is equal to OPENPGPKEY, then the network.dns.questions.type UDM field is set to 61.Else, if the record_type log field value is equal to CSYNC, then the network.dns.questions.type UDM field is set to 62.Else, if the record_type log field value is equal to ZONEMD, then the network.dns.questions.type UDM field is set to 63.Else, if the record_type log field value is equal to SVCB, then the network.dns.questions.type UDM field is set to 64.Else, if the record_type log field value is equal to HTTPS, then the network.dns.questions.type UDM field is set to 65.Else, if the record_type log field value is equal to SPF, then the network.dns.questions.type UDM field is set to 99.Else, if the record_type log field value is equal to UINFO, then the network.dns.questions.type UDM field is set to 100.Else, if the record_type log field value is equal to UID, then the network.dns.questions.type UDM field is set to 101.Else, if the record_type log field value is equal to GID, then the network.dns.questions.type UDM field is set to 102.Else, if the record_type log field value is equal to UNSPEC, then the network.dns.questions.type UDM field is set to 103.Else, if the record_type log field value is equal to NID, then the network.dns.questions.type UDM field is set to 104.Else, if the record_type log field value is equal to L32, then the network.dns.questions.type UDM field is set to 105.Else, if the record_type log field value is equal to L64, then the network.dns.questions.type UDM field is set to 106.Else, if the record_type log field value is equal to LP, then the network.dns.questions.type UDM field is set to 107.Else, if the record_type log field value is equal to EUI48, then the network.dns.questions.type UDM field is set to 108.Else, if the record_type log field value is equal to EUI64, then the network.dns.questions.type UDM field is set to 109.Else, if the record_type log field value is equal to TKEY, then the network.dns.questions.type UDM field is set to 249.Else, if the record_type log field value is equal to TSIG, then the network.dns.questions.type UDM field is set to 250.Else, if the record_type log field value is equal to IXFR, then the network.dns.questions.type UDM field is set to 251.Else, if the record_type log field value is equal to AXFR, then the network.dns.questions.type UDM field is set to 252.Else, if the record_type log field value is equal to MAILB, then the network.dns.questions.type UDM field is set to 253.Else, if the record_type log field value is equal to MAILA, then the network.dns.questions.type UDM field is set to 254.Else, if the record_type log field value is equal to ALL, then the network.dns.questions.type UDM field is set to 255.Else, if the record_type log field value is equal to URI, then the network.dns.questions.type UDM field is set to 256.Else, if the record_type log field value is equal to CAA, then the network.dns.questions.type UDM field is set to 257.Else, if the record_type log field value is equal to AVC, then the network.dns.questions.type UDM field is set to 258.Else, if the record_type log field value is equal to DOA, then the network.dns.questions.type UDM field is set to 259.Else, if the record_type log field value is equal to AMTRELAY, then the network.dns.questions.type UDM field is set to 260.Else, if the record_type log field value is equal to TA, then the network.dns.questions.type UDM field is set to 32768.Else, if the record_type log field value is equal to DLV, then the network.dns.questions.type UDM field is set to 32769. |
dns_reqtype |
additional.fields [dns_reqtype] |
|
http_code |
network.http.response_code |
|
protocol |
network.ip_protocol |
If the protocol log field value contain one of the following values, then the protocol log field is mapped to the network.ip_protocol UDM field.
|
durationms |
network.session_duration.seconds |
|
devicemodel |
principal.asset.hardware.model |
|
devicename |
principal.asset.asset_id |
|
devicehostname |
principal.asset.hostname |
|
|
principal.asset.platform_software.platform |
If the deviceostype log field value matches the regular expression pattern (?i)win, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the deviceostype log field value matches the regular expression pattern (?i)lin, then the principal.asset.platform_software.platform UDM field is set to LINUX. |
deviceosversion |
principal.asset.platform_software.platform_version |
|
company |
principal.user.company_name |
|
department |
principal.user.department |
|
user |
principal.user.email_addresses |
If the user log field value matches the regular expression pattern (^.@.$) or the login log field value matches the regular expression pattern (^.@.$), then if the user log field value is not empty, then the user log field is mapped to the principal.user.email_addresses UDM field. |
login |
principal.user.email_addresses |
If the user log field value matches the regular expression pattern (^.@.$) or the login log field value matches the regular expression pattern (^.@.$), then if the user log field value is not empty, then else, the login log field is mapped to the principal.user.email_addresses UDM field. |
deviceowner |
principal.user.userid |
|
clt_sip |
principal.ip |
|
location |
principal.location.name |
|
reqrulelabel |
security_result.rule_name |
|
rule |
security_result.rule_name |
|
|
security_result.action |
If the reqaction log field value matches the regular expression pattern (?i)BLOCK, then the security_result.action UDM field is set to BLOCK.Else, if the reqaction log field value matches the regular expression pattern (?i)ALLOW, then the security_result.action UDM field is set to ALLOW. |
reqaction |
security_result.action_details |
|
|
security_result.category |
If the category log field value is not empty, then the security_result.category UDM field is set to NETWORK_CATEGORIZED_CONTENT. |
category |
security_result.category_details |
|
resrulelabel |
security_result.rule_name |
|
|
security_result.action |
If the resaction log field value matches the regular expression pattern (?i)BLOCK, then the security_result.action UDM field is set to BLOCK.Else, if the resaction log field value matches the regular expression pattern (?i)ALLOW, then the security_result.action UDM field is set to ALLOW. |
resaction |
security_result.action_details |
|
|
security_result.category |
If the respipcategory log field value is not empty, then the security_result.category UDM field is set to NETWORK_CATEGORIZED_CONTENT. |
respipcategory |
security_result.category_details |
|
ecs_slot |
security_result.rule_labels [ecs_slot] |
If the dnsgw_slot log field value is empty, then the ecs_slot log field is mapped to the security_result.rule_name UDM field. |
dnsgw_slot |
security_result.rule_name |
If the dnsgw_slot log field value is not empty, then the dnsgw_slot log field is mapped to the security_result.rule_name UDM field. |
ecs_slot |
security_result.rule_name |
If the dnsgw_slot log field value is not empty, then the ecs_slot log field is mapped to the security_result.rule_labels UDM field. |
dnsapp |
target.application |
|
srv_dip |
target.ip |
|
srv_dport |
target.port |
|
datacentercity |
target.location.city |
|
datacentercountry |
target.location.country_or_region |
|
datacenter |
target.location.name |
|
cloudname |
security_result.detection_fields [cloudname] |
|
dnsappcat |
security_result.detection_fields [dnsappcat] |
|
ecs_prefix |
security_result.detection_fields [ecs_prefix] |
|
error |
security_result.detection_fields [error] |
|
istcp |
security_result.detection_fields [istcp] |
|
ocip |
security_result.detection_fields [ocip] |
|
odevicehostname |
security_result.detection_fields [odevicehostname] |
|
odeviceowner |
security_result.detection_fields [odeviceowner] |
|
odevicename |
security_result.detection_fields [odevicename] |
|
odomcat |
security_result.detection_fields [odomcat] |
|
dnsgw_flags |
security_result.detection_fields[dnsgw_flags] |
|
dnsgw_srv_proto |
security_result.detection_fields[dnsgw_srv_proto] |
|
erulelabel |
security_result.rule_labels [erulelabel] |
|
ethreatname |
security_result.threat_name |
|
durationms |
additional.fields [durationms] |
If the durationms log field value is equal to 1, then the durationms log field is mapped to the additional.fields.durationms UDM field. |
sourcetype |
additional.fields[sourcetype] |
|
deviceappversion |
additional.fields [deviceappversion] |
|
devicetype |
additional.fields [devicetype] |
|
eedone |
additional.fields [eedone] |
|
tz |
additional.fields [tz] |
|
ss |
additional.fields [ss] |
|
mm |
additional.fields [mm] |
|
hh |
additional.fields [hh] |
|
dd |
additional.fields [dd] |
|
mth |
additional.fields [mth] |
|
yyyy |
additional.fields [yyyy] |
|
mon |
additional.fields [mon] |
|
day |
additional.fields [day] |
¿Necesitas más ayuda? Obtén respuestas de miembros de la comunidad y profesionales de Google SecOps.