Esta página foi traduzida pela API Cloud Translation.

Recolha registos de DNS do Zscaler

Compatível com:

Google secops SIEM

Este documento descreve como pode exportar registos de DNS do Zscaler configurando um feed do Google Security Operations e como os campos de registo são mapeados para os campos do modelo de dados unificado (UDM) do Google SecOps.

Para mais informações, consulte o artigo Vista geral da ingestão de dados no Google SecOps.

Uma implementação típica consiste no DNS da Zscaler e no feed de webhook do Google SecOps configurado para enviar registos para o Google SecOps. Cada implementação do cliente pode ser diferente e mais complexa.

A implementação contém os seguintes componentes:

DNS do Zscaler: a plataforma a partir da qual recolhe registos.
Feed do Google SecOps: o feed do Google SecOps que obtém registos do DNS do Zscaler e escreve registos no Google SecOps.
Google SecOps: retém e analisa os registos.

Uma etiqueta de carregamento identifica o analisador que normaliza os dados de registo não processados para o formato UDM estruturado. As informações neste documento aplicam-se ao analisador com a etiqueta de carregamento ZSCALER_DNS.

Antes de começar

Certifique-se de que cumpre os seguintes pré-requisitos:

Acesso à consola do Zscaler Internet Access. Para mais informações, consulte o artigo Acesso seguro à Internet e ao SaaS: ajuda do ZIA.
Zscaler DNS 2024 ou posterior
Todos os sistemas na arquitetura de implementação estão configurados com o fuso horário UTC.
A chave da API necessária para concluir a configuração do feed no Google Security Operations. Para mais informações, consulte o artigo Configurar chaves de API.

Configure feeds

Para configurar este tipo de registo, siga estes passos:

Aceda a Definições do SIEM > Feeds.
Clique em Adicionar novo feed.
Clique no pacote de feeds Zscaler.
Localize o tipo de registo necessário e clique em Adicionar novo feed.
Introduza valores para os seguintes parâmetros de entrada:
- Tipo de origem: webhook (recomendado)
- Delimitador de divisão: o caráter usado para separar linhas de registos. Deixe em branco se não for usado nenhum delimitador.
Opções avançadas
- Nome do feed: um valor pré-preenchido que identifica o feed.
- Espaço de nomes do recurso: espaço de nomes associado ao feed.
- Etiquetas de carregamento: etiquetas aplicadas a todos os eventos deste feed.
Clique em Criar feed.

Para mais informações sobre a configuração de vários feeds para diferentes tipos de registos nesta família de produtos, consulte o artigo Configure feeds por produto.

Configure o DNS do Zscaler

Na consola do Zscaler Internet Access, clique em Administração > Serviço de streaming de nanologs > Feeds NSS na nuvem e, de seguida, clique em Adicionar feed NSS na nuvem.
É apresentada a janela Adicionar feed NSS na nuvem. Na janela Adicionar feed NSS da nuvem, introduza os detalhes.
Introduza um nome para o feed no campo Nome do feed.
Selecione NSS para DNS em Tipo de NSS.
Selecione o estado na lista Estado para ativar ou desativar o feed NSS.
Mantenha o valor no menu pendente Taxa de SIEM como Ilimitado. Para suprimir o fluxo de saída devido a licenciamento ou outras restrições, altere o valor.
Selecione Outro na lista Tipo de SIEM.
Selecione Desativado na lista Autenticação OAuth 2.0.
Introduza um limite de tamanho para uma carga útil de pedido HTTP individual de acordo com a prática recomendada do SIEM em Tamanho máximo do lote. Por exemplo, 512 KB.
Introduza o URL HTTPS do ponto final da API Chronicle no URL da API no seguinte formato:
```
  https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
```
- CHRONICLE_REGION: região onde a sua instância do Chronicle está alojada. Por exemplo, US.
- GOOGLE_PROJECT_NUMBER: número do projeto BYOP. Obtenha-o a partir do C4.
- LOCATION: região do Chronicle. Por exemplo, US.
- CUSTOMER_ID: ID de cliente do Chronicle. Obtenha a partir de C4.
- FEED_ID: ID do feed apresentado na IU do feed no novo webhook criado
- URL da API de exemplo:
```
https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs
```
Clique em Adicionar cabeçalho HTTP e, de seguida, adicione cabeçalhos HTTP no seguinte formato:
- Header 1: Key1: X-goog-api-key e Value1: chave da API gerada nas credenciais da API do Google Cloud BYOP.
- Header 2: Key2: X-Webhook-Access-Key e Value2: chave secreta da API gerada na "CHAVE SECRETA" do webhook.
Selecione Registos DNS na lista Tipos de registos.
Selecione JSON na lista Tipo de saída do feed.
Defina o caráter de escape do feed como , \ ".
Para adicionar um novo campo ao formato de saída do feed,selecione Personalizado na lista Tipo de saída do feed.
Copie e cole o Formato de saída do feed e adicione novos campos. Certifique-se de que os nomes das chaves correspondem aos nomes dos campos reais.

Segue-se o formato de saída do feed predefinido:

  \{ "sourcetype" : "zscalernss-dns", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","reqaction":"%s{reqaction}","resaction":"%s{resaction}","reqrulelabel":"%s{reqrulelabel}","resrulelabel":"%s{resrulelabel}","dns_reqtype":"%s{reqtype}","dns_req":"%s{req}","dns_resp":"%s{res}","srv_dport":"%d{sport}","durationms":"%d{durationms}","clt_sip":"%s{cip}","srv_dip":"%s{sip}","category":"%s{domcat}","respipcategory":"%s{respipcat}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}

Selecione o fuso horário para o campo Hora no ficheiro de saída na lista Fuso horário. Por predefinição, o fuso horário é definido como o fuso horário da sua organização.
Reveja as definições configuradas.
Clique em Guardar para testar a conetividade. Se a ligação for bem-sucedida, é apresentada uma marca de verificação verde acompanhada da mensagem Test Connectivity Successful: OK (200).

Para mais informações sobre os feeds do Google SecOps, consulte a documentação dos feeds do Google SecOps. Para obter informações sobre os requisitos de cada tipo de feed, consulte o artigo Configuração do feed por tipo.

Se tiver problemas ao criar feeds, contacte o apoio técnico da Google SecOps.

Formatos de registos de DNS do Zscaler suportados

O analisador DNS do Zscaler suporta registos no formato JSON.

Registos de exemplo de DNS do Zscaler suportados

JSON

{
  "sourcetype": "zscalernss-dns",
  "event": {
    "srv_dport": "53",
    "durationms": "1306",
    "clt_sip": "1.1.1.1",
    "respipcategory": "Other",
    "datetime": "Sun Sep 18 22:41:05 2020",
    "reqaction": "Allow",
    "resaction": "Allow",
    "resrulelabel": "None",
    "category": "Finance",
    "devicehostname": "dummy_hostname",
    "user": "test.123@test.com",
    "location": "dummy",
    "deviceowner": "212582",
    "department": "Output%20Solutions",
    "reqrulelabel": "Default Firewall DNS Rule",
    "dns_reqtype": "SRV",
    "dns_req": "dummy.domains.com",
    "dns_resp": "NXDOMAIN",
    "srv_dip": "1.1.1.1"
  }
}

Referência de mapeamento de campos

Referência de mapeamento de campos: ZSCALER_DNS

A tabela seguinte apresenta os campos de registo do ZSCALER_DNS tipo de registo e os respetivos campos UDM.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_DNS`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `DNS`.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Zscaler`.
	`metadata.description`	If the `category` log field value is not empty and the `durationms` log field value is not empty, then the `NSSDNSLog \| Duration: durationms ms \| Category: category` log field is mapped to the `metadata.description` UDM field. Else, if the `category` log field value is not empty, then the `DNS request to \category\` log field is mapped to the `metadata.description` UDM field.
`recordid`	`metadata.product_log_id`
`datetime`	`metadata.event_timestamp`
`epochtime`	`metadata.event_timestamp`
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `DNS`.
	`network.dns.response_code`	If the `dns_resp` log field value is equal to `NOERROR`, then the `network.dns.response_code` UDM field is set to `0`. Else, if the `dns_resp` log field value is equal to `FORMERR`, then the `network.dns.response_code` UDM field is set to `1`. Else, if the `dns_resp` log field value is equal to `SERVFAIL`, then the `network.dns.response_code` UDM field is set to `2`. Else, if the `dns_resp` log field value is equal to `NXDOMAIN`, then the `network.dns.response_code` UDM field is set to `3`. Else, if the `dns_resp` log field value is equal to `NOTIMP`, then the `network.dns.response_code` UDM field is set to `4`. Else, if the `dns_resp` log field value is equal to `REFUSED`, then the `network.dns.response_code` UDM field is set to `5`. Else, if the `dns_resp` log field value is equal to `YXDOMAIN`, then the `network.dns.response_code` UDM field is set to `6`. Else, if the `dns_resp` log field value is equal to `YXRRSET`, then the `network.dns.response_code` UDM field is set to `7`. Else, if the `dns_resp` log field value is equal to `NXRRSET`, then the `network.dns.response_code` UDM field is set to `8`. Else, if the `dns_resp` log field value is equal to `NOTAUTH`, then the `network.dns.response_code` UDM field is set to `9`. Else, if the `dns_resp` log field value is equal to `NOTZONE`, then the `network.dns.response_code` UDM field is set to `10`.
`dns_resp`	`network.dns.answers.data`
	`network.dns.answers.type`	If the `restype` log field value matches the regular expression pattern `ipv4`, then the `network.dns.answers.type` UDM field is set to `1`. Else, if the `restype` log field value matches the regular expression pattern `ipv6`, then the `network.dns.answers.type` UDM field is set to `28`.
`dns_req`	`network.dns.questions.name`
	`network.dns.questions.type`	If the `record_type` log field value is equal to `A`, then the `network.dns.questions.type` UDM field is set to `1`. Else, if the `record_type` log field value is equal to `NS`, then the `network.dns.questions.type` UDM field is set to `2`. Else, if the `record_type` log field value is equal to `MD`, then the `network.dns.questions.type` UDM field is set to `3`. Else, if the `record_type` log field value is equal to `MF`, then the `network.dns.questions.type` UDM field is set to `4`. Else, if the `record_type` log field value is equal to `CNAME`, then the `network.dns.questions.type` UDM field is set to `5`. Else, if the `record_type` log field value is equal to `SOA`, then the `network.dns.questions.type` UDM field is set to `6`. Else, if the `record_type` log field value is equal to `MB`, then the `network.dns.questions.type` UDM field is set to `7`. Else, if the `record_type` log field value is equal to `MG`, then the `network.dns.questions.type` UDM field is set to `8`. Else, if the `record_type` log field value is equal to `MR`, then the `network.dns.questions.type` UDM field is set to `9`. Else, if the `record_type` log field value is equal to `NULL`, then the `network.dns.questions.type` UDM field is set to `10`. Else, if the `record_type` log field value is equal to `WKS`, then the `network.dns.questions.type` UDM field is set to `11`. Else, if the `record_type` log field value is equal to `PTR`, then the `network.dns.questions.type` UDM field is set to `12`. Else, if the `record_type` log field value is equal to `HINFO`, then the `network.dns.questions.type` UDM field is set to `13`. Else, if the `record_type` log field value is equal to `MINFO`, then the `network.dns.questions.type` UDM field is set to `14`. Else, if the `record_type` log field value is equal to `MX`, then the `network.dns.questions.type` UDM field is set to `15`. Else, if the `record_type` log field value is equal to `TXT`, then the `network.dns.questions.type` UDM field is set to `16`. Else, if the `record_type` log field value is equal to `RP`, then the `network.dns.questions.type` UDM field is set to `17`. Else, if the `record_type` log field value is equal to `AFSDB`, then the `network.dns.questions.type` UDM field is set to `18`. Else, if the `record_type` log field value is equal to `X25`, then the `network.dns.questions.type` UDM field is set to `19`. Else, if the `record_type` log field value is equal to `ISDN`, then the `network.dns.questions.type` UDM field is set to `20`. Else, if the `record_type` log field value is equal to `RT`, then the `network.dns.questions.type` UDM field is set to `21`. Else, if the `record_type` log field value is equal to `NSAP`, then the `network.dns.questions.type` UDM field is set to `22`. Else, if the `record_type` log field value is equal to `NSAP-PTR`, then the `network.dns.questions.type` UDM field is set to `23`. Else, if the `record_type` log field value is equal to `SIG`, then the `network.dns.questions.type` UDM field is set to `24`. Else, if the `record_type` log field value is equal to `KEY`, then the `network.dns.questions.type` UDM field is set to `25`. Else, if the `record_type` log field value is equal to `PX`, then the `network.dns.questions.type` UDM field is set to `26`. Else, if the `record_type` log field value is equal to `GPOS`, then the `network.dns.questions.type` UDM field is set to `27`. Else, if the `record_type` log field value is equal to `AAAA`, then the `network.dns.questions.type` UDM field is set to `28`. Else, if the `record_type` log field value is equal to `LOC`, then the `network.dns.questions.type` UDM field is set to `29`. Else, if the `record_type` log field value is equal to `NXT`, then the `network.dns.questions.type` UDM field is set to `30`. Else, if the `record_type` log field value is equal to `EID`, then the `network.dns.questions.type` UDM field is set to `31`. Else, if the `record_type` log field value is equal to `NIMLOC`, then the `network.dns.questions.type` UDM field is set to `32`. Else, if the `record_type` log field value is equal to `SRV`, then the `network.dns.questions.type` UDM field is set to `33`. Else, if the `record_type` log field value is equal to `ATMA`, then the `network.dns.questions.type` UDM field is set to `34`. Else, if the `record_type` log field value is equal to `NAPTR`, then the `network.dns.questions.type` UDM field is set to `35`. Else, if the `record_type` log field value is equal to `KX`, then the `network.dns.questions.type` UDM field is set to `36`. Else, if the `record_type` log field value is equal to `CERT`, then the `network.dns.questions.type` UDM field is set to `37`. Else, if the `record_type` log field value is equal to `A6`, then the `network.dns.questions.type` UDM field is set to `38`. Else, if the `record_type` log field value is equal to `DNAME`, then the `network.dns.questions.type` UDM field is set to `39`. Else, if the `record_type` log field value is equal to `SINK`, then the `network.dns.questions.type` UDM field is set to `40`. Else, if the `record_type` log field value is equal to `OPT`, then the `network.dns.questions.type` UDM field is set to `41`. Else, if the `record_type` log field value is equal to `APL`, then the `network.dns.questions.type` UDM field is set to `42`. Else, if the `record_type` log field value is equal to `DS`, then the `network.dns.questions.type` UDM field is set to `43`. Else, if the `record_type` log field value is equal to `SSHFP`, then the `network.dns.questions.type` UDM field is set to `44`. Else, if the `record_type` log field value is equal to `IPSECKEY`, then the `network.dns.questions.type` UDM field is set to `45`. Else, if the `record_type` log field value is equal to `RRSIG`, then the `network.dns.questions.type` UDM field is set to `46`. Else, if the `record_type` log field value is equal to `NSEC`, then the `network.dns.questions.type` UDM field is set to `47`. Else, if the `record_type` log field value is equal to `DNSKEY`, then the `network.dns.questions.type` UDM field is set to `48`. Else, if the `record_type` log field value is equal to `DHCID`, then the `network.dns.questions.type` UDM field is set to `49`. Else, if the `record_type` log field value is equal to `NSEC3`, then the `network.dns.questions.type` UDM field is set to `50`. Else, if the `record_type` log field value is equal to `NSEC3PARAM`, then the `network.dns.questions.type` UDM field is set to `51`. Else, if the `record_type` log field value is equal to `TLSA`, then the `network.dns.questions.type` UDM field is set to `52`. Else, if the `record_type` log field value is equal to `SMIMEA`, then the `network.dns.questions.type` UDM field is set to `53`. Else, if the `record_type` log field value is equal to `UNASSIGNED`, then the `network.dns.questions.type` UDM field is set to `54`. Else, if the `record_type` log field value is equal to `HIP`, then the `network.dns.questions.type` UDM field is set to `55`. Else, if the `record_type` log field value is equal to `NINFO`, then the `network.dns.questions.type` UDM field is set to `56`. Else, if the `record_type` log field value is equal to `RKEY`, then the `network.dns.questions.type` UDM field is set to `57`. Else, if the `record_type` log field value is equal to `TALINK`, then the `network.dns.questions.type` UDM field is set to `58`. Else, if the `record_type` log field value is equal to `CDS`, then the `network.dns.questions.type` UDM field is set to `59`. Else, if the `record_type` log field value is equal to `CDNSKEY`, then the `network.dns.questions.type` UDM field is set to `60`. Else, if the `record_type` log field value is equal to `OPENPGPKEY`, then the `network.dns.questions.type` UDM field is set to `61`. Else, if the `record_type` log field value is equal to `CSYNC`, then the `network.dns.questions.type` UDM field is set to `62`. Else, if the `record_type` log field value is equal to `ZONEMD`, then the `network.dns.questions.type` UDM field is set to `63`. Else, if the `record_type` log field value is equal to `SVCB`, then the `network.dns.questions.type` UDM field is set to `64`. Else, if the `record_type` log field value is equal to `HTTPS`, then the `network.dns.questions.type` UDM field is set to `65`. Else, if the `record_type` log field value is equal to `SPF`, then the `network.dns.questions.type` UDM field is set to `99`. Else, if the `record_type` log field value is equal to `UINFO`, then the `network.dns.questions.type` UDM field is set to `100`. Else, if the `record_type` log field value is equal to `UID`, then the `network.dns.questions.type` UDM field is set to `101`. Else, if the `record_type` log field value is equal to `GID`, then the `network.dns.questions.type` UDM field is set to `102`. Else, if the `record_type` log field value is equal to `UNSPEC`, then the `network.dns.questions.type` UDM field is set to `103`. Else, if the `record_type` log field value is equal to `NID`, then the `network.dns.questions.type` UDM field is set to `104`. Else, if the `record_type` log field value is equal to `L32`, then the `network.dns.questions.type` UDM field is set to `105`. Else, if the `record_type` log field value is equal to `L64`, then the `network.dns.questions.type` UDM field is set to `106`. Else, if the `record_type` log field value is equal to `LP`, then the `network.dns.questions.type` UDM field is set to `107`. Else, if the `record_type` log field value is equal to `EUI48`, then the `network.dns.questions.type` UDM field is set to `108`. Else, if the `record_type` log field value is equal to `EUI64`, then the `network.dns.questions.type` UDM field is set to `109`. Else, if the `record_type` log field value is equal to `TKEY`, then the `network.dns.questions.type` UDM field is set to `249`. Else, if the `record_type` log field value is equal to `TSIG`, then the `network.dns.questions.type` UDM field is set to `250`. Else, if the `record_type` log field value is equal to `IXFR`, then the `network.dns.questions.type` UDM field is set to `251`. Else, if the `record_type` log field value is equal to `AXFR`, then the `network.dns.questions.type` UDM field is set to `252`. Else, if the `record_type` log field value is equal to `MAILB`, then the `network.dns.questions.type` UDM field is set to `253`. Else, if the `record_type` log field value is equal to `MAILA`, then the `network.dns.questions.type` UDM field is set to `254`. Else, if the `record_type` log field value is equal to `ALL`, then the `network.dns.questions.type` UDM field is set to `255`. Else, if the `record_type` log field value is equal to `URI`, then the `network.dns.questions.type` UDM field is set to `256`. Else, if the `record_type` log field value is equal to `CAA`, then the `network.dns.questions.type` UDM field is set to `257`. Else, if the `record_type` log field value is equal to `AVC`, then the `network.dns.questions.type` UDM field is set to `258`. Else, if the `record_type` log field value is equal to `DOA`, then the `network.dns.questions.type` UDM field is set to `259`. Else, if the `record_type` log field value is equal to `AMTRELAY`, then the `network.dns.questions.type` UDM field is set to `260`. Else, if the `record_type` log field value is equal to `TA`, then the `network.dns.questions.type` UDM field is set to `32768`. Else, if the `record_type` log field value is equal to `DLV`, then the `network.dns.questions.type` UDM field is set to `32769`.
`dns_reqtype`	`additional.fields [dns_reqtype]`
`http_code`	`network.http.response_code`
`protocol`	`network.ip_protocol`	If the `protocol` log field value contain one of the following values, then the `protocol` log field is mapped to the `network.ip_protocol` UDM field. `TCP` `EIGRP` `ESP` `ETHERIP` `GRE` `ICMP` `IGMP` `IP6IN4` `PIM` `UDP` `VRRP` .
`durationms`	`network.session_duration.seconds`
`devicemodel`	`principal.asset.hardware.model`
`devicename`	`principal.asset.asset_id`
`devicehostname`	`principal.asset.hostname`
	`principal.asset.platform_software.platform`	If the `deviceostype` log field value matches the regular expression pattern `(?i)win`, then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if the `deviceostype` log field value matches the regular expression pattern `(?i)lin`, then the `principal.asset.platform_software.platform` UDM field is set to `LINUX`.
`deviceosversion`	`principal.asset.platform_software.platform_version`
`company`	`principal.user.company_name`
`department`	`principal.user.department`
`user`	`principal.user.email_addresses`	If the `user` log field value matches the regular expression pattern `(^.@.$)` or the `login` log field value matches the regular expression pattern `(^.@.$)`, then if the `user` log field value is not empty, then the `user` log field is mapped to the `principal.user.email_addresses` UDM field.
`login`	`principal.user.email_addresses`	If the `user` log field value matches the regular expression pattern `(^.@.$)` or the `login` log field value matches the regular expression pattern `(^.@.$)`, then if the `user` log field value is not empty, then else, the `login` log field is mapped to the `principal.user.email_addresses` UDM field.
`deviceowner`	`principal.user.userid`
`clt_sip`	`principal.ip`
`location`	`principal.location.name`
`reqrulelabel`	`security_result.rule_name`
`rule`	`security_result.rule_name`
	`security_result.action`	If the `reqaction` log field value matches the regular expression pattern `(?i)BLOCK`, then the `security_result.action` UDM field is set to `BLOCK`. Else, if the `reqaction` log field value matches the regular expression pattern `(?i)ALLOW`, then the `security_result.action` UDM field is set to `ALLOW`.
`reqaction`	`security_result.action_details`
	`security_result.category`	If the `category` log field value is not empty, then the `security_result.category` UDM field is set to `NETWORK_CATEGORIZED_CONTENT`.
`category`	`security_result.category_details`
`resrulelabel`	`security_result.rule_name`
	`security_result.action`	If the `resaction` log field value matches the regular expression pattern `(?i)BLOCK`, then the `security_result.action` UDM field is set to `BLOCK`. Else, if the `resaction` log field value matches the regular expression pattern `(?i)ALLOW`, then the `security_result.action` UDM field is set to `ALLOW`.
`resaction`	`security_result.action_details`
	`security_result.category`	If the `respipcategory` log field value is not empty, then the `security_result.category` UDM field is set to `NETWORK_CATEGORIZED_CONTENT`.
`respipcategory`	`security_result.category_details`
`ecs_slot`	`security_result.rule_labels [ecs_slot]`	If the `dnsgw_slot` log field value is empty, then the `ecs_slot` log field is mapped to the `security_result.rule_name` UDM field.
`dnsgw_slot`	`security_result.rule_name`	If the `dnsgw_slot` log field value is not empty, then the `dnsgw_slot` log field is mapped to the `security_result.rule_name` UDM field.
`ecs_slot`	`security_result.rule_name`	If the `dnsgw_slot` log field value is not empty, then the `ecs_slot` log field is mapped to the `security_result.rule_labels` UDM field.
`dnsapp`	`target.application`
`srv_dip`	`target.ip`
`srv_dport`	`target.port`
`datacentercity`	`target.location.city`
`datacentercountry`	`target.location.country_or_region`
`datacenter`	`target.location.name`
`cloudname`	`security_result.detection_fields [cloudname]`
`dnsappcat`	`security_result.detection_fields [dnsappcat]`
`ecs_prefix`	`security_result.detection_fields [ecs_prefix]`
`error`	`security_result.detection_fields [error]`
`istcp`	`security_result.detection_fields [istcp]`
`ocip`	`security_result.detection_fields [ocip]`
`odevicehostname`	`security_result.detection_fields [odevicehostname]`
`odeviceowner`	`security_result.detection_fields [odeviceowner]`
`odevicename`	`security_result.detection_fields [odevicename]`
`odomcat`	`security_result.detection_fields [odomcat]`
`dnsgw_flags`	`security_result.detection_fields[dnsgw_flags]`
`dnsgw_srv_proto`	`security_result.detection_fields[dnsgw_srv_proto]`
`erulelabel`	`security_result.rule_labels [erulelabel]`
`ethreatname`	`security_result.threat_name`
`durationms`	`additional.fields [durationms]`	If the `durationms` log field value is equal to `1`, then the `durationms` log field is mapped to the `additional.fields.durationms` UDM field.
`sourcetype`	`additional.fields[sourcetype]`
`deviceappversion`	`additional.fields [deviceappversion]`
`devicetype`	`additional.fields [devicetype]`
`eedone`	`additional.fields [eedone]`
`tz`	`additional.fields [tz]`
`ss`	`additional.fields [ss]`
`mm`	`additional.fields [mm]`
`hh`	`additional.fields [hh]`
`dd`	`additional.fields [dd]`
`mth`	`additional.fields [mth]`
`yyyy`	`additional.fields [yyyy]`
`mon`	`additional.fields [mon]`
`day`	`additional.fields [day]`

Precisa de mais ajuda? Receba respostas de membros da comunidade e profissionais da Google SecOps.