Collect Zscaler Firewall logs
This document explains how to export Zscaler Firewall logs by setting up a Google Security Operations feed, and how the log fields map to Google SecOps Unified Data Model (UDM) fields.
For more information, see Data ingestion to Google SecOps overview.
A typical deployment consists of Zscaler Firewall and a Google SecOps Webhook feed configured to send logs to Google SecOps. Each customer deployment can differ and might be more complex.
The deployment contains the following components:
Zscaler Firewall: The platform from which you collect logs.
Google SecOps feed: The Google SecOps feed that fetches logs from Zscaler Firewall and writes them to Google SecOps.
Google SecOps: Retains and analyzes the logs.
An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the ZSCALER_FIREWALL ingestion label.
Before you begin
Ensure that you have the following prerequisites:
- Access to the Zscaler Internet Access console. For more information, see ZIA Help for Secure Internet and SaaS Access.
- Zscaler Firewall 2024 or later
- All systems in the deployment architecture are configured with the UTC time zone.
- The API key required to complete the feed setup in Google Security Operations. For more information, see Set up an API key.
Set up the feed
To configure this log type, follow these steps:
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- Click the Zscaler feed pack.
- Locate the required log type, then click Add New Feed.
Enter values for the following input parameters:
- Source Type: Webhook (Recommended)
- Split delimiter: The character used to separate log lines. Leave blank if no delimiter is used.
Advanced options
- Feed Name: A prepopulated value that identifies the feed.
- Asset Namespace: The namespace associated with the feed.
- Ingestion Labels: The label applied to all events from this feed.
Click Create Feed.
For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.
Set up Zscaler Firewall
- In the Zscaler Internet Access console, click Administration > Nanolog Streaming Service > Cloud NSS Feeds, then click Add Cloud NSS Feed.
- The Add Cloud NSS Feed window appears. Enter the details in this window.
- Enter a name for the feed in the Feed Name field.
- Select NSS for Firewall in NSS Type.
- Select a status from the Status list to activate or deactivate the NSS feed.
- Set the value in the SIEM Rate drop-down list to Unlimited. To throttle the output stream because of licensing or other constraints, change the value.
- Select Other in the SIEM Type list.
- Select Disabled in the OAuth 2.0 Authentication list.
- Enter a size limit for an individual HTTP request payload, following the SIEM best practice, in Max Batch Size. For example, 512 KB.
- Enter the HTTPS URL of the Chronicle API endpoint in API URL, in the following format:
https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
- CHRONICLE_REGION: The region where your Chronicle instance is hosted. For example, us.
- GOOGLE_PROJECT_NUMBER: The BYOP project number. Obtain this from C4.
- LOCATION: The Chronicle region. For example, US.
- CUSTOMER_ID: The Chronicle customer ID. Obtain this from C4.
- FEED_ID: The feed ID shown in the feed UI for the newly created webhook.
- Example API URL:
https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs
- Click Add HTTP Headers, then add the HTTP headers in the following format:
Header 1: Key1: X-goog-api-key and Value1: the API key generated in the Google Cloud BYOP API credentials.
Header 2: Key2: X-Webhook-Access-Key and Value2: the API secret key generated as the webhook's SECRET KEY.
Both values authenticate this feed to Google SecOps. Handle them as secrets, and rotate them if the Zscaler configuration is exported or shared.
- Select Firewall Logs in the Log Type list.
- Select JSON in the Feed Output Type list.
- Set Feed Escape Character to , \ " (comma, backslash and double quote).
- To add a new field to the Feed Output Format, select Custom in the Feed Output Type list.
- Copy and paste the Feed Output Format, then add the new field. Make sure that the key name matches the actual field name.
The following is the default Feed Output Format:
\{ "sourcetype" : "zscalernss-fw", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","locationname":"%s{elocation}","cdport":"%d{cdport}","csport":"%d{csport}","sdport":"%d{sdport}","ssport":"%d{ssport}","csip":"%s{csip}","cdip":"%s{cdip}","ssip":"%s{ssip}","sdip":"%s{sdip}","tsip":"%s{tsip}","tunsport":"%d{tsport}","tuntype":"%s{ttype}","action":"%s{action}","dnat":"%s{dnat}","stateful":"%s{stateful}","aggregate":"%s{aggregate}","nwsvc":"%s{nwsvc}","nwapp":"%s{nwapp}","proto":"%s{ipproto}","ipcat":"%s{ipcat}","destcountry":"%s{destcountry}","avgduration":"%d{avgduration}","rulelabel":"%s{erulelabel}","inbytes":"%ld{inbytes}","outbytes":"%ld{outbytes}","duration":"%d{duration}","durationms":"%d{durationms}","numsessions":"%d{numsessions}","ipsrulelabel":"%s{ipsrulelabel}","threatcat":"%s{threatcat}","threatname":"%s{ethreatname}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}
- Select the time zone for the Time field of the output file in the Timezone list. By default, the time zone is set to your organization's time zone.
- Review the configured settings.
- Click Save to test connectivity. If the connection is successful, a green check mark with the message Test Connectivity Successful: OK (200) appears.
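The following Python script is an added example, not Zscaler or Google SecOps code. It renders a subset of the default Feed Output Format above with the Feed Escape Character setting from these steps, parses the result the way the webhook receiver would, and assembles the importPushLogs URL and the two HTTP headers. The template grammar (%s{field}, %d{field} and %ld{field} substituted, \{ and \} as literal braces) and the reading of the escape setting as "prefix each listed character with a backslash" are assumptions drawn from this page; the field values are constructed sample data.

```python
"""Render a Zscaler Cloud NSS feed output format and build the matching
Google SecOps importPushLogs request.

Added example for this page; it is not Zscaler or Google SecOps code. It
assumes the template grammar visible in the default Feed Output Format:
%s{field}, %d{field} and %ld{field} are replaced by NSS field values, and
\\{ and \\} are literal braces. The field values are a constructed sample.
"""
import json
import re

# Subset of this page's default Feed Output Format (the full template has more fields).
FEED_OUTPUT_FORMAT = (
    r'\{ "sourcetype" : "zscalernss-fw", "event" :\{"datetime":"%s{time}",'
    r'"user":"%s{elogin}","department":"%s{edepartment}","cdport":"%d{cdport}",'
    r'"sdport":"%d{sdport}","csip":"%s{csip}","cdip":"%s{cdip}",'
    r'"action":"%s{action}","rulelabel":"%s{erulelabel}",'
    r'"inbytes":"%ld{inbytes}","outbytes":"%ld{outbytes}","threatname":"%s{ethreatname}"\}\}'
)

# Feed Escape Character setting from this page: comma, backslash and double quote.
FEED_ESCAPE_CHARS = ',\\"'

# Constructed sample of NSS field values. The rule label deliberately contains
# double quotes to show why the escape setting matters for JSON output.
SAMPLE_FIELDS = {
    "time": "Tue Apr 11 00:44:01 2023",
    "elogin": "abc@test.com",
    "edepartment": "Road Warrior",
    "cdport": 443, "sdport": 443,
    "csip": "198.51.100.8", "cdip": "198.51.100.7",
    "action": "Block",
    "erulelabel": 'Block "C2" egress',
    "inbytes": 286134, "outbytes": 515005,
    "ethreatname": "None",
}

_PLACEHOLDER = re.compile(r"%(?:s|d|ld)\{(\w+)\}")


def escape_value(value, escape_chars=FEED_ESCAPE_CHARS):
    """Prefix every configured escape character with a backslash.

    The backslash is handled first so the backslashes inserted for the other
    characters are not escaped a second time.
    """
    text = str(value)
    if "\\" in escape_chars:
        text = text.replace("\\", "\\\\")
    for ch in escape_chars:
        if ch != "\\":
            text = text.replace(ch, "\\" + ch)
    return text


def render_feed_output(template, fields, escape_chars=FEED_ESCAPE_CHARS):
    """Produce the text NSS would send for one event.

    Literal braces are unescaped before substitution so that field values
    containing backslashes are never reinterpreted as template syntax.
    """
    body = template.replace(r"\{", "{").replace(r"\}", "}")

    def substitute(match):
        name = match.group(1)
        if name not in fields:
            raise KeyError(f"template references NSS field {name!r} that is not in the event")
        return escape_value(fields[name], escape_chars)

    return _PLACEHOLDER.sub(substitute, body)


def render_event(template, fields, escape_chars=FEED_ESCAPE_CHARS):
    """Render and parse the result as the webhook receiver would; raises
    JSONDecodeError if the escape setting produced text that is not valid JSON."""
    return json.loads(render_feed_output(template, fields, escape_chars))


def build_push_request(region, project_number, location, customer_id, feed_id,
                       api_key, webhook_secret):
    """Return the importPushLogs URL and the two authentication headers from this page."""
    url = (
        f"https://{region}-chronicle.googleapis.com/v1alpha/projects/{project_number}"
        f"/locations/{location}/instances/{customer_id}/feeds/{feed_id}:importPushLogs"
    )
    headers = {"X-goog-api-key": api_key, "X-Webhook-Access-Key": webhook_secret}
    return url, headers


if __name__ == "__main__":
    url, headers = build_push_request(
        "us", "12345678910", "US",
        "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
        api_key="<API_KEY>", webhook_secret="<SECRET_KEY>")
    print(url)
    print(render_feed_output(FEED_OUTPUT_FORMAT, SAMPLE_FIELDS))
    print(render_event(FEED_OUTPUT_FORMAT, SAMPLE_FIELDS)["event"]["rulelabel"])
```

Run it to see the exact text NSS emits for the event and to confirm it parses back to the original rule label. One caveat worth checking against your own data: a backslash before a comma is not a valid JSON escape, so if a field such as rulelabel or ipcat can contain commas, render_event fails with a JSONDecodeError on the \, sequence, and you should verify how the receiving parser treats it before relying on the comma in the escape set.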
For more information about Google SecOps feeds, see the Google SecOps feeds documentation. For information about the requirements for each feed type, see Feed configuration by type.
If you encounter issues when creating feeds, contact Google SecOps support.
Supported Zscaler Firewall log formats
The Zscaler Firewall parser supports logs in JSON format.
Supported Zscaler Firewall sample log
JSON:
{ "sourcetype": "zscalernss-fw", "event": { "datetime": "Tue Apr 11 00:44:01 2023", "user": "abc@test.com", "department": "Optum%20Tech%20UHC%20Technology", "locationname": "Road%20Warrior", "cdport": "443", "csport": "50407", "sdport": "443", "ssport": "36223", "csip": "198.51.100.8", "cdip": "198.51.100.7", "ssip": "198.51.100.9", "sdip": "198.51.100.10", "tsip": "198.51.100.11", "tunsport": "0", "tuntype": "ZscalerClientConnector", "action": "Allow", "dnat": "No", "stateful": "Yes", "aggregate": "Yes", "nwsvc": "ZSCALER_PROXY_NW_SERVICES", "nwapp": "sharepoint_document", "proto": "TCP", "ipcat": "Miscellaneous or Unknown", "destcountry": "Other", "avgduration": "239296", "rulelabel": "Default%20Firewall%20Filtering%20Rule", "inbytes": "286134", "outbytes": "515005", "duration": "6461", "durationms": "6461000", "numsessions": "27", "ipsrulelabel": "None", "threatcat": "None", "threatname": "None", "deviceowner": "dummydeviceowner", "devicehostname": "dummyhostname" } }
Field mapping reference
The following table lists the log fields of the ZSCALER_FIREWALL log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
fwd_gw_name | intermediary.resource.name | |
 | intermediary.resource.resource_type | If the fwd_gw_name log field value is not empty or the ofwd_gw_name log field value is not empty, then the intermediary.resource.resource_type UDM field is set to GATEWAY. |
ofwd_gw_name | intermediary.security_result.detection_fields[ofwd_gw_name] | |
ordr_rulename | intermediary.security_result.detection_fields[ordr_rulename] | |
orulelabel | intermediary.security_result.detection_fields[orulelabel] | |
rdr_rulename | intermediary.security_result.rule_name | |
rulelabel | intermediary.security_result.rule_name | |
erulelabel | intermediary.security_result.rule_name | |
bypass_etime | metadata.collected_timestamp | |
datetime | metadata.event_timestamp | |
epochtime | metadata.event_timestamp | |
 | metadata.event_type | If (the sdport log field value is equal to 80 or 443) and (the csip, tsip or ssip log field value is not empty) and (the cdip or sdip log field value is not empty), then the metadata.event_type UDM field is set to NETWORK_HTTP. Else, if (the csip, tsip or ssip log field value is not empty) and (the cdip or sdip log field value is not empty), then the metadata.event_type UDM field is set to NETWORK_CONNECTION. Else, if the csip, tsip or ssip log field value is not empty, then the metadata.event_type UDM field is set to STATUS_UPDATE. Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
recordid | metadata.product_log_id | |
 | metadata.product_name | The metadata.product_name UDM field is set to Firewall. |
 | metadata.vendor_name | The metadata.vendor_name UDM field is set to Zscaler. |
proto | network.ip_protocol | If the proto log field value is a recognized IP protocol value, then the proto log field is mapped to the network.ip_protocol UDM field. |
inbytes | network.received_bytes | |
outbytes | network.sent_bytes | |
avgduration | network.session_duration.nanos | If the durationms log field value is empty and the avgduration log field value is not empty, then the avgduration log field is mapped to the network.session_duration.nanos UDM field. |
durationms | network.session_duration.nanos | If the durationms log field value is not empty, then the durationms log field is mapped to the network.session_duration.nanos UDM field. |
duration | network.session_duration.seconds | |
devicename | principal.asset.asset_id | If the devicename log field value is not empty, then Zscaler:devicename is mapped to the principal.asset.asset_id UDM field. |
devicemodel | principal.asset.hardware.model | |
devicehostname | principal.asset.hostname | If the devicehostname log field value is not empty, then the devicehostname log field is mapped to the principal.asset.hostname UDM field. |
deviceostype | principal.asset.platform_software.platform | If the deviceostype log field value matches the regular expression pattern (?i)iOS, then the principal.asset.platform_software.platform UDM field is set to IOS. Else, if it matches (?i)Android, then the UDM field is set to ANDROID. Else, if it matches (?i)Windows, then the UDM field is set to WINDOWS. Else, if it matches (?i)MAC, then the UDM field is set to MAC. Else, if it matches (?i)Other, then the UDM field is set to UNKNOWN_PLATFORM. |
deviceosversion | principal.asset.platform_software.platform_version | |
external_deviceid | principal.asset.product_object_id | |
csip | principal.ip | |
tsip | principal.ip | |
srcip_country | principal.location.country_or_region | |
location | principal.location.name | |
locationname | principal.location.name | |
ssip | principal.nat_ip | |
ssport | principal.nat_port | |
csport | principal.port | |
dept | principal.user.department | |
department | principal.user.department | |
login | principal.user.email_addresses | The login value is extracted from the login log field using a Grok pattern, and the login log field is mapped to the principal.user.email_addresses UDM field. |
user | principal.user.email_addresses | The user value is extracted from the user log field using a Grok pattern, and the user log field is mapped to the principal.user.email_addresses UDM field. |
deviceowner | principal.user.userid | |
action | security_result.action | If the action log field value matches the regular expression pattern ^Allow.*, then the security_result.action UDM field is set to ALLOW. Else, if the action log field value matches the regular expression pattern ^Drop.* or ^Block.*, then the security_result.action UDM field is set to BLOCK. Else, if the action log field value is equal to Reset, then the security_result.action UDM field is set to BLOCK. |
action | security_result.action_details | |
threat_severity, threat_score | security_result.severity | If the threat_severity log field value is one of CRITICAL, HIGH, MEDIUM, LOW or NONE, then the threat_severity log field is mapped to the security_result.severity UDM field. Else, if the threat_score log field value is equal to 0, then the security_result.severity UDM field is set to NONE. Else, if the threat_score log field value is greater than 0 and less than or equal to 45, then the security_result.severity UDM field is set to LOW. Else, if the threat_score log field value is greater than 45 and less than 75, then the security_result.severity UDM field is set to MEDIUM. Else, if the threat_score log field value is greater than or equal to 75 and less than 90, then the security_result.severity UDM field is set to HIGH. Else, if the threat_score log field value is greater than or equal to 90 and less than or equal to 100, then the security_result.severity UDM field is set to CRITICAL. |
threat_severity, threat_score | security_result.severity_details | If both the threat_score and threat_severity log field values are not empty, then the string %{threat_score} - %{threat_severity} is mapped to the security_result.severity_details UDM field. Else, if the threat_severity log field value is not empty, then the threat_severity log field is mapped to the security_result.severity_details UDM field. Else, if the threat_score log field value is not empty, then the threat_score log field is mapped to the security_result.severity_details UDM field. |
ipcat, oipcat | security_result.category | If the ipcat log field value is not empty or the oipcat log field value is not empty, then the security_result.category UDM field is set to NETWORK_CATEGORIZED_CONTENT. |
ipcat | security_result.category_details | The ipcat log field is mapped to the security_result.category_details UDM field. |
threatcat | security_result.category_details | If the threatcat log field value is not equal to None, then the threatcat log field is mapped to the security_result.category_details UDM field. |
bypassed_session | security_result.detection_fields[bypassed_session] | If the bypassed_session log field value is equal to 0, then the security_result.detection_fields[bypassed_session] UDM field is set to the traffic did not bypass Zscaler Client Connector. Else, if the bypassed_session log field value is equal to 1, then the security_result.detection_fields[bypassed_session] UDM field is set to the traffic bypassed Zscaler Client Connector. |
odevicehostname | security_result.detection_fields[odevicehostname] | |
odevicename | security_result.detection_fields[odevicename] | |
odeviceowner | security_result.detection_fields[odeviceowner] | |
oipcat | security_result.detection_fields[oipcat] | |
oipsrulelabel | security_result.detection_fields[oipsrulelabel] | |
numsessions | security_result.detection_fields[numsessions] | |
ips_custom_signature | security_result.rule_labels[ips_custom_signature] | If the ips_custom_signature log field value is equal to 0, then the security_result.rule_labels[ips_custom_signature] UDM field is set to non-custom IPS rule. Else, if the ips_custom_signature log field value is equal to 1, then the security_result.rule_labels[ips_custom_signature] UDM field is set to custom IPS rule. |
ipsrulelabel | security_result.rule_name | If the ipsrulelabel log field value is not equal to None, then the ipsrulelabel log field is mapped to the security_result.rule_name UDM field. |
threatname | security_result.threat_name | If the threatname log field value is not equal to None, then the threatname log field is mapped to the security_result.threat_name UDM field. |
ethreatname | security_result.threat_name | If the ethreatname log field value is not equal to None, then the ethreatname log field is mapped to the security_result.threat_name UDM field. |
nwapp | target.application | |
cdfqdn | target.domain.name | |
sdip | target.ip | |
datacentercity | target.location.city | |
destcountry | target.location.country_or_region | |
datacentercountry | target.location.country_or_region | |
datacenter | target.location.name | |
cdip | target.nat_ip | |
cdport | target.nat_port | |
sdport | target.port | |
odnatlabel | target.security_result.detection_fields[odnatlabel] | |
dnat | target.security_result.rule_labels[dnat] | |
dnatrulelabel | target.security_result.rule_name | |
aggregate | additional.fields[aggregate] | |
day | additional.fields[day] | |
dd | additional.fields[dd] | |
deviceappversion | additional.fields[deviceappversion] | |
eedone | additional.fields[eedone] | |
flow_type | additional.fields[flow_type] | |
hh | additional.fields[hh] | |
mm | additional.fields[mm] | |
mon | additional.fields[mon] | |
mth | additional.fields[mth] | |
nwsvc | additional.fields[nwsvc] | |
ocsip | additional.fields[ocsip] | |
ozpa_app_seg_name | additional.fields[ozpa_app_seg_name] | |
ss | additional.fields[ss] | |
sourcetype | additional.fields[sourcetype] | |
stateful | additional.fields[stateful] | |
tz | additional.fields[tz] | |
tuntype | additional.fields[traffic_forwarding_method] | |
tunsport | additional.fields[tunsport] | |
yyyy | additional.fields[yyyy] | |
zpa_app_seg_name | additional.fields[zpa_app_seg_name] | |
ztunnelversion | additional.fields[ztunnelversion] | |
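To predict what the parser produces for a given event before writing detections against it, the following Python model is an added example (not the Google SecOps parser) of the conditional rules in the table above: the metadata.event_type decision, the security_result.action and security_result.severity rules, the deviceostype platform regexes, and the suppression of rule and threat fields that Zscaler fills with the literal string None. Direct one-to-one mappings are only sampled, and SAMPLE_EVENT is constructed from this page's sample log with a deviceostype value added to exercise the platform rule.

```python
"""Model of the conditional rules in the ZSCALER_FIREWALL field mapping table.

Added example for this page, not the Google SecOps parser itself. It covers
metadata.event_type, security_result.action and severity, the deviceostype
platform rule and the "None" suppression; direct mappings are only sampled.
SAMPLE_EVENT is constructed from the page's sample log, plus deviceostype.
"""
import re

SAMPLE_EVENT = {
    "datetime": "Tue Apr 11 00:44:01 2023", "user": "abc@test.com",
    "cdport": "443", "csport": "50407", "sdport": "443", "ssport": "36223",
    "csip": "198.51.100.8", "cdip": "198.51.100.7", "ssip": "198.51.100.9",
    "sdip": "198.51.100.10", "tsip": "198.51.100.11", "action": "Allow",
    "proto": "TCP", "ipcat": "Miscellaneous or Unknown", "inbytes": "286134",
    "outbytes": "515005", "ipsrulelabel": "None", "threatcat": "None",
    "threatname": "None", "devicehostname": "dummyhostname", "deviceostype": "Windows 11",
}

SEVERITY_VALUES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "NONE")
PLATFORM_RULES = (("iOS", "IOS"), ("Android", "ANDROID"), ("Windows", "WINDOWS"),
                  ("MAC", "MAC"), ("Other", "UNKNOWN_PLATFORM"))


def _present(event, *names):
    return any(event.get(n) not in (None, "") for n in names)

def event_type(event):
    """metadata.event_type: csip/tsip/ssip are source IPs, cdip/sdip destination IPs."""
    has_src = _present(event, "csip", "tsip", "ssip")
    has_dst = _present(event, "cdip", "sdip")
    if str(event.get("sdport", "")) in ("80", "443") and has_src and has_dst:
        return "NETWORK_HTTP"
    if has_src and has_dst:
        return "NETWORK_CONNECTION"
    if has_src:
        return "STATUS_UPDATE"
    return "GENERIC_EVENT"

def action(event):
    """security_result.action: prefix match, because Zscaler actions can carry suffixes."""
    value = event.get("action", "")
    if re.match(r"^Allow", value):
        return "ALLOW"
    if re.match(r"^(?:Drop|Block)", value) or value == "Reset":
        return "BLOCK"
    return None

def severity(event):
    """security_result.severity: explicit threat_severity wins, else threat_score is bucketed."""
    if event.get("threat_severity") in SEVERITY_VALUES:
        return event["threat_severity"]
    raw = event.get("threat_score")
    if raw in (None, ""):
        return None
    score = int(raw)  # threat_score is an integer 0..100 in the table's rules
    if score == 0:
        return "NONE"
    for upper, label in ((45, "LOW"), (74, "MEDIUM"), (89, "HIGH"), (100, "CRITICAL")):
        if 0 < score <= upper:
            return label
    return None  # the table defines no bucket outside 0..100

def severity_details(event):
    score, sev = event.get("threat_score"), event.get("threat_severity")
    return f"{score} - {sev}" if score and sev else (sev or score or None)

def platform(event):
    """principal.asset.platform_software.platform from deviceostype; first regex wins."""
    os_type = event.get("deviceostype", "")
    return next((v for p, v in PLATFORM_RULES if re.search(p, os_type, re.IGNORECASE)), None)

def _not_none(event, name):
    """Fields the parser drops when Zscaler fills them with the literal string None."""
    value = event.get(name)
    return value if value not in (None, "", "None") else None

def to_udm(event):
    """Flattened subset of the UDM record the mapping table describes."""
    udm = {
        "metadata.event_type": event_type(event),
        "security_result.action": action(event),
        "security_result.action_details": event.get("action"),
        "security_result.severity": severity(event),
        "security_result.severity_details": severity_details(event),
        "security_result.rule_name": _not_none(event, "ipsrulelabel"),
        "security_result.threat_name": _not_none(event, "threatname") or _not_none(event, "ethreatname"),
        "security_result.category_details": [v for v in (event.get("ipcat"), _not_none(event, "threatcat")) if v],
        "principal.asset.platform_software.platform": platform(event),
        "principal.ip": [v for v in (event.get("csip"), event.get("tsip")) if v],
        "target.ip": event.get("sdip"),
        "network.received_bytes": event.get("inbytes"),
        "network.sent_bytes": event.get("outbytes"),
    }
    if _present(event, "ipcat", "oipcat"):
        udm["security_result.category"] = "NETWORK_CATEGORIZED_CONTENT"
    return {k: v for k, v in udm.items() if v not in (None, "", [])}


if __name__ == "__main__":
    for key, value in to_udm(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

Two points the model makes visible: an event whose ipsrulelabel, threatcat and threatname are all the string None lands in UDM with no security_result.rule_name or threat_name at all, so a rule should test for absence rather than for the value "None"; and the threat_score buckets have inclusive lower bounds at 75 and 90 but an exclusive one at 45, so a score of exactly 45 is LOW while 75 is already HIGH.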