Coletar registros do Webproxy do Zscaler
Compatível com:
Google SecOps
SIEM
Este documento descreve como exportar registros do Zscaler Webproxy configurando um feed do Google Security Operations e como os campos de registro são mapeados para os campos do Modelo Unificado de Dados (UDM, na sigla em inglês) do Google SecOps.
Para mais informações, consulte Visão geral da ingestão de dados no Google SecOps.
Uma implantação típica consiste no Webproxy da Zscaler e no feed de webhook do Google SecOps configurado para enviar registros ao Google SecOps. Cada implantação de cliente pode ser diferente e mais complexa.
A implantação contém os seguintes componentes:
Zscaler Webproxy: a plataforma de onde você coleta registros.
Feed do Google SecOps: busca registros do Zscaler Webproxy e grava registros no Google SecOps.
Google SecOps: retém e analisa os registros.
Um rótulo de ingestão identifica o analisador que normaliza dados de registro brutos para o formato UDM estruturado. As informações neste documento se aplicam ao analisador com o rótulo de ingestão ZSCALER_WEBPROXY.
Antes de começar
Verifique se você atende aos seguintes pré-requisitos:
- Acesso ao console do Zscaler Internet Access. Para mais informações, consulte Ajuda do ZIA sobre acesso seguro à Internet e ao SaaS.
- Zscaler Webproxy 2024 ou mais recente
- Todos os sistemas na arquitetura de implantação são configurados com o fuso horário UTC.
- A chave de API necessária para concluir a configuração do feed no Google Security Operations. Para mais informações, consulte Como configurar chaves de API.
Configurar feeds
Há dois pontos de entrada diferentes para configurar feeds na plataforma do Google SecOps:
- Configurações do SIEM > Feeds
- Central de conteúdo > Pacotes de conteúdo
Configure feeds em Configurações do SIEM > Feeds
Para configurar vários feeds para diferentes tipos de registros nessa família de produtos, consulte Configurar feeds por produto.
Para configurar um único feed, siga estas etapas:
- Acesse Configurações do SIEM > Feeds.
- Clique em Adicionar novo feed.
- Na próxima página, clique em Configurar um único feed.
- No campo Nome do feed, insira um nome para o feed, por exemplo, Registros do Webproxy da Zscaler.
- Selecione Webhook como o Tipo de origem.
- Selecione Zscaler como o Tipo de registro.
- Clique em Próxima.
- Opcional: insira valores para os seguintes parâmetros de entrada:
- Delimitador de divisão: o delimitador usado para separar as linhas de registros. Deixe em branco se um delimitador não for usado.
- Namespace do recurso: o namespace do recurso.
- Rótulos de ingestão: o rótulo a ser aplicado aos eventos deste feed.
- Clique em Próxima.
- Revise a nova configuração de feed e clique em Enviar.
- Clique em Gerar chave secreta para autenticar este feed.
Configurar feeds na Central de conteúdo
Especifique valores para os seguintes campos:
- Delimitador de divisão: o delimitador usado para separar linhas de registro, como
\n.
Opções avançadas
- Nome do feed: um valor pré-preenchido que identifica o feed.
- Tipo de origem: método usado para coletar registros no Google SecOps.
- Namespace do recurso: o namespace do recurso.
- Rótulos de ingestão: o rótulo aplicado aos eventos deste feed.
- Clique em Próxima.
- Revise a configuração do feed na tela Finalizar e clique em Enviar.
- Clique em Gerar chave secreta para autenticar o feed.
Configurar o Zscaler Webproxy
- No console do Zscaler Internet Access, clique em Administração > Serviço de streaming do Nanolog > Feeds do NSS na nuvem e em Adicionar feed do NSS na nuvem.
- A janela Adicionar feed do NSS na nuvem vai aparecer. Na janela Adicionar feed do NSS da nuvem, insira os detalhes.
- Digite um nome para o feed no campo Nome do feed.
- Selecione NSS para Web em Tipo de NSS.
- Selecione o status na lista Status para ativar ou desativar o feed do NSS.
- Mantenha o valor no menu suspenso Taxa de SIEM como Ilimitada. Para suprimir o fluxo de saída devido a restrições de licenciamento ou outras, mude o valor.
- Selecione Outro na lista Tipo de SIEM.
- Selecione Desativado na lista Autenticação do OAuth 2.0.
- Insira um limite de tamanho para uma carga útil de solicitação HTTP individual na prática recomendada do SIEM em Tamanho máximo do lote. Por exemplo, 512 KB.
Insira o URL HTTPS do endpoint de API do Chronicle no URL da API no seguinte formato:
https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogsCHRONICLE_REGION: região em que a instância do Chronicle está hospedada. Por exemplo, US.GOOGLE_PROJECT_NUMBER: número do projeto BYOP. Obtenha isso do C4.LOCATION: região do Chronicle. Por exemplo, US.CUSTOMER_ID: ID do cliente do Chronicle. Obtenha do C4.FEED_ID: ID do feed mostrado na interface do usuário do feed no novo webhook criado- Exemplo de URL da API:
https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogsClique em Adicionar cabeçalho HTTP e adicione cabeçalhos HTTP no seguinte formato:
Header 1: Key1:X-goog-api-keye Value1:chave de API gerada nas credenciais de API do BYOP Google Cloud .Header 2: Key2:X-Webhook-Access-Keye Value2:chave secreta da API gerada em "SECRET KEY" do webhook.
Selecione Registros da Web na lista Tipos de registro.
Selecione JSON na lista Tipo de saída do feed.
Defina Caractere de escape do feed como
, \ ".Para adicionar um novo campo ao Formato de saída do feed,selecione Personalizado na lista Tipo de saída do feed.
Copie e cole o Formato de saída do feed e adicione novos campos. Verifique se os nomes das chaves correspondem aos nomes dos campos.
Confira a seguir o Formato de saída do feed padrão:
\{ "sourcetype" : "zscalernss-web", "event" : \{"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}","reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}","transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}","urlcategory":"%s{urlcat}","serverip":"%s{sip}","requestmethod":"%s{reqmethod}","refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}","ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler","hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}","threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}","threatseverity":"%s{threatseverity}","department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}","dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}","dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}","keyprotectiontype":"%s{keyprotectiontype}"\}\}Selecione o fuso horário do campo Hora no arquivo de saída na lista Fuso horário. Por padrão, o fuso horário é definido como o da sua organização.
Revise as configurações definidas.
Clique em Salvar para testar a conectividade. Se a conexão for bem-sucedida, uma marca de seleção verde acompanhada da mensagem Teste de conectividade bem-sucedido: OK (200) vai aparecer.
Para mais informações sobre feeds do Google SecOps, consulte a documentação sobre feeds do Google SecOps. Para informações sobre os requisitos de cada tipo de feed, consulte Configuração de feed por tipo.
Se você tiver problemas ao criar feeds, entre em contato com o suporte do Google SecOps.
Formatos de registro do Zscaler Webproxy compatíveis
O analisador Zscaler Webproxy é compatível com registros no formato JSON.
Registros de amostra do Webproxy do Zscaler compatíveis
JSON
{ "event": { "ClientIP": "198.51.100.0", "action": "Allowed", "appclass": "Sales and Marketing", "appname": "Trend Micro", "bwthrottle": "NO", "clientpublicIP": "198.51.100.1", "contenttype": "Other", "datetime": "2024-05-06 10:56:04", "department": "Mid-Continent%20Companies", "devicehostname": "dummyhostname", "deviceowner": "dummydeviceowner", "dlpdictionaries": "None", "dlpengine": "None", "event_id": "7365838693731467265", "fileclass": "None", "filetype": "None", "hostname": "dummyhostname.com", "keyprotectiontype": "N/A", "location": "Road%20Warrior", "pagerisk": "0", "product": "NSS", "protocol": "HTTP_PROXY", "reason": "Allowed", "refererURL": "None", "requestmethod": "CONNECT", "requestsize": "606", "responsesize": "65", "serverip": "198.51.10.2", "status": "200", "threatcategory": "None", "threatclass": "None", "threatname": "None", "threatseverity": "None", "transactionsize": "671", "unscannabletype": "None", "url": "dummyurl.com:443", "urlcategory": "SSL - DNI - Bypass", "urlclass": "Bandwidth Loss", "urlsupercategory": "User-defined", "user": "abc@xyz.com", "useragent": "dummyuseragent", "vendor": "Zscaler" }, "sourcetype": "zscalernss-web" }
Referência de mapeamento de campos
A tabela a seguir lista os campos de registro do tipo ZSCALER_WEBPROXY e os campos correspondentes da UDM.
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Zscaler. |
|
metadata.event_type |
If the ClientIP log field value is not empty and the serverip log field value is not empty and the proto log field value contain one of the following values, then the metadata.event_type UDM field is set to NETWORK_HTTP.
ClientIP log field value is not empty and the serverip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.Else, if the user log field value is not empty or the deviceowner log field value is not empty, then the metadata.event_type UDM field is set to USER_UNCATEGORIZED.Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
|
metadata.product_name |
The metadata.product_name UDM field is set to Web Proxy. |
sourcetype |
additional.fields[sourcetype] |
|
datetime |
metadata.event_timestamp |
|
tz |
additional.fields[tz] |
|
ss |
additional.fields[ss] |
|
mm |
additional.fields[mm] |
|
hh |
additional.fields[hh] |
|
dd |
additional.fields[dd] |
|
mth |
additional.fields[mth] |
|
yyyy |
additional.fields[yyyy] |
|
mon |
additional.fields[mon] |
|
day |
additional.fields[day] |
|
department |
principal.user.department |
|
b64dept |
principal.user.department |
|
edepartment |
principal.user.department |
|
user |
principal.user.email_addresses |
|
b64login |
principal.user.email_addresses |
|
elogin |
principal.user.email_addresses |
|
ologin |
additional.fields[ologin] |
|
cloudname |
principal.user.attribute.labels[cloudname] |
|
company |
principal.user.company_name |
|
throttlereqsize |
security_result.detection_fields[throttlereqsize] |
|
throttlerespsize |
security_result.detection_fields[throttlerespsize] |
|
bwthrottle |
security_result.detection_fields[bwthrottle] |
|
|
security_result.category |
If the bwthrottle log field value is equal to Yes, then the security_result.category UDM field is set to POLICY_VIOLATION. |
bwclassname |
security_result.detection_fields[bwclassname] |
|
obwclassname |
security_result.detection_fields[obwclassname] |
|
bwrulename |
security_result.rule_name |
|
appname |
target.application |
|
appclass |
target.security_result.detection_fields[appclass] |
|
module |
target.security_result.detection_fields[module] |
|
app_risk_score |
target.security_result.risk_score |
If the app_risk_score log field value matches the regular expression pattern [0-9]+, then the app_risk_score log field is mapped to the security_result.risk_score UDM field. |
datacenter |
target.location.name |
|
datacentercity |
target.location.city |
|
datacentercountry |
target.location.country_or_region |
|
dlpdictionaries |
security_result.detection_fields[dlpdictionaries] |
|
odlpdict |
security_result.detection_fields[odlpdict] |
|
dlpdicthitcount |
security_result.detection_fields[dlpdicthitcount] |
|
dlpengine |
security_result.detection_fields[dlpengine] |
|
odlpeng |
security_result.detection_fields[odlpeng] |
|
dlpidentifier |
security_result.detection_fields[dlpidentifier] |
|
dlpmd5 |
security_result.detection_fields[dlpmd5] |
|
dlprulename |
security_result.rule_name |
|
odlprulename |
security_result.detection_fields[odlprulename] |
|
fileclass |
additional.fields[fileclass] |
|
filetype |
target.file.mime_type |
|
filename |
target.file.full_path |
|
b64filename |
target.file.full_path |
|
efilename |
target.file.full_path |
|
filesubtype |
additional.fields[filesubtype] |
|
upload_fileclass |
additional.fields[upload_fileclass] |
|
upload_filetype |
target.file.mime_type |
If the filetype log field value is equal to None and the upload_filetype log field value is not equal to None, then the upload_filetype log field is mapped to the target.file.mime_type UDM field. |
upload_filename |
target.file.full_path |
If the filename log field value is equal to None and the upload_filename log field value is not equal to None, then the upload_filename log field is mapped to the target.file.full_path UDM field. |
b64upload_filename |
target.file.full_path |
|
eupload_filename |
target.file.full_path |
|
upload_filesubtype |
additional.fields[upload_filesubtype] |
|
upload_doctypename |
additional.fields[upload_doctypename] |
|
unscannabletype |
security_result.detection_fields[unscannabletype] |
|
rdr_rulename |
intermediary.security_result.rule_name |
|
b64rdr_rulename |
intermediary.security_result.rule_name |
|
|
intermediary.resource.resource_type |
If the rdr_rulename log field value is not empty, then the intermediary.resource.resource_type UDM field is set to GATEWAY. |
ordr_rulename |
additional.fields[ordr_rulename] |
|
fwd_type |
intermediary.resource.attribute.labels[fwd_type] |
|
fwd_gw_name |
intermediary.resource.name |
|
b64fwd_gw_name |
intermediary.resource.name |
|
ofwd_gw_name |
security_result.detection_fields[ofwd_gw_name] |
|
fwd_gw_ip |
intermediary.ip |
|
zpa_app_seg_name |
additional.fields[zpa_app_seg_name] |
|
b64zpa_app_seg_name |
additional.fields[zpa_app_seg_name] |
|
ozpa_app_seg_name |
additional.fields[ozpa_app_seg_name] |
|
reqdatasize |
additional.fields[reqdatasize] |
|
reqhdrsize |
additional.fields[reqhdrsize] |
|
requestsize |
network.sent_bytes |
|
respdatasize |
additional.fields[respdatasize] |
|
resphdrsize |
additional.fields[resphdrsize] |
|
responsesize |
network.received_bytes |
|
transactionsize |
additional.fields[transactionsize] |
|
contenttype |
additional.fields[contenttype] |
|
df_hosthead |
security_result.detection_fields[df_hosthead] |
|
df_hostname |
security_result.detection_fields[df_hostname] |
|
hostname |
target.hostnametarget.asset.hostname |
|
b64host |
target.hostnametarget.asset.hostname |
|
ehost |
target.hostnametarget.asset.hostname |
|
refererURL |
network.http.referral_url |
|
b64referer |
network.http.referral_url |
|
ereferer |
network.http.referral_url |
|
erefererpath |
additional.fields[erefererpath] |
|
refererhost |
additional.fields[refererhost] |
|
erefererhost |
additional.fields[refererhost] |
|
requestmethod |
network.http.method |
|
reqversion |
additional.fields[reqversion] |
|
status |
network.http.response_code |
|
respversion |
additional.fields[respversion] |
|
ua_token |
additional.fields[ua_token] |
|
useragent |
network.http.user_agent |
|
b64ua |
network.http.user_agent |
|
eua |
network.http.user_agent |
|
useragent |
network.http.parsed_user_agent |
|
b64ua |
network.http.parsed_user_agent |
|
eua |
network.http.parsed_user_agent |
|
uaclass |
additional.fields[uaclass] |
|
url |
target.url |
|
b64url |
target.url |
|
eurl |
target.url |
|
eurlpath |
additional.fields[eurlpath] |
|
mobappname |
additional.fields[mobappname] |
|
b64mobappname |
additional.fields[mobappname] |
|
emobappname |
additional.fields[mobappname] |
|
mobappcat |
additional.fields[mobappcat] |
|
mobdevtype |
additional.fields[mobdevtype] |
|
clt_sport |
principal.port |
|
ClientIP |
principal.ip |
|
ocip |
security_result.detection_fields[ocip] |
|
cpubip |
additional.fields[cpubip] |
|
ocpubip |
additional.fields[ocpubip] |
|
clientpublicIP |
principal.nat_ip |
|
serverip |
target.ip |
|
|
network.application_protocol |
If the protocol log field value contain one of the following values, then the network.application_protocol UDM field is set to HTTP.
protocol log field value contain one of the following values, then the network.application_protocol UDM field is set to HTTPS.
network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOL. |
alpnprotocol |
additional.fields[alpnprotocol] |
|
trafficredirectmethod |
intermediary.resource.attribute.labels[trafficredirectmethod] |
|
location |
principal.location.name |
|
elocation |
principal.location.name |
|
userlocationname |
principal.location.name |
If the userlocationname log field value is not equal to None, then the userlocationname log field is mapped to the principal.location.name UDM field. |
b64userlocationname |
principal.location.name |
|
euserlocationname |
principal.location.name |
|
rulelabel |
security_result.rule_name |
If the action log field value is equal to Blocked, then the rulelabel log field is mapped to the security_result.rule_name UDM field. |
b64rulelabel |
security_result.rule_name |
|
erulelabel |
security_result.rule_name |
|
ruletype |
security_result.rule_type |
|
reason |
security_result.description |
If the action log field value is equal to Blocked, then the reason log field is mapped to the security_result.description UDM field. |
action |
security_result.action_details |
|
|
security_result.action |
If the action log field value is equal to Allowed, then the security_result.action UDM field is set to ALLOW.Else, if the action log field value is equal to Blocked, then the security_result.action UDM field is set to BLOCK. |
urlfilterrulelabel |
security_result.rule_name |
|
b64urlfilterrulelabel |
security_result.rule_name |
|
eurlfilterrulelabel |
security_result.rule_name |
|
ourlfilterrulelabel |
security_result.detection_fields[ourlfilterrulelabel] |
|
apprulelabel |
target.security_result.rule_name |
|
b64apprulelabel |
target.security_result.rule_name |
|
oapprulelabel |
security_result.detection_fields[oapprulelabel] |
|
bamd5 |
target.file.md5 |
|
sha256 |
target.file.sha256 |
|
ssldecrypted |
security_result.detection_fields[ssldecrypted] |
|
externalspr |
security_result.about.artifact.last_https_certificate.extension.certificate_policies |
|
keyprotectiontype |
security_result.about.artifact.last_https_certificate.extension.key_usage |
|
clientsslcipher |
network.tls.client.supported_ciphers |
|
clienttlsversion |
network.tls.version |
|
clientsslsessreuse |
security_result.detection_fields[clientsslsessreuse] |
|
cltsslfailreason |
security_result.detection_fields[cltsslfailreason] |
|
cltsslfailcount |
security_result.detection_fields[cltsslfailcount] |
|
srvsslcipher |
network.tls.cipher |
|
srvtlsversion |
security_result.detection_fields[srvtlsversion] |
|
srvocspresult |
security_result.detection_fields[srvocspresult] |
|
srvcertchainvalpass |
security_result.detection_fields[srvcertchainvalpass] |
|
srvwildcardcert |
security_result.detection_fields[srvwildcardcert] |
|
serversslsessreuse |
security_result.detection_fields[server_ssl_sess_reuse] |
|
srvcertvalidationtype |
security_result.detection_fields[srvcertvalidationtype] |
|
srvcertvalidityperiod |
security_result.detection_fields[srvcertvalidityperiod] |
|
is_ssluntrustedca |
security_result.detection_fields[is_ssluntrustedca] |
|
is_sslselfsigned |
security_result.detection_fields[is_sslselfsigned] |
|
is_sslexpiredca |
security_result.detection_fields[is_sslexpiredca] |
|
pagerisk |
security_result.risk_score |
|
|
security_result.severity |
If the pagerisk log field value is greater than or equal to 90 and the pagerisk log field value is less than or equal to 100, then the security_result.severity UDM field is set to CRITICAL.If the pagerisk log field value is greater than or equal to 75 and the pagerisk log field value is less than or equal to 89, then the security_result.severity UDM field is set to HIGH.If the pagerisk log field value is greater than or equal to 46 and the pagerisk log field value is less than or equal to 74, then the security_result.severity UDM field is set to MEDIUM.If the pagerisk log field value is greater than or equal to 1 and the pagerisk log field value &is less than or equal to 45, then the security_result.severity UDM field is set to LOW.If the pagerisk log field value is equal to 0, then the security_result.severity UDM field is set to NONE. |
|
security_result.severity_details |
If the pagerisk log field value is not empty and the threatseverity log field value is not empty, then the security_result.severity_details UDM field is set to %{pagerisk} - %{threatseverity}.Else, if the threatseverity log field value is not empty, then the threatseverity log field is mapped to the security_result.severity_details UDM field. |
activity |
additional.fields[activity] |
|
is_dst_cntry_risky |
additional.fields[is_dst_cntry_risky] |
|
is_src_cntry_risky |
additional.fields[is_src_cntry_risky] |
|
prompt_req |
additional.fields[prompt_req] |
|
srcip_country |
principal.ip_geo_artifact.location.country_or_region |
|
pcapid |
security_result.about.file.full_path |
|
all_dlprulenames |
security_result.rule_labels[all_dlprulenames] |
|
other_dlprulenames |
security_result.rule_labels[other_dlprulenames] |
|
trig_dlprulename |
security_result.rule_name |
|
dstip_country |
target.ip_geo_artifact.location.country_or_region |
|
srv_dport |
target.port |
|
inst_level2_name |
target.resource_ancestors.name |
|
inst_level3_name |
target.resource_ancestors.name |
|
inst_level2_id |
target.resource_ancestors.product_object_id |
|
inst_level3_id |
target.resource_ancestors.product_object_id |
|
inst_level2_type |
target.resource_ancestors.resource_subtype |
|
inst_level3_type |
target.resource_ancestors.resource_subtype |
|
|
target.resource_ancestors.resource_type |
If the inst_level2_type log field value matches the regular expression pattern organization then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION. Else, if inst_level2_type log field value matches the regular expression pattern service then, the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE. Else, if inst_level2_type log field value matches the regular expression pattern policy then, the target.resource_ancestors.resource_type UDM field is set to ACCESS_POLICY. Else, if inst_level2_type log field value matches the regular expression pattern project then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. Else, if inst_level2_type log field value matches the regular expression pattern cluster then, the target.resource_ancestors.resource_type UDM field is set to CLUSTER. Else, if inst_level2_type log field value matches the regular expression pattern container then, the target.resource_ancestors.resource_type UDM field is set to CONTAINER. Else, if inst_level2_type log field value matches the regular expression pattern pod then, the target.resource_ancestors.resource_type UDM field is set to POD. Else, if inst_level2_type log field value matches the regular expression pattern repository then, the target.resource_ancestors.resource_type UDM field is set to REPOSITORY.If the inst_level3_type log field value matches the regular expression pattern organization then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION. Else, if inst_level3_type log field value matches the regular expression pattern service then, the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE. Else, if inst_level3_type log field value matches the regular expression pattern policy then, the target.resource_ancestors.resource_type UDM field is set to ACCESS_POLICY. Else, if inst_level3_type log field value matches the regular expression pattern project then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. Else, if inst_level3_type log field value matches the regular expression pattern cluster then, the target.resource_ancestors.resource_type UDM field is set to CLUSTER. Else, if inst_level3_type log field value matches the regular expression pattern container then, the target.resource_ancestors.resource_type UDM field is set to CONTAINER. Else, if inst_level3_type log field value matches the regular expression pattern pod then, the target.resource_ancestors.resource_type UDM field is set to POD. Else, if inst_level3_type log field value matches the regular expression pattern repository then, the target.resource_ancestors.resource_type UDM field is set to REPOSITORY. |
inst_level1_name |
target.resource.name |
|
inst_level1_id |
target.resource.product_object_id |
|
inst_level1_type |
target.resource.resource_subtype |
|
|
target.resource.resource_type |
If the inst_level1_type log field value matches the regular expression pattern organization then, the target.resource.resource_type UDM field is set to CLOUD_ORGANIZATION. Else, if inst_level1_type log field value matches the regular expression pattern service then, the target.resource.resource_type UDM field is set to BACKEND_SERVICE. Else, if inst_level1_type log field value matches the regular expression pattern policy then, the target.resource.resource_type UDM field is set to ACCESS_POLICY. Else, if inst_level1_type log field value matches the regular expression pattern project then, the target.resource.resource_type UDM field is set to CLOUD_PROJECT. Else, if inst_level1_type log field value matches the regular expression pattern cluster then, the target.resource.resource_type UDM field is set to CLUSTER. Else, if inst_level1_type log field value matches the regular expression pattern container then, the target.resource.resource_type UDM field is set to CONTAINER. Else, if inst_level1_type log field value matches the regular expression pattern pod then, the target.resource.resource_type UDM field is set to POD. Else, if inst_level1_type log field value matches the regular expression pattern repository then, the target.resource.resource_type UDM field is set to REPOSITORY. |
app_status |
target.security_result.detection_fields[app_status] |
|
threatname |
security_result.threat_name |
|
b64threatname |
security_result.threat_name |
|
threatcategory |
security_result.associations.name |
|
threatclass |
security_result.associations.description |
|
urlclass |
security_result.detection_fields[urlclass] |
|
urlsupercategory |
security_result.category_details |
|
urlcategory |
security_result.category_details |
|
b64urlcat |
security_result.category_details |
|
ourlcat |
security_result.detection_fields[ourlcat] |
|
urlcatmethod |
security_result.detection_fields[urlcatmethod] |
|
bypassed_traffic |
security_result.detection_fields[bypassed_traffic] |
|
bypassed_etime |
security_result.detection_fields[bypassed_etime] |
|
deviceappversion |
additional.fields[deviceappversion] |
|
devicehostname |
principal.asset.hostname |
|
odevicehostname |
security_result.detection_fields[odevicehostname] |
|
devicemodel |
principal.asset.hardware.model |
|
devicename |
principal.asset.asset_id |
|
odevicename |
security_result.detection_fields[odevicename] |
|
|
principal.asset.platform_software.platform |
If the deviceostype log field value matches the regular expression pattern (?i)iOS, then the principal.asset.platform_software.platform UDM field is set to IOS.Else, if the deviceostype log field value matches the regular expression pattern (?i)Android, then the principal.asset.platform_software.platform UDM field is set to ANDROID.Else, if the deviceostype log field value matches the regular expression pattern (?i)Windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the deviceostype log field value matches the regular expression pattern (?i)MAC, then the principal.asset.platform_software.platform UDM field is set to MAC.Else, if the deviceostype log field value matches the regular expression pattern (?i)Other, then the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
deviceosversion |
principal.asset.software.version |
|
deviceowner |
principal.user.userid |
|
odeviceowner |
security_result.detection_fields[odeviceowner] |
|
devicetype |
principal.asset.category |
|
external_devid |
additional.fields[external_devid] |
|
flow_type |
additional.fields[flow_type] |
|
ztunnelversion |
additional.fields[ztunnelversion] |
|
event_id |
metadata.product_log_id |
|
productversion |
metadata.product_version |
|
nsssvcip |
about.ip |
|
eedone |
additional.fields[eedone] |
Precisa de mais ajuda? Receba respostas de membros da comunidade e profissionais do Google SecOps.