收集 Zscaler Webproxy 記錄
支援的國家/地區:
Google SecOps
SIEM
本文說明如何設定 Google Security Operations 動態饋給來匯出 Zscaler Webproxy 記錄,以及記錄欄位如何對應至 Google SecOps Unified Data Model (UDM) 欄位。
詳情請參閱「將資料擷取至 Google SecOps 總覽」。
一般部署作業包含 Zscaler Webproxy 和 Google SecOps Webhook 資訊提供,這些設定會將記錄傳送至 Google SecOps。每個客戶的部署作業可能有所不同,也可能更複雜。
部署作業包含下列元件:
Zscaler Webproxy:收集記錄檔的平台。
Google SecOps 資訊提供:從 Zscaler Webproxy 擷取記錄,並將記錄寫入 Google SecOps 的 Google SecOps 資訊提供。
Google SecOps:保留及分析記錄檔。
擷取標籤會識別剖析器,該剖析器會將原始記錄資料正規化為具結構性的 UDM 格式。本文件中的資訊適用於具有 ZSCALER_WEBPROXY 攝入標籤的剖析器。
事前準備
請確認您已完成下列事前準備事項:
- 存取 Zscaler Internet Access 控制台。詳情請參閱「Secure Internet and SaaS Access ZIA Help」。
- Zscaler Webproxy 2024 以上版本
- 部署架構中的所有系統都已設定為世界標準時間時區。
- 在 Google Security Operations 中完成動態饋給設定時,需要使用 API 金鑰。詳情請參閱「設定 API 金鑰」。
設定動態饋給
在 Google SecOps 平台中,有兩種不同的進入點可設定動態饋給:
- 「SIEM 設定」>「動態消息」
- 內容中心 > 內容包
依序前往「SIEM 設定」>「動態消息」,設定動態消息
如要為這個產品系列中的不同記錄類型設定多個動態饋給,請參閱「依產品設定動態饋給」。
如要設定單一動態饋給,請按照下列步驟操作:
- 依序前往「SIEM 設定」>「動態饋給」。
- 按一下「新增動態消息」。
- 在下一個頁面中,按一下「設定單一動態饋給」。
- 在「動態饋給名稱」欄位中,輸入動態饋給的名稱,例如「Zscaler Webproxy Logs」。
- 選取「Webhook」做為「來源類型」。
- 選取「Zscaler」做為「記錄類型」。
- 點選「下一步」。
- 選用:輸入下列輸入參數的值:
- 分割分隔符號:用於分隔記錄行的分隔符號。如未使用分隔符號,請將此欄位留空。
- 資產命名空間:資產命名空間。
- 擷取標籤:要套用至這個動態饋給事件的標籤。
- 點選「下一步」。
- 檢查新的動態消息設定,然後按一下「提交」。
- 按一下「產生密鑰」,產生驗證這個動態消息的密鑰。
從內容中心設定動態饋給
為下列欄位指定值:
- 分割分隔符號:用於分隔記錄行的分隔符號,例如
\n。
進階選項
- 動態饋給名稱:系統預先填入的值,用於識別動態饋給。
- 來源類型:將記錄收集到 Google SecOps 的方法。
- 資產命名空間:資產命名空間。
- 擷取標籤:套用至這個動態饋給事件的標籤。
- 點選「下一步」。
- 在「Finalize」畫面中檢查動態饋給設定,然後按一下「Submit」。
- 按一下「產生密鑰」,產生驗證這個動態消息的密鑰。
設定 Zscaler Webproxy
- 在 Zscaler Internet Access 控制台中,依序點選「Administration」(管理) >「Nanolog Streaming Service」(Nanolog 串流服務) >「Cloud NSS Feeds」(Cloud NSS 資訊饋給),然後點選「Add Cloud NSS Feed」(新增 Cloud NSS 資訊饋給)。
- 系統會隨即顯示「新增 Cloud NSS 饋給」視窗。在「新增 Cloud NSS 動態饋給」視窗中輸入詳細資料。
- 在「動態饋給名稱」欄位中輸入動態饋給名稱。
- 在「NSS Type」中選取「NSS for Web」。
- 從「狀態」清單中選取狀態,即可啟用或停用 NSS 動態饋給。
- 將「SIEM Rate」下拉式選單的值保留為「Unlimited」。如要因授權或其他限制而抑制輸出串流,請變更值。
- 在「SIEM Type」(SIEM 類型) 清單中選取「Other」(其他)。
- 在「OAuth 2.0 Authentication」清單中選取「Disabled」。
- 在「Max Batch Size」(批次大小上限) 中,輸入個別 HTTP 要求酬載的大小上限,以符合 SIEM 的最佳做法。例如 512 KB。
在「API URL」中,以以下格式輸入 Chronicle API 端點的 HTTPS 網址:
https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogsCHRONICLE_REGION:Chronicle 執行個體的主機代管區域。例如「US」。GOOGLE_PROJECT_NUMBER:自帶專案編號。請從 C4 取得這項資訊。LOCATION:Chronicle 區域。例如「US」。CUSTOMER_ID:Chronicle 客戶 ID。從 C4 取得。FEED_ID:建立新 Webhook 時,動態饋給 UI 中顯示的動態饋給 ID- API 網址範例:
https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs按一下「新增 HTTP 標頭」,然後新增 HTTP 標頭,格式如下:
Header 1:Key1:X-goog-api-key和 Value1:在 Google Cloud BYOP 的 API 憑證中產生的 API 金鑰。Header 2:Key2:X-Webhook-Access-Key和 Value2:在網路鉤子的「SECRET KEY」上產生的 API 密鑰。
在「記錄類型」清單中選取「網頁記錄」。
在「動態饋給輸出類型」清單中選取「JSON」。
將「動態饋給逸出字元」設為
, \ "。如要將新欄位新增至動態饋給輸出格式,請在「動態饋給輸出類型」清單中選取「自訂」。
複製並貼上「動態饋給輸出格式」,然後新增欄位。確認鍵名與實際欄位名稱相符。
以下是預設的動態饋給輸出格式:
\{ "sourcetype" : "zscalernss-web", "event" : \{"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}","reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}","transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}","urlcategory":"%s{urlcat}","serverip":"%s{sip}","requestmethod":"%s{reqmethod}","refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}","ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler","hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}","threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}","threatseverity":"%s{threatseverity}","department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}","dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}","dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}","keyprotectiontype":"%s{keyprotectiontype}"\}\}在「Timezone」(時區)清單中,選取輸出檔案「Time」(時間) 欄位的時區。根據預設,時區會設為貴機構的時區。
查看已設定的設定。
按一下「儲存」,測試連線。如果連線成功,畫面會顯示綠色勾號,以及「Test Connectivity Successful: OK (200)」(測試連線成功:OK (200)) 訊息。
如要進一步瞭解 Google SecOps 動態消息,請參閱 Google SecOps 動態消息說明文件。如要瞭解各動態饋給類型的規定,請參閱「依類型設定動態饋給」。
如果在建立動態饋給時遇到問題,請與 Google SecOps 支援團隊聯絡。
支援的 Zscaler Webproxy 記錄格式
Zscaler Webproxy 剖析器支援 JSON 格式的記錄。
支援的 Zscaler Webproxy 記錄檔範例
JSON
{ "event": { "ClientIP": "198.51.100.0", "action": "Allowed", "appclass": "Sales and Marketing", "appname": "Trend Micro", "bwthrottle": "NO", "clientpublicIP": "198.51.100.1", "contenttype": "Other", "datetime": "2024-05-06 10:56:04", "department": "Mid-Continent%20Companies", "devicehostname": "dummyhostname", "deviceowner": "dummydeviceowner", "dlpdictionaries": "None", "dlpengine": "None", "event_id": "7365838693731467265", "fileclass": "None", "filetype": "None", "hostname": "dummyhostname.com", "keyprotectiontype": "N/A", "location": "Road%20Warrior", "pagerisk": "0", "product": "NSS", "protocol": "HTTP_PROXY", "reason": "Allowed", "refererURL": "None", "requestmethod": "CONNECT", "requestsize": "606", "responsesize": "65", "serverip": "198.51.10.2", "status": "200", "threatcategory": "None", "threatclass": "None", "threatname": "None", "threatseverity": "None", "transactionsize": "671", "unscannabletype": "None", "url": "dummyurl.com:443", "urlcategory": "SSL - DNI - Bypass", "urlclass": "Bandwidth Loss", "urlsupercategory": "User-defined", "user": "abc@xyz.com", "useragent": "dummyuseragent", "vendor": "Zscaler" }, "sourcetype": "zscalernss-web" }
欄位對應參考資料
下表列出 ZSCALER_WEBPROXY 記錄類型的記錄欄位,以及對應的 UDM 欄位。
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Zscaler. |
|
metadata.event_type |
If the ClientIP log field value is not empty and the serverip log field value is not empty and the proto log field value contain one of the following values, then the metadata.event_type UDM field is set to NETWORK_HTTP.
ClientIP log field value is not empty and the serverip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.Else, if the user log field value is not empty or the deviceowner log field value is not empty, then the metadata.event_type UDM field is set to USER_UNCATEGORIZED.Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
|
metadata.product_name |
The metadata.product_name UDM field is set to Web Proxy. |
sourcetype |
additional.fields[sourcetype] |
|
datetime |
metadata.event_timestamp |
|
tz |
additional.fields[tz] |
|
ss |
additional.fields[ss] |
|
mm |
additional.fields[mm] |
|
hh |
additional.fields[hh] |
|
dd |
additional.fields[dd] |
|
mth |
additional.fields[mth] |
|
yyyy |
additional.fields[yyyy] |
|
mon |
additional.fields[mon] |
|
day |
additional.fields[day] |
|
department |
principal.user.department |
|
b64dept |
principal.user.department |
|
edepartment |
principal.user.department |
|
user |
principal.user.email_addresses |
|
b64login |
principal.user.email_addresses |
|
elogin |
principal.user.email_addresses |
|
ologin |
additional.fields[ologin] |
|
cloudname |
principal.user.attribute.labels[cloudname] |
|
company |
principal.user.company_name |
|
throttlereqsize |
security_result.detection_fields[throttlereqsize] |
|
throttlerespsize |
security_result.detection_fields[throttlerespsize] |
|
bwthrottle |
security_result.detection_fields[bwthrottle] |
|
|
security_result.category |
If the bwthrottle log field value is equal to Yes, then the security_result.category UDM field is set to POLICY_VIOLATION. |
bwclassname |
security_result.detection_fields[bwclassname] |
|
obwclassname |
security_result.detection_fields[obwclassname] |
|
bwrulename |
security_result.rule_name |
|
appname |
target.application |
|
appclass |
target.security_result.detection_fields[appclass] |
|
module |
target.security_result.detection_fields[module] |
|
app_risk_score |
target.security_result.risk_score |
If the app_risk_score log field value matches the regular expression pattern [0-9]+, then the app_risk_score log field is mapped to the security_result.risk_score UDM field. |
datacenter |
target.location.name |
|
datacentercity |
target.location.city |
|
datacentercountry |
target.location.country_or_region |
|
dlpdictionaries |
security_result.detection_fields[dlpdictionaries] |
|
odlpdict |
security_result.detection_fields[odlpdict] |
|
dlpdicthitcount |
security_result.detection_fields[dlpdicthitcount] |
|
dlpengine |
security_result.detection_fields[dlpengine] |
|
odlpeng |
security_result.detection_fields[odlpeng] |
|
dlpidentifier |
security_result.detection_fields[dlpidentifier] |
|
dlpmd5 |
security_result.detection_fields[dlpmd5] |
|
dlprulename |
security_result.rule_name |
|
odlprulename |
security_result.detection_fields[odlprulename] |
|
fileclass |
additional.fields[fileclass] |
|
filetype |
target.file.mime_type |
|
filename |
target.file.full_path |
|
b64filename |
target.file.full_path |
|
efilename |
target.file.full_path |
|
filesubtype |
additional.fields[filesubtype] |
|
upload_fileclass |
additional.fields[upload_fileclass] |
|
upload_filetype |
target.file.mime_type |
If the filetype log field value is equal to None and the upload_filetype log field value is not equal to None, then the upload_filetype log field is mapped to the target.file.mime_type UDM field. |
upload_filename |
target.file.full_path |
If the filename log field value is equal to None and the upload_filename log field value is not equal to None, then the upload_filename log field is mapped to the target.file.full_path UDM field. |
b64upload_filename |
target.file.full_path |
|
eupload_filename |
target.file.full_path |
|
upload_filesubtype |
additional.fields[upload_filesubtype] |
|
upload_doctypename |
additional.fields[upload_doctypename] |
|
unscannabletype |
security_result.detection_fields[unscannabletype] |
|
rdr_rulename |
intermediary.security_result.rule_name |
|
b64rdr_rulename |
intermediary.security_result.rule_name |
|
|
intermediary.resource.resource_type |
If the rdr_rulename log field value is not empty, then the intermediary.resource.resource_type UDM field is set to GATEWAY. |
ordr_rulename |
additional.fields[ordr_rulename] |
|
fwd_type |
intermediary.resource.attribute.labels[fwd_type] |
|
fwd_gw_name |
intermediary.resource.name |
|
b64fwd_gw_name |
intermediary.resource.name |
|
ofwd_gw_name |
security_result.detection_fields[ofwd_gw_name] |
|
fwd_gw_ip |
intermediary.ip |
|
zpa_app_seg_name |
additional.fields[zpa_app_seg_name] |
|
b64zpa_app_seg_name |
additional.fields[zpa_app_seg_name] |
|
ozpa_app_seg_name |
additional.fields[ozpa_app_seg_name] |
|
reqdatasize |
additional.fields[reqdatasize] |
|
reqhdrsize |
additional.fields[reqhdrsize] |
|
requestsize |
network.sent_bytes |
|
respdatasize |
additional.fields[respdatasize] |
|
resphdrsize |
additional.fields[resphdrsize] |
|
responsesize |
network.received_bytes |
|
transactionsize |
additional.fields[transactionsize] |
|
contenttype |
additional.fields[contenttype] |
|
df_hosthead |
security_result.detection_fields[df_hosthead] |
|
df_hostname |
security_result.detection_fields[df_hostname] |
|
hostname |
target.hostnametarget.asset.hostname |
|
b64host |
target.hostnametarget.asset.hostname |
|
ehost |
target.hostnametarget.asset.hostname |
|
refererURL |
network.http.referral_url |
|
b64referer |
network.http.referral_url |
|
ereferer |
network.http.referral_url |
|
erefererpath |
additional.fields[erefererpath] |
|
refererhost |
additional.fields[refererhost] |
|
erefererhost |
additional.fields[refererhost] |
|
requestmethod |
network.http.method |
|
reqversion |
additional.fields[reqversion] |
|
status |
network.http.response_code |
|
respversion |
additional.fields[respversion] |
|
ua_token |
additional.fields[ua_token] |
|
useragent |
network.http.user_agent |
|
b64ua |
network.http.user_agent |
|
eua |
network.http.user_agent |
|
useragent |
network.http.parsed_user_agent |
|
b64ua |
network.http.parsed_user_agent |
|
eua |
network.http.parsed_user_agent |
|
uaclass |
additional.fields[uaclass] |
|
url |
target.url |
|
b64url |
target.url |
|
eurl |
target.url |
|
eurlpath |
additional.fields[eurlpath] |
|
mobappname |
additional.fields[mobappname] |
|
b64mobappname |
additional.fields[mobappname] |
|
emobappname |
additional.fields[mobappname] |
|
mobappcat |
additional.fields[mobappcat] |
|
mobdevtype |
additional.fields[mobdevtype] |
|
clt_sport |
principal.port |
|
ClientIP |
principal.ip |
|
ocip |
security_result.detection_fields[ocip] |
|
cpubip |
additional.fields[cpubip] |
|
ocpubip |
additional.fields[ocpubip] |
|
clientpublicIP |
principal.nat_ip |
|
serverip |
target.ip |
|
|
network.application_protocol |
If the protocol log field value contain one of the following values, then the network.application_protocol UDM field is set to HTTP.
protocol log field value contain one of the following values, then the network.application_protocol UDM field is set to HTTPS.
network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOL. |
alpnprotocol |
additional.fields[alpnprotocol] |
|
trafficredirectmethod |
intermediary.resource.attribute.labels[trafficredirectmethod] |
|
location |
principal.location.name |
|
elocation |
principal.location.name |
|
userlocationname |
principal.location.name |
If the userlocationname log field value is not equal to None, then the userlocationname log field is mapped to the principal.location.name UDM field. |
b64userlocationname |
principal.location.name |
|
euserlocationname |
principal.location.name |
|
rulelabel |
security_result.rule_name |
If the action log field value is equal to Blocked, then the rulelabel log field is mapped to the security_result.rule_name UDM field. |
b64rulelabel |
security_result.rule_name |
|
erulelabel |
security_result.rule_name |
|
ruletype |
security_result.rule_type |
|
reason |
security_result.description |
If the action log field value is equal to Blocked, then the reason log field is mapped to the security_result.description UDM field. |
action |
security_result.action_details |
|
|
security_result.action |
If the action log field value is equal to Allowed, then the security_result.action UDM field is set to ALLOW.Else, if the action log field value is equal to Blocked, then the security_result.action UDM field is set to BLOCK. |
urlfilterrulelabel |
security_result.rule_name |
|
b64urlfilterrulelabel |
security_result.rule_name |
|
eurlfilterrulelabel |
security_result.rule_name |
|
ourlfilterrulelabel |
security_result.detection_fields[ourlfilterrulelabel] |
|
apprulelabel |
target.security_result.rule_name |
|
b64apprulelabel |
target.security_result.rule_name |
|
oapprulelabel |
security_result.detection_fields[oapprulelabel] |
|
bamd5 |
target.file.md5 |
|
sha256 |
target.file.sha256 |
|
ssldecrypted |
security_result.detection_fields[ssldecrypted] |
|
externalspr |
security_result.about.artifact.last_https_certificate.extension.certificate_policies |
|
keyprotectiontype |
security_result.about.artifact.last_https_certificate.extension.key_usage |
|
clientsslcipher |
network.tls.client.supported_ciphers |
|
clienttlsversion |
network.tls.version |
|
clientsslsessreuse |
security_result.detection_fields[clientsslsessreuse] |
|
cltsslfailreason |
security_result.detection_fields[cltsslfailreason] |
|
cltsslfailcount |
security_result.detection_fields[cltsslfailcount] |
|
srvsslcipher |
network.tls.cipher |
|
srvtlsversion |
security_result.detection_fields[srvtlsversion] |
|
srvocspresult |
security_result.detection_fields[srvocspresult] |
|
srvcertchainvalpass |
security_result.detection_fields[srvcertchainvalpass] |
|
srvwildcardcert |
security_result.detection_fields[srvwildcardcert] |
|
serversslsessreuse |
security_result.detection_fields[server_ssl_sess_reuse] |
|
srvcertvalidationtype |
security_result.detection_fields[srvcertvalidationtype] |
|
srvcertvalidityperiod |
security_result.detection_fields[srvcertvalidityperiod] |
|
is_ssluntrustedca |
security_result.detection_fields[is_ssluntrustedca] |
|
is_sslselfsigned |
security_result.detection_fields[is_sslselfsigned] |
|
is_sslexpiredca |
security_result.detection_fields[is_sslexpiredca] |
|
pagerisk |
security_result.risk_score |
|
|
security_result.severity |
If the pagerisk log field value is greater than or equal to 90 and the pagerisk log field value is less than or equal to 100, then the security_result.severity UDM field is set to CRITICAL.If the pagerisk log field value is greater than or equal to 75 and the pagerisk log field value is less than or equal to 89, then the security_result.severity UDM field is set to HIGH.If the pagerisk log field value is greater than or equal to 46 and the pagerisk log field value is less than or equal to 74, then the security_result.severity UDM field is set to MEDIUM.If the pagerisk log field value is greater than or equal to 1 and the pagerisk log field value &is less than or equal to 45, then the security_result.severity UDM field is set to LOW.If the pagerisk log field value is equal to 0, then the security_result.severity UDM field is set to NONE. |
|
security_result.severity_details |
If the pagerisk log field value is not empty and the threatseverity log field value is not empty, then the security_result.severity_details UDM field is set to %{pagerisk} - %{threatseverity}.Else, if the threatseverity log field value is not empty, then the threatseverity log field is mapped to the security_result.severity_details UDM field. |
activity |
additional.fields[activity] |
|
is_dst_cntry_risky |
additional.fields[is_dst_cntry_risky] |
|
is_src_cntry_risky |
additional.fields[is_src_cntry_risky] |
|
prompt_req |
additional.fields[prompt_req] |
|
srcip_country |
principal.ip_geo_artifact.location.country_or_region |
|
pcapid |
security_result.about.file.full_path |
|
all_dlprulenames |
security_result.rule_labels[all_dlprulenames] |
|
other_dlprulenames |
security_result.rule_labels[other_dlprulenames] |
|
trig_dlprulename |
security_result.rule_name |
|
dstip_country |
target.ip_geo_artifact.location.country_or_region |
|
srv_dport |
target.port |
|
inst_level2_name |
target.resource_ancestors.name |
|
inst_level3_name |
target.resource_ancestors.name |
|
inst_level2_id |
target.resource_ancestors.product_object_id |
|
inst_level3_id |
target.resource_ancestors.product_object_id |
|
inst_level2_type |
target.resource_ancestors.resource_subtype |
|
inst_level3_type |
target.resource_ancestors.resource_subtype |
|
|
target.resource_ancestors.resource_type |
If the inst_level2_type log field value matches the regular expression pattern organization then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION. Else, if inst_level2_type log field value matches the regular expression pattern service then, the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE. Else, if inst_level2_type log field value matches the regular expression pattern policy then, the target.resource_ancestors.resource_type UDM field is set to ACCESS_POLICY. Else, if inst_level2_type log field value matches the regular expression pattern project then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. Else, if inst_level2_type log field value matches the regular expression pattern cluster then, the target.resource_ancestors.resource_type UDM field is set to CLUSTER. Else, if inst_level2_type log field value matches the regular expression pattern container then, the target.resource_ancestors.resource_type UDM field is set to CONTAINER. Else, if inst_level2_type log field value matches the regular expression pattern pod then, the target.resource_ancestors.resource_type UDM field is set to POD. Else, if inst_level2_type log field value matches the regular expression pattern repository then, the target.resource_ancestors.resource_type UDM field is set to REPOSITORY.If the inst_level3_type log field value matches the regular expression pattern organization then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION. Else, if inst_level3_type log field value matches the regular expression pattern service then, the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE. Else, if inst_level3_type log field value matches the regular expression pattern policy then, the target.resource_ancestors.resource_type UDM field is set to ACCESS_POLICY. Else, if inst_level3_type log field value matches the regular expression pattern project then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. Else, if inst_level3_type log field value matches the regular expression pattern cluster then, the target.resource_ancestors.resource_type UDM field is set to CLUSTER. Else, if inst_level3_type log field value matches the regular expression pattern container then, the target.resource_ancestors.resource_type UDM field is set to CONTAINER. Else, if inst_level3_type log field value matches the regular expression pattern pod then, the target.resource_ancestors.resource_type UDM field is set to POD. Else, if inst_level3_type log field value matches the regular expression pattern repository then, the target.resource_ancestors.resource_type UDM field is set to REPOSITORY. |
inst_level1_name |
target.resource.name |
|
inst_level1_id |
target.resource.product_object_id |
|
inst_level1_type |
target.resource.resource_subtype |
|
|
target.resource.resource_type |
If the inst_level1_type log field value matches the regular expression pattern organization then, the target.resource.resource_type UDM field is set to CLOUD_ORGANIZATION. Else, if inst_level1_type log field value matches the regular expression pattern service then, the target.resource.resource_type UDM field is set to BACKEND_SERVICE. Else, if inst_level1_type log field value matches the regular expression pattern policy then, the target.resource.resource_type UDM field is set to ACCESS_POLICY. Else, if inst_level1_type log field value matches the regular expression pattern project then, the target.resource.resource_type UDM field is set to CLOUD_PROJECT. Else, if inst_level1_type log field value matches the regular expression pattern cluster then, the target.resource.resource_type UDM field is set to CLUSTER. Else, if inst_level1_type log field value matches the regular expression pattern container then, the target.resource.resource_type UDM field is set to CONTAINER. Else, if inst_level1_type log field value matches the regular expression pattern pod then, the target.resource.resource_type UDM field is set to POD. Else, if inst_level1_type log field value matches the regular expression pattern repository then, the target.resource.resource_type UDM field is set to REPOSITORY. |
app_status |
target.security_result.detection_fields[app_status] |
|
threatname |
security_result.threat_name |
|
b64threatname |
security_result.threat_name |
|
threatcategory |
security_result.associations.name |
|
threatclass |
security_result.associations.description |
|
urlclass |
security_result.detection_fields[urlclass] |
|
urlsupercategory |
security_result.category_details |
|
urlcategory |
security_result.category_details |
|
b64urlcat |
security_result.category_details |
|
ourlcat |
security_result.detection_fields[ourlcat] |
|
urlcatmethod |
security_result.detection_fields[urlcatmethod] |
|
bypassed_traffic |
security_result.detection_fields[bypassed_traffic] |
|
bypassed_etime |
security_result.detection_fields[bypassed_etime] |
|
deviceappversion |
additional.fields[deviceappversion] |
|
devicehostname |
principal.asset.hostname |
|
odevicehostname |
security_result.detection_fields[odevicehostname] |
|
devicemodel |
principal.asset.hardware.model |
|
devicename |
principal.asset.asset_id |
|
odevicename |
security_result.detection_fields[odevicename] |
|
|
principal.asset.platform_software.platform |
If the deviceostype log field value matches the regular expression pattern (?i)iOS, then the principal.asset.platform_software.platform UDM field is set to IOS.Else, if the deviceostype log field value matches the regular expression pattern (?i)Android, then the principal.asset.platform_software.platform UDM field is set to ANDROID.Else, if the deviceostype log field value matches the regular expression pattern (?i)Windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the deviceostype log field value matches the regular expression pattern (?i)MAC, then the principal.asset.platform_software.platform UDM field is set to MAC.Else, if the deviceostype log field value matches the regular expression pattern (?i)Other, then the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
deviceosversion |
principal.asset.software.version |
|
deviceowner |
principal.user.userid |
|
odeviceowner |
security_result.detection_fields[odeviceowner] |
|
devicetype |
principal.asset.category |
|
external_devid |
additional.fields[external_devid] |
|
flow_type |
additional.fields[flow_type] |
|
ztunnelversion |
additional.fields[ztunnelversion] |
|
event_id |
metadata.product_log_id |
|
productversion |
metadata.product_version |
|
nsssvcip |
about.ip |
|
eedone |
additional.fields[eedone] |
還有其他問題嗎?向社群成員和 Google SecOps 專業人員尋求答案。