收集 Zscaler CASB 記錄

本文說明如何設定 Google Security Operations 資訊提供,並將記錄檔欄位對應至 Unified Data Model (UDM),藉此匯出 Zscaler CASB 記錄。

詳情請參閱「將資料擷取至 Google SecOps 總覽」。

一般部署作業包含 Zscaler CASB 和 Google SecOps Webhook 饋給,後者會設定為將記錄傳送至 Google SecOps。不過,部署詳細資料可能因客戶而異,也可能更複雜。

部署作業包含下列元件:

  • Zscaler CASB:您從中收集記錄的平台。

  • Google SecOps 資訊提供:從 Zscaler CASB 擷取記錄,並將記錄寫入 Google SecOps 的 Google SecOps 資訊提供。

  • Google SecOps:保留及分析記錄檔。

擷取標籤會識別剖析器,將原始記錄資料正規化為具結構性的 UDM 格式。本文件僅適用於與 ZSCALER_CASB 擷取標籤相關聯的剖析器。

事前準備

  • 確認您可以存取 Zscaler Internet Access 控制台。詳情請參閱「Secure Internet and SaaS Access ZIA Help」。
  • 確認您使用的是 Zscaler CASB 1.0 或 2.0 版。
  • 請確保部署架構中的所有系統都已設定為世界標準時間時區。
  • 請確認您擁有在 Google SecOps 中完成動態消息設定所需的 API 金鑰。詳情請參閱「設定 API 金鑰」。

設定動態饋給

如要設定這類記錄,請按照下列步驟操作:

  1. 依序前往「SIEM 設定」>「動態饋給」
  2. 按一下「新增動態消息」
  3. 按一下「Zscaler」動態饋給套件。
  4. 找出所需記錄類型,然後按一下「新增動態消息」

  5. 輸入下列輸入參數的值:

    • 來源類型:Webhook (建議)
    • 分割分隔符號:用於分隔記錄行的字元。如未使用分隔符號,請留空。

    進階選項

    • 動態饋給名稱:系統預先填入的值,用於識別動態饋給。
    • 資產命名空間與動態饋給相關聯的命名空間
    • 擷取標籤:套用至這個動態饋給所有事件的標籤。

  6. 按一下「建立動態饋給」

如要進一步瞭解如何為這個產品系列中的不同記錄類型設定多個動態饋給,請參閱「依產品設定動態饋給」。

設定 Zscaler CASB

  1. 在 Zscaler Internet Access 控制台中,依序點選「Administration」>「Nanolog Streaming Service」>「Cloud NSS Feeds」>「Add Cloud NSS Feed」
  2. 在「新增 Cloud NSS 動態饋給」視窗中輸入詳細資料。
  3. 在「動態饋給名稱」欄位中,輸入動態饋給的專屬名稱。
  4. 在「NSS Type」中選取「Zscaler for Web」
  5. 在「狀態」清單中選取狀態,啟用或停用 NSS 動態饋給。
  6. 除非您需要因授權或其他限制而節流輸出串流,否則請將「SIEM 速率」設為「無限制」
  7. 在「SIEM Type」(SIEM 類型) 清單中,選取「Other」(其他)
  8. 在「OAuth 2.0 Authentication」清單中,選取「Disabled」
  9. 在「Max Batch Size」(批次大小上限) 欄位中,輸入 SIEM 最佳做法的個別 HTTP 要求酬載大小上限,例如 512 KB

  10. 在「API 網址」欄位中,輸入 Chronicle API 端點的 HTTPS 網址,格式如下:

      https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
    • CHRONICLE_REGION:Google SecOps 執行個體的代管區域。例如:US
    • GOOGLE_PROJECT_NUMBER:您的 BYOP 專案編號。請從 C4 取得這項資訊。
    • LOCATION:Chronicle (Google SecOps) 區域 (與 CHRONICLE_REGION 相同),例如 US
    • CUSTOMER_ID:您的 Google SecOps 客戶 ID。從 C4 取得。
    • FEED_ID:新建立的 Webhook 動態饋給 ID (顯示在動態饋給 UI 中)。

    • API 網址範例:

      https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs

  11. 按一下「新增 HTTP 標頭」,然後新增 HTTP 標頭,格式如下:

    • Header 1Key1: X-goog-api-keyValue1:從「BYOP 的 API 憑證」產生的 API 金鑰。 Google Cloud
    • Header 2Key2: X-Webhook-Access-KeyValue2:在 Webhook 的「SECRET KEY」中產生的 API 密鑰。

  12. 在「記錄類型」清單中,選取「SaaS 安全性」或「SaaS 安全性活動」

  13. 在「動態饋給輸出類型」清單中,選取「JSON」

  14. 將「動態饋給逸出字元」設為 , \ "

  15. 在「動態饋給輸出類型」清單中選取「自訂」,即可在「動態饋給輸出格式」中新增欄位。

  16. 複製並貼上「動態饋給輸出格式」,然後視需要新增欄位。確認鍵名與實際欄位名稱相符。

  17. 以下是預設的動態饋給輸出格式

    • SaaS 安全性
    \{ "sourcetype" : "zscalernss-casb", "event" :\{"datetime":"%s{time}","recordid":"%d{recordid}","company":"%s{company}","tenant":"%s{tenant}","login":"%s{user}","dept":"%s{department}","applicationname":"%s{applicationname}","filename":"%s{filename}","filesource":"%s{filesource}","filemd5":"%s{filemd5}","threatname":"%s{threatname}","policy":"%s{policy}","dlpdictnames":"%s{dlpdictnames}","dlpdictcount":"%s{dlpdictcount}","dlpenginenames":"%s{dlpenginenames}","fullurl":"%s{fullurl}","lastmodtime":"%s{lastmodtime}","filescantimems":"%d{filescantimems}","filedownloadtimems":"%d{filedownloadtimems}"\}\}
    • 軟體即服務 (SaaS) 安全性活動
    \{ "sourcetype" : "zscalernss-casb", "event" :\{"login":"%s{username}","tenant":"%s{tenant}","object_type":"%d{objtype1}","applicationname":"%s{appname}","object_name_1":"%s{objnames1}","object_name_2":"%s{objnames2}"\}\}

  18. 從「時區」清單中,選取輸出檔案「時間」欄位的時區。根據預設,時區會設為貴機構的時區。

  19. 查看已設定的設定。

  20. 按一下「儲存」,測試連線。如果連線成功,畫面會顯示綠色勾號,以及「Test Connectivity Successful: OK (200)」(測試連線成功:OK (200)) 訊息。

如要進一步瞭解 Google SecOps 動態消息,請參閱 Google SecOps 動態消息說明文件。如要瞭解各動態饋給類型的規定,請參閱「依類型設定動態饋給」。

如果在建立動態饋給時遇到問題,請與 Google SecOps 支援團隊聯絡。

欄位對應參考資料

欄位對應參考資料:ZSCALER_CASB

下表列出 ZSCALER_CASB 記錄類型的記錄欄位,以及對應的 UDM 欄位。

Log field UDM mapping Logic
sourcetype security_result.detection_fields[sourcetype]
objnames2 about.resource.name
object_name_2 about.resource.name
objtypename2 about.resource.resource_subtype
externalownername additional.fields[externalownername]
act_cnt additional.fields[act_cnt]
attchcomponentfiletypes additional.fields[attchcomponentfiletypes]
channel_name additional.fields[channel_name]
collabscope additional.fields[collabscope]
day additional.fields[day]
dd additional.fields[dd]
dlpdictcount security_result.detection_fields[dlpdictcount] If the dlpdictcount log field value is not empty and the dlpdictcount log field value is not equal to None, then the dlpdictcount log field is mapped to the security_result.detection_fields.dlpdictcount UDM field.
dlpenginenames security_result.detection_fields[dlpenginenames] If the dlpenginenames log field value is not empty and the dlpenginenames log field value is not equal to None, then the dlpenginenames log field is mapped to the security_result.detection_fields.dlpenginenames UDM field.
epochlastmodtime additional.fields[epochlastmodtime]
extcollabnames additional.fields[extcollabnames]
extownername additional.fields[extownername]
file_msg_id additional.fields[file_msg_id]
fileid additional.fields[fileid]
filescantimems additional.fields[filescantimems]
filetypecategory additional.fields[filetypecategory]
hh additional.fields[hh]
messageid additional.fields[messageid]
mm additional.fields[mm]
mon additional.fields[mon]
msgsize additional.fields[msgsize]
mth additional.fields[mth]
num_ext_recpts additional.fields[num_ext_recpts]
num_int_recpts additional.fields[num_int_recpts]
numcollab additional.fields[numcollab]
rtime additional.fields[rtime]
ss additional.fields[ss]
suburl additional.fields[suburl]
tenant additional.fields[tenant]
tz additional.fields[tz]
upload_doctypename additional.fields[upload_doctypename]
yyyy additional.fields[yyyy]
collabnames additional.fields[collabnames]
companyid additional.fields[companyid]
component additional.fields[component]
intcollabnames additional.fields[intcollabnames] If intcollabnames log field value does not match the regular expression pattern None then, for index in intcollabnames, the index is mapped to the additional.fields.value.list_value UDM field.
internal_collabnames additional.fields[internal_collabnames]
external_collabnames additional.fields[externalcollabnames]
num_external_collab additional.fields[num_external_collab]
num_internal_collab additional.fields[num_internal_collab]
repochtime additional.fields[repochtime]
eventtime metadata.event_timestamp If the eventtime log field value is not empty, then the eventtime log field is mapped to the metadata.event_timestamp UDM field.
epochtime metadata.event_timestamp If the epochtime log field value is not empty, then the epochtime log field is mapped to the metadata.event_timestamp UDM field.
time metadata.event_timestamp If the time log field value is not empty, then the time log field is mapped to the metadata.event_timestamp UDM field.
datetime metadata.event_timestamp If the datetime log field value is not empty, then the datetime log field is mapped to the metadata.event_timestamp UDM field.
metadata.event_type The metadata.event_type UDM field is set to USER_UNCATEGORIZED.
act_type_name metadata.product_event_type
recordid metadata.product_log_id
metadata.product_name The metadata.product_name UDM field is set to CASB.
metadata.vendor_name The metadata.vendor_name UDM field is set to Zscaler.
sender network.email.from If the sender log field value matches the regular expression pattern (^.*@.*$), then the sender log field is mapped to the network.email.from UDM field.
extrecptnames network.email.to For index in extrecptnames, the index is mapped to the network.email.to UDM field.
internal_recptnames network.email.to For index in internal_recptnames, the index is mapped to the network.email.to UDM field.
external_recptnames network.email.to For index in external_recptnames, the index is mapped to the network.email.to UDM field.
intrecptnames network.email.to For index in intrecptnames, the index is mapped to the network.email.to UDM field.
applicationname principal.application If the applicationname log field value is not empty, then the applicationname log field is mapped to the principal.application UDM field.

Else, the appname log field is mapped to the principal.application UDM field.
src_ip principal.ip
fullurl principal.url If the fullurl log field is not empty and the fullurl log field value is not equal to Unknown URL, then the fullurl log field is mapped to the principal.url UDM field.
is_admin_act principal.user.attribute.labels[is_admin_act]
principal.user.attribute.roles.type If the is_admin_act log field value is equal to 1, then the principal.user.attribute.roles.type UDM field is set to ADMINISTRATOR.
company principal.user.company_name
department principal.user.department
dept principal.user.department
user principal.user.email_addresses If the user log field value matches the regular expression pattern (^.*@.*$), then the user log field is mapped to the principal.user.email_addresses UDM field.
username principal.user.email_addresses If the username log field value matches the regular expression pattern (^.*@.*$), then the username log field is mapped to the principal.user.email_addresses UDM field.
owner principal.user.email_addresses If the owner log field value matches the regular expression pattern (^.*@.*$), then the owner log field is mapped to the principal.user.email_addresses UDM field.
login principal.user.email_addresses If the login log field value matches the regular expression pattern (^.*@.*$), then the login log field is mapped to the principal.user.email_addresses UDM field.
login principal.user.userid If the login log field value does not match the regular expression pattern ^.+@.+$, then the login log field is mapped to the principal.user.userid UDM field.
malware security_result.associations.name
security_result.associations.type If the malware log field value is not empty, then the security_result.associations.type UDM field is set to MALWARE.
dlpdictnames security_result.detection_fields[dlpdictnames]
dlpidentifier security_result.detection_fields[dlpidentifier]
filedownloadtimems additional.fields[filedownloadtimems]
malwareclass security_result.detection_fields[malwareclass]
msgid security_result.detection_fields[msgid]
oattchcomponentfilenames security_result.detection_fields[oattchcomponentfilenames]
obucketname security_result.detection_fields[obucketname]
obucketowner security_result.detection_fields[obucketowner]
ochannel_name security_result.detection_fields[ochannel_name]
ocollabnames security_result.detection_fields[ocollabnames]
odlpdictnames security_result.detection_fields[odlpdictnames]
odlpenginenames security_result.detection_fields[odlpenginenames]
oextcollabnames security_result.detection_fields[oextcollabnames]
oexternal_collabnames security_result.detection_fields[oexternal_collabnames]
oexternal_recptnames security_result.detection_fields[oexternal_recptnames]
oexternalownername security_result.detection_fields[oexternalownername]
oextownername security_result.detection_fields[oextownername]
oextrecptnames security_result.detection_fields[oextrecptnames]
ofile_msg_id security_result.detection_fields[ofile_msg_id]
ofileid security_result.detection_fields[ofileid]
ofullurl security_result.detection_fields[ofullurl]
ohostname security_result.detection_fields[ohostname]
ointcollabnames security_result.detection_fields[ointcollabnames]
ointernal_collabnames security_result.detection_fields[ointernal_collabnames]
ointernal_recptnames security_result.detection_fields[ointernal_recptnames]
ointrecptnames security_result.detection_fields[ointrecptnames]
omessageid security_result.detection_fields[omessageid]
omsgid security_result.detection_fields[omsgid]
oowner security_result.detection_fields[oowner]
orulelabel security_result.detection_fields[orulelabel]
osender security_result.detection_fields[osender]
osharedchannel_hostname security_result.detection_fields[osharedchannel_hostname]
otenant security_result.detection_fields[otenant]
ouser security_result.detection_fields[ouser]
any_incident security_result.detection_fields[any_incident]
is_inbound security_result.detection_fields[is_inbound]
policy security_result.rule_labels[policy]
ruletype security_result.rule_labels[ruletype]
rulelabel security_result.rule_name
security_result.severity If the severity log field value is equal to High, then the security_result.severity UDM field is set to HIGH.

Else, if the severity log field value is equal to Medium, then the security_result.severity UDM field is set to MEDIUM.

Else, if the severity log field value is equal to Low, then the security_result.sevrity UDM field is set to LOW.

Else, if the severity log field value is equal to Information, then the security_result.severity UDM field is set to INFORMATIONAL.
threatname security_result.threat_name If the threatname log field value is not empty and the dlpdictcount log field value is not equal to None, then the threatname log field is mapped to the security_result.threat_name UDM field.
filesource target.file.full_path If the filesource log field value is not empty, then the filesource log field is mapped to the target.file.full_path UDM field.
filepath target.file.full_path If the filesource log field value is not empty, then the filesource log field is mapped to the target.file.full_path UDM field.

Else if the filepath log field value is not empty, then the filepath log field is mapped to the target.file.full_path UDM field.
lastmodtime target.file.last_modification_time If the lastmodtime log field value is not empty, then the lastmodtime log field is mapped to the target.file.last_modification_time UDM field.
file_msg_mod_time target.file.last_modification_time If the lastmodtime log field value is not empty, then the lastmodtime log field is mapped to the target.file.last_modification_time UDM field.

Else if the file_msg_mod_time log field value is not empty, then the file_msg_mod_time log field is mapped to the target.file.fullpath UDM field.
filemd5 target.file.md5 If the filemd5 log field value is not equal to None and the filemd5 log field value matches the regular expression pattern ^[a-fA-F0-9]{32}$, then the filemd5 log field is mapped to the target.file.md5 UDM field.

Else, if the attchcomponentmd5s log field value matches the regular expression pattern ^[a-fA-F0-9]{32}$, then the attchcomponentmd5s log field is mapped to the target.file.md5 UDM field.
filetypename target.file.mime_type
filename target.file.names
attchcomponentfilenames target.file.names
sha target.file.sha256
attchcomponentfilesizes target.file.size If the attchcomponentfilesizes log field value is not empty, then the attchcomponentfilesizes log field is mapped to the target.file.size UDM field.
filesize target.file.size If the attchcomponentfilesizes log field value is not empty, then the attchcomponentfilesizes log field is mapped to the target.file.size UDM field.

Else if the filesize log field value is not empty, then the filesize log field is mapped to the target.file.size UDM field.
sharedchannel_hostname target.hostname If the hostname log field value is not empty, then the hostname log field is mapped to the target.hostname UDM field.

Else if the sharedchannel_hostname log field value is not empty, then the sharedchannel_hostname log field is mapped to the target.hostname UDM field.
hostname target.hostname If the hostname log field value is not empty, then the hostname log field is mapped to the target.hostname UDM field.
datacentercity target.location.city
datacentercountry target.location.country_or_region
datacenter target.location.name
bucketowner target.resource.attribute.labels[bucketowner]
projectname target.resource.attribute.labels[projectname]
bucketname target.resource.name If the bucketname log field value is not empty, then the bucketname log field is mapped to the target.resource.name UDM field.
objnames1 target.resource.name If the objnames1 log field value is not empty, then the objnames1 log field is mapped to the target.resource.name UDM field.
objectname target.resource.name If the objectname log field value is not empty, then the objectname log field is mapped to the target.resource.name UDM field.
reponame target.resource.name If the reponame log field value is not empty, then the reponame log field is mapped to the target.resource.name UDM field.
object_name_1 target.resource.name If the object_name_1 log field value is not empty, then the object_name_1 log field is mapped to the target.resource.name UDM field.
bucketid target.resource.product_object_id
objtypename1 target.resource.resource_subtype If the objtypename1 log field value is not empty, then the objtypename1 log field is mapped to the target.resource.resource_subtype UDM field.
objecttype target.resource.resource_subtype If the objecttype log field value is not empty, then the objecttype log field is mapped to the target.resource.resource_subtype UDM field.
object_type target.resource.resource_subtype
target.resource.resource_type If the bucketname log field value is not empty, then the target.resource.resource_type UDM field is set to STORAGE_BUCKET.

If the reponame log field value is not empty, then the target.resource.resource_type UDM field is set to REPOSITORY.

後續步驟

還有其他問題嗎?向社群成員和 Google SecOps 專業人員尋求答案。