Zscaler DNS ログを収集する
以下でサポートされています。
Google SecOpsSIEM
このドキュメントでは、Google Security Operations フィードを設定して Zscaler DNS ログをエクスポートする方法と、ログフィールドが Google SecOps の統合データモデル(UDM)フィールドにマッピングされる方法について説明します。
詳細については、Google SecOps へのデータの取り込みの概要をご覧ください。
一般的なデプロイは、Zscaler DNS と、Google SecOps にログを送信するように構成された Google SecOps Webhook フィードで構成されます。お客様のデプロイはそれぞれ異なり、より複雑になる場合もあります。
デプロイには次のコンポーネントが含まれます。
Zscaler DNS: ログを収集するプラットフォーム。
Google SecOps フィード: Zscaler DNS からログを取得し、Google SecOps にログを書き込む Google SecOps フィード。
Google SecOps: ログを保持して分析します。
取り込みラベルによって、未加工のログデータを構造化 UDM 形式に正規化するパーサーが識別されます。 このドキュメントの情報は、取り込みラベル ZSCALER_DNS が付加されたパーサーに適用されます。
始める前に
- Zscaler Internet Access コンソールにアクセスできることを確認します。詳細については、インターネットと SaaS への安全なアクセス(ZIA)のヘルプをご覧ください。
- Zscaler DNS 2024 以降を使用していることを確認します。
- デプロイ アーキテクチャ内のすべてのシステムが、UTC タイムゾーンで構成されていることを確認します。
- Google SecOps でフィードの設定を完了するために必要な API キーがあることを確認します。詳細については、API キーの設定をご覧ください。
Google SecOps で取り込みフィードを設定して Zscaler DNS ログを取り込む
- [SIEM 設定] > [フィード] に移動します。
- [新しく追加] をクリックします。
- [フィード名] フィールドに、フィードの名前を入力します(例: Zscaler DNS ログ)。
- [ソースタイプ] として [Webhook] を選択します。
- [Log Type] として [ZScaler DNS] を選択します。
- [次へ] をクリックします。
- 省略可: 次の入力パラメータの値を入力します。
- 分割区切り文字: ログ行を区切るために使用される区切り文字。区切り文字を使用しない場合は空白のままにします。
- アセットの名前空間: アセットの名前空間。
- 取り込みラベル: このフィードのイベントに適用されるラベル。
- [次へ] をクリックします。
- 新しいフィードの設定を確認し、[送信] をクリックします。
- [秘密鍵を生成する] をクリックして、このフィードを認証するためのシークレット キーを生成します。
Zscaler DNS を設定する
- Zscaler Internet Access コンソールで、[Administration] > [Nanolog Streaming Service] > [Cloud NSS Feeds] をクリックし、[Add Cloud NSS Feed] をクリックします。
- [Add Cloud NSS Feed] ウィンドウが表示されます。[Cloud NSS フィードの追加] ウィンドウで詳細を入力します。
- [フィード名] フィールドに、フィードの名前を入力します。
- [NSS Type] で [NSS for DNS] を選択します。
- [ステータス] リストからステータスを選択して、NSS フィードを有効または無効にします。
- [SIEM Rate] プルダウンの値は [無制限] のままにします。ライセンスなどの制約により出力ストリームを抑制するには、値を変更します。
- [SIEM Type] リストで [Other] を選択します。
- [OAuth 2.0 Authentication] リストで [Disabled] を選択します。
- [最大バッチサイズ] に、SIEM のベスト プラクティスに従って個々の HTTP リクエスト ペイロードのサイズの上限を入力します。たとえば、512 KB です。
API URL に、Chronicle API エンドポイントの HTTPS URL を次の形式で入力します。
https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogsCHRONICLE_REGION: Chronicle インスタンスがホストされているリージョン。たとえば、US です。GOOGLE_PROJECT_NUMBER: BYOP プロジェクト番号。C4 から取得します。LOCATION: Chronicle リージョン。たとえば、US です。CUSTOMER_ID: Chronicle のお客様 ID。C4 から取得します。FEED_ID: 作成した新しい Webhook のフィード UI に表示されるフィード ID- API URL の例:
https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs[HTTP ヘッダーを追加] をクリックして、キーと値を含む HTTP ヘッダーを追加します。
たとえば、Header 1 : Key1: X-goog-api-key、Value1: Google Cloud BYOP の API 認証情報で生成された API キー。
[Log Types] リストで [DNS ログ] を選択します。
[フィード出力タイプ] リストで [JSON] を選択します。
[フィード エスケープ文字] を
, \ "に設定します。[フィード出力形式] に新しいフィールドを追加するには、[フィード出力タイプ] リストで [カスタム] を選択します。
フィード出力形式をコピーして貼り付け、新しいフィールドを追加します。キー名が実際のフィールド名と一致していることを確認します。
デフォルトのフィード出力形式は次のとおりです。
\{ "sourcetype" : "zscalernss-dns", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","reqaction":"%s{reqaction}","resaction":"%s{resaction}","reqrulelabel":"%s{reqrulelabel}","resrulelabel":"%s{resrulelabel}","dns_reqtype":"%s{reqtype}","dns_req":"%s{req}","dns_resp":"%s{res}","srv_dport":"%d{sport}","durationms":"%d{durationms}","clt_sip":"%s{cip}","srv_dip":"%s{sip}","category":"%s{domcat}","respipcategory":"%s{respipcat}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}[タイムゾーン] リストで、出力ファイルの [時間] フィールドのタイムゾーンを選択します。デフォルトでは、タイムゾーンは組織のタイムゾーンに設定されます。
構成された設定を確認します。
[保存] をクリックして接続をテストします。接続に成功すると、緑色のチェックマークと「Test Connectivity Successful: OK (200)」というメッセージが表示されます。
Google SecOps フィードの詳細については、Google SecOps フィードのドキュメントをご覧ください。各フィードタイプの要件については、タイプ別のフィード構成をご覧ください。
フィードの作成時に問題が発生した場合は、Google SecOps サポートにお問い合わせください。
フィールド マッピング リファレンス
フィールド マッピング リファレンス: ZSCALER_DNS
次の表に、ZSCALER_DNS ログタイプのログ フィールドと、対応する UDM フィールドを示します。
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_DNS. |
|
metadata.product_name |
The metadata.product_name UDM field is set to DNS. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Zscaler. |
|
metadata.description |
If the category log field value is not empty and the durationms log field value is not empty, then the NSSDNSLog | Duration: durationms ms | Category: category log field is mapped to the metadata.description UDM field.Else, if the category log field value is not empty, then the DNS request to \category\ log field is mapped to the metadata.description UDM field. |
recordid |
metadata.product_log_id |
|
datetime |
metadata.event_timestamp |
|
epochtime |
metadata.event_timestamp |
|
|
network.application_protocol |
The network.application_protocol UDM field is set to DNS. |
|
network.dns.response_code |
If the dns_resp log field value is equal to NOERROR, then the network.dns.response_code UDM field is set to 0.Else, if the dns_resp log field value is equal to FORMERR, then the network.dns.response_code UDM field is set to 1.Else, if the dns_resp log field value is equal to SERVFAIL, then the network.dns.response_code UDM field is set to 2.Else, if the dns_resp log field value is equal to NXDOMAIN, then the network.dns.response_code UDM field is set to 3.Else, if the dns_resp log field value is equal to NOTIMP, then the network.dns.response_code UDM field is set to 4.Else, if the dns_resp log field value is equal to REFUSED, then the network.dns.response_code UDM field is set to 5.Else, if the dns_resp log field value is equal to YXDOMAIN, then the network.dns.response_code UDM field is set to 6.Else, if the dns_resp log field value is equal to YXRRSET, then the network.dns.response_code UDM field is set to 7.Else, if the dns_resp log field value is equal to NXRRSET, then the network.dns.response_code UDM field is set to 8.Else, if the dns_resp log field value is equal to NOTAUTH, then the network.dns.response_code UDM field is set to 9.Else, if the dns_resp log field value is equal to NOTZONE, then the network.dns.response_code UDM field is set to 10. |
dns_resp |
network.dns.answers.data |
|
|
network.dns.answers.type |
If the restype log field value matches the regular expression pattern ipv4, then the network.dns.answers.type UDM field is set to 1.Else, if the restype log field value matches the regular expression pattern ipv6, then the network.dns.answers.type UDM field is set to 28. |
dns_req |
network.dns.questions.name |
|
|
network.dns.questions.type |
If the record_type log field value is equal to A, then the network.dns.questions.type UDM field is set to 1.Else, if the record_type log field value is equal to NS, then the network.dns.questions.type UDM field is set to 2.Else, if the record_type log field value is equal to MD, then the network.dns.questions.type UDM field is set to 3.Else, if the record_type log field value is equal to MF, then the network.dns.questions.type UDM field is set to 4.Else, if the record_type log field value is equal to CNAME, then the network.dns.questions.type UDM field is set to 5.Else, if the record_type log field value is equal to SOA, then the network.dns.questions.type UDM field is set to 6.Else, if the record_type log field value is equal to MB, then the network.dns.questions.type UDM field is set to 7.Else, if the record_type log field value is equal to MG, then the network.dns.questions.type UDM field is set to 8.Else, if the record_type log field value is equal to MR, then the network.dns.questions.type UDM field is set to 9.Else, if the record_type log field value is equal to NULL, then the network.dns.questions.type UDM field is set to 10.Else, if the record_type log field value is equal to WKS, then the network.dns.questions.type UDM field is set to 11.Else, if the record_type log field value is equal to PTR, then the network.dns.questions.type UDM field is set to 12.Else, if the record_type log field value is equal to HINFO, then the network.dns.questions.type UDM field is set to 13.Else, if the record_type log field value is equal to MINFO, then the network.dns.questions.type UDM field is set to 14.Else, if the record_type log field value is equal to MX, then the network.dns.questions.type UDM field is set to 15.Else, if the record_type log field value is equal to TXT, then the network.dns.questions.type UDM field is set to 16.Else, if the record_type log field value is equal to RP, then the network.dns.questions.type UDM field is set to 17.Else, if the record_type log field value is equal to AFSDB, then the network.dns.questions.type UDM field is set to 18.Else, if the record_type log field value is equal to X25, then the network.dns.questions.type UDM field is set to 19.Else, if the record_type log field value is equal to ISDN, then the network.dns.questions.type UDM field is set to 20.Else, if the record_type log field value is equal to RT, then the network.dns.questions.type UDM field is set to 21.Else, if the record_type log field value is equal to NSAP, then the network.dns.questions.type UDM field is set to 22.Else, if the record_type log field value is equal to NSAP-PTR, then the network.dns.questions.type UDM field is set to 23.Else, if the record_type log field value is equal to SIG, then the network.dns.questions.type UDM field is set to 24.Else, if the record_type log field value is equal to KEY, then the network.dns.questions.type UDM field is set to 25.Else, if the record_type log field value is equal to PX, then the network.dns.questions.type UDM field is set to 26.Else, if the record_type log field value is equal to GPOS, then the network.dns.questions.type UDM field is set to 27.Else, if the record_type log field value is equal to AAAA, then the network.dns.questions.type UDM field is set to 28.Else, if the record_type log field value is equal to LOC, then the network.dns.questions.type UDM field is set to 29.Else, if the record_type log field value is equal to NXT, then the network.dns.questions.type UDM field is set to 30.Else, if the record_type log field value is equal to EID, then the network.dns.questions.type UDM field is set to 31.Else, if the record_type log field value is equal to NIMLOC, then the network.dns.questions.type UDM field is set to 32.Else, if the record_type log field value is equal to SRV, then the network.dns.questions.type UDM field is set to 33.Else, if the record_type log field value is equal to ATMA, then the network.dns.questions.type UDM field is set to 34.Else, if the record_type log field value is equal to NAPTR, then the network.dns.questions.type UDM field is set to 35.Else, if the record_type log field value is equal to KX, then the network.dns.questions.type UDM field is set to 36.Else, if the record_type log field value is equal to CERT, then the network.dns.questions.type UDM field is set to 37.Else, if the record_type log field value is equal to A6, then the network.dns.questions.type UDM field is set to 38.Else, if the record_type log field value is equal to DNAME, then the network.dns.questions.type UDM field is set to 39.Else, if the record_type log field value is equal to SINK, then the network.dns.questions.type UDM field is set to 40.Else, if the record_type log field value is equal to OPT, then the network.dns.questions.type UDM field is set to 41.Else, if the record_type log field value is equal to APL, then the network.dns.questions.type UDM field is set to 42.Else, if the record_type log field value is equal to DS, then the network.dns.questions.type UDM field is set to 43.Else, if the record_type log field value is equal to SSHFP, then the network.dns.questions.type UDM field is set to 44.Else, if the record_type log field value is equal to IPSECKEY, then the network.dns.questions.type UDM field is set to 45.Else, if the record_type log field value is equal to RRSIG, then the network.dns.questions.type UDM field is set to 46.Else, if the record_type log field value is equal to NSEC, then the network.dns.questions.type UDM field is set to 47.Else, if the record_type log field value is equal to DNSKEY, then the network.dns.questions.type UDM field is set to 48.Else, if the record_type log field value is equal to DHCID, then the network.dns.questions.type UDM field is set to 49.Else, if the record_type log field value is equal to NSEC3, then the network.dns.questions.type UDM field is set to 50.Else, if the record_type log field value is equal to NSEC3PARAM, then the network.dns.questions.type UDM field is set to 51.Else, if the record_type log field value is equal to TLSA, then the network.dns.questions.type UDM field is set to 52.Else, if the record_type log field value is equal to SMIMEA, then the network.dns.questions.type UDM field is set to 53.Else, if the record_type log field value is equal to UNASSIGNED, then the network.dns.questions.type UDM field is set to 54.Else, if the record_type log field value is equal to HIP, then the network.dns.questions.type UDM field is set to 55.Else, if the record_type log field value is equal to NINFO, then the network.dns.questions.type UDM field is set to 56.Else, if the record_type log field value is equal to RKEY, then the network.dns.questions.type UDM field is set to 57.Else, if the record_type log field value is equal to TALINK, then the network.dns.questions.type UDM field is set to 58.Else, if the record_type log field value is equal to CDS, then the network.dns.questions.type UDM field is set to 59.Else, if the record_type log field value is equal to CDNSKEY, then the network.dns.questions.type UDM field is set to 60.Else, if the record_type log field value is equal to OPENPGPKEY, then the network.dns.questions.type UDM field is set to 61.Else, if the record_type log field value is equal to CSYNC, then the network.dns.questions.type UDM field is set to 62.Else, if the record_type log field value is equal to ZONEMD, then the network.dns.questions.type UDM field is set to 63.Else, if the record_type log field value is equal to SVCB, then the network.dns.questions.type UDM field is set to 64.Else, if the record_type log field value is equal to HTTPS, then the network.dns.questions.type UDM field is set to 65.Else, if the record_type log field value is equal to SPF, then the network.dns.questions.type UDM field is set to 99.Else, if the record_type log field value is equal to UINFO, then the network.dns.questions.type UDM field is set to 100.Else, if the record_type log field value is equal to UID, then the network.dns.questions.type UDM field is set to 101.Else, if the record_type log field value is equal to GID, then the network.dns.questions.type UDM field is set to 102.Else, if the record_type log field value is equal to UNSPEC, then the network.dns.questions.type UDM field is set to 103.Else, if the record_type log field value is equal to NID, then the network.dns.questions.type UDM field is set to 104.Else, if the record_type log field value is equal to L32, then the network.dns.questions.type UDM field is set to 105.Else, if the record_type log field value is equal to L64, then the network.dns.questions.type UDM field is set to 106.Else, if the record_type log field value is equal to LP, then the network.dns.questions.type UDM field is set to 107.Else, if the record_type log field value is equal to EUI48, then the network.dns.questions.type UDM field is set to 108.Else, if the record_type log field value is equal to EUI64, then the network.dns.questions.type UDM field is set to 109.Else, if the record_type log field value is equal to TKEY, then the network.dns.questions.type UDM field is set to 249.Else, if the record_type log field value is equal to TSIG, then the network.dns.questions.type UDM field is set to 250.Else, if the record_type log field value is equal to IXFR, then the network.dns.questions.type UDM field is set to 251.Else, if the record_type log field value is equal to AXFR, then the network.dns.questions.type UDM field is set to 252.Else, if the record_type log field value is equal to MAILB, then the network.dns.questions.type UDM field is set to 253.Else, if the record_type log field value is equal to MAILA, then the network.dns.questions.type UDM field is set to 254.Else, if the record_type log field value is equal to ALL, then the network.dns.questions.type UDM field is set to 255.Else, if the record_type log field value is equal to URI, then the network.dns.questions.type UDM field is set to 256.Else, if the record_type log field value is equal to CAA, then the network.dns.questions.type UDM field is set to 257.Else, if the record_type log field value is equal to AVC, then the network.dns.questions.type UDM field is set to 258.Else, if the record_type log field value is equal to DOA, then the network.dns.questions.type UDM field is set to 259.Else, if the record_type log field value is equal to AMTRELAY, then the network.dns.questions.type UDM field is set to 260.Else, if the record_type log field value is equal to TA, then the network.dns.questions.type UDM field is set to 32768.Else, if the record_type log field value is equal to DLV, then the network.dns.questions.type UDM field is set to 32769. |
dns_reqtype |
additional.fields [dns_reqtype] |
|
http_code |
network.http.response_code |
|
protocol |
network.ip_protocol |
If the protocol log field value contain one of the following values, then the protocol log field is mapped to the network.ip_protocol UDM field.
|
durationms |
network.session_duration.seconds |
|
devicemodel |
principal.asset.hardware.model |
|
devicename |
principal.asset.asset_id |
|
devicehostname |
principal.asset.hostname |
|
|
principal.asset.platform_software.platform |
If the deviceostype log field value matches the regular expression pattern (?i)win, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the deviceostype log field value matches the regular expression pattern (?i)lin, then the principal.asset.platform_software.platform UDM field is set to LINUX. |
deviceosversion |
principal.asset.platform_software.platform_version |
|
company |
principal.user.company_name |
|
department |
principal.user.department |
|
user |
principal.user.email_addresses |
If the user log field value matches the regular expression pattern (^.@.$) or the login log field value matches the regular expression pattern (^.@.$), then if the user log field value is not empty, then the user log field is mapped to the principal.user.email_addresses UDM field. |
login |
principal.user.email_addresses |
If the user log field value matches the regular expression pattern (^.@.$) or the login log field value matches the regular expression pattern (^.@.$), then if the user log field value is not empty, then else, the login log field is mapped to the principal.user.email_addresses UDM field. |
deviceowner |
principal.user.userid |
|
clt_sip |
principal.ip |
|
location |
principal.location.name |
|
reqrulelabel |
security_result.rule_name |
|
rule |
security_result.rule_name |
|
|
security_result.action |
If the reqaction log field value matches the regular expression pattern (?i)BLOCK, then the security_result.action UDM field is set to BLOCK.Else, if the reqaction log field value matches the regular expression pattern (?i)ALLOW, then the security_result.action UDM field is set to ALLOW. |
reqaction |
security_result.action_details |
|
|
security_result.category |
If the category log field value is not empty, then the security_result.category UDM field is set to NETWORK_CATEGORIZED_CONTENT. |
category |
security_result.category_details |
|
resrulelabel |
security_result.rule_name |
|
|
security_result.action |
If the resaction log field value matches the regular expression pattern (?i)BLOCK, then the security_result.action UDM field is set to BLOCK.Else, if the resaction log field value matches the regular expression pattern (?i)ALLOW, then the security_result.action UDM field is set to ALLOW. |
resaction |
security_result.action_details |
|
|
security_result.category |
If the respipcategory log field value is not empty, then the security_result.category UDM field is set to NETWORK_CATEGORIZED_CONTENT. |
respipcategory |
security_result.category_details |
|
ecs_slot |
security_result.rule_labels [ecs_slot] |
If the dnsgw_slot log field value is empty, then the ecs_slot log field is mapped to the security_result.rule_name UDM field. |
dnsgw_slot |
security_result.rule_name |
If the dnsgw_slot log field value is not empty, then the dnsgw_slot log field is mapped to the security_result.rule_name UDM field. |
ecs_slot |
security_result.rule_name |
If the dnsgw_slot log field value is not empty, then the ecs_slot log field is mapped to the security_result.rule_labels UDM field. |
dnsapp |
target.application |
|
srv_dip |
target.ip |
|
srv_dport |
target.port |
|
datacentercity |
target.location.city |
|
datacentercountry |
target.location.country_or_region |
|
datacenter |
target.location.name |
|
cloudname |
security_result.detection_fields [cloudname] |
|
dnsappcat |
security_result.detection_fields [dnsappcat] |
|
ecs_prefix |
security_result.detection_fields [ecs_prefix] |
|
error |
security_result.detection_fields [error] |
|
istcp |
security_result.detection_fields [istcp] |
|
ocip |
security_result.detection_fields [ocip] |
|
odevicehostname |
security_result.detection_fields [odevicehostname] |
|
odeviceowner |
security_result.detection_fields [odeviceowner] |
|
odevicename |
security_result.detection_fields [odevicename] |
|
odomcat |
security_result.detection_fields [odomcat] |
|
dnsgw_flags |
security_result.detection_fields[dnsgw_flags] |
|
dnsgw_srv_proto |
security_result.detection_fields[dnsgw_srv_proto] |
|
erulelabel |
security_result.rule_labels [erulelabel] |
|
ethreatname |
security_result.threat_name |
|
durationms |
additional.fields [durationms] |
If the durationms log field value is equal to 1, then the durationms log field is mapped to the additional.fields.durationms UDM field. |
sourcetype |
additional.fields[sourcetype] |
|
deviceappversion |
additional.fields [deviceappversion] |
|
devicetype |
additional.fields [devicetype] |
|
eedone |
additional.fields [eedone] |
|
tz |
additional.fields [tz] |
|
ss |
additional.fields [ss] |
|
mm |
additional.fields [mm] |
|
hh |
additional.fields [hh] |
|
dd |
additional.fields [dd] |
|
mth |
additional.fields [mth] |
|
yyyy |
additional.fields [yyyy] |
|
mon |
additional.fields [mon] |
|
day |
additional.fields [day] |