Zscaler DNS 로그 수집

다음에서 지원:

이 문서에서는 Google Security Operations 피드를 설정하여 Zscaler DNS 로그를 내보내는 방법과 로그 필드가 Google SecOps 통합 데이터 모델 (UDM) 필드에 매핑되는 방식을 설명합니다.

자세한 내용은 Google SecOps에 데이터 수집 개요를 참고하세요.

일반적인 배포는 Zscaler DNS 및 Google SecOps에 로그를 전송하도록 구성된 Google SecOps Webhook 피드로 구성됩니다. 고객 배포마다 다를 수 있으며 더 복잡할 수도 있습니다.

배포에는 다음 구성요소가 포함됩니다.

  • Zscaler DNS: 로그를 수집하는 플랫폼입니다.

  • Google SecOps 피드: Zscaler DNS에서 로그를 가져오고 로그를 Google SecOps에 작성하는 Google SecOps 피드입니다.

  • Google SecOps: 로그를 보관하고 분석합니다.

수집 라벨은 원시 로그 데이터를 구조화된 UDM 형식으로 정규화하는 파서를 식별합니다. 이 문서의 정보는 ZSCALER_DNS 수집 라벨이 있는 파서에 적용됩니다.

시작하기 전에

  • Zscaler Internet Access 콘솔에 액세스할 수 있는지 확인합니다. 자세한 내용은 보안 인터넷 및 SaaS 액세스 ZIA 도움말을 참고하세요.
  • Zscaler DNS 2024 이상을 사용하고 있는지 확인합니다.
  • 배포 아키텍처의 모든 시스템이 UTC 시간대로 구성되었는지 확인합니다.
  • Google SecOps에서 피드 설정을 완료하는 데 필요한 API 키가 있는지 확인합니다. 자세한 내용은 API 키 설정을 참고하세요.

Zscaler DNS 로그를 수집하도록 Google SecOps에서 수집 피드 설정

  1. SIEM 설정 > 피드로 이동합니다.
  2. 새로 추가를 클릭합니다.
  3. 피드 이름 필드에 피드 이름을 입력합니다 (예: Zscaler DNS 로그).
  4. 소스 유형으로 Webhook을 선택합니다.
  5. 로그 유형으로 ZScaler DNS를 선택합니다.
  6. 다음을 클릭합니다.
  7. 선택사항: 다음 입력 파라미터의 값을 입력합니다.
    1. 분할 구분 기호: 로그 줄을 구분하는 데 사용되는 구분 기호입니다. 구분자가 사용되지 않는 경우 비워 둡니다.
    2. 애셋 네임스페이스: 애셋 네임스페이스입니다.
    3. 수집 라벨: 이 피드의 이벤트에 적용할 라벨입니다.
  8. 다음을 클릭합니다.
  9. 새 피드 구성을 검토한 다음 제출을 클릭합니다.
  10. 보안 비밀 키 생성을 클릭하여 이 피드를 인증하기 위한 보안 비밀 키를 생성합니다.

Zscaler DNS 설정

  1. Zscaler 인터넷 액세스 콘솔에서 관리 > Nanolog 스트리밍 서비스 > Cloud NSS 피드를 클릭한 다음 Cloud NSS 피드 추가를 클릭합니다.
  2. Add Cloud NSS Feed(Cloud NSS 피드 추가) 창이 표시됩니다. Cloud NSS 피드 추가 창에 세부정보를 입력합니다.
  3. 피드 이름 필드에 피드 이름을 입력합니다.
  4. NSS 유형에서 DNS용 NSS를 선택합니다.
  5. 상태 목록에서 상태를 선택하여 NSS 피드를 활성화 또는 비활성화합니다.
  6. SIEM 요금 드롭다운의 값을 무제한으로 유지합니다. 라이선스 또는 기타 제약 조건으로 인해 출력 스트림을 억제하려면 값을 변경합니다.
  7. SIEM 유형 목록에서 기타를 선택합니다.
  8. OAuth 2.0 인증 목록에서 사용 중지됨을 선택합니다.
  9. 최대 일괄 크기에 SIEM 권장사항에 따라 개별 HTTP 요청 페이로드의 크기 제한을 입력합니다. 예: 512KB

  10. API URL에 Chronicle API 엔드포인트의 HTTPS URL을 다음 형식으로 입력합니다.

      https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
    • CHRONICLE_REGION: Chronicle 인스턴스가 호스팅되는 리전입니다. 예를 들어 미국은 US입니다.
    • GOOGLE_PROJECT_NUMBER: BYOP 프로젝트 번호입니다. C4에서 가져옵니다.
    • LOCATION: Chronicle 리전입니다. 예를 들어 미국은 US입니다.
    • CUSTOMER_ID: Chronicle 고객 ID입니다. C4에서 가져옵니다.
    • FEED_ID: 생성된 새 webhook의 피드 UI에 표시되는 피드 ID입니다.
    • 샘플 API URL:
    https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs

  11. HTTP 헤더 추가를 클릭하여 키와 값이 있는 HTTP 헤더를 추가합니다.

    예를 들어 헤더 1 : Key1: X-goog-api-key 및 Value1: Google Cloud BYOP의 API 사용자 인증 정보에서 생성된 API 키입니다.

  12. 로그 유형 목록에서 DNS 로그를 선택합니다.

  13. 피드 출력 유형 목록에서 JSON을 선택합니다.

  14. 피드 이스케이프 문자, \ "로 설정합니다.

  15. 피드 출력 형식에 새 필드를 추가하려면 피드 출력 유형 목록에서 맞춤을 선택합니다.

  16. 피드 출력 형식을 복사하여 붙여넣고 새 필드를 추가합니다. 키 이름이 실제 필드 이름과 일치하는지 확인합니다.

  17. 다음은 기본 피드 출력 형식입니다.

      \{ "sourcetype" : "zscalernss-dns", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","reqaction":"%s{reqaction}","resaction":"%s{resaction}","reqrulelabel":"%s{reqrulelabel}","resrulelabel":"%s{resrulelabel}","dns_reqtype":"%s{reqtype}","dns_req":"%s{req}","dns_resp":"%s{res}","srv_dport":"%d{sport}","durationms":"%d{durationms}","clt_sip":"%s{cip}","srv_dip":"%s{sip}","category":"%s{domcat}","respipcategory":"%s{respipcat}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}

  18. 시간대 목록에서 출력 파일의 시간 필드에 사용할 시간대를 선택합니다. 기본적으로 시간대는 조직의 시간대로 설정됩니다.

  19. 구성된 설정을 검토합니다.

  20. 저장을 클릭하여 연결을 테스트합니다. 연결에 성공하면 Test Connectivity Successful: OK (200)(연결 테스트 완료: OK(200))라는 메시지와 함께 녹색 체크표시가 표시됩니다.

Google SecOps 피드에 대한 자세한 내용은 Google SecOps 피드 문서를 참고하세요. 각 피드 유형의 요구사항은 유형별 피드 구성을 참조하세요.

피드를 만들 때 문제가 발생하면 Google SecOps 지원팀에 문의하세요.

필드 매핑 참조

필드 매핑 참조: ZSCALER_DNS

다음 표에는 ZSCALER_DNS 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_DNS.
metadata.product_name The metadata.product_name UDM field is set to DNS.
metadata.vendor_name The metadata.vendor_name UDM field is set to Zscaler.
metadata.description If the category log field value is not empty and the durationms log field value is not empty, then the NSSDNSLog | Duration: durationms ms | Category: category log field is mapped to the metadata.description UDM field.

Else, if the category log field value is not empty, then the DNS request to \category\ log field is mapped to the metadata.description UDM field.
recordid metadata.product_log_id
datetime metadata.event_timestamp
epochtime metadata.event_timestamp
network.application_protocol The network.application_protocol UDM field is set to DNS.
network.dns.response_code If the dns_resp log field value is equal to NOERROR, then the network.dns.response_code UDM field is set to 0.

Else, if the dns_resp log field value is equal to FORMERR, then the network.dns.response_code UDM field is set to 1.

Else, if the dns_resp log field value is equal to SERVFAIL, then the network.dns.response_code UDM field is set to 2.

Else, if the dns_resp log field value is equal to NXDOMAIN, then the network.dns.response_code UDM field is set to 3.

Else, if the dns_resp log field value is equal to NOTIMP, then the network.dns.response_code UDM field is set to 4.

Else, if the dns_resp log field value is equal to REFUSED, then the network.dns.response_code UDM field is set to 5.

Else, if the dns_resp log field value is equal to YXDOMAIN, then the network.dns.response_code UDM field is set to 6.

Else, if the dns_resp log field value is equal to YXRRSET, then the network.dns.response_code UDM field is set to 7.

Else, if the dns_resp log field value is equal to NXRRSET, then the network.dns.response_code UDM field is set to 8.

Else, if the dns_resp log field value is equal to NOTAUTH, then the network.dns.response_code UDM field is set to 9.

Else, if the dns_resp log field value is equal to NOTZONE, then the network.dns.response_code UDM field is set to 10.
dns_resp network.dns.answers.data
network.dns.answers.type If the restype log field value matches the regular expression pattern ipv4, then the network.dns.answers.type UDM field is set to 1.

Else, if the restype log field value matches the regular expression pattern ipv6, then the network.dns.answers.type UDM field is set to 28.
dns_req network.dns.questions.name
network.dns.questions.type If the record_type log field value is equal to A, then the network.dns.questions.type UDM field is set to 1.

Else, if the record_type log field value is equal to NS, then the network.dns.questions.type UDM field is set to 2.

Else, if the record_type log field value is equal to MD, then the network.dns.questions.type UDM field is set to 3.

Else, if the record_type log field value is equal to MF, then the network.dns.questions.type UDM field is set to 4.

Else, if the record_type log field value is equal to CNAME, then the network.dns.questions.type UDM field is set to 5.

Else, if the record_type log field value is equal to SOA, then the network.dns.questions.type UDM field is set to 6.

Else, if the record_type log field value is equal to MB, then the network.dns.questions.type UDM field is set to 7.

Else, if the record_type log field value is equal to MG, then the network.dns.questions.type UDM field is set to 8.

Else, if the record_type log field value is equal to MR, then the network.dns.questions.type UDM field is set to 9.

Else, if the record_type log field value is equal to NULL, then the network.dns.questions.type UDM field is set to 10.

Else, if the record_type log field value is equal to WKS, then the network.dns.questions.type UDM field is set to 11.

Else, if the record_type log field value is equal to PTR, then the network.dns.questions.type UDM field is set to 12.

Else, if the record_type log field value is equal to HINFO, then the network.dns.questions.type UDM field is set to 13.

Else, if the record_type log field value is equal to MINFO, then the network.dns.questions.type UDM field is set to 14.

Else, if the record_type log field value is equal to MX, then the network.dns.questions.type UDM field is set to 15.

Else, if the record_type log field value is equal to TXT, then the network.dns.questions.type UDM field is set to 16.

Else, if the record_type log field value is equal to RP, then the network.dns.questions.type UDM field is set to 17.

Else, if the record_type log field value is equal to AFSDB, then the network.dns.questions.type UDM field is set to 18.

Else, if the record_type log field value is equal to X25, then the network.dns.questions.type UDM field is set to 19.

Else, if the record_type log field value is equal to ISDN, then the network.dns.questions.type UDM field is set to 20.

Else, if the record_type log field value is equal to RT, then the network.dns.questions.type UDM field is set to 21.

Else, if the record_type log field value is equal to NSAP, then the network.dns.questions.type UDM field is set to 22.

Else, if the record_type log field value is equal to NSAP-PTR, then the network.dns.questions.type UDM field is set to 23.

Else, if the record_type log field value is equal to SIG, then the network.dns.questions.type UDM field is set to 24.

Else, if the record_type log field value is equal to KEY, then the network.dns.questions.type UDM field is set to 25.

Else, if the record_type log field value is equal to PX, then the network.dns.questions.type UDM field is set to 26.

Else, if the record_type log field value is equal to GPOS, then the network.dns.questions.type UDM field is set to 27.

Else, if the record_type log field value is equal to AAAA, then the network.dns.questions.type UDM field is set to 28.

Else, if the record_type log field value is equal to LOC, then the network.dns.questions.type UDM field is set to 29.

Else, if the record_type log field value is equal to NXT, then the network.dns.questions.type UDM field is set to 30.

Else, if the record_type log field value is equal to EID, then the network.dns.questions.type UDM field is set to 31.

Else, if the record_type log field value is equal to NIMLOC, then the network.dns.questions.type UDM field is set to 32.

Else, if the record_type log field value is equal to SRV, then the network.dns.questions.type UDM field is set to 33.

Else, if the record_type log field value is equal to ATMA, then the network.dns.questions.type UDM field is set to 34.

Else, if the record_type log field value is equal to NAPTR, then the network.dns.questions.type UDM field is set to 35.

Else, if the record_type log field value is equal to KX, then the network.dns.questions.type UDM field is set to 36.

Else, if the record_type log field value is equal to CERT, then the network.dns.questions.type UDM field is set to 37.

Else, if the record_type log field value is equal to A6, then the network.dns.questions.type UDM field is set to 38.

Else, if the record_type log field value is equal to DNAME, then the network.dns.questions.type UDM field is set to 39.

Else, if the record_type log field value is equal to SINK, then the network.dns.questions.type UDM field is set to 40.

Else, if the record_type log field value is equal to OPT, then the network.dns.questions.type UDM field is set to 41.

Else, if the record_type log field value is equal to APL, then the network.dns.questions.type UDM field is set to 42.

Else, if the record_type log field value is equal to DS, then the network.dns.questions.type UDM field is set to 43.

Else, if the record_type log field value is equal to SSHFP, then the network.dns.questions.type UDM field is set to 44.

Else, if the record_type log field value is equal to IPSECKEY, then the network.dns.questions.type UDM field is set to 45.

Else, if the record_type log field value is equal to RRSIG, then the network.dns.questions.type UDM field is set to 46.

Else, if the record_type log field value is equal to NSEC, then the network.dns.questions.type UDM field is set to 47.

Else, if the record_type log field value is equal to DNSKEY, then the network.dns.questions.type UDM field is set to 48.

Else, if the record_type log field value is equal to DHCID, then the network.dns.questions.type UDM field is set to 49.

Else, if the record_type log field value is equal to NSEC3, then the network.dns.questions.type UDM field is set to 50.

Else, if the record_type log field value is equal to NSEC3PARAM, then the network.dns.questions.type UDM field is set to 51.

Else, if the record_type log field value is equal to TLSA, then the network.dns.questions.type UDM field is set to 52.

Else, if the record_type log field value is equal to SMIMEA, then the network.dns.questions.type UDM field is set to 53.

Else, if the record_type log field value is equal to UNASSIGNED, then the network.dns.questions.type UDM field is set to 54.

Else, if the record_type log field value is equal to HIP, then the network.dns.questions.type UDM field is set to 55.

Else, if the record_type log field value is equal to NINFO, then the network.dns.questions.type UDM field is set to 56.

Else, if the record_type log field value is equal to RKEY, then the network.dns.questions.type UDM field is set to 57.

Else, if the record_type log field value is equal to TALINK, then the network.dns.questions.type UDM field is set to 58.

Else, if the record_type log field value is equal to CDS, then the network.dns.questions.type UDM field is set to 59.

Else, if the record_type log field value is equal to CDNSKEY, then the network.dns.questions.type UDM field is set to 60.

Else, if the record_type log field value is equal to OPENPGPKEY, then the network.dns.questions.type UDM field is set to 61.

Else, if the record_type log field value is equal to CSYNC, then the network.dns.questions.type UDM field is set to 62.

Else, if the record_type log field value is equal to ZONEMD, then the network.dns.questions.type UDM field is set to 63.

Else, if the record_type log field value is equal to SVCB, then the network.dns.questions.type UDM field is set to 64.

Else, if the record_type log field value is equal to HTTPS, then the network.dns.questions.type UDM field is set to 65.

Else, if the record_type log field value is equal to SPF, then the network.dns.questions.type UDM field is set to 99.

Else, if the record_type log field value is equal to UINFO, then the network.dns.questions.type UDM field is set to 100.

Else, if the record_type log field value is equal to UID, then the network.dns.questions.type UDM field is set to 101.

Else, if the record_type log field value is equal to GID, then the network.dns.questions.type UDM field is set to 102.

Else, if the record_type log field value is equal to UNSPEC, then the network.dns.questions.type UDM field is set to 103.

Else, if the record_type log field value is equal to NID, then the network.dns.questions.type UDM field is set to 104.

Else, if the record_type log field value is equal to L32, then the network.dns.questions.type UDM field is set to 105.

Else, if the record_type log field value is equal to L64, then the network.dns.questions.type UDM field is set to 106.

Else, if the record_type log field value is equal to LP, then the network.dns.questions.type UDM field is set to 107.

Else, if the record_type log field value is equal to EUI48, then the network.dns.questions.type UDM field is set to 108.

Else, if the record_type log field value is equal to EUI64, then the network.dns.questions.type UDM field is set to 109.

Else, if the record_type log field value is equal to TKEY, then the network.dns.questions.type UDM field is set to 249.

Else, if the record_type log field value is equal to TSIG, then the network.dns.questions.type UDM field is set to 250.

Else, if the record_type log field value is equal to IXFR, then the network.dns.questions.type UDM field is set to 251.

Else, if the record_type log field value is equal to AXFR, then the network.dns.questions.type UDM field is set to 252.

Else, if the record_type log field value is equal to MAILB, then the network.dns.questions.type UDM field is set to 253.

Else, if the record_type log field value is equal to MAILA, then the network.dns.questions.type UDM field is set to 254.

Else, if the record_type log field value is equal to ALL, then the network.dns.questions.type UDM field is set to 255.

Else, if the record_type log field value is equal to URI, then the network.dns.questions.type UDM field is set to 256.

Else, if the record_type log field value is equal to CAA, then the network.dns.questions.type UDM field is set to 257.

Else, if the record_type log field value is equal to AVC, then the network.dns.questions.type UDM field is set to 258.

Else, if the record_type log field value is equal to DOA, then the network.dns.questions.type UDM field is set to 259.

Else, if the record_type log field value is equal to AMTRELAY, then the network.dns.questions.type UDM field is set to 260.

Else, if the record_type log field value is equal to TA, then the network.dns.questions.type UDM field is set to 32768.

Else, if the record_type log field value is equal to DLV, then the network.dns.questions.type UDM field is set to 32769.
dns_reqtype additional.fields [dns_reqtype]
http_code network.http.response_code
protocol network.ip_protocol If the protocol log field value contain one of the following values, then the protocol log field is mapped to the network.ip_protocol UDM field.
  • TCP
  • EIGRP
  • ESP
  • ETHERIP
  • GRE
  • ICMP
  • IGMP
  • IP6IN4
  • PIM
  • UDP
  • VRRP
.
durationms network.session_duration.seconds
devicemodel principal.asset.hardware.model
devicename principal.asset.asset_id
devicehostname principal.asset.hostname
principal.asset.platform_software.platform If the deviceostype log field value matches the regular expression pattern (?i)win, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the deviceostype log field value matches the regular expression pattern (?i)lin, then the principal.asset.platform_software.platform UDM field is set to LINUX.
deviceosversion principal.asset.platform_software.platform_version
company principal.user.company_name
department principal.user.department
user principal.user.email_addresses If the user log field value matches the regular expression pattern (^.@.$) or the login log field value matches the regular expression pattern (^.@.$), then if the user log field value is not empty, then the user log field is mapped to the principal.user.email_addresses UDM field.
login principal.user.email_addresses If the user log field value matches the regular expression pattern (^.@.$) or the login log field value matches the regular expression pattern (^.@.$), then if the user log field value is not empty, then else, the login log field is mapped to the principal.user.email_addresses UDM field.
deviceowner principal.user.userid
clt_sip principal.ip
location principal.location.name
reqrulelabel security_result.rule_name
rule security_result.rule_name
security_result.action If the reqaction log field value matches the regular expression pattern (?i)BLOCK, then the security_result.action UDM field is set to BLOCK.

Else, if the reqaction log field value matches the regular expression pattern (?i)ALLOW, then the security_result.action UDM field is set to ALLOW.
reqaction security_result.action_details
security_result.category If the category log field value is not empty, then the security_result.category UDM field is set to NETWORK_CATEGORIZED_CONTENT.
category security_result.category_details
resrulelabel security_result.rule_name
security_result.action If the resaction log field value matches the regular expression pattern (?i)BLOCK, then the security_result.action UDM field is set to BLOCK.

Else, if the resaction log field value matches the regular expression pattern (?i)ALLOW, then the security_result.action UDM field is set to ALLOW.
resaction security_result.action_details
security_result.category If the respipcategory log field value is not empty, then the security_result.category UDM field is set to NETWORK_CATEGORIZED_CONTENT.
respipcategory security_result.category_details
ecs_slot security_result.rule_labels [ecs_slot] If the dnsgw_slot log field value is empty, then the ecs_slot log field is mapped to the security_result.rule_name UDM field.
dnsgw_slot security_result.rule_name If the dnsgw_slot log field value is not empty, then the dnsgw_slot log field is mapped to the security_result.rule_name UDM field.
ecs_slot security_result.rule_name If the dnsgw_slot log field value is not empty, then the ecs_slot log field is mapped to the security_result.rule_labels UDM field.
dnsapp target.application
srv_dip target.ip
srv_dport target.port
datacentercity target.location.city
datacentercountry target.location.country_or_region
datacenter target.location.name
cloudname security_result.detection_fields [cloudname]
dnsappcat security_result.detection_fields [dnsappcat]
ecs_prefix security_result.detection_fields [ecs_prefix]
error security_result.detection_fields [error]
istcp security_result.detection_fields [istcp]
ocip security_result.detection_fields [ocip]
odevicehostname security_result.detection_fields [odevicehostname]
odeviceowner security_result.detection_fields [odeviceowner]
odevicename security_result.detection_fields [odevicename]
odomcat security_result.detection_fields [odomcat]
dnsgw_flags security_result.detection_fields[dnsgw_flags]
dnsgw_srv_proto security_result.detection_fields[dnsgw_srv_proto]
erulelabel security_result.rule_labels [erulelabel]
ethreatname security_result.threat_name
durationms additional.fields [durationms] If the durationms log field value is equal to 1, then the durationms log field is mapped to the additional.fields.durationms UDM field.
sourcetype additional.fields[sourcetype]
deviceappversion additional.fields [deviceappversion]
devicetype additional.fields [devicetype]
eedone additional.fields [eedone]
tz additional.fields [tz]
ss additional.fields [ss]
mm additional.fields [mm]
hh additional.fields [hh]
dd additional.fields [dd]
mth additional.fields [mth]
yyyy additional.fields [yyyy]
mon additional.fields [mon]
day additional.fields [day]