Mengumpulkan log Firewall Zscaler

Didukung di:

Dokumen ini menjelaskan cara mengekspor log Firewall Zscaler dengan menyiapkan feed Google Security Operations dan cara kolom log dipetakan ke kolom Unified Data Model (UDM) Google SecOps.

Untuk mengetahui informasi selengkapnya, lihat Ringkasan penyerapan data ke Google SecOps.

Deployment standar terdiri dari Firewall Zscaler dan feed Webhook Google SecOps yang dikonfigurasi untuk mengirim log ke Google SecOps. Setiap deployment pelanggan dapat berbeda dan mungkin lebih kompleks.

Deployment berisi komponen berikut:

  • Firewall Zscaler: Platform tempat Anda mengumpulkan log.

  • Feed Google SecOps: Feed Google SecOps yang mengambil log dari Zscaler Firewall dan menulis log ke Google SecOps.

  • Google SecOps: Mempertahankan dan menganalisis log.

Label penyerapan mengidentifikasi parser yang menormalisasi data log mentah ke format UDM terstruktur. Informasi dalam dokumen ini berlaku untuk parser dengan label transfer ZSCALER_FIREWALL.

Sebelum memulai

  • Pastikan Anda memiliki akses ke konsol Akses Internet Zscaler. Untuk informasi selengkapnya, lihat Bantuan ZIA Akses Internet dan SaaS yang Aman.
  • Pastikan Anda menggunakan Zscaler Firewall 2024 atau yang lebih baru.
  • Pastikan semua sistem dalam arsitektur deployment dikonfigurasi dengan zona waktu UTC.
  • Pastikan Anda memiliki kunci API yang diperlukan untuk menyelesaikan penyiapan feed di Google SecOps. Untuk mengetahui informasi selengkapnya, lihat Menyiapkan kunci API.

Menyiapkan feed transfer di Google SecOps untuk menyerap log Firewall Zscaler

  1. Buka SIEM Settings > Feeds.
  2. Klik Tambahkan baru.
  3. Di kolom Feed name, masukkan nama untuk feed (misalnya, Zscaler Firewall Logs).
  4. Pilih Webhook sebagai Jenis Sumber.
  5. Pilih ZScaler NGFW sebagai Jenis Log.
  6. Klik Berikutnya.
  7. Opsional: Masukkan nilai untuk parameter input berikut:
    1. Pemisah pemisahan: pemisah yang digunakan untuk memisahkan baris log. Biarkan kosong jika pembatas tidak digunakan.
    2. Namespace aset: namespace aset.
    3. Label penyerapan: label yang akan diterapkan ke peristiwa dari feed ini.
  8. Klik Berikutnya.
  9. Tinjau konfigurasi feed baru Anda, lalu klik Kirim.
  10. Klik Buat Kunci Rahasia untuk membuat kunci rahasia guna mengautentikasi feed ini.

Menyiapkan Firewall Zscaler

  1. Di konsol Zscaler Internet Access, klik Administration > Nanolog Streaming Service > Cloud NSS Feeds, lalu klik Add Cloud NSS Feed.
  2. Jendela Add Cloud NSS Feed akan muncul. Di jendela Tambahkan Feed NSS Cloud, masukkan detailnya.
  3. Masukkan nama untuk feed di kolom Feed Name.
  4. Pilih NSS for Firewall di NSS Type.
  5. Pilih status dari daftar Status untuk mengaktifkan atau menonaktifkan feed NSS.
  6. Tetapkan nilai di drop-down SIEM Rate sebagai Unlimited. Untuk menyembunyikan aliran output karena pemberian lisensi atau batasan lainnya, ubah nilainya.
  7. Pilih Lainnya di daftar Jenis SIEM.
  8. Pilih Nonaktif di daftar Autentikasi OAuth 2.0.
  9. Masukkan batas ukuran untuk setiap payload permintaan HTTP ke praktik terbaik SIEM di Max Batch Size. Misalnya, 512 KB.

  10. Masukkan URL HTTPS endpoint Chronicle API di URL API dalam format berikut:

      https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
    • CHRONICLE_REGION: Region tempat instance Chronicle Anda dihosting. Misalnya, US.
    • GOOGLE_PROJECT_NUMBER: Nomor project BYOP. Dapatkan ini dari C4.
    • LOCATION: Region Chronicle. Misalnya, AS.
    • CUSTOMER_ID: ID pelanggan Chronicle. Dapatkan dari C4.
    • FEED_ID: ID feed yang ditampilkan di UI Feed pada webhook baru yang dibuat
    • Contoh URL API:
    https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs

  11. Klik Tambahkan Header HTTP untuk menambahkan header HTTP lainnya dengan kunci dan nilai.

    Misalnya, Header 1: Key1: X-goog-api-key dan Value1: Kunci API yang dibuat di Google Cloud Kredensial API BYOP.

  12. Pilih Firewall Logs di daftar Log Types.

  13. Pilih JSON di daftar Jenis Output Feed.

  14. Tetapkan Feed Escape Character ke , \ ".

  15. Untuk menambahkan kolom baru ke Format Output Feed,pilih Kustom di daftar Jenis Output Feed.

  16. Salin-tempel Format Output Feed dan tambahkan kolom baru. Pastikan nama kunci cocok dengan nama kolom yang sebenarnya.

  17. Berikut adalah Format Output Feed default:

      \{ "sourcetype" : "zscalernss-fw", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","locationname":"%s{elocation}","cdport":"%d{cdport}","csport":"%d{csport}","sdport":"%d{sdport}","ssport":"%d{ssport}","csip":"%s{csip}","cdip":"%s{cdip}","ssip":"%s{ssip}","sdip":"%s{sdip}","tsip":"%s{tsip}","tunsport":"%d{tsport}","tuntype":"%s{ttype}","action":"%s{action}","dnat":"%s{dnat}","stateful":"%s{stateful}","aggregate":"%s{aggregate}","nwsvc":"%s{nwsvc}","nwapp":"%s{nwapp}","proto":"%s{ipproto}","ipcat":"%s{ipcat}","destcountry":"%s{destcountry}","avgduration":"%d{avgduration}","rulelabel":"%s{erulelabel}","inbytes":"%ld{inbytes}","outbytes":"%ld{outbytes}","duration":"%d{duration}","durationms":"%d{durationms}","numsessions":"%d{numsessions}","ipsrulelabel":"%s{ipsrulelabel}","threatcat":"%s{threatcat}","threatname":"%s{ethreatname}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}

  18. Pilih zona waktu untuk kolom Time dalam file output di daftar Timezone. Secara default, zona waktu ditetapkan ke zona waktu organisasi Anda.

  19. Tinjau setelan yang dikonfigurasi.

  20. Klik Simpan untuk menguji konektivitas. Jika koneksi berhasil, tanda centang hijau yang disertai pesan Uji Konektivitas Berhasil: OK (200) akan muncul.

Untuk informasi selengkapnya tentang feed Google SecOps, lihat dokumentasi feed Google SecOps. Untuk mengetahui informasi tentang persyaratan untuk setiap jenis feed, lihat Konfigurasi feed menurut jenis.

Jika Anda mengalami masalah saat membuat feed, hubungi dukungan Google SecOps.

Referensi pemetaan kolom

Tabel berikut mencantumkan kolom log dari jenis log ZSCALER_FIREWALL dan kolom UDM yang sesuai.

Log field UDM mapping Logic
fwd_gw_name intermediary.resource.name
intermediary.resource.resource_type If the fwd_gw_name log field value is not empty or the ofwd_gw_name log field value is not empty, then the intermediary.resource.resource_type UDM field is set to GATEWAY.
ofwd_gw_name intermediary.security_result.detection_fields[ofwd_gw_name]
ordr_rulename intermediary.security_result.detection_fields[ordr_rulename]
orulelabel intermediary.security_result.detection_fields[orulelabel]
rdr_rulename intermediary.security_result.rule_name
rulelabel intermediary.security_result.rule_name
erulelabel intermediary.security_result.rule_name
bypass_etime metadata.collected_timestamp
datetime metadata.event_timestamp
epochtime metadata.event_timestamp
metadata.event_type If the sdport log field value is equal to 80 or the sdport log field value is equal to 443 and the csip log field value is not empty or the tsip log field value is not empty or the ssip log field value is not empty and the cdip log field value is not empty or the sdip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_HTTP.

Else, if the csip log field value is not empty or the tsip log field value is not empty or the ssip log field value is not empty and the cdip log field value is not empty or the sdip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.

Else, if the csip log field value is not empty or the tsip log field value is not empty or the ssip log field value is not empty, then the metadata.event_type UDM field is set to STATUS_UPDATE.

Else, the metadata.event_type UDM field is set to GENERIC_EVENT.
recordid metadata.product_log_id
metadata.product_name The metadata.product_name UDM field is set to Firewall.
metadata.vendor_name The metadata.vendor_name UDM field is set to Zscaler.
proto network.ip_protocol If the proto log field value contain one of the following values, then the proto log field is mapped to the network.ip_protocol UDM field.
  • TCP
  • UDP
  • ICMP
  • GRE
  • IP6IN4
  • IGMP
inbytes network.received_bytes
outbytes network.sent_bytes
avgduration network.session_duration.nanos If the durationms log field value is empty and the avgduration log field value is not empty, then the avgduration log field is mapped to the network.session_duration.nanos UDM field.
durationms network.session_duration.nanos If the durationms log field value is not empty, then the durationms log field is mapped to the network.session_duration.nanos UDM field.
duration network.session_duration.seconds
principal.asset.asset_id If the devicename log field value is not empty, then the Zscaler:devicename log field is mapped to the principal.asset.asset_id UDM field.
devicemodel principal.asset.hardware.model
devicehostname principal.asset.hostname If the devicehostname log field value is not empty, then the devicehostname log field is mapped to the principal.asset.hostname UDM field.
principal.asset.platform_software.platform If the deviceostype log field value matches the regular expression pattern (?i)iOS, then the principal.asset.platform_software.platform UDM field is set to IOS.

Else, if the deviceostype log field value matches the regular expression pattern (?i)Android, then the principal.asset.platform_software.platform UDM field is set to ANDROID.

Else, if the deviceostype log field value matches the regular expression pattern (?i)Windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the deviceostype log field value matches the regular expression pattern (?i)MAC, then the principal.asset.platform_software.platform UDM field is set to MAC.

Else, if the deviceostype log field value matches the regular expression pattern (?i)Other, then the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM.
deviceosversion principal.asset.platform_software.platform_version
external_deviceid principal.asset.product_object_id
csip principal.ip
tsip principal.ip
srcip_country principal.location.country_or_region
location principal.location.name
locationname principal.location.name
ssip principal.nat_ip
ssport principal.nat_port
csport principal.port
dept principal.user.department
department principal.user.department
login principal.user.email_addresses The login field is extracted from login log field using the Grok pattern, and the login log field is mapped to the principal.user.email_addresses UDM field.
user principal.user.email_addresses The user field is extracted from user log field using the Grok pattern, and the user log field is mapped to the principal.user.email_addresses UDM field.
deviceowner principal.user.userid
security_result.action If the action log field value matches the regular expression pattern ^Allow.*, then the security_result.action UDM field is set to ALLOW.

Else, if the action log field value matches the regular expression pattern ^Drop.* or ^Block.*, then the security_result.action UDM field is set to BLOCK.

Else, if the action log field value is equal to Reset, then the security_result.action UDM field is set to BLOCK.
action security_result.action_details
security_result.category If the ipcat log field value is not empty or the oipcat log field value is not empty, then the security_result.category UDM field is set to NETWORK_CATEGORIZED_CONTENT.
ipcat security_result.category_details The ipcat log field is mapped to the security_result.category_details UDM field.
threatcat security_result.category_details If the threatcat log field value is not equal to None, then the threatcat log field is mapped to the security_result.category_details UDM field.
security_result.detection_fields[bypassed_session] If the bypassed_session log field value is equal to 0, then the security_result.detection_fields.bypassed_session UDM field is set to the traffic did not bypass Zscaler Client Connector.

Else, if the bypassed_session log field value is equal to 1, then the security_result.detection_fields.bypassed_session UDM field is set to the traffic bypassed Zscaler Client Connector.
odevicehostname security_result.detection_fields[odevicehostname]
odevicename security_result.detection_fields[odevicename]
odeviceowner security_result.detection_fields[odeviceowner]
oipcat security_result.detection_fields[oipcat]
oipsrulelabel security_result.detection_fields[oipsrulelabel]
numsessions security_result.detection_fields[numsessions]
security_result.rule_labels [ips_custom_signature] If the ips_custom_signature log field value is equal to 0, then the security_result.rule_labels.ips_custom_signature UDM field is set to non-custom IPS rule.

Else, if the ips_custom_signature log field value is equal to 1, then the security_result.rule_labels.ips_custom_signature UDM field is set to custom IPS rule.
ipsrulelabel security_result.rule_name If the ipsrulelabel log field value is not equal to None, then the ipsrulelabel log field is mapped to the security_result.rule_name UDM field.
threatname security_result.threat_name If the threatname log field value is not equal to None, then the threatname log field is mapped to the security_result.threat_name UDM field.
ethreatname security_result.threat_name If the ethreatname log field value is not equal to None, then the ethreatname log field is mapped to the security_result.threat_name UDM field.
nwapp target.application
cdfqdn target.domain.name
sdip target.ip
datacentercity target.location.city
destcountry target.location.country_or_region
datacentercountry target.location.country_or_region
datacenter target.location.name
cdip target.nat_ip
cdport target.nat_port
sdport target.port
odnatlabel target.security_result.detection_fields[odnatlabel]
dnat target.security_result.rule_labels[dnat]
dnatrulelabel target.security_result.rule_name
aggregate additional.fields[aggregate]
day additional.fields[day]
dd additional.fields[dd]
deviceappversion additional.fields[deviceappversion]
eedone additional.fields[eedone]
flow_type additional.fields[flow_type]
hh additional.fields[hh]
mm additional.fields[mm]
mon additional.fields[mon]
mth additional.fields[mth]
nwsvc additional.fields[nwsvc]
ocsip additional.fields[ocsip]
ozpa_app_seg_name additional.fields[ozpa_app_seg_name]
ss additional.fields[ss]
sourcetype additional.fields[sourcetype]
stateful additional.fields[stateful]
tz additional.fields[tz]
tuntype additional.fields[traffic_forwarding_method]
tunsport additional.fields[tunsport]
yyyy additional.fields[yyyy]
zpa_app_seg_name additional.fields[zpa_app_seg_name]
ztunnelversion additional.fields[ztunnelversion]