Recopila registros de Zscaler Webproxy

Compatible con:

En este documento, se describe cómo puedes configurar un feed de Operaciones de seguridad de Google para exportar registros de Zscaler Webproxy y cómo se asignan los campos de registro a los campos del modelo de datos unificado (UDM) de Google SecOps.

Para obtener más información, consulta la descripción general de la transferencia de datos a Google SecOps.

Una implementación típica consta del proxy web de Zscaler y el feed de webhook de Google SecOps configurado para enviar registros a Google SecOps. Cada implementación de cliente puede diferir y ser más compleja.

La implementación contiene los siguientes componentes:

  • Zscaler Webproxy: Es la plataforma desde la que recopilas registros.

  • Feed de Google SecOps: Es el feed de Google SecOps que recupera registros del Webproxy de Zscaler y escribe registros en Google SecOps.

  • Google SecOps: Retiene y analiza los registros.

Una etiqueta de transferencia identifica el analizador que normaliza los datos de registro sin procesar al formato estructurado del UDM. La información de este documento se aplica al analizador con la etiqueta de transferencia ZSCALER_WEBPROXY.

Antes de comenzar

  • Asegúrate de tener acceso a la consola de acceso a Internet de Zscaler. Para obtener más información, consulta la Ayuda de ZIA de acceso seguro a Internet y SaaS.
  • Asegúrate de usar Zscaler Webproxy 2024 o una versión posterior.
  • Asegúrate de que todos los sistemas de la arquitectura de implementación estén configurados con la zona horaria UTC.
  • Asegúrate de tener la clave de API necesaria para completar la configuración del feed en Google SecOps. Para obtener más información, consulta Configura claves de API.

Configura un feed de transferencia en Google SecOps para transferir los registros de Zscaler Webproxy

  1. Ve a Configuración de SIEM > Feeds.
  2. Haz clic en Agregar nueva.
  3. En el campo Nombre del feed, ingresa un nombre para el feed (por ejemplo, Registros de proxy web de Zscaler).
  4. Selecciona Webhook como el Tipo de origen.
  5. Selecciona Zscaler como el Tipo de registro.
  6. Haz clic en Siguiente.
  7. Opcional: Ingresa valores para los siguientes parámetros de entrada:
    1. Delimitador de división: Es el delimitador que se usa para separar las líneas de los registros. Deja el campo en blanco si no se usa un delimitador.
    2. Espacio de nombres del activo: Es el espacio de nombres del activo.
    3. Etiquetas de transferencia: Es la etiqueta que se aplicará a los eventos de este feed.
  8. Haz clic en Siguiente.
  9. Revisa la configuración del nuevo feed y, luego, haz clic en Enviar.
  10. Haz clic en Generate Secret Key para generar una clave secreta que autentique este feed.

Configura el proxy web de Zscaler

  1. En la consola de acceso a Internet de Zscaler, haz clic en Administración > Servicio de transmisión de Nanolog > Feeds de NSS de Cloud y, luego, en Agregar feed de NSS de Cloud.
  2. Aparecerá la ventana Add Cloud NSS Feed. En la ventana Add Cloud NSS Feed, ingresa los detalles.
  3. Ingresa un nombre para el feed en el campo Nombre del feed.
  4. Selecciona NSS para la Web en Tipo de NSS.
  5. Selecciona el estado de la lista Estado para activar o desactivar el feed de NSS.
  6. Mantén el valor en el menú desplegable SIEM Rate como Unlimited. Para suprimir el flujo de salida debido a licencias o a otras restricciones, cambia el valor.
  7. Selecciona Otro en la lista Tipo de SIEM.
  8. Selecciona Disabled en la lista OAuth 2.0 Authentication.
  9. Ingresa un límite de tamaño para una carga útil de solicitud HTTP individual en las prácticas recomendadas de SIEM en Max Batch Size. Por ejemplo, 512 KB.
  10. Ingresa la URL HTTPS del extremo de API de Chronicle en la URL de la API con el siguiente formato:

      https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
    
    • CHRONICLE_REGION: Es la región en la que se aloja tu instancia de Chronicle. Por ejemplo, EE.UU.
    • GOOGLE_PROJECT_NUMBER: Es el número de proyecto de BYOP. Obtén esta información de C4.
    • LOCATION: Región de Chronicle. Por ejemplo, EE.UU.
    • CUSTOMER_ID: ID de cliente de Chronicle. Obtener de C4
    • FEED_ID: Es el ID del feed que se muestra en la IU del feed en el nuevo webhook creado.
    • URL de API de muestra:
    https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs
    
  11. Haz clic en Agregar encabezado HTTP para agregar más encabezados HTTP con claves y valores.

    Por ejemplo, encabezado 1: clave1: X-goog-api-key y valor1: clave de API generada en las credenciales de la API de Google Cloud BYOP.

  12. Selecciona Registros web en la lista Tipos de registro.

  13. Selecciona JSON en la lista Tipo de salida del feed.

  14. Establece el carácter de escape del feed en , \ ".

  15. Para agregar un campo nuevo al Formato de salida del feed, selecciona Personalizado en la lista Tipo de salida del feed.

  16. Copia y pega el Formato de salida del feed y agrega campos nuevos. Asegúrate de que los nombres de las claves coincidan con los nombres de los campos reales.

  17. A continuación, se muestra el formato de salida del feed predeterminado:

      \{ "sourcetype" : "zscalernss-web", "event" : \{"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}","reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}","transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}","urlcategory":"%s{urlcat}","serverip":"%s{sip}","requestmethod":"%s{reqmethod}","refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}","ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler","hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}","threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}","threatseverity":"%s{threatseverity}","department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}","dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}","dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}","keyprotectiontype":"%s{keyprotectiontype}"\}\}
    
  18. Selecciona la zona horaria para el campo Time en el archivo de salida en la lista Timezone. De forma predeterminada, la zona horaria se establece en la de tu organización.

  19. Revisa la configuración establecida.

  20. Haz clic en Guardar para probar la conectividad. Si la conexión se realiza correctamente, aparecerá una marca de verificación verde acompañada del mensaje Test Connectivity Successful: OK (200).

Para obtener más información sobre los feeds de Google SecOps, consulta la documentación de los feeds de Google SecOps. Para obtener información sobre los requisitos de cada tipo de feed, consulta Configuración de feeds por tipo.

Si tienes problemas cuando creas feeds, comunícate con el equipo de asistencia de SecOps de Google.

Referencia de la asignación de campos

En la siguiente tabla, se enumeran los campos de registro del tipo de registro ZSCALER_WEBPROXY y sus campos de UDM correspondientes.

Log field UDM mapping Logic
metadata.vendor_name The metadata.vendor_name UDM field is set to Zscaler.
metadata.event_type If the ClientIP log field value is not empty and the serverip log field value is not empty and the proto log field value contain one of the following values, then the metadata.event_type UDM field is set to NETWORK_HTTP.
  • HTTPS
  • HTTP
Else, if the ClientIP log field value is not empty and the serverip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.

Else, if the user log field value is not empty or the deviceowner log field value is not empty, then the metadata.event_type UDM field is set to USER_UNCATEGORIZED.

Else, the metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Web Proxy.
sourcetype additional.fields[sourcetype]
datetime metadata.event_timestamp
tz additional.fields[tz]
ss additional.fields[ss]
mm additional.fields[mm]
hh additional.fields[hh]
dd additional.fields[dd]
mth additional.fields[mth]
yyyy additional.fields[yyyy]
mon additional.fields[mon]
day additional.fields[day]
department principal.user.department
b64dept principal.user.department
edepartment principal.user.department
user principal.user.email_addresses
b64login principal.user.email_addresses
elogin principal.user.email_addresses
ologin additional.fields[ologin]
cloudname principal.user.attribute.labels[cloudname]
company principal.user.company_name
throttlereqsize security_result.detection_fields[throttlereqsize]
throttlerespsize security_result.detection_fields[throttlerespsize]
bwthrottle security_result.detection_fields[bwthrottle]
security_result.category If the bwthrottle log field value is equal to Yes, then the security_result.category UDM field is set to POLICY_VIOLATION.
bwclassname security_result.detection_fields[bwclassname]
obwclassname security_result.detection_fields[obwclassname]
bwrulename security_result.rule_name
appname target.application
appclass target.security_result.detection_fields[appclass]
module target.security_result.detection_fields[module]
app_risk_score target.security_result.risk_score If the app_risk_score log field value matches the regular expression pattern [0-9]+, then the app_risk_score log field is mapped to the security_result.risk_score UDM field.
datacenter target.location.name
datacentercity target.location.city
datacentercountry target.location.country_or_region
dlpdictionaries security_result.detection_fields[dlpdictionaries]
odlpdict security_result.detection_fields[odlpdict]
dlpdicthitcount security_result.detection_fields[dlpdicthitcount]
dlpengine security_result.detection_fields[dlpengine]
odlpeng security_result.detection_fields[odlpeng]
dlpidentifier security_result.detection_fields[dlpidentifier]
dlpmd5 security_result.detection_fields[dlpmd5]
dlprulename security_result.rule_name
odlprulename security_result.detection_fields[odlprulename]
fileclass additional.fields[fileclass]
filetype target.file.mime_type
filename target.file.full_path
b64filename target.file.full_path
efilename target.file.full_path
filesubtype additional.fields[filesubtype]
upload_fileclass additional.fields[upload_fileclass]
upload_filetype target.file.mime_type If the filetype log field value is equal to None and the upload_filetype log field value is not equal to None, then the upload_filetype log field is mapped to the target.file.mime_type UDM field.
upload_filename target.file.full_path If the filename log field value is equal to None and the upload_filename log field value is not equal to None, then the upload_filename log field is mapped to the target.file.full_path UDM field.
b64upload_filename target.file.full_path
eupload_filename target.file.full_path
upload_filesubtype additional.fields[upload_filesubtype]
upload_doctypename additional.fields[upload_doctypename]
unscannabletype security_result.detection_fields[unscannabletype]
rdr_rulename intermediary.security_result.rule_name
b64rdr_rulename intermediary.security_result.rule_name
intermediary.resource.resource_type If the rdr_rulename log field value is not empty, then the intermediary.resource.resource_type UDM field is set to GATEWAY.
ordr_rulename additional.fields[ordr_rulename]
fwd_type intermediary.resource.attribute.labels[fwd_type]
fwd_gw_name intermediary.resource.name
b64fwd_gw_name intermediary.resource.name
ofwd_gw_name security_result.detection_fields[ofwd_gw_name]
fwd_gw_ip intermediary.ip
zpa_app_seg_name additional.fields[zpa_app_seg_name]
b64zpa_app_seg_name additional.fields[zpa_app_seg_name]
ozpa_app_seg_name additional.fields[ozpa_app_seg_name]
reqdatasize additional.fields[reqdatasize]
reqhdrsize additional.fields[reqhdrsize]
requestsize network.sent_bytes
respdatasize additional.fields[respdatasize]
resphdrsize additional.fields[resphdrsize]
responsesize network.received_bytes
transactionsize additional.fields[transactionsize]
contenttype additional.fields[contenttype]
df_hosthead security_result.detection_fields[df_hosthead]
df_hostname security_result.detection_fields[df_hostname]
hostname target.hostnametarget.asset.hostname
b64host target.hostnametarget.asset.hostname
ehost target.hostnametarget.asset.hostname
refererURL network.http.referral_url
b64referer network.http.referral_url
ereferer network.http.referral_url
erefererpath additional.fields[erefererpath]
refererhost additional.fields[refererhost]
erefererhost additional.fields[refererhost]
requestmethod network.http.method
reqversion additional.fields[reqversion]
status network.http.response_code
respversion additional.fields[respversion]
ua_token additional.fields[ua_token]
useragent network.http.user_agent
b64ua network.http.user_agent
eua network.http.user_agent
useragent network.http.parsed_user_agent
b64ua network.http.parsed_user_agent
eua network.http.parsed_user_agent
uaclass additional.fields[uaclass]
url target.url
b64url target.url
eurl target.url
eurlpath additional.fields[eurlpath]
mobappname additional.fields[mobappname]
b64mobappname additional.fields[mobappname]
emobappname additional.fields[mobappname]
mobappcat additional.fields[mobappcat]
mobdevtype additional.fields[mobdevtype]
clt_sport principal.port
ClientIP principal.ip
ocip security_result.detection_fields[ocip]
cpubip additional.fields[cpubip]
ocpubip additional.fields[ocpubip]
clientpublicIP principal.nat_ip
serverip target.ip
network.application_protocol If the protocol log field value contain one of the following values, then the network.application_protocol UDM field is set to HTTP.
  • HTTP
  • HTTP_PROXY
Else, if the protocol log field value contain one of the following values, then the network.application_protocol UDM field is set to HTTPS.
  • HTTPS
  • SSL
  • TUNNEL_SSL
  • DNSOVERHTTPS
  • TUNNEL
Else, the network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOL.
alpnprotocol additional.fields[alpnprotocol]
trafficredirectmethod intermediary.resource.attribute.labels[trafficredirectmethod]
location principal.location.name
elocation principal.location.name
userlocationname principal.location.name If the userlocationname log field value is not equal to None, then the userlocationname log field is mapped to the principal.location.name UDM field.
b64userlocationname principal.location.name
euserlocationname principal.location.name
rulelabel security_result.rule_name If the action log field value is equal to Blocked, then the rulelabel log field is mapped to the security_result.rule_name UDM field.
b64rulelabel security_result.rule_name
erulelabel security_result.rule_name
ruletype security_result.rule_type
reason security_result.description If the action log field value is equal to Blocked, then the reason log field is mapped to the security_result.description UDM field.
action security_result.action_details
security_result.action If the action log field value is equal to Allowed, then the security_result.action UDM field is set to ALLOW.

Else, if the action log field value is equal to Blocked, then the security_result.action UDM field is set to BLOCK.
urlfilterrulelabel security_result.rule_name
b64urlfilterrulelabel security_result.rule_name
eurlfilterrulelabel security_result.rule_name
ourlfilterrulelabel security_result.detection_fields[ourlfilterrulelabel]
apprulelabel target.security_result.rule_name
b64apprulelabel target.security_result.rule_name
oapprulelabel security_result.detection_fields[oapprulelabel]
bamd5 target.file.md5
sha256 target.file.sha256
ssldecrypted security_result.detection_fields[ssldecrypted]
externalspr security_result.about.artifact.last_https_certificate.extension.certificate_policies
keyprotectiontype security_result.about.artifact.last_https_certificate.extension.key_usage
clientsslcipher network.tls.client.supported_ciphers
clienttlsversion network.tls.version
clientsslsessreuse security_result.detection_fields[clientsslsessreuse]
cltsslfailreason security_result.detection_fields[cltsslfailreason]
cltsslfailcount security_result.detection_fields[cltsslfailcount]
srvsslcipher network.tls.cipher
srvtlsversion security_result.detection_fields[srvtlsversion]
srvocspresult security_result.detection_fields[srvocspresult]
srvcertchainvalpass security_result.detection_fields[srvcertchainvalpass]
srvwildcardcert security_result.detection_fields[srvwildcardcert]
serversslsessreuse security_result.detection_fields[server_ssl_sess_reuse]
srvcertvalidationtype security_result.detection_fields[srvcertvalidationtype]
srvcertvalidityperiod security_result.detection_fields[srvcertvalidityperiod]
is_ssluntrustedca security_result.detection_fields[is_ssluntrustedca]
is_sslselfsigned security_result.detection_fields[is_sslselfsigned]
is_sslexpiredca security_result.detection_fields[is_sslexpiredca]
pagerisk security_result.risk_score
security_result.severity If the pagerisk log field value is greater than or equal to 90 and the pagerisk log field value is less than or equal to 100, then the security_result.severity UDM field is set to CRITICAL.

If the pagerisk log field value is greater than or equal to 75 and the pagerisk log field value is less than or equal to 89, then the security_result.severity UDM field is set to HIGH.

If the pagerisk log field value is greater than or equal to 46 and the pagerisk log field value is less than or equal to 74, then the security_result.severity UDM field is set to MEDIUM.

If the pagerisk log field value is greater than or equal to 1 and the pagerisk log field value &is less than or equal to 45, then the security_result.severity UDM field is set to LOW.

If the pagerisk log field value is equal to 0, then the security_result.severity UDM field is set to NONE.
threatname security_result.threat_name
b64threatname security_result.threat_name
threatcategory security_result.associations.name
threatclass security_result.associations.description
urlclass security_result.detection_fields[urlclass]
urlsupercategory security_result.category_details
urlcategory security_result.category_details
b64urlcat security_result.category_details
ourlcat security_result.detection_fields[ourlcat]
urlcatmethod security_result.detection_fields[urlcatmethod]
bypassed_traffic security_result.detection_fields[bypassed_traffic]
bypassed_etime security_result.detection_fields[bypassed_etime]
deviceappversion additional.fields[deviceappversion]
devicehostname principal.asset.hostname
odevicehostname security_result.detection_fields[odevicehostname]
devicemodel principal.asset.hardware.model
devicename principal.asset.asset_id
odevicename security_result.detection_fields[odevicename]
principal.asset.platform_software.platform If the deviceostype log field value matches the regular expression pattern (?i)iOS, then the principal.asset.platform_software.platform UDM field is set to IOS.

Else, if the deviceostype log field value matches the regular expression pattern (?i)Android, then the principal.asset.platform_software.platform UDM field is set to ANDROID.

Else, if the deviceostype log field value matches the regular expression pattern (?i)Windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the deviceostype log field value matches the regular expression pattern (?i)MAC, then the principal.asset.platform_software.platform UDM field is set to MAC.

Else, if the deviceostype log field value matches the regular expression pattern (?i)Other, then the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM.
deviceosversion principal.asset.software.version
deviceowner principal.user.userid
odeviceowner security_result.detection_fields[odeviceowner]
devicetype principal.asset.category
external_devid additional.fields[external_devid]
flow_type additional.fields[flow_type]
ztunnelversion additional.fields[ztunnelversion]
event_id metadata.product_log_id
productversion metadata.product_version
nsssvcip about.ip
eedone additional.fields[eedone]