Coletar registros do Zscaler Webproxy
Este documento descreve como exportar registros do Zscaler Webproxy configurando um feed de operações de segurança do Google e como os campos de registro são mapeados para os campos do modelo de dados unificado (UDM, na sigla em inglês) do Google SecOps.
Para mais informações, consulte Visão geral da ingestão de dados no Google SecOps.
Uma implantação típica consiste no Zscaler Webproxy e no feed de webhook do Google SecOps configurado para enviar registros ao Google SecOps. Cada implantação do cliente pode ser diferente e mais complexa.
A implantação contém os seguintes componentes:
Zscaler Webproxy: a plataforma em que você coleta registros.
Feed do Google SecOps: o feed do Google SecOps que busca logs do Zscaler Webproxy e grava logs no Google SecOps.
Google SecOps: retém e analisa os registros.
Um rótulo de ingestão identifica o analisador que normaliza os dados de registro brutos para o formato estruturado do UDM. As informações neste documento se aplicam ao analisador com o rótulo de transferência ZSCALER_WEBPROXY
.
Antes de começar
- Confira se você tem acesso ao console do Zscaler Internet Access. Para mais informações, consulte Ajuda do ZIA para acesso seguro à Internet e ao SaaS.
- Verifique se você está usando o Zscaler Webproxy 2024 ou uma versão mais recente.
- Verifique se todos os sistemas na arquitetura de implantação estão configurados com o fuso horário UTC.
- Verifique se você tem a chave de API necessária para concluir a configuração do feed no Google SecOps. Para mais informações, consulte Como configurar chaves de API.
Configurar um feed de ingestão no Google SecOps para processar os registros do Zscaler Webproxy
- Acesse Configurações do SIEM > Feeds.
- Clique em Adicionar novo.
- No campo Nome do feed, insira um nome para o feed (por exemplo, Zscaler Webproxy Logs).
- Selecione Webhook como o Tipo de origem.
- Selecione Zscaler como o Tipo de registro.
- Clique em Próxima.
- Opcional: insira valores para os seguintes parâmetros de entrada:
- Delimitador de divisão: o delimitador usado para separar as linhas de registro. Deixe em branco se não for usado.
- Namespace do recurso: o namespace do recurso.
- Rótulos de ingestão: o rótulo a ser aplicado aos eventos desse feed.
- Clique em Próxima.
- Revise a configuração do novo feed e clique em Enviar.
- Clique em Generate Secret Key para gerar uma chave secreta para autenticar esse feed.
Configurar o Zscaler Webproxy
- No console do Zscaler Internet Access, clique em Administration > Nanolog Streaming Service > Cloud NSS Feeds e clique em Add Cloud NSS Feed.
- A janela Add Cloud NSS Feed vai aparecer. Na janela Adicionar feed de NSS do Cloud, insira os detalhes.
- Digite um nome para o feed no campo Nome do feed.
- Selecione NSS para Web em Tipo de NSS.
- Selecione o status na lista Status para ativar ou desativar o feed do NSS.
- Mantenha o valor no menu suspenso SIEM Rate como Unlimited. Para suprimir o fluxo de saída devido a licenciamento ou outras restrições, mude o valor.
- Selecione Outro na lista Tipo de SIEM.
- Selecione Desativada na lista Autenticação OAuth 2.0.
- Insira um limite de tamanho para uma carga útil de solicitação HTTP individual na prática recomendada do SIEM em Tamanho máximo do lote. Por exemplo, 512 KB.
Insira o URL HTTPS do endpoint de API Chronicle no URL da API no seguinte formato:
https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
CHRONICLE_REGION
: região em que a instância do Chronicle está hospedada. Por exemplo, EUA.GOOGLE_PROJECT_NUMBER
: número do projeto BYOP. Receba isso do C4.LOCATION
: região do Chronicle. Por exemplo, EUA.CUSTOMER_ID
: ID do cliente do Chronicle. Receber do C4.FEED_ID
: o ID do feed mostrado na interface do feed no novo webhook criado- URL da API de exemplo:
https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs
Clique em Adicionar cabeçalho HTTP para adicionar mais cabeçalhos HTTP com chaves e valores.
Por exemplo, Header 1: Key1: X-goog-api-key e Value1: chave de API gerada nas credenciais da API do Google Cloud BYOP.
Selecione Registros da Web na lista Tipos de registro.
Selecione JSON na lista Tipo de saída do feed.
Defina Caracter de escape do feed como
, \ "
.Para adicionar um novo campo ao Formato de saída do feed,selecione Personalizado na lista Tipo de saída do feed.
Copie e cole o Formato de saída do feed e adicione novos campos. Confira se os nomes das chaves correspondem aos nomes dos campos.
Confira a seguir o formato de saída do feed padrão:
\{ "sourcetype" : "zscalernss-web", "event" : \{"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}","reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}","transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}","urlcategory":"%s{urlcat}","serverip":"%s{sip}","requestmethod":"%s{reqmethod}","refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}","ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler","hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}","threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}","threatseverity":"%s{threatseverity}","department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}","dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}","dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}","keyprotectiontype":"%s{keyprotectiontype}"\}\}
Selecione o fuso horário do campo Time no arquivo de saída na lista Timezone. Por padrão, o fuso horário é definido como o da sua organização.
Revise as configurações definidas.
Clique em Salvar para testar a conectividade. Se a conexão for bem-sucedida, uma marca de seleção verde acompanhada da mensagem Test Connectivity Successful: OK (200) vai aparecer.
Para mais informações sobre os feeds do Google SecOps, consulte a documentação sobre feeds do Google SecOps. Para informações sobre os requisitos de cada tipo de feed, consulte Configuração de feed por tipo.
Se você tiver problemas ao criar feeds, entre em contato com o suporte do Google SecOps.
Referência do mapeamento de campo
A tabela a seguir lista os campos de registro do tipo ZSCALER_WEBPROXY
e os campos correspondentes do UDM.
Log field | UDM mapping | Logic |
---|---|---|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Zscaler . |
|
metadata.event_type |
If the ClientIP log field value is not empty and the serverip log field value is not empty and the proto log field value contain one of the following values, then the metadata.event_type UDM field is set to NETWORK_HTTP .
ClientIP log field value is not empty and the serverip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION .Else, if the user log field value is not empty or the deviceowner log field value is not empty, then the metadata.event_type UDM field is set to USER_UNCATEGORIZED .Else, the metadata.event_type UDM field is set to GENERIC_EVENT . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Web Proxy . |
sourcetype |
additional.fields[sourcetype] |
|
datetime |
metadata.event_timestamp |
|
tz |
additional.fields[tz] |
|
ss |
additional.fields[ss] |
|
mm |
additional.fields[mm] |
|
hh |
additional.fields[hh] |
|
dd |
additional.fields[dd] |
|
mth |
additional.fields[mth] |
|
yyyy |
additional.fields[yyyy] |
|
mon |
additional.fields[mon] |
|
day |
additional.fields[day] |
|
department |
principal.user.department |
|
b64dept |
principal.user.department |
|
edepartment |
principal.user.department |
|
user |
principal.user.email_addresses |
|
b64login |
principal.user.email_addresses |
|
elogin |
principal.user.email_addresses |
|
ologin |
additional.fields[ologin] |
|
cloudname |
principal.user.attribute.labels[cloudname] |
|
company |
principal.user.company_name |
|
throttlereqsize |
security_result.detection_fields[throttlereqsize] |
|
throttlerespsize |
security_result.detection_fields[throttlerespsize] |
|
bwthrottle |
security_result.detection_fields[bwthrottle] |
|
|
security_result.category |
If the bwthrottle log field value is equal to Yes , then the security_result.category UDM field is set to POLICY_VIOLATION . |
bwclassname |
security_result.detection_fields[bwclassname] |
|
obwclassname |
security_result.detection_fields[obwclassname] |
|
bwrulename |
security_result.rule_name |
|
appname |
target.application |
|
appclass |
target.security_result.detection_fields[appclass] |
|
module |
target.security_result.detection_fields[module] |
|
app_risk_score |
target.security_result.risk_score |
If the app_risk_score log field value matches the regular expression pattern [0-9]+ , then the app_risk_score log field is mapped to the security_result.risk_score UDM field. |
datacenter |
target.location.name |
|
datacentercity |
target.location.city |
|
datacentercountry |
target.location.country_or_region |
|
dlpdictionaries |
security_result.detection_fields[dlpdictionaries] |
|
odlpdict |
security_result.detection_fields[odlpdict] |
|
dlpdicthitcount |
security_result.detection_fields[dlpdicthitcount] |
|
dlpengine |
security_result.detection_fields[dlpengine] |
|
odlpeng |
security_result.detection_fields[odlpeng] |
|
dlpidentifier |
security_result.detection_fields[dlpidentifier] |
|
dlpmd5 |
security_result.detection_fields[dlpmd5] |
|
dlprulename |
security_result.rule_name |
|
odlprulename |
security_result.detection_fields[odlprulename] |
|
fileclass |
additional.fields[fileclass] |
|
filetype |
target.file.mime_type |
|
filename |
target.file.full_path |
|
b64filename |
target.file.full_path |
|
efilename |
target.file.full_path |
|
filesubtype |
additional.fields[filesubtype] |
|
upload_fileclass |
additional.fields[upload_fileclass] |
|
upload_filetype |
target.file.mime_type |
If the filetype log field value is equal to None and the upload_filetype log field value is not equal to None , then the upload_filetype log field is mapped to the target.file.mime_type UDM field. |
upload_filename |
target.file.full_path |
If the filename log field value is equal to None and the upload_filename log field value is not equal to None , then the upload_filename log field is mapped to the target.file.full_path UDM field. |
b64upload_filename |
target.file.full_path |
|
eupload_filename |
target.file.full_path |
|
upload_filesubtype |
additional.fields[upload_filesubtype] |
|
upload_doctypename |
additional.fields[upload_doctypename] |
|
unscannabletype |
security_result.detection_fields[unscannabletype] |
|
rdr_rulename |
intermediary.security_result.rule_name |
|
b64rdr_rulename |
intermediary.security_result.rule_name |
|
|
intermediary.resource.resource_type |
If the rdr_rulename log field value is not empty, then the intermediary.resource.resource_type UDM field is set to GATEWAY . |
ordr_rulename |
additional.fields[ordr_rulename] |
|
fwd_type |
intermediary.resource.attribute.labels[fwd_type] |
|
fwd_gw_name |
intermediary.resource.name |
|
b64fwd_gw_name |
intermediary.resource.name |
|
ofwd_gw_name |
security_result.detection_fields[ofwd_gw_name] |
|
fwd_gw_ip |
intermediary.ip |
|
zpa_app_seg_name |
additional.fields[zpa_app_seg_name] |
|
b64zpa_app_seg_name |
additional.fields[zpa_app_seg_name] |
|
ozpa_app_seg_name |
additional.fields[ozpa_app_seg_name] |
|
reqdatasize |
additional.fields[reqdatasize] |
|
reqhdrsize |
additional.fields[reqhdrsize] |
|
requestsize |
network.sent_bytes |
|
respdatasize |
additional.fields[respdatasize] |
|
resphdrsize |
additional.fields[resphdrsize] |
|
responsesize |
network.received_bytes |
|
transactionsize |
additional.fields[transactionsize] |
|
contenttype |
additional.fields[contenttype] |
|
df_hosthead |
security_result.detection_fields[df_hosthead] |
|
df_hostname |
security_result.detection_fields[df_hostname] |
|
hostname |
target.hostnametarget.asset.hostname |
|
b64host |
target.hostnametarget.asset.hostname |
|
ehost |
target.hostnametarget.asset.hostname |
|
refererURL |
network.http.referral_url |
|
b64referer |
network.http.referral_url |
|
ereferer |
network.http.referral_url |
|
erefererpath |
additional.fields[erefererpath] |
|
refererhost |
additional.fields[refererhost] |
|
erefererhost |
additional.fields[refererhost] |
|
requestmethod |
network.http.method |
|
reqversion |
additional.fields[reqversion] |
|
status |
network.http.response_code |
|
respversion |
additional.fields[respversion] |
|
ua_token |
additional.fields[ua_token] |
|
useragent |
network.http.user_agent |
|
b64ua |
network.http.user_agent |
|
eua |
network.http.user_agent |
|
useragent |
network.http.parsed_user_agent |
|
b64ua |
network.http.parsed_user_agent |
|
eua |
network.http.parsed_user_agent |
|
uaclass |
additional.fields[uaclass] |
|
url |
target.url |
|
b64url |
target.url |
|
eurl |
target.url |
|
eurlpath |
additional.fields[eurlpath] |
|
mobappname |
additional.fields[mobappname] |
|
b64mobappname |
additional.fields[mobappname] |
|
emobappname |
additional.fields[mobappname] |
|
mobappcat |
additional.fields[mobappcat] |
|
mobdevtype |
additional.fields[mobdevtype] |
|
clt_sport |
principal.port |
|
ClientIP |
principal.ip |
|
ocip |
security_result.detection_fields[ocip] |
|
cpubip |
additional.fields[cpubip] |
|
ocpubip |
additional.fields[ocpubip] |
|
clientpublicIP |
principal.nat_ip |
|
serverip |
target.ip |
|
|
network.application_protocol |
If the protocol log field value contain one of the following values, then the network.application_protocol UDM field is set to HTTP .
protocol log field value contain one of the following values, then the network.application_protocol UDM field is set to HTTPS .
network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOL . |
alpnprotocol |
additional.fields[alpnprotocol] |
|
trafficredirectmethod |
intermediary.resource.attribute.labels[trafficredirectmethod] |
|
location |
principal.location.name |
|
elocation |
principal.location.name |
|
userlocationname |
principal.location.name |
If the userlocationname log field value is not equal to None , then the userlocationname log field is mapped to the principal.location.name UDM field. |
b64userlocationname |
principal.location.name |
|
euserlocationname |
principal.location.name |
|
rulelabel |
security_result.rule_name |
If the action log field value is equal to Blocked , then the rulelabel log field is mapped to the security_result.rule_name UDM field. |
b64rulelabel |
security_result.rule_name |
|
erulelabel |
security_result.rule_name |
|
ruletype |
security_result.rule_type |
|
reason |
security_result.description |
If the action log field value is equal to Blocked , then the reason log field is mapped to the security_result.description UDM field. |
action |
security_result.action_details |
|
|
security_result.action |
If the action log field value is equal to Allowed , then the security_result.action UDM field is set to ALLOW .Else, if the action log field value is equal to Blocked , then the security_result.action UDM field is set to BLOCK . |
urlfilterrulelabel |
security_result.rule_name |
|
b64urlfilterrulelabel |
security_result.rule_name |
|
eurlfilterrulelabel |
security_result.rule_name |
|
ourlfilterrulelabel |
security_result.detection_fields[ourlfilterrulelabel] |
|
apprulelabel |
target.security_result.rule_name |
|
b64apprulelabel |
target.security_result.rule_name |
|
oapprulelabel |
security_result.detection_fields[oapprulelabel] |
|
bamd5 |
target.file.md5 |
|
sha256 |
target.file.sha256 |
|
ssldecrypted |
security_result.detection_fields[ssldecrypted] |
|
externalspr |
security_result.about.artifact.last_https_certificate.extension.certificate_policies |
|
keyprotectiontype |
security_result.about.artifact.last_https_certificate.extension.key_usage |
|
clientsslcipher |
network.tls.client.supported_ciphers |
|
clienttlsversion |
network.tls.version |
|
clientsslsessreuse |
security_result.detection_fields[clientsslsessreuse] |
|
cltsslfailreason |
security_result.detection_fields[cltsslfailreason] |
|
cltsslfailcount |
security_result.detection_fields[cltsslfailcount] |
|
srvsslcipher |
network.tls.cipher |
|
srvtlsversion |
security_result.detection_fields[srvtlsversion] |
|
srvocspresult |
security_result.detection_fields[srvocspresult] |
|
srvcertchainvalpass |
security_result.detection_fields[srvcertchainvalpass] |
|
srvwildcardcert |
security_result.detection_fields[srvwildcardcert] |
|
serversslsessreuse |
security_result.detection_fields[server_ssl_sess_reuse] |
|
srvcertvalidationtype |
security_result.detection_fields[srvcertvalidationtype] |
|
srvcertvalidityperiod |
security_result.detection_fields[srvcertvalidityperiod] |
|
is_ssluntrustedca |
security_result.detection_fields[is_ssluntrustedca] |
|
is_sslselfsigned |
security_result.detection_fields[is_sslselfsigned] |
|
is_sslexpiredca |
security_result.detection_fields[is_sslexpiredca] |
|
pagerisk |
security_result.risk_score |
|
|
security_result.severity |
If the pagerisk log field value is greater than or equal to 90 and the pagerisk log field value is less than or equal to 100 , then the security_result.severity UDM field is set to CRITICAL .If the pagerisk log field value is greater than or equal to 75 and the pagerisk log field value is less than or equal to 89 , then the security_result.severity UDM field is set to HIGH .If the pagerisk log field value is greater than or equal to 46 and the pagerisk log field value is less than or equal to 74 , then the security_result.severity UDM field is set to MEDIUM .If the pagerisk log field value is greater than or equal to 1 and the pagerisk log field value &is less than or equal to 45 , then the security_result.severity UDM field is set to LOW .If the pagerisk log field value is equal to 0 , then the security_result.severity UDM field is set to NONE . |
threatname |
security_result.threat_name |
|
b64threatname |
security_result.threat_name |
|
threatcategory |
security_result.associations.name |
|
threatclass |
security_result.associations.description |
|
urlclass |
security_result.detection_fields[urlclass] |
|
urlsupercategory |
security_result.category_details |
|
urlcategory |
security_result.category_details |
|
b64urlcat |
security_result.category_details |
|
ourlcat |
security_result.detection_fields[ourlcat] |
|
urlcatmethod |
security_result.detection_fields[urlcatmethod] |
|
bypassed_traffic |
security_result.detection_fields[bypassed_traffic] |
|
bypassed_etime |
security_result.detection_fields[bypassed_etime] |
|
deviceappversion |
additional.fields[deviceappversion] |
|
devicehostname |
principal.asset.hostname |
|
odevicehostname |
security_result.detection_fields[odevicehostname] |
|
devicemodel |
principal.asset.hardware.model |
|
devicename |
principal.asset.asset_id |
|
odevicename |
security_result.detection_fields[odevicename] |
|
|
principal.asset.platform_software.platform |
If the deviceostype log field value matches the regular expression pattern (?i)iOS , then the principal.asset.platform_software.platform UDM field is set to IOS .Else, if the deviceostype log field value matches the regular expression pattern (?i)Android , then the principal.asset.platform_software.platform UDM field is set to ANDROID .Else, if the deviceostype log field value matches the regular expression pattern (?i)Windows , then the principal.asset.platform_software.platform UDM field is set to WINDOWS .Else, if the deviceostype log field value matches the regular expression pattern (?i)MAC , then the principal.asset.platform_software.platform UDM field is set to MAC .Else, if the deviceostype log field value matches the regular expression pattern (?i)Other , then the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM . |
deviceosversion |
principal.asset.software.version |
|
deviceowner |
principal.user.userid |
|
odeviceowner |
security_result.detection_fields[odeviceowner] |
|
devicetype |
principal.asset.category |
|
external_devid |
additional.fields[external_devid] |
|
flow_type |
additional.fields[flow_type] |
|
ztunnelversion |
additional.fields[ztunnelversion] |
|
event_id |
metadata.product_log_id |
|
productversion |
metadata.product_version |
|
nsssvcip |
about.ip |
|
eedone |
additional.fields[eedone] |