收集 Zscaler Webproxy 日志

支持的平台:

本文档介绍了如何通过设置 Google 安全运营 Feed 来导出 Zscaler Webproxy 日志,以及日志字段如何映射到 Google SecOps 统一数据模型 (UDM) 字段。

如需了解详情,请参阅将数据提取到 Google SecOps 概览

典型的部署包括 Zscaler Webproxy 和配置为将日志发送到 Google SecOps 的 Google SecOps Webhook Feed。每个客户部署都可能不同,并且可能更复杂。

该部署包含以下组件:

  • Zscaler Webproxy:您要从中收集日志的平台。

  • Google SecOps Feed:Google SecOps Feed 用于从 Zscaler Webproxy 提取日志并将日志写入 Google SecOps。

  • Google SecOps:保留和分析日志。

注入标签标识将原始日志数据标准化为结构化 UDM 格式的解析器。本文档中的信息适用于具有 ZSCALER_WEBPROXY 注入标签的解析器。

准备工作

  • 确保您有权访问 Zscaler Internet Access 控制台。如需了解详情,请参阅 Secure Internet and SaaS Access ZIA Help
  • 确保您使用的是 Zscaler Webproxy 2024 或更高版本。
  • 确保部署架构中的所有系统都使用世界协调时间 (UTC) 时区进行配置。
  • 确保您拥有在 Google SecOps 中完成 Feed 设置所需的 API 密钥。如需了解详情,请参阅设置 API 密钥

在 Google SecOps 中设置提取 Feed,以提取 Zscaler Webproxy 日志

  1. 依次前往 SIEM 设置 > Feed
  2. 点击新增
  3. Feed 名称字段中,输入 Feed 的名称(例如 Zscaler Webproxy 日志)。
  4. 选择 Webhook 作为来源类型
  5. 选择 Zscaler 作为日志类型
  6. 点击下一步
  7. 可选:为以下输入参数输入值:
    1. 分隔符:用于分隔日志行的分隔符。如果不使用分隔符,请留空。
    2. 资源命名空间:资源命名空间。
    3. 提取标签:要应用于此 Feed 中的事件的标签。
  8. 点击下一步
  9. 检查新的 Feed 配置,然后点击提交
  10. 点击生成 Secret 密钥以生成用于对此 Feed 进行身份验证的 Secret 密钥。

设置 Zscaler Webproxy

  1. 在 Zscaler Internet Access 控制台中,依次点击管理 > Nanolog 流式传输服务 > Cloud NSS Feed,然后点击 Add Cloud NSS Feed(添加 Cloud NSS Feed)。
  2. 系统随即会显示 Add Cloud NSS Feed 窗口。在 Add Cloud NSS Feed 窗口中,输入详细信息。
  3. Feed 名称字段中输入 Feed 的名称。
  4. NSS 类型中,选择 NSS for Web
  5. 状态列表中选择状态,以启用或停用 NSS Feed。
  6. SIEM 速率下拉菜单中的值保留为不受限制。如需因许可或其他限制而抑制输出流,请更改此值。
  7. SIEM 类型列表中,选择其他
  8. OAuth 2.0 Authentication(OAuth 2.0 身份验证)列表中,选择 Disabled(已停用)。
  9. Max Batch Size(批量大小上限)中,输入单个 HTTP 请求载荷的大小限制,以遵循 SIEM 的最佳实践。例如,512 KB。

  10. 在 API 网址中输入 Chronicle API 端点的 HTTPS 网址,格式如下:

      https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
    • CHRONICLE_REGION:您的 Chronicle 实例的托管区域。例如,US。
    • GOOGLE_PROJECT_NUMBER:BYOP 项目编号。从 C4 获取此值。
    • LOCATION:Chronicle 区域。例如,US。
    • CUSTOMER_ID:Chronicle 客户 ID。从 C4 获取。
    • FEED_ID:新创建的 Webhook 的 Feed 界面上显示的 Feed ID
    • API 网址示例:
    https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs

  11. 点击添加 HTTP 标头,以添加包含键和值的更多 HTTP 标头。

    例如,标头 1:Key1:X-goog-api-key,Value1: Google Cloud BYOP 的 API 凭据中生成的 API 密钥。

  12. 日志类型列表中选择网站日志

  13. Feed 输出类型列表中,选择 JSON

  14. Feed 转义字符设置为 , \ "

  15. 如需向 Feed 输出格式添加新字段,请在 Feed 输出类型列表中选择自定义

  16. 复制并粘贴Feed 输出格式,然后添加新字段。确保键名称与实际字段名称一致。

  17. 以下是默认的Feed 输出格式

      \{ "sourcetype" : "zscalernss-web", "event" : \{"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}","reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}","transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}","urlcategory":"%s{urlcat}","serverip":"%s{sip}","requestmethod":"%s{reqmethod}","refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}","ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler","hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}","threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}","threatseverity":"%s{threatseverity}","department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}","dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}","dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}","keyprotectiontype":"%s{keyprotectiontype}"\}\}

  18. 时区列表中,为输出文件中的 Time 字段选择时区。默认情况下,时区会设置为贵组织的时区。

  19. 查看已配置的设置。

  20. 点击保存以测试连接。如果连接成功,系统会显示一个绿色对勾标记,以及消息 Test Connectivity Successful: OK (200)

如需详细了解 Google SecOps Feed,请参阅 Google SecOps Feed 文档。如需了解每种 Feed 类型的要求,请参阅按类型配置 Feed

如果您在创建 Feed 时遇到问题,请与 Google SecOps 支持团队联系。

字段映射参考文档

下表列出了 ZSCALER_WEBPROXY 日志类型的日志字段及其对应的 UDM 字段。

Log field UDM mapping Logic
metadata.vendor_name The metadata.vendor_name UDM field is set to Zscaler.
metadata.event_type If the ClientIP log field value is not empty and the serverip log field value is not empty and the proto log field value contain one of the following values, then the metadata.event_type UDM field is set to NETWORK_HTTP.
  • HTTPS
  • HTTP
Else, if the ClientIP log field value is not empty and the serverip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.

Else, if the user log field value is not empty or the deviceowner log field value is not empty, then the metadata.event_type UDM field is set to USER_UNCATEGORIZED.

Else, the metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Web Proxy.
sourcetype additional.fields[sourcetype]
datetime metadata.event_timestamp
tz additional.fields[tz]
ss additional.fields[ss]
mm additional.fields[mm]
hh additional.fields[hh]
dd additional.fields[dd]
mth additional.fields[mth]
yyyy additional.fields[yyyy]
mon additional.fields[mon]
day additional.fields[day]
department principal.user.department
b64dept principal.user.department
edepartment principal.user.department
user principal.user.email_addresses
b64login principal.user.email_addresses
elogin principal.user.email_addresses
ologin additional.fields[ologin]
cloudname principal.user.attribute.labels[cloudname]
company principal.user.company_name
throttlereqsize security_result.detection_fields[throttlereqsize]
throttlerespsize security_result.detection_fields[throttlerespsize]
bwthrottle security_result.detection_fields[bwthrottle]
security_result.category If the bwthrottle log field value is equal to Yes, then the security_result.category UDM field is set to POLICY_VIOLATION.
bwclassname security_result.detection_fields[bwclassname]
obwclassname security_result.detection_fields[obwclassname]
bwrulename security_result.rule_name
appname target.application
appclass target.security_result.detection_fields[appclass]
module target.security_result.detection_fields[module]
app_risk_score target.security_result.risk_score If the app_risk_score log field value matches the regular expression pattern [0-9]+, then the app_risk_score log field is mapped to the security_result.risk_score UDM field.
datacenter target.location.name
datacentercity target.location.city
datacentercountry target.location.country_or_region
dlpdictionaries security_result.detection_fields[dlpdictionaries]
odlpdict security_result.detection_fields[odlpdict]
dlpdicthitcount security_result.detection_fields[dlpdicthitcount]
dlpengine security_result.detection_fields[dlpengine]
odlpeng security_result.detection_fields[odlpeng]
dlpidentifier security_result.detection_fields[dlpidentifier]
dlpmd5 security_result.detection_fields[dlpmd5]
dlprulename security_result.rule_name
odlprulename security_result.detection_fields[odlprulename]
fileclass additional.fields[fileclass]
filetype target.file.mime_type
filename target.file.full_path
b64filename target.file.full_path
efilename target.file.full_path
filesubtype additional.fields[filesubtype]
upload_fileclass additional.fields[upload_fileclass]
upload_filetype target.file.mime_type If the filetype log field value is equal to None and the upload_filetype log field value is not equal to None, then the upload_filetype log field is mapped to the target.file.mime_type UDM field.
upload_filename target.file.full_path If the filename log field value is equal to None and the upload_filename log field value is not equal to None, then the upload_filename log field is mapped to the target.file.full_path UDM field.
b64upload_filename target.file.full_path
eupload_filename target.file.full_path
upload_filesubtype additional.fields[upload_filesubtype]
upload_doctypename additional.fields[upload_doctypename]
unscannabletype security_result.detection_fields[unscannabletype]
rdr_rulename intermediary.security_result.rule_name
b64rdr_rulename intermediary.security_result.rule_name
intermediary.resource.resource_type If the rdr_rulename log field value is not empty, then the intermediary.resource.resource_type UDM field is set to GATEWAY.
ordr_rulename additional.fields[ordr_rulename]
fwd_type intermediary.resource.attribute.labels[fwd_type]
fwd_gw_name intermediary.resource.name
b64fwd_gw_name intermediary.resource.name
ofwd_gw_name security_result.detection_fields[ofwd_gw_name]
fwd_gw_ip intermediary.ip
zpa_app_seg_name additional.fields[zpa_app_seg_name]
b64zpa_app_seg_name additional.fields[zpa_app_seg_name]
ozpa_app_seg_name additional.fields[ozpa_app_seg_name]
reqdatasize additional.fields[reqdatasize]
reqhdrsize additional.fields[reqhdrsize]
requestsize network.sent_bytes
respdatasize additional.fields[respdatasize]
resphdrsize additional.fields[resphdrsize]
responsesize network.received_bytes
transactionsize additional.fields[transactionsize]
contenttype additional.fields[contenttype]
df_hosthead security_result.detection_fields[df_hosthead]
df_hostname security_result.detection_fields[df_hostname]
hostname target.hostnametarget.asset.hostname
b64host target.hostnametarget.asset.hostname
ehost target.hostnametarget.asset.hostname
refererURL network.http.referral_url
b64referer network.http.referral_url
ereferer network.http.referral_url
erefererpath additional.fields[erefererpath]
refererhost additional.fields[refererhost]
erefererhost additional.fields[refererhost]
requestmethod network.http.method
reqversion additional.fields[reqversion]
status network.http.response_code
respversion additional.fields[respversion]
ua_token additional.fields[ua_token]
useragent network.http.user_agent
b64ua network.http.user_agent
eua network.http.user_agent
useragent network.http.parsed_user_agent
b64ua network.http.parsed_user_agent
eua network.http.parsed_user_agent
uaclass additional.fields[uaclass]
url target.url
b64url target.url
eurl target.url
eurlpath additional.fields[eurlpath]
mobappname additional.fields[mobappname]
b64mobappname additional.fields[mobappname]
emobappname additional.fields[mobappname]
mobappcat additional.fields[mobappcat]
mobdevtype additional.fields[mobdevtype]
clt_sport principal.port
ClientIP principal.ip
ocip security_result.detection_fields[ocip]
cpubip additional.fields[cpubip]
ocpubip additional.fields[ocpubip]
clientpublicIP principal.nat_ip
serverip target.ip
network.application_protocol If the protocol log field value contain one of the following values, then the network.application_protocol UDM field is set to HTTP.
  • HTTP
  • HTTP_PROXY
Else, if the protocol log field value contain one of the following values, then the network.application_protocol UDM field is set to HTTPS.
  • HTTPS
  • SSL
  • TUNNEL_SSL
  • DNSOVERHTTPS
  • TUNNEL
Else, the network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOL.
alpnprotocol additional.fields[alpnprotocol]
trafficredirectmethod intermediary.resource.attribute.labels[trafficredirectmethod]
location principal.location.name
elocation principal.location.name
userlocationname principal.location.name If the userlocationname log field value is not equal to None, then the userlocationname log field is mapped to the principal.location.name UDM field.
b64userlocationname principal.location.name
euserlocationname principal.location.name
rulelabel security_result.rule_name If the action log field value is equal to Blocked, then the rulelabel log field is mapped to the security_result.rule_name UDM field.
b64rulelabel security_result.rule_name
erulelabel security_result.rule_name
ruletype security_result.rule_type
reason security_result.description If the action log field value is equal to Blocked, then the reason log field is mapped to the security_result.description UDM field.
action security_result.action_details
security_result.action If the action log field value is equal to Allowed, then the security_result.action UDM field is set to ALLOW.

Else, if the action log field value is equal to Blocked, then the security_result.action UDM field is set to BLOCK.
urlfilterrulelabel security_result.rule_name
b64urlfilterrulelabel security_result.rule_name
eurlfilterrulelabel security_result.rule_name
ourlfilterrulelabel security_result.detection_fields[ourlfilterrulelabel]
apprulelabel target.security_result.rule_name
b64apprulelabel target.security_result.rule_name
oapprulelabel security_result.detection_fields[oapprulelabel]
bamd5 target.file.md5
sha256 target.file.sha256
ssldecrypted security_result.detection_fields[ssldecrypted]
externalspr security_result.about.artifact.last_https_certificate.extension.certificate_policies
keyprotectiontype security_result.about.artifact.last_https_certificate.extension.key_usage
clientsslcipher network.tls.client.supported_ciphers
clienttlsversion network.tls.version
clientsslsessreuse security_result.detection_fields[clientsslsessreuse]
cltsslfailreason security_result.detection_fields[cltsslfailreason]
cltsslfailcount security_result.detection_fields[cltsslfailcount]
srvsslcipher network.tls.cipher
srvtlsversion security_result.detection_fields[srvtlsversion]
srvocspresult security_result.detection_fields[srvocspresult]
srvcertchainvalpass security_result.detection_fields[srvcertchainvalpass]
srvwildcardcert security_result.detection_fields[srvwildcardcert]
serversslsessreuse security_result.detection_fields[server_ssl_sess_reuse]
srvcertvalidationtype security_result.detection_fields[srvcertvalidationtype]
srvcertvalidityperiod security_result.detection_fields[srvcertvalidityperiod]
is_ssluntrustedca security_result.detection_fields[is_ssluntrustedca]
is_sslselfsigned security_result.detection_fields[is_sslselfsigned]
is_sslexpiredca security_result.detection_fields[is_sslexpiredca]
pagerisk security_result.risk_score
security_result.severity If the pagerisk log field value is greater than or equal to 90 and the pagerisk log field value is less than or equal to 100, then the security_result.severity UDM field is set to CRITICAL.

If the pagerisk log field value is greater than or equal to 75 and the pagerisk log field value is less than or equal to 89, then the security_result.severity UDM field is set to HIGH.

If the pagerisk log field value is greater than or equal to 46 and the pagerisk log field value is less than or equal to 74, then the security_result.severity UDM field is set to MEDIUM.

If the pagerisk log field value is greater than or equal to 1 and the pagerisk log field value &is less than or equal to 45, then the security_result.severity UDM field is set to LOW.

If the pagerisk log field value is equal to 0, then the security_result.severity UDM field is set to NONE.
threatname security_result.threat_name
b64threatname security_result.threat_name
threatcategory security_result.associations.name
threatclass security_result.associations.description
urlclass security_result.detection_fields[urlclass]
urlsupercategory security_result.category_details
urlcategory security_result.category_details
b64urlcat security_result.category_details
ourlcat security_result.detection_fields[ourlcat]
urlcatmethod security_result.detection_fields[urlcatmethod]
bypassed_traffic security_result.detection_fields[bypassed_traffic]
bypassed_etime security_result.detection_fields[bypassed_etime]
deviceappversion additional.fields[deviceappversion]
devicehostname principal.asset.hostname
odevicehostname security_result.detection_fields[odevicehostname]
devicemodel principal.asset.hardware.model
devicename principal.asset.asset_id
odevicename security_result.detection_fields[odevicename]
principal.asset.platform_software.platform If the deviceostype log field value matches the regular expression pattern (?i)iOS, then the principal.asset.platform_software.platform UDM field is set to IOS.

Else, if the deviceostype log field value matches the regular expression pattern (?i)Android, then the principal.asset.platform_software.platform UDM field is set to ANDROID.

Else, if the deviceostype log field value matches the regular expression pattern (?i)Windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the deviceostype log field value matches the regular expression pattern (?i)MAC, then the principal.asset.platform_software.platform UDM field is set to MAC.

Else, if the deviceostype log field value matches the regular expression pattern (?i)Other, then the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM.
deviceosversion principal.asset.software.version
deviceowner principal.user.userid
odeviceowner security_result.detection_fields[odeviceowner]
devicetype principal.asset.category
external_devid additional.fields[external_devid]
flow_type additional.fields[flow_type]
ztunnelversion additional.fields[ztunnelversion]
event_id metadata.product_log_id
productversion metadata.product_version
nsssvcip about.ip
eedone additional.fields[eedone]