Collect Zscaler CASB logs
Supported in:
This document explains how to export Zscaler CASB logs by setting up a Google Security Operations feed and how log fields map to Google SecOps Unified Data Model (UDM) fields.
For more information, see Data ingestion to Google SecOps overview.
A typical deployment consists of Zscaler CASB and the Google SecOps Webhook feed configured to send logs to Google SecOps. Each customer deployment can differ and might be more complex.
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.
Zscaler CASB: The platform from which you collect logs.
Google SecOps feed: The Google SecOps feed that fetches logs from Zscaler CASB and writes logs to Google SecOps.
Install Bindplane Agent
Windows installation
Before you begin
- Ensure that you have access to Zscaler Internet Access console. For more information, see Secure Internet and SaaS Access ZIA Help.
- Ensure that you are using Zscaler CASB 2024 or later.
- Ensure that all systems in the deployment architecture are configured with the UTC time zone.
- Ensure that you have the API key which is needed to complete feed setup in Google SecOps. For more information, see Setting up API keys.
Linux Iistallation
- Go to SIEM Settings > Feeds.
- Click Add new.
- In the Feed name field, enter a name for the feed (for example, Zscaler CASB Logs).
- Select Webhook as the Source Type.
- Select Zscaler CASB as the Log Type.
- Click Next.
- Optional: Specify values for the following input parameters:
- Split delimiter: the delimiter that is used to separate the logs lines (leave blank if a delimiter is not used).
- Asset namespace: the asset namespace.
- Ingestion labels: the label to be applied to the events from this feed.
- Click Next.
- Review your new feed configuration in the Finalize screen, and then click Submit.
- Click Generate Secret Key to generate a secret key to authenticate this feed.
Set up Zscaler CASB
Additional installation resources
- For additional installation options, consult this installation guide.
Configure Bindplane Agent to ingest Syslog and send to Google SecOps
Access the configuration file:
- Locate the
config.yamlfile. Typically, it's in the/etc/bindplane-agent/directory on Linux or in the installation directory on Windows. - Open the file using a text editor (for example,
nano,vi, or Notepad).
- Locate the
Edit the
config.yamlfile as follows:receivers: tcplog: # Replace the below port <54525> and IP <0.0.0.0> with your specific values listen_address: "0.0.0.0:54525" exporters: chronicle/chronicle_w_labels: compression: gzip # Adjust the creds location below according the placement of the credentials file you downloaded creds: '{ json file for creds }' # Replace <customer_id> below with your actual ID that you copied customer_id: <customer_id> endpoint: malachiteingestion-pa.googleapis.com # You can apply ingestion labels below as preferred ingestion_labels: log_type: SYSLOG namespace: vmware_nsx raw_log_field: body service: pipelines: logs/source0__chronicle_w_labels-0: receivers: - tcplog exporters: - chronicle/chronicle_w_labelsCHRONICLE_REGION: region where your Google SecOps instance is hosted (for example, US).GOOGLE_PROJECT_NUMBER: BYOP project number (obtain this from C4).LOCATION: Google SecOps region (for example, US).CUSTOMER_ID: Google SecOps customer ID (obtain this from C4).FEED_ID: Feed ID shown on the Feed UI on the new webhook created.
Sample API URL:
Restart Bindplane Agent to apply changes
In Linux, to restart the Bindplane Agent, run the following command:
sudo systemctl restart bindplane-agentIn Windows, to restart the Bindplane Agent, you can either use the Services console or enter the following command:
net stop BindPlaneAgent && net start BindPlaneAgent
Configure Zscaler Cloud Web Security
- Sign in to the Zscaler Analytics Admin console.
- Select Administration > Settings > Nanolog streaming service (NSS).
- Select NSS feeds.
- Click Add.
In the Add NSS feed window that appears, do the following:
- Feed name: enter the feed name.
- NSS type: select either NSS for web or NSS for firewall depending on your requirements.
- NSS name: select NSS virtual machine (VM) that collects logs from the cloud (only one NSS VM can be mapped to a feed).
- Status: select Enabled to activate the feed.
- SIEM IP: enter the syslog server/Bindplane IP address.
- SIEM TCP port: enter the syslog server/Bindplane port number for TCP communication (Zscaler supports only the TCP connection).
- Log type: select Web log or Firewall logs based on the NSS type selected.
- Feed output type: select Custom.
- Feed output format: specify the web log or firewall log.
- User obfuscation: select Disabled to display the login usernames in the output. For random values, select Enabled.
- Time zone: select the appropriate time zone (default time zone is GMT).
- Duplicate logs: enter the number of minutes that NSS takes to send the duplicate logs (you can select the time based on your requirements).
- Transactions filters: there are various parameters available based on which you can filter the logs sent by the NSS Virtual machine.
For more information on different filter sets, see NSS document section in the Help portal.
Use Policy admin console or Analytics admin console:
- To use Policy admin console, click Done.
- To use Analytics admin console, click Save. After the Add NSS feed window is closed, return to the previous window, and the added feed details display under the Configure feeds section.
Use Policy admin console or Analytics admin console:
- To use Policy admin console, do the following:
- In the Configure feeds section, click Save.
- Click Activate now (the status of the result appears in a new window).
- Click Done.
- To use Analytics admin console, click Activate now (the status of the result appears on top of the window).
- To use Policy admin console, do the following:
Configure web and firewall log feed
In the Feed output format field, use the following feeds:
If the collector supports customized format, specify the following web log feed:
|ZSCALER|DATE|%s{mon} %d{dd} %02d{hh}:%02d{mm}:%02d{ss}|NSSFEEDIP|%s{nsssvcip}|CLIENTINTIP|%s{cintip}|RECORDID|%d{recordid}|LOGINNAME|%s{login}|PROTOCOL|%s{proto}|URL|%s{url}|HOST|%s{host}|ACTION|%s{action}|REASON|%s{reason}|RISKSCORE|%d{riskscore}|APPNAME|%s{appname}|APPCLASS|%s{appclass}|REQSIZE|%d{reqsize}|RESPSIZE|%d{respsize}|CTIME|%d{ctime}|URLCLASS|%s{urlclass}|SUPERCAT|%s{urlsupercat}|URLCAT|%s{urlcat}|MALWARECAT|%s{malwarecat}|MALWARECLASS|%s{malwareclass}|THREATNAME|%s{threatname}|FILETYPE|%s{filetype}|FILECLASS|%s{fileclass}|DLPENGINE|%s{dlpeng}|DLPDICT|%s{dlpdict}|BWTHROTTLE|%s{bwthrottle}|LOCATION|%s{location}|DEPARTMENT|%s{dept}|CLIENTIP|%s{cip}|DESTINATIONIP|%s{sip}|REQMETHOD|%s{reqmethod}|RESPCODE|%s{respcode}|USERAGENT|%s{ua}|REFERER|%s{referer}|MD5HASH|%s{bamd5}|DLPRULENAME|%s{dlprulename}|DLPMD5|%s{dlpmd5}|DLPIDENTIFIER|%d{dlpidentifier}|DLPDICTHITCOUNT|%s{dlpdicthitcount}|\n ```
If the collector supports firewall feed subscription, specify the following firewall feed:
|ZSCALERFIREWALL|DATE|%s{mon}%d{dd} %02d{hh}:%02d{mm}:%02d{ss}|CLIENTIP|%s{csip}|RECORDID|%d{recordid}|LOGINNAME|%s{login}|PROTOCOL|%s{ipproto}|ACTION|%s{action}|DESTINATIONIP|%s{cdip}|SOURCEPORT|%d{csport}|DESTINATIONPORT|%d{cdport}|CLIENTTUNIP|%s{tsip}|CLIENTTUNPORT|%d{tsport}|LOCATION|%s{location}|DEPARTMENT|%s{dept}|DESTINATIONCOUNTRY|%s{destcountry}|INCOMINGBYTES|%ld{inbytes}|NETWORKAPP|%s{nwapp}|NETWORKSVC|%s{nwsvc}|RULELABEL|%s{rulelabel}|NATTING|%s{dnat}|SESSIONDURATION|%d{duration}|AGGREGATEDSESSION|%d{numsessions}|AVERAGEDURATION|%d{avgduration}|TUNNELTYPE|%s{ttype}|SERVERDESTPORT|%d{sdport}|SERVERSOURCEIP|%s{ssip}|SERVERSOURCEPORT|%d{ssport}|IPCAT|%s{ipcat}|\n- Select the time zone for the Time field in the output file in the Timezone list. By default, the time zone is set to your organization's time zone.
- Review the configured settings.
- Click Save to test connectivity. If the connection is successful, a green tick accompanied by the message Test Connectivity Successful: OK (200) appears.
For more information about Google SecOps feeds, see Google SecOps feeds documentation. For information about requirements for each feed type, see Feed configuration by type.
If you encounter issues when you create feeds, contact Google SecOps support.
UDM Mapping Table
Field mapping reference: ZSCALER_CASB
The following table lists the log fields of the ZSCALER_CASB log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
sourcetype |
security_result.detection_fields[sourcetype] |
|
objnames2 |
about.resource.name |
|
object_name_2 |
about.resource.name |
|
objtypename2 |
about.resource.resource_subtype |
|
externalownername |
additional.fields[externalownername] |
|
act_cnt |
additional.fields[act_cnt] |
|
attchcomponentfiletypes |
additional.fields[attchcomponentfiletypes] |
|
channel_name |
additional.fields[channel_name] |
|
collabscope |
additional.fields[collabscope] |
|
day |
additional.fields[day] |
|
dd |
additional.fields[dd] |
|
dlpdictcount |
security_result.detection_fields[dlpdictcount] |
If the dlpdictcount log field value is not empty and the dlpdictcount log field value is not equal to None, then the dlpdictcount log field is mapped to the security_result.detection_fields.dlpdictcount UDM field. |
dlpenginenames |
security_result.detection_fields[dlpenginenames] |
If the dlpenginenames log field value is not empty and the dlpenginenames log field value is not equal to None, then the dlpenginenames log field is mapped to the security_result.detection_fields.dlpenginenames UDM field. |
epochlastmodtime |
additional.fields[epochlastmodtime] |
|
extcollabnames |
additional.fields[extcollabnames] |
|
extownername |
additional.fields[extownername] |
|
file_msg_id |
additional.fields[file_msg_id] |
|
fileid |
additional.fields[fileid] |
|
filescantimems |
additional.fields[filescantimems] |
|
filetypecategory |
additional.fields[filetypecategory] |
|
hh |
additional.fields[hh] |
|
messageid |
additional.fields[messageid] |
|
mm |
additional.fields[mm] |
|
mon |
additional.fields[mon] |
|
msgsize |
additional.fields[msgsize] |
|
mth |
additional.fields[mth] |
|
num_ext_recpts |
additional.fields[num_ext_recpts] |
|
num_int_recpts |
additional.fields[num_int_recpts] |
|
numcollab |
additional.fields[numcollab] |
|
rtime |
additional.fields[rtime] |
|
ss |
additional.fields[ss] |
|
suburl |
additional.fields[suburl] |
|
tenant |
additional.fields[tenant] |
|
tz |
additional.fields[tz] |
|
upload_doctypename |
additional.fields[upload_doctypename] |
|
yyyy |
additional.fields[yyyy] |
|
collabnames |
additional.fields[collabnames] |
|
companyid |
additional.fields[companyid] |
|
component |
additional.fields[component] |
|
intcollabnames |
additional.fields[intcollabnames] |
If intcollabnames log field value does not match the regular expression pattern None then, for index in intcollabnames, the index is mapped to the additional.fields.value.list_value UDM field. |
internal_collabnames |
additional.fields[internal_collabnames] |
|
external_collabnames |
additional.fields[externalcollabnames] |
|
num_external_collab |
additional.fields[num_external_collab] |
|
num_internal_collab |
additional.fields[num_internal_collab] |
|
repochtime |
additional.fields[repochtime] |
|
eventtime |
metadata.event_timestamp |
If the eventtime log field value is not empty, then the eventtime log field is mapped to the metadata.event_timestamp UDM field. |
epochtime |
metadata.event_timestamp |
If the epochtime log field value is not empty, then the epochtime log field is mapped to the metadata.event_timestamp UDM field. |
time |
metadata.event_timestamp |
If the time log field value is not empty, then the time log field is mapped to the metadata.event_timestamp UDM field. |
datetime |
metadata.event_timestamp |
If the datetime log field value is not empty, then the datetime log field is mapped to the metadata.event_timestamp UDM field. |
|
metadata.event_type |
The metadata.event_type UDM field is set to USER_UNCATEGORIZED. |
act_type_name |
metadata.product_event_type |
|
recordid |
metadata.product_log_id |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to CASB. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Zscaler. |
sender |
network.email.from |
If the sender log field value matches the regular expression pattern (^.*@.*$), then the sender log field is mapped to the network.email.from UDM field. |
extrecptnames |
network.email.to |
For index in extrecptnames, the index is mapped to the network.email.to UDM field. |
internal_recptnames |
network.email.to |
For index in internal_recptnames, the index is mapped to the network.email.to UDM field. |
external_recptnames |
network.email.to |
For index in external_recptnames, the index is mapped to the network.email.to UDM field. |
intrecptnames |
network.email.to |
For index in intrecptnames, the index is mapped to the network.email.to UDM field. |
applicationname |
principal.application |
If the applicationname log field value is not empty, then the applicationname log field is mapped to the principal.application UDM field.Else, the appname log field is mapped to the principal.application UDM field. |
src_ip |
principal.ip |
|
fullurl |
principal.url |
If the fullurl log field is not empty and the fullurl log field value is not equal to Unknown URL, then the fullurl log field is mapped to the principal.url UDM field. |
is_admin_act |
principal.user.attribute.labels[is_admin_act] |
|
|
principal.user.attribute.roles.type |
If the is_admin_act log field value is equal to 1, then the principal.user.attribute.roles.type UDM field is set to ADMINISTRATOR. |
company |
principal.user.company_name |
|
department |
principal.user.department |
|
dept |
principal.user.department |
|
user |
principal.user.email_addresses |
If the user log field value matches the regular expression pattern (^.*@.*$), then the user log field is mapped to the principal.user.email_addresses UDM field. |
username |
principal.user.email_addresses |
If the username log field value matches the regular expression pattern (^.*@.*$), then the username log field is mapped to the principal.user.email_addresses UDM field. |
owner |
principal.user.email_addresses |
If the owner log field value matches the regular expression pattern (^.*@.*$), then the owner log field is mapped to the principal.user.email_addresses UDM field. |
login |
principal.user.email_addresses |
If the login log field value matches the regular expression pattern (^.*@.*$), then the login log field is mapped to the principal.user.email_addresses UDM field. |
login |
principal.user.userid |
If the login log field value does not match the regular expression pattern ^.+@.+$, then the login log field is mapped to the principal.user.userid UDM field. |
malware |
security_result.associations.name |
|
|
security_result.associations.type |
If the malware log field value is not empty, then the security_result.associations.type UDM field is set to MALWARE. |
dlpdictnames |
security_result.detection_fields[dlpdictnames] |
|
dlpidentifier |
security_result.detection_fields[dlpidentifier] |
|
filedownloadtimems |
additional.fields[filedownloadtimems] |
|
malwareclass |
security_result.detection_fields[malwareclass] |
|
msgid |
security_result.detection_fields[msgid] |
|
oattchcomponentfilenames |
security_result.detection_fields[oattchcomponentfilenames] |
|
obucketname |
security_result.detection_fields[obucketname] |
|
obucketowner |
security_result.detection_fields[obucketowner] |
|
ochannel_name |
security_result.detection_fields[ochannel_name] |
|
ocollabnames |
security_result.detection_fields[ocollabnames] |
|
odlpdictnames |
security_result.detection_fields[odlpdictnames] |
|
odlpenginenames |
security_result.detection_fields[odlpenginenames] |
|
oextcollabnames |
security_result.detection_fields[oextcollabnames] |
|
oexternal_collabnames |
security_result.detection_fields[oexternal_collabnames] |
|
oexternal_recptnames |
security_result.detection_fields[oexternal_recptnames] |
|
oexternalownername |
security_result.detection_fields[oexternalownername] |
|
oextownername |
security_result.detection_fields[oextownername] |
|
oextrecptnames |
security_result.detection_fields[oextrecptnames] |
|
ofile_msg_id |
security_result.detection_fields[ofile_msg_id] |
|
ofileid |
security_result.detection_fields[ofileid] |
|
ofullurl |
security_result.detection_fields[ofullurl] |
|
ohostname |
security_result.detection_fields[ohostname] |
|
ointcollabnames |
security_result.detection_fields[ointcollabnames] |
|
ointernal_collabnames |
security_result.detection_fields[ointernal_collabnames] |
|
ointernal_recptnames |
security_result.detection_fields[ointernal_recptnames] |
|
ointrecptnames |
security_result.detection_fields[ointrecptnames] |
|
omessageid |
security_result.detection_fields[omessageid] |
|
omsgid |
security_result.detection_fields[omsgid] |
|
oowner |
security_result.detection_fields[oowner] |
|
orulelabel |
security_result.detection_fields[orulelabel] |
|
osender |
security_result.detection_fields[osender] |
|
osharedchannel_hostname |
security_result.detection_fields[osharedchannel_hostname] |
|
otenant |
security_result.detection_fields[otenant] |
|
ouser |
security_result.detection_fields[ouser] |
|
any_incident |
security_result.detection_fields[any_incident] |
|
is_inbound |
security_result.detection_fields[is_inbound] |
|
policy |
security_result.rule_labels[policy] |
|
ruletype |
security_result.rule_labels[ruletype] |
|
rulelabel |
security_result.rule_name |
|
|
security_result.severity |
If the severity log field value is equal to High, then the security_result.severity UDM field is set to HIGH.Else, if the severity log field value is equal to Medium, then the security_result.severity UDM field is set to MEDIUM.Else, if the severity log field value is equal to Low, then the security_result.sevrity UDM field is set to LOW.Else, if the severity log field value is equal to Information, then the security_result.severity UDM field is set to INFORMATIONAL. |
threatname |
security_result.threat_name |
If the threatname log field value is not empty and the dlpdictcount log field value is not equal to None, then the threatname log field is mapped to the security_result.threat_name UDM field. |
filesource |
target.file.full_path |
If the filesource log field value is not empty, then the filesource log field is mapped to the target.file.full_path UDM field. |
filepath |
target.file.full_path |
If the filesource log field value is not empty, then the filesource log field is mapped to the target.file.full_path UDM field.Else if the filepath log field value is not empty, then the filepath log field is mapped to the target.file.full_path UDM field. |
lastmodtime |
target.file.last_modification_time |
If the lastmodtime log field value is not empty, then the lastmodtime log field is mapped to the target.file.last_modification_time UDM field. |
file_msg_mod_time |
target.file.last_modification_time |
If the lastmodtime log field value is not empty, then the lastmodtime log field is mapped to the target.file.last_modification_time UDM field.Else if the file_msg_mod_time log field value is not empty, then the file_msg_mod_time log field is mapped to the target.file.fullpath UDM field. |
filemd5 |
target.file.md5 |
If the filemd5 log field value is not equal to None and the filemd5 log field value matches the regular expression pattern ^[a-fA-F0-9]{32}$, then the filemd5 log field is mapped to the target.file.md5 UDM field.Else, if the attchcomponentmd5s log field value matches the regular expression pattern ^[a-fA-F0-9]{32}$, then the attchcomponentmd5s log field is mapped to the target.file.md5 UDM field. |
filetypename |
target.file.mime_type |
|
filename |
target.file.names |
|
attchcomponentfilenames |
target.file.names |
|
sha |
target.file.sha256 |
|
attchcomponentfilesizes |
target.file.size |
If the attchcomponentfilesizes log field value is not empty, then the attchcomponentfilesizes log field is mapped to the target.file.size UDM field. |
filesize |
target.file.size |
If the attchcomponentfilesizes log field value is not empty, then the attchcomponentfilesizes log field is mapped to the target.file.size UDM field.Else if the filesize log field value is not empty, then the filesize log field is mapped to the target.file.size UDM field. |
sharedchannel_hostname |
target.hostname |
If the hostname log field value is not empty, then the hostname log field is mapped to the target.hostname UDM field.Else if the sharedchannel_hostname log field value is not empty, then the sharedchannel_hostname log field is mapped to the target.hostname UDM field. |
hostname |
target.hostname |
If the hostname log field value is not empty, then the hostname log field is mapped to the target.hostname UDM field. |
datacentercity |
target.location.city |
|
datacentercountry |
target.location.country_or_region |
|
datacenter |
target.location.name |
|
bucketowner |
target.resource.attribute.labels[bucketowner] |
|
projectname |
target.resource.attribute.labels[projectname] |
|
bucketname |
target.resource.name |
If the bucketname log field value is not empty, then the bucketname log field is mapped to the target.resource.name UDM field. |
objnames1 |
target.resource.name |
If the objnames1 log field value is not empty, then the objnames1 log field is mapped to the target.resource.name UDM field. |
objectname |
target.resource.name |
If the objectname log field value is not empty, then the objectname log field is mapped to the target.resource.name UDM field. |
reponame |
target.resource.name |
If the reponame log field value is not empty, then the reponame log field is mapped to the target.resource.name UDM field. |
object_name_1 |
target.resource.name |
If the object_name_1 log field value is not empty, then the object_name_1 log field is mapped to the target.resource.name UDM field. |
bucketid |
target.resource.product_object_id |
|
objtypename1 |
target.resource.resource_subtype |
If the objtypename1 log field value is not empty, then the objtypename1 log field is mapped to the target.resource.resource_subtype UDM field. |
objecttype |
target.resource.resource_subtype |
If the objecttype log field value is not empty, then the objecttype log field is mapped to the target.resource.resource_subtype UDM field. |
object_type |
target.resource.resource_subtype |
|
|
target.resource.resource_type |
If the bucketname log field value is not empty, then the target.resource.resource_type UDM field is set to STORAGE_BUCKET.If the reponame log field value is not empty, then the target.resource.resource_type UDM field is set to REPOSITORY. |
Need more help? Get answers from Community members and Google SecOps professionals.