此页面由 Cloud Translation API 翻译。

收集 Zscaler CASB 日志

支持的平台：

Google SecOps SIEM

本文档介绍了如何通过设置 Google Security Operations Feed 来导出 Zscaler CASB 日志，以及日志字段如何映射到 Google SecOps Unified Data Model (UDM) 字段。

如需了解详情，请参阅将数据提取到 Google SecOps 概览。

典型的部署包括 Zscaler CASB 和配置为将日志发送到 Google SecOps 的 Google SecOps Webhook Feed。每个客户部署都可能不同，并且可能更复杂。

登录 Google SecOps 控制台。
依次前往 SIEM 设置 > 收集代理。
下载提取身份验证文件。将该文件安全地保存在将安装 BindPlane 的系统上。

Zscaler CASB：您要从中收集日志的平台。
Google SecOps Feed：Google SecOps Feed 用于从 Zscaler CASB 提取日志并将日志写入 Google SecOps。

安装 Bindplane Agent

Windows 安装

准备工作

确保您有权访问 Zscaler Internet Access 控制台。如需了解详情，请参阅 Secure Internet and SaaS Access ZIA Help。
确保您使用的是 Zscaler CASB 2024 或更高版本。
确保部署架构中的所有系统都使用世界协调时间 (UTC) 时区进行配置。
确保您拥有在 Google SecOps 中完成 Feed 设置所需的 API 密钥。如需了解详情，请参阅设置 API 密钥。

Linux 安装

依次前往 SIEM 设置 > Feed。
点击新增。
在Feed 名称字段中，输入 Feed 的名称（例如 Zscaler CASB 日志）。
选择 Webhook 作为来源类型。
选择 Zscaler CASB 作为日志类型。
点击下一步。
可选：为以下输入参数指定值：
1. 分隔符：用于分隔日志行（如果不使用分隔符，请留空）。
2. 资源命名空间：资源命名空间。
3. 提取标签：要应用于此 Feed 中的事件的标签。
点击下一步。
在最终确定界面中查看新的 Feed 配置，然后点击提交。
点击生成 Secret 密钥以生成用于对此 Feed 进行身份验证的 Secret 密钥。

设置 Zscaler CASB

其他安装资源

如需了解其他安装选项，请参阅此安装指南。

配置 Bindplane Agent 以提取 Syslog 并将其发送到 Google SecOps

访问配置文件：
- 找到 config.yaml 文件。通常，在 Linux 上，该目录位于 /etc/bindplane-agent/ 目录中；在 Windows 上，则位于安装目录中。
- 使用文本编辑器（例如 nano、vi 或记事本）打开该文件。

按如下方式修改 config.yaml 文件：

receivers:
    tcplog:
        # Replace the below port <54525> and IP <0.0.0.0> with your specific values
        listen_address: "0.0.0.0:54525" 

exporters:
    chronicle/chronicle_w_labels:
        compression: gzip
        # Adjust the creds location below according the placement of the credentials file you downloaded
        creds: '{ json file for creds }'
        # Replace <customer_id> below with your actual ID that you copied
        customer_id: <customer_id>
        endpoint: malachiteingestion-pa.googleapis.com
        # You can apply ingestion labels below as preferred
        ingestion_labels:
        log_type: SYSLOG
        namespace: vmware_nsx
        raw_log_field: body
service:
    pipelines:
        logs/source0__chronicle_w_labels-0:
            receivers:
                - tcplog
            exporters:
                - chronicle/chronicle_w_labels

CHRONICLE_REGION：Google SecOps 实例的托管区域（例如 US）。
GOOGLE_PROJECT_NUMBER：自助创建项目的项目编号（请从 C4 获取）。
LOCATION：Google SecOps 区域（例如 US）。
CUSTOMER_ID：Google SecOps 客户 ID（请从 C4 获取）。
FEED_ID：新创建的 webhook 的 Feed 界面上显示的 Feed ID。

API 网址示例：

重启 Bindplane 代理以应用更改

在 Linux 中，如需重启 Bindplane 代理，请运行以下命令：
```
sudo systemctl restart bindplane-agent
```
在 Windows 中，如需重启 Bindplane Agent，您可以使用服务控制台，也可以输入以下命令：
```
net stop BindPlaneAgent && net start BindPlaneAgent
```

配置 Zscaler Cloud Web Security

登录 Zscaler Analytics 管理控制台。
依次选择管理 > 设置 > Nanolog 流式传输服务 (NSS)。
选择 NSS Feed。
点击添加。
在随即显示的添加 NSS Feed 窗口中，执行以下操作：
1. Feed 名称：输入 Feed 名称。
2. NSS 类型：根据您的要求，选择 适用于网站的 NSS 或 适用于防火墙的 NSS。
3. NSS 名称：选择从云端收集日志的 NSS 虚拟机 (VM)（只能将一个 NSS VM 映射到一个 Feed）。
4. 状态：选择已启用以启用 Feed。
5. SIEM IP：输入 syslog 服务器/Bindplane IP 地址。
6. SIEM TCP 端口：输入用于 TCP 通信的 syslog 服务器/Bindplane 端口号（Zscaler 仅支持 TCP 连接）。
7. 日志类型：根据所选的 NSS 类型，选择网站日志或防火墙日志。
8. Feed 输出类型：选择自定义。
9. Feed 输出格式：指定网站日志或防火墙日志。
10. 用户混淆：选择已停用以在输出中显示登录用户名。对于随机值，请选择已启用。
11. 时区：选择适当的时区（默认时区为 GMT）。
12. 重复日志：输入 NSS 发送重复日志所需的分钟数（您可以根据自己的要求选择时间）。
13. 交易过滤条件：您可以根据各种参数过滤 NSS 虚拟机发送的日志。
如需详细了解不同的过滤器组，请参阅帮助门户中的 NSS 文档部分。

注意：不建议配置过滤条件。
使用政策管理控制台或 Google Analytics 管理控制台：
1. 如需使用政策管理控制台，请点击完成。
2. 如需使用 Google Analytics 管理控制台，请点击保存。关闭 Add NSS feed 窗口后，返回上一个窗口，添加的 Feed 详情会显示在 Configure feeds 部分下。
使用政策管理控制台或 Google Analytics 管理控制台：
1. 如需使用政策管理控制台，请执行以下操作：
  - 在配置 Feed 部分，点击保存。
  - 点击立即激活（结果的状态会显示在新窗口中）。
  - 点击完成。
2. 如需使用 Google Analytics 管理控制台，请点击立即启用（结果状态会显示在窗口顶部）。

配置网站和防火墙日志 Feed

在Feed 输出格式字段中，使用以下 Feed：

如果收集器支持自定义格式，请指定以下网站日志 Feed：

|ZSCALER|DATE|%s{mon} %d{dd} %02d{hh}:%02d{mm}:%02d{ss}|NSSFEEDIP|%s{nsssvcip}|CLIENTINTIP|%s{cintip}|RECORDID|%d{recordid}|LOGINNAME|%s{login}|PROTOCOL|%s{proto}|URL|%s{url}|HOST|%s{host}|ACTION|%s{action}|REASON|%s{reason}|RISKSCORE|%d{riskscore}|APPNAME|%s{appname}|APPCLASS|%s{appclass}|REQSIZE|%d{reqsize}|RESPSIZE|%d{respsize}|CTIME|%d{ctime}|URLCLASS|%s{urlclass}|SUPERCAT|%s{urlsupercat}|URLCAT|%s{urlcat}|MALWARECAT|%s{malwarecat}|MALWARECLASS|%s{malwareclass}|THREATNAME|%s{threatname}|FILETYPE|%s{filetype}|FILECLASS|%s{fileclass}|DLPENGINE|%s{dlpeng}|DLPDICT|%s{dlpdict}|BWTHROTTLE|%s{bwthrottle}|LOCATION|%s{location}|DEPARTMENT|%s{dept}|CLIENTIP|%s{cip}|DESTINATIONIP|%s{sip}|REQMETHOD|%s{reqmethod}|RESPCODE|%s{respcode}|USERAGENT|%s{ua}|REFERER|%s{referer}|MD5HASH|%s{bamd5}|DLPRULENAME|%s{dlprulename}|DLPMD5|%s{dlpmd5}|DLPIDENTIFIER|%d{dlpidentifier}|DLPDICTHITCOUNT|%s{dlpdicthitcount}|\n
        ```

如果收集器支持防火墙 Feed 订阅，请指定以下防火墙 Feed：

|ZSCALERFIREWALL|DATE|%s{mon}%d{dd} %02d{hh}:%02d{mm}:%02d{ss}|CLIENTIP|%s{csip}|RECORDID|%d{recordid}|LOGINNAME|%s{login}|PROTOCOL|%s{ipproto}|ACTION|%s{action}|DESTINATIONIP|%s{cdip}|SOURCEPORT|%d{csport}|DESTINATIONPORT|%d{cdport}|CLIENTTUNIP|%s{tsip}|CLIENTTUNPORT|%d{tsport}|LOCATION|%s{location}|DEPARTMENT|%s{dept}|DESTINATIONCOUNTRY|%s{destcountry}|INCOMINGBYTES|%ld{inbytes}|NETWORKAPP|%s{nwapp}|NETWORKSVC|%s{nwsvc}|RULELABEL|%s{rulelabel}|NATTING|%s{dnat}|SESSIONDURATION|%d{duration}|AGGREGATEDSESSION|%d{numsessions}|AVERAGEDURATION|%d{avgduration}|TUNNELTYPE|%s{ttype}|SERVERDESTPORT|%d{sdport}|SERVERSOURCEIP|%s{ssip}|SERVERSOURCEPORT|%d{ssport}|IPCAT|%s{ipcat}|\n

在时区列表中，为输出文件中的 Time 字段选择时区。默认情况下，时区会设为贵组织的时区。
查看已配置的设置。
点击保存以测试连接。如果连接成功，系统会显示一个绿色对勾标记，以及消息 Test Connectivity Successful: OK (200)。

如需详细了解 Google SecOps Feed，请参阅 Google SecOps Feed 文档。如需了解每种 Feed 类型的要求，请参阅按类型配置 Feed。

如果您在创建 Feed 时遇到问题，请与 Google SecOps 支持团队联系。

UDM 映射表

字段映射参考：ZSCALER_CASB

下表列出了 ZSCALER_CASB 日志类型的日志字段及其对应的 UDM 字段。

Log field	UDM mapping	Logic
`sourcetype`	`security_result.detection_fields[sourcetype]`
`objnames2`	`about.resource.name`
`object_name_2`	`about.resource.name`
`objtypename2`	`about.resource.resource_subtype`
`externalownername`	`additional.fields[externalownername]`
`act_cnt`	`additional.fields[act_cnt]`
`attchcomponentfiletypes`	`additional.fields[attchcomponentfiletypes]`
`channel_name`	`additional.fields[channel_name]`
`collabscope`	`additional.fields[collabscope]`
`day`	`additional.fields[day]`
`dd`	`additional.fields[dd]`
`dlpdictcount`	`security_result.detection_fields[dlpdictcount]`	If the `dlpdictcount` log field value is not empty and the `dlpdictcount` log field value is not equal to `None`, then the `dlpdictcount` log field is mapped to the `security_result.detection_fields.dlpdictcount` UDM field.
`dlpenginenames`	`security_result.detection_fields[dlpenginenames]`	If the `dlpenginenames` log field value is not empty and the `dlpenginenames` log field value is not equal to `None`, then the `dlpenginenames` log field is mapped to the `security_result.detection_fields.dlpenginenames` UDM field.
`epochlastmodtime`	`additional.fields[epochlastmodtime]`
`extcollabnames`	`additional.fields[extcollabnames]`
`extownername`	`additional.fields[extownername]`
`file_msg_id`	`additional.fields[file_msg_id]`
`fileid`	`additional.fields[fileid]`
`filescantimems`	`additional.fields[filescantimems]`
`filetypecategory`	`additional.fields[filetypecategory]`
`hh`	`additional.fields[hh]`
`messageid`	`additional.fields[messageid]`
`mm`	`additional.fields[mm]`
`mon`	`additional.fields[mon]`
`msgsize`	`additional.fields[msgsize]`
`mth`	`additional.fields[mth]`
`num_ext_recpts`	`additional.fields[num_ext_recpts]`
`num_int_recpts`	`additional.fields[num_int_recpts]`
`numcollab`	`additional.fields[numcollab]`
`rtime`	`additional.fields[rtime]`
`ss`	`additional.fields[ss]`
`suburl`	`additional.fields[suburl]`
`tenant`	`additional.fields[tenant]`
`tz`	`additional.fields[tz]`
`upload_doctypename`	`additional.fields[upload_doctypename]`
`yyyy`	`additional.fields[yyyy]`
`collabnames`	`additional.fields[collabnames]`
`companyid`	`additional.fields[companyid]`
`component`	`additional.fields[component]`
`intcollabnames`	`additional.fields[intcollabnames]`	If `intcollabnames` log field value does not match the regular expression pattern `None` then, for `index` in `intcollabnames`, the `index` is mapped to the `additional.fields.value.list_value` UDM field.
`internal_collabnames`	`additional.fields[internal_collabnames]`
`external_collabnames`	`additional.fields[externalcollabnames]`
`num_external_collab`	`additional.fields[num_external_collab]`
`num_internal_collab`	`additional.fields[num_internal_collab]`
`repochtime`	`additional.fields[repochtime]`
`eventtime`	`metadata.event_timestamp`	If the `eventtime` log field value is not empty, then the `eventtime` log field is mapped to the `metadata.event_timestamp` UDM field.
`epochtime`	`metadata.event_timestamp`	If the `epochtime` log field value is not empty, then the `epochtime` log field is mapped to the `metadata.event_timestamp` UDM field.
`time`	`metadata.event_timestamp`	If the `time` log field value is not empty, then the `time` log field is mapped to the `metadata.event_timestamp` UDM field.
`datetime`	`metadata.event_timestamp`	If the `datetime` log field value is not empty, then the `datetime` log field is mapped to the `metadata.event_timestamp` UDM field.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_UNCATEGORIZED`.
`act_type_name`	`metadata.product_event_type`
`recordid`	`metadata.product_log_id`
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `CASB`.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Zscaler`.
`sender`	`network.email.from`	If the `sender` log field value matches the regular expression pattern `(^.@.$)`, then the `sender` log field is mapped to the `network.email.from` UDM field.
`extrecptnames`	`network.email.to`	For `index` in `extrecptnames`, the `index` is mapped to the `network.email.to` UDM field.
`internal_recptnames`	`network.email.to`	For `index` in `internal_recptnames`, the `index` is mapped to the `network.email.to` UDM field.
`external_recptnames`	`network.email.to`	For `index` in `external_recptnames`, the `index` is mapped to the `network.email.to` UDM field.
`intrecptnames`	`network.email.to`	For `index` in `intrecptnames`, the `index` is mapped to the `network.email.to` UDM field.
`applicationname`	`principal.application`	If the `applicationname` log field value is not empty, then the `applicationname` log field is mapped to the `principal.application` UDM field. Else, the `appname` log field is mapped to the `principal.application` UDM field.
`src_ip`	`principal.ip`
`fullurl`	`principal.url`	If the `fullurl` log field is not empty and the `fullurl` log field value is not equal to `Unknown URL`, then the `fullurl` log field is mapped to the `principal.url` UDM field.
`is_admin_act`	`principal.user.attribute.labels[is_admin_act]`
	`principal.user.attribute.roles.type`	If the `is_admin_act` log field value is equal to `1`, then the `principal.user.attribute.roles.type` UDM field is set to `ADMINISTRATOR`.
`company`	`principal.user.company_name`
`department`	`principal.user.department`
`dept`	`principal.user.department`
`user`	`principal.user.email_addresses`	If the `user` log field value matches the regular expression pattern `(^.@.$)`, then the `user` log field is mapped to the `principal.user.email_addresses` UDM field.
`username`	`principal.user.email_addresses`	If the `username` log field value matches the regular expression pattern `(^.@.$)`, then the `username` log field is mapped to the `principal.user.email_addresses` UDM field.
`owner`	`principal.user.email_addresses`	If the `owner` log field value matches the regular expression pattern `(^.@.$)`, then the `owner` log field is mapped to the `principal.user.email_addresses` UDM field.
`login`	`principal.user.email_addresses`	If the `login` log field value matches the regular expression pattern `(^.@.$)`, then the `login` log field is mapped to the `principal.user.email_addresses` UDM field.
`login`	`principal.user.userid`	If the `login` log field value does not match the regular expression pattern `^.+@.+$`, then the `login` log field is mapped to the `principal.user.userid` UDM field.
`malware`	`security_result.associations.name`
	`security_result.associations.type`	If the `malware` log field value is not empty, then the `security_result.associations.type` UDM field is set to `MALWARE`.
`dlpdictnames`	`security_result.detection_fields[dlpdictnames]`
`dlpidentifier`	`security_result.detection_fields[dlpidentifier]`
`filedownloadtimems`	`additional.fields[filedownloadtimems]`
`malwareclass`	`security_result.detection_fields[malwareclass]`
`msgid`	`security_result.detection_fields[msgid]`
`oattchcomponentfilenames`	`security_result.detection_fields[oattchcomponentfilenames]`
`obucketname`	`security_result.detection_fields[obucketname]`
`obucketowner`	`security_result.detection_fields[obucketowner]`
`ochannel_name`	`security_result.detection_fields[ochannel_name]`
`ocollabnames`	`security_result.detection_fields[ocollabnames]`
`odlpdictnames`	`security_result.detection_fields[odlpdictnames]`
`odlpenginenames`	`security_result.detection_fields[odlpenginenames]`
`oextcollabnames`	`security_result.detection_fields[oextcollabnames]`
`oexternal_collabnames`	`security_result.detection_fields[oexternal_collabnames]`
`oexternal_recptnames`	`security_result.detection_fields[oexternal_recptnames]`
`oexternalownername`	`security_result.detection_fields[oexternalownername]`
`oextownername`	`security_result.detection_fields[oextownername]`
`oextrecptnames`	`security_result.detection_fields[oextrecptnames]`
`ofile_msg_id`	`security_result.detection_fields[ofile_msg_id]`
`ofileid`	`security_result.detection_fields[ofileid]`
`ofullurl`	`security_result.detection_fields[ofullurl]`
`ohostname`	`security_result.detection_fields[ohostname]`
`ointcollabnames`	`security_result.detection_fields[ointcollabnames]`
`ointernal_collabnames`	`security_result.detection_fields[ointernal_collabnames]`
`ointernal_recptnames`	`security_result.detection_fields[ointernal_recptnames]`
`ointrecptnames`	`security_result.detection_fields[ointrecptnames]`
`omessageid`	`security_result.detection_fields[omessageid]`
`omsgid`	`security_result.detection_fields[omsgid]`
`oowner`	`security_result.detection_fields[oowner]`
`orulelabel`	`security_result.detection_fields[orulelabel]`
`osender`	`security_result.detection_fields[osender]`
`osharedchannel_hostname`	`security_result.detection_fields[osharedchannel_hostname]`
`otenant`	`security_result.detection_fields[otenant]`
`ouser`	`security_result.detection_fields[ouser]`
`any_incident`	`security_result.detection_fields[any_incident]`
`is_inbound`	`security_result.detection_fields[is_inbound]`
`policy`	`security_result.rule_labels[policy]`
`ruletype`	`security_result.rule_labels[ruletype]`
`rulelabel`	`security_result.rule_name`
	`security_result.severity`	If the `severity` log field value is equal to `High`, then the `security_result.severity` UDM field is set to `HIGH`. Else, if the `severity` log field value is equal to `Medium`, then the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `severity` log field value is equal to `Low`, then the `security_result.sevrity` UDM field is set to `LOW`. Else, if the `severity` log field value is equal to `Information`, then the `security_result.severity` UDM field is set to `INFORMATIONAL`.
`threatname`	`security_result.threat_name`	If the `threatname` log field value is not empty and the `dlpdictcount` log field value is not equal to `None`, then the `threatname` log field is mapped to the `security_result.threat_name` UDM field.
`filesource`	`target.file.full_path`	If the `filesource` log field value is not empty, then the `filesource` log field is mapped to the `target.file.full_path` UDM field.
`filepath`	`target.file.full_path`	If the `filesource` log field value is not empty, then the `filesource` log field is mapped to the `target.file.full_path` UDM field. Else if the `filepath` log field value is not empty, then the `filepath` log field is mapped to the `target.file.full_path` UDM field.
`lastmodtime`	`target.file.last_modification_time`	If the `lastmodtime` log field value is not empty, then the `lastmodtime` log field is mapped to the `target.file.last_modification_time` UDM field.
`file_msg_mod_time`	`target.file.last_modification_time`	If the `lastmodtime` log field value is not empty, then the `lastmodtime` log field is mapped to the `target.file.last_modification_time` UDM field. Else if the `file_msg_mod_time` log field value is not empty, then the `file_msg_mod_time` log field is mapped to the `target.file.fullpath` UDM field.
`filemd5`	`target.file.md5`	If the `filemd5` log field value is not equal to `None` and the `filemd5` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `filemd5` log field is mapped to the `target.file.md5` UDM field. Else, if the `attchcomponentmd5s` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `attchcomponentmd5s` log field is mapped to the `target.file.md5` UDM field.
`filetypename`	`target.file.mime_type`
`filename`	`target.file.names`
`attchcomponentfilenames`	`target.file.names`
`sha`	`target.file.sha256`
`attchcomponentfilesizes`	`target.file.size`	If the `attchcomponentfilesizes` log field value is not empty, then the `attchcomponentfilesizes` log field is mapped to the `target.file.size` UDM field.
`filesize`	`target.file.size`	If the `attchcomponentfilesizes` log field value is not empty, then the `attchcomponentfilesizes` log field is mapped to the `target.file.size` UDM field. Else if the `filesize` log field value is not empty, then the `filesize` log field is mapped to the `target.file.size` UDM field.
`sharedchannel_hostname`	`target.hostname`	If the `hostname` log field value is not empty, then the `hostname` log field is mapped to the `target.hostname` UDM field. Else if the `sharedchannel_hostname` log field value is not empty, then the `sharedchannel_hostname` log field is mapped to the `target.hostname` UDM field.
`hostname`	`target.hostname`	If the `hostname` log field value is not empty, then the `hostname` log field is mapped to the `target.hostname` UDM field.
`datacentercity`	`target.location.city`
`datacentercountry`	`target.location.country_or_region`
`datacenter`	`target.location.name`
`bucketowner`	`target.resource.attribute.labels[bucketowner]`
`projectname`	`target.resource.attribute.labels[projectname]`
`bucketname`	`target.resource.name`	If the `bucketname` log field value is not empty, then the `bucketname` log field is mapped to the `target.resource.name` UDM field.
`objnames1`	`target.resource.name`	If the `objnames1` log field value is not empty, then the `objnames1` log field is mapped to the `target.resource.name` UDM field.
`objectname`	`target.resource.name`	If the `objectname` log field value is not empty, then the `objectname` log field is mapped to the `target.resource.name` UDM field.
`reponame`	`target.resource.name`	If the `reponame` log field value is not empty, then the `reponame` log field is mapped to the `target.resource.name` UDM field.
`object_name_1`	`target.resource.name`	If the `object_name_1` log field value is not empty, then the `object_name_1` log field is mapped to the `target.resource.name` UDM field.
`bucketid`	`target.resource.product_object_id`
`objtypename1`	`target.resource.resource_subtype`	If the `objtypename1` log field value is not empty, then the `objtypename1` log field is mapped to the `target.resource.resource_subtype` UDM field.
`objecttype`	`target.resource.resource_subtype`	If the `objecttype` log field value is not empty, then the `objecttype` log field is mapped to the `target.resource.resource_subtype` UDM field.
`object_type`	`target.resource.resource_subtype`
	`target.resource.resource_type`	If the `bucketname` log field value is not empty, then the `target.resource.resource_type` UDM field is set to `STORAGE_BUCKET`. If the `reponame` log field value is not empty, then the `target.resource.resource_type` UDM field is set to `REPOSITORY`.