Collect Zscaler Webproxy logs
This document describes how you can export Zscaler Webproxy logs by setting up a Google Security Operations feed, and how log fields map to Google SecOps Unified Data Model (UDM) fields.
For more information, see Data ingestion to Google SecOps overview.
A typical deployment consists of Zscaler Webproxy and the Google SecOps webhook feed configured to send logs to Google SecOps. Each customer deployment can differ and might be more complex.
The deployment contains the following components:
- Zscaler Webproxy: the platform from which you collect logs.
- Google SecOps feed: the Google SecOps feed that fetches logs from Zscaler Webproxy and writes logs to Google SecOps.
- Google SecOps: retains and analyzes the logs.
An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the ZSCALER_WEBPROXY ingestion label.
Before you begin
Ensure that you meet the following prerequisites:
- Access to the Zscaler Internet Access console. For more information, see Secure Internet and SaaS Access ZIA Help.
- Zscaler Webproxy 2024 or later
- All systems in the deployment architecture are configured with the UTC time zone.
- The API key that is needed to complete the feed setup in Google Security Operations. For more information, see Setting up API keys.
Set up feeds
There are two different entry points to set up feeds in the Google SecOps platform:
- SIEM Settings > Feeds
- Content Hub > Content Packs
Set up feeds from SIEM Settings > Feeds
To configure multiple feeds for different log types within this product family, see Configure feeds by product.
To configure a single feed, follow these steps:
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- In the Feed name field, enter a name for the feed; for example, Zscaler Webproxy Logs.
- Select Webhook as the Source type.
- Select Zscaler as the Log type.
- Click Next.
- Optional: Enter values for the following input parameters:
  - Split delimiter: the delimiter used to separate log lines. Leave blank if a delimiter isn't used.
  - Asset namespace: the asset namespace.
  - Ingestion labels: the label to apply to the events from this feed.
- Click Next.
- Review the new feed configuration, and then click Submit.
- Click Generate Secret Key to generate a secret key to authenticate this feed.
Set up feeds from the Content Hub
Specify values for the following fields:
- Split delimiter: the delimiter used to separate log lines, such as \n.
Advanced options
- Feed name: a prepopulated value that identifies the feed.
- Source type: the method used to collect logs into Google SecOps.
- Asset namespace: the asset namespace.
- Ingestion labels: the label applied to the events from this feed.
- Click Next.
- Review the feed configuration in the Finalize screen, and then click Submit.
- Click Generate Secret Key to generate a secret key to authenticate this feed.
Configure Zscaler Webproxy
- In the Zscaler Internet Access console, click Administration > Nanolog Streaming Service > Cloud NSS Feeds, and then click Add Cloud NSS Feed.
- The Add Cloud NSS Feed window appears. In the Add Cloud NSS Feed window, enter the details.
- Enter a name for the feed in the Feed Name field.
- Select NSS for Web in NSS Type.
- Select the status from the Status list to activate or deactivate the NSS feed.
- Keep the value in the SIEM Rate drop-down as Unlimited. To suppress the output stream due to licensing or other constraints, change the value.
- Select Other in the SIEM Type list.
- Select Disabled in the OAuth 2.0 Authentication list.
- Enter a size limit for an individual HTTP request payload, according to the SIEM's best practice, in Max Batch Size. For example, 512 KB.
- Enter the HTTPS URL of the Chronicle API endpoint in API URL in the following format:
https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
  - CHRONICLE_REGION: the region where your Chronicle instance is hosted. For example, US.
  - GOOGLE_PROJECT_NUMBER: the BYOP project number. Obtain this from C4.
  - LOCATION: the Chronicle region. For example, US.
  - CUSTOMER_ID: the Chronicle customer ID. Obtain this from C4.
  - FEED_ID: the feed ID shown in the feed UI for the newly created webhook.
Sample API URL:
https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs
- Click Add HTTP Header, and then add HTTP headers in the following format:
  - Header 1: Key1: X-goog-api-key and Value1: the API key generated in the Google Cloud BYOP API credentials.
  - Header 2: Key2: X-Webhook-Access-Key and Value2: the API secret key generated in the webhook's "SECRET KEY".
- Select Web Logs in the Log Types list.
- Select JSON in the Feed Output Type list.
- Set the Feed Escape Character to , \ ".
- To add a new field to the Feed Output Format, select Custom in the Feed Output Type list.
- Copy and paste the Feed Output Format and add new fields. Ensure that the key names match the actual field names.
The following is the default Feed Output Format:
\{ "sourcetype" : "zscalernss-web", "event" : \{"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}","reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}","transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}","urlcategory":"%s{urlcat}","serverip":"%s{sip}","requestmethod":"%s{reqmethod}","refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}","ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler","hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}","threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}","threatseverity":"%s{threatseverity}","department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}","dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}","dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}","keyprotectiontype":"%s{keyprotectiontype}"\}\}
- Select the time zone for the Time field in the output file in the Timezone list. By default, the time zone is set to your organization's time zone.
- Review the configured settings.
- Click Save to test connectivity. If the connection is successful, a green check mark appears, accompanied by the message Test Connectivity Successful: OK (200).
For more information about Google SecOps feeds, see Google SecOps feeds documentation. For information about the requirements for each feed type, see Feed configuration by type.
If you encounter issues when you create feeds, contact Google SecOps support.
Supported Zscaler Webproxy log formats
The Zscaler Webproxy parser supports logs in JSON format.
Supported Zscaler Webproxy sample logs
JSON
{ "event": { "ClientIP": "198.51.100.0", "action": "Allowed", "appclass": "Sales and Marketing", "appname": "Trend Micro", "bwthrottle": "NO", "clientpublicIP": "198.51.100.1", "contenttype": "Other", "datetime": "2024-05-06 10:56:04", "department": "Mid-Continent%20Companies", "devicehostname": "dummyhostname", "deviceowner": "dummydeviceowner", "dlpdictionaries": "None", "dlpengine": "None", "event_id": "7365838693731467265", "fileclass": "None", "filetype": "None", "hostname": "dummyhostname.com", "keyprotectiontype": "N/A", "location": "Road%20Warrior", "pagerisk": "0", "product": "NSS", "protocol": "HTTP_PROXY", "reason": "Allowed", "refererURL": "None", "requestmethod": "CONNECT", "requestsize": "606", "responsesize": "65", "serverip": "198.51.10.2", "status": "200", "threatcategory": "None", "threatclass": "None", "threatname": "None", "threatseverity": "None", "transactionsize": "671", "unscannabletype": "None", "url": "dummyurl.com:443", "urlcategory": "SSL - DNI - Bypass", "urlclass": "Bandwidth Loss", "urlsupercategory": "User-defined", "user": "abc@xyz.com", "useragent": "dummyuseragent", "vendor": "Zscaler" }, "sourcetype": "zscalernss-web" }
Field mapping reference
The following table lists the log fields of the ZSCALER_WEBPROXY log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| | metadata.vendor_name | The metadata.vendor_name UDM field is set to Zscaler. |
| | metadata.event_type | If the ClientIP log field value is not empty and the serverip log field value is not empty and the proto log field value contains one of the following values, then the metadata.event_type UDM field is set to NETWORK_HTTP. Else, if the ClientIP log field value is not empty and the serverip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION. Else, if the user log field value is not empty or the deviceowner log field value is not empty, then the metadata.event_type UDM field is set to USER_UNCATEGORIZED. Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
| | metadata.product_name | The metadata.product_name UDM field is set to Web Proxy. |
| sourcetype | additional.fields[sourcetype] | |
| datetime | metadata.event_timestamp | |
| tz | additional.fields[tz] | |
| ss | additional.fields[ss] | |
| mm | additional.fields[mm] | |
| hh | additional.fields[hh] | |
| dd | additional.fields[dd] | |
| mth | additional.fields[mth] | |
| yyyy | additional.fields[yyyy] | |
| mon | additional.fields[mon] | |
| day | additional.fields[day] | |
| department | principal.user.department | |
| b64dept | principal.user.department | |
| edepartment | principal.user.department | |
| user | principal.user.email_addresses | |
| b64login | principal.user.email_addresses | |
| elogin | principal.user.email_addresses | |
| ologin | additional.fields[ologin] | |
| cloudname | principal.user.attribute.labels[cloudname] | |
| company | principal.user.company_name | |
| throttlereqsize | security_result.detection_fields[throttlereqsize] | |
| throttlerespsize | security_result.detection_fields[throttlerespsize] | |
| bwthrottle | security_result.detection_fields[bwthrottle] | |
| | security_result.category | If the bwthrottle log field value is equal to Yes, then the security_result.category UDM field is set to POLICY_VIOLATION. |
| bwclassname | security_result.detection_fields[bwclassname] | |
| obwclassname | security_result.detection_fields[obwclassname] | |
| bwrulename | security_result.rule_name | |
| appname | target.application | |
| appclass | target.security_result.detection_fields[appclass] | |
| module | target.security_result.detection_fields[module] | |
| app_risk_score | target.security_result.risk_score | If the app_risk_score log field value matches the regular expression pattern [0-9]+, then the app_risk_score log field is mapped to the security_result.risk_score UDM field. |
| datacenter | target.location.name | |
| datacentercity | target.location.city | |
| datacentercountry | target.location.country_or_region | |
| dlpdictionaries | security_result.detection_fields[dlpdictionaries] | |
| odlpdict | security_result.detection_fields[odlpdict] | |
| dlpdicthitcount | security_result.detection_fields[dlpdicthitcount] | |
| dlpengine | security_result.detection_fields[dlpengine] | |
| odlpeng | security_result.detection_fields[odlpeng] | |
| dlpidentifier | security_result.detection_fields[dlpidentifier] | |
| dlpmd5 | security_result.detection_fields[dlpmd5] | |
| dlprulename | security_result.rule_name | |
| odlprulename | security_result.detection_fields[odlprulename] | |
| fileclass | additional.fields[fileclass] | |
| filetype | target.file.mime_type | |
| filename | target.file.full_path | |
| b64filename | target.file.full_path | |
| efilename | target.file.full_path | |
| filesubtype | additional.fields[filesubtype] | |
| upload_fileclass | additional.fields[upload_fileclass] | |
| upload_filetype | target.file.mime_type | If the filetype log field value is equal to None and the upload_filetype log field value is not equal to None, then the upload_filetype log field is mapped to the target.file.mime_type UDM field. |
| upload_filename | target.file.full_path | If the filename log field value is equal to None and the upload_filename log field value is not equal to None, then the upload_filename log field is mapped to the target.file.full_path UDM field. |
| b64upload_filename | target.file.full_path | |
| eupload_filename | target.file.full_path | |
| upload_filesubtype | additional.fields[upload_filesubtype] | |
| upload_doctypename | additional.fields[upload_doctypename] | |
| unscannabletype | security_result.detection_fields[unscannabletype] | |
| rdr_rulename | intermediary.security_result.rule_name | |
| b64rdr_rulename | intermediary.security_result.rule_name | |
| | intermediary.resource.resource_type | If the rdr_rulename log field value is not empty, then the intermediary.resource.resource_type UDM field is set to GATEWAY. |
| ordr_rulename | additional.fields[ordr_rulename] | |
| fwd_type | intermediary.resource.attribute.labels[fwd_type] | |
| fwd_gw_name | intermediary.resource.name | |
| b64fwd_gw_name | intermediary.resource.name | |
| ofwd_gw_name | security_result.detection_fields[ofwd_gw_name] | |
| fwd_gw_ip | intermediary.ip | |
| zpa_app_seg_name | additional.fields[zpa_app_seg_name] | |
| b64zpa_app_seg_name | additional.fields[zpa_app_seg_name] | |
| ozpa_app_seg_name | additional.fields[ozpa_app_seg_name] | |
| reqdatasize | additional.fields[reqdatasize] | |
| reqhdrsize | additional.fields[reqhdrsize] | |
| requestsize | network.sent_bytes | |
| respdatasize | additional.fields[respdatasize] | |
| resphdrsize | additional.fields[resphdrsize] | |
| responsesize | network.received_bytes | |
| transactionsize | additional.fields[transactionsize] | |
| contenttype | additional.fields[contenttype] | |
| df_hosthead | security_result.detection_fields[df_hosthead] | |
| df_hostname | security_result.detection_fields[df_hostname] | |
| hostname | target.hostname, target.asset.hostname | |
| b64host | target.hostname, target.asset.hostname | |
| ehost | target.hostname, target.asset.hostname | |
| refererURL | network.http.referral_url | |
| b64referer | network.http.referral_url | |
| ereferer | network.http.referral_url | |
| erefererpath | additional.fields[erefererpath] | |
| refererhost | additional.fields[refererhost] | |
| erefererhost | additional.fields[refererhost] | |
| requestmethod | network.http.method | |
| reqversion | additional.fields[reqversion] | |
| status | network.http.response_code | |
| respversion | additional.fields[respversion] | |
| ua_token | additional.fields[ua_token] | |
| useragent | network.http.user_agent | |
| b64ua | network.http.user_agent | |
| eua | network.http.user_agent | |
| useragent | network.http.parsed_user_agent | |
| b64ua | network.http.parsed_user_agent | |
| eua | network.http.parsed_user_agent | |
| uaclass | additional.fields[uaclass] | |
| url | target.url | |
| b64url | target.url | |
| eurl | target.url | |
| eurlpath | additional.fields[eurlpath] | |
| mobappname | additional.fields[mobappname] | |
| b64mobappname | additional.fields[mobappname] | |
| emobappname | additional.fields[mobappname] | |
| mobappcat | additional.fields[mobappcat] | |
| mobdevtype | additional.fields[mobdevtype] | |
| clt_sport | principal.port | |
| ClientIP | principal.ip | |
| ocip | security_result.detection_fields[ocip] | |
| cpubip | additional.fields[cpubip] | |
| ocpubip | additional.fields[ocpubip] | |
| clientpublicIP | principal.nat_ip | |
| serverip | target.ip | |
| | network.application_protocol | If the protocol log field value contains one of the following values, then the network.application_protocol UDM field is set to HTTP. Else, if the protocol log field value contains one of the following values, then the network.application_protocol UDM field is set to HTTPS. Else, the network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOL. |
| alpnprotocol | additional.fields[alpnprotocol] | |
| trafficredirectmethod | intermediary.resource.attribute.labels[trafficredirectmethod] | |
| location | principal.location.name | |
| elocation | principal.location.name | |
| userlocationname | principal.location.name | If the userlocationname log field value is not equal to None, then the userlocationname log field is mapped to the principal.location.name UDM field. |
| b64userlocationname | principal.location.name | |
| euserlocationname | principal.location.name | |
| rulelabel | security_result.rule_name | If the action log field value is equal to Blocked, then the rulelabel log field is mapped to the security_result.rule_name UDM field. |
| b64rulelabel | security_result.rule_name | |
| erulelabel | security_result.rule_name | |
| ruletype | security_result.rule_type | |
| reason | security_result.description | If the action log field value is equal to Blocked, then the reason log field is mapped to the security_result.description UDM field. |
| action | security_result.action_details | |
| | security_result.action | If the action log field value is equal to Allowed, then the security_result.action UDM field is set to ALLOW. Else, if the action log field value is equal to Blocked, then the security_result.action UDM field is set to BLOCK. |
| urlfilterrulelabel | security_result.rule_name | |
| b64urlfilterrulelabel | security_result.rule_name | |
| eurlfilterrulelabel | security_result.rule_name | |
| ourlfilterrulelabel | security_result.detection_fields[ourlfilterrulelabel] | |
| apprulelabel | target.security_result.rule_name | |
| b64apprulelabel | target.security_result.rule_name | |
| oapprulelabel | security_result.detection_fields[oapprulelabel] | |
| bamd5 | target.file.md5 | |
| sha256 | target.file.sha256 | |
| ssldecrypted | security_result.detection_fields[ssldecrypted] | |
| externalspr | security_result.about.artifact.last_https_certificate.extension.certificate_policies | |
| keyprotectiontype | security_result.about.artifact.last_https_certificate.extension.key_usage | |
| clientsslcipher | network.tls.client.supported_ciphers | |
| clienttlsversion | network.tls.version | |
| clientsslsessreuse | security_result.detection_fields[clientsslsessreuse] | |
| cltsslfailreason | security_result.detection_fields[cltsslfailreason] | |
| cltsslfailcount | security_result.detection_fields[cltsslfailcount] | |
| srvsslcipher | network.tls.cipher | |
| srvtlsversion | security_result.detection_fields[srvtlsversion] | |
| srvocspresult | security_result.detection_fields[srvocspresult] | |
| srvcertchainvalpass | security_result.detection_fields[srvcertchainvalpass] | |
| srvwildcardcert | security_result.detection_fields[srvwildcardcert] | |
| serversslsessreuse | security_result.detection_fields[server_ssl_sess_reuse] | |
| srvcertvalidationtype | security_result.detection_fields[srvcertvalidationtype] | |
| srvcertvalidityperiod | security_result.detection_fields[srvcertvalidityperiod] | |
| is_ssluntrustedca | security_result.detection_fields[is_ssluntrustedca] | |
| is_sslselfsigned | security_result.detection_fields[is_sslselfsigned] | |
| is_sslexpiredca | security_result.detection_fields[is_sslexpiredca] | |
| pagerisk | security_result.risk_score | |
| | security_result.severity | If the pagerisk log field value is greater than or equal to 90 and the pagerisk log field value is less than or equal to 100, then the security_result.severity UDM field is set to CRITICAL. If the pagerisk log field value is greater than or equal to 75 and the pagerisk log field value is less than or equal to 89, then the security_result.severity UDM field is set to HIGH. If the pagerisk log field value is greater than or equal to 46 and the pagerisk log field value is less than or equal to 74, then the security_result.severity UDM field is set to MEDIUM. If the pagerisk log field value is greater than or equal to 1 and the pagerisk log field value is less than or equal to 45, then the security_result.severity UDM field is set to LOW. If the pagerisk log field value is equal to 0, then the security_result.severity UDM field is set to NONE. |
| | security_result.severity_details | If the pagerisk log field value is not empty and the threatseverity log field value is not empty, then the security_result.severity_details UDM field is set to %{pagerisk} - %{threatseverity}. Else, if the threatseverity log field value is not empty, then the threatseverity log field is mapped to the security_result.severity_details UDM field. |
| activity | additional.fields[activity] | |
| is_dst_cntry_risky | additional.fields[is_dst_cntry_risky] | |
| is_src_cntry_risky | additional.fields[is_src_cntry_risky] | |
| prompt_req | additional.fields[prompt_req] | |
| srcip_country | principal.ip_geo_artifact.location.country_or_region | |
| pcapid | security_result.about.file.full_path | |
| all_dlprulenames | security_result.rule_labels[all_dlprulenames] | |
| other_dlprulenames | security_result.rule_labels[other_dlprulenames] | |
| trig_dlprulename | security_result.rule_name | |
| dstip_country | target.ip_geo_artifact.location.country_or_region | |
| srv_dport | target.port | |
| inst_level2_name | target.resource_ancestors.name | |
| inst_level3_name | target.resource_ancestors.name | |
| inst_level2_id | target.resource_ancestors.product_object_id | |
| inst_level3_id | target.resource_ancestors.product_object_id | |
| inst_level2_type | target.resource_ancestors.resource_subtype | |
| inst_level3_type | target.resource_ancestors.resource_subtype | |
| | target.resource_ancestors.resource_type | If the inst_level2_type log field value matches the regular expression pattern organization, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION. Else, if the inst_level2_type log field value matches the regular expression pattern service, then the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE. Else, if the inst_level2_type log field value matches the regular expression pattern policy, then the target.resource_ancestors.resource_type UDM field is set to ACCESS_POLICY. Else, if the inst_level2_type log field value matches the regular expression pattern project, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. Else, if the inst_level2_type log field value matches the regular expression pattern cluster, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER. Else, if the inst_level2_type log field value matches the regular expression pattern container, then the target.resource_ancestors.resource_type UDM field is set to CONTAINER. Else, if the inst_level2_type log field value matches the regular expression pattern pod, then the target.resource_ancestors.resource_type UDM field is set to POD. Else, if the inst_level2_type log field value matches the regular expression pattern repository, then the target.resource_ancestors.resource_type UDM field is set to REPOSITORY. If the inst_level3_type log field value matches the regular expression pattern organization, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION. Else, if the inst_level3_type log field value matches the regular expression pattern service, then the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE. Else, if the inst_level3_type log field value matches the regular expression pattern policy, then the target.resource_ancestors.resource_type UDM field is set to ACCESS_POLICY. Else, if the inst_level3_type log field value matches the regular expression pattern project, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. Else, if the inst_level3_type log field value matches the regular expression pattern cluster, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER. Else, if the inst_level3_type log field value matches the regular expression pattern container, then the target.resource_ancestors.resource_type UDM field is set to CONTAINER. Else, if the inst_level3_type log field value matches the regular expression pattern pod, then the target.resource_ancestors.resource_type UDM field is set to POD. Else, if the inst_level3_type log field value matches the regular expression pattern repository, then the target.resource_ancestors.resource_type UDM field is set to REPOSITORY. |
| inst_level1_name | target.resource.name | |
| inst_level1_id | target.resource.product_object_id | |
| inst_level1_type | target.resource.resource_subtype | |
| | target.resource.resource_type | If the inst_level1_type log field value matches the regular expression pattern organization, then the target.resource.resource_type UDM field is set to CLOUD_ORGANIZATION. Else, if the inst_level1_type log field value matches the regular expression pattern service, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE. Else, if the inst_level1_type log field value matches the regular expression pattern policy, then the target.resource.resource_type UDM field is set to ACCESS_POLICY. Else, if the inst_level1_type log field value matches the regular expression pattern project, then the target.resource.resource_type UDM field is set to CLOUD_PROJECT. Else, if the inst_level1_type log field value matches the regular expression pattern cluster, then the target.resource.resource_type UDM field is set to CLUSTER. Else, if the inst_level1_type log field value matches the regular expression pattern container, then the target.resource.resource_type UDM field is set to CONTAINER. Else, if the inst_level1_type log field value matches the regular expression pattern pod, then the target.resource.resource_type UDM field is set to POD. Else, if the inst_level1_type log field value matches the regular expression pattern repository, then the target.resource.resource_type UDM field is set to REPOSITORY. |
| app_status | target.security_result.detection_fields[app_status] | |
| threatname | security_result.threat_name | |
| b64threatname | security_result.threat_name | |
| threatcategory | security_result.associations.name | |
| threatclass | security_result.associations.description | |
| urlclass | security_result.detection_fields[urlclass] | |
| urlsupercategory | security_result.category_details | |
| urlcategory | security_result.category_details | |
| b64urlcat | security_result.category_details | |
| ourlcat | security_result.detection_fields[ourlcat] | |
| urlcatmethod | security_result.detection_fields[urlcatmethod] | |
| bypassed_traffic | security_result.detection_fields[bypassed_traffic] | |
| bypassed_etime | security_result.detection_fields[bypassed_etime] | |
| deviceappversion | additional.fields[deviceappversion] | |
| devicehostname | principal.asset.hostname | |
| odevicehostname | security_result.detection_fields[odevicehostname] | |
| devicemodel | principal.asset.hardware.model | |
| devicename | principal.asset.asset_id | |
| odevicename | security_result.detection_fields[odevicename] | |
| | principal.asset.platform_software.platform | If the deviceostype log field value matches the regular expression pattern (?i)iOS, then the principal.asset.platform_software.platform UDM field is set to IOS. Else, if the deviceostype log field value matches the regular expression pattern (?i)Android, then the principal.asset.platform_software.platform UDM field is set to ANDROID. Else, if the deviceostype log field value matches the regular expression pattern (?i)Windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS. Else, if the deviceostype log field value matches the regular expression pattern (?i)MAC, then the principal.asset.platform_software.platform UDM field is set to MAC. Else, if the deviceostype log field value matches the regular expression pattern (?i)Other, then the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM. |
| deviceosversion | principal.asset.software.version | |
| deviceowner | principal.user.userid | |
| odeviceowner | security_result.detection_fields[odeviceowner] | |
| devicetype | principal.asset.category | |
| external_devid | additional.fields[external_devid] | |
| flow_type | additional.fields[flow_type] | |
| ztunnelversion | additional.fields[ztunnelversion] | |
| event_id | metadata.product_log_id | |
| productversion | metadata.product_version | |
| nsssvcip | about.ip | |
| eedone | additional.fields[eedone] | |
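
The conditional rows of the mapping table, worked through in Python as an added example (this is not Google's parser code): it applies the documented rules for metadata.event_type, security_result.action, severity, severity_details, category and the upload_filetype fallback to the sample record from this page and to one constructed blocked record. The http_protocols argument is an assumption, because the page does not list the protocol values that select NETWORK_HTTP; the "constructed" values are made up for illustration.

```python
import json

# Record from this page's sample log, trimmed to the fields read below.
SAMPLE = json.loads("""{"sourcetype": "zscalernss-web", "event": {
  "ClientIP": "198.51.100.0", "serverip": "198.51.10.2", "protocol": "HTTP_PROXY",
  "action": "Allowed", "reason": "Allowed", "pagerisk": "0",
  "threatseverity": "None", "bwthrottle": "NO", "filetype": "None",
  "user": "abc@xyz.com", "deviceowner": "dummydeviceowner"}}""")

# Constructed record (not from the page): a blocked, throttled upload.
BLOCKED = {"event": dict(
    SAMPLE["event"], action="Blocked", reason="constructed block reason",
    rulelabel="constructed-rule", pagerisk="82", threatseverity="High",
    bwthrottle="Yes", upload_filetype="ZIP")}

# pagerisk bands from the security_result.severity row (inclusive bounds).
SEVERITY_BANDS = ((90, 100, "CRITICAL"), (75, 89, "HIGH"),
                  (46, 74, "MEDIUM"), (1, 45, "LOW"), (0, 0, "NONE"))


def severity(pagerisk):
    """Return the severity band for a pagerisk string, or None if unmapped."""
    text = str(pagerisk)
    if not (text.isascii() and text.isdigit()):
        return None  # empty or non-numeric input matches no band
    score = int(text)
    for low, high, name in SEVERITY_BANDS:
        if low <= score <= high:
            return name
    return None  # above 100: the table defines no severity


def event_type(ev, http_protocols=()):
    """Walk the metadata.event_type decision chain in the table's order."""
    has_flow = bool(ev.get("ClientIP")) and bool(ev.get("serverip"))
    proto = ev.get("protocol", "")
    # Assumption: the page omits the protocol values, so the caller supplies them.
    if has_flow and any(p in proto for p in http_protocols):
        return "NETWORK_HTTP"
    if has_flow:
        return "NETWORK_CONNECTION"
    if ev.get("user") or ev.get("deviceowner"):
        return "USER_UNCATEGORIZED"
    return "GENERIC_EVENT"


def to_udm(record, http_protocols=()):
    """Apply the table's conditional rows to one raw record (partial UDM)."""
    ev = record["event"]
    action = ev.get("action")
    result = {
        "action_details": action,
        # Only Allowed and Blocked have a documented mapping.
        "action": {"Allowed": "ALLOW", "Blocked": "BLOCK"}.get(action),
        "severity": severity(ev.get("pagerisk", "")),
    }
    if action == "Blocked":
        # rulelabel and reason are mapped only for blocked transactions.
        result["rule_name"] = ev.get("rulelabel")
        result["description"] = ev.get("reason")
    if ev.get("bwthrottle") == "Yes":
        result["category"] = "POLICY_VIOLATION"
    risk, threat_sev = ev.get("pagerisk"), ev.get("threatseverity")
    if risk and threat_sev:
        result["severity_details"] = f"{risk} - {threat_sev}"
    elif threat_sev:
        result["severity_details"] = threat_sev
    # upload_filetype replaces filetype only when filetype is the string None.
    mime = ev.get("filetype")
    if mime == "None" and ev.get("upload_filetype", "None") != "None":
        mime = ev["upload_filetype"]
    return {
        "metadata": {"vendor_name": "Zscaler", "product_name": "Web Proxy",
                     "event_type": event_type(ev, http_protocols)},
        "security_result": result,
        "target": {"file": {"mime_type": mime}},
    }


if __name__ == "__main__":
    for name, rec in (("sample", SAMPLE), ("blocked", BLOCKED)):
        print(name, json.dumps(to_udm(rec), indent=2))
```

Read literally, the table gives the sample record a severity_details of 0 - None because the string None is not empty, and leaves rule_name and description unset for any event whose action is not Blocked, which matters when writing detections over allowed traffic.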