Recolha registos do Zscaler CASB

Este documento descreve como pode exportar registos do Zscaler CASB configurando um feed do Google Security Operations e mapeando campos de registo para o modelo de dados unificado (UDM).

Para mais informações, consulte o artigo Vista geral da ingestão de dados no Google SecOps.

Uma implementação típica consiste no Zscaler CASB e num feed de webhook do Google SecOps configurado para enviar registos para o Google SecOps. No entanto, os detalhes da implementação podem variar consoante o cliente e podem ser mais complexos.

A implementação contém os seguintes componentes:

Zscaler CASB: a plataforma a partir da qual recolhe registos.
Feed do Google SecOps: o feed do Google SecOps que obtém registos do Zscaler CASB e escreve registos no Google SecOps.
Google SecOps: retém e analisa os registos.

Uma etiqueta de carregamento identifica o analisador que normaliza os dados de registo não processados para o formato UDM estruturado. Este documento aplica-se especificamente ao analisador associado à etiqueta de carregamento ZSCALER_CASB.

Antes de começar

Certifique-se de que tem acesso à consola do Zscaler Internet Access. Para mais informações, consulte o artigo Ajuda do ZIA sobre o acesso seguro à Internet e ao SaaS.
Certifique-se de que está a usar a versão 1.0 ou 2.0 do Zscaler CASB.
Certifique-se de que todos os sistemas na arquitetura de implementação estão configurados com o fuso horário UTC.
Certifique-se de que tem a chave da API necessária para concluir a configuração do feed no Google SecOps. Para mais informações, consulte o artigo Configurar chaves de API.

Configure feeds

Para configurar este tipo de registo, siga estes passos:

Aceda a Definições do SIEM > Feeds.
Clique em Adicionar novo feed.
Clique no pacote de feeds Zscaler.
Localize o tipo de registo necessário e clique em Adicionar novo feed.
Introduza valores para os seguintes parâmetros de entrada:
- Tipo de origem: webhook (recomendado)
- Delimitador de divisão: o caráter usado para separar linhas de registos. Deixe em branco se não for usado nenhum delimitador.
Opções avançadas
- Nome do feed: um valor pré-preenchido que identifica o feed.
- Espaço de nomes do recurso: espaço de nomes associado ao feed.
- Etiquetas de carregamento: etiquetas aplicadas a todos os eventos deste feed.
Clique em Criar feed.

Para mais informações sobre a configuração de vários feeds para diferentes tipos de registos nesta família de produtos, consulte o artigo Configure feeds por produto.

Configure o Zscaler CASB

Na consola do Zscaler Internet Access, clique em Administração > Serviço de streaming de nanologs > Feeds NSS na nuvem > Adicionar feed NSS na nuvem.
Na janela Adicionar feed do NSS na nuvem, introduza os detalhes.
No campo Nome do feed, introduza um nome exclusivo para o feed.
Selecione Zscaler for Web em Tipo de NSS.
Na lista Estado, selecione um estado para ativar ou desativar o feed NSS.
Deixe a Taxa de SIEM como Ilimitada, a menos que precise de limitar a stream de saída devido a licenciamento ou outras restrições.
Na lista Tipo de SIEM, selecione Outro.
Na lista Autenticação OAuth 2.0, selecione Desativada.
No campo Tamanho máximo do lote, introduza um limite de tamanho para uma carga útil de pedido HTTP individual de acordo com a prática recomendada do SIEM; por exemplo, 512 KB.
No campo URL da API, introduza o URL HTTPS do ponto final da API Chronicle no seguinte formato:
```
  https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
```
- CHRONICLE_REGION: região onde a sua instância do Google SecOps está alojada. Por exemplo, US.
- GOOGLE_PROJECT_NUMBER: o número do seu projeto BYOP. Obtenha-o a partir do C4.
- LOCATION: região do Chronicle (Google SecOps) (igual a CHRONICLE_REGION). Por exemplo, US.
- CUSTOMER_ID: o seu ID de cliente do Google SecOps. Obtenha a partir de C4.
- FEED_ID: ID do feed de webhook recém-criado (apresentado na IU do feed).
- URL da API de exemplo:
```
https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs
```
Clique em Adicionar cabeçalho HTTP e, de seguida, adicione cabeçalhos HTTP no seguinte formato:
- Header 1: Key1: X-goog-api-key e Value1: chave da API gerada a partir das credenciais da API do Google Cloud BYOP.
- Header 2: Key2: X-Webhook-Access-Key e Value2: chave secreta da API gerada na "CHAVE SECRETA" do webhook.
Na lista Tipos de registos, selecione Segurança de SaaS ou Atividade de segurança de SaaS.
Na lista Tipo de saída do feed, selecione JSON.
Desative a notação de matriz JSON.
Defina o caráter de escape do feed como , \ ".
Na lista Tipo de saída do feed, selecione Personalizado para adicionar um novo campo ao Formato de saída do feed.
Copie e cole o Formato de saída do feed e, em seguida, adicione novos campos, conforme necessário. Certifique-se de que os nomes das chaves correspondem aos nomes dos campos reais.

Seguem-se os formatos de saída de feeds predefinidos:

Segurança de SaaS

\{ "sourcetype" : "zscalernss-casb", "event" :\{"datetime":"%s{time}","recordid":"%d{recordid}","company":"%s{company}","tenant":"%s{tenant}","login":"%s{user}","dept":"%s{department}","applicationname":"%s{applicationname}","filename":"%s{filename}","filesource":"%s{filesource}","filemd5":"%s{filemd5}","threatname":"%s{threatname}","policy":"%s{policy}","dlpdictnames":"%s{dlpdictnames}","dlpdictcount":"%s{dlpdictcount}","dlpenginenames":"%s{dlpenginenames}","fullurl":"%s{fullurl}","lastmodtime":"%s{lastmodtime}","filescantimems":"%d{filescantimems}","filedownloadtimems":"%d{filedownloadtimems}"\}\}

Atividade de segurança do SaaS

\{ "sourcetype" : "zscalernss-casb", "event" :\{"login":"%s{username}","tenant":"%s{tenant}","object_type":"%d{objtype1}","applicationname":"%s{appname}","object_name_1":"%s{objnames1}","object_name_2":"%s{objnames2}"\}\}

Na lista Fuso horário, selecione o fuso horário para o campo Hora no ficheiro de saída. Por predefinição, o fuso horário é definido como o fuso horário da sua organização.
Reveja as definições configuradas.
Clique em Guardar para testar a conetividade. Se a associação for bem-sucedida, é apresentado um visto verde acompanhado da mensagem Test Connectivity Successful: OK (200).

Para mais informações sobre feeds do Google SecOps, consulte a documentação de feeds do Google SecOps. Para obter informações sobre os requisitos de cada tipo de feed, consulte o artigo Configuração do feed por tipo.

Se tiver problemas ao criar feeds, contacte o apoio técnico da Google SecOps.

Referência de mapeamento de campos

Referência de mapeamento de campos: ZSCALER_CASB

A tabela seguinte apresenta os campos de registo do ZSCALER_CASB tipo de registo e os respetivos campos UDM.

Log field	UDM mapping	Logic
`sourcetype`	`additional.fields[sourcetype]`
`objnames2`	`about.resource.name`
`object_name_2`	`about.resource.name`
`objtypename2`	`about.resource.resource_subtype`
`externalownername`	`additional.fields[externalownername]`
`act_cnt`	`additional.fields[act_cnt]`
`attchcomponentfiletypes`	`additional.fields[attchcomponentfiletypes]`
`channel_name`	`additional.fields[channel_name]`
`collabscope`	`additional.fields[collabscope]`
`day`	`additional.fields[day]`
`dd`	`additional.fields[dd]`
`dlpdictcount`	`security_result.detection_fields[dlpdictcount]`	If the `dlpdictcount` log field value is not empty and the `dlpdictcount` log field value is not equal to `None`, then the `dlpdictcount` log field is mapped to the `security_result.detection_fields.dlpdictcount` UDM field.
`dlpenginenames`	`security_result.detection_fields[dlpenginenames]`	If the `dlpenginenames` log field value is not empty and the `dlpenginenames` log field value is not equal to `None`, then the `dlpenginenames` log field is mapped to the `security_result.detection_fields.dlpenginenames` UDM field.
`epochlastmodtime`	`additional.fields[epochlastmodtime]`
`extcollabnames`	`additional.fields[extcollabnames]`
`extownername`	`additional.fields[extownername]`
`file_msg_id`	`additional.fields[file_msg_id]`
`fileid`	`additional.fields[fileid]`
`filescantimems`	`additional.fields[filescantimems]`
`filetypecategory`	`additional.fields[filetypecategory]`
`hh`	`additional.fields[hh]`
`messageid`	`additional.fields[messageid]`
`mm`	`additional.fields[mm]`
`mon`	`additional.fields[mon]`
`msgsize`	`additional.fields[msgsize]`
`mth`	`additional.fields[mth]`
`num_ext_recpts`	`additional.fields[num_ext_recpts]`
`num_int_recpts`	`additional.fields[num_int_recpts]`
`numcollab`	`additional.fields[numcollab]`
`rtime`	`additional.fields[rtime]`
`ss`	`additional.fields[ss]`
`suburl`	`additional.fields[suburl]`
`tenant`	`additional.fields[tenant]`
`tz`	`additional.fields[tz]`
`upload_doctypename`	`additional.fields[upload_doctypename]`
`yyyy`	`additional.fields[yyyy]`
`collabnames`	`additional.fields[collabnames]`
`companyid`	`additional.fields[companyid]`
`component`	`additional.fields[component]`
`intcollabnames`	`additional.fields[intcollabnames]`	If `intcollabnames` log field value does not match the regular expression pattern `None` then, for `index` in `intcollabnames`, the `index` is mapped to the `additional.fields.value.list_value` UDM field.
`internal_collabnames`	`additional.fields[internal_collabnames]`
`external_collabnames`	`additional.fields[external_collabnames]`
`num_external_collab`	`additional.fields[num_external_collab]`
`num_internal_collab`	`additional.fields[num_internal_collab]`
`repochtime`	`additional.fields[repochtime]`
`eventtime`	`metadata.event_timestamp`	If the `eventtime` log field value is not empty, then the `eventtime` log field is mapped to the `metadata.event_timestamp` UDM field.
`epochtime`	`metadata.event_timestamp`	If the `epochtime` log field value is not empty, then the `epochtime` log field is mapped to the `metadata.event_timestamp` UDM field.
`time`	`metadata.event_timestamp`	If the `time` log field value is not empty, then the `time` log field is mapped to the `metadata.event_timestamp` UDM field.
`datetime`	`metadata.event_timestamp`	If the `datetime` log field value is not empty, then the `datetime` log field is mapped to the `metadata.event_timestamp` UDM field.
	`metadata.event_type`	If `principal.ip` is not empty or `principal.hostname` is not empty, and `target.ip` is not empty, then `metadata.event_type` is set to `NETWORK_CONNECTION`. Else if any of the following UDM fields are empty: `principal.user.userid`, `principal.user.email_addresses`, `principal.hostname`, `principal.asset_id`, `principal.ip`, `principal.mac`, `target.hostname`, `target.asset_id`, `target.ip`, `target.mac`, `target.user.email_addresses`, `target.user.userid`, then `metadata.event_type` is set to `USER_UNCATEGORIZED`. Else if any of the following UDM fields are empty: `principal.hostname`, `principal.asset_id`, `principal.ip`, `principal.mac`, then `metadata.event_type` is set to `STATUS_UPDATE`.
`act_type_name`	`metadata.product_event_type`
`recordid`	`metadata.product_log_id`
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `CASB`.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Zscaler`.
`sender`	`network.email.from`	If the `sender` log field value matches the regular expression pattern `(^.@.$)`, then the `sender` log field is mapped to the `network.email.from` UDM field.
`extrecptnames`	`network.email.to`	For `index` in `extrecptnames`, the `index` is mapped to the `network.email.to` UDM field.
`internal_recptnames`	`network.email.to`	For `index` in `internal_recptnames`, the `index` is mapped to the `network.email.to` UDM field.
`external_recptnames`	`network.email.to`	For `index` in `external_recptnames`, the `index` is mapped to the `network.email.to` UDM field.
`intrecptnames`	`network.email.to`	For `index` in `intrecptnames`, the `index` is mapped to the `network.email.to` UDM field.
`applicationname`	`principal.application`	If the `applicationname` log field value is not empty, then the `applicationname` log field is mapped to the `principal.application` UDM field. Else, the `appname` log field is mapped to the `principal.application` UDM field.
`appname`	`principal.application`	If the `applicationname` log field value is not empty, then the `applicationname` log field is mapped to the `principal.application` UDM field. Else, the `appname` log field is mapped to the `principal.application` UDM field.
`src_ip`	`principal.ip`
`fullurl`	`principal.url`	If the `fullurl` log field is not empty and the `fullurl` log field value is not equal to `Unknown URL`, then the `fullurl` log field is mapped to the `principal.url` UDM field.
`is_admin_act`	`principal.user.attribute.labels[is_admin_act]`
	`principal.user.attribute.roles.type`	If the `is_admin_act` log field value is equal to `1`, then the `principal.user.attribute.roles.type` UDM field is set to `ADMINISTRATOR`.
`company`	`principal.user.company_name`
`department`	`principal.user.department`	If the `dept` log field value is not empty, then the `dept` log field is mapped to the `principal.user.department` UDM field. Else, the `department` log field is mapped to the `principal.user.department` UDM field.
`dept`	`principal.user.department`	If the `dept` log field value is not empty, then the `dept` log field is mapped to the `principal.user.department` UDM field. Else, the `department` log field is mapped to the `principal.user.department` UDM field.
`user`	`principal.user.email_addresses`	If the `user` log field value matches the regular expression pattern `(^.@.$)`, then the `user` log field is mapped to the `principal.user.email_addresses` UDM field.
`username`	`principal.user.email_addresses`	If the `username` log field value matches the regular expression pattern `(^.@.$)`, then the `username` log field is mapped to the `principal.user.email_addresses` UDM field.
`owner`	`principal.user.email_addresses`	If the `owner` log field value matches the regular expression pattern `(^.@.$)`, then the `owner` log field is mapped to the `principal.user.email_addresses` UDM field.
`login`	`principal.user.email_addresses`	If the `login` log field value matches the regular expression pattern `(^.@.$)`, then the `login` log field is mapped to the `principal.user.email_addresses` UDM field.
`login`	`principal.user.userid`	If the `login` log field value does not match the regular expression pattern `^.+@.+$`, then the `login` log field is mapped to the `principal.user.userid` UDM field.
`malware`	`security_result.associations.name`
	`security_result.associations.type`	If the `malware` log field value is not empty, then the `security_result.associations.type` UDM field is set to `MALWARE`.
`dlpdictnames`	`security_result.detection_fields[dlpdictnames]`
`dlpidentifier`	`security_result.detection_fields[dlpidentifier]`
`filedownloadtimems`	`additional.fields[filedownloadtimems]`
`malwareclass`	`security_result.threat_name`
`msgid`	`additional.fields[msgid]`
`oattchcomponentfilenames`	`target.file.names`
`obucketname`	`target.resource.name`
`obucketowner`	`target.resource.attribute.labels[obucketowner]`
`ochannel_name`	`additional.fields[ochannel_name]`
`ocollabnames`	`additional.fields[ocollabnames]`
`odlpdictnames`	`security_result.detection_fields[odlpdictnames]`
`odlpenginenames`	`security_result.detection_fields[odlpenginenames]`
`oextcollabnames`	`additional.fields[oextcollabnames]`
`oexternal_collabnames`	`additional.fields[oexternal_collabnames]`
`oexternal_recptnames`	`network.email.to`
`oexternalownername`	`additional.fields[oexternalownername]`
`oextownername`	`additional.fields[oextownername]`
`oextrecptnames`	`network.email.to`
`ofile_msg_id`	`additional.fields[ofile_msg_id]`
`ofileid`	`additional.fields[ofileid]`
`ofullurl`	`principal.url`	If the `ofullurl` log field is not empty and the `ofullurl` log field value is not equal to `Unknown URL`, then the `ofullurl` log field is mapped to the `principal.url` UDM field.
`ohostname`	`target.hostname`
`ointcollabnames`	`additional.fields[ointcollabnames]`
`ointernal_collabnames`	`additional.fields[ointernal_collabnames]`
`ointernal_recptnames`	`network.email.to`
`ointrecptnames`	`network.email.to`
`omessageid`	`additional.fields[omessageid]`
`omsgid`	`additional.fields[omsgid]`
`oowner`	`principal.user.email_addresses`	If the `oowner` log field value matches the regular expression pattern `(^.@.$)`, then the `oowner` log field is mapped to the `principal.user.email_addresses` UDM field.
`orulelabel`	`security_result.rule_name`
`osender`	`network.email.from`	If the `osender` log field value matches the regular expression pattern `(^.@.$)`, then the `osender` log field is mapped to the `network.email.from` UDM field.
`osharedchannel_hostname`	`target.hostname`
`otenant`	`additional.fields[otenant]`
`ouser`	`principal.user.email_addresses`	If the `ouser` log field value matches the regular expression pattern `(^.@.$)`, then the `ouser` log field is mapped to the `principal.user.email_addresses` UDM field.
`any_incident`	`security_result.detection_fields[any_incident]`
`is_inbound`	`security_result.detection_fields[is_inbound]`
`policy`	`security_result.rule_labels[policy]`
`ruletype`	`security_result.rule_labels[ruletype]`
`rulelabel`	`security_result.rule_name`
	`security_result.severity`	If the `severity` log field value is equal to `High`, then the `security_result.severity` UDM field is set to `HIGH`. Else, if the `severity` log field value is equal to `Medium`, then the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `severity` log field value is equal to `Low`, then the `security_result.sevrity` UDM field is set to `LOW`. Else, if the `severity` log field value is equal to `Information`, then the `security_result.severity` UDM field is set to `INFORMATIONAL`.
`threatname`	`security_result.threat_name`	If the `threatname` log field value is not empty and the `dlpdictcount` log field value is not equal to `None`, then the `threatname` log field is mapped to the `security_result.threat_name` UDM field.
`filesource`	`target.file.full_path`	If `filepath` is not empty, then the `filepath` log field is mapped to the `target.file.full_path` UDM field. Else if `filesource` is not empty, then the `filesource` log field is mapped to the `target.file.full_path` UDM field.
`filepath`	`target.file.full_path`	If `filepath` is not empty, then the `filepath` log field is mapped to the `target.file.full_path` UDM field. Else if `filesource` is not empty, then the `filesource` log field is mapped to the `target.file.full_path` UDM field.
`lastmodtime`	If the `file_msg_mod_time` log field value is not empty, then the `file_msg_mod_time` log field is mapped to the `target.file.last_modification_time` UDM field. Else if the `lastmodtime` log field value is not empty, then the `lastmodtime` log field is mapped to the `target.file.last_modification_time` UDM field.
`file_msg_mod_time`	`target.file.last_modification_time`	If the `file_msg_mod_time` log field value is not empty, then the `file_msg_mod_time` log field is mapped to the `target.file.last_modification_time` UDM field. Else if the `lastmodtime` log field value is not empty, then the `lastmodtime` log field is mapped to the `target.file.last_modification_time` UDM field.
`filemd5`	`target.file.md5`	If the `attchcomponentmd5s` log field value is not equal to empty and the `attchcomponentmd5s` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `attchcomponentmd5s` log field is mapped to the `target.file.md5` UDM field. Else, if the `filemd5` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `filemd5` log field is mapped to the `target.file.md5` UDM field.
`filetypename`	`target.file.mime_type`
`filename`	`target.file.names`
`attchcomponentfilenames`	`target.file.names`
`attchcomponentfilesizes`	`target.file.size`	If the `filesize` log field value is not empty, then the `filesize` log field is mapped to the `target.file.size` UDM field. Else if the `attchcomponentfilesizes` log field value is not empty, then the `attchcomponentfilesizes` log field is mapped to the `target.file.size` UDM field.
`b64attchcomponentfilesizes`	`target.file.size`	If the `filesize` log field value is not empty, then the `filesize` log field is mapped to the `target.file.size` UDM field. Else if the `b64attchcomponentfilesizes` log field value is not empty, then the `b64attchcomponentfilesizes` log field is mapped to the `target.file.size` UDM field.
`sha`	`target.file.sha256`	If the `sha` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `sha` log field is mapped to the `target.file.sha256` UDM field.
`filesize`	`target.file.size`	If the `filesize` log field value is not empty, then the `filesize` log field is mapped to the `target.file.size` UDM field. Else if the `attchcomponentfilesizes` log field value is not empty, then the `attchcomponentfilesizes` log field is mapped to the `target.file.size` UDM field.
`sharedchannel_hostname`	`target.hostname`
`hostname`	`target.hostname`	If the `sharedchannel_hostname` log field value is empty and the `osharedchannel_hostname` log field value is empty, then the `hostname` log field is mapped to the `target.hostname` UDM field.
`datacentercity`	`target.location.city`
`datacentercountry`	`target.location.country_or_region`
`datacenter`	`target.location.name`
`bucketowner`	`target.resource.attribute.labels[bucketowner]`
`projectname`	`target.resource.attribute.labels[projectname]`
`bucketname`	`target.resource.name`	If the `bucketname` log field value is not empty, then the `bucketname` log field is mapped to the `target.resource.name` UDM field.
`objnames1`	`target.resource.name`	If the `objnames1` log field value is not empty, then the `objnames1` log field is mapped to the `target.resource.name` UDM field.
`objectname`	`target.resource.name`	If the `objectname` log field value is not empty, then the `objectname` log field is mapped to the `target.resource.name` UDM field.
`reponame`	`target.resource.name`	If the `reponame` log field value is not empty, then the `reponame` log field is mapped to the `target.resource.name` UDM field.
`object_name_1`	`target.resource.name`	If the `object_name_1` log field value is not empty, then the `object_name_1` log field is mapped to the `target.resource.name` UDM field.
`bucketid`	`target.resource.product_object_id`
`objtypename1`	`target.resource.resource_subtype`	If the `objtypename1` log field value is not empty, then the `objtypename1` log field is mapped to the `target.resource.resource_subtype` UDM field.
`objecttype`	`target.resource.resource_subtype`	If the `objecttype` log field value is not empty, then the `objecttype` log field is mapped to the `target.resource.resource_subtype` UDM field.
`object_type`	`target.resource.resource_subtype`
	`target.resource.resource_type`	If the `bucketname` log field value is not empty, then the `target.resource.resource_type` UDM field is set to `STORAGE_BUCKET`. If the `reponame` log field value is not empty, then the `target.resource.resource_type` UDM field is set to `REPOSITORY`.
`departmentname`	`principal.user.department`
`extusername`	`target.user.userid`
`download_time`	`additional.fields[download_time]`
`runid`	`additional.fields[runid]`
`scan_time`	`additional.fields[scan_time]`
`scanid`	`additional.fields[scanid]`
`file_doctype`	`additional.fields[file_doctype]`
`filesha`	`additional.fields[filesha]`
`sender_type`	`additional.fields[sender_type]`
`last_edit_user`	`security_result.detection_fields[last_edit_user]`
`last_share_user`	`security_result.detection_fields[last_share_user]`
`last_shared_on`	`security_result.detection_fields[last_shared_on]`
`botname`	`security_result.detection_fields[botname]`
`dlpengnames`	`security_result.detection_fields[dlpengnames]`
`filetype`	`target.file.file_type`	If the `filetype` log field value is equal to `pdf`, then the `target.file.file_type` UDM field is set to `FILE_TYPE_PDF`. Else if the `filetype` log field value is equal to `ppt`, then the `target.file.file_type` UDM field is set to `FILE_TYPE_PPT`. Else, the `additional.fields.key` UDM field is set to `filetype` and the `filetype` log field is mapped to the `additional.fields.value.string_value` UDM field.
`extcollab_groups`	`security_result.detection_fields[extcollab_groups]`
`intcollab_groups`	`security_result.detection_fields[intcollab_groups]`
`oextcollab_groups`	`security_result.detection_fields[oextcollab_groups]`
`ointcollab_groups`	`security_result.detection_fields[ointcollab_groups]`
`dlpdictcnts`	`security_result.detection_fields[dlpdictcnts]`
`attchcomponentmd5s`	`target.file.md5`	If the `attchcomponentmd5s` log field value is not equal to empty and the `attchcomponentmd5s` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `attchcomponentmd5s` log field is mapped to the `target.file.md5` UDM field. Else, if the `filemd5` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `filemd5` log field is mapped to the `target.file.md5` UDM field.
`b64attchcomponentfilenames`	`target.file.names`
`b64attchcomponentfiletypes`	`additional.fields[b64attchcomponentfiletypes]`
`b64attchcomponentmd5s`	`target.file.md5`	If the `b64attchcomponentmd5s` log field value is not equal to empty and the `b64attchcomponentmd5s` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `b64attchcomponentmd5s` log field is mapped to the `target.file.md5` UDM field. Else, if the `filemd5` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `filemd5` log field is mapped to the `target.file.md5` UDM field.
`b64bucketname`	`target.resource.name`
`b64collabnames`	`additional.fields[b64collabnames]`
`b64department`	`principal.user.department`	If the `dept` log field value is not empty, then the `dept` log field is mapped to the `principal.user.department` UDM field. Else, the `b64department` log field is mapped to the `principal.user.department` UDM field.
`b64dlpdictnames`	`security_result.detection_fields[b64dlpdictnames]`
`b64dlpenginenames`	`security_result.detection_fields[b64dlpenginenames]`
`b64external_collabnames`	`additional.fields[b64external_collabnames]`
`b64external_recptnames`	`network.email.to`
`b64extownername`	`additional.fields[b64extownername]`
`b64extrecptnames`	`network.email.to`
`b64filename`	`target.file.names`
`b64filepath`	`target.file.full_path`	If `b64filepath` is not empty, then the `b64filepath` log field is mapped to the `target.file.full_path` UDM field. Else if `filesource` is not empty, then the `filesource` log field is mapped to the `target.file.full_path` UDM field.
`b64filesource`	`target.file.full_path`	If `filepath` is not empty, then the `filepath` log field is mapped to the `target.file.full_path` UDM field. Else if `b64filesource` is not empty, then the `b64filesource` log field is mapped to the `target.file.full_path` UDM field.
`b64fullurl`	`principal.url`	If the `b64fullurl` log field is not empty and the `b64fullurl` log field value is not equal to `Unknown URL`, then the `b64fullurl` log field is mapped to the `principal.url` UDM field.
`b64hostname`	`target.hostname`	If the `sharedchannel_hostname` log field value is empty and the `osharedchannel_hostname` log field value is empty, then the `b64hostname` log field is mapped to the `target.hostname` UDM field.
`b64internal_collabnames`	`additional.fields[b64internal_collabnames]`
`b64internal_recptnames`	`network.email.to`
`b64intrecptnames`	`network.email.to`
`b64objectname`	`target.resource.name`
`b64owner`	`principal.user.email_addresses`	If the `b64owner` log field value matches the regular expression pattern `(^.@.$)`, then the `b64owner` log field is mapped to the `principal.user.email_addresses` UDM field.
`b64projectname`	`target.resource.attribute.labels[b64projectname]`
`b64reponame`	`target.resource.name`
`b64rulelabel`	`security_result.rule_name`
`b64sender`	`network.email.from`	If the `b64sender` log field value matches the regular expression pattern `(^.@.$)`, then the `b64sender` log field is mapped to the `network.email.from` UDM field.
`b64tenant`	`additional.fields[b64tenant]`
`b64threatname`	`security_result.threat_name`
`b64intcollab_groups`	`security_result.detection_fields[b64intcollab_groups]`
`b64extcollab_groups`	`security_result.detection_fields[b64extcollab_groups]`
`eattchcomponentfilenames`	`target.file.names`
`eattchcomponentfiletypes`	`additional.fields[eattchcomponentfiletypes]`
`ebucketname`	`target.resource.name`
`ebucketowner`	`target.resource.attribute.labels[ebucketowner]`
`ecollabnames`	`additional.fields[ecollabnames]`
`edepartment`	`principal.user.department`	If the `dept` log field value is not empty, then the `dept` log field is mapped to the `principal.user.department` UDM field. Else, the `edepartment` log field is mapped to the `principal.user.department` UDM field.
`edlpdictnames`	`security_result.detection_fields[edlpdictnames]`
`edlpenginenames`	`security_result.detection_fields[edlpenginenames]`
`eexternal_collabnames`	`additional.fields[eexternal_collabnames]`
`eextownername`	`additional.fields[eextownername]`
`eextrecptnames`	`network.email.to`
`efilename`	`target.file.names`
`efilepath`	`target.file.full_path`	If `efilepath` is not empty, then the `efilepath` log field is mapped to the `target.file.full_path` UDM field. Else if `filesource` is not empty, then the `filesource` log field is mapped to the `target.file.full_path` UDM field.
`efilesource`	`target.file.full_path`	If `filepath` is not empty, then the `filepath` log field is mapped to the `target.file.full_path` UDM field. Else if `efilesource` is not empty, then the `efilesource` log field is mapped to the `target.file.full_path` UDM field.
`efullurl`	`principal.url`	If the `efullurl` log field is not empty and the `efullurl` log field value is not equal to `Unknown URL`, then the `efullurl` log field is mapped to the `principal.url` UDM field.
`ehostname`	`target.hostname`
`einternal_collabnames`	`additional.fields[einternal_collabnames]`
`eintrecptnames`	`network.email.to`
`eobjectname`	`target.resource.name`
`eowner`	`principal.user.email_addresses`	If the `eowner` log field value matches the regular expression pattern `(^.@.$)`, then the `eowner` log field is mapped to the `principal.user.email_addresses` UDM field.
`eprojectname`	`target.resource.attribute.labels[eprojectname]`
`ereponame`	`target.resource.name`
`esender`	`network.email.from`	If the `esender` log field value matches the regular expression pattern `(^.@.$)`, then the `esender` log field is mapped to the `network.email.from` UDM field.
`ethreatname`	`security_result.threat_name`

Delta de mapeamento do UDM

A tabela seguinte lista a diferença entre o mapeamento do UDM antigo de ZSCALER_CASB e o mapeamento do UDM novo de ZSCALER_CASB.

UDM Field Mapping Delta

Raw Field	Old UDM Mapping	New UDM Mapping
`oattchcomponentfilenames`	`security_result.detection_fields[oattchcomponentfilenames]`	`target.file.names`
`obucketname`	`security_result.detection_fields[obucketname]`	`target.resource.name`
`obucketowner`	`security_result.detection_fields[obucketowner]`	`target.resource.attribute.labels[obucketowner]`
`ochannel_name`	`security_result.detection_fields[ochannel_name]`	`additional.fields[ochannel_name]`
`ocollabnames`	`security_result.detection_fields[ocollabnames]`	`additional.fields[ocollabnames]`
`oextcollabnames`	`security_result.detection_fields[oextcollabnames]`	`additional.fields[oextcollabnames]`
`oexternal_collabnames`	`security_result.detection_fields[oexternal_collabnames]`	`additional.fields[oexternal_collabnames]`
`oexternal_recptnames`	`security_result.detection_fields[oexternal_recptnames]`	`network.email.to`
`oexternalownername`	`security_result.detection_fields[oexternalownername]`	`additional.fields[oexternalownername]`
`oextownername`	`security_result.detection_fields[oextownername]`	`additional.fields[oextownername]`
`oextrecptnames`	`security_result.detection_fields[oextrecptnames]`	`network.email.to`
`ofile_msg_id`	`security_result.detection_fields[ofile_msg_id]`	`additional.fields[ofile_msg_id]`
`ofileid`	`security_result.detection_fields[ofileid]`	`additional.fields[ofileid]`
`ofullurl`	`security_result.detection_fields[ofullurl]`	`principal.url`
`ohostname`	`security_result.detection_fields[ohostname]`	`target.hostname`
`ointcollabnames`	`security_result.detection_fields[ointcollabnames]`	`additional.fields[ointcollabnames]`
`ointernal_collabnames`	`security_result.detection_fields[ointernal_collabnames]`	`additional.fields[ointernal_collabnames]`
`ointernal_recptnames`	`security_result.detection_fields[ointernal_recptnames]`	`network.email.to`
`ointrecptnames`	`security_result.detection_fields[ointrecptnames]`	`network.email.to`
`omessageid`	`security_result.detection_fields[omessageid]`	`additional.fields[omessageid]`
`omsgid`	`security_result.detection_fields[omsgid]`	`additional.fields[omsgid]`
`oowner`	`security_result.detection_fields[oowner]`	`principal.user.email_addresses`
`orulelabel`	`security_result.detection_fields[orulelabel]`	`security_result.rule_name`
`osender`	`security_result.detection_fields[osender]`	`network.email.from`
`osharedchannel_hostname`	`security_result.detection_fields[osharedchannel_hostname]`	`target.hostname`
`otenant`	`security_result.detection_fields[otenant]`	`additional.fields[otenant]`
`ouser`	`security_result.detection_fields[ouser]`	`principal.user.email_addresses`
`ointcollab_groups`	`security_result.detection_fields[ointcollab_groups]`	`security_result.detection_fields[ointcollab_groups]`
`oextcollab_groups`	`security_result.detection_fields[oextcollab_groups]`	`security_result.detection_fields[oextcollab_groups]`
`malwareclass`	`security_result.detection_fields[malwareclass]`	`security_result.threat_name`
`msgid`	`security_result.detection_fields[msgid]`	`additional.fields[msgid]`
`sourcetype`	`security_result.detection_fields[sourcetype]`	`additional.fields[sourcetype]`

O que se segue?

Carregamento de dados para o Google SecOps

Precisa de mais ajuda? Receba respostas de membros da comunidade e profissionais da Google SecOps.