Raccogli i log CASB di Zscaler

Questo documento descrive come esportare i log Zscaler CASB configurando un feed Google Security Operations e mappando i campi dei log al modello Unified Data Model (UDM).

Per saperne di più, consulta la panoramica dell'importazione dei dati in Google SecOps.

Un deployment tipico è costituito da Zscaler CASB e da un feed webhook di Google SecOps configurato per inviare i log a Google SecOps. Tuttavia, i dettagli del deployment possono variare in base al cliente e potrebbero essere più complessi.

Il deployment contiene i seguenti componenti:

Zscaler CASB: la piattaforma da cui raccogli i log.
Feed Google SecOps: il feed Google SecOps che recupera i log da Zscaler CASB e li scrive in Google SecOps.
Google SecOps: conserva e analizza i log.

Un'etichetta di importazione identifica il parser che normalizza i dati di log non elaborati nel formato UDM strutturato. Questo documento si applica in modo specifico al parser associato all'etichetta di importazione ZSCALER_CASB.

Prima di iniziare

Assicurati di avere accesso alla console Zscaler Internet Access. Per saperne di più, consulta Secure Internet and SaaS Access ZIA Help.
Assicurati di utilizzare Zscaler CASB versione 1.0 o 2.0.
Assicurati che tutti i sistemi nell'architettura di deployment siano configurati con il fuso orario UTC.
Assicurati di avere la chiave API necessaria per completare la configurazione del feed in Google SecOps. Per ulteriori informazioni, vedi Configurare le chiavi API.

Configurare i feed

Per configurare questo tipo di log:

Vai a Impostazioni SIEM > Feed.
Fai clic su Aggiungi nuovo feed.
Fai clic sul pacchetto di feed Zscaler.
Individua il tipo di log richiesto e fai clic su Aggiungi nuovo feed.
Inserisci i valori per i seguenti parametri di input:
- Tipo di origine: webhook (opzione consigliata)
- Delimitatore di divisione: il carattere utilizzato per separare le righe dei log. Lascia vuoto se non viene utilizzato alcun delimitatore.
Opzioni avanzate
- Nome feed: un valore precompilato che identifica il feed.
- Spazio dei nomi dell'asset: spazio dei nomi associato al feed.
- Etichette di importazione: etichette applicate a tutti gli eventi di questo feed.
Fai clic su Crea feed.

Per ulteriori informazioni sulla configurazione di più feed per diversi tipi di log all'interno di questa famiglia di prodotti, consulta Configurare i feed per prodotto.

Configurare Zscaler CASB

Nella console Zscaler Internet Access, fai clic su Amministrazione > Servizio di streaming Nanolog > Feed NSS cloud > Aggiungi feed NSS cloud.
Nella finestra Aggiungi feed NSS cloud, inserisci i dettagli.
Nel campo Nome feed, inserisci un nome univoco per il feed.
Seleziona Zscaler for Web in NSS Type (Tipo di NSS).
Nell'elenco Stato, seleziona uno stato per attivare o disattivare il feed NSS.
Lascia SIEM Rate (Frequenza SIEM) impostato su Unlimited (Illimitata), a meno che tu non debba limitare il flusso di output a causa di licenze o altri vincoli.
Nell'elenco Tipo di SIEM, seleziona Altro.
Nell'elenco Autenticazione OAuth 2.0, seleziona Disabilitata.
Nel campo Dimensione massima batch, inserisci un limite di dimensione per un singolo payload della richiesta HTTP in base alla best practice del SIEM, ad esempio 512 KB.
Nel campo URL API, inserisci l'URL HTTPS dell'endpoint dell'API Chronicle utilizzando il seguente formato:
```
  https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
```
- CHRONICLE_REGION: la regione in cui è ospitata l'istanza Google SecOps. Ad esempio, US.
- GOOGLE_PROJECT_NUMBER: il numero del progetto BYOP. Ottienilo da C4.
- LOCATION: la regione di Chronicle (Google SecOps) (uguale a CHRONICLE_REGION). Ad esempio, US.
- CUSTOMER_ID: il tuo ID cliente Google SecOps. Ottieni da C4.
- FEED_ID: l'ID del feed webhook appena creato (mostrato nell'interfaccia utente del feed).
- URL API di esempio:
```
https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs
```
Fai clic su Aggiungi intestazione HTTP e poi aggiungi le intestazioni HTTP nel seguente formato:
- Header 1: Key1: X-goog-api-key e Value1: chiave API generata dalle credenziali API di Google Cloud BYOP.
- Header 2: Key2: X-Webhook-Access-Key e Value2: chiave segreta API generata in "SECRET KEY" (CHIAVE SEGRETA) del webhook.
Nell'elenco Tipi di log, seleziona SaaS Security o Attività di SaaS Security.
Nell'elenco Tipo di output feed, seleziona JSON.
Disattiva Notazione di array JSON.
Imposta Carattere di escape del feed su , \ ".
Nell'elenco Feed Output Type (Tipo di output feed), seleziona Personalizzato per aggiungere un nuovo campo a Feed Output Format (Formato output feed).
Copia e incolla il Formato output feed, quindi aggiungi nuovi campi in base alle necessità. Assicurati che i nomi delle chiavi corrispondano ai nomi dei campi effettivi.

Di seguito sono riportati i formati di output del feed predefiniti:

Sicurezza SaaS

\{ "sourcetype" : "zscalernss-casb", "event" :\{"datetime":"%s{time}","recordid":"%d{recordid}","company":"%s{company}","tenant":"%s{tenant}","login":"%s{user}","dept":"%s{department}","applicationname":"%s{applicationname}","filename":"%s{filename}","filesource":"%s{filesource}","filemd5":"%s{filemd5}","threatname":"%s{threatname}","policy":"%s{policy}","dlpdictnames":"%s{dlpdictnames}","dlpdictcount":"%s{dlpdictcount}","dlpenginenames":"%s{dlpenginenames}","fullurl":"%s{fullurl}","lastmodtime":"%s{lastmodtime}","filescantimems":"%d{filescantimems}","filedownloadtimems":"%d{filedownloadtimems}"\}\}

Attività di sicurezza SaaS

\{ "sourcetype" : "zscalernss-casb", "event" :\{"login":"%s{username}","tenant":"%s{tenant}","object_type":"%d{objtype1}","applicationname":"%s{appname}","object_name_1":"%s{objnames1}","object_name_2":"%s{objnames2}"\}\}

Dall'elenco Fuso orario, seleziona il fuso orario per il campo Ora nel file di output. Per impostazione predefinita, il fuso orario è impostato sul fuso orario della tua organizzazione.
Rivedi le impostazioni configurate.
Fai clic su Salva per verificare la connettività. Se la connessione è riuscita, viene visualizzato un segno di spunta verde accompagnato dal messaggio Test di connettività riuscito: OK (200).

Per ulteriori informazioni sui feed Google SecOps, consulta la documentazione sui feed Google SecOps. Per informazioni sui requisiti per ciascun tipo di feed, vedi Configurazione dei feed per tipo.

Se riscontri problemi durante la creazione dei feed, contatta l'assistenza Google SecOps.

Riferimento alla mappatura dei campi

Riferimento per la mappatura dei campi: ZSCALER_CASB

La tabella seguente elenca i campi di log del tipo di log ZSCALER_CASB e i relativi campi UDM.

Log field	UDM mapping	Logic
`sourcetype`	`additional.fields[sourcetype]`
`objnames2`	`about.resource.name`
`object_name_2`	`about.resource.name`
`objtypename2`	`about.resource.resource_subtype`
`externalownername`	`additional.fields[externalownername]`
`act_cnt`	`additional.fields[act_cnt]`
`attchcomponentfiletypes`	`additional.fields[attchcomponentfiletypes]`
`channel_name`	`additional.fields[channel_name]`
`collabscope`	`additional.fields[collabscope]`
`day`	`additional.fields[day]`
`dd`	`additional.fields[dd]`
`dlpdictcount`	`security_result.detection_fields[dlpdictcount]`	If the `dlpdictcount` log field value is not empty and the `dlpdictcount` log field value is not equal to `None`, then the `dlpdictcount` log field is mapped to the `security_result.detection_fields.dlpdictcount` UDM field.
`dlpenginenames`	`security_result.detection_fields[dlpenginenames]`	If the `dlpenginenames` log field value is not empty and the `dlpenginenames` log field value is not equal to `None`, then the `dlpenginenames` log field is mapped to the `security_result.detection_fields.dlpenginenames` UDM field.
`epochlastmodtime`	`additional.fields[epochlastmodtime]`
`extcollabnames`	`additional.fields[extcollabnames]`
`extownername`	`additional.fields[extownername]`
`file_msg_id`	`additional.fields[file_msg_id]`
`fileid`	`additional.fields[fileid]`
`filescantimems`	`additional.fields[filescantimems]`
`filetypecategory`	`additional.fields[filetypecategory]`
`hh`	`additional.fields[hh]`
`messageid`	`additional.fields[messageid]`
`mm`	`additional.fields[mm]`
`mon`	`additional.fields[mon]`
`msgsize`	`additional.fields[msgsize]`
`mth`	`additional.fields[mth]`
`num_ext_recpts`	`additional.fields[num_ext_recpts]`
`num_int_recpts`	`additional.fields[num_int_recpts]`
`numcollab`	`additional.fields[numcollab]`
`rtime`	`additional.fields[rtime]`
`ss`	`additional.fields[ss]`
`suburl`	`additional.fields[suburl]`
`tenant`	`additional.fields[tenant]`
`tz`	`additional.fields[tz]`
`upload_doctypename`	`additional.fields[upload_doctypename]`
`yyyy`	`additional.fields[yyyy]`
`collabnames`	`additional.fields[collabnames]`
`companyid`	`additional.fields[companyid]`
`component`	`additional.fields[component]`
`intcollabnames`	`additional.fields[intcollabnames]`	If `intcollabnames` log field value does not match the regular expression pattern `None` then, for `index` in `intcollabnames`, the `index` is mapped to the `additional.fields.value.list_value` UDM field.
`internal_collabnames`	`additional.fields[internal_collabnames]`
`external_collabnames`	`additional.fields[external_collabnames]`
`num_external_collab`	`additional.fields[num_external_collab]`
`num_internal_collab`	`additional.fields[num_internal_collab]`
`repochtime`	`additional.fields[repochtime]`
`eventtime`	`metadata.event_timestamp`	If the `eventtime` log field value is not empty, then the `eventtime` log field is mapped to the `metadata.event_timestamp` UDM field.
`epochtime`	`metadata.event_timestamp`	If the `epochtime` log field value is not empty, then the `epochtime` log field is mapped to the `metadata.event_timestamp` UDM field.
`time`	`metadata.event_timestamp`	If the `time` log field value is not empty, then the `time` log field is mapped to the `metadata.event_timestamp` UDM field.
`datetime`	`metadata.event_timestamp`	If the `datetime` log field value is not empty, then the `datetime` log field is mapped to the `metadata.event_timestamp` UDM field.
	`metadata.event_type`	If `principal.ip` is not empty or `principal.hostname` is not empty, and `target.ip` is not empty, then `metadata.event_type` is set to `NETWORK_CONNECTION`. Else if any of the following UDM fields are empty: `principal.user.userid`, `principal.user.email_addresses`, `principal.hostname`, `principal.asset_id`, `principal.ip`, `principal.mac`, `target.hostname`, `target.asset_id`, `target.ip`, `target.mac`, `target.user.email_addresses`, `target.user.userid`, then `metadata.event_type` is set to `USER_UNCATEGORIZED`. Else if any of the following UDM fields are empty: `principal.hostname`, `principal.asset_id`, `principal.ip`, `principal.mac`, then `metadata.event_type` is set to `STATUS_UPDATE`.
`act_type_name`	`metadata.product_event_type`
`recordid`	`metadata.product_log_id`
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `CASB`.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Zscaler`.
`sender`	`network.email.from`	If the `sender` log field value matches the regular expression pattern `(^.@.$)`, then the `sender` log field is mapped to the `network.email.from` UDM field.
`extrecptnames`	`network.email.to`	For `index` in `extrecptnames`, the `index` is mapped to the `network.email.to` UDM field.
`internal_recptnames`	`network.email.to`	For `index` in `internal_recptnames`, the `index` is mapped to the `network.email.to` UDM field.
`external_recptnames`	`network.email.to`	For `index` in `external_recptnames`, the `index` is mapped to the `network.email.to` UDM field.
`intrecptnames`	`network.email.to`	For `index` in `intrecptnames`, the `index` is mapped to the `network.email.to` UDM field.
`applicationname`	`principal.application`	If the `applicationname` log field value is not empty, then the `applicationname` log field is mapped to the `principal.application` UDM field. Else, the `appname` log field is mapped to the `principal.application` UDM field.
`appname`	`principal.application`	If the `applicationname` log field value is not empty, then the `applicationname` log field is mapped to the `principal.application` UDM field. Else, the `appname` log field is mapped to the `principal.application` UDM field.
`src_ip`	`principal.ip`
`fullurl`	`principal.url`	If the `fullurl` log field is not empty and the `fullurl` log field value is not equal to `Unknown URL`, then the `fullurl` log field is mapped to the `principal.url` UDM field.
`is_admin_act`	`principal.user.attribute.labels[is_admin_act]`
	`principal.user.attribute.roles.type`	If the `is_admin_act` log field value is equal to `1`, then the `principal.user.attribute.roles.type` UDM field is set to `ADMINISTRATOR`.
`company`	`principal.user.company_name`
`department`	`principal.user.department`	If the `dept` log field value is not empty, then the `dept` log field is mapped to the `principal.user.department` UDM field. Else, the `department` log field is mapped to the `principal.user.department` UDM field.
`dept`	`principal.user.department`	If the `dept` log field value is not empty, then the `dept` log field is mapped to the `principal.user.department` UDM field. Else, the `department` log field is mapped to the `principal.user.department` UDM field.
`user`	`principal.user.email_addresses`	If the `user` log field value matches the regular expression pattern `(^.@.$)`, then the `user` log field is mapped to the `principal.user.email_addresses` UDM field.
`username`	`principal.user.email_addresses`	If the `username` log field value matches the regular expression pattern `(^.@.$)`, then the `username` log field is mapped to the `principal.user.email_addresses` UDM field.
`owner`	`principal.user.email_addresses`	If the `owner` log field value matches the regular expression pattern `(^.@.$)`, then the `owner` log field is mapped to the `principal.user.email_addresses` UDM field.
`login`	`principal.user.email_addresses`	If the `login` log field value matches the regular expression pattern `(^.@.$)`, then the `login` log field is mapped to the `principal.user.email_addresses` UDM field.
`login`	`principal.user.userid`	If the `login` log field value does not match the regular expression pattern `^.+@.+$`, then the `login` log field is mapped to the `principal.user.userid` UDM field.
`malware`	`security_result.associations.name`
	`security_result.associations.type`	If the `malware` log field value is not empty, then the `security_result.associations.type` UDM field is set to `MALWARE`.
`dlpdictnames`	`security_result.detection_fields[dlpdictnames]`
`dlpidentifier`	`security_result.detection_fields[dlpidentifier]`
`filedownloadtimems`	`additional.fields[filedownloadtimems]`
`malwareclass`	`security_result.threat_name`
`msgid`	`additional.fields[msgid]`
`oattchcomponentfilenames`	`target.file.names`
`obucketname`	`target.resource.name`
`obucketowner`	`target.resource.attribute.labels[obucketowner]`
`ochannel_name`	`additional.fields[ochannel_name]`
`ocollabnames`	`additional.fields[ocollabnames]`
`odlpdictnames`	`security_result.detection_fields[odlpdictnames]`
`odlpenginenames`	`security_result.detection_fields[odlpenginenames]`
`oextcollabnames`	`additional.fields[oextcollabnames]`
`oexternal_collabnames`	`additional.fields[oexternal_collabnames]`
`oexternal_recptnames`	`network.email.to`
`oexternalownername`	`additional.fields[oexternalownername]`
`oextownername`	`additional.fields[oextownername]`
`oextrecptnames`	`network.email.to`
`ofile_msg_id`	`additional.fields[ofile_msg_id]`
`ofileid`	`additional.fields[ofileid]`
`ofullurl`	`principal.url`	If the `ofullurl` log field is not empty and the `ofullurl` log field value is not equal to `Unknown URL`, then the `ofullurl` log field is mapped to the `principal.url` UDM field.
`ohostname`	`target.hostname`
`ointcollabnames`	`additional.fields[ointcollabnames]`
`ointernal_collabnames`	`additional.fields[ointernal_collabnames]`
`ointernal_recptnames`	`network.email.to`
`ointrecptnames`	`network.email.to`
`omessageid`	`additional.fields[omessageid]`
`omsgid`	`additional.fields[omsgid]`
`oowner`	`principal.user.email_addresses`	If the `oowner` log field value matches the regular expression pattern `(^.@.$)`, then the `oowner` log field is mapped to the `principal.user.email_addresses` UDM field.
`orulelabel`	`security_result.rule_name`
`osender`	`network.email.from`	If the `osender` log field value matches the regular expression pattern `(^.@.$)`, then the `osender` log field is mapped to the `network.email.from` UDM field.
`osharedchannel_hostname`	`target.hostname`
`otenant`	`additional.fields[otenant]`
`ouser`	`principal.user.email_addresses`	If the `ouser` log field value matches the regular expression pattern `(^.@.$)`, then the `ouser` log field is mapped to the `principal.user.email_addresses` UDM field.
`any_incident`	`security_result.detection_fields[any_incident]`
`is_inbound`	`security_result.detection_fields[is_inbound]`
`policy`	`security_result.rule_labels[policy]`
`ruletype`	`security_result.rule_labels[ruletype]`
`rulelabel`	`security_result.rule_name`
	`security_result.severity`	If the `severity` log field value is equal to `High`, then the `security_result.severity` UDM field is set to `HIGH`. Else, if the `severity` log field value is equal to `Medium`, then the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `severity` log field value is equal to `Low`, then the `security_result.sevrity` UDM field is set to `LOW`. Else, if the `severity` log field value is equal to `Information`, then the `security_result.severity` UDM field is set to `INFORMATIONAL`.
`threatname`	`security_result.threat_name`	If the `threatname` log field value is not empty and the `dlpdictcount` log field value is not equal to `None`, then the `threatname` log field is mapped to the `security_result.threat_name` UDM field.
`filesource`	`target.file.full_path`	If `filepath` is not empty, then the `filepath` log field is mapped to the `target.file.full_path` UDM field. Else if `filesource` is not empty, then the `filesource` log field is mapped to the `target.file.full_path` UDM field.
`filepath`	`target.file.full_path`	If `filepath` is not empty, then the `filepath` log field is mapped to the `target.file.full_path` UDM field. Else if `filesource` is not empty, then the `filesource` log field is mapped to the `target.file.full_path` UDM field.
`lastmodtime`	If the `file_msg_mod_time` log field value is not empty, then the `file_msg_mod_time` log field is mapped to the `target.file.last_modification_time` UDM field. Else if the `lastmodtime` log field value is not empty, then the `lastmodtime` log field is mapped to the `target.file.last_modification_time` UDM field.
`file_msg_mod_time`	`target.file.last_modification_time`	If the `file_msg_mod_time` log field value is not empty, then the `file_msg_mod_time` log field is mapped to the `target.file.last_modification_time` UDM field. Else if the `lastmodtime` log field value is not empty, then the `lastmodtime` log field is mapped to the `target.file.last_modification_time` UDM field.
`filemd5`	`target.file.md5`	If the `attchcomponentmd5s` log field value is not equal to empty and the `attchcomponentmd5s` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `attchcomponentmd5s` log field is mapped to the `target.file.md5` UDM field. Else, if the `filemd5` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `filemd5` log field is mapped to the `target.file.md5` UDM field.
`filetypename`	`target.file.mime_type`
`filename`	`target.file.names`
`attchcomponentfilenames`	`target.file.names`
`attchcomponentfilesizes`	`target.file.size`	If the `filesize` log field value is not empty, then the `filesize` log field is mapped to the `target.file.size` UDM field. Else if the `attchcomponentfilesizes` log field value is not empty, then the `attchcomponentfilesizes` log field is mapped to the `target.file.size` UDM field.
`b64attchcomponentfilesizes`	`target.file.size`	If the `filesize` log field value is not empty, then the `filesize` log field is mapped to the `target.file.size` UDM field. Else if the `b64attchcomponentfilesizes` log field value is not empty, then the `b64attchcomponentfilesizes` log field is mapped to the `target.file.size` UDM field.
`sha`	`target.file.sha256`	If the `sha` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `sha` log field is mapped to the `target.file.sha256` UDM field.
`filesize`	`target.file.size`	If the `filesize` log field value is not empty, then the `filesize` log field is mapped to the `target.file.size` UDM field. Else if the `attchcomponentfilesizes` log field value is not empty, then the `attchcomponentfilesizes` log field is mapped to the `target.file.size` UDM field.
`sharedchannel_hostname`	`target.hostname`
`hostname`	`target.hostname`	If the `sharedchannel_hostname` log field value is empty and the `osharedchannel_hostname` log field value is empty, then the `hostname` log field is mapped to the `target.hostname` UDM field.
`datacentercity`	`target.location.city`
`datacentercountry`	`target.location.country_or_region`
`datacenter`	`target.location.name`
`bucketowner`	`target.resource.attribute.labels[bucketowner]`
`projectname`	`target.resource.attribute.labels[projectname]`
`bucketname`	`target.resource.name`	If the `bucketname` log field value is not empty, then the `bucketname` log field is mapped to the `target.resource.name` UDM field.
`objnames1`	`target.resource.name`	If the `objnames1` log field value is not empty, then the `objnames1` log field is mapped to the `target.resource.name` UDM field.
`objectname`	`target.resource.name`	If the `objectname` log field value is not empty, then the `objectname` log field is mapped to the `target.resource.name` UDM field.
`reponame`	`target.resource.name`	If the `reponame` log field value is not empty, then the `reponame` log field is mapped to the `target.resource.name` UDM field.
`object_name_1`	`target.resource.name`	If the `object_name_1` log field value is not empty, then the `object_name_1` log field is mapped to the `target.resource.name` UDM field.
`bucketid`	`target.resource.product_object_id`
`objtypename1`	`target.resource.resource_subtype`	If the `objtypename1` log field value is not empty, then the `objtypename1` log field is mapped to the `target.resource.resource_subtype` UDM field.
`objecttype`	`target.resource.resource_subtype`	If the `objecttype` log field value is not empty, then the `objecttype` log field is mapped to the `target.resource.resource_subtype` UDM field.
`object_type`	`target.resource.resource_subtype`
	`target.resource.resource_type`	If the `bucketname` log field value is not empty, then the `target.resource.resource_type` UDM field is set to `STORAGE_BUCKET`. If the `reponame` log field value is not empty, then the `target.resource.resource_type` UDM field is set to `REPOSITORY`.
`departmentname`	`principal.user.department`
`extusername`	`target.user.userid`
`download_time`	`additional.fields[download_time]`
`runid`	`additional.fields[runid]`
`scan_time`	`additional.fields[scan_time]`
`scanid`	`additional.fields[scanid]`
`file_doctype`	`additional.fields[file_doctype]`
`filesha`	`additional.fields[filesha]`
`sender_type`	`additional.fields[sender_type]`
`last_edit_user`	`security_result.detection_fields[last_edit_user]`
`last_share_user`	`security_result.detection_fields[last_share_user]`
`last_shared_on`	`security_result.detection_fields[last_shared_on]`
`botname`	`security_result.detection_fields[botname]`
`dlpengnames`	`security_result.detection_fields[dlpengnames]`
`filetype`	`target.file.file_type`	If the `filetype` log field value is equal to `pdf`, then the `target.file.file_type` UDM field is set to `FILE_TYPE_PDF`. Else if the `filetype` log field value is equal to `ppt`, then the `target.file.file_type` UDM field is set to `FILE_TYPE_PPT`. Else, the `additional.fields.key` UDM field is set to `filetype` and the `filetype` log field is mapped to the `additional.fields.value.string_value` UDM field.
`extcollab_groups`	`security_result.detection_fields[extcollab_groups]`
`intcollab_groups`	`security_result.detection_fields[intcollab_groups]`
`oextcollab_groups`	`security_result.detection_fields[oextcollab_groups]`
`ointcollab_groups`	`security_result.detection_fields[ointcollab_groups]`
`dlpdictcnts`	`security_result.detection_fields[dlpdictcnts]`
`attchcomponentmd5s`	`target.file.md5`	If the `attchcomponentmd5s` log field value is not equal to empty and the `attchcomponentmd5s` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `attchcomponentmd5s` log field is mapped to the `target.file.md5` UDM field. Else, if the `filemd5` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `filemd5` log field is mapped to the `target.file.md5` UDM field.
`b64attchcomponentfilenames`	`target.file.names`
`b64attchcomponentfiletypes`	`additional.fields[b64attchcomponentfiletypes]`
`b64attchcomponentmd5s`	`target.file.md5`	If the `b64attchcomponentmd5s` log field value is not equal to empty and the `b64attchcomponentmd5s` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `b64attchcomponentmd5s` log field is mapped to the `target.file.md5` UDM field. Else, if the `filemd5` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `filemd5` log field is mapped to the `target.file.md5` UDM field.
`b64bucketname`	`target.resource.name`
`b64collabnames`	`additional.fields[b64collabnames]`
`b64department`	`principal.user.department`	If the `dept` log field value is not empty, then the `dept` log field is mapped to the `principal.user.department` UDM field. Else, the `b64department` log field is mapped to the `principal.user.department` UDM field.
`b64dlpdictnames`	`security_result.detection_fields[b64dlpdictnames]`
`b64dlpenginenames`	`security_result.detection_fields[b64dlpenginenames]`
`b64external_collabnames`	`additional.fields[b64external_collabnames]`
`b64external_recptnames`	`network.email.to`
`b64extownername`	`additional.fields[b64extownername]`
`b64extrecptnames`	`network.email.to`
`b64filename`	`target.file.names`
`b64filepath`	`target.file.full_path`	If `b64filepath` is not empty, then the `b64filepath` log field is mapped to the `target.file.full_path` UDM field. Else if `filesource` is not empty, then the `filesource` log field is mapped to the `target.file.full_path` UDM field.
`b64filesource`	`target.file.full_path`	If `filepath` is not empty, then the `filepath` log field is mapped to the `target.file.full_path` UDM field. Else if `b64filesource` is not empty, then the `b64filesource` log field is mapped to the `target.file.full_path` UDM field.
`b64fullurl`	`principal.url`	If the `b64fullurl` log field is not empty and the `b64fullurl` log field value is not equal to `Unknown URL`, then the `b64fullurl` log field is mapped to the `principal.url` UDM field.
`b64hostname`	`target.hostname`	If the `sharedchannel_hostname` log field value is empty and the `osharedchannel_hostname` log field value is empty, then the `b64hostname` log field is mapped to the `target.hostname` UDM field.
`b64internal_collabnames`	`additional.fields[b64internal_collabnames]`
`b64internal_recptnames`	`network.email.to`
`b64intrecptnames`	`network.email.to`
`b64objectname`	`target.resource.name`
`b64owner`	`principal.user.email_addresses`	If the `b64owner` log field value matches the regular expression pattern `(^.@.$)`, then the `b64owner` log field is mapped to the `principal.user.email_addresses` UDM field.
`b64projectname`	`target.resource.attribute.labels[b64projectname]`
`b64reponame`	`target.resource.name`
`b64rulelabel`	`security_result.rule_name`
`b64sender`	`network.email.from`	If the `b64sender` log field value matches the regular expression pattern `(^.@.$)`, then the `b64sender` log field is mapped to the `network.email.from` UDM field.
`b64tenant`	`additional.fields[b64tenant]`
`b64threatname`	`security_result.threat_name`
`b64intcollab_groups`	`security_result.detection_fields[b64intcollab_groups]`
`b64extcollab_groups`	`security_result.detection_fields[b64extcollab_groups]`
`eattchcomponentfilenames`	`target.file.names`
`eattchcomponentfiletypes`	`additional.fields[eattchcomponentfiletypes]`
`ebucketname`	`target.resource.name`
`ebucketowner`	`target.resource.attribute.labels[ebucketowner]`
`ecollabnames`	`additional.fields[ecollabnames]`
`edepartment`	`principal.user.department`	If the `dept` log field value is not empty, then the `dept` log field is mapped to the `principal.user.department` UDM field. Else, the `edepartment` log field is mapped to the `principal.user.department` UDM field.
`edlpdictnames`	`security_result.detection_fields[edlpdictnames]`
`edlpenginenames`	`security_result.detection_fields[edlpenginenames]`
`eexternal_collabnames`	`additional.fields[eexternal_collabnames]`
`eextownername`	`additional.fields[eextownername]`
`eextrecptnames`	`network.email.to`
`efilename`	`target.file.names`
`efilepath`	`target.file.full_path`	If `efilepath` is not empty, then the `efilepath` log field is mapped to the `target.file.full_path` UDM field. Else if `filesource` is not empty, then the `filesource` log field is mapped to the `target.file.full_path` UDM field.
`efilesource`	`target.file.full_path`	If `filepath` is not empty, then the `filepath` log field is mapped to the `target.file.full_path` UDM field. Else if `efilesource` is not empty, then the `efilesource` log field is mapped to the `target.file.full_path` UDM field.
`efullurl`	`principal.url`	If the `efullurl` log field is not empty and the `efullurl` log field value is not equal to `Unknown URL`, then the `efullurl` log field is mapped to the `principal.url` UDM field.
`ehostname`	`target.hostname`
`einternal_collabnames`	`additional.fields[einternal_collabnames]`
`eintrecptnames`	`network.email.to`
`eobjectname`	`target.resource.name`
`eowner`	`principal.user.email_addresses`	If the `eowner` log field value matches the regular expression pattern `(^.@.$)`, then the `eowner` log field is mapped to the `principal.user.email_addresses` UDM field.
`eprojectname`	`target.resource.attribute.labels[eprojectname]`
`ereponame`	`target.resource.name`
`esender`	`network.email.from`	If the `esender` log field value matches the regular expression pattern `(^.@.$)`, then the `esender` log field is mapped to the `network.email.from` UDM field.
`ethreatname`	`security_result.threat_name`

Delta di mappatura UDM

La tabella seguente elenca la differenza tra la mappatura UDM precedente di ZSCALER_CASB e la nuova mappatura UDM di ZSCALER_CASB.

UDM Field Mapping Delta

Raw Field	Old UDM Mapping	New UDM Mapping
`oattchcomponentfilenames`	`security_result.detection_fields[oattchcomponentfilenames]`	`target.file.names`
`obucketname`	`security_result.detection_fields[obucketname]`	`target.resource.name`
`obucketowner`	`security_result.detection_fields[obucketowner]`	`target.resource.attribute.labels[obucketowner]`
`ochannel_name`	`security_result.detection_fields[ochannel_name]`	`additional.fields[ochannel_name]`
`ocollabnames`	`security_result.detection_fields[ocollabnames]`	`additional.fields[ocollabnames]`
`oextcollabnames`	`security_result.detection_fields[oextcollabnames]`	`additional.fields[oextcollabnames]`
`oexternal_collabnames`	`security_result.detection_fields[oexternal_collabnames]`	`additional.fields[oexternal_collabnames]`
`oexternal_recptnames`	`security_result.detection_fields[oexternal_recptnames]`	`network.email.to`
`oexternalownername`	`security_result.detection_fields[oexternalownername]`	`additional.fields[oexternalownername]`
`oextownername`	`security_result.detection_fields[oextownername]`	`additional.fields[oextownername]`
`oextrecptnames`	`security_result.detection_fields[oextrecptnames]`	`network.email.to`
`ofile_msg_id`	`security_result.detection_fields[ofile_msg_id]`	`additional.fields[ofile_msg_id]`
`ofileid`	`security_result.detection_fields[ofileid]`	`additional.fields[ofileid]`
`ofullurl`	`security_result.detection_fields[ofullurl]`	`principal.url`
`ohostname`	`security_result.detection_fields[ohostname]`	`target.hostname`
`ointcollabnames`	`security_result.detection_fields[ointcollabnames]`	`additional.fields[ointcollabnames]`
`ointernal_collabnames`	`security_result.detection_fields[ointernal_collabnames]`	`additional.fields[ointernal_collabnames]`
`ointernal_recptnames`	`security_result.detection_fields[ointernal_recptnames]`	`network.email.to`
`ointrecptnames`	`security_result.detection_fields[ointrecptnames]`	`network.email.to`
`omessageid`	`security_result.detection_fields[omessageid]`	`additional.fields[omessageid]`
`omsgid`	`security_result.detection_fields[omsgid]`	`additional.fields[omsgid]`
`oowner`	`security_result.detection_fields[oowner]`	`principal.user.email_addresses`
`orulelabel`	`security_result.detection_fields[orulelabel]`	`security_result.rule_name`
`osender`	`security_result.detection_fields[osender]`	`network.email.from`
`osharedchannel_hostname`	`security_result.detection_fields[osharedchannel_hostname]`	`target.hostname`
`otenant`	`security_result.detection_fields[otenant]`	`additional.fields[otenant]`
`ouser`	`security_result.detection_fields[ouser]`	`principal.user.email_addresses`
`ointcollab_groups`	`security_result.detection_fields[ointcollab_groups]`	`security_result.detection_fields[ointcollab_groups]`
`oextcollab_groups`	`security_result.detection_fields[oextcollab_groups]`	`security_result.detection_fields[oextcollab_groups]`
`malwareclass`	`security_result.detection_fields[malwareclass]`	`security_result.threat_name`
`msgid`	`security_result.detection_fields[msgid]`	`additional.fields[msgid]`
`sourcetype`	`security_result.detection_fields[sourcetype]`	`additional.fields[sourcetype]`

Passaggi successivi

Importazione dei dati in Google SecOps

Hai bisogno di ulteriore assistenza? Ricevi risposte dai membri della community e dai professionisti di Google SecOps.