Mengumpulkan log Zscaler CASB

Dokumen ini menjelaskan cara mengekspor log Zscaler CASB dengan menyiapkan feed Google Security Operations dan memetakan kolom log ke Model Data Terpadu (UDM).

Untuk mengetahui informasi selengkapnya, lihat Ringkasan penyerapan data ke Google SecOps.

Deployment umum terdiri dari Zscaler CASB dan feed Webhook Google SecOps yang dikonfigurasi untuk mengirim log ke Google SecOps. Namun, detail deployment dapat berbeda menurut pelanggan dan bisa lebih kompleks.

Deployment berisi komponen berikut:

Zscaler CASB: Platform tempat Anda mengumpulkan log.
Feed Google SecOps: Feed Google SecOps yang mengambil log dari Zscaler CASB dan menulis log ke Google SecOps.
Google SecOps: Mempertahankan dan menganalisis log.

Label penyerapan mengidentifikasi parser yang menormalisasi data log mentah ke dalam format UDM terstruktur. Dokumen ini berlaku khusus untuk parser yang terkait dengan label penyerapan ZSCALER_CASB.

Sebelum memulai

Pastikan Anda memiliki akses ke konsol Zscaler Internet Access. Untuk mengetahui informasi selengkapnya, lihat Bantuan ZIA untuk Akses SaaS dan Internet yang Aman.
Pastikan Anda menggunakan Zscaler CASB versi 1.0 atau 2.0.
Pastikan semua sistem dalam arsitektur deployment dikonfigurasi dengan zona waktu UTC.
Pastikan Anda memiliki kunci API yang diperlukan untuk menyelesaikan penyiapan feed di Google SecOps. Untuk mengetahui informasi selengkapnya, lihat Menyiapkan kunci API.

Menyiapkan feed

Untuk mengonfigurasi jenis log ini, ikuti langkah-langkah berikut:

Buka Setelan SIEM > Feed.
Klik Tambahkan Feed Baru.
Klik paket feed Zscaler.
Cari jenis log yang diperlukan, lalu klik Tambahkan Feed Baru.
Masukkan nilai untuk parameter input berikut:
- Jenis Sumber: Webhook (Direkomendasikan)
- Pemisah pemisahan: karakter yang digunakan untuk memisahkan baris log. Biarkan kosong jika tidak ada pembatas yang digunakan.
Opsi lanjutan
- Nama Feed: Nilai yang telah diisi otomatis yang mengidentifikasi feed.
- Namespace Aset: Namespace yang terkait dengan feed.
- Label Penyerapan: Label yang diterapkan ke semua peristiwa dari feed ini.
Klik Buat Feed.

Untuk mengetahui informasi selengkapnya tentang cara mengonfigurasi beberapa feed untuk berbagai jenis log dalam keluarga produk ini, lihat Mengonfigurasi feed menurut produk.

Menyiapkan Zscaler CASB

Di Konsol Zscaler Internet Access, klik Administration > Nanolog Streaming Service > Cloud NSS Feeds > Add Cloud NSS Feed.
Di jendela Tambahkan Feed NSS Cloud, masukkan detailnya.
Di kolom Nama Feed, masukkan nama unik untuk feed.
Pilih Zscaler for Web di NSS Type.
Di daftar Status, pilih status untuk mengaktifkan atau menonaktifkan feed NSS.
Biarkan Kecepatan SIEM sebagai Tidak Terbatas, kecuali jika Anda perlu membatasi aliran output karena lisensi atau batasan lainnya.
Dalam daftar Jenis SIEM, pilih Lainnya.
Di daftar OAuth 2.0 Authentication, pilih Disabled.
Di kolom Ukuran Batch Maksimum, masukkan batas ukuran untuk payload permintaan HTTP individual sesuai praktik terbaik SIEM; misalnya, 512 KB.
Di kolom API URL, masukkan URL HTTPS endpoint Chronicle API menggunakan format berikut:
```
  https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
```
- CHRONICLE_REGION: Region tempat instance Google SecOps Anda dihosting. Contoh, US.
- GOOGLE_PROJECT_NUMBER: Nomor project BYOP Anda. Dapatkan ini dari C4.
- LOCATION: Region Chronicle (Google SecOps) (sama dengan CHRONICLE_REGION). Misalnya, US.
- CUSTOMER_ID: ID pelanggan Google SecOps Anda. Dapatkan dari C4.
- FEED_ID: ID feed webhook yang baru dibuat (ditampilkan di UI Feed).
- Contoh URL API:
```
https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs
```
Klik Tambahkan Header HTTP, lalu tambahkan header HTTP dalam format berikut:
- Header 1: Key1: X-goog-api-key dan Value1: Kunci API yang dihasilkan dari Kredensial API BYOP Google Cloud .
- Header 2: Key2: X-Webhook-Access-Key dan Value2: Kunci rahasia API yang dihasilkan di "SECRET KEY" webhook.
Dalam daftar Jenis Log, pilih SaaS Security atau Aktivitas SaaS Security.
Dalam daftar Jenis Output Feed, pilih JSON.
Nonaktifkan Notasi Array JSON.
Tetapkan Feed Escape Character ke , \ ".
Di daftar Feed Output Type, pilih Custom untuk menambahkan kolom baru ke Feed Output Format.
Salin dan tempel Format Output Feed, lalu tambahkan kolom baru sesuai kebutuhan. Pastikan nama kunci cocok dengan nama kolom sebenarnya.

Berikut adalah Format Output Feed default:

Keamanan SaaS

\{ "sourcetype" : "zscalernss-casb", "event" :\{"datetime":"%s{time}","recordid":"%d{recordid}","company":"%s{company}","tenant":"%s{tenant}","login":"%s{user}","dept":"%s{department}","applicationname":"%s{applicationname}","filename":"%s{filename}","filesource":"%s{filesource}","filemd5":"%s{filemd5}","threatname":"%s{threatname}","policy":"%s{policy}","dlpdictnames":"%s{dlpdictnames}","dlpdictcount":"%s{dlpdictcount}","dlpenginenames":"%s{dlpenginenames}","fullurl":"%s{fullurl}","lastmodtime":"%s{lastmodtime}","filescantimems":"%d{filescantimems}","filedownloadtimems":"%d{filedownloadtimems}"\}\}

Aktivitas Keamanan SaaS

\{ "sourcetype" : "zscalernss-casb", "event" :\{"login":"%s{username}","tenant":"%s{tenant}","object_type":"%d{objtype1}","applicationname":"%s{appname}","object_name_1":"%s{objnames1}","object_name_2":"%s{objnames2}"\}\}

Dari daftar Timezone, pilih zona waktu untuk kolom Time dalam file output. Secara default, zona waktu ditetapkan ke zona waktu organisasi Anda.
Tinjau setelan yang dikonfigurasi.
Klik Simpan untuk menguji konektivitas. Jika koneksi berhasil, tanda centang hijau yang disertai pesan Test Connectivity Successful: OK (200) akan muncul.

Untuk mengetahui informasi selengkapnya tentang feed Google SecOps, lihat dokumentasi feed Google SecOps. Untuk mengetahui informasi tentang persyaratan untuk setiap jenis feed, lihat Konfigurasi feed menurut jenis.

Jika Anda mengalami masalah saat membuat feed, hubungi dukungan SecOps Google.

Referensi pemetaan kolom

Referensi pemetaan kolom: ZSCALER_CASB

Tabel berikut mencantumkan kolom log jenis log ZSCALER_CASB dan kolom UDM yang sesuai.

Log field	UDM mapping	Logic
`sourcetype`	`additional.fields[sourcetype]`
`objnames2`	`about.resource.name`
`object_name_2`	`about.resource.name`
`objtypename2`	`about.resource.resource_subtype`
`externalownername`	`additional.fields[externalownername]`
`act_cnt`	`additional.fields[act_cnt]`
`attchcomponentfiletypes`	`additional.fields[attchcomponentfiletypes]`
`channel_name`	`additional.fields[channel_name]`
`collabscope`	`additional.fields[collabscope]`
`day`	`additional.fields[day]`
`dd`	`additional.fields[dd]`
`dlpdictcount`	`security_result.detection_fields[dlpdictcount]`	If the `dlpdictcount` log field value is not empty and the `dlpdictcount` log field value is not equal to `None`, then the `dlpdictcount` log field is mapped to the `security_result.detection_fields.dlpdictcount` UDM field.
`dlpenginenames`	`security_result.detection_fields[dlpenginenames]`	If the `dlpenginenames` log field value is not empty and the `dlpenginenames` log field value is not equal to `None`, then the `dlpenginenames` log field is mapped to the `security_result.detection_fields.dlpenginenames` UDM field.
`epochlastmodtime`	`additional.fields[epochlastmodtime]`
`extcollabnames`	`additional.fields[extcollabnames]`
`extownername`	`additional.fields[extownername]`
`file_msg_id`	`additional.fields[file_msg_id]`
`fileid`	`additional.fields[fileid]`
`filescantimems`	`additional.fields[filescantimems]`
`filetypecategory`	`additional.fields[filetypecategory]`
`hh`	`additional.fields[hh]`
`messageid`	`additional.fields[messageid]`
`mm`	`additional.fields[mm]`
`mon`	`additional.fields[mon]`
`msgsize`	`additional.fields[msgsize]`
`mth`	`additional.fields[mth]`
`num_ext_recpts`	`additional.fields[num_ext_recpts]`
`num_int_recpts`	`additional.fields[num_int_recpts]`
`numcollab`	`additional.fields[numcollab]`
`rtime`	`additional.fields[rtime]`
`ss`	`additional.fields[ss]`
`suburl`	`additional.fields[suburl]`
`tenant`	`additional.fields[tenant]`
`tz`	`additional.fields[tz]`
`upload_doctypename`	`additional.fields[upload_doctypename]`
`yyyy`	`additional.fields[yyyy]`
`collabnames`	`additional.fields[collabnames]`
`companyid`	`additional.fields[companyid]`
`component`	`additional.fields[component]`
`intcollabnames`	`additional.fields[intcollabnames]`	If `intcollabnames` log field value does not match the regular expression pattern `None` then, for `index` in `intcollabnames`, the `index` is mapped to the `additional.fields.value.list_value` UDM field.
`internal_collabnames`	`additional.fields[internal_collabnames]`
`external_collabnames`	`additional.fields[external_collabnames]`
`num_external_collab`	`additional.fields[num_external_collab]`
`num_internal_collab`	`additional.fields[num_internal_collab]`
`repochtime`	`additional.fields[repochtime]`
`eventtime`	`metadata.event_timestamp`	If the `eventtime` log field value is not empty, then the `eventtime` log field is mapped to the `metadata.event_timestamp` UDM field.
`epochtime`	`metadata.event_timestamp`	If the `epochtime` log field value is not empty, then the `epochtime` log field is mapped to the `metadata.event_timestamp` UDM field.
`time`	`metadata.event_timestamp`	If the `time` log field value is not empty, then the `time` log field is mapped to the `metadata.event_timestamp` UDM field.
`datetime`	`metadata.event_timestamp`	If the `datetime` log field value is not empty, then the `datetime` log field is mapped to the `metadata.event_timestamp` UDM field.
	`metadata.event_type`	If `principal.ip` is not empty or `principal.hostname` is not empty, and `target.ip` is not empty, then `metadata.event_type` is set to `NETWORK_CONNECTION`. Else if any of the following UDM fields are empty: `principal.user.userid`, `principal.user.email_addresses`, `principal.hostname`, `principal.asset_id`, `principal.ip`, `principal.mac`, `target.hostname`, `target.asset_id`, `target.ip`, `target.mac`, `target.user.email_addresses`, `target.user.userid`, then `metadata.event_type` is set to `USER_UNCATEGORIZED`. Else if any of the following UDM fields are empty: `principal.hostname`, `principal.asset_id`, `principal.ip`, `principal.mac`, then `metadata.event_type` is set to `STATUS_UPDATE`.
`act_type_name`	`metadata.product_event_type`
`recordid`	`metadata.product_log_id`
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `CASB`.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Zscaler`.
`sender`	`network.email.from`	If the `sender` log field value matches the regular expression pattern `(^.@.$)`, then the `sender` log field is mapped to the `network.email.from` UDM field.
`extrecptnames`	`network.email.to`	For `index` in `extrecptnames`, the `index` is mapped to the `network.email.to` UDM field.
`internal_recptnames`	`network.email.to`	For `index` in `internal_recptnames`, the `index` is mapped to the `network.email.to` UDM field.
`external_recptnames`	`network.email.to`	For `index` in `external_recptnames`, the `index` is mapped to the `network.email.to` UDM field.
`intrecptnames`	`network.email.to`	For `index` in `intrecptnames`, the `index` is mapped to the `network.email.to` UDM field.
`applicationname`	`principal.application`	If the `applicationname` log field value is not empty, then the `applicationname` log field is mapped to the `principal.application` UDM field. Else, the `appname` log field is mapped to the `principal.application` UDM field.
`appname`	`principal.application`	If the `applicationname` log field value is not empty, then the `applicationname` log field is mapped to the `principal.application` UDM field. Else, the `appname` log field is mapped to the `principal.application` UDM field.
`src_ip`	`principal.ip`
`fullurl`	`principal.url`	If the `fullurl` log field is not empty and the `fullurl` log field value is not equal to `Unknown URL`, then the `fullurl` log field is mapped to the `principal.url` UDM field.
`is_admin_act`	`principal.user.attribute.labels[is_admin_act]`
	`principal.user.attribute.roles.type`	If the `is_admin_act` log field value is equal to `1`, then the `principal.user.attribute.roles.type` UDM field is set to `ADMINISTRATOR`.
`company`	`principal.user.company_name`
`department`	`principal.user.department`	If the `dept` log field value is not empty, then the `dept` log field is mapped to the `principal.user.department` UDM field. Else, the `department` log field is mapped to the `principal.user.department` UDM field.
`dept`	`principal.user.department`	If the `dept` log field value is not empty, then the `dept` log field is mapped to the `principal.user.department` UDM field. Else, the `department` log field is mapped to the `principal.user.department` UDM field.
`user`	`principal.user.email_addresses`	If the `user` log field value matches the regular expression pattern `(^.@.$)`, then the `user` log field is mapped to the `principal.user.email_addresses` UDM field.
`username`	`principal.user.email_addresses`	If the `username` log field value matches the regular expression pattern `(^.@.$)`, then the `username` log field is mapped to the `principal.user.email_addresses` UDM field.
`owner`	`principal.user.email_addresses`	If the `owner` log field value matches the regular expression pattern `(^.@.$)`, then the `owner` log field is mapped to the `principal.user.email_addresses` UDM field.
`login`	`principal.user.email_addresses`	If the `login` log field value matches the regular expression pattern `(^.@.$)`, then the `login` log field is mapped to the `principal.user.email_addresses` UDM field.
`login`	`principal.user.userid`	If the `login` log field value does not match the regular expression pattern `^.+@.+$`, then the `login` log field is mapped to the `principal.user.userid` UDM field.
`malware`	`security_result.associations.name`
	`security_result.associations.type`	If the `malware` log field value is not empty, then the `security_result.associations.type` UDM field is set to `MALWARE`.
`dlpdictnames`	`security_result.detection_fields[dlpdictnames]`
`dlpidentifier`	`security_result.detection_fields[dlpidentifier]`
`filedownloadtimems`	`additional.fields[filedownloadtimems]`
`malwareclass`	`security_result.threat_name`
`msgid`	`additional.fields[msgid]`
`oattchcomponentfilenames`	`target.file.names`
`obucketname`	`target.resource.name`
`obucketowner`	`target.resource.attribute.labels[obucketowner]`
`ochannel_name`	`additional.fields[ochannel_name]`
`ocollabnames`	`additional.fields[ocollabnames]`
`odlpdictnames`	`security_result.detection_fields[odlpdictnames]`
`odlpenginenames`	`security_result.detection_fields[odlpenginenames]`
`oextcollabnames`	`additional.fields[oextcollabnames]`
`oexternal_collabnames`	`additional.fields[oexternal_collabnames]`
`oexternal_recptnames`	`network.email.to`
`oexternalownername`	`additional.fields[oexternalownername]`
`oextownername`	`additional.fields[oextownername]`
`oextrecptnames`	`network.email.to`
`ofile_msg_id`	`additional.fields[ofile_msg_id]`
`ofileid`	`additional.fields[ofileid]`
`ofullurl`	`principal.url`	If the `ofullurl` log field is not empty and the `ofullurl` log field value is not equal to `Unknown URL`, then the `ofullurl` log field is mapped to the `principal.url` UDM field.
`ohostname`	`target.hostname`
`ointcollabnames`	`additional.fields[ointcollabnames]`
`ointernal_collabnames`	`additional.fields[ointernal_collabnames]`
`ointernal_recptnames`	`network.email.to`
`ointrecptnames`	`network.email.to`
`omessageid`	`additional.fields[omessageid]`
`omsgid`	`additional.fields[omsgid]`
`oowner`	`principal.user.email_addresses`	If the `oowner` log field value matches the regular expression pattern `(^.@.$)`, then the `oowner` log field is mapped to the `principal.user.email_addresses` UDM field.
`orulelabel`	`security_result.rule_name`
`osender`	`network.email.from`	If the `osender` log field value matches the regular expression pattern `(^.@.$)`, then the `osender` log field is mapped to the `network.email.from` UDM field.
`osharedchannel_hostname`	`target.hostname`
`otenant`	`additional.fields[otenant]`
`ouser`	`principal.user.email_addresses`	If the `ouser` log field value matches the regular expression pattern `(^.@.$)`, then the `ouser` log field is mapped to the `principal.user.email_addresses` UDM field.
`any_incident`	`security_result.detection_fields[any_incident]`
`is_inbound`	`security_result.detection_fields[is_inbound]`
`policy`	`security_result.rule_labels[policy]`
`ruletype`	`security_result.rule_labels[ruletype]`
`rulelabel`	`security_result.rule_name`
	`security_result.severity`	If the `severity` log field value is equal to `High`, then the `security_result.severity` UDM field is set to `HIGH`. Else, if the `severity` log field value is equal to `Medium`, then the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `severity` log field value is equal to `Low`, then the `security_result.sevrity` UDM field is set to `LOW`. Else, if the `severity` log field value is equal to `Information`, then the `security_result.severity` UDM field is set to `INFORMATIONAL`.
`threatname`	`security_result.threat_name`	If the `threatname` log field value is not empty and the `dlpdictcount` log field value is not equal to `None`, then the `threatname` log field is mapped to the `security_result.threat_name` UDM field.
`filesource`	`target.file.full_path`	If `filepath` is not empty, then the `filepath` log field is mapped to the `target.file.full_path` UDM field. Else if `filesource` is not empty, then the `filesource` log field is mapped to the `target.file.full_path` UDM field.
`filepath`	`target.file.full_path`	If `filepath` is not empty, then the `filepath` log field is mapped to the `target.file.full_path` UDM field. Else if `filesource` is not empty, then the `filesource` log field is mapped to the `target.file.full_path` UDM field.
`lastmodtime`	If the `file_msg_mod_time` log field value is not empty, then the `file_msg_mod_time` log field is mapped to the `target.file.last_modification_time` UDM field. Else if the `lastmodtime` log field value is not empty, then the `lastmodtime` log field is mapped to the `target.file.last_modification_time` UDM field.
`file_msg_mod_time`	`target.file.last_modification_time`	If the `file_msg_mod_time` log field value is not empty, then the `file_msg_mod_time` log field is mapped to the `target.file.last_modification_time` UDM field. Else if the `lastmodtime` log field value is not empty, then the `lastmodtime` log field is mapped to the `target.file.last_modification_time` UDM field.
`filemd5`	`target.file.md5`	If the `attchcomponentmd5s` log field value is not equal to empty and the `attchcomponentmd5s` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `attchcomponentmd5s` log field is mapped to the `target.file.md5` UDM field. Else, if the `filemd5` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `filemd5` log field is mapped to the `target.file.md5` UDM field.
`filetypename`	`target.file.mime_type`
`filename`	`target.file.names`
`attchcomponentfilenames`	`target.file.names`
`attchcomponentfilesizes`	`target.file.size`	If the `filesize` log field value is not empty, then the `filesize` log field is mapped to the `target.file.size` UDM field. Else if the `attchcomponentfilesizes` log field value is not empty, then the `attchcomponentfilesizes` log field is mapped to the `target.file.size` UDM field.
`b64attchcomponentfilesizes`	`target.file.size`	If the `filesize` log field value is not empty, then the `filesize` log field is mapped to the `target.file.size` UDM field. Else if the `b64attchcomponentfilesizes` log field value is not empty, then the `b64attchcomponentfilesizes` log field is mapped to the `target.file.size` UDM field.
`sha`	`target.file.sha256`	If the `sha` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `sha` log field is mapped to the `target.file.sha256` UDM field.
`filesize`	`target.file.size`	If the `filesize` log field value is not empty, then the `filesize` log field is mapped to the `target.file.size` UDM field. Else if the `attchcomponentfilesizes` log field value is not empty, then the `attchcomponentfilesizes` log field is mapped to the `target.file.size` UDM field.
`sharedchannel_hostname`	`target.hostname`
`hostname`	`target.hostname`	If the `sharedchannel_hostname` log field value is empty and the `osharedchannel_hostname` log field value is empty, then the `hostname` log field is mapped to the `target.hostname` UDM field.
`datacentercity`	`target.location.city`
`datacentercountry`	`target.location.country_or_region`
`datacenter`	`target.location.name`
`bucketowner`	`target.resource.attribute.labels[bucketowner]`
`projectname`	`target.resource.attribute.labels[projectname]`
`bucketname`	`target.resource.name`	If the `bucketname` log field value is not empty, then the `bucketname` log field is mapped to the `target.resource.name` UDM field.
`objnames1`	`target.resource.name`	If the `objnames1` log field value is not empty, then the `objnames1` log field is mapped to the `target.resource.name` UDM field.
`objectname`	`target.resource.name`	If the `objectname` log field value is not empty, then the `objectname` log field is mapped to the `target.resource.name` UDM field.
`reponame`	`target.resource.name`	If the `reponame` log field value is not empty, then the `reponame` log field is mapped to the `target.resource.name` UDM field.
`object_name_1`	`target.resource.name`	If the `object_name_1` log field value is not empty, then the `object_name_1` log field is mapped to the `target.resource.name` UDM field.
`bucketid`	`target.resource.product_object_id`
`objtypename1`	`target.resource.resource_subtype`	If the `objtypename1` log field value is not empty, then the `objtypename1` log field is mapped to the `target.resource.resource_subtype` UDM field.
`objecttype`	`target.resource.resource_subtype`	If the `objecttype` log field value is not empty, then the `objecttype` log field is mapped to the `target.resource.resource_subtype` UDM field.
`object_type`	`target.resource.resource_subtype`
	`target.resource.resource_type`	If the `bucketname` log field value is not empty, then the `target.resource.resource_type` UDM field is set to `STORAGE_BUCKET`. If the `reponame` log field value is not empty, then the `target.resource.resource_type` UDM field is set to `REPOSITORY`.
`departmentname`	`principal.user.department`
`extusername`	`target.user.userid`
`download_time`	`additional.fields[download_time]`
`runid`	`additional.fields[runid]`
`scan_time`	`additional.fields[scan_time]`
`scanid`	`additional.fields[scanid]`
`file_doctype`	`additional.fields[file_doctype]`
`filesha`	`additional.fields[filesha]`
`sender_type`	`additional.fields[sender_type]`
`last_edit_user`	`security_result.detection_fields[last_edit_user]`
`last_share_user`	`security_result.detection_fields[last_share_user]`
`last_shared_on`	`security_result.detection_fields[last_shared_on]`
`botname`	`security_result.detection_fields[botname]`
`dlpengnames`	`security_result.detection_fields[dlpengnames]`
`filetype`	`target.file.file_type`	If the `filetype` log field value is equal to `pdf`, then the `target.file.file_type` UDM field is set to `FILE_TYPE_PDF`. Else if the `filetype` log field value is equal to `ppt`, then the `target.file.file_type` UDM field is set to `FILE_TYPE_PPT`. Else, the `additional.fields.key` UDM field is set to `filetype` and the `filetype` log field is mapped to the `additional.fields.value.string_value` UDM field.
`extcollab_groups`	`security_result.detection_fields[extcollab_groups]`
`intcollab_groups`	`security_result.detection_fields[intcollab_groups]`
`oextcollab_groups`	`security_result.detection_fields[oextcollab_groups]`
`ointcollab_groups`	`security_result.detection_fields[ointcollab_groups]`
`dlpdictcnts`	`security_result.detection_fields[dlpdictcnts]`
`attchcomponentmd5s`	`target.file.md5`	If the `attchcomponentmd5s` log field value is not equal to empty and the `attchcomponentmd5s` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `attchcomponentmd5s` log field is mapped to the `target.file.md5` UDM field. Else, if the `filemd5` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `filemd5` log field is mapped to the `target.file.md5` UDM field.
`b64attchcomponentfilenames`	`target.file.names`
`b64attchcomponentfiletypes`	`additional.fields[b64attchcomponentfiletypes]`
`b64attchcomponentmd5s`	`target.file.md5`	If the `b64attchcomponentmd5s` log field value is not equal to empty and the `b64attchcomponentmd5s` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `b64attchcomponentmd5s` log field is mapped to the `target.file.md5` UDM field. Else, if the `filemd5` log field value matches the regular expression pattern `^[a-fA-F0-9]{32}$`, then the `filemd5` log field is mapped to the `target.file.md5` UDM field.
`b64bucketname`	`target.resource.name`
`b64collabnames`	`additional.fields[b64collabnames]`
`b64department`	`principal.user.department`	If the `dept` log field value is not empty, then the `dept` log field is mapped to the `principal.user.department` UDM field. Else, the `b64department` log field is mapped to the `principal.user.department` UDM field.
`b64dlpdictnames`	`security_result.detection_fields[b64dlpdictnames]`
`b64dlpenginenames`	`security_result.detection_fields[b64dlpenginenames]`
`b64external_collabnames`	`additional.fields[b64external_collabnames]`
`b64external_recptnames`	`network.email.to`
`b64extownername`	`additional.fields[b64extownername]`
`b64extrecptnames`	`network.email.to`
`b64filename`	`target.file.names`
`b64filepath`	`target.file.full_path`	If `b64filepath` is not empty, then the `b64filepath` log field is mapped to the `target.file.full_path` UDM field. Else if `filesource` is not empty, then the `filesource` log field is mapped to the `target.file.full_path` UDM field.
`b64filesource`	`target.file.full_path`	If `filepath` is not empty, then the `filepath` log field is mapped to the `target.file.full_path` UDM field. Else if `b64filesource` is not empty, then the `b64filesource` log field is mapped to the `target.file.full_path` UDM field.
`b64fullurl`	`principal.url`	If the `b64fullurl` log field is not empty and the `b64fullurl` log field value is not equal to `Unknown URL`, then the `b64fullurl` log field is mapped to the `principal.url` UDM field.
`b64hostname`	`target.hostname`	If the `sharedchannel_hostname` log field value is empty and the `osharedchannel_hostname` log field value is empty, then the `b64hostname` log field is mapped to the `target.hostname` UDM field.
`b64internal_collabnames`	`additional.fields[b64internal_collabnames]`
`b64internal_recptnames`	`network.email.to`
`b64intrecptnames`	`network.email.to`
`b64objectname`	`target.resource.name`
`b64owner`	`principal.user.email_addresses`	If the `b64owner` log field value matches the regular expression pattern `(^.@.$)`, then the `b64owner` log field is mapped to the `principal.user.email_addresses` UDM field.
`b64projectname`	`target.resource.attribute.labels[b64projectname]`
`b64reponame`	`target.resource.name`
`b64rulelabel`	`security_result.rule_name`
`b64sender`	`network.email.from`	If the `b64sender` log field value matches the regular expression pattern `(^.@.$)`, then the `b64sender` log field is mapped to the `network.email.from` UDM field.
`b64tenant`	`additional.fields[b64tenant]`
`b64threatname`	`security_result.threat_name`
`b64intcollab_groups`	`security_result.detection_fields[b64intcollab_groups]`
`b64extcollab_groups`	`security_result.detection_fields[b64extcollab_groups]`
`eattchcomponentfilenames`	`target.file.names`
`eattchcomponentfiletypes`	`additional.fields[eattchcomponentfiletypes]`
`ebucketname`	`target.resource.name`
`ebucketowner`	`target.resource.attribute.labels[ebucketowner]`
`ecollabnames`	`additional.fields[ecollabnames]`
`edepartment`	`principal.user.department`	If the `dept` log field value is not empty, then the `dept` log field is mapped to the `principal.user.department` UDM field. Else, the `edepartment` log field is mapped to the `principal.user.department` UDM field.
`edlpdictnames`	`security_result.detection_fields[edlpdictnames]`
`edlpenginenames`	`security_result.detection_fields[edlpenginenames]`
`eexternal_collabnames`	`additional.fields[eexternal_collabnames]`
`eextownername`	`additional.fields[eextownername]`
`eextrecptnames`	`network.email.to`
`efilename`	`target.file.names`
`efilepath`	`target.file.full_path`	If `efilepath` is not empty, then the `efilepath` log field is mapped to the `target.file.full_path` UDM field. Else if `filesource` is not empty, then the `filesource` log field is mapped to the `target.file.full_path` UDM field.
`efilesource`	`target.file.full_path`	If `filepath` is not empty, then the `filepath` log field is mapped to the `target.file.full_path` UDM field. Else if `efilesource` is not empty, then the `efilesource` log field is mapped to the `target.file.full_path` UDM field.
`efullurl`	`principal.url`	If the `efullurl` log field is not empty and the `efullurl` log field value is not equal to `Unknown URL`, then the `efullurl` log field is mapped to the `principal.url` UDM field.
`ehostname`	`target.hostname`
`einternal_collabnames`	`additional.fields[einternal_collabnames]`
`eintrecptnames`	`network.email.to`
`eobjectname`	`target.resource.name`
`eowner`	`principal.user.email_addresses`	If the `eowner` log field value matches the regular expression pattern `(^.@.$)`, then the `eowner` log field is mapped to the `principal.user.email_addresses` UDM field.
`eprojectname`	`target.resource.attribute.labels[eprojectname]`
`ereponame`	`target.resource.name`
`esender`	`network.email.from`	If the `esender` log field value matches the regular expression pattern `(^.@.$)`, then the `esender` log field is mapped to the `network.email.from` UDM field.
`ethreatname`	`security_result.threat_name`

Delta Pemetaan UDM

Tabel berikut mencantumkan perbedaan antara Pemetaan UDM Lama ZSCALER_CASB dan Pemetaan UDM Baru ZSCALER_CASB.

UDM Field Mapping Delta

Raw Field	Old UDM Mapping	New UDM Mapping
`oattchcomponentfilenames`	`security_result.detection_fields[oattchcomponentfilenames]`	`target.file.names`
`obucketname`	`security_result.detection_fields[obucketname]`	`target.resource.name`
`obucketowner`	`security_result.detection_fields[obucketowner]`	`target.resource.attribute.labels[obucketowner]`
`ochannel_name`	`security_result.detection_fields[ochannel_name]`	`additional.fields[ochannel_name]`
`ocollabnames`	`security_result.detection_fields[ocollabnames]`	`additional.fields[ocollabnames]`
`oextcollabnames`	`security_result.detection_fields[oextcollabnames]`	`additional.fields[oextcollabnames]`
`oexternal_collabnames`	`security_result.detection_fields[oexternal_collabnames]`	`additional.fields[oexternal_collabnames]`
`oexternal_recptnames`	`security_result.detection_fields[oexternal_recptnames]`	`network.email.to`
`oexternalownername`	`security_result.detection_fields[oexternalownername]`	`additional.fields[oexternalownername]`
`oextownername`	`security_result.detection_fields[oextownername]`	`additional.fields[oextownername]`
`oextrecptnames`	`security_result.detection_fields[oextrecptnames]`	`network.email.to`
`ofile_msg_id`	`security_result.detection_fields[ofile_msg_id]`	`additional.fields[ofile_msg_id]`
`ofileid`	`security_result.detection_fields[ofileid]`	`additional.fields[ofileid]`
`ofullurl`	`security_result.detection_fields[ofullurl]`	`principal.url`
`ohostname`	`security_result.detection_fields[ohostname]`	`target.hostname`
`ointcollabnames`	`security_result.detection_fields[ointcollabnames]`	`additional.fields[ointcollabnames]`
`ointernal_collabnames`	`security_result.detection_fields[ointernal_collabnames]`	`additional.fields[ointernal_collabnames]`
`ointernal_recptnames`	`security_result.detection_fields[ointernal_recptnames]`	`network.email.to`
`ointrecptnames`	`security_result.detection_fields[ointrecptnames]`	`network.email.to`
`omessageid`	`security_result.detection_fields[omessageid]`	`additional.fields[omessageid]`
`omsgid`	`security_result.detection_fields[omsgid]`	`additional.fields[omsgid]`
`oowner`	`security_result.detection_fields[oowner]`	`principal.user.email_addresses`
`orulelabel`	`security_result.detection_fields[orulelabel]`	`security_result.rule_name`
`osender`	`security_result.detection_fields[osender]`	`network.email.from`
`osharedchannel_hostname`	`security_result.detection_fields[osharedchannel_hostname]`	`target.hostname`
`otenant`	`security_result.detection_fields[otenant]`	`additional.fields[otenant]`
`ouser`	`security_result.detection_fields[ouser]`	`principal.user.email_addresses`
`ointcollab_groups`	`security_result.detection_fields[ointcollab_groups]`	`security_result.detection_fields[ointcollab_groups]`
`oextcollab_groups`	`security_result.detection_fields[oextcollab_groups]`	`security_result.detection_fields[oextcollab_groups]`
`malwareclass`	`security_result.detection_fields[malwareclass]`	`security_result.threat_name`
`msgid`	`security_result.detection_fields[msgid]`	`additional.fields[msgid]`
`sourcetype`	`security_result.detection_fields[sourcetype]`	`additional.fields[sourcetype]`

Langkah berikutnya

Penyerapan data ke Google SecOps

Perlu bantuan lain? Dapatkan jawaban dari anggota Komunitas dan profesional Google SecOps.