Collect Zscaler DLP logs
This document describes how to configure a Google Security Operations feed to export Zscaler DLP logs, and how the log fields map to Google SecOps Unified Data Model (UDM) fields.
For more information, see Data ingestion to Google SecOps overview.
A typical deployment consists of Zscaler DLP and a Google SecOps webhook feed that is configured to send logs to Google SecOps. Each customer deployment may differ and may be more complex.
The deployment contains the following components:
Zscaler DLP: the platform from which logs are collected.
Google SecOps feed: the Google SecOps feed fetches logs from Zscaler DLP and writes them to Google SecOps.
Google Security Operations: retains and analyzes the logs.
An ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the parser with the ZSCALER_DLP label.
Before you begin
Ensure that you meet the following prerequisites:
- Access to the Zscaler Internet Access console. For more information, see Secure Internet and SaaS Access ZIA Help.
- Zscaler DLP 2024 or later
- All systems in the deployment architecture are configured with the UTC time zone.
- The API key needed to complete the feed setup in Google Security Operations. For more information, see Set up API keys.
Set up feeds
To configure this log type, follow these steps:
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- Click the Zscaler feed pack.
- Locate the required log type and click Add New Feed.
Specify values for the following input parameters:
- Source Type: Webhook (recommended)
- Split Delimiter: the character used to separate log lines. Leave this blank if no delimiter is used.
Advanced options
- Feed Name: a prefilled value that identifies the feed.
- Asset Namespace: the namespace associated with the feed.
- Ingestion Labels: the label applied to all events from this feed.
Click Create Feed.
For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.
Configure Zscaler DLP
- In the Zscaler Internet Access console, go to Administration > Nanolog Streaming Service > Cloud NSS Feeds.
- Click Add Cloud NSS Feed.
- In the Feed Name field, enter a name for the feed.
- In NSS Type, select NSS for Web.
- Select a status from the Status list to activate or deactivate the NSS feed.
- Keep the value of the SIEM Rate menu as Unlimited. Change the value only if you need to throttle the output stream because of licensing or other constraints.
- In the SIEM Type list, select Other.
- In the OAuth 2.0 Authentication list, select Disabled.
- In Max Batch Size, enter the maximum size of an individual HTTP request payload (for example, 512 KB), following the SIEM's best practices.
- In API URL, enter the HTTPS URL of the Chronicle API endpoint in the following format:
  https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
  - CHRONICLE_REGION: the region where your Google SecOps instance is hosted (for example, US).
  - GOOGLE_PROJECT_NUMBER: the bring-your-own-project (BYOP) number. Obtain this from C4.
  - LOCATION: the Google SecOps region (for example, US).
  - CUSTOMER_ID: the Google SecOps customer ID. Obtain this from C4.
  - FEED_ID: the feed ID shown in the feed UI for the newly created webhook.
  Example API URL:
  https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs
- Click Add HTTP Headers and add the HTTP headers in the following format:
  - Header 1: Key1: X-goog-api-key and Value1: the API key generated in the API credentials of the Google Cloud BYOP.
  - Header 2: Key2: X-Webhook-Access-Key and Value2: the API secret key generated in the webhook's SECRET KEY.
- In the Log Type list, select Endpoint DLP.
- In the Feed Output Type list, select JSON.
- Disable JSON Array Notation.
- Set Feed Escape Character to , \ "
- To add a new field to the feed output format, select Custom in the Feed Output Type list.
- Copy and paste the Feed Output Format and add the new fields. Ensure that the key names match the actual field names.
  The following is the default feed output format:
  \{ "sourcetype" : "zscalernss-edlp", "event" :\{"time":"%s{time}","recordid":"%d{recordid}","login":"%s{user}","dept":"%s{department}","filetypename":"%s{filetypename}","filemd5":"%s{filemd5}","dlpdictnames":"%s{dlpdictnames}","dlpdictcount":"%s{dlpcounts}","dlpenginenames":"%s{dlpengnames}","channel":"%s{channel}","actiontaken":"%s{actiontaken}","severity":"%s{severity}","rulename":"%s{triggeredrulelabel}","itemdstname":"%s{itemdstname}"\}\}
- In the Timezone list, select the time zone for the Time field of the output file. The default time zone is your organization's time zone.
- Review the configured settings.
- Click Save to test connectivity. If the connection is successful, a green check mark appears along with the message Test Connectivity Successful: OK (200).
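The push that the Cloud NSS feed performs against the webhook is easy to get subtly wrong (placeholders left in the URL, a header name mistyped, a credential copied into a ticket). The following script is an added example, not Google's or Zscaler's code: it assembles the importPushLogs URL from the five placeholders above, refuses values that are still placeholders, attaches the two required headers, and produces a redacted view of the request that is safe to paste into a support case. It assumes that records are sent one JSON object per line (JSON Array Notation is disabled in the feed), that a `Content-Type: application/json` header is appropriate, and that the customer and feed IDs are UUID-shaped as in the example URL; the IDs and sample record values below are constructed.

```python
import json
import os
import re
import urllib.request

# Customer and feed IDs are UUIDs in the feed UI (assumption drawn from the example URL's shape).
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# The two headers the feed setup asks for; both carry credentials and must never be logged.
SECRET_HEADERS = ("X-goog-api-key", "X-Webhook-Access-Key")


def build_push_url(region, project_number, location, customer_id, feed_id):
    """Assemble the importPushLogs endpoint from the five placeholders in the API URL format,
    refusing values that are still placeholders or have the wrong shape."""
    region = region.lower()  # the example URL uses 'us-chronicle'
    if not re.fullmatch(r"[a-z0-9-]+", region):
        raise ValueError(f"CHRONICLE_REGION looks wrong: {region!r}")
    if not project_number.isdigit():
        raise ValueError("GOOGLE_PROJECT_NUMBER must be the numeric BYOP project number")
    for name, value in (("CUSTOMER_ID", customer_id), ("FEED_ID", feed_id)):
        if not UUID_RE.match(value):
            raise ValueError(f"{name} must be the UUID shown in the feed UI, got {value!r}")
    return (f"https://{region}-chronicle.googleapis.com/v1alpha/projects/{project_number}"
            f"/locations/{location}/instances/{customer_id}/feeds/{feed_id}:importPushLogs")


def prepare_push(url, api_key, webhook_secret, records, max_batch_bytes=512 * 1024):
    """Describe one push as a plain dict: URL, the required headers, and a body holding one
    JSON object per line (JSON Array Notation is disabled in the feed, so records are not
    wrapped in a list; newline separation and the Content-Type are this example's assumptions)."""
    lines = [json.dumps(r, separators=(",", ":")) for r in records]
    body = "\n".join(lines) + "\n"
    if len(body.encode()) > max_batch_bytes:
        raise ValueError("batch exceeds Max Batch Size; split it into smaller pushes")
    return {"url": url, "body": body,
            "headers": {"X-goog-api-key": api_key, "X-Webhook-Access-Key": webhook_secret,
                        "Content-Type": "application/json"}}


def redacted(prepared):
    """Copy of a prepared push that is safe to print or log: credential headers are masked."""
    masked = {k: ("***" if k in SECRET_HEADERS else v) for k, v in prepared["headers"].items()}
    return {**prepared, "headers": masked}


def send(prepared, timeout=10):
    """POST the batch; HTTP 200 is what the console reports as 'Test Connectivity Successful: OK (200)'."""
    req = urllib.request.Request(prepared["url"], data=prepared["body"].encode(),
                                 headers=prepared["headers"], method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


# Constructed record in the default feed output format (the page's sample values, abridged).
SAMPLE_RECORD = {"sourcetype": "zscalernss-edlp", "event": {
    "time": "Thu Jun 20 21:14:56 2024", "recordid": "7382697059455533057",
    "login": "dummy@domain.com", "filemd5": "9a2d0d62c22994a98f65939ddcd3eb8f",
    "channel": "Removable Storage", "actiontaken": "Confirm Allow", "severity": "High Severity"}}

if __name__ == "__main__":
    # The IDs below are constructed placeholders; replace them with the values from your feed UI.
    url = build_push_url("us", "12345678910", "US",
                         "11111111-2222-3333-4444-555555555555",
                         "66666666-7777-8888-9999-aaaaaaaaaaaa")
    push = prepare_push(url, os.environ.get("X_GOOG_API_KEY", "<API_KEY>"),
                        os.environ.get("WEBHOOK_SECRET", "<SECRET_KEY>"), [SAMPLE_RECORD])
    print(json.dumps(redacted(push), indent=2))       # never print the unredacted push
    if os.environ.get("ZSCALER_PUSH_LIVE") == "1":    # opt in explicitly before touching the network
        print("HTTP", send(push))
```

Run as a script it only prints the redacted request; set `ZSCALER_PUSH_LIVE=1` together with the two credential environment variables to actually post a batch and see the status code the console's connectivity test reports.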
For more information about Google SecOps feeds, see the Google SecOps feeds documentation. For information about the requirements for each feed type, see Configure feeds by type.
If you encounter issues when creating feeds, contact Google SecOps support.
Supported Zscaler DLP log formats
The Zscaler DLP parser supports logs in JSON format.
Supported Zscaler DLP sample logs
JSON:
{ "sourcetype": "zscalernss-edlp", "event": { "time": "Thu Jun 20 21:14:56 2024", "recordid": "7382697059455533057", "login": "dummy@domain.com", "dept": "General Group", "filetypename": "xlsx", "filemd5": "9a2d0d62c22994a98f65939ddcd3eb8f", "dlpdictnames": "Social Security Number (US): Detect leakage of United States Social Security Numbers|Credit Cards: Detect leakage of credit card information|Aadhaar Card Number (India): Detect Leakage of Indian Aadhaar Card Numbers", "dlpdictcount": "1428|141|81", "dlpenginenames": "Dummy Engine|cc|PCI|GLBA|HIPAA", "channel": "Removable Storage", "actiontaken": "Confirm Allow", "severity": "High Severity", "rulename": "Endpoint_DLP_", "itemdstname": "Removable Storage" } }
UDM mapping table
The following table lists the log fields of the ZSCALER_DLP log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
| mon | additional.fields[mon] | |
| day | additional.fields[day] | |
| scantime | additional.fields[scantime] | |
| numdlpengids | security_result.detection_fields[numdlpengids] | |
| numdlpdictids | security_result.detection_fields[numdlpdictids] | |
| recordid | metadata.product_log_id | |
| scanned_bytes | additional.fields[scanned_bytes] | |
| dlpidentifier | security_result.detection_fields[dlpidentifier] | |
| login | principal.user.user_display_name | |
| b64user | principal.user.user_display_name | |
| euser | principal.user.user_display_name | |
| ouser | principal.user.user_display_name | |
| dept | principal.user.department | |
| b64department | principal.user.department | |
| edepartment | principal.user.department | |
| odepartment | principal.user.department | |
| odevicename | security_result.detection_fields[odevicename] | |
| devicetype | principal.asset.attribute.labels[devicetype] | |
| | principal.asset.platform_software.platform | If the deviceostype log field value matches the regular expression pattern (?i)Windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS. |
| devicename, b64devicename, edevicename, odevicename | principal.asset.asset_id | If the devicename log field value is not empty, then the asset_id:devicename log field is mapped to the principal.asset.asset_id UDM field. If the b64devicename log field value is not empty, then the asset_id:b64devicename log field is mapped to the principal.asset.asset_id UDM field. If the edevicename log field value is not empty, then the asset_id:edevicename log field is mapped to the principal.asset.asset_id UDM field. If the odevicename log field value is not empty, then the asset_id:odevicename log field is mapped to the principal.asset.asset_id UDM field. |
| deviceplatform | principal.asset.attribute.labels[deviceplatform] | |
| deviceosversion | principal.asset.platform_software.platform_version | |
| devicemodel | principal.asset.hardware.model | |
| deviceappversion | principal.asset.software.version | |
| deviceowner | principal.asset.attribute.labels[deviceowner] | |
| b64deviceowner | principal.asset.attribute.labels[b64deviceowner] | |
| edeviceowner | principal.asset.attribute.labels[edeviceowner] | |
| odeviceowner | principal.asset.attribute.labels[odeviceowner] | |
| devicehostname | principal.hostname | |
| b64devicehostname | principal.hostname | |
| edevicehostname | principal.hostname | |
| odevicehostname | principal.hostname | |
| datacenter | target.location.name | |
| datacentercity | target.location.city | |
| datacentercountry | target.location.country_or_region | |
| dsttype | target.resource.resource_subtype | |
| filedoctype | additional.fields[filedoctype] | |
| filedstpath | target.file.full_path | |
| b64filedstpath | target.file.full_path | |
| efiledstpath | target.file.full_path | |
| filemd5 | target.file.md5 | If the filemd5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the filemd5 log field is mapped to the target.file.md5 UDM field. |
| filesha | target.file.sha256 | If the filesha log field value matches the regular expression pattern ^[0-9a-f]+$, then the filesha log field is mapped to the target.file.sha256 UDM field. |
| filesrcpath | src.file.full_path | |
| b64filesrcpath | src.file.full_path | |
| efilesrcpath | src.file.full_path | |
| filetypecategory | additional.fields[filetypecategory] | |
| filetypename | target.file.mime_type | |
| itemdstname | target.resource.name | |
| b64itemdstname | target.resource.name | |
| eitemdstname | target.resource.name | |
| itemname | target.resource.attribute.labels[itemname] | |
| b64itemname | target.resource.attribute.labels[b64itemname] | |
| eitemname | target.resource.attribute.labels[eitemname] | |
| itemsrcname | src.resource.name | |
| b64itemsrcname | src.resource.name | |
| eitemsrcname | src.resource.name | |
| itemtype | target.resource.attribute.labels[itemtype] | |
| ofiledstpath | target.file.full_path | |
| ofilesrcpath | src.file.full_path | |
| oitemdstname | target.resource.name | |
| oitemname | target.resource.attribute.labels[oitemname] | |
| odlpengnames | security_result.detection_fields[odlpengnames] | |
| oitemsrcname | src.resource.name | |
| srctype | src.resource.resource_subtype | |
| actiontaken | security_result.action_details | |
| | security_result.action | If the actiontaken log field value matches the regular expression pattern (?i)allow, then the security_result.action UDM field is set to ALLOW. Else, if the actiontaken log field value matches the regular expression pattern (?i)block, then the security_result.action UDM field is set to BLOCK. |
| activitytype | metadata.product_event_type | |
| addinfo | additional.fields[addinfo] | |
| channel | security_result.detection_fields[channel] | |
| confirmaction | security_result.detection_fields[confirmaction] | |
| confirmjust | security_result.description | |
| dlpdictcount | security_result.detection_fields[dlpdictcount] | |
| dlpdictnames | security_result.detection_fields[dlpdictnames] | |
| b64dlpdictnames | security_result.detection_fields[b64dlpdictnames] | |
| edlpdictnames | security_result.detection_fields[edlpdictnames] | |
| dlpenginenames | security_result.detection_fields[dlpenginenames] | |
| b64dlpengnames | security_result.detection_fields[b64dlpengnames] | |
| edlpengnames | security_result.detection_fields[edlpengnames] | |
| expectedaction | security_result.detection_fields[expectedaction] | |
| logtype | security_result.category_details | |
| odlpdictnames | security_result.detection_fields[odlpdictnames] | |
| ootherrulelabels | security_result.rule_labels[ootherrulelabels] | |
| otherrulelabels | security_result.rule_labels[otherrulelabels] | |
| b64otherrulelabels | security_result.rule_labels[b64otherrulelabels] | |
| eotherrulelabels | security_result.rule_labels[eotherrulelabels] | |
| otriggeredrulelabel | security_result.rule_name | |
| severity | security_result.severity_details | |
| | security_result.severity | If the severity log field value matches the regular expression pattern (?i)High, then the security_result.severity UDM field is set to HIGH. Else, if the severity log field value matches the regular expression pattern (?i)Medium, then the security_result.severity UDM field is set to MEDIUM. Else, if the severity log field value matches the regular expression pattern (?i)Low, then the security_result.severity UDM field is set to LOW. Else, if the severity log field value matches the regular expression pattern (?i)Info, then the security_result.severity UDM field is set to INFORMATIONAL. |
| rulename | security_result.rule_name | |
| b64triggeredrulelabel | security_result.rule_name | |
| etriggeredrulelabel | security_result.rule_name | |
| zdpmode | security_result.detection_fields[zdpmode] | |
| tz | additional.fields[tz] | |
| ss | additional.fields[ss] | |
| mm | additional.fields[mm] | |
| hh | additional.fields[hh] | |
| dd | additional.fields[dd] | |
| mth | additional.fields[mth] | |
| yyyy | additional.fields[yyyy] | |
| sourcetype | additional.fields[sourcetype] | |
| eventtime | metadata.event_timestamp | |
| time | metadata.collected_timestamp | |
| rtime | additional.fields[rtime] | |
| | metadata.vendor_name | The metadata.vendor_name UDM field is set to Zscaler. |
| | metadata.product_name | The metadata.product_name UDM field is set to DLP. |
| | metadata.event_type | If the activitytype log field value is one of the following, then the metadata.event_type UDM field is set to FILE_UNCATEGORIZED. Else, if the activitytype log field value is File Copy, then the metadata.event_type UDM field is set to FILE_COPY. Else, if the activitytype log field value is File Read, then the metadata.event_type UDM field is set to FILE_READ. Else, if the activitytype log field value is File Write, then the metadata.event_type UDM field is set to FILE_MODIFICATION. Else, if the activitytype log field value is Email Sent, then the metadata.event_type UDM field is set to EMAIL_UNCATEGORIZED. Else, if the activitytype log field value is Print, then the metadata.event_type UDM field is set to STATUS_UPDATE. Else, if one of the devicehostname, b64devicehostname, edevicehostname, or odevicehostname log fields is not empty, and one of the filedstpath, b64filedstpath, efiledstpath, ofiledstpath, filemd5, filesha, or filetypename log fields is not empty, then if one of the filesrcpath, b64filesrcpath, efilesrcpath, or ofiledstpath log fields is not empty, the metadata.event_type UDM field is set to FILE_COPY, otherwise it is set to FILE_UNCATEGORIZED. Else, if one of the devicehostname, b64devicehostname, edevicehostname, or odevicehostname log fields is not empty, then the metadata.event_type UDM field is set to STATUS_UPDATE. Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
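Before writing detections on the normalized fields, it helps to see what a given record will become, particularly the conditional branches (severity and action regexes, the lowercase-only hash check, the asset_id and platform derivations, and the event_type decision chain). The following script is an added example and not the Google SecOps parser itself: it implements only the conditional logic spelled out in the table above, plus the unconditional one-to-one mappings, and returns a flat dict of UDM path to value. It mirrors the table as written (including `ofiledstpath` in the source-path group) and omits the leading event_type branch whose list of activitytype values is not reproduced on this page. The first record is the page's sample (abridged); the second is constructed to exercise the branches, including an uppercase MD5 that the documented `^[0-9a-f]+$` check rejects.

```python
import json
import re

# The page's sample record (its dummy values, abridged), embedded so the block runs offline.
SAMPLE_LOG = (
    '{ "sourcetype": "zscalernss-edlp", "event": { "time": "Thu Jun 20 21:14:56 2024", '
    '"recordid": "7382697059455533057", "login": "dummy@domain.com", "dept": "General Group", '
    '"filetypename": "xlsx", "filemd5": "9a2d0d62c22994a98f65939ddcd3eb8f", '
    '"dlpdictnames": "Credit Cards: Detect leakage of credit card information", '
    '"dlpdictcount": "141", "dlpenginenames": "Dummy Engine|cc|PCI", "channel": "Removable Storage", '
    '"actiontaken": "Confirm Allow", "severity": "High Severity", "rulename": "Endpoint_DLP_", '
    '"itemdstname": "Removable Storage" } }'
)
# Constructed record exercising the conditional branches: a hostname plus source and destination
# paths, a Windows OS type, and an uppercase MD5 (which the documented ^[0-9a-f]+$ check rejects).
CONSTRUCTED_LOG = json.dumps({"sourcetype": "zscalernss-edlp", "event": {
    "recordid": "1", "login": "dummy@domain.com", "devicehostname": "LAPTOP-01",
    "devicename": "LAPTOP-01", "deviceostype": "Windows 11", "filesrcpath": "C:\\Users\\d\\a.xlsx",
    "filedstpath": "E:\\a.xlsx", "filemd5": "9A2D0D62C22994A98F65939DDCD3EB8F",
    "actiontaken": "Block", "severity": "Medium Severity", "rulename": "Endpoint_DLP_"}})

HOSTNAME_FIELDS = ("devicehostname", "b64devicehostname", "edevicehostname", "odevicehostname")
DST_FILE_FIELDS = ("filedstpath", "b64filedstpath", "efiledstpath", "ofiledstpath",
                   "filemd5", "filesha", "filetypename")
# The table names ofiledstpath (not ofilesrcpath) in this group; mirrored here as documented.
SRC_FILE_FIELDS = ("filesrcpath", "b64filesrcpath", "efilesrcpath", "ofiledstpath")
ACTIVITY_EVENT_TYPES = {"File Copy": "FILE_COPY", "File Read": "FILE_READ",
                        "File Write": "FILE_MODIFICATION", "Email Sent": "EMAIL_UNCATEGORIZED",
                        "Print": "STATUS_UPDATE"}
HEX_RE = re.compile(r"^[0-9a-f]+$")  # lowercase hex only, exactly as the table states
# Unconditional one-to-one mappings; alternative encodings (b64*, e*, o*) feed the same UDM path.
DIRECT = {
    "metadata.product_log_id": ("recordid",),
    "metadata.product_event_type": ("activitytype",),
    "principal.user.user_display_name": ("login", "b64user", "euser", "ouser"),
    "principal.user.department": ("dept", "b64department", "edepartment", "odepartment"),
    "principal.hostname": HOSTNAME_FIELDS,
    "target.file.full_path": ("filedstpath", "b64filedstpath", "efiledstpath", "ofiledstpath"),
    "src.file.full_path": ("filesrcpath", "b64filesrcpath", "efilesrcpath", "ofilesrcpath"),
    "target.file.mime_type": ("filetypename",),
    "target.resource.name": ("itemdstname", "b64itemdstname", "eitemdstname", "oitemdstname"),
    "security_result.action_details": ("actiontaken",),
    "security_result.severity_details": ("severity",),
    "security_result.description": ("confirmjust",),
    "security_result.rule_name": ("rulename", "b64triggeredrulelabel",
                                  "etriggeredrulelabel", "otriggeredrulelabel"),
}
DETECTION_FIELDS = ("channel", "dlpdictnames", "dlpdictcount", "dlpenginenames", "zdpmode")


def _first(ev, fields):
    """First non-empty value among alternative encodings of one logical field."""
    return next((ev[f] for f in fields if ev.get(f)), None)


def map_severity(value):
    for pattern, level in (("High", "HIGH"), ("Medium", "MEDIUM"),
                           ("Low", "LOW"), ("Info", "INFORMATIONAL")):
        if re.search(pattern, value or "", re.I):
            return level
    return None


def map_action(value):
    if re.search("allow", value or "", re.I):
        return "ALLOW"
    if re.search("block", value or "", re.I):
        return "BLOCK"
    return None


def map_event_type(ev):
    """The metadata.event_type decision chain from the table. The leading branch, which sets
    FILE_UNCATEGORIZED for a list of activitytype values the page does not reproduce, is omitted."""
    if ev.get("activitytype") in ACTIVITY_EVENT_TYPES:
        return ACTIVITY_EVENT_TYPES[ev["activitytype"]]
    if _first(ev, HOSTNAME_FIELDS) and _first(ev, DST_FILE_FIELDS):
        return "FILE_COPY" if _first(ev, SRC_FILE_FIELDS) else "FILE_UNCATEGORIZED"
    if _first(ev, HOSTNAME_FIELDS):
        return "STATUS_UPDATE"
    return "GENERIC_EVENT"


def to_udm(raw_line):
    """Return a flat dict of UDM path -> value for one feed record."""
    ev = json.loads(raw_line)["event"]
    udm = {"metadata.vendor_name": "Zscaler", "metadata.product_name": "DLP",
           "metadata.event_type": map_event_type(ev)}
    for path, fields in DIRECT.items():
        if (value := _first(ev, fields)) is not None:
            udm[path] = value
    for f in DETECTION_FIELDS:
        if ev.get(f):
            udm[f"security_result.detection_fields[{f}]"] = ev[f]
    if device := _first(ev, ("devicename", "b64devicename", "edevicename", "odevicename")):
        udm["principal.asset.asset_id"] = f"asset_id:{device}"
    if re.search("Windows", ev.get("deviceostype", ""), re.I):
        udm["principal.asset.platform_software.platform"] = "WINDOWS"
    for src, path in (("filemd5", "target.file.md5"), ("filesha", "target.file.sha256")):
        if HEX_RE.match(ev.get(src, "")):  # uppercase or non-hex digests are dropped, not mapped
            udm[path] = ev[src]
    if severity := map_severity(ev.get("severity")):
        udm["security_result.severity"] = severity
    if action := map_action(ev.get("actiontaken")):
        udm["security_result.action"] = action
    return udm


if __name__ == "__main__":
    for line in (SAMPLE_LOG, CONSTRUCTED_LOG):
        print(json.dumps(to_udm(line), indent=2))
```

Two outcomes are worth noticing when you run it: the page's own sample normalizes to `GENERIC_EVENT` because it carries neither an activitytype nor a device hostname, and the constructed record loses its `target.file.md5` entirely because the hash is uppercase. A rule that keys on `metadata.event_type = FILE_COPY` or joins on the MD5 would silently miss both, so check the raw-to-UDM result for your real feed before relying on those fields.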
UDM mapping delta
The following table lists the differences between the old ZSCALER DLP UDM mapping and the new ZSCALER DLP UDM mapping.
UDM Field Mapping Delta
| Raw Field | Old UDM Mapping | New UDM Mapping | Logic |
|---|---|---|---|
| numdlpengids | additional.fields[numdlpengids] | security_result.detection_fields[numdlpengids] | |
| numdlpdictids | additional.fields[numdlpdictids] | security_result.detection_fields[numdlpdictids] | |
| ouser | security_result.detection_fields[ouser] | principal.user.user_display_name | |
| odepartment | security_result.detection_fields[odepartment] | principal.user.department | |
| odevicename | security_result.detection_fields[odevicename] | principal.asset.asset_id | If the odevicename log field value is not empty, then the asset_id:odevicename log field is mapped to the principal.asset.asset_id UDM field. |
| deviceappversion | additional.fields[deviceappversion] | principal.asset.software.version | |
| deviceowner | principal.user.userid | principal.asset.attribute.labels[deviceowner] | |
| b64deviceowner | principal.user.userid | principal.asset.attribute.labels[b64deviceowner] | |
| edeviceowner | principal.user.userid | principal.asset.attribute.labels[edeviceowner] | |
| odeviceowner | security_result.detection_fields[odeviceowner] | principal.asset.attribute.labels[odeviceowner] | |
| odevicehostname | security_result.detection_fields[odevicehostname] | principal.hostname | |
| eitemname | target.resource.attribute.labels[itemname] | target.resource.attribute.labels[eitemname] | |
| b64itemname | target.resource.attribute.labels[itemname] | target.resource.attribute.labels[b64itemname] | |
| ofiledstpath | security_result.detection_fields[ofiledstpath] | target.file.full_path | |
| ofilesrcpath | security_result.detection_fields[ofilesrcpath] | src.file.full_path | |
| oitemdstname | security_result.detection_fields[oitemdstname] | target.resource.name | |
| oitemname | security_result.detection_fields[oitemname] | target.resource.attribute.labels[oitemname] | |
| oitemsrcname | security_result.detection_fields[oitemsrcname] | src.resource.name | |
| edlpdictnames | security_result.detection_fields[dlpdictnames] | security_result.detection_fields[edlpdictnames] | |
| b64dlpdictnames | security_result.detection_fields[dlpdictnames] | security_result.detection_fields[b64dlpdictnames] | |
| edlpengnames | security_result.detection_fields[dlpenginenames] | security_result.detection_fields[edlpengnames] | |
| b64dlpengnames | security_result.detection_fields[dlpenginenames] | security_result.detection_fields[b64dlpengnames] | |
| ootherrulelabels | security_result.detection_fields[ootherrulelabels] | security_result.rule_labels[ootherrulelabels] | |
| eotherrulelabels | security_result.rule_labels[otherrulelabels] | security_result.rule_labels[eotherrulelabels] | |
| b64otherrulelabels | security_result.rule_labels[otherrulelabels] | security_result.rule_labels[b64otherrulelabels] | |
| otriggeredrulelabel | security_result.rule_labels[otriggeredrulelabel] | security_result.rule_name | |