Collect Zscaler Web Proxy logs
This document describes how to export Zscaler Webproxy logs by setting up a Google Security Operations feed, and how log fields map to Google SecOps Unified Data Model (UDM) fields.
For more information, see Data ingestion to Google SecOps.
A typical deployment consists of Zscaler Webproxy and a Google SecOps Webhook feed configured to send logs to Google SecOps. Each customer deployment can differ and might be more complex.
The deployment contains the following components:
- Zscaler Webproxy: the platform from which you collect logs.
- Google SecOps feed: the Google SecOps feed that fetches logs from Zscaler Webproxy and writes them to Google SecOps.
- Google SecOps: retains and analyzes the logs.
An ingestion label identifies the parser that normalizes raw log data into structured UDM format. The information in this document applies to the parser with the ZSCALER_WEBPROXY ingestion label.
Before you begin
Ensure that you have the following prerequisites:
- Access to the Zscaler Internet Access console. For more information, see Secure Internet and SaaS Access ZIA Help.
- Zscaler Webproxy 2024 or later
- All systems in the deployment architecture are configured with the UTC time zone.
- The API key required to complete the feed setup in Google Security Operations. For more information, see Set up API keys.
Set up feeds
There are two different entry points for setting up feeds in the Google SecOps platform:
- SIEM Settings > Feeds
- Content Hub > Content Packs
Set up feeds from SIEM Settings > Feeds
To configure multiple feeds for different log types within this product family, see Configure feeds by product.
To configure a single feed, follow these steps:
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- In the Feed name field, enter a name for the feed (for example, Zscaler Webproxy Logs).
- Select Webhook as the Source type.
- Select Zscaler as the Log type.
- Click Next.
- Optional: Enter values for the following input parameters:
 - Split delimiter: the delimiter that is used to separate log lines. Leave blank if a delimiter is not used.
 - Asset namespace: the asset namespace.
 - Ingestion labels: the label to be applied to the events from this feed.
- Click Next.
- Review your new feed configuration, and then click Submit.
- Click Generate Secret Key to generate a secret key to authenticate this feed.
Set up feeds from the Content Hub
Specify values for the following fields:
- Split delimiter: the delimiter that is used to separate log lines, such as \n.
Advanced options
- Feed name: a prepopulated value that identifies the feed.
- Source type: the method used to collect logs into Google SecOps.
- Asset namespace: the asset namespace.
- Ingestion labels: the label to be applied to the events from this feed.
- Click Next.
- Review your feed configuration in the Finalize screen, and then click Submit.
- Click Generate Secret Key to generate a secret key to authenticate this feed.
Set up Zscaler Web Proxy
- In the Zscaler Internet Access console, click Administration > Nanolog Streaming Service > Cloud NSS Feeds, and then click Add Cloud NSS Feed.
- The Add Cloud NSS Feed window appears. Enter the details in the Add Cloud NSS Feed window.
- In the Feed Name field, enter a name for the feed.
- In NSS Type, select NSS for Web.
- Select the status from the Status list to activate or deactivate the NSS feed.
- Keep the value in the SIEM Rate drop-down as Unlimited. Change the value only if you need to suppress the output stream because of licensing or other constraints.
- In the SIEM Type list, select Other.
- In the OAuth 2.0 Authentication list, select Disabled.
- In Max Batch Size, enter a size limit for an individual HTTP request payload according to the SIEM's best practice. For example, 512 KB.
- In API URL, enter the HTTPS URL of the Chronicle API endpoint in the following format:
 - https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
 - CHRONICLE_REGION: the region where the Chronicle instance is hosted. For example, US.
 - GOOGLE_PROJECT_NUMBER: the BYOP (bring your own project) project number. Obtain this from C4.
 - LOCATION: the Chronicle region. For example, US.
 - CUSTOMER_ID: the Chronicle customer ID. Obtain this from C4.
 - FEED_ID: the feed ID shown in the feed UI for the new webhook you created.
 - Example API URL:
 - https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs
- Click Add HTTP Headers, and then add HTTP headers in the following format:
 - Header 1: Key1: X-goog-api-key and Value1: the API key generated in the API credentials of Google Cloud BYOP.
 - Header 2: Key2: X-Webhook-Access-Key and Value2: the API key generated in the SECRET KEY of the webhook.
- In the Log Type list, select Web Log.
- In the Feed Output Type list, select JSON.
- Set Feed Escape Character to the following:
 - , \ "
- To add a new field to the feed output format, select Custom in the Feed Output Type list.
- Copy and paste the Feed Output Format and add the new fields. Ensure that the key names match the actual field names.
- The following is the default Feed Output Format:
 - { "sourcetype" : "zscalernss-web", "event" : {"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}","reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}","transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}","urlcategory":"%s{urlcat}","serverip":"%s{sip}","requestmethod":"%s{reqmethod}","refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}","ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler","hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}","threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}","threatseverity":"%s{threatseverity}","department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}","dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}","dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}","keyprotectiontype":"%s{keyprotectiontype}"}}
- In the Timezone list, select the time zone for the time field in the output file. By default, the time zone is set to the organization's time zone.
- Review the configured settings.
- Click Save to test the connection. If the connection is successful, a green check mark is displayed together with the message Test Connectivity Successful: OK (200).
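A custom Feed Output Format that is no longer valid JSON, or that uses a key name the parser does not map, fails silently at the ingestion side rather than in the ZIA console. The following Python check is an added example, not Zscaler's or Google's code: it fills the %s{...}/%d{...} tokens with placeholders, confirms the template parses as JSON with no duplicate keys, and lists event keys absent from the mapping table. The client_port key, the %d{cport} token and the MAPPED_KEYS subset are constructed for illustration.

```python
"""Sanity-check a custom Cloud NSS Feed Output Format before saving it in ZIA."""
import json
import re

# Constructed: a shortened copy of the default Feed Output Format from this
# page plus one line an admin might add. "client_port" and the %d{cport}
# token are hypothetical; the key the mapping table knows is clt_sport.
CUSTOM_FORMAT = (
    '{ "sourcetype" : "zscalernss-web", "event" : {'
    '"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}",'
    '"ClientIP":"%s{cip}","serverip":"%s{sip}","status":"%s{respcode}",'
    '"pagerisk":"%d{riskscore}","client_port":"%d{cport}"}}'
)

# Constructed subset of the "Log field" column of this page's mapping table.
MAPPED_KEYS = frozenset({
    "datetime", "ClientIP", "serverip", "status", "pagerisk", "clt_sport",
    "url", "user", "action", "requestsize", "responsesize", "event_id",
})

# Matches %s{field}, %d{field}, %02d{field}: groups are (width, type, field).
TOKEN = re.compile(r"%(0?\d*)([sd])\{([A-Za-z_0-9]+)\}")


def render(template):
    """Fill every NSS token with a placeholder so the template parses as JSON."""
    return TOKEN.sub(lambda m: "1" if m.group(2) == "d" else "x", template)


def _no_duplicates(pairs):
    """json.loads hook: a duplicated key would silently overwrite a field."""
    seen = set()
    for key, _ in pairs:
        if key in seen:
            raise ValueError(f"duplicate key in output format: {key!r}")
        seen.add(key)
    return dict(pairs)


def check_format(template, mapped_keys):
    """Return (event_keys, unmapped_keys) for a feed output format template.

    Raises ValueError when the filled template is not valid JSON, repeats a
    key, or lacks the "event" object the parser expects.
    """
    try:
        doc = json.loads(render(template), object_pairs_hook=_no_duplicates)
    except json.JSONDecodeError as exc:
        raise ValueError(f"output format is not valid JSON: {exc}") from None
    event = doc.get("event")
    if not isinstance(event, dict):
        raise ValueError('output format must contain an "event" object')
    keys = list(event)
    unmapped = [k for k in keys if k not in mapped_keys]
    return keys, unmapped


if __name__ == "__main__":
    keys, unmapped = check_format(CUSTOM_FORMAT, MAPPED_KEYS)
    print("event keys:", keys)
    print("keys with no ZSCALER_WEBPROXY mapping:", unmapped)
```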
For more information about Google SecOps feeds, see the Google SecOps feeds documentation. For information about the requirements for each feed type, see Feed configuration by type.
If you encounter issues when you create feeds, contact Google SecOps support.
Supported Zscaler Web Proxy log formats
The Zscaler Webproxy parser supports logs in JSON format.
Supported Zscaler Web Proxy sample logs
| Log field | UDM mapping | Logic | 
|---|---|---|
|  | metadata.vendor_name | The metadata.vendor_name UDM field is set to Zscaler. |
|  | metadata.event_type | If the ClientIP log field value is not empty and the serverip log field value is not empty and the proto log field value contains one of the following values, then the metadata.event_type UDM field is set to NETWORK_HTTP. Else, if the ClientIP log field value is not empty and the serverip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION. Else, if the user log field value is not empty or the deviceowner log field value is not empty, then the metadata.event_type UDM field is set to USER_UNCATEGORIZED. Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
|  | metadata.product_name | The metadata.product_name UDM field is set to Web Proxy. |
| sourcetype | additional.fields[sourcetype] | |
| datetime | metadata.event_timestamp | |
| tz | additional.fields[tz] | |
| ss | additional.fields[ss] | |
| mm | additional.fields[mm] | |
| hh | additional.fields[hh] | |
| dd | additional.fields[dd] | |
| mth | additional.fields[mth] | |
| yyyy | additional.fields[yyyy] | |
| mon | additional.fields[mon] | |
| day | additional.fields[day] | |
| department | principal.user.department | |
| b64dept | principal.user.department | |
| edepartment | principal.user.department | |
| user | principal.user.email_addresses | |
| user | principal.user.userid | The EMAILLOCALPART field is extracted from the user log field using a Grok pattern, and the EMAILLOCALPART log field is mapped to the principal.user.userid UDM field. |
| b64login | principal.user.email_addresses | |
| elogin | principal.user.email_addresses | |
| ologin | additional.fields[ologin] | |
| cloudname | principal.user.attribute.labels[cloudname] | |
| company | principal.user.company_name | |
| throttlereqsize | security_result.detection_fields[throttlereqsize] | |
| throttlerespsize | security_result.detection_fields[throttlerespsize] | |
| bwthrottle | security_result.detection_fields[bwthrottle] | |
|  | security_result.category | If the bwthrottle log field value is equal to Yes, then the security_result.category UDM field is set to POLICY_VIOLATION. |
| bwclassname | security_result.detection_fields[bwclassname] | |
| obwclassname | security_result.detection_fields[obwclassname] | |
| bwrulename | security_result.rule_name | |
| appname | target.application | |
| appclass | target.security_result.detection_fields[appclass] | |
| module | target.security_result.detection_fields[module] | |
| app_risk_score | target.security_result.risk_score | If the app_risk_score log field value matches the regular expression pattern [0-9]+, then the app_risk_score log field is mapped to the security_result.risk_score UDM field. |
| datacenter | target.location.name | |
| datacentercity | target.location.city | |
| datacentercountry | target.location.country_or_region | |
| dlpdictionaries | security_result.detection_fields[dlpdictionaries] | |
| odlpdict | security_result.detection_fields[odlpdict] | |
| dlpdicthitcount | security_result.detection_fields[dlpdicthitcount] | |
| dlpengine | security_result.detection_fields[dlpengine] | |
| odlpeng | security_result.detection_fields[odlpeng] | |
| dlpidentifier | security_result.detection_fields[dlpidentifier] | |
| dlpmd5 | security_result.detection_fields[dlpmd5] | |
| dlprulename | security_result.rule_name | |
| odlprulename | security_result.detection_fields[odlprulename] | |
| fileclass | additional.fields[fileclass] | |
| filetype | target.file.mime_type | |
| filename | target.file.full_path | |
| b64filename | target.file.full_path | |
| efilename | target.file.full_path | |
| filesubtype | additional.fields[filesubtype] | |
| upload_fileclass | additional.fields[upload_fileclass] | |
| upload_filetype | target.file.mime_type | If the filetype log field value is equal to None and the upload_filetype log field value is not equal to None, then the upload_filetype log field is mapped to the target.file.mime_type UDM field. |
| upload_filename | target.file.full_path | If the filename log field value is equal to None and the upload_filename log field value is not equal to None, then the upload_filename log field is mapped to the target.file.full_path UDM field. Else, if the filename log field value is not equal to None and the upload_filename log field value is not equal to None, then the upload_filename log field is mapped to the target.resource.attribute.labels[upload_filename] UDM field. |
| b64upload_filename | target.file.full_path | |
| eupload_filename | target.file.full_path | |
| upload_filesubtype | additional.fields[upload_filesubtype] | |
| upload_doctypename | additional.fields[upload_doctypename] | |
| unscannabletype | security_result.detection_fields[unscannabletype] | |
| rdr_rulename | intermediary.security_result.rule_name | |
| b64rdr_rulename | intermediary.security_result.rule_name | |
|  | intermediary.resource.resource_type | If the rdr_rulename log field value is not empty, then the intermediary.resource.resource_type UDM field is set to GATEWAY. |
| ordr_rulename | additional.fields[ordr_rulename] | |
| fwd_type | intermediary.resource.attribute.labels[fwd_type] | |
| fwd_gw_name | intermediary.resource.name | |
| b64fwd_gw_name | intermediary.resource.name | |
| ofwd_gw_name | security_result.detection_fields[ofwd_gw_name] | |
| fwd_gw_ip | intermediary.ip | |
| zpa_app_seg_name | additional.fields[zpa_app_seg_name] | |
| b64zpa_app_seg_name | additional.fields[zpa_app_seg_name] | |
| ozpa_app_seg_name | additional.fields[ozpa_app_seg_name] | |
| reqdatasize | additional.fields[reqdatasize] | |
| reqhdrsize | additional.fields[reqhdrsize] | |
| requestsize | network.sent_bytes | |
| respdatasize | additional.fields[respdatasize] | |
| resphdrsize | additional.fields[resphdrsize] | |
| responsesize | network.received_bytes | |
| transactionsize | additional.fields[transactionsize] | |
| contenttype | additional.fields[contenttype] | |
| df_hosthead | security_result.detection_fields[df_hosthead] | |
| df_hostname | security_result.detection_fields[df_hostname] | |
| hostname | target.hostname, target.asset.hostname | |
| b64host | target.hostname, target.asset.hostname | |
| ehost | target.hostname, target.asset.hostname | |
| refererURL | network.http.referral_url | |
| b64referer | network.http.referral_url | |
| ereferer | network.http.referral_url | |
| erefererpath | additional.fields[erefererpath] | |
| refererhost | additional.fields[refererhost] | |
| erefererhost | additional.fields[refererhost] | |
| requestmethod | network.http.method | |
| reqversion | additional.fields[reqversion] | |
| status | network.http.response_code | |
| respversion | additional.fields[respversion] | |
| ua_token | additional.fields[ua_token] | |
| useragent | network.http.user_agent | |
| b64ua | network.http.user_agent | |
| eua | network.http.user_agent | |
| useragent | network.http.parsed_user_agent | |
| b64ua | network.http.parsed_user_agent | |
| eua | network.http.parsed_user_agent | |
| uaclass | additional.fields[uaclass] | |
| url | target.url | |
| b64url | target.url | |
| eurl | target.url | |
| eurlpath | additional.fields[eurlpath] | |
| mobappname | additional.fields[mobappname] | |
| b64mobappname | additional.fields[mobappname] | |
| emobappname | additional.fields[mobappname] | |
| mobappcat | additional.fields[mobappcat] | |
| mobdevtype | additional.fields[mobdevtype] | |
| clt_sport | principal.port | |
| ClientIP | principal.ip | |
| ocip | security_result.detection_fields[ocip] | |
| cpubip | additional.fields[cpubip] | |
| ocpubip | additional.fields[ocpubip] | |
| clientpublicIP | principal.nat_ip | |
| serverip | target.ip | |
|  | network.application_protocol | If the protocol log field value contains one of the following values, then the network.application_protocol UDM field is set to HTTP. Else, if the protocol log field value contains one of the following values, then the network.application_protocol UDM field is set to HTTPS. Else, the network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOL. |
| alpnprotocol | additional.fields[alpnprotocol] | |
| trafficredirectmethod | intermediary.resource.attribute.labels[trafficredirectmethod] | |
| location | principal.location.name | |
| elocation | principal.location.name | |
| userlocationname | principal.location.name | If the userlocationname log field value is not equal to None, then the userlocationname log field is mapped to the principal.location.name UDM field. |
| b64userlocationname | principal.location.name | |
| euserlocationname | principal.location.name | |
| rulelabel | security_result.rule_name | If the action log field value is equal to Blocked, then the rulelabel log field is mapped to the security_result.rule_name UDM field. |
| b64rulelabel | security_result.rule_name | |
| erulelabel | security_result.rule_name | |
| ruletype | security_result.rule_type | |
| reason | security_result.description | If the action log field value is equal to Blocked, then the reason log field is mapped to the security_result.description UDM field. |
| action | security_result.action_details | |
|  | security_result.action | If the action log field value is equal to Allowed, then the security_result.action UDM field is set to ALLOW. Else, if the action log field value is equal to Blocked, then the security_result.action UDM field is set to BLOCK. |
| urlfilterrulelabel | security_result.rule_name | |
| b64urlfilterrulelabel | security_result.rule_name | |
| eurlfilterrulelabel | security_result.rule_name | |
| ourlfilterrulelabel | security_result.detection_fields[ourlfilterrulelabel] | |
| apprulelabel | target.security_result.rule_name | |
| b64apprulelabel | target.security_result.rule_name | |
| oapprulelabel | security_result.detection_fields[oapprulelabel] | |
| bamd5 | target.file.md5 | |
| sha256 | target.file.sha256 | |
| ssldecrypted | security_result.detection_fields[ssldecrypted] | |
| externalspr | security_result.about.artifact.last_https_certificate.extension.certificate_policies | |
| keyprotectiontype | security_result.about.artifact.last_https_certificate.extension.key_usage | |
| clientsslcipher | network.tls.client.supported_ciphers | |
| clienttlsversion | network.tls.version | |
| clientsslsessreuse | security_result.detection_fields[clientsslsessreuse] | |
| cltsslfailreason | security_result.detection_fields[cltsslfailreason] | |
| cltsslfailcount | security_result.detection_fields[cltsslfailcount] | |
| srvsslcipher | network.tls.cipher | |
| srvtlsversion | security_result.detection_fields[srvtlsversion] | |
| srvocspresult | security_result.detection_fields[srvocspresult] | |
| srvcertchainvalpass | security_result.detection_fields[srvcertchainvalpass] | |
| srvwildcardcert | security_result.detection_fields[srvwildcardcert] | |
| serversslsessreuse | security_result.detection_fields[server_ssl_sess_reuse] | |
| srvcertvalidationtype | security_result.detection_fields[srvcertvalidationtype] | |
| srvcertvalidityperiod | security_result.detection_fields[srvcertvalidityperiod] | |
| is_ssluntrustedca | security_result.detection_fields[is_ssluntrustedca] | |
| is_sslselfsigned | security_result.detection_fields[is_sslselfsigned] | |
| is_sslexpiredca | security_result.detection_fields[is_sslexpiredca] | |
| pagerisk | security_result.risk_score | |
|  | security_result.severity | The security_result.severity UDM field is set from the pagerisk log field value as follows: 90 to 100: CRITICAL; 75 to 89: HIGH; 46 to 74: MEDIUM; 1 to 45: LOW; equal to 0: NONE. |
| threatseverity | security_result.severity_details | If the pagerisk log field value is not empty and the threatseverity log field value is not empty, then the security_result.severity_details UDM field is set to %{pagerisk} - %{threatseverity}. Else, if the threatseverity log field value is not empty, then the threatseverity log field is mapped to the security_result.severity_details UDM field. |
| activity | additional.fields[activity] | |
| is_dst_cntry_risky | additional.fields[is_dst_cntry_risky] | |
| is_src_cntry_risky | additional.fields[is_src_cntry_risky] | |
| prompt_req | additional.fields[prompt_req] | |
| srcip_country | principal.ip_geo_artifact.location.country_or_region | |
| pcapid | security_result.about.file.full_path | |
| all_dlprulenames | security_result.rule_labels[all_dlprulenames] | |
| other_dlprulenames | security_result.rule_labels[other_dlprulenames] | |
| trig_dlprulename | security_result.rule_name | |
| dstip_country | target.ip_geo_artifact.location.country_or_region | |
| srv_dport | target.port | |
| inst_level2_name | target.resource_ancestors.name | |
| inst_level3_name | target.resource_ancestors.name | |
| inst_level2_id | target.resource_ancestors.product_object_id | |
| inst_level3_id | target.resource_ancestors.product_object_id | |
| inst_level2_type | target.resource_ancestors.resource_subtype | |
| inst_level3_type | target.resource_ancestors.resource_subtype | |
|  | target.resource_ancestors.resource_type | The target.resource_ancestors.resource_type UDM field is set according to the first of the following regular expression patterns that the inst_level2_type log field value matches, and then likewise for the inst_level3_type log field value: organization: CLOUD_ORGANIZATION; service: BACKEND_SERVICE; policy: ACCESS_POLICY; project: CLOUD_PROJECT; cluster: CLUSTER; container: CONTAINER; pod: POD; repository: REPOSITORY. |
| inst_level1_name | target.resource.name | |
| inst_level1_id | target.resource.product_object_id | |
| inst_level1_type | target.resource.resource_subtype | |
|  | target.resource.resource_type | The target.resource.resource_type UDM field is set according to the first of the following regular expression patterns that the inst_level1_type log field value matches: organization: CLOUD_ORGANIZATION; service: BACKEND_SERVICE; policy: ACCESS_POLICY; project: CLOUD_PROJECT; cluster: CLUSTER; container: CONTAINER; pod: POD; repository: REPOSITORY. |
| app_status | target.security_result.detection_fields[app_status] | |
| threatname | security_result.threat_name | |
| b64threatname | security_result.threat_name | |
| threatcategory | security_result.associations.name | |
| threatclass | security_result.associations.description | |
| urlclass | security_result.detection_fields[urlclass] | |
| urlsupercategory | security_result.category_details | |
| urlcategory | security_result.category_details | |
| b64urlcat | security_result.category_details | |
| ourlcat | security_result.detection_fields[ourlcat] | |
| urlcatmethod | security_result.detection_fields[urlcatmethod] | |
| bypassed_traffic | security_result.detection_fields[bypassed_traffic] | |
| bypassed_etime | security_result.detection_fields[bypassed_etime] | |
| deviceappversion | additional.fields[deviceappversion] | |
| devicehostname | principal.asset.hostname | |
| odevicehostname | security_result.detection_fields[odevicehostname] | |
| devicemodel | principal.asset.hardware.model | |
| devicename | principal.asset.asset_id | |
| odevicename | security_result.detection_fields[odevicename] | |
|  | principal.asset.platform_software.platform | The principal.asset.platform_software.platform UDM field is set according to the first of the following regular expression patterns that the deviceostype log field value matches: (?i)iOS: IOS; (?i)Android: ANDROID; (?i)Windows: WINDOWS; (?i)MAC: MAC; (?i)Other: UNKNOWN_PLATFORM. |
| deviceosversion | principal.asset.software.version | |
| deviceowner | principal.asset.attribute.labels[deviceowner] | |
| odeviceowner | security_result.detection_fields[odeviceowner] | |
| devicetype | principal.asset.category | |
| external_devid | additional.fields[external_devid] | |
| flow_type | additional.fields[flow_type] | |
| ztunnelversion | additional.fields[ztunnelversion] | |
| event_id | metadata.product_log_id | |
| productversion | metadata.product_version | |
| nsssvcip | about.ip | |
| eedone | additional.fields[eedone] | |
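As an added example (not code from Google or Zscaler), the following Python applies the conditional rules from this table to a trimmed copy of the sample log above: event type selection, action and severity mapping, the Blocked-only promotion of reason, and the severity_details composition. The set of protocol values that selects NETWORK_HTTP is not reproduced on this page, so the function takes it as a parameter (an assumption), and the split on "@" stands in for the EMAILLOCALPART Grok extraction.

```python
"""Apply the ZSCALER_WEBPROXY mapping rules from this page to one web event."""
import json
import re

# Constructed sample: a trimmed copy of the JSON sample log shown on this page.
SAMPLE_LOG = json.dumps({
    "sourcetype": "zscalernss-web",
    "event": {
        "ClientIP": "198.51.100.0", "serverip": "198.51.10.2",
        "clientpublicIP": "198.51.100.1", "protocol": "HTTP_PROXY",
        "action": "Allowed", "reason": "Allowed", "status": "200",
        "user": "abc@xyz.com", "deviceowner": "dummydeviceowner",
        "pagerisk": "0", "threatseverity": "None", "bwthrottle": "NO",
    },
})


def severity_from_pagerisk(pagerisk):
    """security_result.severity: bucket pagerisk exactly as the table states."""
    if not re.fullmatch(r"[0-9]+", pagerisk or ""):
        return None
    score = int(pagerisk)
    if 90 <= score <= 100:
        return "CRITICAL"
    if 75 <= score <= 89:
        return "HIGH"
    if 46 <= score <= 74:
        return "MEDIUM"
    if 1 <= score <= 45:
        return "LOW"
    return "NONE" if score == 0 else None  # scores above 100 have no rule


def event_type(ev, http_protocols=frozenset()):
    """metadata.event_type. The page does not reproduce the protocol values
    that select NETWORK_HTTP, so the caller supplies that set (assumption)."""
    has_pair = bool(ev.get("ClientIP")) and bool(ev.get("serverip"))
    if has_pair and ev.get("protocol") in http_protocols:
        return "NETWORK_HTTP"
    if has_pair:
        return "NETWORK_CONNECTION"
    if ev.get("user") or ev.get("deviceowner"):
        return "USER_UNCATEGORIZED"
    return "GENERIC_EVENT"


def normalize(raw, http_protocols=frozenset()):
    """Return a flat {udm_path: value} dict for the conditional rules above."""
    ev = json.loads(raw)["event"]
    udm = {
        "metadata.vendor_name": "Zscaler",
        "metadata.product_name": "Web Proxy",
        "metadata.event_type": event_type(ev, http_protocols),
        "principal.ip": ev.get("ClientIP"),
        "target.ip": ev.get("serverip"),
        "security_result.action_details": ev.get("action"),
    }
    action = ev.get("action")
    if action == "Allowed":
        udm["security_result.action"] = "ALLOW"
    elif action == "Blocked":
        udm["security_result.action"] = "BLOCK"
        # reason is promoted to the description only on Blocked events
        udm["security_result.description"] = ev.get("reason")
    if ev.get("user"):
        udm["principal.user.email_addresses"] = ev["user"]
        # Stand-in for the EMAILLOCALPART Grok extraction: the text before '@'
        udm["principal.user.userid"] = ev["user"].split("@", 1)[0]
    if ev.get("bwthrottle") == "Yes":
        udm["security_result.category"] = "POLICY_VIOLATION"
    severity = severity_from_pagerisk(ev.get("pagerisk"))
    if severity:
        udm["security_result.severity"] = severity
    pagerisk, threat = ev.get("pagerisk"), ev.get("threatseverity")
    if pagerisk and threat:
        udm["security_result.severity_details"] = f"{pagerisk} - {threat}"
    elif threat:
        udm["security_result.severity_details"] = threat
    return udm
```

Note that the sample's threatseverity of "None" is a non-empty string, so under the documented rule severity_details becomes "0 - None" rather than being omitted.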