收集 Zscaler Webproxy 記錄

支援以下發布途徑:

本文說明如何設定 Google Security Operations 動態饋給,匯出 Zscaler Webproxy 記錄,以及記錄欄位如何對應至 Google SecOps 統一資料模型 (UDM) 欄位。

詳情請參閱「將資料匯入 Google SecOps 總覽」。

一般部署作業包括 Zscaler Webproxy 和 Google SecOps Webhook 動態饋給,可將記錄傳送至 Google SecOps。每個客戶的部署作業可能有所不同,且可能更為複雜。

部署作業包含下列元件:

  • Zscaler Webproxy:您收集記錄檔的平台。

  • Google SecOps 動態饋給:Google SecOps 動態饋給會從 Zscaler Webproxy 擷取記錄,並將記錄寫入 Google SecOps。

  • Google SecOps:保留並分析記錄檔。

擷取標籤可識別剖析器,將原始記錄資料正規化為具結構性的 UDM 格式。本文中的資訊適用於使用 ZSCALER_WEBPROXY 攝入標籤的剖析器。

事前準備

  • 請確認您可以存取 Zscaler Internet Access 控制台。詳情請參閱「Secure Internet and SaaS Access ZIA 說明」。
  • 請確認您使用的是 Zscaler Webproxy 2024 以上版本。
  • 請確認部署架構中的所有系統都已設定世界標準時間。
  • 請確認您已取得在 Google SecOps 中完成動態饋給設定所需的 API 金鑰。詳情請參閱「設定 API 金鑰」。

在 Google SecOps 中設定擷取動態饋給,以便擷取 Zscaler Webproxy 記錄

  1. 依序前往「SIEM 設定」>「動態」
  2. 按一下「新增」
  3. 在「動態饋給名稱」欄位中輸入動態饋給的名稱 (例如「Zscaler Webproxy Logs」)。
  4. 將「來源類型」設為「Webhook」
  5. 選取「Zscaler」做為「記錄類型」
  6. 點按「Next」
  7. 選用:輸入下列輸入參數的值:
    1. 分隔符號:用於分隔記錄資料列的分隔符號。如果未使用分隔符號,請留空。
    2. Asset namespace:資產命名空間。
    3. 攝入標籤:要套用至這個動態饋給事件的標籤。
  8. 點按「Next」
  9. 查看新的動態饋給設定,然後按一下「提交」
  10. 按一下「產生密鑰」,產生用於驗證這則動態饋給的密鑰。

設定 Zscaler Webproxy

  1. 在 Zscaler Internet Access 主控台中,依序點選「Administration」>「Nanolog Streaming Service」>「Cloud NSS Feeds」,然後點選「Add Cloud NSS Feed」
  2. 系統會隨即顯示「Add Cloud NSS Feed」視窗。在「新增 Cloud NSS 動態饋給」視窗中輸入詳細資料。
  3. 在「動態饋給名稱」欄位中輸入動態饋給的名稱。
  4. 在「NSS Type」中選取「NSS for Web」
  5. 從「狀態」清單中選取狀態,即可啟用或停用 NSS 動態饋給。
  6. 請將「SIEM 比率」下拉式選單的值設為「無限制」。如要因授權或其他限制而抑制輸出串流,請變更該值。
  7. 在「SIEM 類型」清單中選取「其他」
  8. 在「OAuth 2.0 驗證」清單中選取「已停用」
  9. 在「最大批次大小」中,輸入 SIEM 最佳做法中個別 HTTP 要求酬載的大小上限。例如 512 KB。
  10. 請在 API 網址中輸入 Chronicle API 端點的 HTTPS 網址,格式如下:

      https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogs
    
    • CHRONICLE_REGION:Chronicle 執行個體的代管區域。例如美國。
    • GOOGLE_PROJECT_NUMBER:BYOP 專案編號。請從 C4 取得這項資訊。
    • LOCATION:Chronicle 區域。例如美國。
    • CUSTOMER_ID:Chronicle 客戶 ID。從 C4 取得。
    • FEED_ID:在建立的新 webhook 的動態饋給 UI 中顯示的動態饋給 ID
    • API 網址範例:
    https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs
    
  11. 按一下「Add HTTP Header」,然後使用以下格式新增 HTTP 標頭:

    • Header 1Key1: X-goog-api-keyValue1:在 Google Cloud BYOP 的 API 憑證中產生的 API 金鑰。
    • Header 2Key2: X-Webhook-Access-KeyValue2: 在 webhook 的「SECRET KEY」中產生的 API 密鑰。
  12. 在「記錄類型」清單中選取「網頁記錄」

  13. 在「動態饋給輸出類型」清單中選取「JSON」

  14. 將「Feed Escape Character」設為 , \ "

  15. 如要將新欄位新增至動態饋給輸出格式,請在「動態饋給輸出類型」清單中選取「自訂」

  16. 複製貼上動態饋給輸出格式,然後新增欄位。請確認鍵名稱與實際欄位名稱相符。

  17. 以下是預設的動態饋給輸出格式

      \{ "sourcetype" : "zscalernss-web", "event" : \{"datetime":"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}","reason":"%s{reason}","event_id":"%d{recordid}","protocol":"%s{proto}","action":"%s{action}","transactionsize":"%d{totalsize}","responsesize":"%d{respsize}","requestsize":"%d{reqsize}","urlcategory":"%s{urlcat}","serverip":"%s{sip}","requestmethod":"%s{reqmethod}","refererURL":"%s{ereferer}","useragent":"%s{eua}","product":"NSS","location":"%s{elocation}","ClientIP":"%s{cip}","status":"%s{respcode}","user":"%s{elogin}","url":"%s{eurl}","vendor":"Zscaler","hostname":"%s{ehost}","clientpublicIP":"%s{cintip}","threatcategory":"%s{malwarecat}","threatname":"%s{threatname}","filetype":"%s{filetype}","appname":"%s{appname}","pagerisk":"%d{riskscore}","threatseverity":"%s{threatseverity}","department":"%s{edepartment}","urlsupercategory":"%s{urlsupercat}","appclass":"%s{appclass}","dlpengine":"%s{dlpeng}","urlclass":"%s{urlclass}","threatclass":"%s{malwareclass}","dlpdictionaries":"%s{dlpdict}","fileclass":"%s{fileclass}","bwthrottle":"%s{bwthrottle}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}","keyprotectiontype":"%s{keyprotectiontype}"\}\}
    
  18. 在「Timezone」清單中,選取輸出檔案中「Time」欄位的時區。根據預設,時區會設為貴機構的時區。

  19. 查看已設定的設定。

  20. 按一下「儲存」即可測試連線。如果連線成功,畫面上就會顯示綠色勾號,並顯示「Test Connectivity Successful: OK (200)」訊息。

如要進一步瞭解 Google SecOps 動態饋給,請參閱 Google SecOps 動態饋給說明文件。如要瞭解各個動態饋給類型的規定,請參閱「依類型分類的動態饋給設定」。

如果在建立動態饋給時遇到問題,請與 Google SecOps 支援團隊聯絡。

支援的 Zscaler Webproxy 記錄格式

Zscaler Webproxy 剖析器支援 JSON 格式的記錄。

支援的 Zscaler Webproxy 範例記錄

  • JSON

      {
        "event": {
          "ClientIP": "198.51.100.0",
          "action": "Allowed",
          "appclass": "Sales and Marketing",
          "appname": "Trend Micro",
          "bwthrottle": "NO",
          "clientpublicIP": "198.51.100.1",
          "contenttype": "Other",
          "datetime": "2024-05-06 10:56:04",
          "department": "Mid-Continent%20Companies",
          "devicehostname": "dummyhostname",
          "deviceowner": "dummydeviceowner",
          "dlpdictionaries": "None",
          "dlpengine": "None",
          "event_id": "7365838693731467265",
          "fileclass": "None",
          "filetype": "None",
          "hostname": "dummyhostname.com",
          "keyprotectiontype": "N/A",
          "location": "Road%20Warrior",
          "pagerisk": "0",
          "product": "NSS",
          "protocol": "HTTP_PROXY",
          "reason": "Allowed",
          "refererURL": "None",
          "requestmethod": "CONNECT",
          "requestsize": "606",
          "responsesize": "65",
          "serverip": "198.51.10.2",
          "status": "200",
          "threatcategory": "None",
          "threatclass": "None",
          "threatname": "None",
          "threatseverity": "None",
          "transactionsize": "671",
          "unscannabletype": "None",
          "url": "dummyurl.com:443",
          "urlcategory": "SSL - DNI - Bypass",
          "urlclass": "Bandwidth Loss",
          "urlsupercategory": "User-defined",
          "user": "abc@xyz.com",
          "useragent": "dummyuseragent",
          "vendor": "Zscaler"
        },
        "sourcetype": "zscalernss-web"
      }
    
    

欄位對應參考資料

下表列出 ZSCALER_WEBPROXY 記錄類型的記錄欄位,以及對應的 UDM 欄位。

Log field UDM mapping Logic
metadata.vendor_name The metadata.vendor_name UDM field is set to Zscaler.
metadata.event_type If the ClientIP log field value is not empty and the serverip log field value is not empty and the proto log field value contain one of the following values, then the metadata.event_type UDM field is set to NETWORK_HTTP.
  • HTTPS
  • HTTP
Else, if the ClientIP log field value is not empty and the serverip log field value is not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.

Else, if the user log field value is not empty or the deviceowner log field value is not empty, then the metadata.event_type UDM field is set to USER_UNCATEGORIZED.

Else, the metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Web Proxy.
sourcetype additional.fields[sourcetype]
datetime metadata.event_timestamp
tz additional.fields[tz]
ss additional.fields[ss]
mm additional.fields[mm]
hh additional.fields[hh]
dd additional.fields[dd]
mth additional.fields[mth]
yyyy additional.fields[yyyy]
mon additional.fields[mon]
day additional.fields[day]
department principal.user.department
b64dept principal.user.department
edepartment principal.user.department
user principal.user.email_addresses
b64login principal.user.email_addresses
elogin principal.user.email_addresses
ologin additional.fields[ologin]
cloudname principal.user.attribute.labels[cloudname]
company principal.user.company_name
throttlereqsize security_result.detection_fields[throttlereqsize]
throttlerespsize security_result.detection_fields[throttlerespsize]
bwthrottle security_result.detection_fields[bwthrottle]
security_result.category If the bwthrottle log field value is equal to Yes, then the security_result.category UDM field is set to POLICY_VIOLATION.
bwclassname security_result.detection_fields[bwclassname]
obwclassname security_result.detection_fields[obwclassname]
bwrulename security_result.rule_name
appname target.application
appclass target.security_result.detection_fields[appclass]
module target.security_result.detection_fields[module]
app_risk_score target.security_result.risk_score If the app_risk_score log field value matches the regular expression pattern [0-9]+, then the app_risk_score log field is mapped to the security_result.risk_score UDM field.
datacenter target.location.name
datacentercity target.location.city
datacentercountry target.location.country_or_region
dlpdictionaries security_result.detection_fields[dlpdictionaries]
odlpdict security_result.detection_fields[odlpdict]
dlpdicthitcount security_result.detection_fields[dlpdicthitcount]
dlpengine security_result.detection_fields[dlpengine]
odlpeng security_result.detection_fields[odlpeng]
dlpidentifier security_result.detection_fields[dlpidentifier]
dlpmd5 security_result.detection_fields[dlpmd5]
dlprulename security_result.rule_name
odlprulename security_result.detection_fields[odlprulename]
fileclass additional.fields[fileclass]
filetype target.file.mime_type
filename target.file.full_path
b64filename target.file.full_path
efilename target.file.full_path
filesubtype additional.fields[filesubtype]
upload_fileclass additional.fields[upload_fileclass]
upload_filetype target.file.mime_type If the filetype log field value is equal to None and the upload_filetype log field value is not equal to None, then the upload_filetype log field is mapped to the target.file.mime_type UDM field.
upload_filename target.file.full_path If the filename log field value is equal to None and the upload_filename log field value is not equal to None, then the upload_filename log field is mapped to the target.file.full_path UDM field.
b64upload_filename target.file.full_path
eupload_filename target.file.full_path
upload_filesubtype additional.fields[upload_filesubtype]
upload_doctypename additional.fields[upload_doctypename]
unscannabletype security_result.detection_fields[unscannabletype]
rdr_rulename intermediary.security_result.rule_name
b64rdr_rulename intermediary.security_result.rule_name
intermediary.resource.resource_type If the rdr_rulename log field value is not empty, then the intermediary.resource.resource_type UDM field is set to GATEWAY.
ordr_rulename additional.fields[ordr_rulename]
fwd_type intermediary.resource.attribute.labels[fwd_type]
fwd_gw_name intermediary.resource.name
b64fwd_gw_name intermediary.resource.name
ofwd_gw_name security_result.detection_fields[ofwd_gw_name]
fwd_gw_ip intermediary.ip
zpa_app_seg_name additional.fields[zpa_app_seg_name]
b64zpa_app_seg_name additional.fields[zpa_app_seg_name]
ozpa_app_seg_name additional.fields[ozpa_app_seg_name]
reqdatasize additional.fields[reqdatasize]
reqhdrsize additional.fields[reqhdrsize]
requestsize network.sent_bytes
respdatasize additional.fields[respdatasize]
resphdrsize additional.fields[resphdrsize]
responsesize network.received_bytes
transactionsize additional.fields[transactionsize]
contenttype additional.fields[contenttype]
df_hosthead security_result.detection_fields[df_hosthead]
df_hostname security_result.detection_fields[df_hostname]
hostname target.hostnametarget.asset.hostname
b64host target.hostnametarget.asset.hostname
ehost target.hostnametarget.asset.hostname
refererURL network.http.referral_url
b64referer network.http.referral_url
ereferer network.http.referral_url
erefererpath additional.fields[erefererpath]
refererhost additional.fields[refererhost]
erefererhost additional.fields[refererhost]
requestmethod network.http.method
reqversion additional.fields[reqversion]
status network.http.response_code
respversion additional.fields[respversion]
ua_token additional.fields[ua_token]
useragent network.http.user_agent
b64ua network.http.user_agent
eua network.http.user_agent
useragent network.http.parsed_user_agent
b64ua network.http.parsed_user_agent
eua network.http.parsed_user_agent
uaclass additional.fields[uaclass]
url target.url
b64url target.url
eurl target.url
eurlpath additional.fields[eurlpath]
mobappname additional.fields[mobappname]
b64mobappname additional.fields[mobappname]
emobappname additional.fields[mobappname]
mobappcat additional.fields[mobappcat]
mobdevtype additional.fields[mobdevtype]
clt_sport principal.port
ClientIP principal.ip
ocip security_result.detection_fields[ocip]
cpubip additional.fields[cpubip]
ocpubip additional.fields[ocpubip]
clientpublicIP principal.nat_ip
serverip target.ip
network.application_protocol If the protocol log field value contain one of the following values, then the network.application_protocol UDM field is set to HTTP.
  • HTTP
  • HTTP_PROXY
Else, if the protocol log field value contain one of the following values, then the network.application_protocol UDM field is set to HTTPS.
  • HTTPS
  • SSL
  • TUNNEL_SSL
  • DNSOVERHTTPS
  • TUNNEL
Else, the network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOL.
alpnprotocol additional.fields[alpnprotocol]
trafficredirectmethod intermediary.resource.attribute.labels[trafficredirectmethod]
location principal.location.name
elocation principal.location.name
userlocationname principal.location.name If the userlocationname log field value is not equal to None, then the userlocationname log field is mapped to the principal.location.name UDM field.
b64userlocationname principal.location.name
euserlocationname principal.location.name
rulelabel security_result.rule_name If the action log field value is equal to Blocked, then the rulelabel log field is mapped to the security_result.rule_name UDM field.
b64rulelabel security_result.rule_name
erulelabel security_result.rule_name
ruletype security_result.rule_type
reason security_result.description If the action log field value is equal to Blocked, then the reason log field is mapped to the security_result.description UDM field.
action security_result.action_details
security_result.action If the action log field value is equal to Allowed, then the security_result.action UDM field is set to ALLOW.

Else, if the action log field value is equal to Blocked, then the security_result.action UDM field is set to BLOCK.
urlfilterrulelabel security_result.rule_name
b64urlfilterrulelabel security_result.rule_name
eurlfilterrulelabel security_result.rule_name
ourlfilterrulelabel security_result.detection_fields[ourlfilterrulelabel]
apprulelabel target.security_result.rule_name
b64apprulelabel target.security_result.rule_name
oapprulelabel security_result.detection_fields[oapprulelabel]
bamd5 target.file.md5
sha256 target.file.sha256
ssldecrypted security_result.detection_fields[ssldecrypted]
externalspr security_result.about.artifact.last_https_certificate.extension.certificate_policies
keyprotectiontype security_result.about.artifact.last_https_certificate.extension.key_usage
clientsslcipher network.tls.client.supported_ciphers
clienttlsversion network.tls.version
clientsslsessreuse security_result.detection_fields[clientsslsessreuse]
cltsslfailreason security_result.detection_fields[cltsslfailreason]
cltsslfailcount security_result.detection_fields[cltsslfailcount]
srvsslcipher network.tls.cipher
srvtlsversion security_result.detection_fields[srvtlsversion]
srvocspresult security_result.detection_fields[srvocspresult]
srvcertchainvalpass security_result.detection_fields[srvcertchainvalpass]
srvwildcardcert security_result.detection_fields[srvwildcardcert]
serversslsessreuse security_result.detection_fields[server_ssl_sess_reuse]
srvcertvalidationtype security_result.detection_fields[srvcertvalidationtype]
srvcertvalidityperiod security_result.detection_fields[srvcertvalidityperiod]
is_ssluntrustedca security_result.detection_fields[is_ssluntrustedca]
is_sslselfsigned security_result.detection_fields[is_sslselfsigned]
is_sslexpiredca security_result.detection_fields[is_sslexpiredca]
pagerisk security_result.risk_score
security_result.severity If the pagerisk log field value is greater than or equal to 90 and the pagerisk log field value is less than or equal to 100, then the security_result.severity UDM field is set to CRITICAL.

If the pagerisk log field value is greater than or equal to 75 and the pagerisk log field value is less than or equal to 89, then the security_result.severity UDM field is set to HIGH.

If the pagerisk log field value is greater than or equal to 46 and the pagerisk log field value is less than or equal to 74, then the security_result.severity UDM field is set to MEDIUM.

If the pagerisk log field value is greater than or equal to 1 and the pagerisk log field value &is less than or equal to 45, then the security_result.severity UDM field is set to LOW.

If the pagerisk log field value is equal to 0, then the security_result.severity UDM field is set to NONE.
security_result.severity_details If the pagerisk log field value is not empty and the threatseverity log field value is not empty, then the security_result.severity_details UDM field is set to %{pagerisk} - %{threatseverity}.

Else, if the threatseverity log field value is not empty, then the threatseverity log field is mapped to the security_result.severity_details UDM field.
activity additional.fields[activity]
is_dst_cntry_risky additional.fields[is_dst_cntry_risky]
is_src_cntry_risky additional.fields[is_src_cntry_risky]
prompt_req additional.fields[prompt_req]
srcip_country principal.ip_geo_artifact.location.country_or_region
pcapid security_result.about.file.full_path
all_dlprulenames security_result.rule_labels[all_dlprulenames]
other_dlprulenames security_result.rule_labels[other_dlprulenames]
trig_dlprulename security_result.rule_name
dstip_country target.ip_geo_artifact.location.country_or_region
srv_dport target.port
inst_level2_name target.resource_ancestors.name
inst_level3_name target.resource_ancestors.name
inst_level2_id target.resource_ancestors.product_object_id
inst_level3_id target.resource_ancestors.product_object_id
inst_level2_type target.resource_ancestors.resource_subtype
inst_level3_type target.resource_ancestors.resource_subtype
target.resource_ancestors.resource_type If the inst_level2_type log field value matches the regular expression pattern organization then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.
Else, if inst_level2_type log field value matches the regular expression pattern service then, the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE.
Else, if inst_level2_type log field value matches the regular expression pattern policy then, the target.resource_ancestors.resource_type UDM field is set to ACCESS_POLICY.
Else, if inst_level2_type log field value matches the regular expression pattern project then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.
Else, if inst_level2_type log field value matches the regular expression pattern cluster then, the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
Else, if inst_level2_type log field value matches the regular expression pattern container then, the target.resource_ancestors.resource_type UDM field is set to CONTAINER.
Else, if inst_level2_type log field value matches the regular expression pattern pod then, the target.resource_ancestors.resource_type UDM field is set to POD.
Else, if inst_level2_type log field value matches the regular expression pattern repository then, the target.resource_ancestors.resource_type UDM field is set to REPOSITORY.
If the inst_level3_type log field value matches the regular expression pattern organization then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION.
Else, if inst_level3_type log field value matches the regular expression pattern service then, the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE.
Else, if inst_level3_type log field value matches the regular expression pattern policy then, the target.resource_ancestors.resource_type UDM field is set to ACCESS_POLICY.
Else, if inst_level3_type log field value matches the regular expression pattern project then, the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT.
Else, if inst_level3_type log field value matches the regular expression pattern cluster then, the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
Else, if inst_level3_type log field value matches the regular expression pattern container then, the target.resource_ancestors.resource_type UDM field is set to CONTAINER.
Else, if inst_level3_type log field value matches the regular expression pattern pod then, the target.resource_ancestors.resource_type UDM field is set to POD.
Else, if inst_level3_type log field value matches the regular expression pattern repository then, the target.resource_ancestors.resource_type UDM field is set to REPOSITORY.
inst_level1_name target.resource.name
inst_level1_id target.resource.product_object_id
inst_level1_type target.resource.resource_subtype
target.resource.resource_type If the inst_level1_type log field value matches the regular expression pattern organization then, the target.resource.resource_type UDM field is set to CLOUD_ORGANIZATION.
Else, if inst_level1_type log field value matches the regular expression pattern service then, the target.resource.resource_type UDM field is set to BACKEND_SERVICE.
Else, if inst_level1_type log field value matches the regular expression pattern policy then, the target.resource.resource_type UDM field is set to ACCESS_POLICY.
Else, if inst_level1_type log field value matches the regular expression pattern project then, the target.resource.resource_type UDM field is set to CLOUD_PROJECT.
Else, if inst_level1_type log field value matches the regular expression pattern cluster then, the target.resource.resource_type UDM field is set to CLUSTER.
Else, if inst_level1_type log field value matches the regular expression pattern container then, the target.resource.resource_type UDM field is set to CONTAINER.
Else, if inst_level1_type log field value matches the regular expression pattern pod then, the target.resource.resource_type UDM field is set to POD.
Else, if inst_level1_type log field value matches the regular expression pattern repository then, the target.resource.resource_type UDM field is set to REPOSITORY.
app_status target.security_result.detection_fields[app_status]
threatname security_result.threat_name
b64threatname security_result.threat_name
threatcategory security_result.associations.name
threatclass security_result.associations.description
urlclass security_result.detection_fields[urlclass]
urlsupercategory security_result.category_details
urlcategory security_result.category_details
b64urlcat security_result.category_details
ourlcat security_result.detection_fields[ourlcat]
urlcatmethod security_result.detection_fields[urlcatmethod]
bypassed_traffic security_result.detection_fields[bypassed_traffic]
bypassed_etime security_result.detection_fields[bypassed_etime]
deviceappversion additional.fields[deviceappversion]
devicehostname principal.asset.hostname
odevicehostname security_result.detection_fields[odevicehostname]
devicemodel principal.asset.hardware.model
devicename principal.asset.asset_id
odevicename security_result.detection_fields[odevicename]
principal.asset.platform_software.platform If the deviceostype log field value matches the regular expression pattern (?i)iOS, then the principal.asset.platform_software.platform UDM field is set to IOS.

Else, if the deviceostype log field value matches the regular expression pattern (?i)Android, then the principal.asset.platform_software.platform UDM field is set to ANDROID.

Else, if the deviceostype log field value matches the regular expression pattern (?i)Windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the deviceostype log field value matches the regular expression pattern (?i)MAC, then the principal.asset.platform_software.platform UDM field is set to MAC.

Else, if the deviceostype log field value matches the regular expression pattern (?i)Other, then the principal.asset.platform_software.platform UDM field is set to UNKNOWN_PLATFORM.
deviceosversion principal.asset.software.version
deviceowner principal.user.userid
odeviceowner security_result.detection_fields[odeviceowner]
devicetype principal.asset.category
external_devid additional.fields[external_devid]
flow_type additional.fields[flow_type]
ztunnelversion additional.fields[ztunnelversion]
event_id metadata.product_log_id
productversion metadata.product_version
nsssvcip about.ip
eedone additional.fields[eedone]

還有其他問題嗎?向社群成員和 Google SecOps 專家尋求解答。