收集 Zscaler DNS 記錄
支援以下發布途徑:
Google secops
Siem
本文說明如何設定 Google Security Operations 動態饋給,以匯出 Zscaler DNS 記錄,以及記錄欄位如何對應至 Google SecOps 統一資料模型 (UDM) 欄位。
詳情請參閱「將資料匯入 Google SecOps 總覽」。
一般部署作業包括 Zscaler DNS 和 Google SecOps Webhook 動態饋給,可將記錄傳送至 Google SecOps。每個客戶的部署作業可能有所不同,且可能更為複雜。
部署作業包含下列元件:
Zscaler DNS:您收集記錄的平台。
Google SecOps 動態饋給:Google SecOps 動態饋給會從 Zscaler DNS 擷取記錄,並將記錄寫入 Google SecOps。
Google SecOps:保留並分析記錄檔。
擷取標籤可識別剖析器,將原始記錄資料正規化為具結構性的 UDM 格式。本文中的資訊適用於使用 ZSCALER_DNS 攝入標籤的剖析器。
事前準備
請確認您已完成下列必要條件:
- 存取 Zscaler Internet Access 主控台。詳情請參閱「Secure Internet and SaaS Access ZIA 說明」。
- Zscaler DNS 2024 以上版本
- 部署架構中的所有系統都已設定為使用世界標準時間 (UTC) 時區。
- 在 Google Security Operations 中完成動態饋給設定所需的 API 金鑰。詳情請參閱「設定 API 金鑰」。
設定動態饋給
在 Google SecOps 平台中,有兩個不同的入口可用來設定動態消息:
- SIEM 設定 > 動態饋給
- 內容中心 > 內容包
依序前往「SIEM 設定」>「動態」設定動態
如要針對這個產品系列中的不同記錄類型設定多個動態饋給,請參閱「依產品設定動態饋給」。
如要設定單一動態饋給,請按照下列步驟操作:
- 依序前往「SIEM 設定」>「動態饋給」。
- 按一下「新增動態消息」。
- 在下一頁中,按一下「設定單一動態饋給」。
- 在「動態饋給名稱」欄位中輸入動態饋給的名稱,例如「ZScaler DNS Logs」。
- 將「來源類型」設為「Webhook」。
- 選取「ZScaler DNS」做為「記錄類型」。
- 點選「下一步」。
- 選用:輸入下列輸入參數的值:
- 分隔符號:用於分隔記錄行。如果未使用分隔符號,請留空。
- Asset namespace:素材資源命名空間。
- 攝入標籤:要套用至這個動態饋給事件的標籤。
- 點選「下一步」。
- 在「完成」畫面中查看新的動態饋給設定,然後按一下「提交」。
- 按一下「產生密鑰」,產生用於驗證這則動態饋給的密鑰。
透過內容中心設定動態饋給
指定下列欄位的值:
- 分隔符號:用於分隔記錄資料列的符號,例如
\n。
進階選項
- 動態饋給名稱:預先填入的值,用於識別動態饋給。
- 來源類型:用於收集記錄並匯入 Google SecOps 的方法。
- 資產命名空間:資產命名空間。
- 攝入標籤:套用至這個動態饋給事件的標籤。
- 點選「下一步」。
- 在「Finalize」畫面中查看動態饋給設定,然後按一下「Submit」。
- 按一下「產生密鑰」,即可產生密鑰來驗證這項動態饋給。
設定 Zscaler DNS
- 在 Zscaler Internet Access 主控台中,依序點選「Administration」>「Nanolog Streaming Service」>「Cloud NSS Feeds」,然後點選「Add Cloud NSS Feed」。
- 系統會隨即顯示「Add Cloud NSS Feed」視窗。在「新增 Cloud NSS 動態饋給」視窗中輸入詳細資料。
- 在「動態饋給名稱」欄位中輸入動態饋給的名稱。
- 在「NSS Type」中選取「NSS for DNS」。
- 從「狀態」清單中選取狀態,即可啟用或停用 NSS 動態饋給。
- 請將「SIEM Rate」下拉式選單的值設為「Unlimited」。如要因授權或其他限制而抑制輸出串流,請變更該值。
- 在「SIEM 類型」清單中選取「其他」。
- 在「OAuth 2.0 驗證」清單中選取「已停用」。
- 在「最大批次大小」中,輸入 SIEM 最佳做法中個別 HTTP 要求酬載的大小上限。例如 512 KB。
請在 API 網址中輸入 Chronicle API 端點的 HTTPS 網址,格式如下:
https://<CHRONICLE_REGION>-chronicle.googleapis.com/v1alpha/projects/<GOOGLE_PROJECT_NUMBER>/locations/<LOCATION>/instances/<CUSTOMER_ID>/feeds/<FEED_ID>:importPushLogsCHRONICLE_REGION:Chronicle 執行個體所在的區域。例如美國。GOOGLE_PROJECT_NUMBER:BYOP 專案編號。請從 C4 取得這項資訊。LOCATION:Chronicle 區域。例如美國。CUSTOMER_ID:Chronicle 客戶 ID。從 C4 取得。FEED_ID:在建立的新 webhook 的動態饋給 UI 中顯示的動態饋給 ID- API 網址範例:
https://us-chronicle.googleapis.com/v1alpha/projects/12345678910/locations/US/instances/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/feeds/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy:importPushLogs按一下「Add HTTP Header」,然後使用以下格式新增 HTTP 標頭:
Header 1:Key1:X-goog-api-key和 Value1:在 Google Cloud BYOP 的 API 憑證中產生的 API 金鑰。Header 2:Key2:X-Webhook-Access-Key和 Value2: 在 webhook 的「SECRET KEY」中產生的 API 密鑰。
在「記錄類型」清單中選取「DNS 記錄」。
在「動態饋給輸出類型」清單中選取「JSON」。
將「Feed Escape Character」設為
, \ "。如要新增欄位至動態饋給輸出格式,請在「動態饋給輸出類型」清單中選取「自訂」。
複製貼上動態饋給輸出格式,然後新增欄位。請確認鍵名稱與實際欄位名稱相符。
以下是預設的動態饋給輸出格式:
\{ "sourcetype" : "zscalernss-dns", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","reqaction":"%s{reqaction}","resaction":"%s{resaction}","reqrulelabel":"%s{reqrulelabel}","resrulelabel":"%s{resrulelabel}","dns_reqtype":"%s{reqtype}","dns_req":"%s{req}","dns_resp":"%s{res}","srv_dport":"%d{sport}","durationms":"%d{durationms}","clt_sip":"%s{cip}","srv_dip":"%s{sip}","category":"%s{domcat}","respipcategory":"%s{respipcat}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\}在「Timezone」清單中,選取輸出檔案中「Time」欄位的時區。根據預設,時區會設為貴機構的時區。
查看已設定的設定。
按一下「儲存」即可測試連線。如果連線成功,畫面上會顯示綠色勾號,並顯示「Test Connectivity Successful: OK (200)」訊息。
如要進一步瞭解 Google SecOps 動態饋給,請參閱 Google SecOps 動態饋給說明文件。如要瞭解各個動態饋給類型的規定,請參閱「依類型分類的動態饋給設定」。
如果在建立動態饋給時遇到問題,請與 Google SecOps 支援團隊聯絡。
支援的 Zscaler DNS 記錄格式
Zscaler DNS 剖析器支援 JSON 格式的記錄。
支援的 Zscaler DNS 樣本記錄
JSON
{ "sourcetype": "zscalernss-dns", "event": { "srv_dport": "53", "durationms": "1306", "clt_sip": "1.1.1.1", "respipcategory": "Other", "datetime": "Sun Sep 18 22:41:05 2020", "reqaction": "Allow", "resaction": "Allow", "resrulelabel": "None", "category": "Finance", "devicehostname": "dummy_hostname", "user": "test.123@test.com", "location": "dummy", "deviceowner": "212582", "department": "Output%20Solutions", "reqrulelabel": "Default Firewall DNS Rule", "dns_reqtype": "SRV", "dns_req": "dummy.domains.com", "dns_resp": "NXDOMAIN", "srv_dip": "1.1.1.1" } }
欄位對應參考資料
欄位對應參考資料:ZSCALER_DNS
下表列出 ZSCALER_DNS 記錄類型的記錄欄位,以及對應的 UDM 欄位。
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_DNS. |
|
metadata.product_name |
The metadata.product_name UDM field is set to DNS. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Zscaler. |
|
metadata.description |
If the category log field value is not empty and the durationms log field value is not empty, then the NSSDNSLog | Duration: durationms ms | Category: category log field is mapped to the metadata.description UDM field.Else, if the category log field value is not empty, then the DNS request to \category\ log field is mapped to the metadata.description UDM field. |
recordid |
metadata.product_log_id |
|
datetime |
metadata.event_timestamp |
|
epochtime |
metadata.event_timestamp |
|
|
network.application_protocol |
The network.application_protocol UDM field is set to DNS. |
|
network.dns.response_code |
If the dns_resp log field value is equal to NOERROR, then the network.dns.response_code UDM field is set to 0.Else, if the dns_resp log field value is equal to FORMERR, then the network.dns.response_code UDM field is set to 1.Else, if the dns_resp log field value is equal to SERVFAIL, then the network.dns.response_code UDM field is set to 2.Else, if the dns_resp log field value is equal to NXDOMAIN, then the network.dns.response_code UDM field is set to 3.Else, if the dns_resp log field value is equal to NOTIMP, then the network.dns.response_code UDM field is set to 4.Else, if the dns_resp log field value is equal to REFUSED, then the network.dns.response_code UDM field is set to 5.Else, if the dns_resp log field value is equal to YXDOMAIN, then the network.dns.response_code UDM field is set to 6.Else, if the dns_resp log field value is equal to YXRRSET, then the network.dns.response_code UDM field is set to 7.Else, if the dns_resp log field value is equal to NXRRSET, then the network.dns.response_code UDM field is set to 8.Else, if the dns_resp log field value is equal to NOTAUTH, then the network.dns.response_code UDM field is set to 9.Else, if the dns_resp log field value is equal to NOTZONE, then the network.dns.response_code UDM field is set to 10. |
dns_resp |
network.dns.answers.data |
|
|
network.dns.answers.type |
If the restype log field value matches the regular expression pattern ipv4, then the network.dns.answers.type UDM field is set to 1.Else, if the restype log field value matches the regular expression pattern ipv6, then the network.dns.answers.type UDM field is set to 28. |
dns_req |
network.dns.questions.name |
|
|
network.dns.questions.type |
If the record_type log field value is equal to A, then the network.dns.questions.type UDM field is set to 1.Else, if the record_type log field value is equal to NS, then the network.dns.questions.type UDM field is set to 2.Else, if the record_type log field value is equal to MD, then the network.dns.questions.type UDM field is set to 3.Else, if the record_type log field value is equal to MF, then the network.dns.questions.type UDM field is set to 4.Else, if the record_type log field value is equal to CNAME, then the network.dns.questions.type UDM field is set to 5.Else, if the record_type log field value is equal to SOA, then the network.dns.questions.type UDM field is set to 6.Else, if the record_type log field value is equal to MB, then the network.dns.questions.type UDM field is set to 7.Else, if the record_type log field value is equal to MG, then the network.dns.questions.type UDM field is set to 8.Else, if the record_type log field value is equal to MR, then the network.dns.questions.type UDM field is set to 9.Else, if the record_type log field value is equal to NULL, then the network.dns.questions.type UDM field is set to 10.Else, if the record_type log field value is equal to WKS, then the network.dns.questions.type UDM field is set to 11.Else, if the record_type log field value is equal to PTR, then the network.dns.questions.type UDM field is set to 12.Else, if the record_type log field value is equal to HINFO, then the network.dns.questions.type UDM field is set to 13.Else, if the record_type log field value is equal to MINFO, then the network.dns.questions.type UDM field is set to 14.Else, if the record_type log field value is equal to MX, then the network.dns.questions.type UDM field is set to 15.Else, if the record_type log field value is equal to TXT, then the network.dns.questions.type UDM field is set to 16.Else, if the record_type log field value is equal to RP, then the network.dns.questions.type UDM field is set to 17.Else, if the record_type log field value is equal to AFSDB, then the network.dns.questions.type UDM field is set to 18.Else, if the record_type log field value is equal to X25, then the network.dns.questions.type UDM field is set to 19.Else, if the record_type log field value is equal to ISDN, then the network.dns.questions.type UDM field is set to 20.Else, if the record_type log field value is equal to RT, then the network.dns.questions.type UDM field is set to 21.Else, if the record_type log field value is equal to NSAP, then the network.dns.questions.type UDM field is set to 22.Else, if the record_type log field value is equal to NSAP-PTR, then the network.dns.questions.type UDM field is set to 23.Else, if the record_type log field value is equal to SIG, then the network.dns.questions.type UDM field is set to 24.Else, if the record_type log field value is equal to KEY, then the network.dns.questions.type UDM field is set to 25.Else, if the record_type log field value is equal to PX, then the network.dns.questions.type UDM field is set to 26.Else, if the record_type log field value is equal to GPOS, then the network.dns.questions.type UDM field is set to 27.Else, if the record_type log field value is equal to AAAA, then the network.dns.questions.type UDM field is set to 28.Else, if the record_type log field value is equal to LOC, then the network.dns.questions.type UDM field is set to 29.Else, if the record_type log field value is equal to NXT, then the network.dns.questions.type UDM field is set to 30.Else, if the record_type log field value is equal to EID, then the network.dns.questions.type UDM field is set to 31.Else, if the record_type log field value is equal to NIMLOC, then the network.dns.questions.type UDM field is set to 32.Else, if the record_type log field value is equal to SRV, then the network.dns.questions.type UDM field is set to 33.Else, if the record_type log field value is equal to ATMA, then the network.dns.questions.type UDM field is set to 34.Else, if the record_type log field value is equal to NAPTR, then the network.dns.questions.type UDM field is set to 35.Else, if the record_type log field value is equal to KX, then the network.dns.questions.type UDM field is set to 36.Else, if the record_type log field value is equal to CERT, then the network.dns.questions.type UDM field is set to 37.Else, if the record_type log field value is equal to A6, then the network.dns.questions.type UDM field is set to 38.Else, if the record_type log field value is equal to DNAME, then the network.dns.questions.type UDM field is set to 39.Else, if the record_type log field value is equal to SINK, then the network.dns.questions.type UDM field is set to 40.Else, if the record_type log field value is equal to OPT, then the network.dns.questions.type UDM field is set to 41.Else, if the record_type log field value is equal to APL, then the network.dns.questions.type UDM field is set to 42.Else, if the record_type log field value is equal to DS, then the network.dns.questions.type UDM field is set to 43.Else, if the record_type log field value is equal to SSHFP, then the network.dns.questions.type UDM field is set to 44.Else, if the record_type log field value is equal to IPSECKEY, then the network.dns.questions.type UDM field is set to 45.Else, if the record_type log field value is equal to RRSIG, then the network.dns.questions.type UDM field is set to 46.Else, if the record_type log field value is equal to NSEC, then the network.dns.questions.type UDM field is set to 47.Else, if the record_type log field value is equal to DNSKEY, then the network.dns.questions.type UDM field is set to 48.Else, if the record_type log field value is equal to DHCID, then the network.dns.questions.type UDM field is set to 49.Else, if the record_type log field value is equal to NSEC3, then the network.dns.questions.type UDM field is set to 50.Else, if the record_type log field value is equal to NSEC3PARAM, then the network.dns.questions.type UDM field is set to 51.Else, if the record_type log field value is equal to TLSA, then the network.dns.questions.type UDM field is set to 52.Else, if the record_type log field value is equal to SMIMEA, then the network.dns.questions.type UDM field is set to 53.Else, if the record_type log field value is equal to UNASSIGNED, then the network.dns.questions.type UDM field is set to 54.Else, if the record_type log field value is equal to HIP, then the network.dns.questions.type UDM field is set to 55.Else, if the record_type log field value is equal to NINFO, then the network.dns.questions.type UDM field is set to 56.Else, if the record_type log field value is equal to RKEY, then the network.dns.questions.type UDM field is set to 57.Else, if the record_type log field value is equal to TALINK, then the network.dns.questions.type UDM field is set to 58.Else, if the record_type log field value is equal to CDS, then the network.dns.questions.type UDM field is set to 59.Else, if the record_type log field value is equal to CDNSKEY, then the network.dns.questions.type UDM field is set to 60.Else, if the record_type log field value is equal to OPENPGPKEY, then the network.dns.questions.type UDM field is set to 61.Else, if the record_type log field value is equal to CSYNC, then the network.dns.questions.type UDM field is set to 62.Else, if the record_type log field value is equal to ZONEMD, then the network.dns.questions.type UDM field is set to 63.Else, if the record_type log field value is equal to SVCB, then the network.dns.questions.type UDM field is set to 64.Else, if the record_type log field value is equal to HTTPS, then the network.dns.questions.type UDM field is set to 65.Else, if the record_type log field value is equal to SPF, then the network.dns.questions.type UDM field is set to 99.Else, if the record_type log field value is equal to UINFO, then the network.dns.questions.type UDM field is set to 100.Else, if the record_type log field value is equal to UID, then the network.dns.questions.type UDM field is set to 101.Else, if the record_type log field value is equal to GID, then the network.dns.questions.type UDM field is set to 102.Else, if the record_type log field value is equal to UNSPEC, then the network.dns.questions.type UDM field is set to 103.Else, if the record_type log field value is equal to NID, then the network.dns.questions.type UDM field is set to 104.Else, if the record_type log field value is equal to L32, then the network.dns.questions.type UDM field is set to 105.Else, if the record_type log field value is equal to L64, then the network.dns.questions.type UDM field is set to 106.Else, if the record_type log field value is equal to LP, then the network.dns.questions.type UDM field is set to 107.Else, if the record_type log field value is equal to EUI48, then the network.dns.questions.type UDM field is set to 108.Else, if the record_type log field value is equal to EUI64, then the network.dns.questions.type UDM field is set to 109.Else, if the record_type log field value is equal to TKEY, then the network.dns.questions.type UDM field is set to 249.Else, if the record_type log field value is equal to TSIG, then the network.dns.questions.type UDM field is set to 250.Else, if the record_type log field value is equal to IXFR, then the network.dns.questions.type UDM field is set to 251.Else, if the record_type log field value is equal to AXFR, then the network.dns.questions.type UDM field is set to 252.Else, if the record_type log field value is equal to MAILB, then the network.dns.questions.type UDM field is set to 253.Else, if the record_type log field value is equal to MAILA, then the network.dns.questions.type UDM field is set to 254.Else, if the record_type log field value is equal to ALL, then the network.dns.questions.type UDM field is set to 255.Else, if the record_type log field value is equal to URI, then the network.dns.questions.type UDM field is set to 256.Else, if the record_type log field value is equal to CAA, then the network.dns.questions.type UDM field is set to 257.Else, if the record_type log field value is equal to AVC, then the network.dns.questions.type UDM field is set to 258.Else, if the record_type log field value is equal to DOA, then the network.dns.questions.type UDM field is set to 259.Else, if the record_type log field value is equal to AMTRELAY, then the network.dns.questions.type UDM field is set to 260.Else, if the record_type log field value is equal to TA, then the network.dns.questions.type UDM field is set to 32768.Else, if the record_type log field value is equal to DLV, then the network.dns.questions.type UDM field is set to 32769. |
dns_reqtype |
additional.fields [dns_reqtype] |
|
http_code |
network.http.response_code |
|
protocol |
network.ip_protocol |
If the protocol log field value contain one of the following values, then the protocol log field is mapped to the network.ip_protocol UDM field.
|
durationms |
network.session_duration.seconds |
|
devicemodel |
principal.asset.hardware.model |
|
devicename |
principal.asset.asset_id |
|
devicehostname |
principal.asset.hostname |
|
|
principal.asset.platform_software.platform |
If the deviceostype log field value matches the regular expression pattern (?i)win, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the deviceostype log field value matches the regular expression pattern (?i)lin, then the principal.asset.platform_software.platform UDM field is set to LINUX. |
deviceosversion |
principal.asset.platform_software.platform_version |
|
company |
principal.user.company_name |
|
department |
principal.user.department |
|
user |
principal.user.email_addresses |
If the user log field value matches the regular expression pattern (^.@.$) or the login log field value matches the regular expression pattern (^.@.$), then if the user log field value is not empty, then the user log field is mapped to the principal.user.email_addresses UDM field. |
login |
principal.user.email_addresses |
If the user log field value matches the regular expression pattern (^.@.$) or the login log field value matches the regular expression pattern (^.@.$), then if the user log field value is not empty, then else, the login log field is mapped to the principal.user.email_addresses UDM field. |
deviceowner |
principal.user.userid |
|
clt_sip |
principal.ip |
|
location |
principal.location.name |
|
reqrulelabel |
security_result.rule_name |
|
rule |
security_result.rule_name |
|
|
security_result.action |
If the reqaction log field value matches the regular expression pattern (?i)BLOCK, then the security_result.action UDM field is set to BLOCK.Else, if the reqaction log field value matches the regular expression pattern (?i)ALLOW, then the security_result.action UDM field is set to ALLOW. |
reqaction |
security_result.action_details |
|
|
security_result.category |
If the category log field value is not empty, then the security_result.category UDM field is set to NETWORK_CATEGORIZED_CONTENT. |
category |
security_result.category_details |
|
resrulelabel |
security_result.rule_name |
|
|
security_result.action |
If the resaction log field value matches the regular expression pattern (?i)BLOCK, then the security_result.action UDM field is set to BLOCK.Else, if the resaction log field value matches the regular expression pattern (?i)ALLOW, then the security_result.action UDM field is set to ALLOW. |
resaction |
security_result.action_details |
|
|
security_result.category |
If the respipcategory log field value is not empty, then the security_result.category UDM field is set to NETWORK_CATEGORIZED_CONTENT. |
respipcategory |
security_result.category_details |
|
ecs_slot |
security_result.rule_labels [ecs_slot] |
If the dnsgw_slot log field value is empty, then the ecs_slot log field is mapped to the security_result.rule_name UDM field. |
dnsgw_slot |
security_result.rule_name |
If the dnsgw_slot log field value is not empty, then the dnsgw_slot log field is mapped to the security_result.rule_name UDM field. |
ecs_slot |
security_result.rule_name |
If the dnsgw_slot log field value is not empty, then the ecs_slot log field is mapped to the security_result.rule_labels UDM field. |
dnsapp |
target.application |
|
srv_dip |
target.ip |
|
srv_dport |
target.port |
|
datacentercity |
target.location.city |
|
datacentercountry |
target.location.country_or_region |
|
datacenter |
target.location.name |
|
cloudname |
security_result.detection_fields [cloudname] |
|
dnsappcat |
security_result.detection_fields [dnsappcat] |
|
ecs_prefix |
security_result.detection_fields [ecs_prefix] |
|
error |
security_result.detection_fields [error] |
|
istcp |
security_result.detection_fields [istcp] |
|
ocip |
security_result.detection_fields [ocip] |
|
odevicehostname |
security_result.detection_fields [odevicehostname] |
|
odeviceowner |
security_result.detection_fields [odeviceowner] |
|
odevicename |
security_result.detection_fields [odevicename] |
|
odomcat |
security_result.detection_fields [odomcat] |
|
dnsgw_flags |
security_result.detection_fields[dnsgw_flags] |
|
dnsgw_srv_proto |
security_result.detection_fields[dnsgw_srv_proto] |
|
erulelabel |
security_result.rule_labels [erulelabel] |
|
ethreatname |
security_result.threat_name |
|
durationms |
additional.fields [durationms] |
If the durationms log field value is equal to 1, then the durationms log field is mapped to the additional.fields.durationms UDM field. |
sourcetype |
additional.fields[sourcetype] |
|
deviceappversion |
additional.fields [deviceappversion] |
|
devicetype |
additional.fields [devicetype] |
|
eedone |
additional.fields [eedone] |
|
tz |
additional.fields [tz] |
|
ss |
additional.fields [ss] |
|
mm |
additional.fields [mm] |
|
hh |
additional.fields [hh] |
|
dd |
additional.fields [dd] |
|
mth |
additional.fields [mth] |
|
yyyy |
additional.fields [yyyy] |
|
mon |
additional.fields [mon] |
|
day |
additional.fields [day] |
還有其他問題嗎?向社群成員和 Google SecOps 專家尋求解答。