Zscaler ZIA integration

You can integrate Zscaler ZIA (Zscaler Internet Access) with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives an overview of the integration.

Zscaler ZIA product overview

Zscaler ZIA is an SSE (Security Service Edge) platform. ZIA monitors the cloud and provides a central location for software and database updates, policy and configuration settings, and threat intelligence.

Integrate Zscaler ZIA

What we ingest

Sample alerts we see:

  • Reputation block outbound request: malicious URL
  • Reputation block outbound request: phishing site
  • Not allowed non-RFC compliant HTTP traffic
  • Not allowed to upload/download encrypted or password-protected archive files
  • IPS block outbound request: cross-site scripting (XSS) attack
  • Remote Backup Failed
  • IPS block: cryptomining & blockchain traffic
  • RDP Allow
  • Malware block: malicious file
  • Sandbox block inbound response: malicious file

We also ingest many other alerts.

Alerts ingested in full

We recommend that you configure the following categories in NSS (Nanolog Streaming Service):

  • Zscaler ZIA firewall logs
  • Zscaler ZIA web logs
  • Zscaler ZIA DNS logs

Filtering

We filter alerts as follows.

On the log collector

On the log collector, we filter out the following:

  • Incorrectly formatted data (CEF)
  • High-volume, low-interest logs, such as allowed traffic logs

On the platform

On the platform, we filter out some high-volume logs that are not suitable as security events, including the following:

  • Policy access logs, such as social media access
  • Default connections allowed within standard firewall policies
  • High-volume simple items, such as SSL handshake logs

Sample threat mapping

The alert type is defined by the name field in the CEF header.

{"alertType": "Reputation block outbound request: malicious URL", "threatId": "T1598.003", "threatName": "Spearphishing Link"}
{"alertType": "Remote Backup Failed", "threatId": "T1020", "threatName": "Automated Exfiltration"}
{"alertType": "IPS block: cryptomining & blockchain traffic", "threatId": "T1496", "threatName": "Resource Hijacking"}
{"alertType": "Reputation block outbound request: phishing site", "threatId": "T1566", "threatName": "Phishing"}
{"alertType": "RDP Allow", "threatId": "T1021.001", "threatName": "Remote Desktop Protocol"}
{"alertType": "IPS block outbound request: cross-site scripting (XSS) attack", "threatId": "T1189", "threatName": "Drive-by Compromise"}
{"alertType": "Malware block: malicious file", "threatId": "T1204.002", "threatName": "Malicious File"}
{"alertType": "Sandbox block inbound response: malicious file", "threatId": "T1204.002", "threatName": "Malicious File"}
{"alertType": "Not allowed non-RFC compliant HTTP traffic", "threatId": "T1071", "threatName": "Application Layer Protocol"}
{"alertType": "Not allowed to upload/download encrypted or password-protected archive files", "threatId": "T1027", "threatName": "Obfuscated Files or Information"}
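The two stages the page describes, dropping malformed CEF and high-volume allowed traffic on the log collector and then mapping the CEF header name field to a MITRE ATT&CK technique, as an added Python example. This is not Sophos or Zscaler code: the mapping table is the one listed above, the log lines are constructed (they follow the CEF header layout, not real NSS output), and the rule that drops unmapped `act=Allow` events as "allowed traffic" is an assumed heuristic standing in for the collector's real filter.

```python
import re
from typing import Optional, Tuple

# Sample threat mapping from the page: CEF header "name" -> (ATT&CK technique id, name).
THREAT_MAP = {
    "Reputation block outbound request: malicious URL": ("T1598.003", "Spearphishing Link"),
    "Remote Backup Failed": ("T1020", "Automated Exfiltration"),
    "IPS block: cryptomining & blockchain traffic": ("T1496", "Resource Hijacking"),
    "Reputation block outbound request: phishing site": ("T1566", "Phishing"),
    "RDP Allow": ("T1021.001", "Remote Desktop Protocol"),
    "IPS block outbound request: cross-site scripting (XSS) attack": ("T1189", "Drive-by Compromise"),
    "Malware block: malicious file": ("T1204.002", "Malicious File"),
    "Sandbox block inbound response: malicious file": ("T1204.002", "Malicious File"),
    "Not allowed non-RFC compliant HTTP traffic": ("T1071", "Application Layer Protocol"),
    "Not allowed to upload/download encrypted or password-protected archive files": ("T1027", "Obfuscated Files or Information"),
}

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                  "signature_id", "name", "severity")


def split_cef_header(line: str) -> Optional[dict]:
    """Split one CEF line into its seven header fields plus the extension string.
    A literal pipe inside a header field is escaped as '\\|', so only unescaped
    pipes separate fields. Returns None when the line is not well-formed CEF."""
    start = line.find("CEF:")
    if start < 0:
        return None
    parts = re.split(r"(?<!\\)\|", line[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        return None  # too few header fields: malformed
    header = dict(zip(_HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    header["extension"] = parts[7]
    return header


def parse_extension(ext: str) -> dict:
    """Parse the 'key=value key2=value2' extension. Values may contain spaces,
    so a value runs until the next ' key=' token or the end of the string."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", ext)}


def process_line(line: str) -> Tuple[Optional[dict], Optional[str]]:
    """Apply the collector-side filter and the threat mapping to one log line.
    Returns (event, None) for an event to forward, or (None, reason) when dropped."""
    header = split_cef_header(line)
    if header is None:
        return None, "malformed"  # incorrectly formatted CEF is dropped on the collector
    fields = parse_extension(header["extension"])
    threat_id, threat_name = THREAT_MAP.get(header["name"], (None, None))
    # Assumed heuristic: an allow-action event with no threat mapping is plain
    # allowed-traffic noise (mapped ones such as "RDP Allow" are still kept).
    if threat_id is None and fields.get("act") == "Allow":
        return None, "allowed-traffic"
    return {
        "alertType": header["name"],
        "severity": header["severity"],
        "threatId": threat_id,
        "threatName": threat_name,
        "fields": fields,
    }, None


def process_lines(lines) -> Tuple[list, dict]:
    """Run process_line over a batch; returns (forwarded events, drop counts by reason)."""
    events, drops = [], {}
    for line in lines:
        event, reason = process_line(line)
        if event is None:
            drops[reason] = drops.get(reason, 0) + 1
        else:
            events.append(event)
    return events, drops


# Constructed sample lines (not real Zscaler NSS output).
SAMPLE_LINES = [
    "CEF:0|Zscaler|NSSWeblog|1.0|ReputationBlock|Reputation block outbound request: phishing site|8|act=Block suser=jdoe dhost=phish.example request=http://phish.example/login",
    "CEF:0|Zscaler|NSSWeblog|1.0|MalwareBlock|Malware block: malicious file|9|act=Block suser=jdoe fname=invoice.exe",
    "CEF:0|Zscaler|NSSFWlog|1.0|RDP|RDP Allow|3|act=Allow src=10.0.0.5 dst=10.0.0.9 dpt=3389",
    "CEF:0|Zscaler|NSSWeblog|1.0|Browse|Allowed web access|1|act=Allow suser=jdoe",
    "garbage line that is not CEF at all",
    "CEF:0|Zscaler|NSSWeblog|1.0|truncated header",
]

if __name__ == "__main__":
    forwarded, dropped = process_lines(SAMPLE_LINES)
    for ev in forwarded:
        print(ev["alertType"], "->", ev["threatId"], ev["threatName"])
    print("dropped:", dropped)
```

Of the six constructed lines, three are forwarded with a technique attached, the unmapped allow-action browse log is dropped as allowed traffic, and the two lines that do not form a complete seven-field header are dropped as malformed. Real NSS feeds carry a syslog prefix before `CEF:`, which is why the parser searches for that marker rather than requiring it at column zero.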

Vendor documentation