Zscaler ZIA integration
You can integrate Zscaler ZIA (Zscaler Internet Access) with Sophos Central so that it sends alerts to Sophos for analysis.
This page gives an overview of the integration.
Zscaler ZIA product overview
Zscaler ZIA is an SSE (Security Service Edge) platform. ZIA monitors the cloud and provides a centralized location for software and database updates, policy and configuration settings, and threat intelligence.
Sophos Technical Documentation
What we ingest
Sample alerts we see:
- Reputation block outbound request: malicious URL
- Reputation block outbound request: phishing site
- Not allowed non-RFC compliant HTTP traffic
- Not allowed to upload/download encrypted or password-protected archive files
- IPS block outbound request: cross-site scripting (XSS) attack
- Remote Backup Failed
- IPS block: cryptomining & blockchain traffic
- RDP Allow
- Malware block: malicious file
- Sandbox block inbound response: malicious file
We also ingest many other alert types.
Full alerts ingested
We recommend that you configure the following categories in NSS (Nanolog Streaming Service):
- Zscaler ZIA firewall logs
- Zscaler ZIA web logs
- Zscaler ZIA DNS logs
Filtering
We filter alerts as follows.
On the log collector
On the log collector, we filter out the following:
- Malformed data (CEF)
- High-volume, low-interest logs, such as allowed traffic logs
On the platform
On the platform, we filter out some high-volume logs that aren't suitable as security events, including the following:
- Policy access logs, such as social media access
- Default connections allowed within standard firewall policies
- High volumes of simple items, such as SSL handshake logs
Threat mapping example
The alert type is defined by the "name" field in the CEF header.
```json
[
  {"alertType": "Reputation block outbound request: malicious URL", "threatId": "T1598.003", "threatName": "Spearphishing Link"},
  {"alertType": "Remote Backup Failed", "threatId": "T1020", "threatName": "Automated Exfiltration"},
  {"alertType": "IPS block: cryptomining & blockchain traffic", "threatId": "T1496", "threatName": "Resource Hijacking"},
  {"alertType": "Reputation block outbound request: phishing site", "threatId": "T1566", "threatName": "Phishing"},
  {"alertType": "RDP Allow", "threatId": "T1021.001", "threatName": "Remote Desktop Protocol"},
  {"alertType": "IPS block outbound request: cross-site scripting (XSS) attack", "threatId": "T1189", "threatName": "Drive-by Compromise"},
  {"alertType": "Malware block: malicious file", "threatId": "T1204.002", "threatName": "Malicious File"},
  {"alertType": "Sandbox block inbound response: malicious file", "threatId": "T1204.002", "threatName": "Malicious File"},
  {"alertType": "Not allowed non-RFC compliant HTTP traffic", "threatId": "T1071", "threatName": "Application Layer Protocol"},
  {"alertType": "Not allowed to upload/download encrypted or password-protected archive files", "threatId": "T1027", "threatName": "Obfuscated Files or Information"}
]
```
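The following added example (not Sophos's or Zscaler's own code) illustrates the collector-side filtering and the threat mapping described on this page: it parses a CEF line, drops malformed lines and a small assumed set of low-interest "allowed traffic" alert names, and maps the CEF "name" header field to the MITRE ATT&CK technique from the table above. The sample CEF lines, the product field value "ZIA" and the extension keys are constructed for illustration.

```python
import re
from typing import Optional

# Alert name (CEF "name" header field) -> MITRE ATT&CK technique, from the table on this page.
THREAT_MAP = {
    "Reputation block outbound request: malicious URL": ("T1598.003", "Spearphishing Link"),
    "Remote Backup Failed": ("T1020", "Automated Exfiltration"),
    "IPS block: cryptomining & blockchain traffic": ("T1496", "Resource Hijacking"),
    "Reputation block outbound request: phishing site": ("T1566", "Phishing"),
    "RDP Allow": ("T1021.001", "Remote Desktop Protocol"),
    "IPS block outbound request: cross-site scripting (XSS) attack": ("T1189", "Drive-by Compromise"),
    "Malware block: malicious file": ("T1204.002", "Malicious File"),
    "Sandbox block inbound response: malicious file": ("T1204.002", "Malicious File"),
    "Not allowed non-RFC compliant HTTP traffic": ("T1071", "Application Layer Protocol"),
    "Not allowed to upload/download encrypted or password-protected archive files": ("T1027", "Obfuscated Files or Information"),
}

# Alert names treated here as high-volume, low-interest traffic and dropped at the
# collector stage. Assumed values for illustration, not Sophos's actual filter list.
LOW_INTEREST = {"Allowed outbound request", "SSL handshake"}

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")              # a pipe not escaped with a backslash
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")    # key=value pairs; values may contain spaces
_HEADER_KEYS = ["version", "vendor", "product", "device_version",
                "signature_id", "name", "severity", "extension"]


def parse_cef(line: str) -> Optional[dict]:
    """Parse one CEF line into header fields plus extension key/values; None if malformed."""
    if not line.startswith("CEF:"):
        return None
    parts = _HEADER_SPLIT.split(line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8:                       # CEF requires seven header fields plus the extension
        return None
    event = dict(zip(_HEADER_KEYS, parts))
    event["version"] = event["version"][len("CEF:"):]
    event["name"] = event["name"].replace("\\|", "|")   # unescape pipes in the name field
    event["fields"] = dict(_EXT_PAIR.findall(event["extension"]))
    return event


def triage(line: str) -> Optional[dict]:
    """Collector-side filter plus threat mapping; None means the line was dropped."""
    event = parse_cef(line)
    if event is None or event["name"] in LOW_INTEREST:
        return None
    threat_id, threat_name = THREAT_MAP.get(event["name"], (None, None))  # unmapped alerts are kept
    return {"alertType": event["name"], "threatId": threat_id,
            "threatName": threat_name, "fields": event["fields"]}
```

Unmapped alert names are kept with an empty mapping, which mirrors the note above that many other alert types are ingested beyond those in the table.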