跳至內容
部分或全部頁面已經過機器翻譯。
了解我們如何支援MDR。

頁面永久連結

參考此頁面時,請務必使用以下永久連結。在以後的說明版本中,它將保持不變。

https://docs.sophos.com/central/customer/help/zh-tw/index.html?contextId=Zscaler

Zscaler ZIA 整合

您可以將 Zscaler ZIA (Zscaler Internet Access) 與 Sophos Central 整合,讓其將警示傳送至 Sophos 進行分析。

本頁面提供此整合功能的概覽。

Zscaler ZIA 產品概覽

Zscaler ZIA 是一款安全服務邊緣(SSE)平台。ZIA 監控雲端並為軟體和資料庫更新、原則和組態設定以及威脅情報提供集中位置。

Sophos 說明文件

整合 Zscaler ZIA

我們擷取的內容

範例警示包括:

  • Reputation block outbound request: malicious URL
  • Reputation block outbound request: phishing site
  • Not allowed non-RFC compliant HTTP traffic
  • Not allowed to upload/download encrypted or password-protected archive files
  • IPS block outbound request: cross-site scripting (XSS) attack
  • Remote Backup Failed
  • IPS block: cryptomining & blockchain traffic
  • RDP Allow
  • Malware block: malicious file
  • Sandbox block inbound response: malicious file

我們也攝取了許多其他物質。

完整擷取警示

我們建議您在 NSS(Nanolog 串流服務)中設定以下類別:

  • Zscaler ZIA 防火牆記錄
  • Zscaler ZIA 網頁日誌
  • Zscaler ZIA DNS 日誌

資料篩選

我們對警示進行如下篩選。

在記錄 收集器處

在記錄收集器中,我們篩選以下內容:

  • 格式錯誤的數據 (CEF)
  • 高流量、低關注度的日誌,例如允許的流量日誌

在月台上

在平台上,我們會過濾掉若干不具安全事件價值的大量事件記錄,包括以下類型:

  • 原則存取記錄,例如社群媒體存取
  • 預設允許的連接範圍(標準防火牆原則內)
  • 大量瑣碎項目,例如 SSL 握手記錄

威脅對應範例

警示類型由CEF標頭中的 name欄位定義。

{"alertType":"Reputation block outbound request: malicious URL","threatId":"T1598.003","threatName":"Spearphishing Link",}
{"alertType":"Remote Backup Failed", "threatId":"T1020","threatName":"Automated Exfiltration",},
{"alertType":"Reputation block outbound request: malicious URL","threatId":"T1598.003","threatName":"Spearphishing Link",}
{"alertType":"IPS block: cryptomining & blockchain traffic","threatId":"T1496","threatName":"Resource Hijacking",}
{"alertType":"Reputation block outbound request: phishing site","threatId":"T1566","threatName":"Phishing",}
{"alertType":"RDP Allow","threatId":"T1021.001","threatName":"Remote Desktop Protocol",}
{"alertType":"IPS block outbound request: cross-site scripting (XSS) attack","threatId":"T1189","threatName":"Drive-by Compromise",}
{"alertType":"Malware block: malicious file","threatId":"T1204.002","threatName":"Malicious File",}
{"alertType":"Sandbox block inbound response: malicious file","threatId":"T1204.002","threatName":"Malicious File",}
{"alertType":"Not allowed non-RFC compliant HTTP traffic","threatId":"T1071","threatName":"Application Layer Protocol",}
{"alertType":"Not allowed to upload/download encrypted or password-protected archive files","threatId":"T1027","threatName":"Obfuscated Files or Information",}

原廠文件