Cloud Connector SIEM Integration Formats
NOTE: See all the options for Group Name and Category ID under the CEF format; they apply to all three formats.
NOTE: Any previous reference to UBEA now refers to User and Entity Behavior Analytics (UEBA).
Text in BLUE is UEBA-based.
Text in GREEN is static (non-UEBA).
CEF Format
Use these Key-Value pairs for Skyhigh CASB 3.7 and later.
Key-Value | Shadow Anomaly | Sanctioned Anomaly | DLP policy violation | Threat | Config Audit | Audit Log |
---|---|---|---|---|---|---|
Time VMName | <14>Mar 14 00:41:54 EC-test00.app.qa.sjc.shn | <14>Mar 16 21:40:39 EC-test00.app.qa.sjc.shn | <14>Mar 14 00:37:24 EC-test00.app.qa.sjc.shn | <14>Mar 15 21:23:24 EC-test00.app.qa.sjc.shn | <14>Mar 16 18:03:52 EC-test00.app.qa.sjc.shn | <14>Mar 16 18:03:52 EC-test00.app.qa.sjc.shn |
Anomaly Category | informationAnomalyCategory=Aceess Anomalies | | | | | |
Anomaly Cause | informationAnomalyCause=IMPOSSIBLE TRAVEL | | | | | |
Format | CEF:0 | CEF:0 | CEF:0 | CEF:0 | CEF:0 | CEF:0 |
Device Vendor | Skyhigh Security | Skyhigh Security | Skyhigh Security | Skyhigh Security | Skyhigh Security | Skyhigh Security |
Device Product | Skyhigh CASB | Skyhigh CASB | Skyhigh CASB | Skyhigh CASB | Skyhigh CASB | Skyhigh CASB |
Device Version | Anomalies.5.2.2.0 | Anomalies.5.2.2.0 | Anomalies.5.2.2.0 | Anomalies.5.2.2.0 | Anomalies.5.2.2.0 | Dashboard Audit Logs.5.2.2.0 |
Device Event Class ID | Data Transfer | Data Download | Dlp | Suspicious Superhuman | Audit | 1002 |
Mitre Tactics | informationMitreTactic=[Impact] | | | | | |
Mitre Technique | informationMitreTechnique=[Data Destruction] | | | | | |
Name | Alert.Data | Alert.Data | Alert.Policy | Threat.CompromisedAccount | Alert.Policy | User information edited |
Severity | 3 | 3 | 3 | 9 | 9 | 10 |
Created on time | start=Feb 16 2017 23:06:11.000 UTC | start=Jan 22 2017 21:44:10.000 UTC | start=Feb 10 2017 00:59:52.000 UTC | start=Feb 23 2017 07:48:25.000 UTC | start=Feb 23 2017 07:48:25.000 UTC | start=Feb 23 2017 07:48:25.000 UTC |
Time Modified | timeModified=Mar 10 2017 02:09:26.000 UTC | timeModified=Jan 22 2017 21:44:08.957 UTC | timeModified=Feb 10 2017 01:01:55.951 UTC | timeModified=Feb 23 2017 07:54:07.510 UTC | timeModified=Mar 07 2017 03:04:34.186 UTC | |
Status | status=NEW | status=OPENED | status=NEW | status=OPENED | status=new | |
Service Name | serviceNames=[Western Digital - My Cloud] | serviceNames=[Box] | serviceNames=[Box] | serviceNames=[Box,Salesforce] | serviceNames=[Microsoft Teams] | |
Incident Id | incidentId=SHW-46404749 | incidentId=ANO-139539 | incidentId=DLP-4616923 | incidentId=THR-12484 | incidentId=AUD-4750 | |
Incident Risk Severity | incidentRiskSeverity=High | incidentRiskSeverity=high | incidentRiskSeverityId=0 | incidentRiskSeverity=high | incidentRiskSeverityId=1 | |
Risk Severity | riskSeverity=low | riskSeverity=medium | | | | |
Incident Severity (value) | 6 | 9 | 10 | 0 | | |
User Name | suser=Unknown | suser=test15@shn.com | suser=testdlpa1@reallymymail.com | suser=threatmodelling_nll_0_1487836279_18063@shn.com | suser=N/A | suser=audittest@shn.com |
Activity Names | activityNames=Denied | activityNames=-1 | activityName=[Email] | activityName=[] | | |
Response | response=Denied | response=Preview,Preview | response=Allowed | response=[Violation Detected] | | |
Anomaly value | informationAnomalyValue=6 | informationAnomalyValue=NA | | | | |
Countries | informationCountries=[SE, US] | | | | | |
Email Domain | informationEmailDomain=shn.com | | | | | |
Is Part Of Threat | informationIsPartOfThreat=false | | | | | |
Threat Category | informationtThreatCategory=Compromised Accounts | | | | | |
Threshold Value | informationThresholdValue=4 | informationThresholdValue=-1 | | | | |
Threshold Duration | informationThresholdDuration=hourly | | | | | |
Source IPs | informationSourceIps=[81.224.95.152, 74.217.98.19] | dvc=53.23.104.13 | | | | |
Policy ID | informationPolicyId=45507 | policyId=646723 | | | | |
Policy Name | informationPolicyName=File Type Violation | policyName=Ensure guest users cannot create or update Teams channels informationScanName=Security Configuration Audit Scan For Microsoft Teams (35380) | | | | |
Remediator Name | informationRemediatorName=John Doe | | | | | |
User Action | informationUserAction=Denied | | | | | |
Collaboration Shared Link | informationCollaborationSharedLink=false | | | | | |
Content Hierarchy | informationContentItemHierarchy=All Files | | | | | |
Content Item Id | informationContentItemId=199908982144 | contentItemId=3dd92596-1112-49db-a021-faa00681e151 | | | | |
Content Item Name | informationContentItemName=ssssn-document-sd1.docx | contentItemName=test_team2 | | | | |
Content Item Size | informationContentItemSize=134489 | | | | | |
Information Account ID | informationAccountId=1283e3ee-3177-46d4-a2ec-2ba13589d8a5 | | | | | |
Information Category | informationCategory=UnrestrictedAccess | | | | | |
Information Config Type | informationConfigType=Team | | | | | |
Information Content Item Created On | informationContentItemCreatedOn=2021-09-15T14:30:35.839Z | | | | | |
Information Event ID | informationEventId=46 | | | | | |
Information Scan Run Date | informationScanRunDate=2021-09-14T12:41:49.244Z | | | | | |
Instance ID | instanceId=35380 | | | | | |
Instance Name | instanceName=14Sep602 | | | | | |
Significantly Updated On | significantlyUpdatedAt=2021-09-15T14:30:35.839Z | | | | | |
Updated On | updatedOn=Sep 15 2021 14:30:35.839 UTC | | | | | |
External Collaborators | informationExternalCollaborators = SkyhighECinformationExternalCollaborators | | | | | |
Content Item Type | informationContentItemType=file | contentItemType=SAAS_RESOURCE | | | | |
Total Match Count | informationTotalMatchCount=1 | | | | | |
Device IP | informationDeviceIp = SkyhighECinformationDeviceIP | | | | | |
Actor ID Type | actorIdType = SkyhighECactorIdType | actorIdType = SkyhighECactorIdType | actorIdType=USER | actorIdType = SkyhighECactorIdType | actorIdType=USER | |
Event Category ID | auditEventTypeEventCategoryId=100 | | | | | |
Event Category Name | auditEventTypeEventCategoryName=Skyhigh Cloud Admin | | | | | |
Event Type ID | auditEventTypeEventTypeId=1002 | | | | | |
Event Type Name | auditEventTypeEventTypeName=Cloud Config synced to EC | | | | | |
Sub Type ID | auditEventTypeSubTypeId=0 | | | | | |
Event Info | eventInfo=User role change | | | | | |
Insertion ID | insertionId=25832906 | | | | | |
Object Name | objectName=User thirurao.ecqatiam@gmail.com | | | | | |
Tenant ID | tenantId=98435 | | | | | |
Timestamp | timestamp=Oct 07 2020 17:49:45.000 UTC | | | | | |
User First Name | userInfoFirstName=thiruraoecqatiam | | | | | |
User Last Name | userInfoLastName=iam | | | | | |
User ID | userInfoUserId=85410 | | | | | |
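The parser below is an added example, not code from the Skyhigh documentation: it reads one CEF record laid out as in the table above (CEF:0 header, then space-separated key=value extensions) and normalises the fields a SIEM correlation rule would key on. The sample line is constructed from the Shadow Anomaly column; the `summarize()` output schema is hypothetical, and the timestamp layout is the `MMM dd yyyy HH:mm:ss.SSS zzz` form that the `start` values use.

```python
import re
from datetime import datetime, timezone

# CEF:0 header layout: Version|Vendor|Product|Device Version|Event Class ID|Name|Severity|extension
HEADER_FIELDS = ("version", "vendor", "product", "device_version", "event_class_id", "name", "severity")
# An extension key starts the extension or follows whitespace and ends with "=". Locating keys
# instead of splitting on spaces keeps values such as "IMPOSSIBLE TRAVEL" in one piece.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=")
SKYHIGH_TIME = "%b %d %Y %H:%M:%S.%f %Z"  # strptime form of MMM dd yyyy HH:mm:ss.SSS zzz

# Constructed sample: syslog prefix plus the Shadow Anomaly column of the CEF table above.
SAMPLE = (
    "<14>Mar 14 00:41:54 EC-test00.app.qa.sjc.shn "
    "CEF:0|Skyhigh Security|Skyhigh CASB|Anomalies.5.2.2.0|Data Transfer|Alert.Data|3|"
    "start=Feb 16 2017 23:06:11.000 UTC status=NEW serviceNames=[Western Digital - My Cloud] "
    "incidentId=SHW-46404749 incidentRiskSeverity=High suser=Unknown response=Denied "
    "informationAnomalyCause=IMPOSSIBLE TRAVEL informationCountries=[SE, US] "
    "informationSourceIps=[81.224.95.152, 74.217.98.19] informationThresholdValue=4"
)

def parse_cef(line: str) -> dict:
    """Return the seven header fields plus every extension key of one CEF record."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    # Split on unescaped pipes only; a literal pipe inside a header field is written \|
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs seven pipe-delimited fields")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["severity"] = int(event["severity"])
    ext = parts[7]
    keys = list(KEY_RE.finditer(ext))
    for i, m in enumerate(keys):  # each value runs up to the start of the next key
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        event[m.group(1)] = ext[m.end():end].strip()
    return event

def parse_list(value: str) -> list:
    """Turn a bracketed value such as "[SE, US]" into a list of strings."""
    inner = value.strip()[1:-1] if value.strip().startswith("[") else value
    return [v.strip() for v in inner.split(",") if v.strip()]

def parse_time(value: str) -> datetime:
    """Parse "Feb 16 2017 23:06:11.000 UTC" into an aware UTC datetime."""
    return datetime.strptime(value, SKYHIGH_TIME).replace(tzinfo=timezone.utc)

def summarize(line: str) -> dict:
    """Normalise the fields a correlation rule would key on (hypothetical output schema)."""
    e = parse_cef(line)
    return {
        "incident_id": e.get("incidentId"),
        "group": e["name"],  # Alert.Data, Threat.CompromisedAccount, ...
        "cause": e.get("informationAnomalyCause"),
        "user": e.get("suser"),
        "services": parse_list(e.get("serviceNames", "")),
        "source_ips": parse_list(e.get("informationSourceIps", "")),
        "created": parse_time(e["start"]),
    }
```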
LEEF Format
Key-Value | Shadow Anomaly | Sanctioned Anomaly | DLP policy violation | Threat | Config Audit | Audit Logs |
---|---|---|---|---|---|---|
Time VMName | <14>Mar 14 16:18:01 EC-test00.app.qa.sjc.shn | <14>Mar 16 21:53:53 EC-test00.app.qa.sjc.shn | <14>Mar 14 16:13:59 EC-test00.app.qa.sjc.shn | <14>Mar 15 22:58:00 EC-test00.app.qa.sjc.shn | <14>Mar 16 18:03:52 EC-test00.app.qa.sjc.shn | <14>Mar 16 18:03:52 EC-test00.app.qa.sjc.shn |
LEEF: Version | LEEF:1.0 | LEEF:1.0 | LEEF:1.0 | LEEF:1.0 | LEEF:1.0 | LEEF:1.0 |
Vendor | Skyhigh Security | Skyhigh Security | Skyhigh Security | Skyhigh Security | Skyhigh Security | Skyhigh Security |
Product name | Skyhigh CASB | Skyhigh CASB | Skyhigh CASB | Skyhigh CASB | Skyhigh CASB | Skyhigh CASB |
Product version | 5.2.2.0 | 5.2.2.0 | 5.2.2.0 | 5.2.2.0 | 5.2.2.0 | 5.2.2.0 |
Event ID | Anomaly | Anomaly | Incident | Anomaly | Incident | AppAudit |
IncidentType.CategoryID | cat=Alert.Data | cat=Alert.Access | cat=Alert.Policy | cat=Threat.PrivilegeAccess | cat=Alert.Policy.Audit | cat=User.Activity |
Created on time format (specific to LEEF) | devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz | devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz | devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz | devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz | devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz | devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz |
Created on time | devTime=Feb 16 2017 23:06:11.000 UTC | devTime=Jan 22 2017 21:44:10.000 UTC | devTime=Feb 10 2017 00:59:52.000 UTC | devTime=Feb 23 2017 07:48:25.000 UTC | devTime=Sep 14 2021 12:41:49.809 UTC | devTime=Oct 07 2020 17:49:45.000 UTC |
User Name | usrName=Steve Robertson | usrName=test15@shn.com | usrName=testdlpa1@reallymymail.com | usrName=threatmodelling_nll_0_148783..._18063@shn.com | usrName=N/A | usrName=audittest@shn.com |
Incident Severity # (L/M/H) | sev=6 | sev=9 | sev=10 | sev=0 | sev=7 | |
Activity Name | activityName=Denied | activityName=-1 | activityName=[] | | | |
Actor Id Type | actorIdType=USER | actorIdType=USER | actorIdType=USER | actorIdType=USER | actorIdType=USER | |
Incident Id | incidentId=SHW-46404749 | incidentId=ANO-139539 | incidentId=DLP-95674 | incidentId=THR-12484 | incidentId=AUD-4750 | |
Incident Severity | riskSeverity=High | riskSeverity=high | riskSeverity=high | riskSeverity=high | riskSeverity=medium | |
Incident Risk Severity | incidentRiskSeverityId=1 | | | | | |
Service Name | serviceNames=[Western Digital - My Cloud] | serviceNames=[Box] | serviceNames=[Box] | serviceNames=[Box,Salesforce] | serviceNames=[Microsoft Teams] | |
Status | status=NEW | status=OPENED | status=NEW | status=OPENED | status=new | |
Updated on time | updatedOn=Mar 10 2017 02:09:26.000 UTC | updatedOn=Jan 22 2017 21:44:08.957 UTC | updatedOn=Feb 10 2017 01:01:55.951 UTC | updatedOn=Feb 23 2017 07:54:07.510 UTC | updatedOn=Sep 15 2021 14:30:35.839 UTC | |
Incident Group Name | RepeatOffender | Superhuman | Dlp | Misuse | SecurityMonitoring | |
Response | response=Denied | response=Preview,Preview | response=Allowed | response=[Violation Detected] | | |
Anomaly value | anomalyValue=6 | anomalyValue=NA | | | | |
Countries | countries=[SE, US] | | | | | |
Email Domain | emailDomain=shn.com | | | | | |
Is Part Of Threat | isPartOfThreat=false | | | | | |
Threat Category | threatCategory=Compromised Accounts | | | | | |
Threshold Duration | thresholdDuration=hourly | | | | | |
Threshold | thresholdValue=4 | thresholdValue=-1 | | | | |
Source IPs | src=81.224.95.152 | src=81.224.95.152 | | | | |
Additional Source Info | additionalSrcInfo=[81.224.95.152, 74.217.98.19] | additionalSrcInfo=[81.224.95.152, 74.217.98.19] | | | | |
Activity Count | informationActivityCount=1 | | | | | |
Anomaly Category | informationAnomalyCategory=Aceess Anomalies | | | | | |
Anomaly Cause | informationAnomalyCause=IMPOSSIBLE TRAVEL | | | | | |
Cities | informationCities=[Tokyo, Seattle] | | | | | |
Mitre Tactics | informationMitreTactic=[Initial Access] | informationMitreTactic=[Impact] | | | | |
Mitre Technique | informationMitreTechnique=[Valid Accounts] | informationMitreTechnique=[Data Destruction] | | | | |
Service and Accounts IDs | informationServicesAndAccountIds={"Office365":"","AzureAD":""} | | | | | |
Source IP Orgs | informationSourceIpOrgs=[ISP internet] | | | | | |
Significantly Updated Time | significantlyUpdatedAt=Dec 04 2020 02:17:05.840 UTC | significantlyUpdatedAt=2021-09-15T14:30:35.839Z | | | | |
Policy ID | policyId=45507 | policyId=646723 | | | | |
Policy Name | policyName=File Type Violation | policyName=Ensure guest users cannot create or update Teams channels informationScanName=Security Configuration Audit Scan For Microsoft Teams (35380) | | | | |
Remediator Name | remediatorName=John Doe | | | | | |
User Action | userAction=Denied | | | | | |
Collaboration Shared Link | collaborationSharedLink=false | | | | | |
Content Hierarchy | contentItemHierarchy=All Files | | | | | |
Content Item Id | contentItemId=199908982144 | contentItemId=3dd92596-1112-49db-a021-faa00681e151 | | | | |
Content Item Name | contentItemName=ssssn-document-sd1.docx | contentItemName=test_team2 | | | | |
Content Item Size | contentItemSize=134489 | | | | | |
Content Name | contentItemName=ecLDAPwithSSL_info.docx | contentItemName=vpc-fa73f193 | | | | |
Content Type | contentItemType=file | contentItemType=config_entity | | | | |
Content Item Type | contentItemType=SAAS_RESOURCE | | | | | |
Information Account Id (specific to Config Audit) | informationAccountId=1283e3ee-3177-46d4-a2ec-2ba13589d8a5 | | | | | |
Information Category (specific to Config Audit) | informationCategory=UnrestrictedAccess | | | | | |
Information Config Type (specific to Config Audit) | informationConfigType=Team | | | | | |
Information Content Item Created On (specific to Config Audit) | informationContentItemCreatedOn=2021-09-15T14:30:35.839Z | | | | | |
Information Event ID (specific to Config Audit) | informationEventId=46 | | | | | |
Information Scan Update | informationScanRunDate=2021-09-14T12:41:49.244Z | | | | | |
Instance ID | instanceId=35380 | | | | | |
Instance Name | instanceName=14Sep602 | | | | | |
Total Match Count | totalMatchCount=1 | | | | | |
Group ID | groupID=98435 | | | | | |
Event Category ID | auditEventTypeEventCategoryId=260 | | | | | |
Event Category Name | auditEventTypeEventCategoryName=Cloud Connector | | | | | |
Event Type ID | auditEventTypeEventTypeId=2610 | | | | | |
Event Type Name | auditEventTypeEventTypeName=Cloud Config synced to EC | | | | | |
Sub Type ID | auditEventTypeSubTypeId=0 | | | | | |
Event Info | eventInfo=Config Version: 86d0912ae91b4d148c6a47aa4b65a0b184e84ab4 | | | | | |
Insertion ID | insertionId=25832906 | | | | | |
Object Name | t98435-79475939.do.myshn.net | | | | | |
Timestamp | timestamp=Oct 07 2020 17:49:45.000 UTC | | | | | |
User First Name | userInfoFirstName=User | | | | | |
User Last Name | userInfoLastName=Demo | | | | | |
User ID | userInfoUserId=85410 | | | | | |
User Login Event | isLoginEvent=false | | | | | |
Skyhigh CASB Key Value Format
Key-Value | Shadow Anomaly | Sanctioned Anomaly | DLP policy violation | Threat | Config Audit | Audit Logs |
---|---|---|---|---|---|---|
Time VMName | <14>Mar 14 17:04:35 EC-test00.app.qa.sjc.shn | <14>Mar 16 21:59:49 EC-test00.app.qa.sjc.shn | <14>Mar 14 17:00:16 EC-test00.app.qa.sjc.shn | <14>Mar 15 23:13:55 EC-test00.app.qa.sjc.shn | <14>Mar 16 19:04:41 EC-test00.app.qa.sjc.shn | <14>Mar 16 19:04:41 EC-test00.app.qa.sjc.shn |
Created on time | createdOn="Feb 16 2017 23:06:11.000 UTC" | createdOn="Jan 22 2017 21:44:10.000 UTC" | createdOn="Feb 10 2017 00:59:52.000 UTC" | createdOn="Feb 23 2017 07:48:25.000 UTC" | createdOn="Sep 14 2021 12:41:49.809 UTC" | createdTime="Oct 07 2020 17:49:45.000 UTC" |
Updated on time | updatedOn="Mar 10 2017 02:09:26.000 UTC" | updatedOn="Jan 22 2017 21:44:08.957 UTC" | updatedOn="Feb 10 2017 01:01:55.951 UTC" | updatedOn="Feb 23 2017 07:54:07.510 UTC" | updatedOn="Sep 15 2021 14:30:35.839 UTC" | |
Status | status=NEW | status=OPENED | status=NEW | status=OPENED | status=new | |
Service Name | serviceNames="[Western Digital - My Cloud]" | serviceNames=[Box] | serviceNames=[Box] | serviceNames="[Box,Salesforce]" | serviceNames="[Microsoft Teams]" | |
Incident Id | incidentId=SHW-46404749 | incidentId=ANO-139539 | incidentId=DLP-95674 | incidentId=THR-12484 | incidentId=AUD-4750 | |
Incident Group Name | incidentGroup=Alert.Data.RepeatOffender | incidentGroup=Alert.Access.Superhuman | incidentGroup=Alert.Policy.Dlp | incidentGroup=Threat.PrivilegeAccess.Misuse | incidentGroup=Alert.Policy.Audit | |
Incident Severity # (L/M/H) | riskScore=6.0 | riskScore=9.0 | riskScore=10.0 | riskScore=0.25 | riskScore=7.0 | |
Incident Severity | riskSeverity=High | riskSeverity=high | riskSeverity=high | riskSeverity=high | riskSeverity=medium | |
User Name | userDisplayName=Unknown | userDisplayName=test15@shn.com | userDisplayName=testdlpa1@reallymymail.com | userDisplayName=threatmodelling_nll_..._18063@shn.com | userDisplayName=N/A | |
Activity Name | activityName=Denied | activityName=-1 | activityName=[] | | | |
Response | response=Denied | response=Preview,Preview | response=Allowed | response="[Violation Detected]" | | |
Anomaly value | anomalyValue=6 | anomalyValue=NA | | | | |
Mitre Tactics | informationMitreTactic=[Impact] | | | | | |
Mitre Technique | informationMitreTechnique=[Data Destruction] | | | | | |
Countries | countries=[SE, US] | | | | | |
Email Domain | emailDomain=shn.com | | | | | |
Is Part Of Threat | isPartOfThreat=false | | | | | |
Threat Category | threatCategory=Compromised Accounts | | | | | |
Threshold Duration | thresholdDuration=hourly | | | | | |
Threshold | thresholdValue=4 | thresholdValue=-1 | | | | |
Source IPs | sourceIps=[81.224.95.152, 74.217.98.19] | clientIpAddress=53.23.104.13 | | | | |
Policy ID | policyId=45507 | policyId=646723 | | | | |
Policy Name | policyName="File Type Violation" | policyName="Ensure guest users cannot create or update Teams channels" | | | | |
Remediator Name | remediatorName=John Doe | | | | | |
User Action | userAction=Denied | | | | | |
Collaboration Shared Link | collaborationSharedLink=false | | | | | |
Content Hierarchy | contentItemHierarchy="All Files" | | | | | |
Content Item Id | contentItemId=199908982144 | contentItemId=3dd92596-1112-49db-a021-faa00681e151 | | | | |
Content Item Name | contentItemName=ssssn-document-sd1.docx | contentItemName=test_team2 | | | | |
Content Item Size | contentItemSize=134489 | | | | | |
Content Name | contentItemName=ecLDAPwithSSL_info.docx | contentItemName=vpc-fa73f193 | | | | |
Content Type | contentItemType=file | contentItemType=SAAS_RESOURCE | | | | |
Account Id (specific to Config Audit) | accountId=674413271627 | | | | | |
Config Type (specific to Config Audit) | configType=VPC | | | | | |
Total Match Count | totalMatchCount=1 | | | | | |
Actor Id Type | actorIdType=USER | actorIdType=USER | actorIdType=USER | actorIdType=USER | actorIdType=USER | |
Actor Id | actorId="user name" | actorId="user name" | actorId="user name" | actorId="user name" | actorId=N/A | |
Incident Risk Score | IncidentRiskScore=5 | IncidentRiskScore=5 | IncidentRiskScore=5 | IncidentRiskScore=5 | incidentRiskScore=7.0 | |
Risk Score | riskSeverity=medium | | | | | |
Information Account ID | informationAccountId=1283e3ee-3177-46d4-a2ec-2ba13589d8a5 | | | | | |
Information Category | informationCategory=UnrestrictedAccess | | | | | |
Information Config Type | informationConfigType=Team | | | | | |
Information Content Item Created On | informationContentItemCreatedOn=2021-09-15T14:30:35.839Z | | | | | |
Information Event ID | informationEventId=46 | | | | | |
Information Scan Name | informationScanName="Security Configuration Audit Scan For Microsoft Teams (35380)" | | | | | |
Information Scan Run Date | informationScanRunDate=2021-09-14T12:41:49.244Z | | | | | |
Instance ID | instanceId=35380 | | | | | |
Instance Name | instanceName=14Sep602 | | | | | |
Significantly Updated On | significantlyUpdatedAt=2021-09-15T14:30:35.839Z | | | | | |
Event Category ID | auditEventTypeEventCategoryId=100 | | | | | |
Event Category Name | auditEventTypeEventCategoryName=Skyhigh Cloud Admin | | | | | |
Event Type ID | auditEventTypeEventTypeId=1002 | | | | | |
Event Type Name | auditEventTypeEventTypeName=Cloud Config synced to EC | | | | | |
Sub Type ID | auditEventTypeSubTypeId=0 | | | | | |
Event Info | eventInfo=User role change | | | | | |
Insertion ID | insertionId=25832906 | | | | | |
Object Name | objectName=User thirurao.ecqatiam@gmail.com | | | | | |
Tenant ID | tenantId=98435 | | | | | |
Timestamp | timestamp=Oct 07 2020 17:49:45.000 UTC | | | | | |
User Email | userInfoEmail=audittest@shn.com | | | | | |
User First Name | userInfoFirstName=User | | | | | |
User Last Name | userInfoLastName=Demo | | | | | |
User ID | userInfoUserId=85410 | | | | | |