Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Export Anomalies, Threats, Incidents and the Audit Log to a SIEM

You can export anomalies, threats, incidents, and the Audit Log from Skyhigh CASB to your third-party SIEM systems using Syslog export. This export is handled through the Skyhigh Cloud Connector. Use this feature to export data to another system for further analysis or to drive data protection rules.

By default, Cloud Connector fetches incidents from Skyhigh CASB every four hours. You can customize this interval in the file using the property siem.frequency=. The value is in milliseconds. For assistance setting this property, contact Skyhigh CASB Support

NOTE: If tokenization for Skyhigh CASB Secure data is enabled, there may be situations where your data will not be detokenized before it is sent to your SIEM. Data can be detokenized automatically only when the user name associated with the user in Active Directory matches the user name used in the monitored CSP. 


Configure a SIEM Syslog Service

For SIEM configuration, see About EC Configuration

Export Format Details


All internal dates use the following format: YYYY-MM-DDTHH:MM:SS.SSSZ

For example, 2017-02-09T22:25:00.000Z

Key Value Pairs

Escaped characters:

If the value uses any of the following characters, the entire string will be quoted, and and internal quotes will be doubled:

  • comma: ,
  • equal: =
  • quote: " becomes""
  • space

For example, saying=he said, "hi" becomes "he said, ""hi""".

Log Event Extended Format (LEEF)

For the full definition, see Log Event Extended Format (LEEF) Guide

Escaped characters:

  • caret: ^ becomes <caret>
  • pipe: | becomes <pipe>
  • tab: <tab> becomes <tab>  (The real tab is exchanged for the string <tab>.)

Common Event Format

For the full definition, see the ArcSight Common Event Format Guide.  

Escaped characters:

  • backslash: \ becomes \\
  • equal: = becomes \=
  • pipe: | becomes \|

Supported Third-Party SIEMs for Integration with Skyhigh CASB

Skyhigh Security supports the following list of common third-party SIEM solutions for SIEM integration with Skyhigh CASB.

Supported SIEM Log Format
IBM QRadar

Log Event Extended Format (LEEF)

ArcSight Common Event Format (CEF),  LEEF


Splunk CEF, LEEF, and Skyhigh CASB Key Value
Trellix Enterprise Security Manager (ESM) CEF,  LEEF
Securonix CEF,  LEEF
AlienVault CEF,  LEEF
NetWitness CEF
Exabeam CEF,  LEEF
Broadcom Information Centric Analytics (ICA) CEF,  LEEF
SolarWinds Security Event Manager (SEM) CEF, LEEF
SolarWinds Loggly CEF
  • Was this article helpful?