Cloud Connector SIEM Integration Formats
NOTE: See all the options for Group Name and Category ID under CEF format. These apply to all three formats.
NOTE: Any previous reference to UBEA is now referred to as User and Entity Behavior Analytics (UEBA).
CEF Format
Use these Key-Value pairs for Skyhigh CASB 3.7 and later.
| Key-Value | Shadow Anomaly | Sanctioned Anomaly | DLP policy violation | Threat | Config Audit | Audit Log |
|---|---|---|---|---|---|---|
| Time VMName | <14>Mar 14 00:41:54 EC-test00.app.qa.sjc.shn | <14>Mar 16 21:40:39 EC-test00.app.qa.sjc.shn | <14>Mar 14 00:37:24 EC-test00.app.qa.sjc.shn | <14>Mar 15 21:23:24 EC-test00.app.qa.sjc.shn | <14>Mar 16 18:03:52 EC-test00.app.qa.sjc.shn | <14>Mar 16 18:03:52 EC-test00.app.qa.sjc.shn |
| Anomaly Category | informationAnomalyCategory=Aceess Anomalies | |||||
| Anomaly Cause | informationAnomalyCause=IMPOSSIBLE TRAVEL | |||||
| Format | CEF:0 | CEF:0 | CEF:0 | CEF:0 | CEF:0 | CEF:0 |
| Device Vendor | Skyhigh Security | Skyhigh Security | Skyhigh Security | Skyhigh Security | Skyhigh Security | Skyhigh Security |
| Device Product | Skyhigh CASB | Skyhigh CASB | Skyhigh CASB | Skyhigh CASB | Skyhigh CASB | Skyhigh CASB |
| Device Version | Anomalies.5.2.2.0 | Anomalies.5.2.2.0 | Anomalies.5.2.2.0 | Anomalies.5.2.2.0 | Anomalies.5.2.2.0 | Dashboard Audit Logs.5.2.2.0 |
| Device Event Class ID | Data Transfer | Data Download | Dlp | Suspicious Superhuman | Audit | 1002 |
| Mitre Tactics | informationMitreTactic=[Impact] | |||||
| Mitre Technique | informationMitreTechnique=[Data Destruction] | |||||
| Name | Alert.Data | Alert.Data | Alert.Policy | Threat.CompromisedAccount | Alert.Policy | User information edited |
| Severity | 3 | 3 | 3 | 9 | 9 | 10 |
| Created on time | start=Feb 16 2017 23:06:11.000 UTC | start=Jan 22 2017 21:44:10.000 UTC | start=Feb 10 2017 00:59:52.000 UTC | start=Feb 23 2017 07:48:25.000 UTC | start=Feb 23 2017 07:48:25.000 UTC | start=Feb 23 2017 07:48:25.000 UTC |
| Time Modified | timeModified=Mar 10 2017 02:09:26.000 UTC | timeModified=Jan 22 2017 21:44:08.957 UTC | timeModified=Feb 10 2017 01:01:55.951 UTC | timeModified=Feb 23 2017 07:54:07.510 UTC | timeModified=Mar 07 2017 03:04:34.186 UTC | |
| Status | status=NEW | status=OPENED | status=NEW | status=OPENED | status=new | |
| Service Name | serviceNames=[Western Digital - My Cloud] | serviceNames=[Box] | serviceNames=[Box] | serviceNames=[Box,Salesforce] | serviceNames=[Microsoft Teams] | |
| Incident Id | incidentId=SHW-46404749 | incidentId=ANO-139539 | incidentId=DLP-4616923 | incidentId=THR-12484 | incidentId=AUD-4750 | |
| Incident Risk Severity | incidentRiskSeverity=High | incidentRiskSeverity=high | incidentRiskSeverityId=0 | incidentRiskSeverity=high | incidentRiskSeverityId=1 | |
| Risk Severity | riskSeverity=low | | | | riskSeverity=medium | |
| Incident Severity (value) | 6 | 9 | 10 | 0 | ||
| User Name | suser=Unknown | suser=test15@shn.com | suser=testdlpa1@reallymymail.com | suser=threatmodelling_nll_0_1487836279_18063@shn.com | suser=N/A | suser=audittest@shn.com |
| Activity Names | activityNames=Denied | activityNames=-1 | activityName=[Email] | | activityName=[] | |
| Response | response=Denied | response=Preview,Preview | response=Allowed | | response=[Violation Detected] | |
| Anomaly value | informationAnomalyValue=6 | informationAnomalyValue=NA | ||||
| Countries | informationCountries=[SE, US] | |||||
| Email Domain | informationEmailDomain=shn.com | |||||
| Is Part Of Threat | informationIsPartOfThreat=false | |||||
| Threat Category | informationtThreatCategory=Compromised Accounts | |||||
| Threshold Value | informationThresholdValue=4 | informationThresholdValue=-1 | ||||
| Threshold Duration | informationThresholdDuration=hourly | |||||
| Source IPs | informationSourceIps=[81.224.95.152, 74.217.98.19] | dvc=53.23.104.13 | ||||
| Policy ID | informationPolicyId=45507 | | | | policyId=646723 | |
| Policy Name | informationPolicyName=File Type Violation | | | | policyName=Ensure guest users cannot create or update Teams channels informationScanName=Security Configuration Audit Scan For Microsoft Teams (35380) | |
| Remediator Name | informationRemediatorName=John Doe | |||||
| User Action | informationUserAction=Denied | |||||
| Collaboration Shared Link | informationCollaborationSharedLink=false | |||||
| Content Hierarchy | informationContentItemHierarchy=All Files | |||||
| Content Item Id | informationContentItemId=199908982144 | | | | contentItemId=3dd92596-1112-49db-a021-faa00681e151 | |
| Content Item Name | informationContentItemName=ssssn-document-sd1.docx | | | | contentItemName=test_team2 | |
| Content Item Size | informationContentItemSize=134489 | |||||
| Information Account ID | | | | | informationAccountId=1283e3ee-3177-46d4-a2ec-2ba13589d8a5 | |
| Information Category | | | | | informationCategory=UnrestrictedAccess | |
| Information Config Type | | | | | informationConfigType=Team | |
| Information Content Item Created On | | | | | informationContentItemCreatedOn=2021-09-15T14:30:35.839Z | |
| Information Event ID | | | | | informationEventId=46 | |
| Information Scan Run Date | | | | | informationScanRunDate=2021-09-14T12:41:49.244Z | |
| Instance ID | | | | | instanceId=35380 | |
| Instance Name | | | | | instanceName=14Sep602 | |
| Significantly Updated On | | | | | significantlyUpdatedAt=2021-09-15T14:30:35.839Z | |
| Updated On | | | | | updatedOn=Sep 15 2021 14:30:35.839 UTC | |
| External Collaborators | informationExternalCollaborators = SkyhighECinformationExternalCollaborators | |||||
| Content Item Type | informationContentItemType=file | | | | contentItemType=SAAS_RESOURCE | |
| Total Match Count | informationTotalMatchCount=1 | |||||
| Device IP | informationDeviceIp = SkyhighECinformationDeviceIP | |||||
| Actor ID Type | actorIdType = SkyhighECactorIdType | actorIdType = SkyhighECactorIdType | actorIdType=USER | actorIdType = SkyhighECactorIdType | actorIdType=USER | |
| Event Category ID | auditEventTypeEventCategoryId=100 | |||||
| Event Category Name | auditEventTypeEventCategoryName=Skyhigh Cloud Admin | |||||
| Event Type ID | auditEventTypeEventTypeId=1002 | |||||
| Event Type Name | auditEventTypeEventTypeName=Cloud Config synced to EC | |||||
| Sub Type ID | auditEventTypeSubTypeId=0 | |||||
| Event Info | eventInfo=User role change | |||||
| Insertion ID | insertionId=25832906 | |||||
| Object Name | objectName=User thirurao.ecqatiam@gmail.com | |||||
| Tenant ID | tenantId=98435 | |||||
| Timestamp | timestamp=Oct 07 2020 17:49:45.000 UTC | |||||
| User First Name | userInfoFirstName=thiruraoecqatiam | |||||
| User Last Name | userInfoLastName=iam | |||||
| User ID | userInfoUserId=85410 | |||||
LEEF Format
| Key-Value | Shadow Anomaly | Sanctioned Anomaly | DLP policy violation | Threat | Config Audit | Audit Logs |
|---|---|---|---|---|---|---|
| Time VMName | <14>Mar 14 16:18:01 EC-test00.app.qa.sjc.shn | <14>Mar 16 21:53:53 EC-test00.app.qa.sjc.shn | <14>Mar 14 16:13:59 EC-test00.app.qa.sjc.shn | <14>Mar 15 22:58:00 EC-test00.app.qa.sjc.shn | <14>Mar 16 18:03:52 EC-test00.app.qa.sjc.shn | <14>Mar 16 18:03:52 EC-test00.app.qa.sjc.shn |
| LEEF: Version | LEEF:1.0 | LEEF:1.0 | LEEF:1.0 | LEEF:1.0 | LEEF:1.0 | LEEF:1.0 |
| Vendor | Skyhigh Security | Skyhigh Security | Skyhigh Security | Skyhigh Security | Skyhigh Security | Skyhigh Security |
| Product name | Skyhigh CASB | Skyhigh CASB | Skyhigh CASB | Skyhigh CASB | Skyhigh CASB | Skyhigh CASB |
| Product version | 5.2.2.0 | 5.2.2.0 | 5.2.2.0 | 5.2.2.0 | 5.2.2.0 | 5.2.2.0 |
| Event ID | Anomaly | Anomaly | Incident | Anomaly | Incident | AppAudit |
| IncidentType.CategoryID | cat=Alert.Data | cat=Alert.Access | cat=Alert.Policy | cat=Threat.PrivilegeAccess | cat=Alert.Policy.Audit | cat=User.Activity |
| Created on time format (specific to LEEF) | devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz | devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz | devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz | devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz | devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz | devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz |
| Created on time | devTime=Feb 16 2017 23:06:11.000 UTC | devTime=Jan 22 2017 21:44:10.000 UTC | devTime=Feb 10 2017 00:59:52.000 UTC | devTime=Feb 23 2017 07:48:25.000 UTC | devTime=Sep 14 2021 12:41:49.809 UTC | devTime=Oct 07 2020 17:49:45.000 UTC |
| User Name | usrName=Steve Robertson | usrName=test15@shn.com | usrName=testdlpa1@reallymymail.com | usrName=threatmodelling_nll_0_148783..._18063@shn.com | usrName=N/A | usrName=audittest@shn.com |
| Incident Severity # (L/M/H) | sev=6 | sev=9 | sev=10 | sev=0 | sev=7 | |
| Activity Name | activityName=Denied | activityName=-1 | | | activityName=[] | |
| Actor Id Type | actorIdType=USER | actorIdType=USER | actorIdType=USER | actorIdType=USER | actorIdType=USER | |
| Incident Id | incidentId=SHW-46404749 | incidentId=ANO-139539 | incidentId=DLP-95674 | incidentId=THR-12484 | incidentId=AUD-4750 | |
| Incident Severity | riskSeverity=High | riskSeverity=high | riskSeverity=high | riskSeverity=high | riskSeverity=medium | |
| Incident Risk Severity | | | | | incidentRiskSeverityId=1 | |
| Service Name | serviceNames=[Western Digital - My Cloud] | serviceNames=[Box] | serviceNames=[Box] | serviceNames=[Box,Salesforce] | serviceNames=[Microsoft Teams] | |
| Status | status=NEW | status=OPENED | status=NEW | status=OPENED | status=new | |
| Updated on time | updatedOn=Mar 10 2017 02:09:26.000 UTC | updatedOn=Jan 22 2017 21:44:08.957 UTC | updatedOn=Feb 10 2017 01:01:55.951 UTC | updatedOn=Feb 23 2017 07:54:07.510 UTC | updatedOn=Sep 15 2021 14:30:35.839 UTC | |
| Incident Group Name | RepeatOffender | Superhuman | Dlp | Misuse | SecurityMonitoring | |
| Response | response=Denied | response=Preview,Preview | response=Allowed | | response=[Violation Detected] | |
| Anomaly value | anomalyValue=6 | anomalyValue=NA | ||||
| Countries | countries=[SE, US] | |||||
| Email Domain | emailDomain=shn.com | |||||
| Is Part Of Threat | isPartOfThreat=false | |||||
| Threat Category | threatCategory=Compromised Accounts | |||||
| Threshold Duration | thresholdDuration=hourly | |||||
| Threshold | thresholdValue=4 | thresholdValue=-1 | ||||
| Source IPs | src=81.224.95.152 | src=81.224.95.152 | ||||
| Additional Source Info | additionalSrcInfo=[81.224.95.152, 74.217.98.19] | additionalSrcInfo=[81.224.95.152, 74.217.98.19] | ||||
| Activity Count | informationActivityCount=1 | |||||
| Anomaly Category | informationAnomalyCategory=Aceess Anomalies | |||||
| Anomaly Cause | informationAnomalyCause=IMPOSSIBLE TRAVEL | |||||
| Cities | informationCities=[Tokyo, Seattle] | |||||
| Mitre Tactics | informationMitreTactic= [Initial Access] | informationMitreTactic=[Impact] | ||||
| Mitre Technique | informationMitreTechnique= [Valid Accounts] | informationMitreTechnique=[Data Destruction] | ||||
| Service and Accounts IDs | informationServicesAndAccountIds={"Office365":"","AzureAD":""} | |||||
| Source IP Orgs | informationSourceIpOrgs=[ISP internet] | |||||
| Significantly Updated Time | significantlyUpdatedAt=Dec 04 2020 02:17:05.840 UTC | | | | significantlyUpdatedAt=2021-09-15T14:30:35.839Z | |
| Policy ID | policyId=45507 | | | | policyId=646723 | |
| Policy Name | policyName=File Type Violation | | | | policyName=Ensure guest users cannot create or update Teams channels informationScanName=Security Configuration Audit Scan For Microsoft Teams (35380) | |
| Remediator Name | remediatorName=John Doe | |||||
| User Action | userAction=Denied | |||||
| Collaboration Shared Link | collaborationSharedLink=false | |||||
| Content Hierarchy | contentItemHierarchy=All Files | |||||
| Content Item Id | contentItemId=199908982144 | | | | contentItemId=3dd92596-1112-49db-a021-faa00681e151 | |
| Content Item Name | contentItemName=ssssn-document-sd1.docx | | | | contentItemName=test_team2 | |
| Content Item Size | contentItemSize=134489 | |||||
| Content Name | contentItemName=ecLDAPwithSSL_info.docx | contentItemName=vpc-fa73f193 | ||||
| Content Type | contentItemType=file | contentItemType=config_entity | ||||
| Content Item Type | | | | | contentItemType=SAAS_RESOURCE | |
| Information Account Id (specific to Config Audit) | | | | | informationAccountId=1283e3ee-3177-46d4-a2ec-2ba13589d8a5 | |
| Information Category (specific to Config Audit) | | | | | informationCategory=UnrestrictedAccess | |
| Information Config Type (specific to Config Audit) | | | | | informationConfigType=Team | |
| Information Content Item Created On (specific to Config Audit) | | | | | informationContentItemCreatedOn=2021-09-15T14:30:35.839Z | |
| Information Event ID (specific to Config Audit) | | | | | informationEventId=46 | |
| Information Scan Update | | | | | informationScanRunDate=2021-09-14T12:41:49.244Z | |
| Instance ID | | | | | instanceId=35380 | |
| Instance Name | | | | | instanceName=14Sep602 | |
| Total Match Count | totalMatchCount=1 | |||||
| Group ID | groupID=98435 | |||||
| Event Category ID | auditEventTypeEventCategoryId=260 | |||||
| Event Category Name | auditEventTypeEventCategoryName=Cloud Connector | |||||
| Event Type ID | auditEventTypeEventTypeId=2610 | |||||
| Event Type Name | auditEventTypeEventTypeName=Cloud Config synced to EC | |||||
| Sub Type ID | auditEventTypeSubTypeId=0 | |||||
| Event Info | eventInfo=Config Version: 86d0912ae91b4d148c6a47aa4b65a0b184e84ab4 | |||||
| Insertion ID | insertionId=25832906 | |||||
| Object Name | t98435-79475939.do.myshn.net | |||||
| Timestamp | timestamp=Oct 07 2020 17:49:45.000 UTC | |||||
| User First Name | userInfoFirstName=User | |||||
| User Last Name | userInfoLastName=Demo | |||||
| User ID | userInfoUserId=85410 | |||||
| User Login Event | isLoginEvent=false | |||||
Skyhigh CASB Key Value Format
| Key-Value | Shadow Anomaly | Sanctioned Anomaly | DLP policy violation | Threat | Config Audit | Audit Logs |
|---|---|---|---|---|---|---|
| Time VMName | <14>Mar 14 17:04:35 EC-test00.app.qa.sjc.shn | <14>Mar 16 21:59:49 EC-test00.app.qa.sjc.shn | <14>Mar 14 17:00:16 EC-test00.app.qa.sjc.shn | <14>Mar 15 23:13:55 EC-test00.app.qa.sjc.shn | <14>Mar 16 19:04:41 EC-test00.app.qa.sjc.shn | <14>Mar 16 19:04:41 EC-test00.app.qa.sjc.shn |
| Created on time | createdOn="Feb 16 2017 23:06:11.000 UTC" | createdOn="Jan 22 2017 21:44:10.000 UTC" | createdOn="Feb 10 2017 00:59:52.000 UTC" | createdOn="Feb 23 2017 07:48:25.000 UTC" | createdOn="Sep 14 2021 12:41:49.809 UTC" | createdTime="Oct 07 2020 17:49:45.000 UTC", |
| Updated on time | updatedOn="Mar 10 2017 02:09:26.000 UTC" | updatedOn=Jan 22 2017 21:44:08.957 UTC | updatedOn="Feb 10 2017 01:01:55.951 UTC" | updatedOn="Feb 23 2017 07:54:07.510 UTC" | updatedOn="Sep 15 2021 14:30:35.839 UTC" | |
| Status | status=NEW | status=OPENED | status=NEW | status=OPENED | status=new | |
| Service Name | serviceNames="[Western Digital - My Cloud]" | serviceNames=[Box] | serviceNames=[Box] | serviceNames="[Box,Salesforce]" | serviceNames="[Microsoft Teams]" | |
| Incident Id | incidentId=SHW-46404749 | incidentId=ANO-139539 | incidentId=DLP-95674 | incidentId=THR-12484 | incidentId=AUD-4750 | |
| Incident Group Name | incidentGroup=Alert.Data.RepeatOffender | incidentGroup=Alert.Access.Superhuman | incidentGroup=Alert.Policy.Dlp | incidentGroup=Threat.PrivilegeAccess.Misuse | incidentGroup=Alert.Policy.Audit | |
| Incident Severity # (L/M/H) | riskScore=6.0 | riskScore=9.0 | riskScore=10.0 | riskScore=0.25 | riskScore=7.0 | |
| Incident Severity | riskSeverity=High | riskSeverity=high | riskSeverity=high | riskSeverity=high | riskSeverity=medium | |
| User Name | userDisplayName=Unknown | userDisplayName=test15@shn.com | userDisplayName=testdlpa1@reallymymail.com | userDisplayName=threatmodelling_nll_..._18063@shn.com | userDisplayName=N/A | |
| Activity Name | activityName=Denied | activityName=-1 | | | activityName=[] | |
| Response | response=Denied | response=Preview,Preview | response=Allowed | | response="[Violation Detected]" | |
| Anomaly value | anomalyValue=6 | anomalyValue=NA | ||||
| Mitre Tactics | informationMitreTactic=[Impact] | |||||
| Mitre Technique | informationMitreTechnique=[Data Destruction] | |||||
| Countries | countries=[SE, US] | |||||
| Email Domain | emailDomain=shn.com | |||||
| Is Part Of Threat | isPartOfThreat=false | |||||
| Threat Category | threatCategory=Compromised Accounts | |||||
| Threshold Duration | thresholdDuration=hourly | |||||
| Threshold | thresholdValue=4 | thresholdValue=-1 | ||||
| Source IPs | sourceIps=[81.224.95.152, 74.217.98.19] | clientIpAddress =53.23.104.13 | ||||
| Policy ID | policyId=45507 | | | | policyId=646723 | |
| Policy Name | policyName="File Type Violation" | | | | policyName="Ensure guest users cannot create or update Teams channels" | |
| Remediator Name | remediatorName=John Doe | |||||
| User Action | userAction=Denied | |||||
| Collaboration Shared Link | collaborationSharedLink=false | |||||
| Content Hierarchy | contentItemHierarchy="All Files" | |||||
| Content Item Id | contentItemId=199908982144 | | | | contentItemId=3dd92596-1112-49db-a021-faa00681e151 | |
| Content Item Name | contentItemName=ssssn-document-sd1.docx | | | | contentItemName=test_team2 | |
| Content Item Size | contentItemSize=134489 | |||||
| Content Name | contentItemName=ecLDAPwithSSL_info.docx | contentItemName=vpc-fa73f193 | ||||
| Content Type | contentItemType=file | | | | contentItemType=SAAS_RESOURCE | |
| Account Id (specific to Config Audit) | accountId=674413271627 | |||||
| Config Type (specific to Config Audit) | configType=VPC | |||||
| Total Match Count | totalMatchCount=1 | |||||
| Actor Id Type | actorIdType=USER | actorIdType=USER | actorIdType=USER | actorIdType=USER | actorIdType=USER | |
| Actor Id | actorId="user name" | actorId="user name" | actorId="user name" | actorId="user name" | actorId=N/A | |
| Incident Risk Score | IncidentRiskScore=5 | IncidentRiskScore=5 | IncidentRiskScore=5 | IncidentRiskScore=5 | incidentRiskScore=7.0 | |
| Risk Score | | | | | riskSeverity=medium | |
| Information Account ID | | | | | informationAccountId=1283e3ee-3177-46d4-a2ec-2ba13589d8a5 | |
| Information Category | | | | | informationCategory=UnrestrictedAccess | |
| Information Config Type | | | | | informationConfigType=Team, | |
| Information Content Item Created On | | | | | informationContentItemCreatedOn=2021-09-15T14:30:35.839Z | |
| Information Event ID | | | | | informationEventId=46 | |
| Information Scan Name | | | | | informationScanName="Security Configuration Audit Scan For Microsoft Teams (35380)", | |
| Information Scan Run Date | | | | | informationScanRunDate=2021-09-14T12:41:49.244Z | |
| Instance ID | | | | | instanceId=35380 | |
| Instance Name | | | | | instanceName=14Sep602 | |
| Significantly Updated On | | | | | significantlyUpdatedAt=2021-09-15T14:30:35.839Z | |
| Event Category ID | auditEventTypeEventCategoryId=100 | |||||
| Event Category Name | auditEventTypeEventCategoryName=Skyhigh Cloud Admin | |||||
| Event Type ID | auditEventTypeEventTypeId=1002 | |||||
| Event Type Name | auditEventTypeEventTypeName=Cloud Config synced to EC | |||||
| Sub Type ID | auditEventTypeSubTypeId=0 | |||||
| Event Info | eventInfo=User role change | |||||
| Insertion ID | insertionId=25832906 | |||||
| Object Name | objectName=User thirurao.ecqatiam@gmail.com | |||||
| Tenant ID | tenantId=98435 | |||||
| Timestamp | timestamp=Oct 07 2020 17:49:45.000 UTC | |||||
| User Email | userInfoEmail=audittest@shn.com | |||||
| User First Name | userInfoFirstName=User | |||||
| User Last Name | userInfoLastName=Demo | |||||
| User ID | userInfoUserId=85410 | |||||
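The three tables above describe the same incident fields in three wire formats, and a SIEM rule usually wants one record regardless of which format the connector was configured to send. The Python below is an added example, not Skyhigh Security's code: it strips the syslog prefix shown in the Time VMName row, recognises a CEF or LEEF header (falling back to bare key-value pairs), parses the extension while allowing values that contain spaces (timestamps, policy names, bracketed lists), and maps the format-specific keys (suser/usrName/userDisplayName, start/devTime/createdOn, riskSeverity/incidentRiskSeverity, Name/cat/incidentGroup) onto common names. The sample lines are constructed from values in the tables; how those values are assembled into a line (CEF header order with a space-separated extension, tab-separated LEEF 1.0 attributes, space-separated key-value pairs with quoted strings and the trailing commas the table shows) is an assumption, as is the needs_review triage rule.

```python
"""Added example: normalise Skyhigh CASB Cloud Connector CEF, LEEF and key-value
events into one record. The sample lines are CONSTRUCTED from values in the tables
above; the Cloud Connector does not emit exactly these lines."""
import re
from datetime import datetime, timezone

# Syslog prefix from the "Time VMName" row: <PRI>Mon dd HH:MM:SS hostname
SYSLOG_PREFIX = re.compile(r"^<\d+>\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ ")
# "key=" at start of text or after whitespace. Values may contain spaces
# (start=Feb 16 2017 23:06:11.000 UTC), so a value runs up to the next key token.
_KEY = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_.]*)=")

# Constructed samples. Assumptions: CEF header order as in the table with a
# space-separated extension, LEEF 1.0 attributes tab-separated, key-value pairs
# space-separated with values quoted where they contain spaces.
CEF_SAMPLE = ("<14>Mar 16 21:40:39 EC-test00.app.qa.sjc.shn CEF:0|Skyhigh Security|"
              "Skyhigh CASB|Anomalies.5.2.2.0|Data Download|Alert.Data|3|"
              "start=Jan 22 2017 21:44:10.000 UTC status=OPENED serviceNames=[Box] "
              "incidentId=ANO-139539 incidentRiskSeverity=high suser=test15@shn.com "
              "informationAnomalyCause=IMPOSSIBLE TRAVEL informationCountries=[SE, US]")
LEEF_SAMPLE = ("<14>Mar 14 16:13:59 EC-test00.app.qa.sjc.shn LEEF:1.0|Skyhigh Security|"
               "Skyhigh CASB|5.2.2.0|Incident|cat=Alert.Policy\tdevTime=Feb 10 2017 "
               "00:59:52.000 UTC\tusrName=testdlpa1@reallymymail.com\tsev=10\t"
               "incidentId=DLP-95674\triskSeverity=high\tserviceNames=[Box]\tstatus=NEW\t"
               "policyName=File Type Violation\tcontentItemName=ssssn-document-sd1.docx")
KV_SAMPLE = ('<14>Mar 16 19:04:41 EC-test00.app.qa.sjc.shn createdOn="Sep 14 2021 '
             '12:41:49.809 UTC" status=new serviceNames="[Microsoft Teams]" '
             "incidentId=AUD-4750 incidentGroup=Alert.Policy.Audit riskScore=7.0 "
             'riskSeverity=medium userDisplayName=N/A response="[Violation Detected]" '
             'policyName="Ensure guest users cannot create or update Teams channels" '
             "informationConfigType=Team, instanceId=35380")


def _clean(value):
    """Trim, drop the trailing comma some key-value pairs carry, strip quotes."""
    value = value.strip().rstrip(",")
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value


def parse_pairs(text, sep=None):
    """sep=None: whitespace-separated pairs whose values may contain spaces.
    sep='\\t': one pair per tab-separated field (LEEF 1.0)."""
    if sep is not None:
        return {k: _clean(v) for k, v in (f.split("=", 1) for f in text.split(sep) if "=" in f)}
    keys = list(_KEY.finditer(text))
    ends = [m.start() for m in keys[1:]] + [len(text)]
    return {m.group(1): _clean(text[m.end():end]) for m, end in zip(keys, ends)}


def parse_time(value):
    """'Feb 16 2017 23:06:11.000 UTC' (devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz)
    or ISO 8601 '2021-09-15T14:30:35.839Z'. Returns an aware UTC datetime or None."""
    if not value:
        return None
    try:
        return datetime.strptime(value, "%b %d %Y %H:%M:%S.%f %Z").replace(tzinfo=timezone.utc)
    except ValueError:
        pass
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def normalize(line):
    """Detect the format from the payload and map its fields to common names."""
    payload = SYSLOG_PREFIX.sub("", line, count=1).strip()
    if payload.startswith("CEF:"):
        parts = re.split(r"(?<!\\)\|", payload, maxsplit=7)  # header pipes may be escaped as \|
        if len(parts) != 8:
            raise ValueError("malformed CEF header")
        parts[:7] = [p.replace("\\|", "|") for p in parts[:7]]
        fields = parse_pairs(parts[7])
        fmt, event_class, category, severity = "CEF", parts[4], parts[5], parts[6]
    elif payload.startswith("LEEF:"):
        parts = re.split(r"(?<!\\)\|", payload, maxsplit=5)
        if len(parts) != 6:
            raise ValueError("malformed LEEF header")
        ext = parts[5]  # fall back to whitespace parsing if a relay rewrote the tabs
        fields = parse_pairs(ext, sep="\t") if "\t" in ext else parse_pairs(ext)
        fmt, event_class, category, severity = "LEEF", parts[4], fields.get("cat"), fields.get("sev")
    elif "=" in payload:
        fields = parse_pairs(payload)
        fmt, event_class, category, severity = "KV", None, fields.get("incidentGroup"), fields.get("riskScore")
    else:
        raise ValueError("unrecognised Cloud Connector payload")
    services = fields.get("serviceNames", "").strip("[]")
    return {
        "format": fmt, "event_class": event_class, "category": category, "severity": severity,
        "incident_id": fields.get("incidentId"),
        "status": (fields.get("status") or "").upper() or None,
        "user": fields.get("suser") or fields.get("usrName") or fields.get("userDisplayName"),
        "services": [s.strip() for s in services.split(",") if s.strip()],
        "risk_severity": (fields.get("riskSeverity") or fields.get("incidentRiskSeverity") or "").lower() or None,
        "created": parse_time(fields.get("start") or fields.get("devTime")
                              or fields.get("createdOn") or fields.get("createdTime")),
        "anomaly_cause": fields.get("informationAnomalyCause"),
        "fields": fields,
    }


def needs_review(rec):
    """Triage rule (assumption): open incidents rated high, plus any impossible-travel anomaly."""
    return (rec["status"] in ("NEW", "OPENED") and rec["risk_severity"] == "high") \
        or rec["anomaly_cause"] == "IMPOSSIBLE TRAVEL"


if __name__ == "__main__":
    for sample in (CEF_SAMPLE, LEEF_SAMPLE, KV_SAMPLE):
        rec = normalize(sample)
        print(rec["format"], rec["incident_id"], rec["risk_severity"], rec["created"], needs_review(rec))
```

Run it directly to print one summary line per sample. The parsing choice that matters in practice is the key-token rule: splitting the CEF extension on spaces would cut start=Feb 16 2017 23:06:11.000 UTC into five fragments, so a value is read up to the next key= token instead. A quoted value that itself contains text of the form ` word=` would still confuse that rule, which is a reason to keep the key-value format's quoting intact when a relay rewrites lines.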
