This article gives an overview of the two event types supported by the SkyFormation Cloud Connectors: the SkyFormation "Audit Event" and the SkyFormation "Detection Event".
Each SkyFormation Cloud Connector extracts events from the cloud service's log files and APIs
and sends them to the organization's security system. Every event a cloud connector sends to the security system has one of the two SkyFormation event types detailed below.
The SkyFormation platform admin can decide which of the two event types is sent to the organization's security system (e.g. a SIEM, a central log store, Splunk, or another system).
Each event type serves different security or compliance functions, as described below.
Supported Cloud Connector event types
SkyFormation "Audit Event"
The events are sent to the organization's security system exactly as they appear in the cloud service's audit logs and APIs.
Events used for:
(1) Retaining the full audit log long term for forensics
(2) Retaining the full audit log long term for compliance needs
(3) Retaining the full audit log long term for future investigations
SkyFormation "Detection Event"
The events are sent to the organization's security system in an actionable form, ready for detection.
To make the original cloud connector event actionable, the SkyFormation Cloud Connectors:
(1) Unify the event structure into the SkyFormation Unified Security Language
(see "SkyFormation Unified Event Structure in CEF" for more information)
(2) Add missing information and context, such as application or user context
(3) Add the behavioral and correlation information needed for detection
Events used for:
(1) Detection in SIEM systems
(2) User and Entity Behavior Analytics (UEBA)
(3) Log management and investigation platforms such as Splunk
Sending each event type to your system
Each SkyFormation Cloud Connector has the same configuration, which allows the SkyFormation admin to:
(1) Send "Audit Events" to the security system integrated with SkyFormation
(2) Send "Detection Events" to the security system integrated with SkyFormation, selected by category
Each "Detection Event" is linked to a specific SkyFormation Unified Events category. For example, a
successful login event is named "Login Success" and linked to the "Access" category.
If the SkyFormation admin wants to send the "Login Success" event, formed as a "Detection Event",
to the integrated security system, the "Access" category must be edited to send its events to the
SIEM system, as illustrated in the diagram below.
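The following is an added illustration, not SkyFormation's own code or schema, of the two event types and the category-gated forwarding described above: a constructed raw cloud login record is forwarded unchanged as an "Audit Event", and a unified, CEF-formatted "Detection Event" ("Login Success" in the "Access" category, with added user context) is forwarded only when its category is enabled. The vendor/product names, the raw record, the action-to-category mapping and the CEF extension keys are all assumptions made for this example.

```python
"""Hypothetical illustration of SkyFormation-style Audit vs Detection events.

All field names, the sample record and the CEF mapping are constructed for this
example; they are not SkyFormation's own unified schema.
"""
import json

# Constructed sample: one raw record as a cloud service might expose it.
RAW_LOGIN = {"action": "user.login", "result": "ok", "actor": "alice@example.com",
             "ip": "203.0.113.7", "ts": "2024-01-01T10:00:00Z"}

# Assumed mapping from raw action/result to a unified event name and category.
UNIFIED = {("user.login", "ok"): ("Login Success", "Access"),
           ("user.login", "fail"): ("Login Failure", "Access")}

def cef_escape(value, header=False):
    """Escape per CEF: backslash and '|' in header fields; backslash, '=' and
    newlines in extension values. Backslashes go first to avoid double-escaping."""
    s = str(value).replace("\\", "\\\\")
    if header:
        return s.replace("|", "\\|")
    return s.replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")

def to_detection_event(raw, user_context):
    """Unify the raw record, add user context, return (category, CEF line)."""
    name, category = UNIFIED[(raw["action"], raw["result"])]
    ext = {"suser": raw["actor"], "src": raw["ip"], "rt": raw["ts"], "cat": category,
           # Added context the raw record lacks (assumed lookup table).
           "cs1Label": "userRole", "cs1": user_context.get(raw["actor"], "unknown")}
    header = "|".join(cef_escape(h, header=True) for h in
                      ("CEF:0", "ExampleVendor", "CloudConnector", "1.0",
                       name.replace(" ", "_"), name, "3"))
    extension = " ".join(f"{k}={cef_escape(v)}" for k, v in ext.items())
    return category, header + "|" + extension

def route(raw, config, user_context):
    """Apply the admin's configuration: an as-is audit copy if audit events are
    enabled, plus the detection copy only if its category is enabled."""
    out = []
    if config["audit_events"]:
        out.append(json.dumps(raw, sort_keys=True))   # Audit Event: unchanged
    category, line = to_detection_event(raw, user_context)
    if config["detection_categories"].get(category, False):
        out.append(line)                              # Detection Event: CEF
    return out

if __name__ == "__main__":
    cfg = {"audit_events": True, "detection_categories": {"Access": True}}
    for line in route(RAW_LOGIN, cfg, {"alice@example.com": "admin"}):
        print(line)
```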