If you're having trouble at any stage please contact us at email@example.com.
The goal of this guide is to add a SkyFormation Custom Connector to your SkyFormation Platform so that it can ingest audit events from customized data sources and transform them into meaningful, detection-ready events. For more information, see the SkyFormation Customer Connector Overview guide.
(0) Allow SkyFormation access to the custom data source URL you intend to use
(1) Grant the SkyFormation application machine or user permission to read and list information from
the data source.
(2) The SQS and S3 bucket attributes needed to add a SkyFormation Custom Connector are:
- SQS URL
(See How to get my SQS URL)
- SQS Region
(See How to get my SQS region)
- S3 Bucket Region
(See How to get my S3 bucket region)
(3) Have (or create) an AWS IAM user that will be used by the SkyFormation Custom
Connector to integrate with the AWS APIs and ingest the audit events.
- If you need to create a new IAM user see Creating an IAM User in Your AWS Account
(4) Get the following IAM user's attributes
(See How to get an IAM user's Access Key ID and Access Key Key)
- Secret Access Key (see the example in the diagram)
- Access Key ID (see the example in the diagram)
Note: The Access Key ID and Secret Access Key in the diagram are not valid keys.
(5) The AWS IAM user mentioned above should have the following AWS permissions
(1) Use a dedicated user for the SkyFormation Custom Connector
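Before typing the values gathered above into the connector form, they can be checked for consistency offline. The following is an added example, not part of the original guide or of the SkyFormation product: the function names are hypothetical, and the expected formats (standard SQS URL layout, "AKIA" prefix for long-term IAM user keys, "ASIA" prefix for temporary STS keys, 40-character secret) are assumptions based on common AWS conventions.

```python
import re
from urllib.parse import urlparse

# Assumed formats: region code, standard SQS host, /<12-digit account>/<queue name>
REGION = r"[a-z]{2}(?:-[a-z]+)+-\d"
SQS_HOST = re.compile(rf"sqs\.({REGION})\.amazonaws\.com(?:\.cn)?")
SQS_PATH = re.compile(r"/(\d{12})/([A-Za-z0-9_-]{1,80}(?:\.fifo)?)")


def parse_sqs_url(url):
    """Return (region, account_id, queue_name) or raise ValueError."""
    parts = urlparse(url.strip())
    if parts.scheme != "https":
        raise ValueError("SQS URL must use https")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("SQS URL must not carry credentials, query or fragment")
    host = SQS_HOST.fullmatch(parts.hostname or "")
    path = SQS_PATH.fullmatch(parts.path)
    if not host or not path:
        raise ValueError("expected https://sqs.<region>.amazonaws.com/<account-id>/<queue>")
    return host.group(1), path.group(1), path.group(2)


def preflight(sqs_url, sqs_region, s3_region, access_key_id, secret_key):
    """Return a list of problems found in the connector form values."""
    problems = []
    try:
        url_region, _, _ = parse_sqs_url(sqs_url)
        if url_region != sqs_region.strip():
            problems.append(f"SQS region {sqs_region!r} does not match URL region {url_region!r}")
    except ValueError as exc:
        problems.append(f"SQS URL: {exc}")
    if not re.fullmatch(REGION, s3_region.strip()):
        problems.append(f"S3 bucket region {s3_region!r} is not a region code")
    if access_key_id.startswith("ASIA"):
        problems.append("Access Key ID is a temporary (STS) key; use the dedicated IAM user's key")
    elif not re.fullmatch(r"AKIA[A-Z0-9]{16}", access_key_id):
        problems.append("Access Key ID does not look like an IAM user key (AKIA...)")
    if secret_key != secret_key.strip() or len(secret_key) != 40:
        problems.append("Secret Access Key has stray whitespace or is not 40 characters")
    return problems  # never includes the secret itself, so it is safe to log


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real queue.
    print(preflight("https://sqs.eu-west-1.amazonaws.com/123456789012/audit-queue",
                    "us-east-1", "us-east-1", "AKIA" + "X" * 16, "s" * 40))
```

An empty list means the values are mutually consistent; it does not prove that the IAM user actually holds the required permissions.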
1. Log on to your SkyFormation Platform.
2. Navigate via the left navigation panel to the "Settings" section
3. Navigate via the New Settings left navigation panel to the "Accounts" section
4. Click the "Add Account" button
5. At "SELECT SERVICE TO ADD", choose "Custom Connector"
You will see the screen below:
6. Fill in the following information:
- Tenant (relevant only for the multi-tenant SkyFormation edition)
Choose the tenant the new connector will be attached to.
- Account Name
Give the custom connector a name that is meaningful to you. This becomes the application
connector name displayed in the SkyFormation platform and is added as an identifier to all
events sent to your SIEM/Log/Splunk system from this connector.
"Sales custom pricing app"
Add any text that describes the specific application and its meaning for the business.
"Corp sales application to define and optimize sales pricing"
Put the IAM user's Access Key ID
- Secret (secret-key)
Put the IAM user's Secret Access Key
Put the region name of the S3 bucket used for the central cloud trail.
The SQS region
The URL of the SQS in use for the central audit.
Example (not a valid value to use)
Choose the processor from the drop-down list; it determines how the ingested events
will be parsed.
For a better understanding of how the processors work, please refer to:
SkyFormation Customer Connector Overview
- Click the "SAVE" button
Make sure the "STATUS" of the new AWS MT connector in the table is OK and green.
You are done!