Skip to main content
Skyhigh Security

Cloud Connector Config SIEM Integration

You can export Anomalies, Threats, Incidents, and Audit Logs from Skyhigh CASB to your third-party SIEM systems (Security Information and Event management) using SIEM integration.

IMPORTANT:

  • You must have the Skyhigh Cloud Connector user role to configure Cloud Connector. For details, see About User Roles and Access Levels
  • You must access the Skyhigh CASB user interface from the same network that your Cloud Connector is on. Otherwise, you cannot enable the feature or configure settings. An error message displays, "SIEM settings cannot be accessed outside of your company's network. You need to be inside your company's network to turn on the feature."

clipboard_e8da0531b5499972bb7e16670e654420f.png

Field Description
SIEM Server Host Enter the SIEM server hostname. 
SIEM Server Port Enter the SIEM server port number.
SIEM Protocol

Select the SIEM server protocol from the menu:

  • TCP
  • UDP
  • TCP+TLS
Data Export Format Type

Select the data export format type from the menu:

  • Key Value Pairs
  • Log Event Extended Format
  • Common Event Format
Anomaly Export Type

Select the Anomaly export type from the menu: 

  • All Anomalies. All anomalies remaining in Skyhigh CASB are sent. 
  • New Anomalies Only. New anomalies after this configuration are sent. 
  • None. No anomalies are sent. 
Incident Export Type

Select the Incident export type from the menu: 

  • All Incidents. All incidents remaining in Skyhigh CASB are sent. 
  • New Incidents Only. New incidents after this configuration are sent. 
  • None. No anomalies are sent. 
Audit Log Export Type

Select the Audit Log export type from the menu. 

  • All. All events remaining in Skyhigh CASB are sent. 
  • New Only. New events after this configuration are sent. 
  • None. No events are sent. 

Advanced Settings 

Click Show Advanced Settings to display. 
clipboard_e01ea8efc99be239731b8345980c9c61d.png

Field Description
Audit Log Job Frequency Enter the frequency in milliseconds for Audit Log downloads. The default is 14400000 milliseconds. This property is only relevant when Audit Log import is enabled for SIEM
Incident Job Frequency Enter the frequency in milliseconds for Incident downloads. The default is 14400000 milliseconds. This property is only relevant when Incident import is enabled for SIEM.
Anomaly Job Frequency Enter the frequency in milliseconds for Anomaly downloads. The default is 14400000 milliseconds. This property is only relevant when Anomaly import is enabled for SIEM.
Disable SIEM Local Detokenization Select Yes to disable SIEM local detokenization. Select No to enable.
SIEM Escape CSV Type Select Yes to enable the SIEM escape CSV type. Select No to disable.
SIEM Incidents Import Limit Enter the number limit of SIEM incidents that can be imported.
Max Message Length Enter the number of Bytes for the maximum message length.
SIEM Export Max Field Length Enter the maximum field length in characters so that the data is truncated before it is exported to SIEM. Please enter 0 if no truncation is required.
Anomaly Endpoint Suffix Enter the suffix for the Anomaly import endpoint from the Skyhigh CASB API.
SIEM Audit Log Batch Size Enter the number limit of SIEM audit logs that can be imported.
Replaceable Keys If an attribute from the Skyhigh Security feed has the format “Username” but the SIEM expects the format “usr”, replace that attribute here.
Insert Keys Specify name-value pair text expected by the SIEM. For example, to identify your Cloud Connector instance.
Exclude Keys Enter any key and its value to be excluded from the data exporting to SIEM.
Exclude certain messages Filter and exclude or drop messages sent to the SIEM based on specified criteria. For example, certain messages that contain sensitive data. 
  • Was this article helpful?