Skip to main content
Skyhigh Security

Cloud Connector SIEM Integration Formats

NOTE: See all the options for Group Name, and Category ID under CEF format. These are applicable for all three formats.

NOTE: Any previous reference to UBEA is now referred to as User and Entity Behavior Analytics (UEBA). 

Text in BLUE is UEBA based. 

Text in GREEN is Static (non UEBA). 

CEF Format

Use these Key-Value pairs for Skyhigh CASB 3.7 and later. 

Key-Value Shadow Anomaly Sanctioned Anomaly DLP policy violation Threat Config Audit Audit Log
Time VMName <14>Mar 14 00:41:54 EC-test00.app.qa.sjc.shn <14>Mar 16 21:40:39 EC-test00.app.qa.sjc.shn  <14>Mar 14 00:37:24 EC-test00.app.qa.sjc.shn <14>Mar 15 21:23:24 EC-test00.app.qa.sjc.shn  <14>Mar 16 18:03:52 EC-test00.app.qa.sjc.shn  <14>Mar 16 18:03:52 EC-test00.app.qa.sjc.shn 
Anomaly Category   informationAnomalyCategory=Aceess Anomalies        
Anomaly Cause   informationAnomalyCause=IMPOSSIBLE TRAVEL        
Format CEF:0 CEF:0 CEF:0 CEF:0 CEF:0 CEF:0
Device Vendor Skyhigh Security Skyhigh Security Skyhigh Security Skyhigh Security Skyhigh Security Skyhigh Security
Device Product Skyhigh CASB Skyhigh CASB Skyhigh CASB Skyhigh CASB Skyhigh CASB Skyhigh CASB
Device Version Anomalies.5.2.2.0 Anomalies.5.2.2.0 Anomalies.5.2.2.0 Anomalies.5.2.2.0 Anomalies.5.2.2.0 Dashboard Audit Logs.5.2.2.0
Device Event Class ID Data Transfer Data Download Dlp Suspicious Superhuman Audit  1002
Mitre Tactics         informationMitreTactic=[Impact]  
Mitre Technique         informationMitreTechnique=[Data Destruction]  
Name  Alert.Data Alert.Data Alert.Policy Threat.CompromisedAccount Alert.Policy User information edited
Severity 3 3 3 9 9 10
Created on time start=Feb 16 2017 23:06:11.000 UTC start=Jan 22 2017 21:44:10.000 UTC  start=Feb 10 2017 00:59:52.000 UTC start=Feb 23 2017 07:48:25.000 UTC start=Feb 23 2017 07:48:25.000 UTC start=Feb 23 2017 07:48:25.000 UTC
Time Modified timeModified=Mar 10 2017 02:09:26.000 UTC  timeModified=Jan 22 2017 21:44:08.957 UTC timeModified=Feb 10 2017 01:01:55.951 UTC timeModified=Feb 23 2017 07:54:07.510 UTC timeModified=Mar 07 2017 03:04:34.186 UTC  
Status status=NEW  status=OPENED  status=NEW status=OPENED 

status=new

 
Service Name serviceNames=[Western Digital - My Cloud]  serviceNames=[Box] serviceNames=[Box] serviceNames=[Box,Salesforce] 

serviceNames=[Microsoft Teams]

 
Incident Id incidentId=SHW-46404749  incidentId=ANO-139539 incidentId=DLP-4616923 incidentId=THR-12484

incidentId=AUD-4750

 
Incident Risk Severity incidentRiskSeverity=High  incidentRiskSeverity=high  incidentRiskSeverityId=0 incidentRiskSeverity=high 

incidentRiskSeverityId=1

 
Risk Severity     riskSeverity=low  

riskSeverity=medium

 
Incident Severity (value) 6 9 10 0    
User Name suser=Unknown suser=test15@shn.com  suser=testdlpa1@reallymymail.com suser=threatmodelling_nll_0_1487836279_18063@shn.com suser=N/A  suser=audittest@shn.com
Activity Names activityNames=Denied  activityNames=-1  activityName=[Email]  

activityName=[]

 
Response response=Denied  response=Preview,Preview  response=Allowed  

response=[Violation Detected]

 
Anomaly value informationAnomalyValue=6 informationAnomalyValue=NA         
Countries   informationCountries=[SE, US]         
Email Domain   informationEmailDomain=shn.com        
Is Part Of Threat   informationIsPartOfThreat=false         
Threat Category   informationtThreatCategory=Compromised Accounts         
Threshold Value informationThresholdValue=4  informationThresholdValue=-1         
Threshold Duration   informationThresholdDuration=hourly         
Source IPs   informationSourceIps=[81.224.95.152, 74.217.98.19]        dvc=53.23.104.13
Policy ID     informationPolicyId=45507  

policyId=646723

 
Policy Name     informationPolicyName=File Type Violation  

policyName=Ensure guest users cannot create or update Teams channels informationScanName=Security Configuration Audit Scan For Microsoft Teams (35380)

 
Remediator Name     information RemediatorName=John Doe      
User Action informationUserAction=Denied          
Collaboration Shared Link     informationCollaborationSharedLink=false       
Content Hierarchy     informationContentItemHierarchy=All Files      
Content Item Id     informationContentItemId=199908982144  

contentItemId=3dd92596-1112-49db-a021-faa00681e151

 
Content Item Name     informationContentItemName=ssssn-document-sd1.docx  

contentItemName=test_team2

 
Content Item Size     informationContentItemSize=134489      
Information Account ID        

informationAccountId=1283e3ee-3177-46d4-a2ec-2ba13589d8a5

 
Information Category        

informationCategory=UnrestrictedAccess

 
Information Config Type        

informationConfigType=Team

 
Information Content Item Created On        

informationContentItemCreatedOn=2021-09-15T14:30:35.839Z

 
Information Event ID        

informationEventId=46

 
Information Scan Run Date        

informationScanRunDate=2021-09-14T12:41:49.244Z

 
Instance ID        

instanceId=35380

 
Instance Name        

instanceName=14Sep602

 
Significantly Updated On        

significantlyUpdatedAt=2021-09-15T14:30:35.839Z

 
Updated On        

updatedOn=Sep 15 2021 14:30:35.839 UTC

 
External Collaborators   informationExternalCollaborators  = SkyhighECinformationExternalCollaborators        
Content Item Type     informationContentItemType=file  

contentItemType=SAAS_RESOURCE

 
Total Match Count     informationTotalMatchCount=1      
Device IP   informationDeviceIp = SkyhighECinformationDeviceIP        
Actor ID Type actorIdType = SkyhighECactorIdType actorIdType = SkyhighECactorIdType actorIdType=USER  actorIdType = SkyhighECactorIdType

actorIdType=USER

 
Event Category ID           auditEventTypeEventCategoryId=100
Event Category Name           auditEventTypeEventCategoryName=MVISION Cloud Admin
Event Type ID           auditEventTypeEventTypeId=1002
Event Type Name           auditEventTypeEventTypeName=Cloud Config synced to EC
Sub Type ID           auditEventTypeSubTypeId=0
Event Info           eventInfo=User role change
Insertion ID           insertionId=25832906
Object Name           objectName=User thirurao.ecqatiam@gmail.com
Tenant ID           tenantId=98435
Timestamp           timestamp=Oct 07 2020 17:49:45.000 UTC
User First Name           userInfoFirstName=thiruraoecqatiam
User Last Name           userInfoLastName=iam
User ID           userInfoUserId=85410

LEEF Format

 

Key-Value Shadow Anomaly Sanctioned Anomaly DLP policy violation Threat Config Audit Audit Logs
Time VMName <14>Mar 14 16:18:01 EC-test00.app.qa.sjc.shn <14>Mar 16 21:53:53 EC-test00.app.qa.sjc.shn  <14>Mar 14 16:13:59 EC-test00.app.qa.sjc.shn <14>Mar 15 22:58:00 EC-test00.app.qa.sjc.shn  <14>Mar 16 18:03:52 EC-test00.app.qa.sjc.shn  <14>Mar 16 18:03:52 EC-test00.app.qa.sjc.shn
LEEF: Version LEEF:1.0 LEEF:1.0 LEEF:1.0 LEEF:1.0 LEEF:1.0 LEEF:1.0
Vendor Skyhigh Security Skyhigh Security Skyhigh Security Skyhigh Security Skyhigh Security Skyhigh Security
Product name Skyhigh CASB Skyhigh CASB Skyhigh CASB Skyhigh CASB Skyhigh CASB Skyhigh CASB
Product version 5.2.2.0 5.2.2.0 5.2.2.0 5.2.2.0 5.2.2.0 5.2.2.0
Event ID Anomaly Anomaly Incident Anomaly Incident AppAudit
IncidentType.CategoryID cat=Alert.Data cat=Alert.Access     cat=Alert.Policy cat=Threat.PrivilegeAccess cat=Alert.Policy.Audit cat=User.Activity
Created on time format (specific to LEEF) devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz

devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz

devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz
Created on time devTime=Feb 16 2017 23:06:11.000 UTC devTime=Jan 22 2017 21:44:10.000 UTC     devTime=Feb 10 2017 00:59:52.000 UTC devTime=Feb 23 2017 07:48:25.000 UTC

devTime=Sep 14 2021 12:41:49.809 UTC

devTime=Oct 07 2020 17:49:45.000 UTC
User Name usrName=Steve Robertson usrName=test15@shn.com   usrName=testdlpa1@reallymymail.com usrName=threatmodelling_nll_0_148783..._18063@shn.com

usrName=N/A

usrName=audittest@shn.com
Incident Severity # (L/M/H) sev=6 sev=9    sev=10 sev=0 sev=7     
Activity Name activityName=Denied activityName=-1    

activityName=[]

 

Actor Id Type

actorIdType=USER

actorIdType=USER

actorIdType=USER

actorIdType=USER

actorIdType=USER

 
Incident Id incidentId=SHW-46404749  incidentId=ANO-139539 incidentId=DLP-95674 incidentId=THR-12484

incidentId=AUD-4750

 
Incident Severity riskSeverity=High riskSeverity=high  riskSeverity=high riskSeverity=high

riskSeverity=medium

 
Incident Risk Severity        

incidentRiskSeverityId=1

 
Service Name serviceNames=[Western Digital - My Cloud] serviceNames=[Box] serviceNames=[Box] serviceNames=[Box,Salesforce]

serviceNames=[Microsoft Teams]

 
Status status=NEW status=OPENED  status=NEW status=OPENED

status=new

 
Updated on time updatedOn=Mar 10 2017 02:09:26.000 UTC updatedOn=Jan 22 2017 21:44:08.957 UTC updatedOn=Feb 10 2017 01:01:55.951 UTC updatedOn=Feb 23 2017 07:54:07.510 UTC

updatedOn=Sep 15 2021 14:30:35.839 UTC

 
Incident Group Name RepeatOffender Superhuman Dlp Misuse SecurityMonitoring  
Response response=Denied  response=Preview,Preview  response=Allowed   

response=[Violation Detected]

 
Anomaly value anomalyValue=6 anomalyValue=NA         
Countries   countries=[SE, US]         
Email Domain   emailDomain=shn.com        
Is Part Of Threat   isPartOfThreat=false         
Threat Category   threatCategory=Compromised Accounts         
Threshold Duration   thresholdDuration=hourly         
Threshold thresholdValue=4 thresholdValue=-1         
Source IPs   src=81.224.95.152        src=81.224.95.152 
Additional Source Info   additionalSrcInfo=[81.224.95.152, 74.217.98.19]        additionalSrcInfo=[81.224.95.152, 74.217.98.19] 
Activity Count   informationActivityCount=1        
Anomaly Category   informationAnomalyCategory=Aceess Anomalies        
Anomaly Cause   informationAnomalyCause=IMPOSSIBLE TRAVEL        
Cities   informationCities=[Tokyo, Seattle]        
Mitre Tactics   informationMitreTactic= [Initial Access]     informationMitreTactic=[Impact]  
Mitre Technique   informationMitreTechnique= [Valid Accounts]     informationMitreTechnique=[Data Destruction]  
Service and Accounts IDs   informationServicesAndAccountIds={​​​​"Office365":"","AzureAD":""}​​​​        
Source IP Orgs   informationSourceIpOrgs=[ISP internet]        
Significantly Updated Time   significantlyUpdatedAt=Dec 04
2020 02:17:05.840 UTC
   

significantlyUpdatedAt=2021-09-15T14:30:35.839Z

 
Policy ID     policyId=45507  

policyId=646723

 
Policy Name     policyName=File Type Violation  

policyName=Ensure guest users cannot create or update Teams channels informationScanName=Security Configuration Audit Scan For Microsoft Teams (35380)

 
Remediator Name     remediatorName=John Doe      
User Action userAction=Denied          
Collaboration Shared Link     collaborationSharedLink=false      
Content Hierarchy     contentItemHierarchy=All Files      
Content Item Id     contentItemId=199908982144  

contentItemId=3dd92596-1112-49db-a021-faa00681e151

 
Content Item Name     contentItemName=ssssn-document-sd1.docx  

contentItemName=test_team2

 
Content Item Size     contentItemSize=134489      
Content Name     contentItemName=ecLDAPwithSSL_info.docx   contentItemName=vpc-fa73f193   
Content Type     contentItemType=file   contentItemType=config_entity  
Content Item Type        

contentItemType=SAAS_RESOURCE

 
Information Account Id (specific to Config Audit)        

informationAccountId=1283e3ee-3177-46d4-a2ec-2ba13589d8a5

 
Information Category 
(specific to Config Audit)
       

informationCategory=UnrestrictedAccess

 
Information Config Type (specific to Config Audit)        

informationConfigType=Team

 
Information Content Item Created On (specific to Config Audit)        

informationContentItemCreatedOn=2021-09-15T14:30:35.839Z

 
Information Event ID (specific to Config Audit)        

informationEventId=46

 
Information Scan Update        

informationScanRunDate=2021-09-14T12:41:49.244Z

 
Instance ID        

instanceId=35380

 
Instance Name        

instanceName=14Sep602

 
Total Match Count     totalMatchCount=1      
Group ID          

groupID=98435

Event Category ID          

auditEventTypeEventCategoryId=260

Event Category Name          

auditEventTypeEventCategoryName=Cloud Connector

Event Type ID          

auditEventTypeEventTypeId=2610

Event Type Name          

auditEventTypeEventTypeName=Cloud Config synced to EC

Sub Type ID          

auditEventTypeSubTypeId=0

Event Info          

eventInfo=Config Version: 86d0912ae91b4d148c6a47aa4b65a0b184e84ab4

Insertion ID          

insertionId=25832906

Object Name          

t98435-79475939.do.myshn.net

Timestamp          

timestamp=Oct 07 2020 17:49:45.000 UTC

User First Name          

userInfoFirstName=User

User Last Name          

userInfoLastName=Demo

User ID          

userInfoUserId=85410

User Login Event          

isLoginEvent=false

 

Skyhigh CASB Key Value Format

Key-Value Shadow Anomaly Sanctioned Anomaly DLP policy violation Threat Config Audit Audit Logs
Time VMName <14>Mar 14 17:04:35 EC-test00.app.qa.sjc.shn <14>Mar 16 21:59:49 EC-test00.app.qa.sjc.shn  <14>Mar 14 17:00:16 EC-test00.app.qa.sjc.shn <14>Mar 15 23:13:55 EC-test00.app.qa.sjc.shn <14>Mar 16 19:04:41 EC-test00.app.qa.sjc.shn  <14>Mar 16 19:04:41 EC-test00.app.qa.sjc.shn 
Created on time createdOn="Feb 16 2017 23:06:11.000 UTC" createdOn="Jan 22 2017 21:44:10.000 UTC" createdOn="Feb 10 2017 00:59:52.000 UTC" createdOn="Feb 23 2017 07:48:25.000 UTC"

createdOn="Sep 14 2021 12:41:49.809 UTC"

createdTime="Oct 07 2020 17:49:45.000 UTC",
Updated on time updatedOn="Mar 10 2017 02:09:26.000 UTC" updatedOn=Jan 22 2017 21:44:08.957 UTC updatedOn="Feb 10 2017 01:01:55.951 UTC" updatedOn="Feb 23 2017 07:54:07.510 UTC"

updatedOn="Sep 15 2021 14:30:35.839 UTC"

 
Status status=NEW status=OPENED  status=NEW status=OPENED

status=new

 
Service Name serviceNames="[Western Digital - My Cloud]" serviceNames=[Box] serviceNames=[Box] serviceNames="[Box,Salesforce]"

serviceNames="[Microsoft Teams]"

 
Incident Id incidentId=SHW-46404749  incidentId=ANO-139539 incidentId=DLP-95674 incidentId=THR-12484

incidentId=AUD-4750

 
Incident Group Name incidentGroup=Alert.Data.RepeatOffender incidentGroup=Alert.Access.Superhuman incidentGroup=Alert.Policy.Dlp incidentGroup=Threat.PrivilegeAccess.Misuse

incidentGroup=Alert.Policy.Audit

 
Incident Severity # (L/M/H) riskScore=6.0 riskScore=9.0 riskScore=10.0 riskScore=0.25 riskScore=7.0  
Incident Severity riskSeverity=High riskSeverity=high  riskSeverity=high riskSeverity=high riskSeverity=medium   
User Name userDisplayName=Unknown userDisplayName=test15@shn.com userDisplayName=testdlpa1@reallymymail.com userDisplayName=threatmodelling_nll_..._18063@shn.com userDisplayName=N/A  
Activity Name activityName=Denied activityName=-1    

activityName=[]

 
Response response=Denied response=Preview,Preview  response=Allowed  

response="[Violation Detected]"

 
Anomaly value anomalyValue=6 anomalyValue=NA         
Mitre Tactics         informationMitreTactic=[Impact]  
Mitre Technique         informationMitreTechnique=[Data Destruction]  
Countries   countries=[SE, US]         
Email Domain   emailDomain=shn.com        
Is Part Of Threat   isPartOfThreat=false         
Threat Category   threatCategory=Compromised Accounts         
Threshold Duration   thresholdDuration=hourly         
Threshold thresholdValue=4 thresholdValue=-1         
Source IPs   sourceIps=[81.224.95.152, 74.217.98.19]        clientIpAddress =53.23.104.13
Policy ID     policyId=45507  

policyId=646723

 
Policy Name     policyName="File Type Violation"  

policyName="Ensure guest users cannot create or update Teams channels"

 
Remediator Name     remediatorName=John Doe      
User Action userAction=Denied          
Collaboration Shared Link     collaborationSharedLink=false      
Content Hierarchy     contentItemHierarchy="All Files"      
Content Item Id     contentItemId=199908982144  

contentItemId=3dd92596-1112-49db-a021-faa00681e151

 
Content Item Name     contentItemName=ssssn-document-sd1.docx  

contentItemName=test_team2

 
Content Item Size     contentItemSize=134489      
Content Name     contentItemName=ecLDAPwithSSL_info.docx   contentItemName=vpc-fa73f193   
Content Type     contentItemType=file  

contentItemType=SAAS_RESOURCE

 
Account Id (specific to Config Audit)         accountId=674413271627  
Config Type (specific to Config Audit)         configType=VPC   
Total Match Count     totalMatchCount=1      

Actor Id Type

actorIdType=USER

actorIdType=USER

actorIdType=USER

actorIdType=USER

actorIdType=USER

 

Actor Id

actorId=“user name”

actorId=“user name”

actorId=“user name”

actorId=“user name”

actorId=N/A

 

Incident Risk Score

IncidentRiskScore=5

IncidentRiskScore=5

IncidentRiskScore=5

IncidentRiskScore=5

incidentRiskScore=7.0

 
Risk Score        

riskSeverity=medium

 
Information Account ID        

informationAccountId=1283e3ee-3177-46d4-a2ec-2ba13589d8a5

 
Information Category        

informationCategory=UnrestrictedAccess

 
Information Config Type        

informationConfigType=Team,

 
Information Content Item Created On        

informationContentItemCreatedOn=2021-09-15T14:30:35.839Z

 
Information Event ID        

informationEventId=46

 
Information Scan Name        

informationScanName="Security Configuration Audit Scan For Microsoft Teams (35380)",

 
Information Scan Run Date        

informationScanRunDate=2021-09-14T12:41:49.244Z

 
Instance ID        

instanceId=35380

 
Instance Name        

instanceName=14Sep602

 
Significantly Updated On        

significantlyUpdatedAt=2021-09-15T14:30:35.839Z

 
Event Category ID           auditEventTypeEventCategoryId=100
Event Category Name           auditEventTypeEventCategoryName=MVISION Cloud Admin
Event Type ID           auditEventTypeEventTypeId=1002
Event Type Name          

auditEventTypeEventTypeName=Cloud Config synced to EC

Sub Type ID           auditEventTypeSubTypeId=0
Event Info           eventInfo=User role change
Insertion ID           insertionId=25832906
Object Name           objectName=User thirurao.ecqatiam@gmail.com
Tenant ID           tenantId=98435
Timestamp           timestamp=Oct 07 2020 17:49:45.000 UTC
User Email           userInfoEmail=audittest@shn.com
User First Name          

userInfoFirstName=User

User Last Name          

userInfoLastName=Demo

User ID           userInfoUserId=85410
  • Was this article helpful?