Export Anomalies, Threats, Incidents and the Audit Log to a SIEM
You can export anomalies, threats, incidents, and the Audit Log from Skyhigh CASB to your third-party SIEM systems using Syslog export. This export is handled through the Skyhigh Cloud Connector. Use this feature to export data to another system for further analysis or to drive data protection rules.
By default, Cloud Connector fetches incidents from Skyhigh CASB every four hours. You can customize this interval in the logprocessor.local.properties file using the property siem.frequency=. The value is in milliseconds. For assistance setting this property, contact Skyhigh CASB Support.
NOTE: If tokenization for Skyhigh CASB Secure data is enabled, there may be situations where your data will not be detokenized before it is sent to your SIEM. Data can be detokenized automatically only when the user name associated with the user in Active Directory matches the user name used in the monitored CSP.
Configure a SIEM Syslog Service
For SIEM configuration, see About EC Configuration.
Export Format Details
Dates
All internal dates use the following format: YYYY-MM-DDTHH:MM:SS.SSSZ
For example, 2017-02-09T22:25:00.000Z
Key Value Pairs
Escaped characters:
If the value uses any of the following characters, the entire string will be quoted, and and internal quotes will be doubled:
- comma:
, - equal:
= - quote:
"becomes"" - space
For example, saying=he said, "hi" becomes "he said, ""hi""".
Log Event Extended Format (LEEF)
For the full definition, see Log Event Extended Format (LEEF) Guide.
Escaped characters:
- caret:
^becomes<caret> - pipe:
|becomes<pipe> - tab:
<tab>becomes<tab>(The real tab is exchanged for the string<tab>.)
Common Event Format
For the full definition, see the ArcSight Common Event Format Guide.
Escaped characters:
- backslash:
\becomes\\ - equal:
=becomes\= - pipe:
|becomes\|