If you're having trouble at any stage please contact us at support@skyformation.com. 

Preface

The goal of this article is to provide an overview of the two event types supported by the different SkyFormation Cloud Connectors. The SkyFormation "Audit Event" and "Detection Event".

Each SkyFormation Cloud Connector extracts events from the cloud service log files and APIs,
and send them to the relevant organization’s security system for any need. The events being sent to the security system by the cloud connector will have one of two SkyFormation event type detailed below.

The SkyFormation platform admin could decide which of the two type of events she wishes to be sent into the Organization's security system (e.g. SIEM, central log, Splunk or else).

Each event type is used for different security or compliance functions. Please see below for more details.

Cloud Connectors Event Types supported

SkyFormation "Audit Event" 

Events form:
The events are sent to the organization's security system as they appear in the cloud service's audit logs and APIs. 

Events used for:
(1) Retain long term full audit log for forensic

(2) Retain long term full audit log for compliance needs

(3) Retain long term full audit log for future investigation 

SkyFormation "Detection Event"

Events form:
The events are sent to the organization's security system in an actionable form ready for detection.
To make the original cloud connector event actionable SkyFormation Cloud Connectors will:
(1) Unify the event structure to the SkyFormation Unified Security Language
     See SkyFormation Unified Event Structure in CEF for more information
(2) Add missing information and context as application or user context
(3) Add behavioral and correlation information needed

Events used for:
(1) Used in SIEM systems for detection

(2) Used in User Entity & Behavior Analytic (UEBA)

(3) Used in log management and investigation platform as Splunk

Getting both event types in your SIEM

Both event types are sent to the configured SIEM automatically.