Articles in this section

SkyFormation Unified Events

Avatar
Itai Hadayer
  • Updated
Follow

Version 2.0

This document represent the SkyFormation Unified Events ver 2.0.

Overview

This document describes the mapping of SkyFormation
security events into the CEF format. Based on the technical details
below any CEF based system will be able to interpret the security events
sent by SkyFormation form different cloud applications, employ
correlation rules and expect unified terminology across
applications.

To comment or ask for the latest edition of the
document contact SkyFormation at info@skyformation.com

SkyFormation Header Fields

Shared by the entire SkyFormation events

Mapped To Full Name CEF Key Name Data Type Meaning Value/s
CEF Header Fields Event time time Time and Date The event creation time as logged by the cloud service Event time and date
  CEF version version String CEF version used by SkyFormation product to encode events 2.0
  Product vendor device vendor String SkyFormation official vendor name SkyFormation
  SkyFormation product name device product String SkyFormation product name SkyFormation Cloud Apps Security
  SkyFormation product version device version String SkyFormation product version  
  SkyFormation event ID signature ID String Unique identifier for the SkyFormation event (e.g. sk4-login-success) Any SkyFormation unified event names
  SkyFormation event name name String Human readable description of the event added by SkyFormation (e.g. login-success)  
  Event severity severity Integer Severity assigned to the event by the SkyFormation product 1-10
CEF Extension Fields SkyFormation event desc msg String Detailed description of the event as produced by SkyFormation  
  Event Time end Time and Date The event end time as logged by the cloud service in milliseconds in epoch Event time and date 
  SkyFormation event category cat String SkyFormation event category (e.g User Management)  
  Source app type destinationServiceName String The application type (e.g. Office 365, Salesforce) the event ingested from  
  Source app module type sourceServiceName String The application module the event ingested from (e.g. Sharepoint in Office 365)  
  Application Connector name requestClientApplication String The friendly name given to the SkyFormation connector the events are ingested from (e.g. Corp O365)  
  Connector Endpoint name dproc String The name of the application endpoint (aka audit source) the event was ingested from  
  Status code request Enum The request result status Success, Failure, InProgress
  Severity dvcpid Integer Severity of the event 1-10 (10 is most severe) ; 0 to ignore
  Status message requestCookies String The request result message as sent by the application  
  Origin event name flexString1 String The origin name of the event as logged by the application in its audit event  
  Origin event message flexString2 String The origin description of the event as logged by the application in its audit event  
  Provider account name deviceProcessName String The name of the source app instance (aka account) in a multi apps audited via a single connector e.g. AWS account name in a Multi account environment
  Provider account ID devicePayloadId String The ID of the source app instance (aka account) in a multi apps audited via a single connector e.g. AWS account ID in a Multi account environment
  Tenant ID dtz String The ID of the tenant the connector is attached to  
  Raw event cs6 String The event as originally appeared in the cloud application audit log/source  
  Source event ID deviceInboundInterface String  The event id as originally appeared in the cloud application audit event  

 

SkyFormation Application Class Fields

Shared by all Application Data class events and mapped to CEF extension fields

Full Name CEF Key Name Data Type Meaning Value/s
Source IP src ipv4 \ ipv6 Event source IP  
Country Shost String Event origin country by source IP  
City dhost String Event origin city by source IP  
Latitude cfp3 Float Event origin latitude by source IP  
Longitude cfp3 Float Event origin longitude by source IP  
Source user ID suser String The source user ID value (e.g.johnd) as triggered by an interactive user or an application  
Source user ID type suid Enum The source user ID type (e.g. email) as triggered by an interactive user or an application email, id, username, display-name, system, anonymous, application-id, application-login-name, application-name
User privilege level smac String The administrative level of the source user in the source application admin, privileged, standard, guest
Delegated user ID sproc String The delegated user identifier value (e.g. johnd) when delegated user was used to trigger an event  
Delegated user ID type spriv String The delegated user ID type (e.g.email) when delegated user was used to trigger an event email, id, username, display-name, system, anonymous
Device category dvchost Enum Classification of client device Smart TV ,Smartphone , Tablet , Personal computer , IoT ,Unknown
Agent type sntdom Enum Classification of client agent Browser, API, Email client, Feed Reader, Unknown
Agent name sourceDnsDomain String Name of client agent (Chrome, Firefox/…)  
Agent version dntdom String Version of the client agent  
Device OS deviceNtDomain String OS name of the client device  
Device OS version deviceDnsDomain String OS version of client device  
TLS protocol app Enum TLS protocol used by the client 1.0, 1.1, 1.2
TLS cipher-suite destinationDnsDomain String TLS cipher suite used by the client  

 

Category: Access

System login and login attempts issues by users.

Login Success

This event is sent when a user successfully logins into the application

Field Type Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID signature ID String   sk4-login-success
  SkyFormation event name name String   login-sucess
  SkyFormation event category cat String   access
SkyFormation Application Class Fields Entire Available Fields        
Event Specific Login type cs1 String The type of login performed application \ saml \ web-service \ oauth2 \ oauth1 \ remote access client \ partner product \ saml idp initiated sso \ unknown
  Is suspicious out int Is the login event identified by the app as suspicious 0=false, 1=true
  Keep user signed-in  cn1 int Will the user stay signed-in if the browser is closed and re-opened (no additional authentication needed) 0=false, 1=true 

 

Login Failed

This event is sent when a user fails to login into the application

Field Type Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID signature ID String   sk4-login-failed
  SkyFormation event name name String   login-failed
  SkyFormation event category cat String   access
SkyFormation Application Class Fields Entire Available Fields        
Event Specific Login type cs1 String The type of login performed application \ saml \ web-service \ oauth2 \ oauth1 \ remote access client \ partner product \ saml idp initiated sso \ unknown
  Is suspicious out int Is the login event identified by the app as suspicious 0=false, 1=true
  Failure reason reason String Failed login reason as stated by the orig app  
  Number of failed login cn1 long Number of failed login since last successful login  

 

Logout

This event is sent when a user logs out of the application

Field Type Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID signature ID String   sk4-logout
  SkyFormation event name name String   logout
  SkyFormation event category cat String   access
SkyFormation Application Class Fields Entire Available Fields        
Event Specific Login type cs1 String The type of login performed application \ saml \ web-service \ oauth2 \ oauth1 \ remote access client \ partner product \ saml idp initiated sso \ unknown

 

User Locked Out

This event is sent when a user is locked out of the application

Field Type Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID signature ID String   sk4-user-locked-out
  SkyFormation event name name String   user-locked-out
  SkyFormation event category cat String   access
SkyFormation Application Class Fields Entire Available Fields        
Event Specific Destination user ID type duid Enum The user ID type of the locked-out user email, id, username, display-name, system, anonymous
  Destination user ID duser String The ID value of the locked-out user  
  Lockout reason reason String The lockout reason as stated by the orig app  

 

User Unlocked

This event is sent when a user is unlocked by admin

Field Type Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID signature ID String   sk4-user-unlocked
  SkyFormation event name name String   user-unlockeded
  SkyFormation event category cat String   access
SkyFormation Application Class Fields Entire Available Fields        
Event Specific Destination user ID type duid Enum The ID type of the unlocked user email, id, username, display-name, system, anonymous
  Destination user ID duser String The ID value of the unlocked user  

 

Multi Factor Authentication (MFA) Step

This event is sent when a user authentication requires more than one authentication factor (i.e. an SMS, or hardware token)

Field Type Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID signature ID String   sk4-mfa-step
  SkyFormation event name name String   mfa-step
  SkyFormation event category cat String   access
SkyFormation Application Class Fields Entire Available Fields        
Event Specific Application ID fileId String The application ID protected by the MFA  
  Application name fname String The application name protected by the MFA  
  Is-suspicious out Int Indication for suspicious activity 0 = false (not suspicious), 1 = true (suspicious)
  Factor type cs1 String Type of factor used in the MFA step verification-code,mobile-application,trusted-network,trusted-device
  Time-To-Live(TTL) cs2 String TTL for the verification code Immediate, long-term, infinite (Only for factor-type=verification-code.)
  Is-One-Time-Code in Int Is the verification code a one time 0 = false, 1=true (Only for factor-type=verification-code.)
  Delivery method cs3 String hardware-token, sms, phone-call, authenticator, inside-app Only for factor-type=verification-code.
  Hardware token type cs4 String Type of hardware used for the challange token Only for factor-type=verification-code with delivery-method=hardware-token
  Phone number cs5 String The phone number to recieve the verification code Only for factor-type=verification-code with delivery-method=sms OR phone-call
  Authenticator name deviceExternalId String The name of the authenticator Only for factor-type=verification-code with delivery-method=authenticator
  Generated-by act String Who generated the verification code self, admin Only for factor-type=verification-code with delivery-method=inside-app
  Mobile application name dpriv String Mobile app used to verify the code Only for factor-type=mobile-application
  Mobile application vendor oldFileHash String Vendor of the mobile app used to verify the code Only for factor-type=mobile-application

 

Category: User Management

This category contains events around user management issues, such as user creation, deletion and suspension.

 

User Added

This event is sent when a user is a new user is created

Field Type Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID signature ID String   sk4-user-unlocked
  SkyFormation event name name String   user-unlockeded
  SkyFormation event category cat String   user-management
SkyFormation Application Class Fields Entire Available Fields        
Event Specific Destination user ID type duid Enum The ID type of the added user email, id, username, display-name, system, anonymous
  Destination user ID duser String The ID value of the added user  

 

User Invited

This event is sent when a user is invited to join the organization

Field Type Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID signature ID String   sk4-user-invited
  SkyFormation event name name String   user-invited
  SkyFormation event category cat String   user-management
SkyFormation Application Class Fields Entire Available Fields        
Event Specific Destination user ID type duid Enum The ID type of the invited user email, id, username, display-name, system, anonymous
  Destination user ID duser String The ID value of the added user  
  Destination org unit cs1 String Name of organization unit the user is invited to join  

 

User Invite canceled

This event is sent when an invitation previously issued to join the organization was canceled

Field Type Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID signature ID String   sk4-user-invited-canceled
  SkyFormation event name name String   user-invited-canceled
  SkyFormation event category cat String   user-management
SkyFormation Application Class Fields Entire Available Fields        
Event Specific Destination user ID type duid Enum The ID type of the user his invitation was canceled email, id, username, display-name, system, anonymous
  Destination user ID duser String The ID value of the user his invitation was canceled  
  Destination org unit cs1 String Name of organization unit the user was invited to join  

 

User Deleted

This event is sent when a user is deleted

Field Type Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID signature ID String   sk4-user-deleted
  SkyFormation event name name String   user-deleted
  SkyFormation event category cat String   user-management
SkyFormation Application Class Fields Entire Available Fields        
Event Specific Destination user ID type duid Enum The ID type of the deleted user email, id, username, display-name, system, anonymous
  Destination user ID duser String The ID value of the deleted user  

 

User Undeleted

This event is sent when a deleted user is undeleted

Field Type Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID signature ID String   sk4-user-undeleted
  SkyFormation event name name String   user-undeleted
  SkyFormation event category cat String   user-management
SkyFormation Application Class Fields Entire Available Fields        
Event Specific Destination user ID type duid Enum The ID type of the undeleted user email, id, username, display-name, system, anonymous
  Destination user ID duser String The ID value of the undeleted user  

 

User Suspended

This event is sent when a user account is being suspended by another user

Field Type Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID signature ID String   sk4-user-suspended
  SkyFormation event name name String   user-suspended
  SkyFormation event category cat String   user-management
SkyFormation Application Class Fields Entire Available Fields        
Event Specific Destination user ID type duid Enum The ID type of the undeleted user email, id, username, display-name, system, anonymous
  Destination user ID duser String The ID value of the undeleted user  
  Reason reason String The reason for the user suspension  

 

User Unsuspended

This event is sent when a user account is being unsuspended by another user

Field Type Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID     sk4-user-unsuspended
  SkyFormation event name name String   user-unsuspended
  SkyFormation event category cat String   user-management
SkyFormation Application Class Fields Entire Available Fields        
Event Specific Destination user ID type duid Enum The ID type of the undeleted user email, id, username, display-name, system, anonymous
  Destination user ID duser String The ID value of the undeleted user  

 

User Updated

This event is sent when a user’s profile has been updated

Field Type Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-user-updated
  SkyFormation event name name String   user-updated
  SkyFormation event category cat String   user-management
SkyFormation Application Class Fields Entire Available Fields        
Event Specific Destination User ID type duid Enum The ID type of the undeleted user email, id, username, display-name, system, anonymous
  Destination User ID duser String The ID value of the undeleted user  
  Property name cs3 String The name of the updated property  
  New number value cn1 Integer The new integer value of the updated property  
  Old number value cn2 Integer The old integer value of the updated property  
  New FPointvalue cfp1 Floating point The new floating point value of the updated property  
  Old FPointvalue cfp2 Floating point The old floating point value of the updated property  
  New string value cs1 String The new string value of the updated property  
  Old string value cs2 String The old string value of the updated property  
  New date value deviceCustomDate1 Date The new date value of the updated property  
  Old date value deviceCustomDate2 Date The old date value of the updated property  

 

Category: Password Management

This category includes events around password management, by user or admin

 

Password Reset

This event is sent when a self password reset is sent (For example, “I forgot my password” scenario) or when password is reset by an administrator.

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-password-reset
  SkyFormation event name name String   password-reset
  SkyFormation event category cat String   password-management
SkyFormation Application Class Fields Entire Available Fields        
  Destination user type duid Enum   email, id, username, display-name, system, anonymous
  Destination User duser String    
  Reset by cs1 Enum Is it a self reset or reset by admin self \ admin
  Outcome outcome Enum   success \ failure
  Effective from cs2 Enum When will come into effect immediately \ next-login

 

Password Changed

This event is sent when a user password has been changed by the user or admin

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-password-changed
  SkyFormation event name name String   password-changed
  SkyFormation event category cat String   password-management
SkyFormation Application Class Fields Entire Available Fields        
  Destination user type duid Enum   email, id, username, display-name, system, anonymous
  Destination User duser String    
  Outcome outcome Enum   success \ failure

 

Category: Privilege Management

This category includes events around privileges and permissions management for users and groups. Authorization group is equivalent to “Role” in some applications.

 

Authorization group cloned

This event is sent when a new authorization group (aka Role) is cloned from another Authorization group 

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-authorization-group-cloned
  SkyFormation event name name String   authorization-group-cloned
  SkyFormation event category cat String   privilege-management
SkyFormation Application Class Fields Entire Available Fields        
  Authorization group type ftype String The type of authorization group in the application terminology Common values: group, role, profile
  Authorization group name fname String The cloned authorization group friendly name  
  Authorization group privilege spriv Enum What is the authorization group level of privileges system-administrator, n/a
  Cloned from cs1 String Name of the original group from which cloned  

 

Authorization group created

This event is sent when a new authorization group is created 

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-authorization-group-created
  SkyFormation event name name String   authorization-group-created
  SkyFormation event category cat String   privilege-management
SkyFormation Application Class Fields Entire Available Fields        
  Authorization group type ftype String The type of authorization group in the application terminology Common values: group, role, profile
  Authorization group name fname String The created authorization group friendly name  

 

Authorization group deleted

This event is sent when a new authorization group is deleted 

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-authorization-group-deleted
  SkyFormation event name name String   authorization-group-deleted
  SkyFormation event category cat String   privilege-management
SkyFormation Application Class Fields Entire Available Fields        
  Authorization group type ftype String The type of authorization group in the application terminology Common values: group, role, profile
  Authorization group name fname String The deleted authorization group friendly name  

 

Authorization group updated

This event is sent when a new authorization group is created 

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-authorization-group-updated
  SkyFormation event name name String   authorization-group-updated
  SkyFormation event category cat String   privilege-management
SkyFormation Application Class Fields Entire Available Fields        
  Authorization group type ftype String The type of authorization group in the application terminology Common values: group, role, profile
  Authorization group name fname String The updated authorization group friendly name  
  Property name cs3 String The name of the updated property  
  New number value cn1 Integer The new integer value of the updated property  
  Old number value cn2 Integer The old integer value of the updated property  
  New FPointvalue cfp1 Floating point The new floating point value of the updated property  
  Old FPointvalue cfp2 Floating point The old floating point value of the updated property  
  New string value cs1 String The new string value of the updated property  
  Old string value cs2 String The old string value of the updated property  
  New date value deviceCustomDate1 Date The new date value of the updated property  
  Old date value deviceCustomDate2 Date The old date value of the updated property  

 

Authorization group renamed

This event is sent when a new authorization group is renamed 

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-authorization-group-renamed
  SkyFormation event name name String   authorization-group-renamed
  SkyFormation event category cat String   privilege-management
SkyFormation Application Class Fields Entire Available Fields        
  Authorization group type ftype String The type of authorization group in the application terminology Common values: group, role, profile
  Authorization group New Name fname String The new name of the authorization group  
  Authorization group Old Name cs1 String The old name of the authorization group  

 

Authorization group assigned

This event is sent when an authorization group is assigned to a user, or other authorization group

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-authorization-group-assigned
  SkyFormation event name name String   authorization-group-assigned
  SkyFormation event category cat String   privilege-management
SkyFormation Application Class Fields Entire Available Fields        
  Authorization Group type ftype String The type of the assigned authorization group in the application terminology Common values: group, role, profile
  Authorization Group name fname String The assigned authorization group friendly name  
  Destination user type duid Enum   email, id, username, display-name, system, anonymous
  Destination user duser String The identifier value of the user assigned with the privileges  
  Destination authorization group type cs1 String The type of authorization group the authorization group was assigned to Common values: group, role, profile
  Destination authorization group name cs2 String The name of the authorization group assigned with the privileges  
  Scope restriction cs3 String Identifying attributes of the scope to which the group was assigned :: :: OR :: ::

 

Authorization group unassigned

This event is sent when an authorization group is unassigned to a user, or other authorization group

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-authorization-group-unassigned
  SkyFormation event name name String   authorization-group-unassigned
  SkyFormation event category cat String   privilege-management
SkyFormation Application Class Fields Entire Available Fields        
  Authorization Group type ftype String The type of the unassigned authorization group in the application terminology Common values: group, role, profile
  Authorization Group name fname String The unassigned authorization group friendly name  
  Destination user type duid Enum The type of identifier of the user the authorization group was unassigned from email, id, username, display-name, system, anonymous
  Destination User duser String The identifier value of the user unassigned with the privileges  
  Destination Authorization group type cs1 String The type of authorization group unassigned from Common values: group, role, profile
  Destination Authorization group name cs2 String The name of the authorization group unassigned with the privileges  
  Scope restriction cs3 String Identifying attributes of the scope to which the group was assigned :: :: OR :: ::

 

Authorization group replaced

This event is sent when an authorization group is replaced from a user, or other authorization group to another

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-authorization-group-replaced
  SkyFormation event name name String   authorization-group-replaced
  SkyFormation event category cat String   privilege-management
SkyFormation Application Class Fields Entire Available Fields        
  Authorization Group type ftype String The type of the replaced authorization group in the app terminology Common values: group, role, profile
  Authorization Group name fname String The replaced authorization group friendly name  
  Destination user type duid Enum The type of identifier of the user the authorization group was replaced to email, id, username, display-name, system, anonymous
  Destination user duser String The identifier value of the user the privileges were replaced to  
  Destination authorization group type cs1 String The type of authorization group replaced from Common values: group, role, profile
  Destination authorization group name cs2 String The name of the authorization group replaced with the privileges  
  Origin authorization group name cs3 String    

 

Permission updated

This event is sent when a permission is added, removed or replaced from either a user or authorization group

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-permissions-updated
  SkyFormation event name name String   permissions-updated
  SkyFormation event category cat String   privilege-management
SkyFormation Application Class Fields Entire Available Fields        
  Destination user type duid Enum The type of identifier of the user the permission was updated to email, id, username, display-name, system, anonymous
  Destination User duser String The identifier value of the user the permission was updated to  
  Destination authorization group type cs1 String The type of authorization group the permission were updated to Common values: group, role, profile
  Destination authorization group name cs2 String The name of the authorization group updated with the permissions  
  Permission action act Enum Whether the permission was added, removed etc added, removed,  set
  Permission type cs4 Enum The entity level the permission was assigned to general, type-level, field-level, instance-level
  Object type ftype String Holds entitys type for type and instance level Holds :: for field level Empty for general  
  Object ID fid String May hold the object ID if permission refer to specific instance  
  Object name fname String May hold the object name if permission refer to specific instance  
  Privilege name filePermission String The app friendly name of the permission refered to  
  Scope dpriv String Optional scoping of the permission update  

 

Resource ACL updated

This event is sent when a resource’s (e.g. file/folder) ACL (aka permissions) had been updated – removed, added or updated

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-resource-acl-updated
  SkyFormation event name name String   resource-acl-updated
  SkyFormation event category cat String   privilege-management
SkyFormation Application Class Fields Entire Available Fields        
  Resource type ftype Enum The type of resources the ACL were updated to File, Folder, App Entity
  Resource name fname String The name of the resource ACL were updated to  
  Permission Action act Enum Whether the ACL were added, removed etc added, removed,  set
  Grantee user type duid Enum The type of identifier of the user the ACL were updated to email, id, username, display-name, system, anonymous
  Grantee User duser String The identifier value of the user the ACL were updated to  
  Grantee group type cs1 String The type of group the ACL were updated to Common values: group, role, profile
  Grantee group name cs2 String The name of the group updated with the ACL. Note: on action updated, this is the new grantee  
  Grantee scope cs3 Enum The scope of the ACL change (e.g. internal, external with public) public, public-with-link, within-organization, within-organization-with-link, public-authenticated
  Permission filePermission String ACL name. When action is updated, this is the new value  
  Old grantee dpriv String When action is updated and grantee was changed, this is either Grantee user (of same type as duid) or Group name (of same type of cs3)  

 

Permissions requested

This event is sent when permissions are requested for/by as user

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-permissions-requested
  SkyFormation event name name String   permissions-requested
  SkyFormation event category cat String   privilege-management
SkyFormation Application Class Fields Entire Available Fields        
  Resource type ftype Enum The type of resources the ACL were requested for File, Folder, App Entity
  Resource name fname String The name of the resource ACL were requested for  
  Grantee user type duid Enum The type of identifier of the user the ACL were requested for email, id, username, display-name, system, anonymous
  Grantee User duser String The identifier value of the user the ACL were requested for  
  Grantee group type cs1 String The type of group the ACL were requested for Common values: group, role, profile
  Grantee group name cs2 String The name of the group ACL were requested for  
  Grantee scope cs3 Enum The scope of the ACL requested (e.g. internal, external with public) public, public-with-link, within-organization, within-organization-with-link, public-authenticated
  Permission type cs4 Enum The entity level the permission were requested for general, type-level, field-level, instance-level
  Object type ftype String Holds entitys type for type and instance level Holds :: for field level Empty for general  
  Object ID fid String May hold the object ID if permission refer to specific instance  
  Object name fname String May hold the object name if permission refer to specific instance  
  Privilege name filePermission String The app friendly name of the permission refered to  
  Scope dpriv String Optional scoping of the permission update  

 

Category: Application Data

This category includes events around data access and manipulation.

 

Resource Viewed

This event is sent when a resource (e.g. file/folder/object) has been viewed

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-resource-viewed
  SkyFormation event name name String   resource-viewed
  SkyFormation event category cat String   application-data
SkyFormation Application Class Fields Entire Available Fields        
  Resource type ftype Enum The type of resource viewed File, Folder, App Entity
  Resource name fname String The name of the resource viewed  
  Resource owner user type duid Enum The type of identifier of the user own the resource email, id, username, display-name, system, anonymous
  Resource owner user duser String User identifier value  

 

Resource Created

This event is sent when a resource (e.g. file/folder/object) has been added

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-resource-created
  SkyFormation event name name String   resource-created
  SkyFormation event category cat String   application-data
SkyFormation Application Class Fields Entire Available Fields        
  Resource type ftype Enum The type of resource created File, Folder, App Entity
  Resource name fname String The name of the resource created  
  Resource owner user type duid Enum The type of identifier of the user own the resource email, id, username, display-name, system, anonymous
  Resource owner user duser String User identifier value  

 

Resource Created or Updated

This event is sent when it is unknown whether a resource (e.g. file/folder/object) has been added or an existing one updated, but it is one or the other

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-resource-created-or-updated
  SkyFormation event name name String   resource-created-or-updated
  SkyFormation event category cat String   application-data
SkyFormation Application Class Fields Entire Available Fields        
  Resource type ftype Enum The type of resource created or updated File, Folder, App Entity
  Resource name fname String The name of the resource created or updated  
  Resource owner user type duid Enum The type of identifier of the user own the resource email, id, username, display-name, system, anonymous
  Resource owner user duser String User identifier value  

 

Resource Uploaded

This event is sent when a resource (e.g. file/folder/object) has been uploaded to the service

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-resource-uploaded
  SkyFormation event name name String   resource-uploaded
  SkyFormation event category cat String   application-data
SkyFormation Application Class Fields Entire Available Fields        
  Resource type ftype Enum The type of resource uploaded File, Folder, App Entity
  Resource name fname String The name of the resource uploaded  
  Resource owner user type duid Enum The type of identifier of the user own the resource email, id, username, display-name, system, anonymous
  Resource owner user duser String User identifier value  

 

Resource Cloned

This event is sent when a resource (e.g. file/folder/object) has been cloned from another resource

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-resource-cloned
  SkyFormation event name name String   resource-cloned
  SkyFormation event category cat String   application-data
SkyFormation Application Class Fields Entire Available Fields        
  Resource type ftype Enum The type of resource cloned File, Folder, App Entity
  Resource name fname String The name of the resource cloned  
  Resource owner user type duid Enum The type of identifier of the user own the resource email, id, username, display-name, system, anonymous
  Resource owner user duser String User identifier value  
  Origin resource name cs1 String The origin name of the cloned resource  

 

Resource Downloaded

This event is sent when a resource (e.g. file/folder/object) has been downloaded

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-resource-downloaded
  SkyFormation event name name String   resource-downloaded
  SkyFormation event category cat String   application-data
SkyFormation Application Class Fields Entire Available Fields        
  Resource type ftype Enum The type of resource downloaded File, Folder, App Entity
  Resource name fname String The name of the resource downloaded  
  Resource owner user type duid Enum The type of identifier of the user own the resource email, id, username, display-name, system, anonymous
  Resource owner user duser String User identifier value  

 

Resource Deleted

This event is sent when a resource (e.g. file/folder/object) has been deleted

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-resource-deleted
  SkyFormation event name name String   resource-deleted
  SkyFormation event category cat String   application-data
SkyFormation Application Class Fields Entire Available Fields        
  Resource type ftype Enum The type of resource deleted File, Folder, App Entity
  Resource name fname String The name of the resource deleted  
  Resource owner user type duid Enum The type of identifier of the user own the resource email, id, username, display-name, system, anonymous
  Resource owner user duser String User identifier value  

 

Resource Undeleted

This event is sent when a resource (e.g. file/folder/object) has been undeleted

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-resource-undeleted
  SkyFormation event name name String   resource-undeleted
  SkyFormation event category cat String   application-data
SkyFormation Application Class Fields Entire Available Fields        
  Resource type ftype Enum The type of resource undeleted File, Folder, App Entity
  Resource name fname String The name of the resource undeleted  
  Resource owner user type duid Enum The type of identifier of the user own the resource email, id, username, display-name, system, anonymous
  Resource owner user duser String User identifier value  

 

Resource Content Updated

This event is sent when a resource (e.g. file/folder/object) content has been updated

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-resource-content-update
  SkyFormation event name name String   resource-content-update
  SkyFormation event category cat String   application-data
SkyFormation Application Class Fields Entire Available Fields        
  Resource type ftype Enum The type of resource content updated File, Folder, App Entity
  Resource name fname String The name of the resource content updated  
  Resource owner user type duid Enum The type of identifier of the user own the resource email, id, username, display-name, system, anonymous
  Resource owner user duser String User identifier value  

 

Resource Property Updated

This event is sent when a resource (e.g. file/folder/object) property has been updated

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-resource-properties-updated
  SkyFormation event name name String   resource-properties-updated
  SkyFormation event category cat String   application-data
SkyFormation Application Class Fields Entire Available Fields        
  Resource type ftype Enum The type of resource properties updated File, Folder, App Entity
  Resource name fname String The name of the resource properties updated  
  Resource owner user type duid Enum The type of identifier of the user own the resource email, id, username, display-name, system, anonymous
  Resource owner user duser String User identifier value  
  Property name cs3 String The name of the property updated  
  New number value cn1 Integer The new integer value of the updated property  
  Old number value cn2 Integer The old integer value of the updated property  
  New FPointvalue cfp1 Floating point The new floating point value of the updated property  
  Old FPointvalue cfp2 Floating point The old floating point value of the updated property  
  New string value cs1 String The new string value of the updated property  
  Old string value cs2 String The old string value of the updated property  
  New date value deviceCustomDate1 Date The new date value of the updated property  
  Old date value deviceCustomDate2 Date The old date value of the updated property  

 

Resource Renamed

This event is sent when a resource (e.g. file/folder/object) has been renamed

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-resource-renamed
  SkyFormation event name name String   resource-content-renamed
  SkyFormation event category cat String   application-data
SkyFormation Application Class Fields Entire Available Fields        
  Resource type ftype Enum The type of resource renamed File, Folder, App Entity
  Resource name fname String The name of the resource renamed  
  Resource owner user type duid Enum The type of identifier of the user own the resource email, id, username, display-name, system, anonymous
  Resource owner user duser String User identifier value  
  New resource name cs1 String The new resource name  
  Origin resource name cs2 String The origin resource name  

 

Resource Moved

This event is sent when a resource (e.g. file/folder/object) has been moved from one place (container) to another

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-resource-moved
  SkyFormation event name name String   resource-content-moved
  SkyFormation event category cat String   application-data
SkyFormation Application Class Fields Entire Available Fields        
  Resource type ftype Enum The type of resource moved File, Folder, App Entity
  Resource name fname String The name of the resource moved  
  Resource owner user type duid Enum The type of identifier of the user own the resource email, id, username, display-name, system, anonymous
  Resource owner user duser String User identifier value  
  New resource name/path cs1 String The new resource name  
  Origin resource name/path cs2 String The origin resource name  

 

Resource Event

This event is sent when a message is received/sent/deleted/undeleted/ etc.

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-resource-event
  SkyFormation event name name String   resource-content-event
  SkyFormation event category cat String   application-data
SkyFormation Application Class Fields Entire Available Fields        
  Resource type ftype Enum The type of resource refered message
  Message ID filePath String    
  Applicative name of message type fileHash String The native application name for the type of message as email message  
  Action act String Which operation took place view, create, delete, undelete, send, receive

 

Category: Security Settings

This category includes events that describe security settings changes.

 

Password Policy Updated

This event is sent when the Password Policy of either the entire organization, a specific Org. Unit, or specific user has been modified

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-password-policy-updated
  SkyFormation event name name String   password-policy-updated
  SkyFormation event category cat String   security-settings
SkyFormation Application Class Fields Entire Available Fields        
  Target user type duid Enum The type of identifier of the user made the change email, id, username, display-name, system, anonymous
  Target user duser String User identifier value  
  Scope of change cs4 String What is the system/organizational scope of the change (e.g. module, service, group of users, all). ‘all’ when entire organization is effected  
  Policy property type changed cs3 String What is the password policy property/category type that was changed if known. If other the string format is ‘attr-name’ min-length, max-length, complexity, days-for-expiration,  history, failed-login-before-lockout, minutes-to-auto-unlock, other
  New number value cn1 Integer The new integer value of the updated property  
  Old number value cn2 Integer The old integer value of the updated property  
  New FPointvalue cfp1 Floating point The new floating point value of the updated property  
  Old FPointvalue cfp2 Floating point The old floating point value of the updated property  
  New string value cs1 String The new string value of the updated property  
  Old string value cs2 String The old string value of the updated property  
  New date value deviceCustomDate1 Date The new date value of the updated property  
  Old date value deviceCustomDate2 Date The old date value of the updated property  

 

Mobile Settings Updated

This event is sent when the mobile settings of either the entire organization, a specific Org. Unit, or specific user has been modified

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-mobile-settings-updated
  SkyFormation event name name String   mobile-settings-updated
  SkyFormation event category cat String   security-settings
SkyFormation Application Class Fields Entire Available Fields        
  Target user type duid Enum The type of identifier of the user made the change email, id, username, display-name, system, anonymous
  Target user duser String User identifier value  
  Scope of change cs4 String What is the system/organizational scope of the change (e.g. module, service, group of users, all). ‘all’ when entire organization is effected  
  Policy property name cs3 String What is the name of the mobile policy property/category changed.  
  New number value cn1 Integer The new integer value of the updated property  
  Old number value cn2 Integer The old integer value of the updated property  
  New FPointvalue cfp1 Floating point The new floating point value of the updated property  
  Old FPointvalue cfp2 Floating point The old floating point value of the updated property  
  New string value cs1 String The new string value of the updated property  
  Old string value cs2 String The old string value of the updated property  
  New date value deviceCustomDate1 Date The new date value of the updated property  
  Old date value deviceCustomDate2 Date The old date value of the updated property  

 

Authentication Settings Updated

This event is sent when the Authentication settings of either the entire organization, a specific Org. Unit, or specific user has been modified

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-authn-settings-updated
  SkyFormation event name name String   authn-settings-updated
  SkyFormation event category cat String   security-settings
SkyFormation Application Class Fields Entire Available Fields        
  Target user type duid Enum The type of identifier of the target user affected by the change change email, id, username, display-name, system, anonymous
  Target user duser String Target user identifier value  
  Scope of change cs4 String What is the system/organizational scope of the change (e.g. module, service, group of users, all). ‘all’ when entire organization is effected  
  Policy property type updated cs3 Enum What is the type of policy updated . two-factored-authentication
  New string value cs1 String for attribute “two-factored-authentication” possibled values: “enabled”, “disabled”  
  Old string value cs2 String for attribute “two-factored-authentication” possibled values: “enabled”, “disabled”  

 

Network Access Updated

This event is sent when the network access IP restrictions have been modified

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-network-access-updated
  SkyFormation event name name String   network-access-updated
  SkyFormation event category cat String   security-settings
SkyFormation Application Class Fields Entire Available Fields        
  Action act Enum What was the type of access action performed added, removed,  updated
  New value cs1 String No value for “removed” action Optional in “updated” action Example: “192.10.0.0-192.10.0.255”
  Old value cs2 String No value for “added” action Optional in “updated” action Example: “192.10.0.0-192.10.0.255”
  Restriction name cs3 String    

 

SSO Enabled

This event is sent when SSO authentication to the account is enabled

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-sso-enabled
  SkyFormation event name name String   sso-enabled
  SkyFormation event category cat String   security-settings
SkyFormation Application Class Fields Entire Available Fields        

 

SSO Disabled

This event is sent when SSO authentication to the account is disabled

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-sso-disabled
  SkyFormation event name name String   sso-disabled
  SkyFormation event category cat String   security-settings
SkyFormation Application Class Fields Entire Available Fields        

 

SSO Provider Added

This event is sent when a new SSO provider is added

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-sso-provider-added
  SkyFormation event name name String   sso-provider-added
  SkyFormation event category cat String   security-settings
SkyFormation Application Class Fields Entire Available Fields        
  Provider name fname string    
  Provider issuer ftype string    

 

SSO Provider Deleted

This event is sent when SSO provider is deleted

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-sso-provider-deleted
  SkyFormation event name name String   sso-provider-deleted
  SkyFormation event category cat String   security-settings
SkyFormation Application Class Fields Entire Available Fields        
  Provider name fname string    
  Provider issuer ftype string    

 

SSO Provider Renamed

This event is sent when SSO provider is renamed

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-sso-provider-renamed
  SkyFormation event name name String   sso-provider-renamed
  SkyFormation event category cat String   security-settings
SkyFormation Application Class Fields Entire Available Fields        
  New provider name fname string    
  Provider issuer ftype string    
  Origin provider name cs2 string    

 

SSO Provider Updated

This event is sent when SSO provider is updated

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-sso-provider-updated
  SkyFormation event name name String   sso-provider-updated
  SkyFormation event category cat String   security-settings
SkyFormation Application Class Fields Entire Available Fields        
  Provider name fname string    
  Provider issuer ftype string    
  Updated property name cs3 String What is the name of the SSO provider property/category changed.  
  New number value cn1 Integer The new integer value of the updated property  
  Old number value cn2 Integer The old integer value of the updated property  
  New FPointvalue cfp1 Floating point The new floating point value of the updated property  
  Old FPointvalue cfp2 Floating point The old floating point value of the updated property  
  New string value cs1 String The new string value of the updated property  
  Old string value cs2 String The old string value of the updated property  
  New date value deviceCustomDate1 Date The new date value of the updated property  
  Old date value deviceCustomDate2 Date The old date value of the updated property  

 

Category: Mobile Device Management

This category includes events that describe events related to mobile device management in the organization.

 

Mobile device approved

This event is sent when a new mobile device is approved for use within the organization

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-mobile-device-approved
  SkyFormation event name name String   mobile-device-approved
  SkyFormation event category cat String   device-management
SkyFormation Application Class Fields Entire Available Fields        
  Destination user type duid Enum The type of identifier of the user own the device approved email, id, username, display-name, system, anonymous
  Destination user duser String The identifier/name of the user own the device approved  
  Target Device id deviceExternalId String    
  Target Device type deviceFacility String    
  Reason reason String The reason the device was approved  

 

Mobile device blocked

This event is sent when a mobile device is blocked for use within the organization

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-mobile-device-blocked
  SkyFormation event name name String   mobile-device-blocked
  SkyFormation event category cat String   device-management
SkyFormation Application Class Fields Entire Available Fields        
  Destination user type duid Enum The type of identifier of the user own the device blocked email, id, username, display-name, system, anonymous
  Destination user duser String The identifier/name of the user own the device blocked  
  Target Device id deviceExternalId String    
  Target Device type deviceFacility String    
  Reason reason String The reason the device was blocked  

 

Mobile device unblocked

This event is sent when a mobile device previously blocked for use within the organization, is now unblocked

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-mobile-device-unblocked
  SkyFormation event name name String   mobile-device-unblocked
  SkyFormation event category cat String   device-management
SkyFormation Application Class Fields Entire Available Fields        
  Destination user type duid Enum The type of identifier of the user own the device unblocked email, id, username, display-name, system, anonymous
  Destination user duser String The identifier/name of the user own the device unblocked  
  Target Device id deviceExternalId String    
  Target Device type deviceFacility String    
  Reason reason String The reason the device was unblocked  

 

Mobile device deleted

This event is sent when a mobile device previously approved for use within the organization has been deleted from the records

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-mobile-device-deleted
  SkyFormation event name name String   mobile-device-deleted
  SkyFormation event category cat String   device-management
SkyFormation Application Class Fields Entire Available Fields        
  Destination user type duid Enum The type of identifier of the user own the device deleted email, id, username, display-name, system, anonymous
  Destination user duser String The identifier/name of the user own the device deleted  
  Target Device id deviceExternalId String    
  Target Device type deviceFacility String    
  Reason reason String The reason the device was deleted  

 

Mobile device undeleted

This event is sent when a mobile device previously approved for use within the organization and has been deleted from the records has now been undeleted

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-mobile-device-undeleted
  SkyFormation event name name String   mobile-device-undeleted
  SkyFormation event category cat String   device-management
SkyFormation Application Class Fields Entire Available Fields        
  Destination user type duid Enum The type of identifier of the user own the device undeleted email, id, username, display-name, system, anonymous
  Destination user duser String The identifier/name of the user own the device undeleted  
  Target Device id deviceExternalId String    
  Target Device type deviceFacility String    
  Reason reason String The reason the device was undeleted  

 

Mobile device wiped

This event is sent when a mobile device’s content has been wiped

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-mobile-device-wiped
  SkyFormation event name name String   mobile-device-wiped
  SkyFormation event category cat String   device-management
SkyFormation Application Class Fields Entire Available Fields        
  Destination user type duid Enum The type of identifier of the user own the device wiped email, id, username, display-name, system, anonymous
  Destination user duser String The identifier/name of the user own the device wiped  
  Target Device id deviceExternalId String    
  Target Device type deviceFacility String    
  Reason reason String The reason the device was wiped  

 

Mobile device unwiped

This event is sent when a mobile device’s content that has been previously wiped has been unwiped

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-mobile-device-unwiped
  SkyFormation event name name String   mobile-device-unwiped
  SkyFormation event category cat String   device-management
SkyFormation Application Class Fields Entire Available Fields        
  Destination user type duid Enum The type of identifier of the user own the device unwiped email, id, username, display-name, system, anonymous
  Destination user duser String The identifier/name of the user own the device unwiped  
  Target Device id deviceExternalId String    
  Target Device type deviceFacility String    
  Reason reason String The reason the device was unwiped  

 

Category: Integration

This category includes events that describe integration changes.

 

Integration Added

This event is sent when a new third party integration with the governed account is added

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-integration-added
  SkyFormation event name name String   integration-added
  SkyFormation event category cat String   integration
SkyFormation Application Class Fields Entire Available Fields        
  Integration id fileId String The integrated app id in the cloud app native syntax  
  Integration name fname String The integrated app name in the cloud app native syntax  

 

Integration Deleted

This event is sent when a third party integration with the governed account is deleted

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-integration-deleted
  SkyFormation event name name String   integration-deleted
  SkyFormation event category cat String   integration
SkyFormation Application Class Fields Entire Available Fields        
  Integration id fileId String The integrated app id in the cloud app native syntax  
  Integration name fname String The integrated app name in the cloud app native syntax  

 

Integration Blocked

This event is sent when a third-party integration with the governed account is blocked

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-integration-blocked
  SkyFormation event name name String   integration-blocked
  SkyFormation event category cat String   integration
SkyFormation Application Class Fields Entire Available Fields        
  Integration id fileId String The integrated app id in the cloud app native syntax  
  Integration name fname String The integrated app name in the cloud app native syntax  

 

Integration Unblocked

This event is sent when a third party integration with the governed account is unblocked

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-integration-unblocked
  SkyFormation event name name String   integration-unblocked
  SkyFormation event category cat String   integration
SkyFormation Application Class Fields Entire Available Fields        
  Integration id fileId String The integrated app id in the cloud app native syntax  
  Integration name fname String The integrated app name in the cloud app native syntax  

 

Integration Updated

This event is sent when a configuration of a third party integration with the governed account is updated

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-integration-updated
  SkyFormation event name name String   integration-updated
  SkyFormation event category cat String   integration
SkyFormation Application Class Fields Entire Available Fields        
  Integration id fileId String The integrated app id in the cloud app native syntax  
  Integration name fname String The integrated app name in the cloud app native syntax  
  Updated property name cs3 String What is the name of the integrated app property/category changed.  
  New number value cn1 Integer The new integer value of the updated property  
  Old number value cn2 Integer The old integer value of the updated property  
  New FPointvalue cfp1 Floating point The new floating point value of the updated property  
  Old FPointvalue cfp2 Floating point The old floating point value of the updated property  
  New string value cs1 String The new string value of the updated property  
  Old string value cs2 String The old string value of the updated property  
  New date value deviceCustomDate1 Date The new date value of the updated property  
  Old date value deviceCustomDate2 Date The old date value of the updated property  

 

Category: Identity Service

This category describes identity provider events.

 

Single-Sign-On Access Initiated

This event is sent when an access flow is initiated

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-sso-access-initiated
  SkyFormation event name name String   sso-access-initiated
  SkyFormation event category cat String   identity-service
SkyFormation Application Class Fields Entire Available Fields        
  Application id fileId String The service provider application ID  
  Application name fname String The service provider application name  
  SSO type cs1 String   web, SAML2
  SSO initiatore cs2 String The one who initiated the SSO process Identity Provider (IdP), Service Provider (SP)

 

Category: Audit

This category includes events that were not previously modeled by this document

 

Audit event

This event is sent when an unknown event occurs, one that is not modeled in this document.

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-audit
  SkyFormation event name name String   integraudit
  SkyFormation event category cat String   integration

 

Category: Network Traffic

This category describes firewall related events.

 

SkyFormation Network Traffic Class Fields

Shared by all Network Traffic class events and mapped to CEF extension fields

Full Name CEF Key Name Data Type Meaning Value
Start time start Date    
End time end Date    
Source device ID cs1 String Network interface ID  
Source device name cs2 String Network interface name  
Source machine ID deviceExternalId String Machine ID  
Source machine name dvchost String Machine name  
Source account ID cs3 String Service Account ID  
Source account name cs4 String Service account name  
Context requestMethod String Identifier of the resource scope, i.e. AWS’s log stream ARN  
Security Group ID cs5 String Identifier of Network Security Group or Security Group  

 

Traffic Flow

This event is sent for every inbound and outbound traffic event

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-traffic-flow
  SkyFormation event name name String   traffic-flow
  SkyFormation event category cat String   network-traffic
SkyFormation Application Class Fields Entire Available Fields        
  Source IP src Ipv4 \ Ipv6    
  Source port spt Integer    
  Destination IP dst ipv4 \ ipv6    
  Destination port dpt Integer    
  Traffic direction deviceDirection Integer 0 / 1 0 for inbound  and 1 for outbound
  Protocol proto String   Communication protocol
  Firewall action act Enum accept, reject  
  Number of packets cn1 Integer Number of packets sent or received  
  Number of inbound bytes in Integer Number of bytes received  
  Number of outbound bytes out Integer Number of bytes sent  

 

No Traffic

This event is sent after a communication quite period – a time period with no inbound and outbound communication

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-no-traffic
  SkyFormation event name name String   no-traffic
  SkyFormation event category cat String   network-traffic
SkyFormation Application Class Fields Entire Available Fields        

 

Traffic Logging Skipped

This event is sent after a time period in which traffic data was not audited usually as a result of failure

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-traffic-logging-skipped
  SkyFormation event name name String   traffic-logging-skipped
  SkyFormation event category cat String   network-traffic
SkyFormation Application Class Fields Entire Available Fields        

 

Category: Monitoring

This category describes monitoring related events.

Note: does not share attributes from the common base attributes

 

Metric Alert

This event is sent for every metric rule alert

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-metric-alert
  SkyFormation event name name String   metric-alert
  SkyFormation event category cat String   monitoring
  Reason reason String The reason for the alert in app syntax  
  Metric freindly name fname String Name assigned by person created the metric  
  Metric formal name filePath String Metric name provided by the cloud app  
  Metric namespace requestContext String    
  Metric operator act String    
  Metric threshold cfp1 Float    
  Time period cfp2 Float    
  Time unit fileHash String seconds  

 

Category: Security Alert

This category describes security alerts events.

Security Threat Detected

This event is sent when a security service/tool detects a threat as maleware/IOC

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID (SkyFormation) Event ID signature ID String   sk4-security-threat-detected
  (SkyFormation) Event name name String   security-threat-detected
  (SkyFormation) Event category cat String   security-alert
  Detection Details    (SkyFormation) Threat category dpriv String   DLP,
MALWARE,
PUA_PUP,
THREAT_DETECTION,
COMPLIANCE,
METRIC,
ADVISORY,
SPAM,
UNSAFE_LINKS,
ANOMALY,
PHISH,
IMPOSTOR,
COMPROMISED_CREDENTIALS,
UNCATEGORIZED
(SkyFormation) Confidence level cn3 Number    
(Source) Detection engine name requestContext String    
(Source) Threat subclass / Policy sub class app String    
(Source) Threat/policy name proto String    
(Source) Threat/policy id dpid String    
(SkyFormation) Violating / Non violating cn1 Boolean    
       Suspicious/Triggering resource     (Source) Suspicious/triggering resource name fname String    
(SkyFormation) Suspicious/triggering resource Type fileType String    
(Source) Suspicious/triggering resource ID filePath String    
(Source) Suspicious resource hash value  fileHash String    
(Source) Suspicious resource hash Type filePermission String    
(Source) Suspicious resource parent (process) name deviceProcessName String    
(Source)Suspicious resource parent (process) hash value deviceFacility String    
(Source) Suspicious resource parent (process) ID spid String    
(Source) Details of the suspected/triggering resource reason  String    
(SkyFormation) Suspicious/triggering resource related resource type oldFile String    
(Source) Suspicious/triggering resource related resource name fieldId String    
(Source) Suspicious/triggering resource related resource id oldFileName String    
 Affected/Source device details      (SkyFormation) Affected/Source Device Category dvchost String    
(source) Affected/Source Device Name extenralID String    
(Source) Affected/Source Device Id Ignore String    
(Source) Affected/Source Device IP src String    
(Source) Affected/Source Device MAC deviceMacAddress String    
(Source) Affected/Source Device OS deviceNtDomain String    
(Source) Affected/Source Device OS version deviceDnsDomain String    
(Source) Affected/Source Device Country shost String    
(Source) Affected/Source Device City deviceExternalId String    
(Source) Affected/Source Device Latitude cfp3 Number    
(Source) Affected/Source Device Longitude cfp4 Number    
 Remote IPs (Source) Remote IPs involved in the threat/alert dpt String    
 Suspicious Action (SkyFormation) Triggering action act String    
(SkyFormation) Triggering action status deviceDirection String    
(Source) Triggering action status msg sourceDnsDomain String    
 Actor    (SkyFormation)Actor type sntdom String    
(SkyFormation) Actor Identifier Type suid String    
(Source) Actor Identifier suser String    
(SkyFormation) Delegated Identifier type spriv String    
(Source) Delegated Identifier sproc String    
 Target Resource   (SkyFormation) Target Resource Type oldFileType String    
(Source) Target Resource Name oldFilePath String    
(Source) Target Resource hash Type oldFileId String    
(Source) Target Resource hash value oldFileHash String    
 Target Device   (Source) Target Host Name dhost String    
(SkyFormation) Target Device Category destinationTranslatedAddress  String    
(Source) Target IP dst String    
(Source) Target MAC dmac String    
(Source) Target Country dntdom String    
(Source) Target City destinationDnsDomain String    
(Source) Target Latitude cfp1 Number    
(Source) Target Longitude cfp2 Number    
 Target User (Source) Target User Identifier duser String    
 Remediation Action Taken, Result  Recommended Action to take   (SkyFormation) Remediation Action Taken outcome String    
(Source) Remediation action result cn2 Number    
(Source) Recommended Action requestedMethod String    

 

Compromised Credentials

This event is sent when someone detects that a principal (e.g. user) credential was found as compromised (e.g. was part of a breach)

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-compromised-credentails
  SkyFormation event name name String   compromised-credentails
  SkyFormation event category cat String   security-alert
  Detected By cs1 String Name of underlying application/service that detected the incident. i.e. Office365’s ATP  
  Reason cs2 String Verbose reason for why this alert was triggered  
  Credential Type cs3 String Type of the credential that was exposed password, private-key

 

Spoof Mail

This event is sent when someone detects that an email was sent from a spoofed address

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-spoof-mail
  SkyFormation event name name String   spoof-mail
  SkyFormation event category cat String   security-alert
  Detected By cs1 String Name of underlying application/service that detected the incident. i.e. Office365’s ATP  
  True Sender Email cs2 String Real email of the sender  
  True Sender IP cs3 String Real IP of the sender password, private-key, other
  Action act String Action that was taken on this email block, other

 

Anomalous SignIn

This event is sent when someone determines that a sign-in activity is anomalous, e.g. after multiple failures, from IP with suspicious activity, from a device that might be infected, from multiple geographies at non-reasonable time differences, from unknown source (IP), irregular/atypical for the user’s normal patterns

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-anomalous-signin
  SkyFormation event name name String   anomalous-signin
  SkyFormation event category cat String   security-alert
  Detected By cs1 String Name of underlying application/service that detected the incident. i.e. Office365’s ATP  
  Reason cs2 String Verbose reason of the trigger Signins From Unknown Source:signins Count=3

 

General Alert

This event is similar to the [SkyFormation Audit Event](#Audit Event) only instead of sending general raw events from cloud applications/services, this event will send alerts ingested from underline cloud applications/services, i.e. an Azure log-analytics custom alert rule was triggered.
We recommend to use this general event only to become familiar with the alerts and whenever a general alert from a specific source should be used for further correlation please engage with support@skyformation.com to explore the option of creating a modeled dedicated alert from it.

Full name Full Name CEF Key Name Data Type Meaning Value/s
SkyFormation Header Fields SkyFormation event ID SkyFormation event ID signature ID String   sk4-general-alert
  SkyFormation event name name String   general-alert
  SkyFormation event category cat String   security-alert
  Name cs1 String Name of the alert as configured in the underlying application, i.e. my-custom-alert-1  
  Description cs2 String Verbose reason of the trigger  

Related articles

Comments

0 comments

Please sign in to leave a comment.