- Version
- Overview
- SkyFormation Header Fields
- SkyFormation Application Class Fields
- Category: Access
- Category: User Management
- Category: Password Management
- Category: Privilege Management
- Category: Application Data
- Category: Security Settings
- Category: Mobile Device Management
- Category: Integration
- Category: Identity Service
- Category: Audit
- Category: Network Traffic
- Category: Monitoring
- Category: Security Alert
Version 2.0
This document represents the SkyFormation Unified Events, version 2.0.
Overview
This document describes the mapping of SkyFormation security events into the CEF format. Based on the technical details below, any CEF-based system can interpret the security events SkyFormation sends from different cloud applications, apply correlation rules to them, and rely on unified terminology across applications.
To comment on this document, or to ask for its latest edition, contact SkyFormation at info@skyformation.com
SkyFormation Header Fields
Shared by all SkyFormation events.
Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
CEF Header Fields | Event time | time | Time and Date | The event creation time as logged by the cloud service | Event time and date
CEF Header Fields | CEF version | version | String | CEF version used by the SkyFormation product to encode events | 2.0
CEF Header Fields | Product vendor | device vendor | String | SkyFormation official vendor name | SkyFormation
CEF Header Fields | SkyFormation product name | device product | String | SkyFormation product name | SkyFormation Cloud Apps Security
CEF Header Fields | SkyFormation product version | device version | String | SkyFormation product version |
CEF Header Fields | SkyFormation event ID | signature ID | String | Unique identifier of the SkyFormation event (e.g. sk4-login-success) | Any SkyFormation unified event name
CEF Header Fields | SkyFormation event name | name | String | Human-readable name of the event, added by SkyFormation (e.g. login-success) |
CEF Header Fields | Event severity | severity | Integer | Severity assigned to the event by the SkyFormation product | 1-10
CEF Extension Fields | SkyFormation event desc | msg | String | Detailed description of the event as produced by SkyFormation |
CEF Extension Fields | Event time | end | Time and Date | The event end time as logged by the cloud service, in milliseconds since the epoch | Event time and date
CEF Extension Fields | SkyFormation event category | cat | String | SkyFormation event category (e.g. User Management) |
CEF Extension Fields | Source app type | destinationServiceName | String | The application type (e.g. Office 365, Salesforce) the event was ingested from |
CEF Extension Fields | Source app module type | sourceServiceName | String | The application module the event was ingested from (e.g. SharePoint in Office 365) |
CEF Extension Fields | Application connector name | requestClientApplication | String | The friendly name given to the SkyFormation connector the event was ingested from (e.g. Corp O365) |
CEF Extension Fields | Connector endpoint name | dproc | String | The name of the application endpoint (aka audit source) the event was ingested from |
CEF Extension Fields | Status code | request | Enum | The request result status | Success, Failure, InProgress
CEF Extension Fields | Severity | dvcpid | Integer | Severity of the event | 1-10 (10 is most severe); 0 to ignore
CEF Extension Fields | Status message | requestCookies | String | The request result message as sent by the application |
CEF Extension Fields | Origin event name | flexString1 | String | The original name of the event as logged by the application in its audit event |
CEF Extension Fields | Origin event message | flexString2 | String | The original description of the event as logged by the application in its audit event |
CEF Extension Fields | Provider account name | deviceProcessName | String | The name of the source app instance (aka account) when multiple apps are audited via a single connector | e.g. AWS account name in a multi-account environment
CEF Extension Fields | Provider account ID | devicePayloadId | String | The ID of the source app instance (aka account) when multiple apps are audited via a single connector | e.g. AWS account ID in a multi-account environment
CEF Extension Fields | Tenant ID | dtz | String | The ID of the tenant the connector is attached to |
CEF Extension Fields | Raw event | cs6 | String | The event as it originally appeared in the cloud application audit log/source |
CEF Extension Fields | Source event ID | deviceInboundInterface | String | The event ID as it originally appeared in the cloud application audit event |
Note that several of these keys (for example dvcpid, dtz, requestCookies and deviceInboundInterface) are standard CEF extension keys reused here with SkyFormation-specific meanings. A collector that applies the standard CEF semantics to a key by name will mislabel these values, so map them by this table rather than by key name.
SkyFormation Application Class Fields
Shared by all application events (every event table below includes them) and mapped to CEF extension fields.
Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---
Source IP | src | IPv4 / IPv6 | Event source IP |
Country | shost | String | Event origin country, by source IP |
City | dhost | String | Event origin city, by source IP |
Latitude | cfp3 | Float | Event origin latitude, by source IP |
Longitude | cfp3 | Float | Event origin longitude, by source IP |
Source user ID | suser | String | The source user ID value (e.g. johnd) of the interactive user or application that triggered the event |
Source user ID type | suid | Enum | The source user ID type (e.g. email) of the interactive user or application that triggered the event | email, id, username, display-name, system, anonymous, application-id, application-login-name, application-name
User privilege level | smac | String | The administrative level of the source user in the source application | admin, privileged, standard, guest
Delegated user ID | sproc | String | The delegated user identifier value (e.g. johnd) when a delegated user was used to trigger the event |
Delegated user ID type | spriv | String | The delegated user ID type (e.g. email) when a delegated user was used to trigger the event | email, id, username, display-name, system, anonymous
Device category | dvchost | Enum | Classification of the client device | Smart TV, Smartphone, Tablet, Personal computer, IoT, Unknown
Agent type | sntdom | Enum | Classification of the client agent | Browser, API, Email client, Feed Reader, Unknown
Agent name | sourceDnsDomain | String | Name of the client agent (Chrome, Firefox, ...) |
Agent version | dntdom | String | Version of the client agent |
Device OS | deviceNtDomain | String | OS name of the client device |
Device OS version | deviceDnsDomain | String | OS version of the client device |
TLS protocol | app | Enum | TLS protocol version used by the client | 1.0, 1.1, 1.2
TLS cipher-suite | destinationDnsDomain | String | TLS cipher suite used by the client |
Latitude and longitude are both listed against cfp3 above; confirm which key your connector version actually emits for longitude before building geo-lookups on it. As with the header fields, src-side keys such as shost, dhost, smac, sproc and spriv carry SkyFormation-specific meanings here, not their standard CEF ones.
Category: Access
System logins and login attempts issued by users.
Login Success
This event is sent when a user successfully logs in to the application.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-login-success
SkyFormation Header Fields | SkyFormation event name | name | String | | login-success
SkyFormation Header Fields | SkyFormation event category | cat | String | | access
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Login type | cs1 | String | The type of login performed | application, saml, web-service, oauth2, oauth1, remote access client, partner product, saml idp initiated sso, unknown
Event Specific | Is suspicious | out | Int | Whether the app identified the login as suspicious | 0 = false, 1 = true
Event Specific | Keep user signed-in | cn1 | Int | Whether the user stays signed in if the browser is closed and reopened (no additional authentication needed) | 0 = false, 1 = true
Login Failed
This event is sent when a user fails to log in to the application.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-login-failed
SkyFormation Header Fields | SkyFormation event name | name | String | | login-failed
SkyFormation Header Fields | SkyFormation event category | cat | String | | access
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Login type | cs1 | String | The type of login performed | application, saml, web-service, oauth2, oauth1, remote access client, partner product, saml idp initiated sso, unknown
Event Specific | Is suspicious | out | Int | Whether the app identified the login as suspicious | 0 = false, 1 = true
Event Specific | Failure reason | reason | String | Failed login reason as stated by the originating app |
Event Specific | Number of failed logins | cn1 | Long | Number of failed logins since the last successful login |
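The login-success and login-failed tables above, together with the header and extension mapping at the start of this document, are enough to write a consumer without a vendor-supplied parser. The following Python is an added example and not SkyFormation code: it splits the CEF header on unescaped pipes, parses the extension key=value pairs (values may contain spaces; `=`, `\` and line breaks arrive escaped), resolves the event-specific meaning of cs1, cn1, out and reason by signature ID, and flags a login-success that follows a run of login-failed events for the same user, reading the run length from cn1 (failed logins since the last success) instead of re-counting. The sample lines, the CEF:0 prefix, device version 1.0, user names, IPs and timestamps are constructed for the example.

```python
"""Parse SkyFormation unified events (CEF) and flag brute-force logins.

Added example, not SkyFormation code.  The sample lines are constructed
from this document's mapping; the CEF:0 prefix, device version, user
names, IPs and timestamps in them are assumptions.
"""
import re

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# What cs1/cn1/out/reason mean depends on the event (signature ID).
EVENT_FIELDS = {
    "sk4-login-success": {"cs1": "login_type", "out": "is_suspicious",
                          "cn1": "keep_signed_in"},
    "sk4-login-failed": {"cs1": "login_type", "out": "is_suspicious",
                         "reason": "failure_reason",
                         "cn1": "failed_logins_since_success"},
}

# Header field: anything up to an unescaped '|' ('\|' and '\\' are escapes).
_HDR_RE = re.compile(r"((?:[^|\\]|\\.)*)\|")
# Extension: key=value; values may hold spaces, and '=' only escaped as '\='.
_EXT_RE = re.compile(r"([A-Za-z0-9_]+)=((?:[^=\\]|\\.)*?)(?= [A-Za-z0-9_]+=|$)")


def _unescape(value):
    """Undo CEF escaping (\\| \\= \\\\ \\n \\r)."""
    esc = {"n": "\n", "r": "\r"}
    return re.sub(r"\\(.)", lambda m: esc.get(m.group(1), m.group(1)), value)


def _split_header(line):
    """Return the 7 header fields and the remaining extension string."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    body, fields, pos = line[4:], [], 0
    for _ in range(7):
        m = _HDR_RE.match(body, pos)
        if not m:
            raise ValueError("CEF header needs 7 '|'-terminated fields")
        fields.append(_unescape(m.group(1)))
        pos = m.end()
    return fields, body[pos:]


def parse_event(line):
    """Parse one line into header fields, raw extension and resolved fields."""
    fields, ext = _split_header(line.rstrip("\r\n"))
    event = dict(zip(HEADER_FIELDS, fields))
    event["severity"] = int(event["severity"])
    event["ext"] = {k: _unescape(v) for k, v in _EXT_RE.findall(ext)}
    names = EVENT_FIELDS.get(event["signature_id"], {})
    event["fields"] = {names.get(k, k): v for k, v in event["ext"].items()}
    return event


def detect_bruteforce(lines, threshold=3):
    """Alert on a login-success preceded by >= threshold failures for that user.

    cn1 of sk4-login-failed already counts failures since the last success,
    so the highest value seen per user is kept along with the source IPs.
    """
    pending, alerts = {}, []
    for line in lines:
        ev = parse_event(line)
        user, src = ev["ext"].get("suser"), ev["ext"].get("src")
        if ev["signature_id"] == "sk4-login-failed":
            n = int(ev["fields"].get("failed_logins_since_success", 0))
            count, ips = pending.get(user, (0, set()))
            pending[user] = (max(count, n), ips | {src})
        elif ev["signature_id"] == "sk4-login-success":
            count, ips = pending.pop(user, (0, set()))
            if count >= threshold:
                alerts.append({"user": user, "failures": count,
                               "sources": sorted(ips | {src}),
                               "app": ev["ext"].get("destinationServiceName")})
    return alerts


# Constructed sample events (not real SkyFormation output).
def _line(sig, name, severity, ext):
    return ("CEF:0|SkyFormation|SkyFormation Cloud Apps Security|1.0|"
            f"{sig}|{name}|{severity}|{ext}")

_BASE = ("cat=access destinationServiceName=Office 365 suid=username "
         "cs1=web-service out=0")

def _failed(ts, user, src, n):
    return _line("sk4-login-failed", "login-failed", 5,
                 f"end={ts} {_BASE} suser={user} src={src} reason=Invalid "
                 f"credentials cn1={n} flexString2=Status\\=Failed")

def _success(ts, user, src):
    return _line("sk4-login-success", "login-success", 3,
                 f"end={ts} {_BASE} suser={user} src={src} cn1=0")

SAMPLE_EVENTS = [
    _failed(1700000000000, "johnd", "203.0.113.10", 1),
    _failed(1700000030000, "johnd", "203.0.113.10", 2),
    _failed(1700000060000, "johnd", "203.0.113.11", 3),
    _success(1700000090000, "johnd", "203.0.113.11"),
    _failed(1700000200000, "alice", "198.51.100.7", 1),
    _success(1700000230000, "alice", "198.51.100.7"),
]
```

Keying the detection on cn1 means the failure count is the cloud application's own, so it survives connector restarts and ingestion gaps; collecting the source IPs lets an alert distinguish a user retrying from one address from a credential attack that finally succeeds from another. The per-event name table is the part to extend as you add events: the same cn1 key means "keep signed-in" on a success and "failed logins" on a failure, so a parser that labels keys without looking at the signature ID will produce wrong field names.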
Logout
This event is sent when a user logs out of the application.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-logout
SkyFormation Header Fields | SkyFormation event name | name | String | | logout
SkyFormation Header Fields | SkyFormation event category | cat | String | | access
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Login type | cs1 | String | The type of login performed | application, saml, web-service, oauth2, oauth1, remote access client, partner product, saml idp initiated sso, unknown
User Locked Out
This event is sent when a user is locked out of the application.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-user-locked-out
SkyFormation Header Fields | SkyFormation event name | name | String | | user-locked-out
SkyFormation Header Fields | SkyFormation event category | cat | String | | access
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Destination user ID type | duid | Enum | The user ID type of the locked-out user | email, id, username, display-name, system, anonymous
Event Specific | Destination user ID | duser | String | The ID value of the locked-out user |
Event Specific | Lockout reason | reason | String | The lockout reason as stated by the originating app |
User Unlocked
This event is sent when a user is unlocked by an admin.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-user-unlocked
SkyFormation Header Fields | SkyFormation event name | name | String | | user-unlocked
SkyFormation Header Fields | SkyFormation event category | cat | String | | access
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Destination user ID type | duid | Enum | The ID type of the unlocked user | email, id, username, display-name, system, anonymous
Event Specific | Destination user ID | duser | String | The ID value of the unlocked user |
Multi Factor Authentication (MFA) Step
This event is sent when a user authentication requires more than one authentication factor (e.g. an SMS code or a hardware token).
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-mfa-step
SkyFormation Header Fields | SkyFormation event name | name | String | | mfa-step
SkyFormation Header Fields | SkyFormation event category | cat | String | | access
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Application ID | fileId | String | The ID of the application protected by the MFA |
Event Specific | Application name | fname | String | The name of the application protected by the MFA |
Event Specific | Is suspicious | out | Int | Indication of suspicious activity | 0 = false (not suspicious), 1 = true (suspicious)
Event Specific | Factor type | cs1 | String | Type of factor used in the MFA step | verification-code, mobile-application, trusted-network, trusted-device
Event Specific | Time-To-Live (TTL) | cs2 | String | TTL of the verification code (only for factor-type=verification-code) | immediate, long-term, infinite
Event Specific | Is one-time code | in | Int | Whether the verification code is single-use (only for factor-type=verification-code) | 0 = false, 1 = true
Event Specific | Delivery method | cs3 | String | How the verification code was delivered (only for factor-type=verification-code) | hardware-token, sms, phone-call, authenticator, inside-app
Event Specific | Hardware token type | cs4 | String | Type of hardware used for the challenge token (only for factor-type=verification-code with delivery-method=hardware-token) |
Event Specific | Phone number | cs5 | String | The phone number that received the verification code (only for factor-type=verification-code with delivery-method=sms or phone-call) |
Event Specific | Authenticator name | deviceExternalId | String | The name of the authenticator (only for factor-type=verification-code with delivery-method=authenticator) |
Event Specific | Generated by | act | String | Who generated the verification code (only for factor-type=verification-code with delivery-method=inside-app) | self, admin
Event Specific | Mobile application name | dpriv | String | Mobile app used to verify the code (only for factor-type=mobile-application) |
Event Specific | Mobile application vendor | oldFileHash | String | Vendor of the mobile app used to verify the code (only for factor-type=mobile-application) |
Category: User Management
This category contains events around user management, such as user creation, deletion and suspension.
User Added
This event is sent when a new user is created.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-user-added
SkyFormation Header Fields | SkyFormation event name | name | String | | user-added
SkyFormation Header Fields | SkyFormation event category | cat | String | | user-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Destination user ID type | duid | Enum | The ID type of the added user | email, id, username, display-name, system, anonymous
Event Specific | Destination user ID | duser | String | The ID value of the added user |
User Invited
This event is sent when a user is invited to join the organization.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-user-invited
SkyFormation Header Fields | SkyFormation event name | name | String | | user-invited
SkyFormation Header Fields | SkyFormation event category | cat | String | | user-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Destination user ID type | duid | Enum | The ID type of the invited user | email, id, username, display-name, system, anonymous
Event Specific | Destination user ID | duser | String | The ID value of the invited user |
Event Specific | Destination org unit | cs1 | String | Name of the organization unit the user was invited to join |
User Invite canceled
This event is sent when an invitation previously issued to join the organization is canceled.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-user-invited-canceled
SkyFormation Header Fields | SkyFormation event name | name | String | | user-invited-canceled
SkyFormation Header Fields | SkyFormation event category | cat | String | | user-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Destination user ID type | duid | Enum | The ID type of the user whose invitation was canceled | email, id, username, display-name, system, anonymous
Event Specific | Destination user ID | duser | String | The ID value of the user whose invitation was canceled |
Event Specific | Destination org unit | cs1 | String | Name of the organization unit the user was invited to join |
User Deleted
This event is sent when a user is deleted.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-user-deleted
SkyFormation Header Fields | SkyFormation event name | name | String | | user-deleted
SkyFormation Header Fields | SkyFormation event category | cat | String | | user-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Destination user ID type | duid | Enum | The ID type of the deleted user | email, id, username, display-name, system, anonymous
Event Specific | Destination user ID | duser | String | The ID value of the deleted user |
User Undeleted
This event is sent when a deleted user is undeleted.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-user-undeleted
SkyFormation Header Fields | SkyFormation event name | name | String | | user-undeleted
SkyFormation Header Fields | SkyFormation event category | cat | String | | user-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Destination user ID type | duid | Enum | The ID type of the undeleted user | email, id, username, display-name, system, anonymous
Event Specific | Destination user ID | duser | String | The ID value of the undeleted user |
User Suspended
This event is sent when a user account is suspended by another user.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-user-suspended
SkyFormation Header Fields | SkyFormation event name | name | String | | user-suspended
SkyFormation Header Fields | SkyFormation event category | cat | String | | user-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Destination user ID type | duid | Enum | The ID type of the suspended user | email, id, username, display-name, system, anonymous
Event Specific | Destination user ID | duser | String | The ID value of the suspended user |
Event Specific | Reason | reason | String | The reason for the user suspension |
User Unsuspended
This event is sent when a user account is unsuspended by another user.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-user-unsuspended
SkyFormation Header Fields | SkyFormation event name | name | String | | user-unsuspended
SkyFormation Header Fields | SkyFormation event category | cat | String | | user-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Destination user ID type | duid | Enum | The ID type of the unsuspended user | email, id, username, display-name, system, anonymous
Event Specific | Destination user ID | duser | String | The ID value of the unsuspended user |
User Updated
This event is sent when a user's profile has been updated.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-user-updated
SkyFormation Header Fields | SkyFormation event name | name | String | | user-updated
SkyFormation Header Fields | SkyFormation event category | cat | String | | user-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Destination user ID type | duid | Enum | The ID type of the updated user | email, id, username, display-name, system, anonymous
Event Specific | Destination user ID | duser | String | The ID value of the updated user |
Event Specific | Property name | cs3 | String | The name of the updated property |
Event Specific | New number value | cn1 | Integer | The new integer value of the updated property |
Event Specific | Old number value | cn2 | Integer | The old integer value of the updated property |
Event Specific | New floating-point value | cfp1 | Floating point | The new floating-point value of the updated property |
Event Specific | Old floating-point value | cfp2 | Floating point | The old floating-point value of the updated property |
Event Specific | New string value | cs1 | String | The new string value of the updated property |
Event Specific | Old string value | cs2 | String | The old string value of the updated property |
Event Specific | New date value | deviceCustomDate1 | Date | The new date value of the updated property |
Event Specific | Old date value | deviceCustomDate2 | Date | The old date value of the updated property |
Category: Password Management
This category includes events around password management, by a user or an admin.
Password Reset
This event is sent when a self-service password reset is performed (for example, the "I forgot my password" scenario) or when a password is reset by an administrator.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-password-reset
SkyFormation Header Fields | SkyFormation event name | name | String | | password-reset
SkyFormation Header Fields | SkyFormation event category | cat | String | | password-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Destination user ID type | duid | Enum | The ID type of the user whose password was reset | email, id, username, display-name, system, anonymous
Event Specific | Destination user ID | duser | String | The ID value of the user whose password was reset |
Event Specific | Reset by | cs1 | Enum | Whether this was a self reset or a reset by an admin | self, admin
Event Specific | Outcome | outcome | Enum | Result of the reset | success, failure
Event Specific | Effective from | cs2 | Enum | When the reset comes into effect | immediately, next-login
Password Changed
This event is sent when a user's password has been changed by the user or an admin.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-password-changed
SkyFormation Header Fields | SkyFormation event name | name | String | | password-changed
SkyFormation Header Fields | SkyFormation event category | cat | String | | password-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Destination user ID type | duid | Enum | The ID type of the user whose password was changed | email, id, username, display-name, system, anonymous
Event Specific | Destination user ID | duser | String | The ID value of the user whose password was changed |
Event Specific | Outcome | outcome | Enum | Result of the change | success, failure
Category: Privilege Management
This category includes events around privilege and permission management for users and groups. An authorization group is equivalent to a "Role" in some applications.
Authorization group cloned
This event is sent when a new authorization group (aka role) is cloned from another authorization group.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-authorization-group-cloned
SkyFormation Header Fields | SkyFormation event name | name | String | | authorization-group-cloned
SkyFormation Header Fields | SkyFormation event category | cat | String | | privilege-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Authorization group type | ftype | String | The type of authorization group in the application's terminology | Common values: group, role, profile
Event Specific | Authorization group name | fname | String | The cloned authorization group's friendly name |
Event Specific | Authorization group privilege | spriv | Enum | The authorization group's level of privilege | system-administrator, n/a
Event Specific | Cloned from | cs1 | String | Name of the original group the new group was cloned from |
Authorization group created
This event is sent when a new authorization group is created.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-authorization-group-created
SkyFormation Header Fields | SkyFormation event name | name | String | | authorization-group-created
SkyFormation Header Fields | SkyFormation event category | cat | String | | privilege-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Authorization group type | ftype | String | The type of authorization group in the application's terminology | Common values: group, role, profile
Event Specific | Authorization group name | fname | String | The created authorization group's friendly name |
Authorization group deleted
This event is sent when an authorization group is deleted.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-authorization-group-deleted
SkyFormation Header Fields | SkyFormation event name | name | String | | authorization-group-deleted
SkyFormation Header Fields | SkyFormation event category | cat | String | | privilege-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Authorization group type | ftype | String | The type of authorization group in the application's terminology | Common values: group, role, profile
Event Specific | Authorization group name | fname | String | The deleted authorization group's friendly name |
Authorization group updated
This event is sent when an authorization group is updated.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-authorization-group-updated
SkyFormation Header Fields | SkyFormation event name | name | String | | authorization-group-updated
SkyFormation Header Fields | SkyFormation event category | cat | String | | privilege-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Authorization group type | ftype | String | The type of authorization group in the application's terminology | Common values: group, role, profile
Event Specific | Authorization group name | fname | String | The updated authorization group's friendly name |
Event Specific | Property name | cs3 | String | The name of the updated property |
Event Specific | New number value | cn1 | Integer | The new integer value of the updated property |
Event Specific | Old number value | cn2 | Integer | The old integer value of the updated property |
Event Specific | New floating-point value | cfp1 | Floating point | The new floating-point value of the updated property |
Event Specific | Old floating-point value | cfp2 | Floating point | The old floating-point value of the updated property |
Event Specific | New string value | cs1 | String | The new string value of the updated property |
Event Specific | Old string value | cs2 | String | The old string value of the updated property |
Event Specific | New date value | deviceCustomDate1 | Date | The new date value of the updated property |
Event Specific | Old date value | deviceCustomDate2 | Date | The old date value of the updated property |
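The user-updated table in the User Management category and the authorization-group-updated table above both encode a property change the same way: the property name goes in cs3 and the old and new values go in the key pair that matches the property's type (cn1/cn2, cfp1/cfp2, cs1/cs2, deviceCustomDate1/2). The following Python is an added example and not SkyFormation code. It shows the producer side: choosing the slot pair by type, applying CEF escaping to header and extension values, and assembling both events. It assumes that only the pair matching the type is populated, that a missing old or new side (property newly set or cleared) is simply omitted, and that dates are sent as epoch milliseconds like the end field; the CEF:0 prefix, device version 1.0 and the username/email ID types are placeholders.

```python
"""Build sk4-user-updated and sk4-authorization-group-updated CEF lines.

Added example, not SkyFormation code.  It fills the typed old/new value
slots of the two "updated" tables (cn1/cn2 integers, cfp1/cfp2 floats,
cs1/cs2 strings, deviceCustomDate1/2 dates, property name in cs3).
The CEF:0 prefix, the device version, the ID-type values and the use
of epoch milliseconds for dates are assumptions.
"""
import datetime as dt

CEF_VERSION = "0"        # public CEF spec prefix; this document lists 2.0
VENDOR = "SkyFormation"
PRODUCT = "SkyFormation Cloud Apps Security"
DEVICE_VERSION = "1.0"   # assumed


def escape_header(value):
    """Header fields: escape backslash and pipe."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_ext(value):
    """Extension values: escape backslash, '=' and line breaks ('|' is legal)."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def _epoch_ms(when):
    """Dates as epoch milliseconds, matching the 'end' field (assumption)."""
    return int(when.timestamp() * 1000)


def typed_slots(old, new):
    """Return [(key, value), ...] for a property change.

    The slot pair is chosen by the type of the value present; a None side
    (property newly set or cleared) is omitted rather than sent empty.
    """
    sample = new if new is not None else old
    if isinstance(sample, dt.datetime):
        keys, conv = ("deviceCustomDate1", "deviceCustomDate2"), _epoch_ms
    elif isinstance(sample, int):            # bool is an int subclass: 1/0
        keys, conv = ("cn1", "cn2"), int
    elif isinstance(sample, float):
        keys, conv = ("cfp1", "cfp2"), float
    else:
        keys, conv = ("cs1", "cs2"), str
    return [(k, conv(v)) for k, v in zip(keys, (new, old)) if v is not None]


def cef_line(signature_id, name, severity, pairs):
    """Assemble the escaped header and the 'key=value' extension."""
    header = "|".join(escape_header(v) for v in
                      (CEF_VERSION, VENDOR, PRODUCT, DEVICE_VERSION,
                       signature_id, name, severity))
    ext = " ".join(f"{k}={escape_ext(v)}" for k, v in pairs)
    return f"CEF:{header}|{ext}"


def user_updated(ts_ms, actor, target, prop, old, new, severity=3):
    """sk4-user-updated: `actor` (suser) changed `prop` on `target` (duser)."""
    pairs = [("end", ts_ms), ("cat", "user-management"),
             ("suser", actor), ("suid", "username"),
             ("duser", target), ("duid", "email"), ("cs3", prop)]
    return cef_line("sk4-user-updated", "user-updated", severity,
                    pairs + typed_slots(old, new))


def group_updated(ts_ms, actor, gtype, gname, prop, old, new, severity=5):
    """sk4-authorization-group-updated: `actor` changed `prop` on a role/group."""
    pairs = [("end", ts_ms), ("cat", "privilege-management"),
             ("suser", actor), ("suid", "username"),
             ("ftype", gtype), ("fname", gname), ("cs3", prop)]
    return cef_line("sk4-authorization-group-updated",
                    "authorization-group-updated", severity,
                    pairs + typed_slots(old, new))


# Constructed sample change: an account expiry set for the first time.
SAMPLE_EXPIRY = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
```

Two points worth checking in any emitter built on this mapping: cs1 and cs2 carry the string old/new values here but carry unrelated meanings in most other events, so a consumer must dispatch on the signature ID before interpreting them; and unescaped `=` in a string value (for example a changed description containing "a=b") silently splits the extension into bogus keys at the receiver, which is why escape_ext is applied to every value and not only to free text.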
Authorization group renamed
This event is sent when an authorization group is renamed.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-authorization-group-renamed
SkyFormation Header Fields | SkyFormation event name | name | String | | authorization-group-renamed
SkyFormation Header Fields | SkyFormation event category | cat | String | | privilege-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Authorization group type | ftype | String | The type of authorization group in the application's terminology | Common values: group, role, profile
Event Specific | Authorization group new name | fname | String | The new name of the authorization group |
Event Specific | Authorization group old name | cs1 | String | The old name of the authorization group |
Authorization group assigned
This event is sent when an authorization group is assigned to a user or to another authorization group.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-authorization-group-assigned
SkyFormation Header Fields | SkyFormation event name | name | String | | authorization-group-assigned
SkyFormation Header Fields | SkyFormation event category | cat | String | | privilege-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Authorization group type | ftype | String | The type of the assigned authorization group in the application's terminology | Common values: group, role, profile
Event Specific | Authorization group name | fname | String | The assigned authorization group's friendly name |
Event Specific | Destination user ID type | duid | Enum | The ID type of the user assigned the privileges | email, id, username, display-name, system, anonymous
Event Specific | Destination user ID | duser | String | The identifier value of the user assigned the privileges |
Event Specific | Destination authorization group type | cs1 | String | The type of authorization group the authorization group was assigned to | Common values: group, role, profile
Event Specific | Destination authorization group name | cs2 | String | The name of the authorization group assigned the privileges |
Event Specific | Scope restriction | cs3 | String | Identifying attributes of the scope to which the group was assigned | :: :: OR :: ::
Authorization group unassigned
This event is sent when an authorization group is unassigned from a user or from another authorization group.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-authorization-group-unassigned
SkyFormation Header Fields | SkyFormation event name | name | String | | authorization-group-unassigned
SkyFormation Header Fields | SkyFormation event category | cat | String | | privilege-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Authorization group type | ftype | String | The type of the unassigned authorization group in the application's terminology | Common values: group, role, profile
Event Specific | Authorization group name | fname | String | The unassigned authorization group's friendly name |
Event Specific | Destination user ID type | duid | Enum | The ID type of the user the authorization group was unassigned from | email, id, username, display-name, system, anonymous
Event Specific | Destination user ID | duser | String | The identifier value of the user the privileges were unassigned from |
Event Specific | Destination authorization group type | cs1 | String | The type of authorization group the authorization group was unassigned from | Common values: group, role, profile
Event Specific | Destination authorization group name | cs2 | String | The name of the authorization group the privileges were unassigned from |
Event Specific | Scope restriction | cs3 | String | Identifying attributes of the scope to which the group was assigned | :: :: OR :: ::
Authorization group replaced
This event is sent when an authorization group assigned to a user, or to another authorization group, is replaced by a different authorization group.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-authorization-group-replaced
SkyFormation Header Fields | SkyFormation event name | name | String | | authorization-group-replaced
SkyFormation Header Fields | SkyFormation event category | cat | String | | privilege-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Authorization group type | ftype | String | The type of the replacing authorization group in the application's terminology | Common values: group, role, profile
Event Specific | Authorization group name | fname | String | The replacing authorization group's friendly name |
Event Specific | Destination user ID type | duid | Enum | The ID type of the user whose authorization group was replaced | email, id, username, display-name, system, anonymous
Event Specific | Destination user ID | duser | String | The identifier value of the user whose privileges were replaced |
Event Specific | Destination authorization group type | cs1 | String | The type of authorization group whose assigned group was replaced | Common values: group, role, profile
Event Specific | Destination authorization group name | cs2 | String | The name of the authorization group whose privileges were replaced |
Event Specific | Origin authorization group name | cs3 | String | |
Permission updated
This event is sent when a permission is added to, removed from or replaced on either a user or an authorization group.
Field Type | Full Name | CEF Key Name | Data Type | Meaning | Value/s
---|---|---|---|---|---
SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-permissions-updated
SkyFormation Header Fields | SkyFormation event name | name | String | | permissions-updated
SkyFormation Header Fields | SkyFormation event category | cat | String | | privilege-management
SkyFormation Application Class Fields | All available fields | | | |
Event Specific | Destination user ID type | duid | Enum | The ID type of the user whose permission was updated | email, id, username, display-name, system, anonymous
Event Specific | Destination user ID | duser | String | The identifier value of the user whose permission was updated |
Event Specific | Destination authorization group type | cs1 | String | The type of authorization group whose permission was updated | Common values: group, role, profile
Event Specific | Destination authorization group name | cs2 | String | The name of the authorization group whose permission was updated |
Event Specific | Permission action | act | Enum | Whether the permission was added, removed or set | added, removed, set
Event Specific | Permission type | cs4 | Enum | The entity level at which the permission was assigned | general, type-level, field-level, instance-level
Event Specific | Object type | ftype | String | Holds the entity type for type-level and instance-level permissions; holds :: for field-level; empty for general |
Event Specific | Object ID | fid | String | May hold the object ID if the permission refers to a specific instance |
Event Specific | Object name | fname | String | May hold the object name if the permission refers to a specific instance |
Event Specific | Privilege name | filePermission | String | The app's friendly name of the permission referred to |
Event Specific | Scope | dpriv | String | Optional scoping of the permission update |
Resource ACL updated
This event is sent when a resource's (e.g. file/folder) ACL (i.e. its permissions) has been updated: an entry removed, added or updated.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-resource-acl-updated |
| | SkyFormation event name | name | String | | resource-acl-updated |
| | SkyFormation event category | cat | String | | privilege-management |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Resource type | ftype | Enum | The type of resource whose ACL was updated | File, Folder, App Entity |
| | Resource name | fname | String | The name of the resource whose ACL was updated | |
| | Permission Action | act | Enum | Whether the ACL entry was added, removed, etc. | added, removed, set |
| | Grantee user type | duid | Enum | The type of identifier of the user the ACL was updated for | email, id, username, display-name, system, anonymous |
| | Grantee User | duser | String | The identifier value of the user the ACL was updated for | |
| | Grantee group type | cs1 | String | The type of group the ACL was updated for | Common values: group, role, profile |
| | Grantee group name | cs2 | String | The name of the group updated with the ACL. Note: on action updated, this is the new grantee | |
| | Grantee scope | cs3 | Enum | The scope of the ACL change (e.g. internal, external with public) | public, public-with-link, within-organization, within-organization-with-link, public-authenticated |
| | Permission | filePermission | String | ACL name. When the action is updated, this is the new value | |
| | Old grantee | dpriv | String | When the action is updated and the grantee was changed, this is either the Grantee user (of the same type as duid) or the Group name (of the same type as cs3) | |
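The ACL-update mapping above is the one a SIEM rule most often keys on, so here is an added example (not SkyFormation's own code) of what such an event looks like on the wire and how a consumer gets the fields back out: it encodes a sk4-resource-acl-updated event into a CEF line using the vendor/product values from the page's header table, parses it back with the standard CEF escaping rules (backslash and pipe escaped in the header, backslash and equals sign in extension values), and flags entries whose grantee scope (cs3) lies outside the organization. The device version placeholder "x.y", the sample field values and all function names are this example's assumptions.

```python
"""Added example: CEF encode/parse for sk4-resource-acl-updated events and an
external-exposure check. Header values come from the page's header table;
the device version "x.y", the sample event and all names are constructed."""
import re


def _esc_header(v: str) -> str:
    # CEF header fields: escape backslash and the pipe delimiter
    return v.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v: str) -> str:
    # CEF extension values: escape backslash and '=', encode CR/LF as \r \n
    return (v.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def encode_cef(signature_id, name, severity, extension, version="2.0",
               vendor="SkyFormation", product="SkyFormation Cloud Apps Security",
               dev_version="x.y"):
    """Build one CEF line: CEF:Version|Vendor|Product|DevVersion|SigID|Name|Severity|ext."""
    header = "|".join(_esc_header(str(v)) for v in
                      (version, vendor, product, dev_version, signature_id, name, severity))
    ext = " ".join(f"{k}={_esc_ext(str(v))}" for k, v in extension.items())
    return f"CEF:{header}|{ext}"


def _split_header(s: str, count: int):
    """Split the first `count` unescaped '|'-delimited header fields (unescaping
    them) and return the remainder raw, so extension escaping is still intact."""
    parts, cur, i = [], [], 0
    while i < len(s) and len(parts) < count:
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i + 1]); i += 2
        elif c == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    parts.append(s[i:] if len(parts) == count else "".join(cur))
    return parts


# key=value pairs; a value runs until the next " key=" or end of line
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)")


def _unesc_ext(v: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), v)


def parse_cef(line: str) -> dict:
    """Parse a CEF line into its seven header fields plus an 'ext' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _split_header(line[4:], 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    keys = ("version", "vendor", "product", "dev_version", "signature_id", "name", "severity")
    rec = dict(zip(keys, parts[:7]))
    rec["ext"] = {m.group(1): _unesc_ext(m.group(2)) for m in _EXT_RE.finditer(parts[7])}
    return rec


# cs3 values from the table that place the grantee outside the organization
EXTERNAL_SCOPES = {"public", "public-with-link", "public-authenticated"}


def is_external_exposure(rec: dict) -> bool:
    """True when an ACL update grants (adds/sets/updates, not removes) access to a
    grantee scope outside the organization."""
    ext = rec["ext"]
    return (rec["signature_id"] == "sk4-resource-acl-updated"
            and ext.get("act") != "removed"
            and ext.get("cs3") in EXTERNAL_SCOPES)


SAMPLE_EXT = {  # constructed sample values, not a real SkyFormation event
    "act": "added", "ftype": "File", "fname": "Q3 plan=draft.xlsx",
    "duid": "anonymous", "cs3": "public-with-link", "filePermission": "read",
}


def demo():
    line = encode_cef("sk4-resource-acl-updated", "resource-acl-updated", 5, SAMPLE_EXT)
    rec = parse_cef(line)
    return line, rec, is_external_exposure(rec)


if __name__ == "__main__":
    line, rec, flagged = demo()
    print(line)
    print("external exposure:", flagged)
```

The check deliberately treats every action other than "removed" as a grant, because the table lists both "set" and "updated" as actions that can carry a new grantee; a rule that only matched "added" would miss an existing entry being widened to public.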
Permissions requested
This event is sent when permissions are requested for/by a user.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-permissions-requested |
| | SkyFormation event name | name | String | | permissions-requested |
| | SkyFormation event category | cat | String | | privilege-management |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Resource type | ftype | Enum | The type of resource the ACL was requested for | File, Folder, App Entity |
| | Resource name | fname | String | The name of the resource the ACL was requested for | |
| | Grantee user type | duid | Enum | The type of identifier of the user the ACL was requested for | email, id, username, display-name, system, anonymous |
| | Grantee User | duser | String | The identifier value of the user the ACL was requested for | |
| | Grantee group type | cs1 | String | The type of group the ACL was requested for | Common values: group, role, profile |
| | Grantee group name | cs2 | String | The name of the group the ACL was requested for | |
| | Grantee scope | cs3 | Enum | The scope of the ACL requested (e.g. internal, external with public) | public, public-with-link, within-organization, within-organization-with-link, public-authenticated |
| | Permission type | cs4 | Enum | The entity level the permission was requested for | general, type-level, field-level, instance-level |
| | Object type | ftype | String | Holds the entity's type for type-level and instance-level permissions; holds :: for field-level; empty for general | |
| | Object ID | fid | String | May hold the object ID if the permission refers to a specific instance | |
| | Object name | fname | String | May hold the object name if the permission refers to a specific instance | |
| | Privilege name | filePermission | String | The app-friendly name of the permission referred to | |
| | Scope | dpriv | String | Optional scoping of the permission update | |
Category: Application Data
This category includes events around data access and manipulation.
Resource Viewed
This event is sent when a resource (e.g. file/folder/object) has been viewed.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-resource-viewed |
| | SkyFormation event name | name | String | | resource-viewed |
| | SkyFormation event category | cat | String | | application-data |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Resource type | ftype | Enum | The type of resource viewed | File, Folder, App Entity |
| | Resource name | fname | String | The name of the resource viewed | |
| | Resource owner user type | duid | Enum | The type of identifier of the user who owns the resource | email, id, username, display-name, system, anonymous |
| | Resource owner user | duser | String | User identifier value | |
Resource Created
This event is sent when a resource (e.g. file/folder/object) has been added.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-resource-created |
| | SkyFormation event name | name | String | | resource-created |
| | SkyFormation event category | cat | String | | application-data |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Resource type | ftype | Enum | The type of resource created | File, Folder, App Entity |
| | Resource name | fname | String | The name of the resource created | |
| | Resource owner user type | duid | Enum | The type of identifier of the user who owns the resource | email, id, username, display-name, system, anonymous |
| | Resource owner user | duser | String | User identifier value | |
Resource Created or Updated
This event is sent when a resource (e.g. file/folder/object) has either been added or an existing one updated, but the source does not say which.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-resource-created-or-updated |
| | SkyFormation event name | name | String | | resource-created-or-updated |
| | SkyFormation event category | cat | String | | application-data |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Resource type | ftype | Enum | The type of resource created or updated | File, Folder, App Entity |
| | Resource name | fname | String | The name of the resource created or updated | |
| | Resource owner user type | duid | Enum | The type of identifier of the user who owns the resource | email, id, username, display-name, system, anonymous |
| | Resource owner user | duser | String | User identifier value | |
Resource Uploaded
This event is sent when a resource (e.g. file/folder/object) has been uploaded to the service.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-resource-uploaded |
| | SkyFormation event name | name | String | | resource-uploaded |
| | SkyFormation event category | cat | String | | application-data |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Resource type | ftype | Enum | The type of resource uploaded | File, Folder, App Entity |
| | Resource name | fname | String | The name of the resource uploaded | |
| | Resource owner user type | duid | Enum | The type of identifier of the user who owns the resource | email, id, username, display-name, system, anonymous |
| | Resource owner user | duser | String | User identifier value | |
Resource Cloned
This event is sent when a resource (e.g. file/folder/object) has been cloned from another resource.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-resource-cloned |
| | SkyFormation event name | name | String | | resource-cloned |
| | SkyFormation event category | cat | String | | application-data |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Resource type | ftype | Enum | The type of resource cloned | File, Folder, App Entity |
| | Resource name | fname | String | The name of the resource cloned | |
| | Resource owner user type | duid | Enum | The type of identifier of the user who owns the resource | email, id, username, display-name, system, anonymous |
| | Resource owner user | duser | String | User identifier value | |
| | Origin resource name | cs1 | String | The name of the resource the clone was made from | |
Resource Downloaded
This event is sent when a resource (e.g. file/folder/object) has been downloaded.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-resource-downloaded |
| | SkyFormation event name | name | String | | resource-downloaded |
| | SkyFormation event category | cat | String | | application-data |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Resource type | ftype | Enum | The type of resource downloaded | File, Folder, App Entity |
| | Resource name | fname | String | The name of the resource downloaded | |
| | Resource owner user type | duid | Enum | The type of identifier of the user who owns the resource | email, id, username, display-name, system, anonymous |
| | Resource owner user | duser | String | User identifier value | |
Resource Deleted
This event is sent when a resource (e.g. file/folder/object) has been deleted.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-resource-deleted |
| | SkyFormation event name | name | String | | resource-deleted |
| | SkyFormation event category | cat | String | | application-data |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Resource type | ftype | Enum | The type of resource deleted | File, Folder, App Entity |
| | Resource name | fname | String | The name of the resource deleted | |
| | Resource owner user type | duid | Enum | The type of identifier of the user who owns the resource | email, id, username, display-name, system, anonymous |
| | Resource owner user | duser | String | User identifier value | |
Resource Undeleted
This event is sent when a resource (e.g. file/folder/object) has been undeleted.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-resource-undeleted |
| | SkyFormation event name | name | String | | resource-undeleted |
| | SkyFormation event category | cat | String | | application-data |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Resource type | ftype | Enum | The type of resource undeleted | File, Folder, App Entity |
| | Resource name | fname | String | The name of the resource undeleted | |
| | Resource owner user type | duid | Enum | The type of identifier of the user who owns the resource | email, id, username, display-name, system, anonymous |
| | Resource owner user | duser | String | User identifier value | |
Resource Content Updated
This event is sent when the content of a resource (e.g. file/folder/object) has been updated.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-resource-content-update |
| | SkyFormation event name | name | String | | resource-content-update |
| | SkyFormation event category | cat | String | | application-data |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Resource type | ftype | Enum | The type of resource whose content was updated | File, Folder, App Entity |
| | Resource name | fname | String | The name of the resource whose content was updated | |
| | Resource owner user type | duid | Enum | The type of identifier of the user who owns the resource | email, id, username, display-name, system, anonymous |
| | Resource owner user | duser | String | User identifier value | |
Resource Property Updated
This event is sent when a property of a resource (e.g. file/folder/object) has been updated.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-resource-properties-updated |
| | SkyFormation event name | name | String | | resource-properties-updated |
| | SkyFormation event category | cat | String | | application-data |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Resource type | ftype | Enum | The type of resource whose properties were updated | File, Folder, App Entity |
| | Resource name | fname | String | The name of the resource whose properties were updated | |
| | Resource owner user type | duid | Enum | The type of identifier of the user who owns the resource | email, id, username, display-name, system, anonymous |
| | Resource owner user | duser | String | User identifier value | |
| | Property name | cs3 | String | The name of the property updated | |
| | New number value | cn1 | Integer | The new integer value of the updated property | |
| | Old number value | cn2 | Integer | The old integer value of the updated property | |
| | New floating point value | cfp1 | Floating point | The new floating point value of the updated property | |
| | Old floating point value | cfp2 | Floating point | The old floating point value of the updated property | |
| | New string value | cs1 | String | The new string value of the updated property | |
| | Old string value | cs2 | String | The old string value of the updated property | |
| | New date value | deviceCustomDate1 | Date | The new date value of the updated property | |
| | Old date value | deviceCustomDate2 | Date | The old date value of the updated property | |
Resource Renamed
This event is sent when a resource (e.g. file/folder/object) has been renamed.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-resource-renamed |
| | SkyFormation event name | name | String | | resource-content-renamed |
| | SkyFormation event category | cat | String | | application-data |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Resource type | ftype | Enum | The type of resource renamed | File, Folder, App Entity |
| | Resource name | fname | String | The name of the resource renamed | |
| | Resource owner user type | duid | Enum | The type of identifier of the user who owns the resource | email, id, username, display-name, system, anonymous |
| | Resource owner user | duser | String | User identifier value | |
| | New resource name | cs1 | String | The new resource name | |
| | Origin resource name | cs2 | String | The original resource name | |
Resource Moved
This event is sent when a resource (e.g. file/folder/object) has been moved from one place (container) to another.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-resource-moved |
| | SkyFormation event name | name | String | | resource-content-moved |
| | SkyFormation event category | cat | String | | application-data |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Resource type | ftype | Enum | The type of resource moved | File, Folder, App Entity |
| | Resource name | fname | String | The name of the resource moved | |
| | Resource owner user type | duid | Enum | The type of identifier of the user who owns the resource | email, id, username, display-name, system, anonymous |
| | Resource owner user | duser | String | User identifier value | |
| | New resource name/path | cs1 | String | The new resource name/path | |
| | Origin resource name/path | cs2 | String | The original resource name/path | |
Resource Event
This event is sent when a message is received, sent, deleted, undeleted, etc.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-resource-event |
| | SkyFormation event name | name | String | | resource-content-event |
| | SkyFormation event category | cat | String | | application-data |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Resource type | ftype | Enum | The type of resource referred to | message |
| | Message ID | filePath | String | | |
| | Applicative name of message type | fileHash | String | The native application name for the type of message (e.g. email message) | |
| | Action | act | String | Which operation took place | view, create, delete, undelete, send, receive |
Category: Security Settings
This category includes events that describe security settings changes.
Password Policy Updated
This event is sent when the Password Policy of either the entire organization, a specific Org. Unit, or a specific user has been modified.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-password-policy-updated |
| | SkyFormation event name | name | String | | password-policy-updated |
| | SkyFormation event category | cat | String | | security-settings |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Target user type | duid | Enum | The type of identifier of the user who made the change | email, id, username, display-name, system, anonymous |
| | Target user | duser | String | User identifier value | |
| | Scope of change | cs4 | String | The system/organizational scope of the change (e.g. module, service, group of users, all). 'all' when the entire organization is affected | |
| | Policy property type changed | cs3 | String | The password policy property/category type that was changed, if known. When 'other', the string holds the attribute name ('attr-name') | min-length, max-length, complexity, days-for-expiration, history, failed-login-before-lockout, minutes-to-auto-unlock, other |
| | New number value | cn1 | Integer | The new integer value of the updated property | |
| | Old number value | cn2 | Integer | The old integer value of the updated property | |
| | New floating point value | cfp1 | Floating point | The new floating point value of the updated property | |
| | Old floating point value | cfp2 | Floating point | The old floating point value of the updated property | |
| | New string value | cs1 | String | The new string value of the updated property | |
| | Old string value | cs2 | String | The old string value of the updated property | |
| | New date value | deviceCustomDate1 | Date | The new date value of the updated property | |
| | Old date value | deviceCustomDate2 | Date | The old date value of the updated property | |
Mobile Settings Updated
This event is sent when the mobile settings of either the entire organization, a specific Org. Unit, or a specific user have been modified.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-mobile-settings-updated |
| | SkyFormation event name | name | String | | mobile-settings-updated |
| | SkyFormation event category | cat | String | | security-settings |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Target user type | duid | Enum | The type of identifier of the user who made the change | email, id, username, display-name, system, anonymous |
| | Target user | duser | String | User identifier value | |
| | Scope of change | cs4 | String | The system/organizational scope of the change (e.g. module, service, group of users, all). 'all' when the entire organization is affected | |
| | Policy property name | cs3 | String | The name of the mobile policy property/category changed | |
| | New number value | cn1 | Integer | The new integer value of the updated property | |
| | Old number value | cn2 | Integer | The old integer value of the updated property | |
| | New floating point value | cfp1 | Floating point | The new floating point value of the updated property | |
| | Old floating point value | cfp2 | Floating point | The old floating point value of the updated property | |
| | New string value | cs1 | String | The new string value of the updated property | |
| | Old string value | cs2 | String | The old string value of the updated property | |
| | New date value | deviceCustomDate1 | Date | The new date value of the updated property | |
| | Old date value | deviceCustomDate2 | Date | The old date value of the updated property | |
Authentication Settings Updated
This event is sent when the authentication settings of either the entire organization, a specific Org. Unit, or a specific user have been modified.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-authn-settings-updated |
| | SkyFormation event name | name | String | | authn-settings-updated |
| | SkyFormation event category | cat | String | | security-settings |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Target user type | duid | Enum | The type of identifier of the target user affected by the change | email, id, username, display-name, system, anonymous |
| | Target user | duser | String | Target user identifier value | |
| | Scope of change | cs4 | String | The system/organizational scope of the change (e.g. module, service, group of users, all). 'all' when the entire organization is affected | |
| | Policy property type updated | cs3 | Enum | The type of policy updated | two-factored-authentication |
| | New string value | cs1 | String | For attribute "two-factored-authentication" the possible values are "enabled" and "disabled" | |
| | Old string value | cs2 | String | For attribute "two-factored-authentication" the possible values are "enabled" and "disabled" | |
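Both sk4-password-policy-updated and sk4-authn-settings-updated carry an old/new value pair, which is what makes a "policy weakened" detection possible on the consumer side. The following is an added example, not SkyFormation's code, that classifies either event as hardened or weakened from its cs3/cn1/cn2/cs1/cs2 fields and notes when cs4 is 'all' (the whole organization is affected). It takes the CEF extension as an already-parsed dict; the sample events, the helper names and the direction assumed for each numeric property (for instance that a lower min-length is a weakening) are this example's own assumptions.

```python
"""Added example: classify security-settings changes from the cs3/cn1/cn2/cs1/cs2
fields of sk4-password-policy-updated and sk4-authn-settings-updated events.
Takes the parsed CEF extension as a dict; sample events and the 'direction'
assumed for each numeric property are this example's own assumptions."""
from typing import Optional

# Numeric password-policy properties named under cs3, mapped to whether a larger
# value makes the policy stronger (assumption made for this example).
HIGHER_IS_STRONGER = {
    "min-length": True,
    "max-length": True,                     # a lower cap forbids long passphrases
    "history": True,                        # more remembered passwords = less reuse
    "minutes-to-auto-unlock": True,         # longer lockout = slower guessing
    "failed-login-before-lockout": False,   # more attempts before lockout = weaker
    "days-for-expiration": False,           # longer lifetime = weaker
}


def classify_password_policy(ext: dict) -> Optional[str]:
    """'hardened', 'weakened', 'unchanged', 'changed', or None when not decidable."""
    prop = ext.get("cs3")
    if prop in HIGHER_IS_STRONGER:
        try:
            new, old = int(ext["cn1"]), int(ext["cn2"])
        except (KeyError, ValueError):
            return None                      # numeric property without both values
        if new == old:
            return "unchanged"
        stronger = (new > old) == HIGHER_IS_STRONGER[prop]
        return "hardened" if stronger else "weakened"
    if prop == "complexity":
        # the page defines no value set for complexity, so only report a change
        return "unchanged" if ext.get("cs1") == ext.get("cs2") else "changed"
    return None  # 'other': cs3 carries the raw attribute name, semantics unknown


def classify_authn_settings(ext: dict) -> Optional[str]:
    """Two-factor authentication switched off is a weakening; switched on, a hardening."""
    if ext.get("cs3") != "two-factored-authentication":
        return None
    new, old = ext.get("cs1"), ext.get("cs2")
    if new == old:
        return "unchanged"
    if (old, new) == ("enabled", "disabled"):
        return "weakened"
    if (old, new) == ("disabled", "enabled"):
        return "hardened"
    return None


def classify_event(signature_id: str, ext: dict) -> Optional[str]:
    if signature_id == "sk4-password-policy-updated":
        return classify_password_policy(ext)
    if signature_id == "sk4-authn-settings-updated":
        return classify_authn_settings(ext)
    return None


def org_wide(ext: dict) -> bool:
    """cs4 == 'all' means the whole organization is affected (from the tables above)."""
    return ext.get("cs4") == "all"


SAMPLE_EVENTS = [  # constructed samples, not real SkyFormation output
    ("sk4-password-policy-updated", {"cs3": "min-length", "cn1": "8", "cn2": "12", "cs4": "all"}),
    ("sk4-password-policy-updated", {"cs3": "failed-login-before-lockout", "cn1": "5", "cn2": "10", "cs4": "all"}),
    ("sk4-password-policy-updated", {"cs3": "other", "cs1": "x", "cs2": "y", "cs4": "group of users"}),
    ("sk4-authn-settings-updated", {"cs3": "two-factored-authentication", "cs1": "disabled", "cs2": "enabled", "cs4": "all"}),
]


def triage(events):
    """Return (signature_id, verdict, org_wide) per event; 'weakened' together
    with org_wide is the combination worth an alert."""
    return [(sig, classify_event(sig, ext), org_wide(ext)) for sig, ext in events]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

A 'None' verdict is deliberate for cs3 = other: the table says the field then holds a raw attribute name whose meaning the mapping does not define, so the event should be surfaced for review rather than silently scored.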
Network Access Updated
This event is sent when the network access IP restrictions have been modified.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-network-access-updated |
| | SkyFormation event name | name | String | | network-access-updated |
| | SkyFormation event category | cat | String | | security-settings |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Action | act | Enum | The type of access action performed | added, removed, updated |
| | New value | cs1 | String | No value for the "removed" action; optional for the "updated" action | Example: "192.10.0.0-192.10.0.255" |
| | Old value | cs2 | String | No value for the "added" action; optional for the "updated" action | Example: "192.10.0.0-192.10.0.255" |
| | Restriction name | cs3 | String | | |
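An added example, not SkyFormation's code, of a defender-side check over sk4-network-access-updated: it parses the "start-end" range form shown in the Value/s column (and, as a generalization, CIDR and single-address forms), sizes the change an add/remove/update makes to the allowed address space, and flags a range that is implausibly wide. It assumes the restriction is an allow-list of permitted source addresses; the sample values, the threshold and the function names are constructed for this example.

```python
"""Added example: assess sk4-network-access-updated events. Parses the
'start-end' range form from the Value/s column (plus CIDR and single
addresses as a generalization) and reports whether the change grew or shrank
the allowed address space. Assumes restrictions are an allow-list; sample
values and names are constructed."""
import ipaddress
from typing import Optional, Tuple


def parse_restriction(value: str) -> list:
    """Turn a restriction value into a list of ip_network objects."""
    value = value.strip()
    if "-" in value:                       # page format: "192.10.0.0-192.10.0.255"
        lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {value}")
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(value, strict=False)]   # CIDR or single address


def address_count(nets) -> int:
    return sum(n.num_addresses for n in nets)


def is_overly_broad(nets, max_addresses: int = 65536) -> bool:
    """True when any single range allows more than max_addresses hosts
    (the default is a /16; pick a threshold that fits the organization)."""
    return any(n.num_addresses > max_addresses for n in nets)


def assess_network_access_update(ext: dict) -> Tuple[str, Optional[int]]:
    """Return (verdict, delta_addresses). cs1 is the new value (absent on
    'removed'), cs2 the old one (absent on 'added'); both are optional on
    'updated', in which case the change cannot be sized."""
    act = ext.get("act")
    new = address_count(parse_restriction(ext["cs1"])) if ext.get("cs1") else None
    old = address_count(parse_restriction(ext["cs2"])) if ext.get("cs2") else None
    if act == "added" and new is not None:
        delta = new
    elif act == "removed" and old is not None:
        delta = -old
    elif act == "updated" and new is not None and old is not None:
        delta = new - old
    else:
        return "unknown", None
    verdict = "broadened" if delta > 0 else "narrowed" if delta < 0 else "unchanged"
    return verdict, delta


SAMPLE_EXTS = [  # constructed sample extensions, not real SkyFormation output
    {"act": "added", "cs1": "192.10.0.0-192.10.0.255", "cs3": "office-lan"},
    {"act": "updated", "cs1": "192.10.0.0-192.10.0.255", "cs2": "192.10.0.0-192.10.0.15", "cs3": "office-lan"},
    {"act": "removed", "cs2": "192.10.0.0-192.10.0.255", "cs3": "office-lan"},
    {"act": "updated", "cs1": "0.0.0.0/0", "cs3": "office-lan"},   # old value omitted
]


if __name__ == "__main__":
    for ext in SAMPLE_EXTS:
        verdict, delta = assess_network_access_update(ext)
        broad = is_overly_broad(parse_restriction(ext["cs1"])) if ext.get("cs1") else False
        print(ext["act"], verdict, delta, "overly broad" if broad else "")
```

One caveat the single event cannot resolve: removing the last remaining allowed range may leave the service reachable from anywhere rather than from nowhere, depending on how the application treats an empty restriction list, so a "removed" verdict should be correlated with the restrictions still in place (the Restriction name in cs3 is the key to do that).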
SSO Enabled
This event is sent when SSO authentication to the account is enabled.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-sso-enabled |
| | SkyFormation event name | name | String | | sso-enabled |
| | SkyFormation event category | cat | String | | security-settings |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
SSO Disabled
This event is sent when SSO authentication to the account is disabled.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-sso-disabled |
| | SkyFormation event name | name | String | | sso-disabled |
| | SkyFormation event category | cat | String | | security-settings |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
SSO Provider Added
This event is sent when a new SSO provider is added.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-sso-provider-added |
| | SkyFormation event name | name | String | | sso-provider-added |
| | SkyFormation event category | cat | String | | security-settings |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Provider name | fname | String | | |
| | Provider issuer | ftype | String | | |
SSO Provider Deleted
This event is sent when an SSO provider is deleted.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-sso-provider-deleted |
| | SkyFormation event name | name | String | | sso-provider-deleted |
| | SkyFormation event category | cat | String | | security-settings |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Provider name | fname | String | | |
| | Provider issuer | ftype | String | | |
SSO Provider Renamed
This event is sent when an SSO provider is renamed.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-sso-provider-renamed |
| | SkyFormation event name | name | String | | sso-provider-renamed |
| | SkyFormation event category | cat | String | | security-settings |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | New provider name | fname | String | | |
| | Provider issuer | ftype | String | | |
| | Origin provider name | cs2 | String | | |
SSO Provider Updated
This event is sent when an SSO provider is updated.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-sso-provider-updated |
| | SkyFormation event name | name | String | | sso-provider-updated |
| | SkyFormation event category | cat | String | | security-settings |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Provider name | fname | String | | |
| | Provider issuer | ftype | String | | |
| | Updated property name | cs3 | String | The name of the SSO provider property/category changed | |
| | New number value | cn1 | Integer | The new integer value of the updated property | |
| | Old number value | cn2 | Integer | The old integer value of the updated property | |
| | New floating point value | cfp1 | Floating point | The new floating point value of the updated property | |
| | Old floating point value | cfp2 | Floating point | The old floating point value of the updated property | |
| | New string value | cs1 | String | The new string value of the updated property | |
| | Old string value | cs2 | String | The old string value of the updated property | |
| | New date value | deviceCustomDate1 | Date | The new date value of the updated property | |
| | Old date value | deviceCustomDate2 | Date | The old date value of the updated property | |
Category: Mobile Device Management
This category includes events related to mobile device management in the organization.
Mobile device approved
This event is sent when a new mobile device is approved for use within the organization.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-mobile-device-approved |
| | SkyFormation event name | name | String | | mobile-device-approved |
| | SkyFormation event category | cat | String | | device-management |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Destination user type | duid | Enum | The type of identifier of the user who owns the approved device | email, id, username, display-name, system, anonymous |
| | Destination user | duser | String | The identifier/name of the user who owns the approved device | |
| | Target Device id | deviceExternalId | String | | |
| | Target Device type | deviceFacility | String | | |
| | Reason | reason | String | The reason the device was approved | |
Mobile device blocked
This event is sent when a mobile device is blocked from use within the organization.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-mobile-device-blocked |
| | SkyFormation event name | name | String | | mobile-device-blocked |
| | SkyFormation event category | cat | String | | device-management |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Destination user type | duid | Enum | The type of identifier of the user who owns the blocked device | email, id, username, display-name, system, anonymous |
| | Destination user | duser | String | The identifier/name of the user who owns the blocked device | |
| | Target Device id | deviceExternalId | String | | |
| | Target Device type | deviceFacility | String | | |
| | Reason | reason | String | The reason the device was blocked | |
Mobile device unblocked
This event is sent when a mobile device previously blocked from use within the organization is unblocked.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-mobile-device-unblocked |
| | SkyFormation event name | name | String | | mobile-device-unblocked |
| | SkyFormation event category | cat | String | | device-management |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Destination user type | duid | Enum | The type of identifier of the user who owns the unblocked device | email, id, username, display-name, system, anonymous |
| | Destination user | duser | String | The identifier/name of the user who owns the unblocked device | |
| | Target Device id | deviceExternalId | String | | |
| | Target Device type | deviceFacility | String | | |
| | Reason | reason | String | The reason the device was unblocked | |
Mobile device deleted
This event is sent when a mobile device previously approved for use within the organization has been deleted from the records.
| Mapped To | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-mobile-device-deleted |
| | SkyFormation event name | name | String | | mobile-device-deleted |
| | SkyFormation event category | cat | String | | device-management |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Destination user type | duid | Enum | The type of identifier of the user who owns the deleted device | email, id, username, display-name, system, anonymous |
| | Destination user | duser | String | The identifier/name of the user who owns the deleted device | |
| | Target Device id | deviceExternalId | String | | |
| | Target Device type | deviceFacility | String | | |
| | Reason | reason | String | The reason the device was deleted | |
Mobile device undeleted
This event is sent when a mobile device that was previously approved for use within the organization and then deleted from the records has been undeleted.

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-mobile-device-undeleted |
| | SkyFormation event name | name | String | | mobile-device-undeleted |
| | SkyFormation event category | cat | String | | device-management |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Destination user type | duid | Enum | The type of identifier of the user who owns the undeleted device | email, id, username, display-name, system, anonymous |
| | Destination user | duser | String | The identifier/name of the user who owns the undeleted device | |
| | Target Device id | deviceExternalId | String | | |
| | Target Device type | deviceFacility | String | | |
| | Reason | reason | String | The reason the device was undeleted | |
Mobile device wiped
This event is sent when a mobile device’s content has been wiped.

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-mobile-device-wiped |
| | SkyFormation event name | name | String | | mobile-device-wiped |
| | SkyFormation event category | cat | String | | device-management |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Destination user type | duid | Enum | The type of identifier of the user who owns the wiped device | email, id, username, display-name, system, anonymous |
| | Destination user | duser | String | The identifier/name of the user who owns the wiped device | |
| | Target Device id | deviceExternalId | String | | |
| | Target Device type | deviceFacility | String | | |
| | Reason | reason | String | The reason the device was wiped | |
Mobile device unwiped
This event is sent when a mobile device’s content that was previously wiped has been unwiped.

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-mobile-device-unwiped |
| | SkyFormation event name | name | String | | mobile-device-unwiped |
| | SkyFormation event category | cat | String | | device-management |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Destination user type | duid | Enum | The type of identifier of the user who owns the unwiped device | email, id, username, display-name, system, anonymous |
| | Destination user | duser | String | The identifier/name of the user who owns the unwiped device | |
| | Target Device id | deviceExternalId | String | | |
| | Target Device type | deviceFacility | String | | |
| | Reason | reason | String | The reason the device was unwiped | |
Category: Integration
This category includes events that describe integration changes.
Integration Added
This event is sent when a new third-party integration with the governed account is added.

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-integration-added |
| | SkyFormation event name | name | String | | integration-added |
| | SkyFormation event category | cat | String | | integration |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Integration id | fileId | String | The integrated app id in the cloud app native syntax | |
| | Integration name | fname | String | The integrated app name in the cloud app native syntax | |
Integration Deleted
This event is sent when a third-party integration with the governed account is deleted.

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-integration-deleted |
| | SkyFormation event name | name | String | | integration-deleted |
| | SkyFormation event category | cat | String | | integration |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Integration id | fileId | String | The integrated app id in the cloud app native syntax | |
| | Integration name | fname | String | The integrated app name in the cloud app native syntax | |
Integration Blocked
This event is sent when a third-party integration with the governed account is blocked.

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-integration-blocked |
| | SkyFormation event name | name | String | | integration-blocked |
| | SkyFormation event category | cat | String | | integration |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Integration id | fileId | String | The integrated app id in the cloud app native syntax | |
| | Integration name | fname | String | The integrated app name in the cloud app native syntax | |
Integration Unblocked
This event is sent when a third-party integration with the governed account is unblocked.

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-integration-unblocked |
| | SkyFormation event name | name | String | | integration-unblocked |
| | SkyFormation event category | cat | String | | integration |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Integration id | fileId | String | The integrated app id in the cloud app native syntax | |
| | Integration name | fname | String | The integrated app name in the cloud app native syntax | |
Integration Updated
This event is sent when the configuration of a third-party integration with the governed account is updated. The changed property is named in cs3, and its old and new values are carried in the typed pair that matches the property's data type (integer, floating point, string or date).

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-integration-updated |
| | SkyFormation event name | name | String | | integration-updated |
| | SkyFormation event category | cat | String | | integration |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Integration id | fileId | String | The integrated app id in the cloud app native syntax | |
| | Integration name | fname | String | The integrated app name in the cloud app native syntax | |
| | Updated property name | cs3 | String | The name of the integrated app property/category that changed | |
| | New number value | cn1 | Integer | The new integer value of the updated property | |
| | Old number value | cn2 | Integer | The old integer value of the updated property | |
| | New floating point value | cfp1 | Floating point | The new floating point value of the updated property | |
| | Old floating point value | cfp2 | Floating point | The old floating point value of the updated property | |
| | New string value | cs1 | String | The new string value of the updated property | |
| | Old string value | cs2 | String | The old string value of the updated property | |
| | New date value | deviceCustomDate1 | Date | The new date value of the updated property | |
| | Old date value | deviceCustomDate2 | Date | The old date value of the updated property | |
Category: Identity Service
This category describes identity provider events.
Single-Sign-On Access Initiated
This event is sent when a single-sign-on access flow is initiated.

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-sso-access-initiated |
| | SkyFormation event name | name | String | | sso-access-initiated |
| | SkyFormation event category | cat | String | | identity-service |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Application id | fileId | String | The service provider application ID | |
| | Application name | fname | String | The service provider application name | |
| | SSO type | cs1 | String | | web, SAML2 |
| | SSO initiator | cs2 | String | The party that initiated the SSO process | Identity Provider (IdP), Service Provider (SP) |
Category: Audit
This category includes events that are not modeled elsewhere in this document.
Audit event
This event is sent when an unknown event occurs, i.e. one that is not modeled in this document.

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-audit |
| | SkyFormation event name | name | String | | audit |
| | SkyFormation event category | cat | String | | integration |
Category: Network Traffic
This category describes firewall related events.
SkyFormation Network Traffic Class Fields
Shared by all Network Traffic class events and mapped to CEF extension fields.

| Full Name | CEF Key Name | Data Type | Meaning | Value |
|---|---|---|---|---|
| Start time | start | Date | | |
| End time | end | Date | | |
| Source device ID | cs1 | String | Network interface ID | |
| Source device name | cs2 | String | Network interface name | |
| Source machine ID | deviceExternalId | String | Machine ID | |
| Source machine name | dvchost | String | Machine name | |
| Source account ID | cs3 | String | Service account ID | |
| Source account name | cs4 | String | Service account name | |
| Context | requestMethod | String | Identifier of the resource scope, e.g. AWS’s log stream ARN | |
| Security Group ID | cs5 | String | Identifier of the Network Security Group or Security Group | |
Traffic Flow
This event is sent for every inbound and outbound traffic event.

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-traffic-flow |
| | SkyFormation event name | name | String | | traffic-flow |
| | SkyFormation event category | cat | String | | network-traffic |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
| | Source IP | src | IPv4 / IPv6 | | |
| | Source port | spt | Integer | | |
| | Destination IP | dst | IPv4 / IPv6 | | |
| | Destination port | dpt | Integer | | |
| | Traffic direction | deviceDirection | Integer | Direction of the flow: 0 for inbound and 1 for outbound | 0, 1 |
| | Protocol | proto | String | Communication protocol | |
| | Firewall action | act | Enum | | accept, reject |
| | Number of packets | cn1 | Integer | Number of packets sent or received | |
| | Number of inbound bytes | in | Integer | Number of bytes received | |
| | Number of outbound bytes | out | Integer | Number of bytes sent | |
No Traffic
This event is sent after a communication quiet period, i.e. a time period with no inbound or outbound communication.

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-no-traffic |
| | SkyFormation event name | name | String | | no-traffic |
| | SkyFormation event category | cat | String | | network-traffic |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
Traffic Logging Skipped
This event is sent after a time period in which traffic data was not audited, usually as a result of a failure.

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-traffic-logging-skipped |
| | SkyFormation event name | name | String | | traffic-logging-skipped |
| | SkyFormation event category | cat | String | | network-traffic |
| SkyFormation Application Class Fields | Entire Available Fields | | | | |
Category: Monitoring
This category describes monitoring related events.
Note: events in this category do not carry the common base attributes.
Metric Alert
This event is sent for every metric rule alert.

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-metric-alert |
| | SkyFormation event name | name | String | | metric-alert |
| | SkyFormation event category | cat | String | | monitoring |
| | Reason | reason | String | The reason for the alert, in the cloud app's syntax | |
| | Metric friendly name | fname | String | Name assigned by the person who created the metric | |
| | Metric formal name | filePath | String | Metric name provided by the cloud app | |
| | Metric namespace | requestContext | String | | |
| | Metric operator | act | String | | |
| | Metric threshold | cfp1 | Float | | |
| | Time period | cfp2 | Float | | |
| | Time unit | fileHash | String | | seconds |
Category: Security Alert
This category describes security alerts events.
Security Threat Detected
This event is sent when a security service/tool detects a threat, such as malware or an IOC. In the Full Name column, "(SkyFormation)" marks a value normalized by SkyFormation and "(Source)" a value passed through from the detecting service.

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | (SkyFormation) Event ID | signature ID | String | | sk4-security-threat-detected |
| | (SkyFormation) Event name | name | String | | security-threat-detected |
| | (SkyFormation) Event category | cat | String | | security-alert |
| Detection Details | (SkyFormation) Threat category | dpriv | String | | DLP, MALWARE, PUA_PUP, THREAT_DETECTION, COMPLIANCE, METRIC, ADVISORY, SPAM, UNSAFE_LINKS, ANOMALY, PHISH, IMPOSTOR, COMPROMISED_CREDENTIALS, UNCATEGORIZED |
| | (SkyFormation) Confidence level | cn3 | Number | | |
| | (Source) Detection engine name | requestContext | String | | |
| | (Source) Threat subclass / Policy sub class | app | String | | |
| | (Source) Threat/policy name | proto | String | | |
| | (Source) Threat/policy id | dpid | String | | |
| | (SkyFormation) Violating / Non violating | cn1 | Boolean | | |
| Suspicious/Triggering resource | (Source) Suspicious/triggering resource name | fname | String | | |
| | (SkyFormation) Suspicious/triggering resource Type | fileType | String | | |
| | (Source) Suspicious/triggering resource ID | filePath | String | | |
| | (Source) Suspicious resource hash value | fileHash | String | | |
| | (Source) Suspicious resource hash Type | filePermission | String | | |
| | (Source) Suspicious resource parent (process) name | deviceProcessName | String | | |
| | (Source) Suspicious resource parent (process) hash value | deviceFacility | String | | |
| | (Source) Suspicious resource parent (process) ID | spid | String | | |
| | (Source) Details of the suspected/triggering resource | reason | String | | |
| | (SkyFormation) Suspicious/triggering resource related resource type | oldFile | String | | |
| | (Source) Suspicious/triggering resource related resource name | fieldId | String | | |
| | (Source) Suspicious/triggering resource related resource id | oldFileName | String | | |
| Affected/Source device details | (SkyFormation) Affected/Source Device Category | dvchost | String | | |
| | (Source) Affected/Source Device Name | extenralID | String | | |
| | (Source) Affected/Source Device Id | Ignore | String | | |
| | (Source) Affected/Source Device IP | src | String | | |
| | (Source) Affected/Source Device MAC | deviceMacAddress | String | | |
| | (Source) Affected/Source Device OS | deviceNtDomain | String | | |
| | (Source) Affected/Source Device OS version | deviceDnsDomain | String | | |
| | (Source) Affected/Source Device Country | shost | String | | |
| | (Source) Affected/Source Device City | deviceExternalId | String | | |
| | (Source) Affected/Source Device Latitude | cfp3 | Number | | |
| | (Source) Affected/Source Device Longitude | cfp4 | Number | | |
| Remote IPs | (Source) Remote IPs involved in the threat/alert | dpt | String | | |
| Suspicious Action | (SkyFormation) Triggering action | act | String | | |
| | (SkyFormation) Triggering action status | deviceDirection | String | | |
| | (Source) Triggering action status msg | sourceDnsDomain | String | | |
| Actor | (SkyFormation) Actor type | sntdom | String | | |
| | (SkyFormation) Actor Identifier Type | suid | String | | |
| | (Source) Actor Identifier | suser | String | | |
| | (SkyFormation) Delegated Identifier type | spriv | String | | |
| | (Source) Delegated Identifier | sproc | String | | |
| Target Resource | (SkyFormation) Target Resource Type | oldFileType | String | | |
| | (Source) Target Resource Name | oldFilePath | String | | |
| | (Source) Target Resource hash Type | oldFileId | String | | |
| | (Source) Target Resource hash value | oldFileHash | String | | |
| Target Device | (Source) Target Host Name | dhost | String | | |
| | (SkyFormation) Target Device Category | destinationTranslatedAddress | String | | |
| | (Source) Target IP | dst | String | | |
| | (Source) Target MAC | dmac | String | | |
| | (Source) Target Country | dntdom | String | | |
| | (Source) Target City | destinationDnsDomain | String | | |
| | (Source) Target Latitude | cfp1 | Number | | |
| | (Source) Target Longitude | cfp2 | Number | | |
| Target User | (Source) Target User Identifier | duser | String | | |
| Remediation Action Taken, Result, Recommended Action to take | (SkyFormation) Remediation Action Taken | outcome | String | | |
| | (Source) Remediation action result | cn2 | Number | | |
| | (Source) Recommended Action | requestedMethod | String | | |
Compromised Credentials
This event is sent when a detection source reports that a principal's (e.g. a user's) credential has been found to be compromised (e.g. it was part of a breach).

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-compromised-credentails |
| | SkyFormation event name | name | String | | compromised-credentails |
| | SkyFormation event category | cat | String | | security-alert |
| | Detected By | cs1 | String | Name of the underlying application/service that detected the incident, e.g. Office365’s ATP | |
| | Reason | cs2 | String | Verbose reason for why this alert was triggered | |
| | Credential Type | cs3 | String | Type of the credential that was exposed | password, private-key |
Spoof Mail
This event is sent when a detection source reports that an email was sent from a spoofed address.

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-spoof-mail |
| | SkyFormation event name | name | String | | spoof-mail |
| | SkyFormation event category | cat | String | | security-alert |
| | Detected By | cs1 | String | Name of the underlying application/service that detected the incident, e.g. Office365’s ATP | |
| | True Sender Email | cs2 | String | Real email address of the sender | |
| | True Sender IP | cs3 | String | Real IP address of the sender | password, private-key, other |
| | Action | act | String | Action that was taken on this email | block, other |
Anomalous SignIn
This event is sent when a detection source determines that a sign-in activity is anomalous, e.g. after multiple failures, from an IP with suspicious activity, from a device that might be infected, from multiple geographies at implausible time differences, from an unknown source (IP), or because it is irregular/atypical for the user’s normal patterns.

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-anomalous-signin |
| | SkyFormation event name | name | String | | anomalous-signin |
| | SkyFormation event category | cat | String | | security-alert |
| | Detected By | cs1 | String | Name of the underlying application/service that detected the incident, e.g. Office365’s ATP | |
| | Reason | cs2 | String | Verbose reason for the trigger | Signins From Unknown Source:signins Count=3 |
General Alert
This event is similar to the [SkyFormation Audit Event](#Audit Event), except that instead of carrying general raw events from cloud applications/services it carries alerts ingested from the underlying cloud applications/services, e.g. an Azure log-analytics custom alert rule that was triggered.
We recommend using this general event only to become familiar with the alerts. Whenever a general alert from a specific source should be used for further correlation, please contact support@skyformation.com to explore creating a dedicated modeled alert from it.

| Field Group | Full Name | CEF Key Name | Data Type | Meaning | Value/s |
|---|---|---|---|---|---|
| SkyFormation Header Fields | SkyFormation event ID | signature ID | String | | sk4-general-alert |
| | SkyFormation event name | name | String | | general-alert |
| | SkyFormation event category | cat | String | | security-alert |
| | Name | cs1 | String | Name of the alert as configured in the underlying application, e.g. my-custom-alert-1 | |
| | Description | cs2 | String | Verbose reason for the trigger | |