If you're having trouble at any stage please contact us at support@skyformation.com.
Preface
The below table details the SkyFormation app changes per release (aka release notes).
SkyFormation app "Release Notes"
Version: 2.4.113
| Fixes | |
|
OpenAPI / Accounts create and update - support account authn. Adding structure of 2.3.x as well as 2.4.x in requests input for backwards compatibility (response is always 2.4.x format) |
|
Version: 2.4.112
This is a major release with important SkyFormation platform internal/infrastructure changes.
We highly recommend on reading this https://support.skyformation.com/hc/en-us/articles/360024437653-New-SkyFormation-platform-2-4-X-changes-additions-overview 2.4 major changes overview page before you upgrade your SkyFormation instance to this new version.
| Enhancements / New Features | |
| *** New connector *** - Tenable IO | See : https://support.skyformation.com/hc/en-us/articles/360024409554-SkyFormation-for-Tenable-io-Connector-Overview |
| *** New connector *** - Symantec SEP mobile | See: https://support.skyformation.com/hc/en-us/articles/360022937514-SkyFormation-for-Symantec-Endpoint-Protection-Mobile-SEP-Mobile-Connector-Overview |
| *** New connector *** - Cisco Umbrella connector using the Cisco managed S3 bucket | For customers with their own AWS the SkyFormation Custom connector with Cisco Umbrella parser is recommended for high volume deployments. Please contact support@skyformation.com for more information |
| *** New connector *** - Palo Alto Aperture (CASB) | See: https://support.skyformation.com/hc/en-us/articles/360022203334-SkyFormation-for-Palo-Alto-Aperture-Connector-Overview |
| AWS connector - Support assume-role and instance-profile authentication methods | See: https://support.skyformation.com/hc/en-us/articles/211318969-Adding-AWS-Connector-To-SkyFormation-Platform for information on how to use any of these two new authentication methods. |
| Centrify connector - Support automatic token renewal in authentication scheme | Different authentication credentials are needed |
| Office365 connector - New Graph endpoints for Azure AD events (read carefully the notes section at the right side) |
Background
Two audit sources (aka endpoints) supported for a long time by the Office365 connector are:
* sigins-events
* audit-events
These endpoints include the main Azure AD important events as the login events and many others.
Microsoft have decided to add two new endpoints that would eventually replace the former for the Azure AD events. The new endpoints names are identical to the former and are available as part of the Graph API.
Meanwhile the former endpoints are still working but it seems they will be removed at some point (already removed from the Office 365 docs).
To make the two sets of endpoints (former and new) easily distinguished (having the same names) the new Office 365 connector renamed the former endpoints to:
* sigins-events deprecated
* audit-events deprecated
and the new one are named as-is, like the former.
Events compatibility challenge and SkyFormation fix
The two new endpoints do not keep events structure compatibility with the two former endpoints.
SkyFormation Office 365 connector however includes mapping of the new Azure AD events from the new two endpoints into the same events SkyFormation unified events structure used in two former endpoints.
It means for you that if your detection rules/monitors are using the SkyFormation unified events fields for events coming from these endpoints switching between the two former endpoints with the new one will have no impact on your rules/monitors!!!
Events duplication challenge and recommended solution
Since the new connector supports both former and new set of endpoints, if you will enable both sets you will get duplicated Azure AD events at your SIEM.
So we recommend on doing the following:
a. Give the needed permissions (see below)
* The two new endpoints are enabled by default and they will start working as soon as permission is granted
b. Disable the two old endpoints
c. Validate your rules/monitors using the Azure AD events works as expected.
You could do this process at your convenience but knowing the former endpoints could and would probably be removed we recommend on doing this switch soon.
How to enable the two new endpoints
To be able to get events from the two new endpoints you should add a new Graph API permission (
Microsoft Graph -> AuditLog.Read.All) to the Azure app used by the Office 365 connector.
see:
|
| Azure connector - Support authentication using ClientID + Certificate | See https://support.skyformation.com/hc/en-us/articles/211322249-Adding-Azure-Connector-To-SkyFormation-Platform |
| Office365 connector - Support authentication using ClientID + Certificate | See https://support.skyformation.com/hc/en-us/articles/211709705-Adding-Office-365-Connector-To-SkyFormation-Platform |
| GCP connector - Support GCP security center service | New audit endpoint |
| AWS connector - Support Shield and Inspector services | Using two new audit endpoints |
| Event Modeling | |
|
** Breaking compatibility change ** Adding to the entire SkyFormation events two new dimensions of: |
The CEF fields used now for these two new dimensions have been used in the following two SkyFormation unified events only: 1) Security Threat Detected 2) Traffic Flow Event So in case your detection rules/monitors are using any of the above two events at the specific connectors detailed above for each please consult with us at support@skyformation.com and we will guide you on how to upgrade safely and have no compatibility issues. |
|
New Skyformation Open-Api : version |
https://support.skyformation.com/hc/en-us/articles/360024610413-Version-API |
Version: 2.3.148
| Enhancements / New Features | |
| Azure connector/Azure Storage Analytics endpoint - Split the single endpoint into endpoint per storage account for granular control | |
| Event Modeling | |
| Okta connector - Map additional user type "AppUser" | |
| Fixes | |
| Office 365 connector/Graph identity protection endpoint - Handle cases where location field is missing or broken | High if the endpoint is in use in your environment |
| Office 365 connector - If an error occur while process an event the original JSON will be sent to SIEM in cs6 | In some cases instead of the original event in cs6 the java class error would be placed as raw |
| Office 365/Azure AD events - Handle multiple event formats for same event | |
| Azure connector/Azure Storage Analytics endpoint - Support national cloud | |
| Symantec WSS connector (High) - Better handle the API throttling restrictions | |
| Carbon Black connector (Critical) - Comply with the API throttling restrictions | |
Version: 2.3.140
| Enhancements / New Features | |
| AWS connector - Support Redshift events |
|
Version: 2.3.139
| Enhancements / New Features | |
| Custom connector:pass-through processor only -Add an option to filter out (not send to SIEM) some retrieved events, using config file |
|
| Symantec WSS - Add to the webapp an option to filter out (not send to SIEM) some retrieved events |
|
| Event Modeling | |
| Rapid7 InsightVM connector - Mapping the string "vulnerability detected" to CEF flexString1 field (native action name field) | |
| Custom connector - Cisco Umbrella processor - Support the new Cisco Umbrella data structure (version 4) | |
| Fixes | |
| Azure connector (high) - Support SSL in the iaas-storage-analytics |
If any of your storage accounts is configured to force SSL connection you must update to our latest version. |
Version: 2.3.137
| Enhancements / New Features | |
| New connector - Rapid7 InsightVM |
For more information see: |
| Event Modeling | |
| Fixes | |
| AWS connector - Handle invalid/unknown values | |
Version: 2.3.135
| Enhancements / New Features | |
| New connector - CB (Carbon Black) Defense | For more information see: https://support.skyformation.com/hc/en-us/articles/360019656833-SkyFormation-for-CB-Carbon-Black-Defense-Connector-Overview |
| AWS connector - Add CloudWatch Logs retrieval using S3 bucket | |
| Reduce default "max recovery period" settings from 7 days to 1 day | |
| Azure connector - Azure Security Center alerts retrieved via iaas-events (aka Activity Log) endpoint | Also accessible via EventHub if the Activity Log (iaas-events API) is forwarded to it and fetched. |
| Custom connector - Allow pre-processing of events using Sawmill syntax | See https://github.com/logzio/sawmill/wiki for syntax information |
| Event Modeling | |
| WSS connector - Network flows events modeled | |
| Fixes | |
| G-Suite - Handle too large response (responseTooLarge) API error | |
| DUO connector - Handle users pagination | |
Version: 2.3.130
| Enhancements / New Features | |
|
Support Azure National Clouds (aka Sovereign clouds) () Azure AD for US Government () Azure AD Germany () Azure AD China operated by 21Vianet |
Any existing SkyFormation for Azure connectors will keep on using the default Azure AD (Global service) and will have no impact. The default Azure National Clouds choose in a new SkyFormation for Azure connectors is the standard Azure AD (Global service).
For information on how to configure your SkyFormation for Azure connector to support any of the Azure National Clouds (not the global service) please refer to: |
| New connector - Symantec Web Security Service (WSS) | Connector Overview: https://support.skyformation.com/hc/en-us/articles/360018684393-SkyFormation-for-Symantec-Web-Security-Service-WSS-Connector-Overview |
| Custom connector - Support Parquet file format | |
| Fixes | |
| AWS connector - Handle undocumented entities | |
| DUO connector - Users sync | |
| (Medium) All connectors - Event duplication | Low probability |
Version: 2.3.120
| Enhancements / New Features | |
| New connector - Symantec Email Security.cloud (aka MessageLabs) | Connector overview: https://support.skyformation.com/hc/en-us/articles/360018542394-SkyFormation-for-Symantec-Email-Security-cloud-Connector-Overview |
| Fixes | |
| CrowdStrike FDR - Streamline performance | Bucket region automatically detected |
| Platform - Restrict concurrency | |
Version: 2.3.111
| Enhancements / New Features | |
| New Connector - CylanceProtect |
Connector overview: How-to add the connector guide:
|
| New Connector - Slack Enterprise Grid |
Connector overview: How-to add the connector guide: |
| CrowdStrike FDR - New endpoint in the CrowdStrike connector | |
| G-Suite connector - Allow settings of page size in endpoint level | Email support@skyformation.com for settings steps if needed. |
| Open API - Support setting to send all events collected by connectors directly to SIEM and bypass SkyFormation internal database. |
NOTE: Feature added for improved performance but will remove the SkyFormation app console feature. To use the new setting see the new ConnectorSyncSettings needed at: And how to use it guide at: |
| Reduce number of license validation calls to SkyFormation cloud service | |
| Add the indication of the tenant id in SkyFormation web app | Relevant for the SkyFormation multi-tenant edition and is available in the tenant settings page in the SkyFormation web app. |
| Events Modeling | |
|
Breaking compatibility change ! Replace the policy-checked unified event with a new security-threat-detected event. |
Impact background: 1. policy-checked event was introduced in SkyFormation version 2.3.84 released at 2. Impacted connectors/endpoints For a more detailed explanation on the change please see: |
| CrowdStrike connector - Parse the source event time and action name to the unified events | |
| Fixes | |
| All connectors - Extension fields with whitespace in name not sent | |
| AWS connector - Fix the AWS Macie endpoint (added SQS URL configuration) | |
| Remove the htaccess file from the deployment | The file is a remaining of an old web server not used for a long time and has no security implications when exist. |
| Office 365 connector - Fix parsing of events collected from few graph APIs with security threats and anomalies alerts |
|
Version: 2.3.92
| Fixes | |
| Okta connector security vulnerability is fixed. |
The fix was introduced in SkyFormation 2.3.84 version. The vulnerability is that the Okta token is sent to the Okta cloud service for authentication in the HTTP user-agent which might be stored by intermediate devices as proxies. In case your SkyFormation app version used is 2.3.84 or higher and you use a SkyFormation for Okta cloud connector we recommend on doing the following: a. Upgrade your SkyFormation app instance to the latest version b. Create a new Okta API key and configure your Okta cloud connector to use the new token. Invalidate the former token. |
Version: 2.3.91
| Enhancements / New Features | |
| New connector - Prooftpoint ATP | See: SkyFormation for Proofpoint ATP Connector Overview |
| Events Modeling | |
| Cisco AMP: Add modeling for "install started", "install failed", "multiple injected files" | |
| Sophos cloud: Model additional alerts and events | |
| Fixes | |
| Cisco AMP: Add region to the connector's credentials when not US region account is used | |
Version: 2.3.87
|
Fixes
|
|
| G-Suite connector - Changing the way we retrieve events from the APIs (from time ranges to cursor) for better stability | NOTE: After upgrading the last 24hours events will be synced again once. |
Version: 2.3.86
|
Enhancements / New Features |
|
| New connector - Netskope |
See the overview page in here. See the "how-to-add" guide in here. |
|
Events Modeling |
|
| LastPass connector - New event modeling - Require Password Change, Destroy All Sessions, Remove from Group, Account lockout, | |
|
Fixes |
|
| Updated existing connectors with new endpoints will now show-up | |
| Handle the case where connectors with cursors when API return null cursor | |
Version: 2.3.84
|
Enhancements / New Features |
|
| New connector - LastPass Enterprise |
For more information please see: |
| New connector - Cisco AMP |
For more information please see: |
| New connector - Centrify Cloud | For more information please see: https://support.skyformation.com/hc/en-us/articles/360012448994-SkyFormation-for-Centrify-Connector-Overview |
| Okta - New API (aka endpoint) "System Logs" support added (*** Endpoints are all disabled by default. Please enable the one you need) |
Important note on your API change impact: SkyFormation ensure the events retrieved from the new API in case same event as the one retrieved from the former API are mapped to the same SkyFormation unified events structure. If you already have any detection rules/monitor/analysis runing on the Okta event from the former API most likely you will see minimal to no impact. Please validate after using the new API to make sure. Currently none active by default (endpoint). It comes to replace the former API "Events" that is about to be deprecated soon. Important note on migration to new API: 2) For customers with Okta accounts: Please enable the API/endpoint you need. |
|
Events Modelling |
|
| content-inspected SkyFormation unified event (mostly for Malware & DLP events) is now modelled as policy-checked. |
Events changed by connector: |
|
Fixes |
|
| Salesforce connector - Reduce memory consumption when collecting Event Log File API/endpoint events. | |
Version: 2.3.82
|
Enhancements / New Features |
|
| Citrix ShareFile connector - Support oAuth2 interactive authorization | |
|
Events Modelling |
|
| Salesforce connector - Model suOrgAdminLogin event | |
|
Salesforce connector - fix processing of loginHistory event via mobile app |
|
|
Fixes |
|
| Salesforce connector - Fix field history processing | |
| AWS connector - Event retrieved from GuardDuty are also the updated findings (not only the created findings) | |
Version: 2.3.77
|
Enhancements / New Features |
|
| tenant id is now sent to the SkyFormation health service from SkyFormation apps | |
| Improving the connectors concurrency handling | Better performance and lower risk of event lose |
| Support AWS Kinesis for events retrieval of CloudWatch logs | NOTE: existing CloudWatch Logs endpoints will fail upon upgrade. See to this guide for required setup process |
| Support AWS SQS for event retrieval in the custom connector | Full events should reside in the SQS |
|
Events Modelling |
|
| Align with the new Office 365 management API modeling changes | |
| web-app added as a resource type in resource-event | |
| AWS GuardDuty alert description is mapped into the SkyFormation general alert description event | |
| AWS GaurdDuty raw event (CEF cs6 field) is coming as JSON | |
| Azure blob object is not mapped as file type not blob (CEF fileType) | |
| Adding native action name to the Azure storage analytics events (e.g. blob events) | In CEF flexString1 |
| Azure blob events present now the blob name without its full path | |
|
Fixes |
|
| Office 365 login-success with action named "saassuccess" were incorrectly mapped to login-failure | |
| Office 365 API error handling improvements | More resilient to API break |
| Office 365/OneDrive filename parsing error in ACL update events | |
| Custom connector when using Windows processor an empty JSON is not required now | |
Version: 2.3.53
|
Enhancements / New Features |
|
| Task management better handle large number of accounts (aka connectors). | |
|
Events Modeling |
|
| Azure NSG rule change event include new fields. | |
|
Fixes |
|
| Citrix ShareFile event date parsing. | |
| Start/Stop account's endpoint button behaviour. | |
Version: 2.3.51
|
Enhancements / New Features |
|
|
New Sophos Central connector |
See more details at: |
|
New Citrix ShareFile connector |
See more details at: |
|
Support account (aka connector) export and import via OpenAPI |
Allow SkyFormation account migration between SkyFormation instances. |
|
Events Modeling |
|
| Azure NSG rules modelled when target is also ASG | |
|
Fixes |
|
| Azure flow logs data retrieval error. | |
| Azure enrichment failure on Azure apps due to API changes. |
|
| Office 365 file share event aligned with new Microsoft event structure. | |
| Azure AD role assigned and unassigned share event aligned with new Microsoft event structure. | |
| Fix session timeout. | |
Version: 2.3.40
|
Events Modeling |
|
| New event's "Properties Bag" added to the entire SkyFormation's events. |
The "Properties Bag" includes the entire raw key/values automatically parsed and added as key-value pairs at the end of the events. Please make sure to carefully read our "Properties Bag" overview guide before start using it for monitoring/detection. |
|
Fixes |
|
| Entire connectors (Medium): Better handle connection closing. | Mostly affect Office 365 and Azure connectors in heavy load deployments. |
| When SIEM integration in SkyFormation is configured to send events as JSON some endpoints still used CEF encoding |
|
Version: 2.3.35
|
Enhancements / New Features |
|
|
G-Suite connector: Open API allows scopes to be optional (using default scopes now). |
|
|
SkyFormation webapp: Allow "cancel" in account edit page. |
|
|
Events Modeling |
|
| G-Suite connector: Model Google Group permission changed | |
| Box connector: SkyFormation events from Box will now extract from the Box events the user identity type to "email" type and not "username". | |
|
Box connector: SkyFormation events from Box when source user is "unknown" but exist in raw event will be correctly extracted. |
Exist in some login success and failed events. |
| Box connector: Model FILE_MARKED_MALICIOUS event as "content-inspected". | |
| Box connector: Model ITEM_SHARED_UPDATE event as "resource-acl-updated". | |
| Box connector: Enrich file related events with the file exposure scope (e.g. public exposed, password protected...). | |
| Box connector: Model COLLABORATION_REMOVE and COLLABORATION_ROLE_CHANGE events | |
| Box connector: Raw data (cs6) is now send as JSON object not string. | |
| Box connector: Model MOVE event. | |
| G-Suite connector: Model CREATE_DATA_TRANSFER_REQUEST, ENABLE_API_ACCESS, ADD_DOMAIN_ALIAS, CHANGE_ORGANIZATION_NAME, TOGGLE_SERVICE_ENABLED, FAILED_PASSWORD_ATTEMPTS_EVENT |
|
| G-Suite connector: Raw data (cs6) is now send as JSON object not string. | |
| G-Suite connector: Add ClientInformation.Device.model in CEF. | |
| Okta connector: Fix extraction of source user in a failed login events where source user is specified in a different place. | |
|
Fixes |
|
| G-Suite: SkyFormation Open API history tables enabled is now optional. | |
| (Critical bug fixed) Office 365 connector: Fix regression introduced at v2.3.31 that could cause events lose in Management Activity API in high load. |
|
| Office 365 connector: Fix pagination handling. | |
| SkyFormation webapp: Fix account deletion freeze in UI. | |
| SkyFormation webapp: Fix UI failure if "test connection" is pressed before "Done" when adding /editing account. | |
| SkyFormation webapp: When creating new account choosing "tenant" and "application" is now mandatory before account is created. | |
Version: 2.3.31
|
Enhancements / New Features |
|
|
Office 365: Support Microsoft Cloud App Security API (MCAS) |
|
|
Box connector: Change time to retrieve event to 10 minutes |
Due to API limits on business edition |
|
Events Modeling |
|
| Azure connector: Add subscription id andname to the Azure iaas-events, OMS, NSF flow logs and iaas-storage endpoints/audit sources | |
| Azure connector: Model event of audit policy changed on Azure SQL server | |
| Azure connector: Add name of service principle | |
| Azure connector: Model key vault events | |
| Box connector: Extract source event type | |
|
Fixes |
|
| Fix the SkyFormation support in proxy mode (deploy and run behind proxy) | |
| Fix timeout issue in Azure Event Hub endpoint | |
| Handle duplicated Office 365 events | Caused by the bug introduced at some of Office 365 management activity API |
Version: 2.3.23
|
Enhancements / New Features |
|
|
G-Suite connector: Reduce the permissions needed by the connector. |
For service account configuration guide with reduced scope please see: https://skyformation.zendesk.com/hc/en-us/articles/360000951194-Creating-a-Service-Credentials-Json-file- |
| Azure connector: Adding new mechanism to aggregate information across correlated events (e.g. start, accepted, ended) and send all in final event |
All intermediate events will be sent as audit-events, a final, modelled, event will be send with all the data collected for it. |
| Azure connector: Add support of Event Hub with source input from Activity Log, to parse and model Azure Security Center events as general-alert events | |
| Box connector: Improve events retrieval time |
Reduced from 15 to 3 minutes * Increase API call frequency from 10 minutes to 2 minutes intervals. |
|
Events Modeling |
|
| Azure connector: New identity enrichment mechanism | Enrich all identity types via their respective objectId to deduce it types (User, Group, Application, Service Account) and add their full info |
| Azure connector: New events modelling: SQL server admin created/deleted/updated, SQL server, SQL server auditing policy change, SQL server firewall rules write | |
| Azure connector: Accepted status in events translated now to SkyFormation InProgress status. | |
| G-Suite: Model the G-Suite event names to SkyFormation flexString1 CEF field | |
| G-Suite: New events modeling: group created/deleted/rename, enable/disable allow external members, | |
|
G-Suite: New event modeling: USERS_BULK_UPLOAD, USERS_BULK_UPLOAD, REVOKE_3LO_DEVICE_TOKENS, |
|
| Fix: All connectors: In user-updated events where information about the change is missing a modelled event will be sent. | |
| SkyFormation cs6 field is now the last one in event message | Reduce likelihood of other fields truncation |
| Box connector: Model the Box event type to SkyFormation flexString1 CEF field | |
| Github connector: Support authentication using token | |
| Azure connector: Put app ID in suser for Azure Service Principle when app name does not exist/available | When actions are triggered by a Service Principal the action's CEF suser will be occupied by the SP's id |
|
Fixes |
|
| Google Cloud, Box and G-Suite connectors: Account JWT JSON not sent to client now. Presented as password. | |
| Azure connector: Increase events retrieval time in Azure iaas-events endpoint from 1 minute to 10 minutes due to some late arriving events in endpoint | |
| CrowdStrike connector (Critical): Connector stopped syncing after first sync | |
| Event modeling events: In user-updated events where user information about the change does not exist N/A | |
Version: 2.3.8
|
Enhancements / New Features |
|
|
New cloud connector for GitHub version control service |
|
|
Azure connector: Support Azure Event Hub |
|
|
Office 365 connector: Improve events retrieval time of Office DLP management API endpoint |
Reduced from 15 to 5 minutes |
|
Office 365 connector: Improve events retrieval time in signin-events and Management Active Directory endpoints |
Reduced from 15 to 10 minutes |
|
Office 365 connector: Changed the events retrieval time in Management Active Directory endpoint to meet higher API latency encountered |
Changed from 15 to 25 minutes |
|
Egnyte connector: Reduce API calls |
To better handle the provider's API limitations |
|
Azure connector: Improve events retrieval time in Azure storage endpoints |
Reduced from "up to 1 hour" to 10 minutes |
|
Azure connector: Improve events retrieval time in Azure iaas-events endpoints |
Reduced from 15 minutes to 1 minute |
|
G-Suite connector: New endpoints added with un-modeled events: "mobile","calendar","groups","gplus","rules","saml" |
Events are sent as audit-events |
|
G-Suite connector: New endpoint "token" added with modeled events |
Token lifecycle events |
|
DLP enrichment: Adding support in Office 365 |
Classify files uploaded with existing DLP systems |
|
Sales Cloud connector: Optimize number of API calls usage |
|
|
Events Modeling |
|
| Entire events: New property of the app source event ID added to SkyFormation events (deviceInboundInterface in CEF) | Reflect the app source event ID |
| Entire events: General modeling change: New type of grantee added to reflect permissions granted based on another existing permission (e.g. edit file ACL permission granted to anyone with edit file permission) | |
| Entire events:Add to the SkyFormation modeled events the event's end-time timestamp in a new dedicated CEF field called end (aka End Time). | Added for better compatibility with Arcsight CEF parser. Same event timestamp exist already in the event syslog header. |
| SkyFormation Content Inspection event: Includes now the policy violation information in JSON. | |
| Azure: New events modeling: Azure log analytics now include in action field the source action | |
| Office 365: New SAML events modeling: login via ADFS federated token (SAML login type in SkyFormation events) | |
| Office 365: New exchange events modeling: send as, send on behalf, add/remove mailbox permissions, add/remove/modify folder permissions, set permissions to send on behalf, set mailbox forwarding, Add/Set-MailboxRule | |
| Office 365: New exchange modeling: Model another type of malware event from the Exchange Email Protection | |
| SkyFormation login-success event:Add CEF filed with keep-user-signed-in indication. | Added to Office 365 Management Active Diretory endpoint signin event. Add to CEF cn1 |
| G-Suite: New events modeling: Login challenge, create/revoke token, file move, change ACL | |
| G-Suite: Fix events modeling: G-Suite events modeling: change_user_access is modelled now as sk4-resource_acl_updated (and not sk4-permission-update as was before) | Breaking compatibility change !!! |
| G-Suite: Extend modeled events: Modeling change in G-Suite: change_acl_editors event is now modelled as sk4-acl-updated with the new permission grantee described above | |
| G-Suite: Improve noise events handling. For example: file being shared, falsely generates file edit (secondary) event in addition to the (primary) ACL update event | |
| Box: New events modeling: application created, disable/enable two-factor, file locked/unlocked | |
|
Fixes |
|
| Office 365 connector: Fix in the Microsoft API failures handling | |
| Office 365 connector: Fix Exchange endpoints Spam, Malware and DLP policy endpoints. | Only relevant for customers with fresh install of SkyFormation version 2.2.17 and configured the Exchange endpoints |
| Office 365 connector: Fix parsing of Role assign/ un-assign events due to API changes | No changes in the resulted SkyFormation unified events delivered |
| Azure connector: Fix in NSG flow logs | |
| Azure connector: Azure Log Analytics: Optimize raw events size | |
| Azure connector: Fix wrong timestamp parsing in iaas-events endpoint | |
| Sales Cloud connector: handle timeout during get SObject count query | |
| Okta connector: Fix missing source IP in some event scenarios | |
| Platform: Fix bug in endpoint activate and deactivate | |
| Platform: Fix bug: Handling large sized origin/raw events with truncating | SkyFormation events exceeding 12kb |
| Platform: Fix bug: Handling large sized events with truncating | SkyFormation events exceeding 16kb |
Version: 2.2.17
|
Enhancements / New Features |
||
|
Support proxy with Basic authentication |
||
|
Events Modeling |
||
| New modeling: G-Suite - Make a spreadsheet copy | ||
| New modeling: G-Suite - Remove/Add member from/to group | ||
| New modeling: G-Suite - Authorize/Remove API client access | ||
|
Fixes |
||
| Office 365: Fix parsing error with exchange DLP events | ||
| Fix critical regression bug introduced in 2.2.14 in task management | ||
Version: 2.2.14
| Enhancement/Fix | Summary | Notes |
|---|---|---|
|
Enhancements / New Features |
||
|
Improving the platform task management performance |
||
|
Events Modeling |
||
| New modeling: DropBox - Reset password to all users | ||
| New modeling: DropBox - Download file via shared link | ||
| New modeling: DropBox - Showcase change in sharing policy, change in download policy | ||
| New modeling: DropBox - File request change policy | ||
| New modeling: DropBox - Group user management change policy | ||
| New modeling: DropBox - Enable/Disable Google Identity Service | ||
| New modeling: DropBox - Team activity create report | ||
| New modeling: DropBox - Paper admin export start | ||
| New modeling: DropBox - Export members report | ||
| New modeling: DropBox - Smart synch create admin privilege report | ||
| New modeling: DropBox - Showcase - add remove members, CRUD operations | ||
| Fix modeling: Office 365 - Login failure from the management AD endpoint | ||
Version: 2.2.12
| Enhancement/Fix | Summary | Notes |
|---|---|---|
|
Events Modeling |
||
| New modeling: Salesforce add/remove IP restriction from profile | ||
|
Bug Fixes |
||
| Box connector: Handling pagination in data retrieval process | ||
| AWS connector: Fix issue with SQS URL setting param introduced in 2.2.10 | SQS Url connector configuration setting was a mandatory parameter, although is only optional. Without it the connector initialization failed | |
| Azure connector: Handle user deleted username w/ prefix of guid | ||
|
General Notes & Changes |
||
| Default historic sync when on-boarding a connector is now 24 hours (was 7 days) | ||
| Office365 connector - Microsoft have remove the exchange report UrlTrace API hence the connector correlated endpoint is no longer available | ||
Version: 2.2.10
| Enhancement/Fix | Summary | Notes |
|---|---|---|
| New cloud connector - Add Dropbox for Business cloud connector | ||
| New data protection capability - Add file public exposure indication to file CRUD events | New detection mechanism will add to file CRUD events a new indication if the file is publicly exposed or not (supported in AWS S3 in current version). | |
| New DLP integration - Add new integration to the SkyFormation DLP Extender with Google DLP API | Customers with DLP Extender license could now integrate SkyFormation DLP Extender to a Google DLP API account and have their files uploaded to their SkyFormation cloud connectors inspected for DLP violations (supported in Egnyte, Box, ServiceNow, Sales Cloud connectors in current version) | |
| New AWS connector audit source - Add new audit source of S3 data events (e.g. file viewed, deleted, uploaded etc) using SQS | ||
| S3 connector (aka Custom connector) - Add option to whitelist/blacklist windows events by type | ||
| Azure connector - Improve performance of NSG Flow Logs, OMS | ||
| Azure connector - Improve detection of Flow Logs endpoints | ||
| Azure connector - Update API calls used for enrichment align with Microsoft API changes | ||
| Office 365 connector - Break oAuth login process into two steps of redirect phase and login success/failure | ||
| Fix bug introduced in version 2.2.7 of missing raw data (aka cs6) in events |
Version: 2.2.7
| Enhancement/Fix | Summary | Notes |
|---|---|---|
| New SkyFormation for CrowdStrike Falcon Connector |
New cloud connector for CrowdStrike Falcon. |
To see how to install it go to: Adding CrowdStrike Falcon Connector to SkyFormation Platform |
| Google Cloud Platform connector - Fix bug in thread management (High) | ||
| Custom connector - Fix bug in handle S3 object names with special chars (Medium) |
Version: 2.2.6
| Enhancement/Fix | Summary | Notes |
|---|---|---|
| To see the Egnyte events covered in the new connector go to here | To see how to install it go to: Adding Egnyte Connector to SkyFormation Platform |
|
|
Support Webhook in |
Adding to the SkyFormation for OneLogin Connector an option to work with the Webhook (in addition to the exiting supported API method) | The two different methods retrieve in some cases different data dimension for the same event. Consult SkyFormation support for more information and to help you deploy the new method if needed |
| Fix the SkyFormation for Office 365 identity protection endpoints | Change the way the connector communicate with the endpoints to support the new Microsoft Office 365 endpoints API | Update to make your SkyFormation for Office 365 work with the Identity protection end points |
| Bug fixed of sending audit event correctly in cs6 if modeling fails | ||
| Support new syslog JSON message format | An option to send the events over syslog using JSON format (in addition to the current CEF encoding). |
Version: 2.2.5
| Enhancement/Fix | Summary | Notes |
|---|---|---|
| (Fix) OneLogin connector handle users with missing email property | OneLogin - handle users with missing email property | |
| New remediation API | Adding new remediation Open API. See: SkyFormation Remediation API |
|
| (Fix) ServiceNow connector - handle application user with missing username | ||
| (Fix) Box connector test connection | ||
| New monitoring API | Adding new monitoring Open API. See: SkyFormation Monitoring API |
|
| Google G Suite connector (aka Google Apps) - Adding authentication method | Adding authentication method of service account in addition to the OAuth. see here | Could be used via Open API only if desired (no interactive OAuth needed) |
|
Box connector - Migrating to the new authentication mechanism * * Not backward compatible |
Migrating to the new recommended Box authentication mechanism. | Upgrade will move the Box connector to error state, then you will need to follow the instruction here to make it work again. |
| (Fix) Office 365 - Workaround for Microsoft API bug | Microsoft Office 365 API bug in get subscriptions is bypassed. | |
| Open API - support Json value in authentication field | ||
| (Fix) Moving the connectors initialization process to asynchronous |
Version: 2.2.4
| Enhancement/Fix | Summary | Notes |
|---|---|---|
| Office 365 connector - Fix paging handling (High) | Fix the way Office 365 connector handles paging when high volume of data retrieved from API | |
| Azure connector - Fix threads leakage (High) | Fix the mechanism handles multi threads in Azure connector | |
|
Office 365 connector - Fix API limit |
Send the customer's Office 365 tenant ID as the publisher ID to get separate API quota per customer | |
| Salesforce connector - Fix field history sync mechanism (Medium) | Fix the modeling of events coming from the field history | |
| Salesforce connector - Bypass a Salesforce API bug (High) | A Salesforce API might return empty response in some scenarios | |
| Adding connector level error | Connector that fails in initialization phase will be locked and return error | Please contact support@skyformation.com for more technical information |
| Salesforce connector - Reduce the amount of API calls (Medium) | SkyFormation Salesforce connector reduces API calls by optimizing calls for metadata | |
| Improve connector error messaging | Error message will present a simpler root cause message | |
| ServiceNow connector - Fix error handling (Low) | Fix error handling |
Version: 2.2.0
| Enhancement/Fix | Summary | Notes |
|---|---|---|
|
Fix threads management bug (High) in SkyFormation for Azure Cloud Connector. |
Handle a scenario where the Azure threads handler does not close threads. |
|
|
Fix endpoint sync report data bug (Low) in SkyFormation for Azure Cloud Connector. |
Fix an error where the Azure sync manager in some sync scenarios will returned latest sync results as empty list although exist. |
|
|
Improve the SkyFormation for Azure Cloud Connector event sync performance |
Adding more caching mechanism to the connector to allow faster event sync |
Version: 2.1.24
| Enhancement/Fix | Summary | Notes |
|---|---|---|
| Add support of Azure NSG flow logs | Add support of Azure Network Security Group (NSG) flow logs by ingesting them directly from Azure storage account in SkyFormation for Azure Cloud Connector. | Once you configure your Azure to send flow logs to any Azure storage account, your SkyFormation Azure connector will automatically detect and add it as a new disabled end-point in the running Azure connector. If you want to start ingesting the Azure flow-logs in a specific end-point go to the specific SkyFormation for Azure Cloud Connector end-points settings and start it. |
| Fix bug (High) in SkyFormation for AWS Cloud Connector cache pool management |
Fix a bug in the SkyFormation for AWS Cloud Connector where in some cases threads left in cache as idle for infinity. |
|
| Fix regression bug (Critical) of data retrieval management |
Fix a critical bug introduced in SkyFormation version 2.1.23 which causes events retrieval manager to fail ingesting events from cloud connectors. |
If you have installed SkyFormation 2.1.23 you must upgrade to 2.1.24 or above |
| Add a new key named security-group to the SkyFormation flow logs unified model |
Add a new key to the SkyFormation unified model for flow log events, named security-group. The new key will contain the security group or network security group relate to the flow log event (if exist) |
See the SkyFormation Unified Events Overview for more information |
Version: 2.1.23
| Enhancement/Fix | Summary | Notes |
|---|---|---|
| Add support of AWS GuardDuty alerts | Add support to SkyFormation for AWS Cloud Connector for the new AWS GuardDuty alerts |
To enable it you will need to add the permissions defined at our AWS connector guide first. Next you will see a new end-point in the AWS running connector dynamically being added. The new GuardDuty end-point is enabled by default. |
Version: 2.1.22
| Enhancement/Fix | Summary | Notes |
|---|---|---|
| Add support of syslog for RSA NetWitness | Add support of SkyFormation SIEM integration with RSA NetWitness |
Configure the RFC 3164 SHORT option in SIEM Integration settings |
|
Add new General Alert event to the SkyFormation Unified Events |
Add new unified event that resemble general (e.g. security) alert ingested from underlying cloud applications/services, i.e. an Azure log-analytics custom alert rule was triggered. |
Please refer to General Alert for more information |
| Add client indication of the SkyFormation App Version | Add the SkyFormation App Version indication in the SkyFormation web application. |
See Get Your SkyFormation App Version guide |
| Add new severity attribute to CEF | Add new severity attribute to the SkyFormation Header Fields general header of the SkyFormation Unified Events CEF (CEF key dvcpid). |
Version: 2.1.21
| Enhancement/Fix | Summary | Notes |
|---|---|---|
| APIs to manage brand logo and name | Allow a replacement of the SkyFormation logo and name for white-label needs using APIs of set,get,reset |
|
| Upgrade to the new Log Analytics API in SkyFormation Azure Connector | Upgrade to the new Log Analytics API | |
|
Adding Field History log collection to SkyFormation Salesforce Connector
|
SkyFormation Salesforce connector will now dynamically create new sets of end-points for each SObject with field history enabled. | The end-points added will be inactive by default and could be activated in the connector's settings |
|
Fix: Synchronization of users in all cloud connectors |
Fix of duplicated users reported | |
|
Adding docker compose to SkyFormation app |
Adding to the SkyFormation application infrastructure the docker compose module to improve the SkyFormation app self management capabilities |
Version: 2.1.19
| Enhancement/Fix | Summary | Notes |
|---|---|---|
|
Fix: Error parsing timestamp in OMS Logs Analytics Data in Azure Connector |
Timestamp parsing in some OMS Log Analytics events failed. |
Version: 2.1.18
| SKIPPED |
|---|
Version: 2.1.17
| Enhancement/Fix | Summary | Notes |
|---|---|---|
|
Support to SQS events coming from SNS in custom connector added |
Support events coming into the SQS in the custom connector from SNS (in addition to SQS events coming directly to SQS). |
Version: 2.1.16
| Enhancement/Fix | Summary | Notes | ||||||
|---|---|---|---|---|---|---|---|---|
|
Adding properties to Exchange message flow events |
Adding properties to resource-event in case of mail messages sent (e.g. Exchange message trace). |
Properties added are: message size, sender (cs1), recipient (cs2) | ||||||
|
Fix: Resync events to SIEM bug fixed |
Resync Open API didn't run |
|||||||
|
Improve the Office 365 and Azure connectors test connection |
Removing obsolete connection tests from the connectors to improve response time | |||||||
|
Adding optional query param to Delete a Tenant API |
Add an optional "force" query param with default value of "false" | |||||||
|
Open API - Add ability to activate/deactivate health reports |
Allow health reports to be activated/deactivated via Open API | Docs | ||||||
|
Allow static endpoints activate and deactivate before account initialization |
Classifying account endpoints to static and dynamic to allow, via the open API, to activate or deactivate static endpoints even before account initialization is complete | |||||||
|
New events modeled to |
|
For the planned events please look at: |
||||||
|
Pass raw user agent header to CEF |
Pass raw user agent header, if exists, to CEF |
Version: 2.1.15
| Enhancement/Fix | Summary | Notes |
|---|---|---|
|
Improving the Account Status performance |
Improve the accounts status response time |
|
|
Fix: Azure end-point showed not relevant |
Remove irrelevant end-points from Azure connector |
|
|
Improve Salesforce connector handling of API limit response |
Adding proactive test to ignore the API limit response from Salesforce connector | |
|
Fix: Accounts settings in UI not persistent in some cases |
Update account settings in persistence on any change |
Version: 2.1.14
| Enhancement/Fix | Summary | Notes | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
New events modeled to |
|
For the planned events please look at: |
||||||||||||||||||||||
|
Existing Modeled Office 365 Events Adjusted |
In order to meet the new APIs (see below the API changes description) some already modeled events have been adjusted with new API information
|
|||||||||||||||||||||||
|
Adding read only support for Open API |
Support role with read only permissions for the SkyFormation Open API. |
|||||||||||||||||||||||
|
Reduce the Office 365 Exchange reports events ingestion latency |
The latency of the Exchange Advance Threat Defense reports as Malware, Spam, Spoof and others reduced from ~24-48 hours to 10-15 minutes |
|||||||||||||||||||||||
|
Adding Content Inspected event to the SkyFormation Unified Model |
A new event added to the SkyFormation Unified Model represent content being inspected by additional security systems. | |||||||||||||||||||||||
|
Support the new Office 365 APIs replacing the deprecated /reports API |
Microsoft announced its plan to deprecate the Azure AD reports API under https://graph.windows. |
In case you are using the SkyFormation Office 365 information in the CEF cs6 key please consult SkyFormation support on compatibility issues to expect | ||||||||||||||||||||||
|
New UI indication on endpoints status and ability to start/stop each |
Each cloud connector's end-point status is now presented in details in the UI, and an ability to stop/start each end-point is supported in the UI. |
Same capabilities already supported using the SkyFormation Open API in former version | ||||||||||||||||||||||
|
Office 365 |
Adding subtypes to SkyFormation audit-event ingested from Office 365 as actors, targets |
|||||||||||||||||||||||
|
Add SIEM Open API return the SIEM connection |
When calling add SIEM connection via the open API the new SIEM connection together with its generated ID is being returned | |||||||||||||||||||||||
|
Adding "noop" processor to the customer connector |
Allow a "noop" (no process) processor to the custom connector | To ingest unknown or undefined data sources | ||||||||||||||||||||||
|
Fix: Duo processor wrong json handler |
Fix a problem with handling corrupted json processed at the Duo processor used by the custom connector | |||||||||||||||||||||||
|
Office 365 message trace enrichment with advance threats information |
When Exchange message trace event indicate malware, spam or spoof indication the connector will enrich the event with advance threat information from the Exchange ATD service | |||||||||||||||||||||||
|
Fix:Wrong old errors showed in status API |
Remove wrong error indications from the status API | |||||||||||||||||||||||
|
New open API to re-send events to a tenant's SIEM |
New Open API allows the admin to trigger events already sent to the tenant's SIEM to be re-sent | |||||||||||||||||||||||
|
Fix: When user agent header parsing fail send valid data |
When parsing user agent header fails - return client information with user agent header only | |||||||||||||||||||||||
|
Fix: OKTA events parsing resulted in anonymous |
Adding the existing suser information to the OKTA login failed and self reset password events instead of the anonymous indication |
Version: 2.1.13
| Enhancement/Fix | Summary | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
New events modeled to the SkyFormation Unified Model |
The following events were added:
|
For the planned events please look at: |
||||||||
|
Adding list of mail traffic event types |
Mail traffic event types are now: Malware, TransportRuleHits, SpamIPBlock, SpamDBEBFilter, |
|||||||||
|
Adjust exchange reports retrieval time |
Set the Exchange admin reports (Spam, Malware, DLP policy) retrieval time to 24 hours, to align with their creation time |
|||||||||
|
Fix: High CPU usage |
High CPU consumed by postgress | |||||||||
|
Fix: Open API activate and deactivate failure for endpoint |
Open API activate resulted in deactivated |
Version: 2.1.12
| Enhancement/Fix | Summary | Notes | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
New events modeled to the SkyFormation Unified Model |
The following events were added:
|
For the planned events please look at: |
||||||||||||||||||||||
|
Adding Health Report |
Adding additional information sent to the SkyFormation health service on server version, end-point level sync status and more |
|||||||||||||||||||||||
|
Add Open API for SIEM management |
Be able to create, read, update and remove SIEM configuration in SkyFormation | |||||||||||||||||||||||
|
Add Open API for Tenant Management |
Be able to create, read, update and remove SIEM configuration in SkyFormation | |||||||||||||||||||||||
|
Fix: Event report-anomalous-signin modeling |
Fix the modeling problem in the event | |||||||||||||||||||||||
|
Fix: Events synced but do not sent to SIEM |
In high volume deployments (over 20K events waiting to be send to SIEM) some events were not sent to the SIEM. |
Version: 2.1.11
| Enhancement/Fix | Summary | Notes |
|---|---|---|
|
Fix: Some API calls not working (Severity: High) |
Some API calls not working due to incorrect way of configuration settings persistence |
Version: 2.1.10
| Enhancement/Fix | Summary | Notes |
|---|---|---|
|
Fix: Events synced but not sent to SIEM (Severity: High) |
In high EPS deployments (mostly when IaaS connectors involved) some synced events would not be sent to SIEM. |
Version: 2.1.9
| Enhancement/Fix | Summary | Notes |
|---|---|---|
|
Improvement in the AWS connector API throttling mechanism |
Improving the API throttling mechanism used by the AWS connectors |
Version: 2.1.8
| Enhancement/Fix | Summary | Notes |
|---|---|---|
|
Adding integration identifier to Duo Security connector |
Adding integration identifier to the Duo Security connector |
Version: 2.1.7
| Enhancement/Fix | Summary | Notes |
|---|---|---|
|
Add clean/suspicious/infected as an action CEF value |
Adding to the CEF model the file infection level as returned from the malware/content inspection system when using the Malware Extender module. The dimension is added to the malware alert unified event | |
|
Fix: Race condition bug fix in event sync (Severity: Medium) |
Fix a race condition scenario when events are synced with the same millisecond value and are handled by different threads | |
|
Improve performance of syslog sending |
Improvement in syslog send task achieved by caching the SIEM definition | |
|
Fix: Event loss in Office 365/Azure connectors when connection is lost (Severity: High) |
Re-attempting mechanism fix in Office 365 and Azure connectors when sync is failing due to connectivity issues | |
|
Add configurable header to OKTA connector |
Attach to OKTA API calls header to identify SkyFormation platform | Allow partnership optimization with OKTA |
Version: 2.1.6
| Enhancement/Fix | Summary | Notes |
|---|---|---|
|
Fix: OKTA and SNOW connectors encryption property handling (Severity: Medium) |
Fix handling of authn property value to encrypted rather than clear text in Okta and SNOW |
Version: 2.1.5
| Enhancement/Fix | Summary | Notes |
|---|---|---|
|
Fix: CPU utilization bug (Severity: High) |
CPU utilization reach 100% in some scenarios |
looks like related to data eviction calls |
|
New Malware alert event |
Introducing new event for Malware detected as part of the new Malware extension module |
|
|
New Malware Extender module |
Introduce new module called "Malware Extender" that integrates with sandbox/content inspection systems and extend their coverage on cloud scenarios |
Support McAfee ATD at release |
Version: 2.1.4
| Enhancement/Fix | Summary | Notes |
|---|---|---|
| Open API for accounts |
Adding SkyFormation Open API to manage cloud connectors (aka accounts), get their running and health status and more. Please see: |
|
|
Bug fix (Severity: High) |
AWS Cloud Connector CloudTrail events wrongly processed because of incorrect ARN process |
Few events were incorrectly processed |
|
Bug fix |
On TCP connection dropped with SIEM, events were missing. A fix to the retry mechanism implemented. |
App will retry 10 consecutive tries to send existing event and if all fail will drop the task, which will be later picked again by tha pp for processing. |
Version: 2.1.3
| Enhancement/Fix | Summary | Notes |
|---|---|---|
|
New event OKTA events modeling |
The following OKTA events were modeled: Successful Okta Verify Push factor attempt, Successful Google Authenticator factor attempt, User Locked Out, Successful Okta Verify factor attempt, Rich client authentication failed, User logged in to the Admin app,User provisioned to app, User deprovisioned from app, Session created for user using API token, User updated their Okta password, User failed to update their okta password, User added to group All Employees by admin, Self-service password reset attempt denied, Read only admin privileges granted, Okta User profile updated, Okta user has been activated, Failed Google Authenticator factor attempt, Failed Okta Verify factor attempt,User removed from group All Employees by admin, Implicitly revoked tokens for client, API Token created, API Token created for client application Okta Mobile Client, App configuration updated |
|
|
Adding "Suspend User" and "Unsuspend User" support to Office 365 Remediation |
Office 365 cloud connector support now additional actions of "suspend user" and "unsuspend user" in the SkyFormation Remediation API |
Comments
0 comments
Article is closed for comments.