If you're having trouble at any stage please contact us at support@skyformation.com.
Preface
SkyFormation uses its own unified security event model. When SkyFormation sends its ingested audit events to the organization's SIEM/SOC system, it encodes them in the standard CEF (Common Event Format).
For McAfee ESM to parse the SkyFormation CEF events automatically, the events must go through an additional mapping step in McAfee ESM, in which each SkyFormation event is parsed and mapped onto a known McAfee ESM event. Because McAfee ESM supports only a limited number of event dimensions/objects per event, a mapped event carries only a subset of the fields present in the original SkyFormation event.
McAfee ESM customers can review the mapping implemented in the attached parser and customize it in their own McAfee ESM instance, choosing which SkyFormation objects to carry over when the default selection does not fit their needs.
To ease the process of mapping each SkyFormation security event into a well-known McAfee ESM event, SkyFormation has developed a set of custom parsing rules (the Parser), which is available below for download and use by SkyFormation customers and partners.
See: Writing Custom Parsing Rules in McAfee ESM for more details on the process.
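The two mechanics described above, CEF decoding and the lossy subset mapping into a fixed number of ESM objects, shown as an added Python example. This is not SkyFormation's parser, not McAfee's code, and not the attached XML rules. The sample record, its extension keys (suser, src, app, act, msg, cs1/cs1Label), and the McAfee ESM field names in DEFAULT_ESM_MAP are constructed for illustration only; the real field layout is in the mapping spreadsheet attached to this article. The parser deliberately exercises the two escape rules that home-grown CEF readers most often get wrong: `\|` inside a header field and `\=` inside an extension value.

```python
import re

# Added example, not SkyFormation's parser. CEF layout per the ArcSight CEF spec:
#   CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Extension = space-separated key=value pairs. Values may contain spaces, so a value
# ends only where the next "<space>key=" begins or the line ends. Inside a value,
# '=' and '\' are escaped as '\=' and '\\'; '\n' and '\r' are literal line breaks.
_EXT_RE = re.compile(r"([^\s=\\]+)=((?:\\.|[^\\])*?)(?=\s+[^\s=\\]+=|\s*$)", re.DOTALL)
_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value, flags=re.DOTALL)


def _split_header(line):
    """Split the seven '|'-delimited header fields, honouring '\\|' and '\\\\' escapes."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped '|' or '\' inside a header field
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("malformed CEF header: expected 7 '|'-delimited fields")
    return fields, line[i:]   # remainder after the 7th '|' is the extension


def parse_cef(line):
    """Parse one CEF record into header fields plus an 'extension' dict."""
    line = line.rstrip("\r\n")
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    header, ext_text = _split_header(line[len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, header))
    sev = event["severity"]
    event["severity"] = int(sev) if sev.isdigit() else sev   # CEF allows 0-10 or Low/Medium/High
    event["extension"] = {k: _unescape(v) for k, v in _EXT_RE.findall(ext_text)}
    return event


# Hypothetical ESM-side objects -> CEF extension keys. Mirrors the release note that maps
# "Application Event Name" onto the ESM "Event Class" object; the other names are assumed.
DEFAULT_ESM_MAP = {
    "Event Class": "cs1",
    "Source User": "suser",
    "Source IP": "src",
    "Application": "app",
    "Message": "msg",
}


def map_to_esm(event, field_map=DEFAULT_ESM_MAP):
    """Build the reduced record an ESM with a fixed set of objects would keep.

    Returns (record, dropped): 'dropped' lists the extension keys the mapping discards,
    which is exactly what a customer reviewing or customizing the mapping needs to see.
    """
    ext = event["extension"]
    record = {"Signature ID": event["signature_id"], "Severity": event["severity"]}
    for esm_field, cef_key in field_map.items():
        if cef_key in ext:
            record[esm_field] = ext[cef_key]
    used = set(field_map.values())
    dropped = sorted(k for k in ext if k not in used)
    return record, dropped


# Constructed sample record (not a real SkyFormation event); raw string keeps the escapes literal.
SAMPLE_LINE = (
    r"CEF:0|SkyFormation|SkyFormation|1.0|sk4-sso-access-initiated|"
    r"SSO access (IdP\|SP) initiated|3|"
    r"suser=alice@example.com src=203.0.113.7 app=Okta act=user.session.start "
    r"msg=Login via SSO\=SAML cs1Label=Application Event Name cs1=user.session.start"
)

if __name__ == "__main__":
    ev = parse_cef(SAMPLE_LINE)
    rec, dropped = map_to_esm(ev)
    print("parsed:", ev)
    print("esm record:", rec)
    print("dropped by mapping:", dropped)
```

Running it shows `act` and `cs1Label` discarded by the default mapping; swapping a key in `DEFAULT_ESM_MAP` is the programmatic equivalent of the customization the preface describes, and the `dropped` list is the check to run before relying on an ESM correlation rule that needs a field the mapping never carried over.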
Import Parser Steps
(1) Review the SkyFormation custom parser release notes below for the latest parser available for download.
(2) If the latest parser version fits your needs, download the custom parser (attached XML file) and import it into your SIEM according to your McAfee ESM instructions.
Done
Understand The Custom Parser Mapping
To see the SkyFormation-to-McAfee ESM mapping table for each parser version, download the attached spreadsheet and open the worksheet for the relevant SkyFormation event.
Parser Release notes
Parser version 1025
Enhancement/Fix | Summary |
---|---|
Adding origin action name | Adds to all events a shared object called "Application Event Name", mapped to the McAfee ESM "Event Class" object, which carries the event/action name as found in the cloud application's original audit event |
Adding sk4-metric-alert event | Adds to the parser the event raised from metrics, such as Azure metrics |
Adding sk4-no-traffic event | Adds the event that indicates no log traffic has flowed for a period of time |
Adding the missing "new value" to sk4-resource-property-updated | Adds the object so that IaaS events carrying network security group information can be used to detect scenarios based on NSG changes |
Parser version 1026
Enhancement/Fix | Summary |
---|---|
Adding sk4-sso-access-initiated event | Event added to the parser. |