What is a SkyFormation event's "Properties Bag"
The event's "Properties Bag" is a new section added to each SkyFormation Unified Event. It includes all key-value pairs of the raw/origin event (encoded in SkyFormation cs6), where each pair is automatically parsed and mapped into a dedicated name:value pair in the final encoded event.
All JSON value types, including arrays and objects, are supported by the "Properties Bag".
Values of the "Properties Bag"
We have added the "Properties Bag" so that you can:
- Add monitors quicker for events not yet in the SkyFormation unified event
- Add ad-hoc monitors using origin keys not included in the SkyFormation unified event
*** Please see below the recommended way of using the "Properties Bag" safely
The key name normalization method
SkyFormation will use a normalization method that transforms the origin key name into a name more compatible with the leading SIEM/Log systems.
The normalization method will:
- Flatten nested elements, using underscore instead of dot-notation, and underscore instead of array delimiters
- Replace any non-alphanumeric character with underscore
- Add ext_ as a prefix to the key name
An example of a "Properties Bag"
Original cs6 (origin event)
{
  "a": 1,
  "b": 3.43,
  "c": "i'm a string",
  "e": {
    "e1": "i'm a nested item",
    "e2": {
      "e21": "i'm a nested 2 levels deep"
    }
  },
  "f": ["string in array",
    {
      "f0": "object w/ property in array"
    },
    ["str in nested string"]
  ]
}
The "Properties Bag" created from the cs6
(spaces between the different key pairs are for brevity only)
ext_a=1 ext_b=3.43 ext_c=i'm a string ext_e_e1=i'm a nested item
ext_e_e2_e21=i'm a nested 2 levels deep ext_f_1__f0=object w/ property in array ext_f_0_=string in array ext_f_2__0_=str in nested string
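The three normalization rules above can be reproduced in a few lines. The following is an added example, not SkyFormation's own code. It assumes "alphanumeric" means ASCII letters and digits, and it also reports origin keys that collapse to the same normalized name, which is a consequence of the rules that matters when a monitor depends on such a key. The function names and the last-value-wins behaviour are assumptions of this sketch.

```python
import json
import re

# Constructed sample: the origin event rebuilt from the page's example keys and values.
SAMPLE_EVENT = json.loads("""
{"a": 1, "b": 3.43, "c": "i'm a string",
 "e": {"e1": "i'm a nested item", "e2": {"e21": "i'm a nested 2 levels deep"}},
 "f": ["string in array", {"f0": "object w/ property in array"},
       ["str in nested string"]]}
""")


def flatten(value, path=""):
    """Yield (path, scalar) pairs: dot notation for objects, [i] for arrays."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from flatten(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from flatten(child, f"{path}[{index}]")
    else:
        yield path, value


def normalize_key(path):
    """Replace every non-alphanumeric character with '_' and prefix 'ext_'."""
    return "ext_" + re.sub(r"[^A-Za-z0-9]", "_", path)


def properties_bag(raw_event):
    """Return (bag, collisions); collisions maps a normalized key to its origin paths."""
    bag, origins = {}, {}
    for path, value in flatten(raw_event):
        key = normalize_key(path)
        origins.setdefault(key, []).append(path)
        bag[key] = value  # assumption: last value wins; product behaviour is not documented here
    collisions = {k: p for k, p in origins.items() if len(p) > 1}
    return bag, collisions


if __name__ == "__main__":
    bag, collisions = properties_bag(SAMPLE_EVENT)
    print(" ".join(f"{k}={v}" for k, v in bag.items()))
    # Two distinct origin keys that normalize to the same name (constructed input).
    print(properties_bag({"user-id": 1, "user id": 2})[1])
```

A non-empty collision map means a query on that ext_ key cannot tell the origin keys apart, so the monitor should be anchored on another field.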
Recommended use of the "Properties Bag"
The purpose of the SkyFormation Unified Event is to allow cross-service monitors and detection rules.
As a rule of thumb, SkyFormation recommends basing monitors/detection rules only on its modeled events (the SkyFormation Unified Event beside the audit-event) and their mapped keys.
Monitors or detection rules should be implemented directly on values from the "Properties Bag" only when a cloud-service-specific monitor/rule is needed and the SkyFormation Unified Event does not already map the key to a unified key.
If you encounter an important key in a "Properties Bag" that you would like to use for a monitor or detection rule, we highly recommend emailing firstname.lastname@example.org the name of the property you will use, together with the original raw event.
SkyFormation will evaluate the ability and value of adding the key to its SkyFormation Unified Event, which would allow a more stable event base for the monitor.
The Cons of basing a monitor directly on a "Properties Bag" key/s
- Any property name change made by the cloud provider will break the monitor
- Large "Properties Bag" objects might be truncated by some SIEM systems
- No cross-service value is possible
Future compatibility note and flexString1
If a customer bases a monitor on keys from the "Properties Bag" in a SkyFormation audit event, we might at some point transform the event into one of our SkyFormation Unified Events. In that scenario we will keep the "Properties Bag" but will change the CEF event name and add additional keys according to the event type. If the monitor query is based on the origin event name mapped to the SkyFormation flexString1 CEF field, the monitor will most likely not be impacted. We therefore recommend using flexString1 as the main monitor query and not other keys.
For more information on the new "Properties Bag", how it works, and more, please consult the SkyFormation technical support team at email@example.com