If you're having trouble at any stage please contact us at firstname.lastname@example.org.
The goal of this guide is to add a new SkyFormation for Symantec WSS connector to your SkyFormation Platform.
To add the Symantec connector to your SkyFormation app, you will need to have the following Symantec WSS account's information at hand:
- User API key (user and password)
To create a User API key please follow the steps detailed at the following Symantec "Near Real-Time Log Sync Solution Brief" guide:
Look for the section called: "Create a User API Key"
Steps to onboard the connector to SkyFormation app
1. Logon to your SkyFormation Platform:
2. Navigate via left navigation panel to "Settings" section
3. Navigate via New Settings left navigation panel to "Accounts" section
4. Click the "Add Account" bottom
5. At the "SELECT SERVICE TO ADD" choose "Symantec WSS". You will see the following screen:
6. Fill in the following information:
- Account Name
Give the Symantec WSS connector a meaningful name for you.
This will become your cloud app connector name displayed in the application and the
events sent to external systems as SIEM/Log management. This is a mandatory field.
e.g. "Corporate Secure Web Gateway"
Add a text that describes the Symantec WSS service account for you.
This is an optional field.
The user name obtained in the prerequisite section
The password obtained in the prerequisite section
Choose what event types to pull
We have divided the event types coming from Symantec WSS logs into 3 types for filtering. The types are:
- Informational events- connection events which passed successfully without any issue.
- Connection Failure events - connection attempts which were reset, failed or rejected by Symantec
- Security related events - the following events fall under this category:
- The URL that the connection was attempted to was classified by Symantec as "threat risk"
- The host that the connection was attempted to did not have the expected certificate
- Symantec has identified that the client environment has risk per the compliance policy.
- Symantec has identified DLP in the connection
- Symantec has identified malware in the connection
- The connection was denied for compliance reasons.
NOTE: Informational events + Connection failure events cover the 100% of the events (they include the security related events). If you want to cover 100% of the events choose "yes" for these 2 types. Only if you are interested in a smaller subset of the events which are security related per the definition above choose "no" for Informational and Connection failure, and "yes" only for Security related events.
At this point you can click on "TEST CONNECTION" to make sure the connection is set up successfully, or just click on "DONE".
Start the connector and make sure that the status becomes "OK" after a few seconds.