McAfee Skyhigh Cloud Access Security Broker
About
Skyhigh CASB provides data protection, device-based controls, and inline threat protection for all cloud applications using a multi-mode cloud solution, all from a single platform. Skyhigh Security was purchased by McAfee in 2017.
Product Details
Vendor URL: Skyhigh CASB
Product Type: Monitoring
Product Tier: Tier III
Integration Method: Custom
Integration URL: N/A
Parser Details
Log Format: Syslog
Expected Normalization Rate: near 90%
Data Label: MCAFEE_SKYHIGH_CASB
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Event Classification |
|---|---|
| column2 | principal.user.userid |
| column3 | target.asset.ip |
| column7 | target.url |
| column8 | target.url |
| column12 | metadata.collected_timestamp |
| column13 | network.application_protocol |
| column14 | security_result.category_details |
| column19 | network.http.response_code |
| column20 | target.asset.ip |
| column26 | principal.application |
| column27 | principal.ip |
| column28 | principal.port |
| column29 | security_result.associations.country_code |
| column38 | target.asset.ip |
| column39 | target.asset.ip |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| all events | NETWORK_HTTP |
Log Sample
<190>Jun 13 13:08:44 Logging-Client "-1","domain1\\userone","172.16.1.2","CONNECT","4997","2000","clientone.example.com","/","OBSERVED","","1686657900","2023-06-13 12:05:00","https","Business, Software/Hardware","","","Minimal Risk","","200","10.0.2.3","","","Other","","","svchost.exe","172.16.2.3","443","GB","","f","f","f","f","f","","","10.0.1.2","192.168.2.3","8080"
Sample Parsing
metadata.event_type = "NETWORK_HTTP"
principal.user.userid = "domain1\\\\userone"
principal.ip = "172.16.2.3"
principal.port = 443
principal.application = "svchost.exe"
target.asset.ip = "172.16.1.2"
target.asset.ip = "10.0.2.3"
target.asset.ip = "10.0.1.2"
target.asset.ip = "192.168.2.3"
target.url = "https://clientone.example.com/"
security_result.category_details = "Business"
security_result.category_details = " Software/Hardware"
security_result.associations.country_code = "GB"
network.ip_protocol = TCP
network.application_protocol = HTTPS
network.http.method = "GET"
network.http.response_code = 200
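The following is an added reference implementation of the column-to-UDM mapping in the table above, run over the Log Sample so that its output can be checked against the Sample Parsing section. It is not the product's parser and not code from this page's source project: the syslog header regex, the `csv`-based body split, the IP validation and the epoch/wall-clock cross-check are assumptions made here. The page maps no column to `network.http.method` yet shows `GET`, so the example sets it as a constant, and it reproduces the documented split of column14 on `,` (leading space retained on the second item).

```python
import csv
import ipaddress
import re
from datetime import datetime, timezone

# Constructed input: the syslog line shown under "Log Sample" on this page.
SAMPLE = (
    r'<190>Jun 13 13:08:44 Logging-Client "-1","domain1\\userone","172.16.1.2",'
    r'"CONNECT","4997","2000","clientone.example.com","/","OBSERVED","","1686657900",'
    r'"2023-06-13 12:05:00","https","Business, Software/Hardware","","","Minimal Risk",'
    r'"","200","10.0.2.3","","","Other","","","svchost.exe","172.16.2.3","443","GB","",'
    r'"f","f","f","f","f","","","10.0.1.2","192.168.2.3","8080"'
)

# Assumed RFC 3164-style header: <PRI>, timestamp, hostname, then the CSV body.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<body>.*)$"
)

# 1-based column number -> UDM field, copied from the mapping table on this page.
COLUMN_MAP = {
    2: "principal.user.userid",
    3: "target.asset.ip",
    12: "metadata.collected_timestamp",
    13: "network.application_protocol",
    14: "security_result.category_details",
    19: "network.http.response_code",
    20: "target.asset.ip",
    26: "principal.application",
    27: "principal.ip",
    28: "principal.port",
    29: "security_result.associations.country_code",
    38: "target.asset.ip",
    39: "target.asset.ip",
}
IP_FIELDS = {"target.asset.ip", "principal.ip"}
INT_FIELDS = {"network.http.response_code", "principal.port"}


def split_line(line):
    """Return (header dict, list of CSV columns) or None if the line is malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # Body is CSV with every field double-quoted; commas inside quotes are data.
    # Backslashes are ordinary characters here, so column2 keeps both of them.
    return m.groupdict(), next(csv.reader([m.group("body")]))


def normalize(line):
    """Map one Skyhigh CASB syslog line onto the UDM fields documented above."""
    parsed = split_line(line)
    if parsed is None:
        return None
    _, cols = parsed

    def col(n):  # 1-based lookup that tolerates short rows
        return cols[n - 1] if n - 1 < len(cols) else ""

    udm = {"metadata.event_type": "NETWORK_HTTP", "network.ip_protocol": "TCP"}
    for number, field in COLUMN_MAP.items():
        value = col(number)
        if value == "":
            continue  # empty columns produce no UDM field
        if field in IP_FIELDS:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                continue  # drop values that are not IP literals
        if field == "target.asset.ip":
            udm.setdefault(field, []).append(value)  # repeated field, in column order
        elif field == "security_result.category_details":
            udm[field] = value.split(",")  # documented output keeps the leading space
        elif field == "network.application_protocol":
            udm[field] = value.upper()
        elif field in INT_FIELDS and value.isdigit():
            udm[field] = int(value)
        elif field == "metadata.collected_timestamp":
            ts = datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            udm[field] = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
        else:
            udm[field] = value

    # target.url is assembled from scheme (column13), host (column7) and path (column8).
    if col(7):
        udm["target.url"] = f"{col(13) or 'http'}://{col(7)}{col(8)}"
    udm["network.http.method"] = "GET"  # assumed constant; no column is mapped to it
    return udm


def epoch_matches_timestamp(line):
    """Cross-check: column11 (epoch seconds) should equal column12 read as UTC."""
    parsed = split_line(line)
    if parsed is None or len(parsed[1]) < 12:
        return False
    cols = parsed[1]
    wall = datetime.strptime(cols[11], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return cols[10].isdigit() and int(wall.timestamp()) == int(cols[10])


if __name__ == "__main__":
    for key, val in sorted(normalize(SAMPLE).items()):
        print(f"{key} = {val!r}")
    print("epoch/wall-clock consistent:", epoch_matches_timestamp(SAMPLE))
```

Running the block prints the same field set as the Sample Parsing section; the `principal.user.userid` value holds two literal backslashes, which the documented output displays escaped as four. The epoch cross-check passes on the sample, which is a cheap way to catch a feed whose wall-clock column is not in UTC before timestamps are trusted in detections.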