Skip to content

McAfee Skyhigh Cloud Access Security Broker

Skyhigh CASB

About

Skyhigh CASB provides unmatched data protection, device-based controls, and inline threat protection for all cloud applications using multi-mode cloud solution— all from a single platform. Skyhigh Security was purchased by McAfree in 2017.

Product Details

Vendor URL: Skyhigh CASB

Product Type: Monitoring

Product Tier: Tier III

Integration Method: Custom

Integration URL: N/A

Parser Details

Log Format: Syslog

Expected Normalization Rate: near 90%

Data Label: MCAFEE_SKYHIGH_CASB

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Event Classification
column2 principal.user.userid
column3 target.asset.ip
column7 target.url
column8 target.url
column12 metadata.collected_timestamp
column13 network.application_protocol
column14 security_result.category_details
column19 network.http.response_code
column20 target.asset.ip
column26 principal.application
column27 principal.ip
column28 principal.port
column29 security_result.associations.country_code
column38 target.asset.ip
column39 target.asset.ip

Product Event Types

Event UDM Event Classification
all events NETWORK_HTTP

Log Sample

<190>Jun 13 13:08:44 Logging-Client "-1","domain1\\userone","172.16.1.2","CONNECT","4997","2000","clientone.example.com","/","OBSERVED","","1686657900","2023-06-13 12:05:00","https","Business, Software/Hardware","","","Minimal Risk","","200","10.0.2.3","","","Other","","","svchost.exe","172.16.2.3","443","GB","","f","f","f","f","f","","","10.0.1.2","192.168.2.3","8080"

Sample Parsing

metadata.event_type = "NETWORK_HTTP"
principal.user.userid = "domain1\\\\userone"
principal.ip = "172.16.2.3"
principal.port = 443
principal.application = "svchost.exe"
target.asset.ip = "172.16.1.2"
target.asset.ip = "10.0.2.3"
target.asset.ip = "10.0.1.2"
target.asset.ip = "192.168.2.3"
target.url = "https://clientone.example.com/"
security_result.category_details = "Business"
security_result.category_details = " Software/Hardware"
security_result.associations.country_code = "GB"
network.ip_protocol = TCP
network.application_protocol = HTTPS
network.http.method = "GET"
network.http.response_code = 200