McAfee Skyhigh Cloud Access Security Broker¶

About¶
Skyhigh CASB is a multi-mode cloud access security broker (API-based and inline proxy deployment) that provides data protection, device-based access controls, and inline threat protection for cloud applications from a single platform. The product originated at Skyhigh Networks, which McAfee acquired in early 2018 (announced in November 2017); it is now sold under the Skyhigh Security name.
Product Details¶
Vendor URL: Skyhigh CASB
Product Type: Monitoring
Product Tier: Tier III
Integration Method: Custom
Integration URL: N/A
Parser Details¶
Log Format: Syslog (BSD-style header followed by a quoted, comma-separated payload; fields are referenced below by their 1-based column position)
Expected Normalization Rate: near 90%
Data Label: MCAFEE_SKYHIGH_CASB
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| column2 | principal.user.userid |
| column3 | target.asset.ip |
| column7 | target.url |
| column8 | target.url |
| column12 | metadata.collected_timestamp |
| column13 | network.application_protocol |
| column14 | security_result.category_details |
| column19 | network.http.response_code |
| column20 | target.asset.ip |
| column26 | principal.application |
| column27 | principal.ip |
| column28 | principal.port |
| column29 | security_result.associations.country_code |
| column38 | target.asset.ip |
| column39 | target.asset.ip |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| all events | NETWORK_HTTP |
Log Sample¶
<190>Jun 13 13:08:44 Logging-Client "-1","domain1\\userone","172.16.1.2","CONNECT","4997","2000","clientone.example.com","/","OBSERVED","","1686657900","2023-06-13 12:05:00","https","Business, Software/Hardware","","","Minimal Risk","","200","10.0.2.3","","","Other","","","svchost.exe","172.16.2.3","443","GB","","f","f","f","f","f","","","10.0.1.2","192.168.2.3","8080"
Sample Parsing¶
metadata.event_type = "NETWORK_HTTP"
principal.user.userid = "domain1\\\\userone"
principal.ip = "172.16.2.3"
principal.port = 443
principal.application = "svchost.exe"
target.asset.ip = "172.16.1.2"
target.asset.ip = "10.0.2.3"
target.asset.ip = "10.0.1.2"
target.asset.ip = "192.168.2.3"
target.url = "https://clientone.example.com/"
security_result.category_details = "Business"
security_result.category_details = " Software/Hardware"
security_result.associations.country_code = "GB"
network.ip_protocol = TCP
network.application_protocol = HTTPS
network.http.method = "GET"
network.http.response_code = 200

Note: security_result.category_details keeps the space that follows the comma in column14 (" Software/Hardware"), so detection rules that match on category must trim the value or use a regex rather than an exact string compare. network.ip_protocol and network.http.method are not derived from any column in the mapping table; column4 holds "CONNECT" in the sample while the output shows "GET", so do not rely on network.http.method reflecting the proxy method recorded in the log.
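The following Python is an added example, not the vendor's or the SIEM's own parser code. It applies the column-to-UDM mapping table above to the Log Sample and returns a flat dictionary keyed by UDM field name, so the mapping can be checked offline against the Sample Parsing section. It assumes the payload is RFC-4180-style quoted CSV (backslashes are literal) and that column12 is UTC, which the sample supports because it equals the epoch value in column11; it deliberately trims the category list, which is one place it differs from the page's sample output. The function and variable names are the example's own.

```python
"""Reference normalizer for the Skyhigh CASB syslog/CSV format on this page.

Added example, not the vendor's or the SIEM's parser: applies the page's
column-to-UDM mapping to a log line and returns UDM-style key/value pairs.
"""
import csv
import io
import ipaddress
import re
from datetime import datetime, timezone

# The Log Sample from this page, embedded verbatim as test input.
SAMPLE = (
    '<190>Jun 13 13:08:44 Logging-Client "-1","domain1\\\\userone","172.16.1.2",'
    '"CONNECT","4997","2000","clientone.example.com","/","OBSERVED","","1686657900",'
    '"2023-06-13 12:05:00","https","Business, Software/Hardware","","","Minimal Risk",'
    '"","200","10.0.2.3","","","Other","","","svchost.exe","172.16.2.3","443","GB","",'
    '"f","f","f","f","f","","","10.0.1.2","192.168.2.3","8080"'
)

# BSD-style syslog header: <PRI>, month/day/time, logging host, then the message.
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<msg>.*)$"
)


def split_syslog(line):
    """Separate the syslog wrapper from the CSV payload.

    Returns (header, columns). Columns are indexed from 1 so that columns[2]
    is the table's 'column2'; index 0 is a placeholder.
    """
    m = SYSLOG_HEADER.match(line.strip())
    if not m:
        raise ValueError("not a syslog line with a <PRI> header")
    pri = int(m.group("pri"))
    header = {
        "facility": pri >> 3,   # <190> -> facility 23 (local7)
        "severity": pri & 7,    # <190> -> severity 6 (info)
        "timestamp": m.group("ts"),
        "host": m.group("host"),
    }
    # Quoted CSV; the csv module treats backslashes as literal characters.
    columns = next(csv.reader(io.StringIO(m.group("msg"))))
    return header, [None] + columns


def _ips(*values):
    """Keep only non-empty, syntactically valid IP addresses, in table order."""
    out = []
    for v in values:
        try:
            out.append(str(ipaddress.ip_address(v)))
        except ValueError:
            continue
    return out


def to_udm(line):
    """Map one log line to the UDM fields listed in the parser table."""
    _, col = split_syslog(line)
    if len(col) - 1 < 39:
        raise ValueError(f"expected at least 39 columns, got {len(col) - 1}")

    # column12 is a wall-clock string; read as UTC it matches the epoch in
    # column11 for the sample, so UTC is assumed and cross-checked here.
    collected = datetime.strptime(col[12], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    if col[11] and int(col[11]) != int(collected.timestamp()):
        raise ValueError("column11 epoch and column12 timestamp disagree")

    scheme = col[13].lower()
    return {
        "metadata.event_type": "NETWORK_HTTP",          # every event on this page
        "metadata.collected_timestamp": collected.isoformat(),
        "principal.user.userid": col[2],
        "principal.application": col[26],
        "principal.ip": col[27],
        "principal.port": int(col[28]),
        # Four columns all land in target.asset.ip; kept as a list, table order.
        "target.asset.ip": _ips(col[3], col[20], col[38], col[39]),
        # target.url is assembled from scheme (column13), host (column7), path (column8).
        "target.url": f"{scheme}://{col[7]}{col[8]}",
        # column14 is comma-separated; strip the space after each comma
        # (the page's sample output keeps it, which breaks exact-match rules).
        "security_result.category_details": [c.strip() for c in col[14].split(",") if c.strip()],
        "security_result.associations.country_code": col[29],
        "network.application_protocol": scheme.upper(),
        "network.http.response_code": int(col[19]),
    }


if __name__ == "__main__":
    for key, value in to_udm(SAMPLE).items():
        print(f"{key} = {value!r}")
```

Run it as-is to print the normalized sample; feed it other lines from the same source to confirm they carry at least 39 columns before trusting the "near 90%" normalization figure. The epoch cross-check is there because the two timestamp columns are the only redundancy in the record; a disagreement is the earliest sign that the feed's column order or timezone has changed.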