Skyhigh

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Skyhigh | ✅ | ✅ | | | skyhigh_webgateway_alerts | Key Value | S3 |


Overview

Skyhigh Secure Web Gateway is a web security product that protects your network against web threats. These threats arise when users working on-prem within your network access the web, for example when they browse sites or download files.

Integrating Skyhigh SWG with Hunters ingests the supported data types into your data lake, where they can be used for a range of detection use cases.

Supported data types

Skyhigh SWG Logs

Table name: skyhigh_webgateway_alerts

Skyhigh Secure Web Gateway (SWG) Logs offer a comprehensive view into an organization's web traffic and security posture, providing detailed records of user activities, threat detections, and policy enforcement actions. These logs are instrumental for tracking and analyzing web access, identifying and responding to web-based threats, and ensuring compliance with data protection policies.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of Skyhigh logs via an intermediary AWS S3 bucket.

To connect Skyhigh logs:

  1. Follow this guide to collect the logs from your on-prem appliances.

  2. Ship the logs to an AWS S3 bucket.

  3. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in Key Value format.

time_stamp="[17/Jan/2024:01:00:03 +0100]" auth_user="Ab_user" src_ip="123.10.210.12" server_ip="101.200.01.102" host="abc.example.com" url_port="80" status_code="304" bytes_from_client="123" bytes_to_client="233" categories="Software/Hardware" rep_level="Minimal Risk" method="GET" url="http://abc.example.com/download/update/v3/static/test/en/sample.cab?122456789" media_type="" application_name="" user_agent="Microsoft-testAPI/10.0" block_res="0" block_reason="" virus_name="" hash="" filename="sample.cab" filesize="0"
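The line above is the shape the ingestion expects: space-separated key="value" pairs, with the time stamp in square brackets and empty fields written as "". The following parser is an added example, not code from Hunters or Skyhigh; it tokenises a line of that format into a dict, coerces the numeric fields, and turns the time stamp into a timezone-aware datetime. The sample line is constructed here with the same layout as the page's example (placeholder IPs and hostnames), and the reading of block_res (zero meaning the request was not blocked) is an assumption about the field's semantics.

```python
import re
from datetime import datetime
from typing import Any, Dict

# Constructed sample line with the same field layout as the page's example.
# IPs and hostnames are placeholders, not real infrastructure.
SAMPLE_LINE = (
    'time_stamp="[17/Jan/2024:01:00:03 +0100]" auth_user="Ab_user" '
    'src_ip="123.10.210.12" server_ip="101.200.01.102" host="abc.example.com" '
    'url_port="80" status_code="304" bytes_from_client="123" bytes_to_client="233" '
    'categories="Software/Hardware" rep_level="Minimal Risk" method="GET" '
    'url="http://abc.example.com/download/update/v3/static/test/en/sample.cab?122456789" '
    'media_type="" application_name="" user_agent="Microsoft-testAPI/10.0" '
    'block_res="0" block_reason="" virus_name="" hash="" filename="sample.cab" filesize="0"'
)

# One key="value" pair. Values are taken up to the next double quote; the
# assumption is that Skyhigh does not embed literal quotes inside a value.
_PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# Fields coerced to int when present and non-empty.
_INT_FIELDS = {
    "url_port", "status_code", "bytes_from_client", "bytes_to_client",
    "block_res", "filesize",
}

# Apache-style time stamp as written inside the square brackets.
_TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_kv_line(line: str) -> Dict[str, Any]:
    """Parse one Skyhigh SWG key-value log line into a dict.

    Empty values are kept as "" so downstream logic can distinguish an absent
    field from an empty one. Integer fields are coerced and time_stamp becomes
    a timezone-aware datetime.
    """
    pairs = _PAIR_RE.findall(line)
    if not pairs:
        raise ValueError('no key="value" pairs found in line')
    record: Dict[str, Any] = {}
    for key, value in pairs:
        if key in _INT_FIELDS and value != "":
            record[key] = int(value)
        else:
            record[key] = value
    ts = record.get("time_stamp", "")
    if ts:
        record["time_stamp"] = datetime.strptime(ts.strip("[]"), _TS_FORMAT)
    return record


def is_blocked(record: Dict[str, Any]) -> bool:
    """Whether the gateway recorded a block for this request.

    Assumption: a non-zero block_res means the request was blocked, and in
    that case block_reason carries the policy text.
    """
    return bool(record.get("block_res"))


if __name__ == "__main__":
    rec = parse_kv_line(SAMPLE_LINE)
    for k, v in rec.items():
        print(f"{k}: {v!r}")
    print("blocked:", is_blocked(rec))
```

Keeping empty strings rather than dropping the field lets a downstream rule tell "virus_name was reported as empty" apart from "this log source never emits virus_name", which matters when a detection keys on a field being populated.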