Oracle CASB Cloud Service (hereafter referred to as CASB) quickly gives you visibility into security of your cloud applications and services to help ensure that your critical data is secure. CASB provides these capabilities by frequently pulling in audit log information from various supported cloud services, analyzing them, running machine learning algorithms on them and generating risk events. Customers’ SOC could view and analyze these risk events to take appropriate corrective action.
CASB classifies the risks that it detects into one of these categories:
You can find more information on each type of risk events created by CASB here.
Customers could view and analyze the risk events in CASB console. Some customers instead prefer to consolidate such events in a central SIEM system so that their SOC has to refer to only one system instead of multiple independent systems. Such customers could choose to export out these risk events to third party SIEM systems.
There are a couple of ways that customers can export risk events from CASB to upload into a SIEM system of their choice.
If the target SIEM system provides capabilities to import data in CSV format, customers can manually export events out of CASB console to a CSV file. Obviously, this is not a scalable approach and is useful only for ad hoc purposes. First let me show you how to perform this manual export and then I will describe at a high level, how to build an automated and scalable solution.
On the Risk Events UI page use the various attributes to select the desired data and click search. Once you have the results from this search operation, click the “Export to CSV” button as shown in the following screen capture:
Please note that in case the number of records to be exported exceed 1000, the export runs as a job and you can download the file once the job completes. Detailed steps for doing a CSV export are documented here.
With that out of our way, lets move on to how to build an automated solution. CASB provides a REST API that could be used to export events out of CASB. It is fairly straightforward to build an automated solution that could be used to periodically extract the risk events out of CASB and load them into a SIEM system. In the remainder of this blog post, I will describe the steps for building such a solution at a high level. This outline is language/platform agnostic. Customers could use anyone of the popular languages/frameworks to build this solution.
Let’s start by looking at the API exposed by CASB to extract the risk events. This API is called “Get all risk events” (API end point - "/api/v1/events/riskevents") and is documented here.
Following are the salient features of this API:
Please refer to the official documentation link above for detailed information. It has some examples of requests, responses, commonly useful filters as well as a sample code snippet to illustrate the pagination feature.
Before you could call this API, you need to obtain a valid API access token from CASB. Following is a sequence of high level steps needed: Detailed steps are documented here.
Now that we know how to get a CASB access token for making an API call and various features of “Get all risk events” API like – filtering and pagination, lets’ look at a solution design for building an automated solution (an agent, if you will) to periodically extract the risk events from CASB and import them into a SIEM solution. Because a picture is worth thousand words, following is a design schematic of this solution:
Following are high-level details of this solution design:
CASB Attribute Name | LEEF Field Name |
---|---|
appName | CloudApplication |
id | EventID |
priority | sev |
actor | usrName |
category | EventCategory |
createdon | devTime |
appinstance | CloudApplicationInstance |
audience | TargetUserAudience |
title | EventSummary |
And following is a sample mapping from CASB format to CEF format:
CASB Attribute Name | CEF Field Name |
---|---|
appName | CloudApplication |
id | EventID |
priority | sev |
actor | suser |
category | cat |
createdon | devTime |
appinstance | CloudApplicationInstance |
audience | TargetUserAudience |
title | EventSummary |
Hopefully this provides a good starting point and some direction for designing your CASB-SIEM integration solutions.
Previous Post
Next Post