Skyformation

Overview

Use the SkyFormation integration to execute remediation actions on cloud applications when threats are detected by the SIEM and to activate SkyFormation automated remediation responses from a playbook using the cloud connector.

This integration works for SkyFormation v2.2 and later. It was integrated and tested with SkyFormation v2.2.6.

Limitations
  • Not all actions are supported, only the commands listed under Use Cases.
  • SkyFormation 2.2.10 works with the following cloud applications:
    • Egnyte
    • DropBox
    • Azure
    • Office 365
    • Salesforce
    • ServiceNow

Use Cases

  • Get configured accounts
  • Suspend a user
  • Reactivate a user

Field Examples

A SIEM detects a potential "account compromised" in a cloud app (example: Office 365). The alert triggered is fetched by Demisto, which identifies the alert name and executes the playbook to suspend the Office 365 user until an incident check is performed.

A SIEM detects that a user who has left the company is still using a cloud app (example: Salesforce). The alert triggered is fetched by Demisto, which identifies the alert name and executes the playbook to suspend the Salesforce user until an incident check is performed.


Prerequisites

Verify the following:

  1. Make sure that your SkyFormation application is running and that events are sent to your selected SIEM.
  2. Obtain a SkyFormation API key. By default, the API is disabled.
    • Contact the SkyFormation administrator for username and password credentials, specifically for a user with API access.
    • Follow the instructions for SkyFormation API Authentication.
  3. Users that should be configured, and the permissions required for those users: as explained in step 2.

Configure SkyFormation on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for SkyFormation.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance
    • Server URL (example: https://35.158.26.15:8443)
    • Credentials and Password: the username and password must belong to a SkyFormation user with API access. See Prerequisites.
  4. Click Test to validate the URLs and connection.

Commands


Get configured accounts

Returns all the configured accounts in SkyFormation.

Basic Command

skyformation-get-accounts

Input

There is no input for this command.

Context Output
Path                                 Description
Skyformation.Account                 Account object
Skyformation.Account.Name            Account name
Skyformation.Account.Application     Application name (example: Office 365, Sales Cloud)
Skyformation.Account.Id              Account ID
Skyformation.Account.TenantName      Tenant name
Skyformation.Account.TenantId        Tenant ID

Command Example

!skyformation-get-accounts

Sample Execution
{
   "Skyformation": {
      "Account": [
         {
            "Application": "Office 365",
            "Id": "62ffd05b-2b45-47a9-955a-80030ef08382",
            "Name": "demisto",
            "TenantId": "default-tenant-id",
            "TenantName": "default-tenant"
         },
         {
            "Application": "Sales Cloud",
            "Id": "e217f098-6fb3-4da1-a399-76210b27513c",
            "Name": "SK4-Salesforce",
            "TenantId": "default-tenant-id",
            "TenantName": "default-tenant"
         }
      ]
   }
}
Raw Output
[  
   {  
      "application":"Office 365",
      "authn-data":{  
         "fields":[  
            {  
               "name":"client-id",
               "value":"5bd90c0a-a75e-483d-a573-d685f50f4716"
            },
            {  
               "name":"tenant-id",
               "value":"ebac1a16-81bf-449b-8d43-5732c3c1d999"
            },
            {  
               "name":"client-secret",
               "value":"minified-authn-value"
            }
         ],
         "type":"OAUTH2"
      },
      "description":"demisto",
      "id":"62ffd05b-2b45-47a9-955a-80030ef08382",
      "name":"demisto",
      "tenant":{  
         "id":"default-tenant-id",
         "name":"default-tenant"
      }
   },
   {  
      "application":"Sales Cloud",
      "authn-data":{  
         "fields":[  
            {  
               "name":"security-token",
               "value":"some-token"
            },
            {  
               "name":"username",
               "value":"testuser@demisto.com"
            },
            {  
               "name":"password",
               "value":"some-password"
            },
            {  
               "name":"authentication-endpoint",
               "value":"https://login.salesforce.com/services/Soap/u/38.0"
            }
         ],
         "type":"BASIC"
      },
      "description":null,
      "id":"e217f098-6fb3-4da1-a399-76210b27513c",
      "name":"SK4-Salesforce",
      "tenant":{  
         "id":"default-tenant-id",
         "name":"default-tenant"
      }
   }
]

Suspend a user

The command will suspend the user in the configured application.

Basic Command

skyformation-suspend-user

Input
Parameter    Description/Notes
accountId    Account ID. You can get the account ID by executing skyformation-get-accounts.
userEmail    Email address of the user you want to suspend

Command example

!skyformation-suspend-user accountId=62ffd05b-2b45-47a9-955a-80030ef08382 userEmail=testuser@demisto.com
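To tie the Get configured accounts output to the Suspend a user command, here is an added example (not part of the integration's own code) that maps the raw account list shown above to the documented Skyformation.Account context fields, looks up the account ID for a given cloud application, and builds the suspend command from the use case on this page. The sample data is a constructed copy of the raw output above; the mapping deliberately drops the authn-data block so client secrets and passwords never land in the incident context.

```python
# Constructed sample: trimmed copy of the skyformation-get-accounts raw output
# shown on this page, including the authn-data block that must not be copied.
RAW_ACCOUNTS = [
    {"application": "Office 365",
     "authn-data": {"type": "OAUTH2",
                    "fields": [{"name": "client-id", "value": "5bd90c0a-a75e-483d-a573-d685f50f4716"},
                               {"name": "client-secret", "value": "minified-authn-value"}]},
     "description": "demisto",
     "id": "62ffd05b-2b45-47a9-955a-80030ef08382",
     "name": "demisto",
     "tenant": {"id": "default-tenant-id", "name": "default-tenant"}},
    {"application": "Sales Cloud",
     "authn-data": {"type": "BASIC",
                    "fields": [{"name": "username", "value": "testuser@demisto.com"},
                               {"name": "password", "value": "some-password"}]},
     "description": None,
     "id": "e217f098-6fb3-4da1-a399-76210b27513c",
     "name": "SK4-Salesforce",
     "tenant": {"id": "default-tenant-id", "name": "default-tenant"}},
]


def to_context(raw_accounts):
    """Map raw accounts to Skyformation.Account entries.

    Only the documented fields are copied. authn-data (client secrets,
    passwords, tokens) is left out on purpose so it is never written to
    the incident context or the war room."""
    return [{"Id": acc["id"],
             "Name": acc["name"],
             "Application": acc["application"],
             "TenantId": acc["tenant"]["id"],
             "TenantName": acc["tenant"]["name"]} for acc in raw_accounts]


def find_account_id(context_accounts, application):
    """Return the account ID for a cloud application, or None if none is
    configured. More than one match is an error: suspending the user in
    the wrong account would be a silent playbook failure."""
    matches = [a["Id"] for a in context_accounts
               if a["Application"].lower() == application.lower()]
    if len(matches) > 1:
        raise ValueError(f"ambiguous application {application!r}: {matches}")
    return matches[0] if matches else None


def suspend_command(context_accounts, application, user_email):
    """Build the war-room command used in the use cases on this page."""
    account_id = find_account_id(context_accounts, application)
    if account_id is None:
        raise LookupError(f"no SkyFormation account configured for {application!r}")
    return f"!skyformation-suspend-user accountId={account_id} userEmail={user_email}"
```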


Reactivate a user

The command will reactivate the user in the configured application.

Basic Command

skyformation-unsuspend-user

Input
Parameter    Description/Notes
accountId    Account ID. You can get the account ID by executing skyformation-get-accounts.
userEmail    Email address of the user you want to reactivate

Command Example

!skyformation-unsuspend-user accountId=62ffd05b-2b45-47a9-955a-80030ef08382 userEmail=testuser@demisto.com


Troubleshooting

You might receive this error message if you try to suspend or reactivate a user who does not exist in the account.