CloudLock Cloud Security Fabric
The JSA DSM for CloudLock Cloud Security Fabric collects events from the CloudLock Cloud Security Fabric service.
The following table describes the specifications for the CloudLock Cloud Security Fabric DSM:
Table 1: CloudLock Cloud Security Fabric DSM Specifications
Specification | Value |
---|---|
Manufacturer | CloudLock |
DSM name | CloudLock Cloud Security Fabric |
RPM file name | |
Supported versions | NA |
Protocol | Syslog |
Event format | Log Event Extended Format (LEEF) |
Recorded event types | Incidents |
Automatically discovered? | Yes |
Includes identity? | No |
Includes custom properties? | No |
More information | Cloud Cybersecurity (https://www.cloudlock.com/products/) |
To integrate CloudLock Cloud Security Fabric with JSA, complete the following steps:
1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console in the order that they are listed:
   - DSMCommon RPM
   - CloudLock Cloud Security Fabric DSM RPM
2. Configure your CloudLock Cloud Security Fabric service to send Syslog events to JSA.
3. If JSA does not automatically detect the log source, add a CloudLock Cloud Security Fabric log source on the JSA Console. The following table describes the parameters that require specific values for CloudLock Cloud Security Fabric event collection:
Table 2: CloudLock Cloud Security Fabric Log Source Parameters
Parameter | Value |
---|---|
Log Source type | CloudLock Cloud Security Fabric |
Protocol Configuration | Syslog |
The following table provides a sample event message for the CloudLock Cloud Security Fabric DSM:
Table 3: CloudLock Cloud Security Fabric Sample Message Supported by the CloudLock Cloud Security Fabric Service
Event name | Low level category | Sample log message |
---|---|---|
New Incident | Suspicious Activity | LEEF:1.0|Cloudlock|API|v2|Incidents|match_count=2 sev=1 entity_id=ebR4q6DxvA entity_origin_type=document group=None url=https://drive.google.com/a/cloudlockplus.com/file/d/0B3FwRBjOyR6wS0M1VUdaLWxQODg/view?usp=drivesdk CloudLockID=NOpzejQ3v2 updated_at=2016-01-20T15:42:15.128356+0000 entity_owner_email=admin@cloudlockplus.com cat=NEW entity_origin_id=0B3FwRBjOyR6wS0M1VUdaLWxQODg entity_mime_type=text/plain devTime=2016-01-20T15:42:14.913178+0000 policy=Custom Regex resource=confidential.txt usrName=Admin Admin realm=google policy_id=EW9zMXxNBY devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ |
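
The sample event in Table 3 can be checked with a small LEEF 1.0 parser before the log source is relied on for detection. This is an added example, not JSA or CloudLock code: `parse_leef`, `dev_time` and the shortened `SAMPLE` are hypothetical names, and it assumes attributes are tab-delimited on the wire, with a fallback for the space-flattened form shown in the table.

```python
import re
from datetime import datetime

# Constructed: Table 3's sample, shortened. LEEF 1.0 separates attributes with
# tabs on the wire; the table rendering shows them as spaces.
SAMPLE = (
    "LEEF:1.0|Cloudlock|API|v2|Incidents|match_count=2 sev=1 "
    "url=https://drive.google.com/a/cloudlockplus.com/file/d/"
    "0B3FwRBjOyR6wS0M1VUdaLWxQODg/view?usp=drivesdk cat=NEW "
    "devTime=2016-01-20T15:42:14.913178+0000 policy=Custom Regex "
    "resource=confidential.txt usrName=Admin Admin realm=google "
    "devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ"
)
HEADER_FIELDS = ("leef_version", "vendor", "product", "version", "event_id")
# A key starts the payload or follows whitespace, so "?usp=" in a URL is not one.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z_]\w*)=")

def parse_leef(line):
    """Split a LEEF 1.0 record into (header dict, attribute dict)."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    parts = line[len("LEEF:"):].split("|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF 1.0 header needs five pipe-delimited fields")
    header = dict(zip(HEADER_FIELDS, (p.strip() for p in parts[:5])))
    payload, attrs = parts[5].strip(), {}
    if "\t" in payload:
        # Wire format: tab-delimited, so values may contain spaces and "=".
        for pair in payload.split("\t"):
            key, sep, value = pair.partition("=")
            if sep:
                attrs[key.strip()] = value.strip()
    else:
        # Flattened rendering: a value runs until the next " key=" token.
        # A value that itself contains " word=" would be split here.
        matches = list(KEY_RE.finditer(payload))
        for m, nxt in zip(matches, matches[1:] + [None]):
            end = nxt.start() if nxt else len(payload)
            attrs[m.group(1)] = payload[m.end():end].strip()
    return header, attrs

def dev_time(attrs):
    """Parse devTime, accepting only the devTimeFormat the sample declares."""
    if attrs.get("devTimeFormat") != "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ":
        raise ValueError("unexpected devTimeFormat")
    return datetime.strptime(attrs["devTime"], "%Y-%m-%dT%H:%M:%S.%f%z")
```

Values such as `policy=Custom Regex` and `usrName=Admin Admin` contain spaces, which is why a naive whitespace split truncates these fields.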