Skyformation (Deprecated)
This Integration is part of the Skyformation (Deprecated) Pack.
Overview
Deprecated. Vendor has declared end of life for this integration. No available replacement.
Limitations
- Not all actions are supported, only the commands listed in the Use Cases.
- SkyFormation 2.2.10 works with the following cloud applications:
  - Egnyte
  - DropBox
  - Azure
  - Office 365
  - Salesforce
  - ServiceNow
Use Cases
- Get configured accounts
- Suspend a user
- Reactivate a user
Field Examples
A SIEM detects a potential "account compromised" event in a cloud app (example: Office 365). Cortex XSOAR fetches the triggered alert, identifies the alert name, and executes the playbook to suspend the Office 365 user until an incident check is performed.
A SIEM detects that a user who has left the company is still using a cloud app (example: Salesforce). Cortex XSOAR fetches the triggered alert, identifies the alert name, and executes the playbook to suspend the Salesforce user until an incident check is performed.
Prerequisites
Verify the following:
- Make sure that your SkyFormation application is running and events are sent to your selected SIEM.
- Obtain a Skyformation API Key. By default, API is disabled.
  - Contact the SkyFormation administrator for user-password-credentials, specifically for a user with API access.
  - Follow the instructions for SkyFormation API Authentication.
- Query/users that should be configured (+ required permissions for that user): As explained above
Configure SkyFormation on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for SkyFormation.
- Click Add instance to create and configure a new integration instance.
  - Name: a textual name for the integration instance
  - Server URL (example: https://35.158.26.15:8443)
  - Credentials and Password: Username and password must be of a Skyformation user with API access. See Prerequisites.
- Click Test to validate the URLs and connection.
Commands
- Get configured accounts: skyformation-get-accounts
- Suspend a user: skyformation-suspend-user
- Reactivate a user: skyformation-unsuspend-user
Get configured accounts
Returns all the configured accounts in SkyFormation.
Basic Command
skyformation-get-accounts
Input
There is no input for this command.
Context Output
Path | Description |
Skyformation.Account | Account object |
Skyformation.Account.Name | Account name |
Skyformation.Account.Application | Application name (example: Office 365, Sales Cloud) |
Skyformation.Account.Id | Account ID |
Skyformation.Account.TenantName | Tenant name |
Skyformation.Account.TenantId | Tenant ID |
Command Example
!skyformation-get-accounts
Sample Execution
"Skyformation": {
  "Account": [
    {
      "Application": "Office 365",
      "Id": "62ffd05b-2b45-47a9-955a-80030ef08382",
      "Name": "demisto",
      "TenantId": "default-tenant-id",
      "TenantName": "default-tenant"
    },
    {
      "Application": "Sales Cloud",
      "Id": "e217f098-6fb3-4da1-a399-76210b27513c",
      "Name": "SK4-Salesforce",
      "TenantId": "default-tenant-id",
      "TenantName": "default-tenant"
    }
  ]
}
Raw Output
[
  {
    "application": "Office 365",
    "authn-data": {
      "fields": [
        { "name": "client-id", "value": "5bd90c0a-a75e-483d-a573-d685f50f4716" },
        { "name": "tenant-id", "value": "ebac1a16-81bf-449b-8d43-5732c3c1d999" },
        { "name": "client-secret", "value": "minified-authn-value" }
      ],
      "type": "OAUTH2"
    },
    "description": "demisto",
    "id": "62ffd05b-2b45-47a9-955a-80030ef08382",
    "name": "demisto",
    "tenant": { "id": "default-tenant-id", "name": "default-tenant" }
  },
  {
    "application": "Sales Cloud",
    "authn-data": {
      "fields": [
        { "name": "security-token", "value": "some-token" },
        { "name": "username", "value": "testuser@demisto.com" },
        { "name": "password", "value": "some-password" },
        { "name": "authentication-endpoint", "value": "https://login.salesforce.com/services/Soap/u/38.0" }
      ],
      "type": "BASIC"
    },
    "description": null,
    "id": "e217f098-6fb3-4da1-a399-76210b27513c",
    "name": "SK4-Salesforce",
    "tenant": { "id": "default-tenant-id", "name": "default-tenant" }
  }
]
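The Raw Output sample carries each account's authn-data fields (client secret, security token, password), while the Context Output table lists only name, application, ID and tenant. The following is an added example, not the integration's own code: it maps the raw shape to the context shape by allowlist, produces a masked copy of the raw response for logging, and looks up the accountId for an application. The function names are hypothetical and the sample is trimmed from this page's Raw Output.

```python
import copy
import json

# Sample trimmed from this page's Raw Output (the page's placeholder values).
RAW_ACCOUNTS = json.loads("""
[{"application": "Office 365", "id": "62ffd05b-2b45-47a9-955a-80030ef08382",
  "name": "demisto", "tenant": {"id": "default-tenant-id", "name": "default-tenant"},
  "authn-data": {"type": "OAUTH2", "fields": [
      {"name": "client-secret", "value": "minified-authn-value"}]}},
 {"application": "Sales Cloud", "id": "e217f098-6fb3-4da1-a399-76210b27513c",
  "name": "SK4-Salesforce", "tenant": {"id": "default-tenant-id", "name": "default-tenant"},
  "authn-data": {"type": "BASIC", "fields": [
      {"name": "username", "value": "testuser@demisto.com"},
      {"name": "password", "value": "some-password"}]}}]
""")


def to_context(raw_accounts):
    """Allowlist mapping: copy only the fields in the Context Output table."""
    accounts = []
    for acc in raw_accounts:
        tenant = acc.get("tenant") or {}
        accounts.append({
            "Application": acc.get("application"), "Id": acc.get("id"),
            "Name": acc.get("name"),
            "TenantId": tenant.get("id"), "TenantName": tenant.get("name"),
        })
    return {"Skyformation": {"Account": accounts}}


def redact_authn(raw_accounts, mask="<redacted>"):
    """Return a copy with every authn-data field value masked (names and type kept)."""
    redacted = copy.deepcopy(raw_accounts)
    for acc in redacted:
        for field in (acc.get("authn-data") or {}).get("fields") or []:
            field["value"] = mask
    return redacted


def account_ids_for(context, application):
    """Account IDs for one application, e.g. to fill accountId when suspending."""
    return [a["Id"] for a in context["Skyformation"]["Account"]
            if a["Application"] == application]


if __name__ == "__main__":
    print(json.dumps(redact_authn(RAW_ACCOUNTS), indent=2))
    print(account_ids_for(to_context(RAW_ACCOUNTS), "Office 365"))
```

Masking every authn-data value, rather than matching on field names, avoids having to guess which fields a given application treats as secret.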
Suspend a user
The command will suspend the user in the configured application.
Basic Command
skyformation-suspend-user
Input
Parameter | Description/Notes |
accountId | Account ID. You can get the account ID by executing skyformation-get-accounts. |
userEmail | Email address of the user you want to suspend |
Command Example
!skyformation-suspend-user accountId=62ffd05b-2b45-47a9-955a-80030ef08382 userEmail=testuser@demisto.com
Reactivate a user
The command will reactivate the user in the configured application.
Basic Command
skyformation-unsuspend-user
Input
Parameter | Description/Notes |
accountId | Account ID, available by executing the skyformation-get-accounts command |
userEmail | Email of the user you want to reactivate |
Command Example
!skyformation-unsuspend-user accountId=62ffd05b-2b45-47a9-955a-80030ef08382 userEmail=testuser@demisto.com
Troubleshooting
You might receive this error message if you try to suspend or reactivate a user who does not exist in the account.