Sentinel Skylight
App Vendor: Sentinel Skylight
App Category: Data Enrichment and Threat Intelligence
Connector Version: 1.0.0
API Version: v1
About App
The Sentinel Skylight connector allows security teams to perform queries on log data stored in Skylight Datalake.
The Sentinel Skylight app is configured with Cyware Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Perform Power Query | This action performs a power query by piping one or more search expressions together into a set of commands to transform, manipulate, group, and summarize your data. |
Perform Query | This action performs a query on Skylight Datalake based on the provided search expressions/query filters to get matching log records. |
Configuration Parameters
The following configuration parameters are required for the Sentinel Skylight app to communicate with the Sentinel Skylight enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL to access Sentinel Skylight. | Text | Required | |
Bearer Token | Enter the bearer token to access Sentinel Skylight. | Password | Required | |
Verify | Choose whether to verify the SSL certificate while making requests. It is recommended to set this option to yes. If set to no, certificate verification is skipped, which may leave the connection incorrectly established and cause it to break. | Boolean | Optional | |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with the Sentinel Skylight app. | Integer | Optional | |
Action: Perform Power Query
This action performs a power query by piping one or more search expressions together into a set of commands to transform, manipulate, group, and summarize your data.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the power query search expression. Example: "status >= 100 status <= 599 \| group count() by status" | Text | Required | Note: for JSON requests, single quotes are invalid, and double quotes inside strings must be escaped as \". |
Start Time | Enter the start time of the query. | Text | Optional | Default value: 24 hrs. If the start time is not set and the end time is set, the query starts 24 hours before the end time. |
End Time | Enter the end time of the query. | Text | Optional | Default value: 24 hrs. If the end time is not set but the start time is set, the query ends 24 hours after the start time. |
Priority | Set the execution priority of the query. Set "low" when a delay of approximately a second is acceptable. | Text | Optional | Default value: low. Allowed values: |
Team Emails | Enter an array of account emails to query. | List | Optional | Default value: [] (empty list) |
Example Request
[ { "query": "status >= 100 status <=599 | group count() by status" } ]
Action: Perform Query
This action performs a query on Skylight Datalake based on the provided search expressions/query filters to get matching log records.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Filter | A search expression to get matching events. Example: "status >= 400 status < 500". Defaults to "". | Text | Optional | Note: for JSON requests, single quotes are invalid, and double quotes inside strings must be escaped as \". |
Start Time | Enter the start time of the query. | Text | Optional | Default value: 24 hrs. If the start time is not set and the end time is set, the query starts 24 hours before the end time. |
End Time | Enter the end time of the query. | Text | Optional | Default value: 24 hrs. If the end time is not set but the start time is set, the query ends 24 hours after the start time. |
Max Count | Enter the maximum number of events to retrieve. | Integer | Optional | Default value: 100. Allowed range: 1-5000 |
Page Mode | Retrieves the oldest or newest Max Count events. When the number of matching events exceeds Max Count, set to head to retrieve the older Max Count events, and tail to retrieve the newer Max Count events. | Text | Optional | Default value: |
Columns | Enter a comma-delimited list of fields to retrieve for each log message. | Text | Optional | Default value: "" (all fields) |
Priority | Set the execution priority of the query. Set "low" when a delay of approximately a second is acceptable. | Text | Optional | Default value: low. Allowed values: |
Team Emails | Pass an array of account emails to query. | List | Optional | Default value: [] (empty list) |
Example Request
[ {} ]
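The following is an added example, not code from the Sentinel Skylight app or from Cyware Orchestrate. It builds the request lists for both actions above (Perform Power Query and Perform Query) and applies the rules the parameter tables state: the 24-hour Start Time/End Time defaults, the Max Count range of 1-5000 with default 100, the head/tail Page Mode values, and the note that double quotes inside query strings must be escaped for JSON (json.dumps does that escaping). ISO-8601 time strings, the helper names, and every field name other than "query" are assumptions made for this example; the sample filter with the "path" field is constructed input.

```python
"""Build action inputs for the two Sentinel Skylight actions documented above.

Added example (not part of the app): it encodes only the defaults and ranges
stated in the parameter tables. Field names other than "query", the function
names and the ISO-8601 time format are assumptions made for this example.
"""
import json
from datetime import datetime, timedelta, timezone

MAX_COUNT_DEFAULT = 100          # documented default for Max Count
MAX_COUNT_RANGE = (1, 5000)      # documented allowed range for Max Count
PAGE_MODES = ("head", "tail")    # documented Page Mode values
DEFAULT_WINDOW = timedelta(hours=24)


def resolve_window(start=None, end=None, now=None):
    """Apply the documented 24-hour defaults to Start Time / End Time.

    Times are ISO-8601 strings (an assumption; the tables only say "Text").
    Returns (start, end) as ISO-8601 strings with the missing side filled in.
    """
    now = now or datetime.now(timezone.utc)
    s = datetime.fromisoformat(start) if start else None
    e = datetime.fromisoformat(end) if end else None
    if s is None and e is None:      # neither set: the last 24 hours
        e, s = now, now - DEFAULT_WINDOW
    elif s is None:                  # only end set: start 24 h before it
        s = e - DEFAULT_WINDOW
    elif e is None:                  # only start set: end 24 h after it
        e = s + DEFAULT_WINDOW
    if s >= e:
        raise ValueError("start time must be earlier than end time")
    return s.isoformat(), e.isoformat()


def build_power_query(query, start=None, end=None, priority="low", team_emails=None):
    """Request list for Perform Power Query; Query is the only required field."""
    if not query or not query.strip():
        raise ValueError("query is required")
    body = {"query": query, "priority": priority, "team_emails": list(team_emails or [])}
    if start or end:
        body["start_time"], body["end_time"] = resolve_window(start, end)
    return [body]


def build_query(query_filter="", start=None, end=None, max_count=MAX_COUNT_DEFAULT,
                page_mode=None, columns="", priority="low", team_emails=None):
    """Request list for Perform Query. Max Count and Page Mode are checked here
    so an out-of-range value is rejected locally instead of by the API."""
    lo, hi = MAX_COUNT_RANGE
    if not isinstance(max_count, int) or not lo <= max_count <= hi:
        raise ValueError(f"max_count must be an integer in {lo}-{hi}, got {max_count!r}")
    if page_mode is not None and page_mode not in PAGE_MODES:
        raise ValueError(f"page_mode must be one of {PAGE_MODES}, got {page_mode!r}")
    # Priority: only "low" is documented above, so no allowed-value check is made.
    body = {
        "filter": query_filter,          # "" means no filter, per the table
        "max_count": max_count,
        "columns": columns,              # "" means all fields, per the table
        "priority": priority,
        "team_emails": list(team_emails or []),
    }
    if page_mode:
        body["page_mode"] = page_mode
    if start or end:
        body["start_time"], body["end_time"] = resolve_window(start, end)
    return [body]


def to_json(payload):
    """Serialise with json.dumps so embedded double quotes become \\" automatically,
    which is the escaping the Note in the tables requires."""
    return json.dumps(payload)


if __name__ == "__main__":
    print(to_json(build_power_query("status >= 100 status <= 599 | group count() by status")))
    # Constructed sample filter; "path" is not a field documented on this page.
    print(to_json(build_query('status >= 400 status < 500 path == "/login"',
                              max_count=500, page_mode="tail",
                              end="2024-01-02T00:00:00+00:00")))
```

Building the payload with json.dumps rather than by string concatenation is what makes the escaping note in the tables a non-issue: any double quote inside the query text is emitted as \" and single quotes are never produced.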