Blue Prism
About
Robotic process automation that combines your human and digital workforces.
Product Details
Vendor URL: Vendor website
Product Type: Automation
Product Tier: Tier III
Integration Method: Syslog
Integration URL: CYDERES Documentation
Log Guide: Not Available
Requirements
Blue Prism security logs are extracted from its management database. The database owner must create a custom program that queries the database and sends the resulting logs through a syslog forwarder to CYDERES.
Parser Details
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: BLUE_PRISM
UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| comments | additional.fields (queueID) |
| comments | additional.fields (itemID) |
| comments | security_result.description |
| comments | target.user.user_display_name |
| eventdatetime | metadata.event_timestamp |
| eventid | metadata.product_event_type |
| gSrcUserID | principal.user.userid |
| gTgtProcID | target.process.pid |
| gTgtResourceID | target.asset.product_object_id |
| gTgtUserID | target.user.userid |
| sCode | additional.fields (sCode) |
| sNarrative | extensions.auth.auth_details |
| sNarrative | metadata.event_type |
| sNarrative | principal.user.email_addresses |
| sNarrative | security_result.action |
| sNarrative | security_result.summary |
| sNarrative | target.hostname |
| sNarrative | target.resource.name |
| sNarrative | target.resource.type |
| sNarrative | target.user.userid |
| "AUTHTYPE_UNSPECIFIED" | extensions.auth.type |
| "Blue Prism" | metadata.vendor_name |
| "Blue Prism" | metadata.product_name |
| "NOT_ALERTING" | security_result.alert_state |
Product Event Types

| type | UDM Event Classification | alerting enabled |
|---|---|---|
| login | USER_LOGIN | FALSE |
| logout | USER_LOGOUT | FALSE |
| other | GENERIC_EVENT | FALSE |
Log Sample
{"eventdatetime":1655677874973,"eventid":1439,"sCode":"L001","sNarrative":"User 'john.doe@domain.com' logged into resource 'Hostname1' using Active Directory.","gSrcUserID":"09117546-E3C9-4ABB-8D35-1431C03A05AC","gTgtUserID":"F9EA4B07-E0CA-4943-B5B9-84AE97903EC7","gTgtProcID":"D3A10B3B-EB66-4637-B281-873C83707AC0","gTgtResourceID":"<redacted resource id guid>","comments":null,"EditSummary":null,"oldXML":null,"newXML":null}
Sample Parsing
metadata.event_timestamp = "2022-06-21T15:37:35Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "Blue Prism"
metadata.product_name = "Blue Prism"
metadata.product_event_type = "1509"
metadata.ingested_timestamp = "2022-06-21T15:50:25.410930Z"
additional.s_code = "L001"
principal.user.userid = "26382243-29A5-4D74-BEFF-76946BB821AB"
principal.user.email_addresses = "john.doe@domain.com"
target.hostname = "Hostname1"
target.asset_id = "12345678901234567890"
target.asset.product_object_id = "8EB7C49A-CD89-4133-97C0-ACEE56E66CF2"
target.asset.hostname = "Hostname1"
target.asset.asset_id = "12345678901234567890"
security_result.summary = "User 'john.doe@domain.com' logged into resource 'Hostname1' using Active Directory."
security_result.action = "ALLOW"
security_result.alert_state = "NOT_ALERTING"
extensions.auth.auth_details = "Active Directory"
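The field mapping above, worked as an added Python example (not CYDERES parser code): it converts the sample log line into the listed UDM fields, classifying the event as login, logout or other and pulling the email, hostname and auth details out of sNarrative. The narrative regexes are assumptions, since the page does not publish the parser's own patterns, and the logout sample is constructed.

```python
import json
import re
from datetime import datetime, timezone

# Narrative regexes are assumed for this example; the page does not publish the parser's own.
LOGIN_RE = re.compile(
    r"User '(?P<email>[^']+)' logged into resource '(?P<host>[^']+)'"
    r"(?: using (?P<auth>.+?))?\.$"
)
LOGOUT_RE = re.compile(
    r"User '(?P<email>[^']+)' logged out of resource '(?P<host>[^']+)'\.$"
)
# SAMPLE_LOGIN is the page's sample event (trimmed); SAMPLE_LOGOUT is constructed.
SAMPLE_LOGIN = json.dumps({"eventdatetime": 1655677874973, "eventid": 1439, "sCode": "L001",
    "sNarrative": "User 'john.doe@domain.com' logged into resource 'Hostname1' using Active Directory.",
    "gSrcUserID": "09117546-E3C9-4ABB-8D35-1431C03A05AC", "comments": None})
SAMPLE_LOGOUT = json.dumps({"eventdatetime": 1655677874973, "eventid": 1440, "sCode": "L002",
    "sNarrative": "User 'john.doe@domain.com' logged out of resource 'Hostname1'."})


def to_udm(raw: str) -> dict:
    """Map one Blue Prism JSON event to the UDM fields listed on this page."""
    ev = json.loads(raw)
    narrative = ev.get("sNarrative") or ""
    # eventdatetime is epoch milliseconds; UDM takes an RFC 3339 UTC timestamp.
    ts = datetime.fromtimestamp(ev["eventdatetime"] / 1000, tz=timezone.utc)
    udm = {
        "metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "metadata.product_event_type": str(ev["eventid"]),
        "metadata.event_type": "GENERIC_EVENT",  # "other" until classified below
        "metadata.vendor_name": "Blue Prism",
        "metadata.product_name": "Blue Prism",
        "principal.user.userid": ev.get("gSrcUserID"),
        "target.user.userid": ev.get("gTgtUserID"),
        "target.process.pid": ev.get("gTgtProcID"),
        "target.asset.product_object_id": ev.get("gTgtResourceID"),
        "security_result.summary": narrative,
        "security_result.alert_state": "NOT_ALERTING",
        "extensions.auth.type": "AUTHTYPE_UNSPECIFIED",
        "additional.fields": {"sCode": ev.get("sCode")},
    }
    for pattern, event_type in ((LOGIN_RE, "USER_LOGIN"), (LOGOUT_RE, "USER_LOGOUT")):
        m = pattern.match(narrative)
        if m:
            udm["metadata.event_type"] = event_type
            udm["principal.user.email_addresses"] = m["email"]
            udm["target.hostname"] = m["host"]
            udm["security_result.action"] = "ALLOW"
            udm["extensions.auth.auth_details"] = m.groupdict().get("auth")
            break
    return {k: v for k, v in udm.items() if v is not None}  # drop absent fields
```

Note that the sample log's eventdatetime resolves to 2022-06-19T22:31:14Z and its eventid is 1439, so the Sample Parsing values above come from a different event than the Log Sample line.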
Parser Alerting
Parser does not generate alerts.
Rules
Coming Soon