Centrify SSO

About

Centrify is redefining the legacy approach to Privileged Access Management (PAM) with a cloud-ready, modern PAM founded on Zero Trust principles: trust is established first, and least-privilege access is then granted just in time, based on verifying who is requesting access, the context of the request, and the risk of the access environment.

Product Details

Vendor URL: Centrify SSO

Product Type: Authentication

Product Tier: Tier II

Integration Method: Custom

Integration URL: Centrify SSO

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: Syslog

Expected Normalization Rate: 75%

Data Label: CENTRIFY_SSO

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                    UDM Field
ALLOW, BLOCK                      security_result.action
app                               principal.application
AuditId                           additional.fields
AuthMethod                        additional.fields
AuthMethod                        extensions.auth.type
AzDeploymentId                    additional.fields
AzRoleId                          additional.fields
AzRoleName                        principal.user.groupid
centrifyEventID                   additional.fields
CentrifyNativeClient              additional.fields
Classification                    additional.fields
CloudHasSeenEntity                additional.fields
CloudHasSeenUser                  additional.fields
DASessID                          additional.fields
DataVaultItemID                   additional.fields
dhost                             target.hostname
dhost                             target.ip
DirectoryServiceName              additional.fields
DirectoryServiceNameLocalized     additional.fields
DirectoryServiceUuid              additional.fields
domain                            principal.administrative_domain
DSName                            additional.fields
dst                               target.hostname
dst                               target.ip
DSType                            additional.fields
DSUuid                            additional.fields
EndTime                           additional.fields
EventMessage                      metadata.description
fname                             target.file.full_path
GENERIC_EVENT, USER_LOGIN, STATUS_UNCATEGORIZED, USER_RESOURCE_ACCESS  metadata.event_type
ID                                additional.fields
InternalSessionId                 additional.fields
InternalTrackingID                additional.fields
IsPasswordChange                  additional.fields
LOW, MEDIUM, HIGH                 security_result.severity
observer                          observer.hostname
observer                          observer.ip
parameters                        additional.fields
pid                               principal.process.pid
product                           metadata.product_name
product_event                     metadata.product_event_type
reason                            additional.fields
request                           target.url
RequestIsMobileDevice             additional.fields
RequestUserAgent                  network.http.user_agent
Scopes                            additional.fields
SecretName                        additional.fields
SecretType                        additional.fields
service                           principal.application
session_id                        additional.fields
shost                             principal.hostname
shost                             principal.ip
src                               principal.hostname
src                               principal.ip
StartTime                         additional.fields
status                            security_result.summary
sum                               additional.fields
suser                             principal.user.userid
Tenant                            additional.fields
ThreadType                        additional.fields
TokenType                         additional.fields
UserGuid                          additional.fields
UserType                          additional.fields
utc                               principal.application
Value                             additional.fields
vendor                            metadata.vendor_name
WhenLogged                        additional.fields
WhenOccurred                      additional.fields
whenoccurreddate                  additional.fields
WINDOWS                           principal.platform

Product Event Types

Event                         UDM Event Classification
Default                       GENERIC_EVENT
Filebucketed                  STATUS_UNCATEGORIZED
Started Session, New session  USER_LOGIN
ViewSecret                    USER_RESOURCE_ACCESS

Log Sample

<30>Oct 28 13:57:01 desktop.company.com systemd[1]: Started Session 14 of user root.

Sample Parsing

metadata.event_timestamp = "2021-10-28T13:57:01Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "Centrify"
metadata.product_name = "systemd"
metadata.product_event_type = "Started Session"
metadata.description = "Started Session 14 of user root."
metadata.ingested_timestamp = "2021-10-28T13:57:02.535003Z"
additional.Session ID = "14"
principal.hostname = "NULL"
principal.user.userid = "root"
principal.namespace = "company"
principal.asset.hostname = "null"
target.hostname = "NULL"
target.namespace = "company"
target.asset.hostname = "null"
observer.hostname = "desktop.domain.com"
observer.namespace = "company"
security_result.action = "ALLOW"
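The mapping shown in the Log Sample and Sample Parsing above, and the Product Event Types classification, worked through in code as an added example that is not part of this page and not the vendor's parser: a small Python normalizer that splits the BSD syslog header, classifies the message body against the Product Event Types table, and emits the UDM field paths from the sample output. The year (BSD syslog timestamps carry none), the UTC time zone, the derivation of the namespace from the reporting host, and the ALLOW default for a started session are assumptions of the example, and all sample lines after the first are constructed.

```python
"""Added example (not Centrify's code and not the vendor parser): normalize a
Centrify SSO syslog line into the UDM-style field paths this page lists."""
import re
from datetime import datetime

VENDOR_NAME = "Centrify"

# Product event type -> UDM event classification, as in the page's table.
# A message matching none of these prefixes falls through to the table's
# "Default" row and is classified GENERIC_EVENT.
EVENT_TYPE_MAP = {
    "Started Session": "USER_LOGIN",
    "New session": "USER_LOGIN",
    "ViewSecret": "USER_RESOURCE_ACCESS",
    "Filebucketed": "STATUS_UNCATEGORIZED",
}

# BSD-style syslog header: <PRI>MMM dd HH:MM:SS host program[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# systemd-logind session messages, e.g. "Started Session 14 of user root."
SESSION_RE = re.compile(
    r"^(?:Started Session|New session) (?P<sid>\S+) of user (?P<user>\S+?)\.?$"
)


def classify(message):
    """Return (product_event_type, metadata.event_type) for a message body."""
    for product_event, udm_type in EVENT_TYPE_MAP.items():
        if message.startswith(product_event):
            return product_event, udm_type
    return "Default", "GENERIC_EVENT"


def normalize(line, year):
    """Map one syslog line to a flat dict keyed by UDM field path.

    Returns None when the syslog header does not parse; lines like that are
    what the page's expected normalization rate (75%) leaves unnormalized.
    `year` is an assumption of this example: BSD syslog timestamps carry no
    year, so a real pipeline takes it from the ingestion time. The timestamp
    is also assumed to be UTC, as in the page's sample output.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    message = m["msg"]
    product_event, udm_type = classify(message)
    host = m["host"]
    labels = host.split(".")
    # Assumption: namespace is the second-level label of the reporting host,
    # which is how the sample output derives "company" from desktop.company.com.
    namespace = labels[-2] if len(labels) >= 2 else ""

    udm = {
        "metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "metadata.event_type": udm_type,
        "metadata.vendor_name": VENDOR_NAME,
        "metadata.product_name": m["program"],
        "metadata.product_event_type": product_event,
        "metadata.description": message,
        "observer.hostname": host,
        "observer.namespace": namespace,
    }
    s = SESSION_RE.match(message)
    if s:
        udm["additional.Session ID"] = s["sid"]
        udm["principal.user.userid"] = s["user"]
        # Assumption: a session systemd reports as started was allowed.
        udm["security_result.action"] = "ALLOW"
    return udm


def normalize_batch(lines, year=2021):
    """Normalize many lines; return (events, normalization_rate)."""
    parsed = [normalize(line, year) for line in lines]
    events = [p for p in parsed if p is not None]
    rate = len(events) / len(lines) if lines else 0.0
    return events, rate


# Constructed sample input for this example (first line is the page's log sample).
SAMPLE_LINES = [
    "<30>Oct 28 13:57:01 desktop.company.com systemd[1]: Started Session 14 of user root.",
    "<30>Oct 28 13:58:12 desktop.company.com systemd-logind[812]: New session 15 of user alice.",
    "<30>Oct 28 13:59:00 desktop.company.com sshd[1422]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "not a syslog line at all",
]

if __name__ == "__main__":
    events, rate = normalize_batch(SAMPLE_LINES)
    for event in events:
        for path, value in event.items():
            print(f'{path} = "{value}"')
        print()
    print(f"normalized {rate:.0%} of {len(SAMPLE_LINES)} lines")
```

Run the block directly to see each normalized event in the same `path = "value"` form as the Sample Parsing above. The unmatched sshd line still yields a GENERIC_EVENT record with the message as `metadata.description`, while the non-syslog line is dropped entirely; tracking the second kind is what tells you whether you are actually hitting the expected normalization rate for this feed.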

Parser Alerting

This product currently does not have any Parser-based Alerting

Rules

Coming Soon