Centrify SSO¶

Centrify SSO

About¶

Centrify is redefining the legacy approach to Privileged Access Management (PAM) with cloud-ready modern PAM founded on Zero Trust principles. This allows establishing trust, and then granting least privilege access just-in-time based on verifying who is requesting access, the context of the request, as well as the risk of the access environment.

Product Details¶

Vendor URL: Centrify SSO

Product Type: Authentication

Product Tier: Tier II

Integration Method: Custom

Integration URL: Centrify SSO

Log Guide: Sample Logs by Log Type

Parser Details¶

Log Format: Syslog

Expected Normalization Rate: 75%

Data Label: CENTRIFY_SSO

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field	UDM Field
ALLOW, BLOCK	security_result.action
app	principal.application
AuditId	additional.fields
AuthMethod	additional.fields
AuthMethod	extensions.auth.type
AzDeploymentId	additional.fields
AzRoleId	additional.fields
AzRoleName	principal.user.groupid
centrifyEventID	additional.fields
CentrifyNativeClient	additional.fields
Classification	additional.fields
CloudHasSeenEntity	additional.fields
CloudHasSeenUser	additional.fields
DASessID	additional.fields
DataVaultItemID	additional.fields
dhost	target.hostname
dhost	target.ip
DirectoryServiceName	additional.fields
DirectoryServiceNameLocalized	additional.fields
DirectoryServiceUuid	additional.fields
domain	principal.administrative_domain
DSName	additional.fields
dst	target.hostname
dst	target.ip
DSType	additional.fields
DSUuid	additional.fields
EndTime	additional.fields
EventMessage	metadata.description
fname	target.file.full_path
GENERIC_EVENT, USER_LOGIN, STATUS_UNCATEGORIZED, USER_RESOURCE_ACCESS	metadata.event_type
ID	additional.fields
InternalSessionId	additional.fields
InternalTrackingID	additional.fields
IsPasswordChange	additional.fields
LOW, MEDIUM, HIGH	security_result.severity
observer	observer.hostname
observer	observer.ip
parameters	additional.fields
pid	principal.process.pid
product	metadata.product_name
product_event	metadata.product_event_type
reason	additional.fields
request	target.url
RequestIsMobileDevice	additional.fields
RequestUserAgent	network.http.user_agent
Scopes	additional.fields
SecretName	additional.fields
SecretType	additional.fields
service	principal.application
session_id	additional.fields
shost	principal.hostname
shost	principal.ip
src	principal.hostname
src	principal.ip
StartTime	additional.fields
status	security_result.summary
sum	additional.fields
suser	principal.user.userid
Tenant	additional.fields
ThreadType	additional.fields
TokenType	additional.fields
UserGuid	additional.fields
UserType	additional.fields
utc	principal.application
Value	additional.fields
vendor	metadata.vendor_name
WhenLogged	additional.fields
WhenOccurred	additional.fields
whenoccurreddate	additional.fields
WINDOWS	principal.platform

Product Event Types¶

Event	UDM Event Classification
Default	GENERIC_EVENT
Filebucketed	STATUS_UNCATEGORIZED
Started Session, New session	USER_LOGIN
ViewSecret	USER_RESOURCE_ACCESS

Log Sample¶

<30>Oct 28 13:57:01 desktop.company.com systemd[1]: Started Session 14 of user root.

Sample Parsing¶

metadata.event_timestamp = "2021-10-28T13:57:01Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "Centrify"
metadata.product_name = "systemd"
metadata.product_event_type = "Started Session"
metadata.description = "Started Session 14 of user root."
metadata.ingested_timestamp = "2021-10-28T13:57:02.535003Z"
additional.Session ID = "14"
principal.hostname = "NULL"
principal.user.userid = "root"
principal.namespace = "company"
principal.asset.hostname = "null"
target.hostname = "NULL"
target.namespace = "company"
target.asset.hostname = "null"
observer.hostname = "desktop.domain.com"
observer.namespace = "company"
security_result.action = "ALLOW"

Parser Alerting¶

This product currently does not have any Parser-based Alerting

Rules¶

Coming Soon