Entrust KeyControl as a Service
About
Entrust KeyControl as a Service gives organizations control of their cryptographic keys while they use cloud services. It supports customer-managed keys, including Bring Your Own Key (BYOK), cloud-managed (native) keys, and externally stored keys, including Hold Your Own Key (HYOK).
Product Details
Vendor URL: ENTR_KCAAS
Product Type: Audit
Product Tier: Tier III
Integration Method: Syslog
Parser Details
Log Format: JSON
Expected Normalization Rate: ~95%
Data Label: ENTR_KCAAS
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| action | security_result.action_details |
| appName | principal.application |
| client_ip | principal.ip |
| level | security_result.severity |
| loggerFqcn | additional.fields |
| loggerName | intermediary.application |
| message | security_result.summary |
| method | network.http.referral_url |
| observer | observer.hostname |
| protocol | network.application_protocol |
| protocol_version | network.application_protocol_version |
| response_code | network.http.response_code |
| sent_bytes | network.sent_bytes |
| spanId | security_result.detection_fields |
| tenantUid | observer.asset.product_object_id |
| thread | principal.process.product_specific_process_id |
| threadId | principal.process.pid |
| threadPriority | security_result.priority_details |
| traceId | security_result.detection_fields |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| Generic | GENERIC_EVENT |
Log Sample
ip-10-0-0-0.kcaas-preprod.cloud.example.com {"level": "INFO", "loggerName": "django.server", "message": "\"GET /admin/health/liveness HTTP/1.1\" 200 17", "tenantUid": "tpm", "thread": "Thread-45062", "threadId": 140583932782272, "timestamp": "2024-06-12 14:58:54,078", "traceId": "", "spanId": ""}
Sample Parsing
intermediary.application = "django.server"
metadata.event_type = "GENERIC_EVENT"
network.application_protocol = "HTTP"
network.application_protocol_version = "1.1"
network.http.method = "GET"
network.http.referral_url = "/admin/health/liveness"
network.http.response_code = 200
network.sent_bytes = 17
observer.asset.product_object_id = "tpm"
observer.domain.name = "kcaas-preprod.cloud.example.com"
observer.hostname = "ip-10-0-0-0"
principal.process.pid = "140583932782272"
principal.process.product_specific_process_id = "Thread: Thread-45062"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "INFO"
security_result.summary = "GET /admin/health/liveness HTTP/1.1 200 17"
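To check that a collected line normalizes the way the sample parsing above shows, the following Python routine reproduces the mapping for the log sample: it splits the syslog hostname prefix from the JSON body, breaks the Django request line in `message` into the network.http.* fields, and applies the INFO to INFORMATIONAL severity mapping. This is an added example, not the vendor's or the parser's own code; the UNKNOWN_SEVERITY fallback for levels the page does not show, and the detection_fields key/value shape, are assumptions.

```python
import json
import re

# Constructed copy of the page's log sample: syslog hostname prefix, a space, then the JSON body.
SAMPLE_LINE = (
    'ip-10-0-0-0.kcaas-preprod.cloud.example.com {"level": "INFO", "loggerName": "django.server", '
    '"message": "\\"GET /admin/health/liveness HTTP/1.1\\" 200 17", "tenantUid": "tpm", "thread": '
    '"Thread-45062", "threadId": 140583932782272, "timestamp": "2024-06-12 14:58:54,078", "traceId": "", "spanId": ""}'
)
# Django's request log line: "<method> <path> <protocol>/<version>" <status> <bytes>
HTTP_RE = re.compile(r'^"(\S+) (\S+) ([A-Za-z]+)/(\S+)" (\d{3}) (\d+)$')
# Only INFO -> INFORMATIONAL is shown on the page; other levels fall back to UNKNOWN_SEVERITY (assumption).
SEVERITY = {"INFO": "INFORMATIONAL"}


def parse_kcaas_line(line: str) -> dict:
    """Normalize one ENTR_KCAAS line into a flat dict keyed by UDM field path."""
    host, _, body = line.partition(" ")
    event = json.loads(body)
    udm = {"metadata.event_type": "GENERIC_EVENT"}
    # The syslog prefix is an FQDN: the first label is the host, the remainder is the domain.
    hostname, _, domain = host.partition(".")
    udm["observer.hostname"] = hostname
    if domain:
        udm["observer.domain.name"] = domain
    if event.get("loggerName"):
        udm["intermediary.application"] = event["loggerName"]
    if event.get("tenantUid"):
        udm["observer.asset.product_object_id"] = event["tenantUid"]
    if "threadId" in event:
        udm["principal.process.pid"] = str(event["threadId"])
    if event.get("thread"):
        udm["principal.process.product_specific_process_id"] = f"Thread: {event['thread']}"
    if event.get("level"):
        udm["security_result.severity_details"] = event["level"]
        udm["security_result.severity"] = SEVERITY.get(event["level"], "UNKNOWN_SEVERITY")
    # Empty traceId/spanId are dropped, as in the sample parsing; non-empty ones become detection_fields.
    for key in ("traceId", "spanId"):
        if event.get(key):
            udm.setdefault("security_result.detection_fields", []).append({"key": key, "value": event[key]})
    message = event.get("message", "")
    m = HTTP_RE.match(message)
    if m:  # an HTTP request line is split into the network.* fields shown in the sample parsing
        method, path, proto, version, code, sent = m.groups()
        udm.update({"network.http.method": method, "network.http.referral_url": path,
                    "network.application_protocol": proto.upper(),
                    "network.application_protocol_version": version,
                    "network.http.response_code": int(code), "network.sent_bytes": int(sent)})
    if message:
        udm["security_result.summary"] = message.replace('"', "")
    return udm
```

Running `parse_kcaas_line(SAMPLE_LINE)` yields the same field values as the Sample Parsing list above; a line whose `message` is not a request line keeps only the summary and the non-HTTP fields.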