NetIQ Access Manager

About

NetIQ Access Manager manages and provides adaptive, context-based secure access to the right users on any device at any location while minimizing risk.

Product Details

Vendor URL: NetIQ

Product Type: Identity/Access Management

Product Tier: Tier II

Integration Method: Syslog

Integration URL: n/a

Log Guide: n/a

Parser Details

Log Format: Syslog + JSON

Expected Normalization Rate: near 100%

Data Label: NETIQ_ACCESS_MANAGEMENT

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| timestamp | metadata.event_timestamp |
| Statically Defined | metadata.vendor_name |
| Statically Defined | metadata.product_name |
| product_event_type | metadata.product_event_type |
| eventCode | metadata.description |
| guid | metadata.product_log_id |
| observer | observer.hostname |
| sourceAddress | principal.ip |
| perpetratorID | principal.user.userid |
| perpetratorDN | principal.user.group_identifiers |
| type | principal.user.attribute.roles |
| targetID | target.user.userid |
| targetDN | target.user.group_identifiers |
| xDasTaxonomy | security_result.description |
| xDasOutcome | security_result.action_details |
| narrative | security_result.summary |
| targetLdapProfile | additional.fields |
| perpetratorLdapProfile | additional.fields |

Product Event Types

| Product Event | Description | UDM Event |
|---|---|---|
| EventCode =~ "PASSWORD" | and has target info | USER_CHANGE_PASSWORD |
| Default | All other events | USER_UNCATEGORIZED |

Log Sample

<14>Mar  1 14:51:46 observer.net SSPR {"targetID":"targetUSERNAME","targetDN":"cn=targetUSERNAME,ou=Active Users,ou=Data,ou=Data,o=Data","targetLdapProfile":"default","perpetratorID":"principalUSERNAME","perpetratorDN":"cn=principalUSERNAME,ou=Active Users,ou=Data,ou=Data,o=Data","perpetratorLdapProfile":"default","sourceAddress":"10.70.10.253","sourceHost":"10.70.10.253","type":"HELPDESK","eventCode":"HELPDESK_UNLOCK_PASSWORD","guid":"GUID_NUMBER","timestamp":"2023-03-01T19:51:46Z","narrative":"Password has been unlocked for targetUSERNAME (cn=targetUSERNAME,ou=Active Users,ou=Data,ou=Data,o=Data) by help desk operator principalUSERNAME (cn=principalUSERNAME,ou=Active Users,ou=Data,ou=Data,o=Data)","xdasTaxonomy":"XDAS_AE_SET_CRED_ACCOUNT","xdasOutcome":"XDAS_OUT_SUCCESS"}

Sample Parsing

metadata.product_log_id = "GUID_NUMBER"
metadata.event_timestamp = 1677700306
metadata.vendor_name = "NET IQ"
metadata.product_name = "Access Manager"
metadata.event_type = "USER_CHANGE_PASSWORD"
metadata.product_event_type = "SSPR"
metadata.description = "HELPDESK_UNLOCK_PASSWORD"
additional.fields.key = "ldapProfile-Perpetrator"
additional.fields.value = "default"
additional.fields.key = "ldapProfile-Target"
additional.fields.value = "default"
principal.user.userid = "principalUSERNAME"
principal.user.attribute.roles.name = "HELPDESK"
principal.user.group_identifiers = "cn=principalUSERNAME,ou=Active Users,ou=Data,ou=Data,o=Data"
principal.ip = "10.70.10.253"
target.user.userid = "targetUSERNAME"
target.user.group_identifiers = "cn=targetUSERNAME,ou=Active Users,ou=Data,ou=Data,o=Data"
observer.hostname = "observer.net"
security_result.summary = "Password has been unlocked for targetUSERNAME (cn=targetUSERNAME,ou=Active Users,ou=Data,ou=Data,o=Data) by help desk operator principalUSERNAME (cn=principalUSERNAME,ou=Active Users,ou=Data,ou=Data,o=Data)"
security_result.description = "XDAS_AE_SET_CRED_ACCOUNT"
security_result.action_details = "XDAS_OUT_SUCCESS"
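As an added example (not the parser's own code), the following Python applies the field mapping and the event-type rule from this page to the sample line. The input is a constructed copy of the Log Sample with the narrative abridged; the static vendor and product names, the additional.fields key names and the epoch timestamp are taken from the Sample Parsing output above.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: the "Log Sample" line from this page, with the narrative abridged.
SAMPLE = (
    '<14>Mar  1 14:51:46 observer.net SSPR {"targetID":"targetUSERNAME",'
    '"targetDN":"cn=targetUSERNAME,ou=Active Users,ou=Data,ou=Data,o=Data","targetLdapProfile":"default",'
    '"perpetratorID":"principalUSERNAME","perpetratorDN":"cn=principalUSERNAME,ou=Active Users,ou=Data,ou=Data,o=Data",'
    '"perpetratorLdapProfile":"default","sourceAddress":"10.70.10.253","type":"HELPDESK",'
    '"eventCode":"HELPDESK_UNLOCK_PASSWORD","guid":"GUID_NUMBER","timestamp":"2023-03-01T19:51:46Z",'
    '"narrative":"Password has been unlocked for targetUSERNAME by help desk operator principalUSERNAME",'
    '"xdasTaxonomy":"XDAS_AE_SET_CRED_ACCOUNT","xdasOutcome":"XDAS_OUT_SUCCESS"}'
)

# Syslog header <PRI>MMM dd HH:MM:SS HOST APP-NAME, followed by the JSON body.
HEADER = re.compile(r"^<(\d+)>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+) (\{.*\})$")

def parse_netiq(line):
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a NetIQ syslog+JSON line")
    host, app, j = m.group(3), m.group(4), json.loads(m.group(5))
    # event_timestamp comes from the UTC "timestamp" inside the JSON, not the local-time syslog header.
    ts = datetime.strptime(j["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # The mapping table spells these keys xDas..., the sample log xdas...; accept either casing.
    taxonomy, outcome = j.get("xdasTaxonomy", j.get("xDasTaxonomy")), j.get("xdasOutcome", j.get("xDasOutcome"))
    code = j.get("eventCode", "")
    # Event-type rule from the "Product Event Types" table: PASSWORD in the code plus target info.
    event_type = "USER_CHANGE_PASSWORD" if "PASSWORD" in code and j.get("targetID") else "USER_UNCATEGORIZED"
    return {
        "metadata.product_log_id": j.get("guid"),
        "metadata.event_timestamp": int(ts.timestamp()),
        "metadata.vendor_name": "NET IQ",
        "metadata.product_name": "Access Manager",
        "metadata.event_type": event_type,
        "metadata.product_event_type": app,
        "metadata.description": code,
        "additional.fields": [{"key": "ldapProfile-Perpetrator", "value": j.get("perpetratorLdapProfile")}, {"key": "ldapProfile-Target", "value": j.get("targetLdapProfile")}],
        "principal.user.userid": j.get("perpetratorID"),
        "principal.user.attribute.roles.name": j.get("type"),
        "principal.user.group_identifiers": j.get("perpetratorDN"),
        "principal.ip": j.get("sourceAddress"),
        "target.user.userid": j.get("targetID"),
        "target.user.group_identifiers": j.get("targetDN"),
        "observer.hostname": host,
        "security_result.summary": j.get("narrative"),
        "security_result.description": taxonomy,
        "security_result.action_details": outcome,
    }
```

Calling `parse_netiq(SAMPLE)` yields the same field values as the Sample Parsing block; a line whose eventCode lacks PASSWORD falls through to USER_UNCATEGORIZED.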

Rules

Coming Soon