NetIQ Access Manager
About
NetIQ Access Manager manages and provides adaptive, context-based secure access to the right users on any device at any location while minimizing risk.
Product Details
Vendor URL: NetIQ
Product Type: Identity/Access Management
Product Tier: Tier II
Integration Method: Syslog
Integration URL: n/a
Log Guide: n/a
Parser Details
Log Format: Syslog + JSON
Expected Normalization Rate: near 100%
Data Label: NETIQ_ACCESS_MANAGEMENT
UDM Fields (list of all UDM fields leveraged in the parser):

| Log File Field | UDM Field |
|---|---|
| timestamp | metadata.event_timestamp |
| Statically defined | metadata.vendor_name |
| Statically defined | metadata.product_name |
| product_event_type (syslog app tag) | metadata.product_event_type |
| eventCode | metadata.description |
| guid | metadata.product_log_id |
| observer (syslog hostname) | observer.hostname |
| sourceAddress | principal.ip |
| perpetratorID | principal.user.userid |
| perpetratorDN | principal.user.group_identifiers |
| type | principal.user.attribute.roles |
| targetID | target.user.userid |
| targetDN | target.user.group_identifiers |
| xdasTaxonomy | security_result.description |
| xdasOutcome | security_result.action_details |
| narrative | security_result.summary |
| targetLdapProfile | additional.fields |
| perpetratorLdapProfile | additional.fields |
Product Event Types

| Product Event | Description | UDM Event |
|---|---|---|
| eventCode =~ "PASSWORD" | eventCode matches "PASSWORD" and the event carries target info (targetID) | USER_CHANGE_PASSWORD |
| Default | All other events | USER_UNCATEGORIZED |
Log Sample
<14>Mar 1 14:51:46 observer.net SSPR {"targetID":"targetUSERNAME","targetDN":"cn=targetUSERNAME,ou=Active Users,ou=Data,ou=Data,o=Data","targetLdapProfile":"default","perpetratorID":"principalUSERNAME","perpetratorDN":"cn=principalUSERNAME,ou=Active Users,ou=Data,ou=Data,o=Data","perpetratorLdapProfile":"default","sourceAddress":"10.70.10.253","sourceHost":"10.70.10.253","type":"HELPDESK","eventCode":"HELPDESK_UNLOCK_PASSWORD","guid":"GUID_NUMBER","timestamp":"2023-03-01T19:51:46Z","narrative":"Password has been unlocked for targetUSERNAME (cn=targetUSERNAME,ou=Active Users,ou=Data,ou=Data,o=Data) by help desk operator principalUSERNAME (cn=principalUSERNAME,ou=Active Users,ou=Data,ou=Data,o=Data)","xdasTaxonomy":"XDAS_AE_SET_CRED_ACCOUNT","xdasOutcome":"XDAS_OUT_SUCCESS"}
Sample Parsing
metadata.product_log_id = "GUID_NUMBER"
metadata.event_timestamp = 1677700306
metadata.vendor_name = "NET IQ"
metadata.product_name = "Access Manager"
metadata.event_type = "USER_CHANGE_PASSWORD"
metadata.product_event_type = "SSPR"
metadata.description = "HELPDESK_UNLOCK_PASSWORD"
additional.fields.key = "ldapProfile-Perpetrator"
additional.fields.value = "default"
additional.fields.key = "ldapProfile-Target"
additional.fields.value = "default"
principal.user.userid = "principalUSERNAME"
principal.user.attribute.roles.name = "HELPDESK"
principal.user.group_identifiers = "cn=principalUSERNAME,ou=Active Users,ou=Data,ou=Data,o=Data"
principal.ip = "10.70.10.253"
target.user.userid = "targetUSERNAME"
target.user.group_identifiers = "cn=targetUSERNAME,ou=Active Users,ou=Data,ou=Data,o=Data"
observer.hostname = "observer.net"
security_result.summary = "Password has been unlocked for targetUSERNAME (cn=targetUSERNAME,ou=Active Users,ou=Data,ou=Data,o=Data) by help desk operator principalUSERNAME (cn=principalUSERNAME,ou=Active Users,ou=Data,ou=Data,o=Data)"
security_result.description = "XDAS_AE_SET_CRED_ACCOUNT"
security_result.action_details = "XDAS_OUT_SUCCESS"
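The field mapping and event-type rule from the tables above, applied to the log sample, as an added Python example (this is not the parser's own code). It assumes the syslog header layout shown in the sample (`<PRI>Mon D HH:MM:SS host app {json}`), takes the event time from the JSON `timestamp` (UTC) rather than the zone-less syslog header, and drops UDM fields the event does not populate, so a self-service password event without `targetID` stays USER_UNCATEGORIZED.

```python
import json
import re
from datetime import datetime, timezone

# Syslog header as in the log sample: <PRI>Mon D HH:MM:SS host app {json}
HEADER = re.compile(r"^<\d+>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (\S+) (\S+) (\{.*\})$")
# Constructed input: the page's log sample with the DNs and narrative shortened.
SAMPLE_LINE = (
    '<14>Mar 1 14:51:46 observer.net SSPR {"targetID":"targetUSERNAME","targetDN":"cn=targetUSERNAME,o=Data",'
    '"targetLdapProfile":"default","perpetratorID":"principalUSERNAME","perpetratorDN":"cn=principalUSERNAME,o=Data",'
    '"perpetratorLdapProfile":"default","sourceAddress":"10.70.10.253","type":"HELPDESK","guid":"GUID_NUMBER",'
    '"eventCode":"HELPDESK_UNLOCK_PASSWORD","timestamp":"2023-03-01T19:51:46Z","narrative":"Password has been unlocked",'
    '"xdasTaxonomy":"XDAS_AE_SET_CRED_ACCOUNT","xdasOutcome":"XDAS_OUT_SUCCESS"}'
)

def classify(ev: dict) -> str:
    # Event-type rule from the table above: PASSWORD in eventCode AND target info present.
    if "PASSWORD" in ev.get("eventCode", "") and ev.get("targetID"):
        return "USER_CHANGE_PASSWORD"
    return "USER_UNCATEGORIZED"

def parse(line: str) -> dict:
    """Map one syslog+JSON line to the flat UDM fields listed on this page; unset fields are dropped."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("line does not match the expected syslog+JSON layout")
    host, app, body = m.groups()
    ev = json.loads(body)
    ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)  # JSON time is UTC
    udm = {
        "metadata.product_log_id": ev.get("guid"),
        "metadata.event_timestamp": int(ts.timestamp()),
        "metadata.vendor_name": "NET IQ",            # statically defined
        "metadata.product_name": "Access Manager",   # statically defined
        "metadata.event_type": classify(ev),
        "metadata.product_event_type": app,          # syslog app tag, e.g. SSPR
        "metadata.description": ev.get("eventCode"),
        "principal.user.userid": ev.get("perpetratorID"),
        "principal.user.attribute.roles.name": ev.get("type"),
        "principal.user.group_identifiers": ev.get("perpetratorDN"),
        "principal.ip": ev.get("sourceAddress"),
        "target.user.userid": ev.get("targetID"),
        "target.user.group_identifiers": ev.get("targetDN"),
        "observer.hostname": host,
        "security_result.summary": ev.get("narrative"),
        "security_result.description": ev.get("xdasTaxonomy"),
        "security_result.action_details": ev.get("xdasOutcome"),
        "additional.fields": [{"key": f"ldapProfile-{r}", "value": ev[k]} for r, k in (("Perpetrator", "perpetratorLdapProfile"), ("Target", "targetLdapProfile")) if k in ev],
    }
    return {k: v for k, v in udm.items() if v not in (None, [])}
```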