ObserveIT
About
Today, 30% of data breaches are insider-driven—and the cost of these incidents has doubled in the last three years. In the past, we’ve relied on prevention-heavy and log-analysis approaches. But they can’t keep pace with today’s cloud-connected, distributed and highly collaborative workforces.
Now there’s a better way. With Proofpoint Insider Threat Management, you can protect your IP from malicious, negligent or compromised users across your organization. We correlate activity and data movement with clean, first-party endpoint visibility. This empowers your security team to identify user risk, detect insider-led data breaches, and accelerate their security incident response time.
Product Details
Vendor URL: ObserveIT | Proofpoint Insider Threat Management
Product Type: Insider Threat Management
Product Tier: Tier I
Integration Method: Syslog
Integration URL: ObserveIT | Data Integration
Log Guide: ObserveIT | Monitoring Log Files
Parser Details
Log Format: CEF
Expected Normalization Rate: 90%
Data Label: OBSERVEIT
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
cs1Label | additional.fields |
cs2Label | additional.fields |
cs3Label | additional.fields |
cs4Label | additional.fields |
cs5Label | additional.fields |
cs6Label | additional.fields |
cfp1Label | additional.fields |
cfp2Label | additional.fields |
cfp3Label | additional.fields |
description | metadata.description |
Statically Defined | metadata.event_type |
product_event | metadata.product_event_type |
product | metadata.product_name |
version | metadata.product_version |
vendor | metadata.vendor_name |
observer_domain | observer.administrative_domain |
observer | observer.hostname |
observer | observer.ip |
src_domain | principal.administrative_domain |
sproc | principal.application |
cs2 | principal.asset.platform_software.platform |
src | principal.hostname |
shost | principal.hostname |
src | principal.ip |
shost | principal.ip |
duser | principal.user.user_display_name |
duid | principal.user.userid |
Statically Defined | security_result.action |
Statically Defined | security_result.alert_state |
Statically Defined | security_result.severity |
cat | security_result.summary |
suser | src.user.user_display_name |
suid | src.user.userid |
dntdom | target.administrative_domain |
dst_domain | target.administrative_domain |
destinationServiceName | target.application |
dst | target.hostname |
dvchost | target.hostname |
dst | target.ip |
dvchost | target.ip |
request | target.url |
cs3 | url_back_to_product |
Product Event Types
type,subtype | severity | UDM Event Classification | alerting enabled |
---|---|---|---|
Default | | GENERIC_EVENT | |
UserActivity | | USER_UNCATEGORIZED | |
Log Sample
hostname1.domain.com OBSERVEIT-NXLOG: Feb 14 2022 22:03:15 host CEF:0|ObserveIT|ObserveIT|7.12.1|400|ObserveITAlert|8|cat=[domain] Exfiltrating a file to the web by uploading externalId=1234567890 reason=An alert is triggered upon exfiltrating a file (both tracked file and non-tracked file) to the web by uploading it. Note that this rule will be triggered only for files that are specified in the dedicated list. cs1=File operation trigger:Upload;File name:WEBSITE-5.20.1.BETA-SETUP.EXE;:True;Original file name:WEBSITE-5.20.1.beta-Setup.exe;Original file name:WEBSITE-5.20.1.beta-Setup.exe;To website/web-application:WEBSITE_NET;:https_//WEBSITE1.com/download/WEBSITE-5.20.1.beta-setup_exe;To website category:0;Originated from website:WEBSITE_NET;:https_//WEBSITE_NET/download/WEBSITE-5.20.1.beta-setup_exe cs1Label=AlertDetails cs5=HTTPS_//OBSERVER_HOSTNAME.COMPANYNAME_net/ObserveIT/SlideViewer.aspx?SessionID\=1234567890 cs5Label=AlertDetailsURL cs2=Windows cs2Label=OS dhost=DHOST_NAME dntdom=domain.com cs3=HTTPS_//hostname1.domain.com/ObserveIT/SlideViewer.aspx?SessionID\=1234567890 cs3Label=ViewURL cs4= cs4Label=ScreenShot dproc=ObserveIT duid=john.doe duser=n/a dvchost=(local) dvc= msg=Downloading WEBSITE-5.20.1.beta-Setup.exe :: WEBSITE — Mozilla Firefox rt=Feb 14 2022 22:03:15 shost=(local) sproc=firefox src= sntdom=n/a suser=n/a suid=n/a destinationServiceName=WEBSITE_NET deviceProcessName=firefox sourceServiceName=1234567890 requestMethod=1234567890 end=Feb 15 2022 04:03:15 start=Feb 15 2022 04:03:15
Sample Parsing
metadata.event_timestamp = "2022-02-14T22:03:15Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "ObserveIT"
metadata.product_name = "ObserveIT"
metadata.product_version = "7.12.1"
metadata.product_event_type = "ObserveITAlert"
metadata.description = "Downloading WEBSITE-5.20.1.beta-Setup.exe :: WEBSITE — Mozilla Firefox"
additional.AlertDetailsURL = "HTTPS_//OBSERVER_HOSTNAME.COMPANYNAME_net/ObserveIT/SlideViewer.aspx?SessionID\=1234567890"
additional.AlertDetails = "File operation trigger:Upload;File name:WEBSITE-5.20.1.BETA-SETUP.EXE;:True;Original file name:WEBSITE-5.20.1.beta-Setup.exe;Original file name:WEBSITE-5.20.1.beta-Setup.exe;To website/web-application:WEBSITE_NET;:https_//WEBSITE_NET/download/WEBSITE-5.20.1.beta-setup_exe;To website category:0;Originated from website:WEBSITE_NET;:https_//WEBSITE_NET/download/WEBSITE-5.20.1.beta-setup_exe"
principal.hostname = "hostname2"
principal.user.userid = "john.doe"
principal.application = "firefox"
principal.asset.platform_software.platform = "WINDOWS"
target.administrative_domain = "domain.com"
target.application = "WEBSITE1.com"
observer.hostname = "hostname1"
observer.administrative_domain = "domain.com"
security_result.summary = "[domain] Exfiltrating a file to the web by uploading"
security_result.severity = "LOW"
security_result.url_back_to_product = "HTTPS_//hostname1.domain.com/ObserveIT/SlideViewer.aspx?SessionID\=1234567890"
security_result.alert_state = "ALERTING"
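The field table and the sample parsing above describe the mapping only declaratively. The following is an added example, not the vendor's parser or the SIEM's own normalizer: it tokenizes a syslog-wrapped CEF line (header fields split on unescaped pipes, extension values running from one `key=` to the next, `\=` unescaped) and applies the page's table to produce dotted UDM paths. The sample line is a constructed, abridged copy of the page's log sample. Assumptions not stated on the page: `n/a`, `(local)` and empty strings are treated as "no value"; `security_result.severity` and `alert_state` are set to the static values shown in the sample parsing regardless of the CEF header severity; the `principal.hostname` value in the sample parsing cannot be derived from the sample line, so it is left unset here; where the page maps one CEF key to both `.hostname` and `.ip`, the example picks by whether the value parses as an IP address.

```python
import ipaddress
import re
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed, abridged copy of the page's log sample (redacted values kept as on the page).
SAMPLE_LOG = (
    "hostname1.domain.com OBSERVEIT-NXLOG: Feb 14 2022 22:03:15 host "
    "CEF:0|ObserveIT|ObserveIT|7.12.1|400|ObserveITAlert|8|"
    "cat=[domain] Exfiltrating a file to the web by uploading externalId=1234567890 "
    "cs1=File operation trigger:Upload;File name:WEBSITE-5.20.1.BETA-SETUP.EXE cs1Label=AlertDetails "
    "cs5=HTTPS_//OBSERVER_HOSTNAME.COMPANYNAME_net/ObserveIT/SlideViewer.aspx?SessionID\\=1234567890 "
    "cs5Label=AlertDetailsURL cs2=Windows cs2Label=OS dhost=DHOST_NAME dntdom=domain.com "
    "cs3=HTTPS_//hostname1.domain.com/ObserveIT/SlideViewer.aspx?SessionID\\=1234567890 cs3Label=ViewURL "
    "cs4= cs4Label=ScreenShot dproc=ObserveIT duid=john.doe duser=n/a dvchost=(local) dvc= "
    "msg=Downloading WEBSITE-5.20.1.beta-Setup.exe :: WEBSITE \u2014 Mozilla Firefox "
    "rt=Feb 14 2022 22:03:15 shost=(local) sproc=firefox src= sntdom=n/a suser=n/a suid=n/a "
    "destinationServiceName=WEBSITE_NET deviceProcessName=firefox end=Feb 15 2022 04:03:15"
)

_HEADER_KEYS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
# An extension key is a run of word characters followed by '=', at the start or after whitespace.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")
_UNSET = {"", "n/a", "(local)"}  # assumption: ObserveIT's placeholders for "no value"
_EVENT_TYPES = {"UserActivity": "USER_UNCATEGORIZED"}  # Product Event Types table; else GENERIC_EVENT

def _unescape(value: str) -> str:
    # CEF escapes: \| in header fields, \= in extension values, \\ for a literal backslash.
    return value.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")

def parse_cef(line: str) -> Dict[str, str]:
    """Split a syslog-wrapped CEF line into header fields plus extension key/value pairs."""
    start = line.index("CEF:")  # ValueError if the line carries no CEF header
    # Seven header fields, then the extension; only unescaped pipes separate them.
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    record = dict(zip(_HEADER_KEYS, (_unescape(p) for p in parts[:7])))
    record["cef_version"] = record["cef_version"].partition(":")[2]
    record["syslog_host"] = (line[:start].split() or [""])[0]
    ext = parts[7]
    keys = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):  # a value runs from its '=' up to the next key
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        record[m.group(1)] = _unescape(ext[m.end():end].strip())
    return record

def _set(udm: Dict[str, str], key: str, value: Optional[str]) -> None:
    if value is not None and value not in _UNSET:
        udm[key] = value

def _host_or_ip(udm: Dict[str, str], entity: str, value: Optional[str]) -> None:
    # The table maps src/shost and dst/dvchost to both .hostname and .ip; choose by shape.
    if value is None or value in _UNSET:
        return
    try:
        ipaddress.ip_address(value)
        udm[f"{entity}.ip"] = value
    except ValueError:
        udm[f"{entity}.hostname"] = value

def to_udm(cef: Dict[str, str]) -> Dict[str, str]:
    """Apply the page's field table to a parsed CEF record; keys are dotted UDM paths."""
    udm: Dict[str, str] = {}
    if cef.get("rt"):
        ts = datetime.strptime(cef["rt"], "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
        udm["metadata.event_timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    udm["metadata.event_type"] = _EVENT_TYPES.get(cef.get("name", ""), "GENERIC_EVENT")
    for src_key, udm_key in (
        ("vendor", "metadata.vendor_name"), ("product", "metadata.product_name"),
        ("version", "metadata.product_version"), ("name", "metadata.product_event_type"),
        ("msg", "metadata.description"), ("sproc", "principal.application"),
        ("duid", "principal.user.userid"), ("duser", "principal.user.user_display_name"),
        ("suid", "src.user.userid"), ("suser", "src.user.user_display_name"),
        ("dntdom", "target.administrative_domain"), ("destinationServiceName", "target.application"),
        ("request", "target.url"), ("cat", "security_result.summary"),
        ("cs3", "security_result.url_back_to_product"),
    ):
        _set(udm, udm_key, cef.get(src_key))
    if cef.get("cs2"):
        udm["principal.asset.platform_software.platform"] = cef["cs2"].upper()
    _host_or_ip(udm, "principal", cef.get("src") or cef.get("shost"))
    _host_or_ip(udm, "target", cef.get("dst") or cef.get("dvchost"))
    name, _, domain = cef.get("syslog_host", "").partition(".")
    _set(udm, "observer.hostname", name)
    _set(udm, "observer.administrative_domain", domain)
    for key, label in cef.items():  # csN/cfpN values land under additional.<label>
        if re.fullmatch(r"c(?:s|fp)\d+Label", key):
            _set(udm, f"additional.{label}", cef.get(key[:-len("Label")]))
    # Statically defined in the page's sample parsing, independent of the CEF header severity (8 here).
    udm["security_result.severity"] = "LOW"
    udm["security_result.alert_state"] = "ALERTING"
    return udm

def normalize(line: str) -> Dict[str, str]:
    return to_udm(parse_cef(line))

if __name__ == "__main__":
    print(*sorted(normalize(SAMPLE_LOG).items()), sep="\n")
```

Running the module prints the normalized fields for the sample line. Note that `externalId=1234567890`, which appears inside the `cat` text on the page, is a separate CEF key and is tokenized as such, which is why `security_result.summary` stops at "uploading" exactly as the sample parsing shows; the `\=` inside the SlideViewer URLs is unescaped to `=`, whereas the page's sample output leaves it escaped.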
Parser Alerting
This product currently does not have any Parser-based Alerting.
Rules
Coming Soon