One Identity TPAM
About
One Identity Privileged Access Management (PAM) solutions mitigate security risks and enable compliance. The product is available as a SaaS-delivered or traditional on-prem offering. You can secure, control, monitor, analyze and govern privileged access across multiple environments and platforms, with the flexibility to provide the full credential when necessary or to limit access under Zero Trust and least-privileged operating models.
Product Details
Vendor URL: Privileged Access Management - One Identity
Product Type: Identity and Access Management
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Syslog Integration Guide
Log Guide: TPAM - Technical Documentation - One Identity Support
Parser Details
Log Format: Syslog
Expected Normalization Rate: 75%
Data Label: ONEIDENTITY_TPAM
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
smb_host | additional.fields |
smb_stage1 | additional.fields |
smb_uid | additional.fields |
Operation | metadata.product_event_type |
UserName | principal.user.userid |
ObjectType | target.asset.category |
Target | target.asset.asset_id |
Role | principal.user.group_identifiers |
OtherInfo | metadata.description |
Failed | security_result.action |
TargetURL | target.url |
From address | principal.hostname |
Statically Defined | metadata.vendor_name |
Statically Defined | metadata.product_name |
From address | principal.ip |
observer | observer.hostname |
observer | observer.ip |
Product Event Types
type,subtype | severity | UDM Event Classification | alerting enabled |
---|---|---|---|
Default | | GENERIC_EVENT | |
Retrieve Password | | RESOURCE_READ | |
Add | | RESOURCE_CREATION | |
Login | | USER_LOGIN | |
Force Change | | RESOURCE_WRITTEN | |
Log Sample
Mar 29 06:22:54 10.10.10.32 PAR[64]: UserName: john.doe Operation: Retrieve Password ObjectType: Password Target: svc_account Role: ADMIN Failed? 0 OtherInfo: smb_host=smb_host_123 smb_stage1=1234567890123 smb_uid=smb_uid_123456 smb_timezone=EDT.
Sample Parsing
metadata.event_timestamp = "2022-03-29T10:22:54Z"
metadata.event_type = "RESOURCE_READ"
metadata.vendor_name = "One Identity"
metadata.product_name = "TPAM"
metadata.product_event_type = "Retrieve Password"
additional.smb_stage1 = "1234567890123"
additional.smb_host = "smb_host_123"
additional.smb_uid = "smb_uid_123456"
principal.user.userid = "john.doe"
principal.user.group_identifiers = "ADMIN"
target.asset.asset_id = ":svc_account"
target.asset.category = "Password"
observer.ip = "10.10.10.32"
security_result.summary = "Password"
security_result.action = "ALLOW"
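The field mapping and event-type table above, applied to the log sample as an added Python example (not the vendor's or the production parser's own code): it splits the syslog header from the labelled body, unpacks the key=value OtherInfo block, and emits the UDM field names shown in the sample parsing. The year and the UTC offset are assumptions, since BSD syslog timestamps carry neither; mapping a non-zero "Failed?" to BLOCK is also an assumption, as the page only shows the "0" case.

```python
import re
from datetime import datetime, timedelta

# Constructed copy of the page's log sample; not a live TPAM event.
SAMPLE = ("Mar 29 06:22:54 10.10.10.32 PAR[64]: UserName: john.doe Operation: Retrieve Password "
          "ObjectType: Password Target: svc_account Role: ADMIN Failed? 0 OtherInfo: "
          "smb_host=smb_host_123 smb_stage1=1234567890123 smb_uid=smb_uid_123456 smb_timezone=EDT.")

# Operation -> UDM event type, taken from the Product Event Types table above.
EVENT_TYPES = {"Retrieve Password": "RESOURCE_READ", "Add": "RESOURCE_CREATION",
               "Login": "USER_LOGIN", "Force Change": "RESOURCE_WRITTEN"}

# Syslog header: BSD timestamp, sending host (the observer), process[pid], free-text body.
HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \w+\[\d+\]: (?P<body>.*)$")
# The body is a run of "Label: value" pairs; "Failed?" is followed by a space, not a colon.
LABELS = re.compile(r"(UserName|Operation|ObjectType|Target|Role|Failed\?|OtherInfo)[: ] *")

def parse_tpam(line, year=2022, utc_offset_hours=-4):
    """Normalize one TPAM syslog line into a dict keyed by UDM field name.
    BSD syslog timestamps carry no year or zone, so both are assumed parameters
    (smb_timezone=EDT is UTC-4, turning 06:22:54 into the sample's 10:22:54Z)."""
    m = HEADER.match(line)
    if not m:
        return None  # not a TPAM PAR line; leave it for the generic syslog path
    parts = LABELS.split(m.group("body"))  # [prefix, label, value, label, value, ...]
    f = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}
    # OtherInfo is a space-separated key=value list ending in a period.
    other = dict(kv.split("=", 1) for kv in f.get("OtherInfo", "").rstrip(".").split() if "=" in kv)
    local = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    stamp = (local - timedelta(hours=utc_offset_hours)).strftime("%Y-%m-%dT%H:%M:%SZ")
    udm = {
        "metadata.event_timestamp": stamp,
        "metadata.event_type": EVENT_TYPES.get(f.get("Operation"), "GENERIC_EVENT"),
        "metadata.vendor_name": "One Identity",
        "metadata.product_name": "TPAM",
        "metadata.product_event_type": f.get("Operation"),
        "principal.user.userid": f.get("UserName"),
        "principal.user.group_identifiers": f.get("Role"),
        "target.asset.asset_id": f.get("Target"),  # raw value; the page's sample shows a leading ':'
        "target.asset.category": f.get("ObjectType"),
        "security_result.summary": f.get("ObjectType"),
        # The page shows "Failed? 0" -> ALLOW; mapping any other value to BLOCK is an assumption.
        "security_result.action": "ALLOW" if f.get("Failed?") == "0" else "BLOCK",
        "observer.ip": m.group("host"),
    }
    for key in ("smb_host", "smb_stage1", "smb_uid"):
        udm["additional." + key] = other.get(key)
    return udm
```

Calling parse_tpam(SAMPLE) reproduces the sample parsing above (apart from the leading colon on target.asset.asset_id); a line that fails the header match returns None so it can be counted against the 75% expected normalization rate rather than silently dropped.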
Parser Alerting
This product currently does not have any Parser-based Alerting.
Rules
Coming Soon