OpenAM¶
About¶
OpenAM provides an infrastructure for managing users, roles, and access to resources, and centralizes access control by handling both authentication and authorization.
Product Details¶
Vendor URL: OpenAM
Product Type: Identity/Access Management
Product Tier: Tier II
Integration Method: Syslog
Integration URL: n/a
Log Guide: n/a
Parser Details¶
Log Format: CSV and KV (CEF over syslog: a pipe-delimited header followed by key=value extension fields, as in the Log Sample below)
Expected Normalization Rate: near 100%
Data Label: OPENAM
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
Statically Defined | extensions.auth.type |
eventName | metadata.product_event_type |
description | metadata.description |
ad.trackingIds | metadata.product_log_id |
Statically Defined | metadata.product_name |
Statically Defined | metadata.vendor_name |
shost | principal.hostname |
src_ip, client.ip, info.ipAddress | principal.ip |
client.port | principal.port |
nodeId | principal.resource.id |
treeName | principal.resource.name |
authLevel | principal.resource.resource_subtype |
nodeType | principal.resource.type |
am_user | principal.user.email_addresses |
am_group | principal.user.group_identifiers |
am_user | principal.user.userid |
dhost | target.hostname |
dst, serverip | target.ip |
serverport | target.port |
loginId, am_user | target.user.email_addresses |
am_group | target.user.group_identifiers |
am_user | target.user.userid |
Statically Defined | network.application_protocol |
requestMethod | network.http.method |
request | network.http.referral_url |
user-agent | network.http.user_agent |
Product Event Types¶
Product Event | Description | UDM Event |
---|---|---|
AM-LOGIN | | USER_LOGIN |
AM-SESSION-CREATED | | USER_LOGIN |
AM-TREE-LOGIN-COMPLETED | | USER_LOGIN |
AM-NODE-LOGIN-COMPLETED | | USER_LOGIN |
AM_LOGOUT | | USER_LOGOUT |
AM-SESSION-DESTROYED | | USER_LOGOUT |
AM-SESSION-IDLE_TIMED_OUT | | USER_LOGOUT |
AM-SESSION-LOGGED_OUT | | USER_LOGOUT |
AM-NODE | | USER_UNCATEGORIZED |
AM-ACCESS-OUTCOME | | NETWORK_HTTP |
Default | src_ip not empty | STATUS_UPDATE |
Default | All other events | GENERIC_EVENT |
Log Sample¶
Jul 25 15:50:13 10.10.10.10 CEF: 0|ForgeRock|OpenAM|||AM-TREE-LOGIN-COMPLETED|Unknown| eventId=eventid externalId=externalid art=1658778613794 rt=1658778613794 outcome=SUCCESSFUL shost=shost.com src=10.10.10.10 sourceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 sntdom=/associates suser=user destinationServiceName=Authentication cs2={"info":{"treeName":"Kerberos","ipAddress":"10.10.10.10","authLevel":"0"}} cs5=0 cs6=transactionId\=#transactionid# userId\=#id\=user, result\=#SUCCESSFUL# principal\=#["pr_user"]# context\=## entries\=#[{"info":{"treeName":"Kerberos","ipAddress":"10.10.10.10","authLevel":"0"}}]# component\=#Authentication# realm\=#/associates# cs1Label=Context cs2Label=Entries cs3Label=Auth Control Flag cs5Label=Auth Level flexString1Label=Node Outcome ahost=ahostname agt=10.10.10.10 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 amac=macAddress av=7.15.0.8295.0 atz=CST6CDT at=syslog ad.trackingIds=["trackingIds"] ad.TreeName=Kerberos ad.externalId=ad.externalid_value aid=aid_value
Sample Parsing¶
intermediary.ip = "10.10.10.10"
metadata.product_event_type = "AM-TREE-LOGIN-COMPLETED"
metadata.description = "Tree login completed"
metadata.event_timestamp = "1658764213"
metadata.vendor_name = "ForgeRock"
metadata.product_name = "OpenAM"
metadata.event_type = "USER_LOGIN"
metadata.product_log_id = "trackingIds"
principal.hostname = "shost.com"
target.user.userid = "user"
security_result.action = "ALLOW"
security_result.action_details = "#SUCCESSFUL#"
extensions.auth.type = "SSO"
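The mapping documented above, worked through as an added example that is not the production parser's own code: a small Python re-implementation that splits the syslog-wrapped CEF Log Sample into header and extension fields, applies the Product Event Types table (including the two Default rows) and fills the UDM fields shown in Sample Parsing. Everything not on this page is an assumption and is marked as such in the code: am_user is taken from the `userId=#id=...#` token inside cs6 (falling back to suser), the `src_ip` of the Default rows is taken to be the CEF `src` key, the outcome values SUCCESSFUL/FAILED are mapped to ALLOW/BLOCK, and descriptions for events other than AM-TREE-LOGIN-COMPLETED fall back to the event name. The syslog header is read as UTC in 2022, which reproduces the page's event_timestamp of 1658764213; note that this is the header time, not the CEF rt value of 1658778613794 ms (four hours later), so the relay's clock and time zone settings decide the UDM timestamp, not the OpenAM server's. The two extra input lines are constructed to exercise the Default rows.

```python
"""Added example: OpenAM CEF-over-syslog -> UDM mapping as described on this page."""
import json
import re
from datetime import datetime, timezone

# Product Event Types table: product event -> UDM event type.
EVENT_TYPES = {
    "AM-LOGIN": "USER_LOGIN",
    "AM-SESSION-CREATED": "USER_LOGIN",
    "AM-TREE-LOGIN-COMPLETED": "USER_LOGIN",
    "AM-NODE-LOGIN-COMPLETED": "USER_LOGIN",
    "AM_LOGOUT": "USER_LOGOUT",
    "AM-SESSION-DESTROYED": "USER_LOGOUT",
    "AM-SESSION-IDLE_TIMED_OUT": "USER_LOGOUT",
    "AM-SESSION-LOGGED_OUT": "USER_LOGOUT",
    "AM-NODE": "USER_UNCATEGORIZED",
    "AM-ACCESS-OUTCOME": "NETWORK_HTTP",
}
DESCRIPTIONS = {"AM-TREE-LOGIN-COMPLETED": "Tree login completed"}  # only one shown on the page
ACTIONS = {"SUCCESSFUL": "ALLOW", "FAILED": "BLOCK"}  # assumption: outcome -> security_result.action

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<relay>\S+)\s+CEF:\s*(?P<cef>.*)$")
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")  # extension key: preceded by whitespace, unescaped '='
HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")


def unescape(value):
    """Undo CEF backslash escaping (\\= \\| \\\\)."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_cef(line):
    """Return (syslog_ts, relay_ip, header_dict, extension_dict) for one line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    parts = re.split(r"(?<!\\)\|", m.group("cef"), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    header = dict(zip(HEADER, (unescape(p) for p in parts[:7])))
    text = parts[7].strip()
    keys = list(KEY_RE.finditer(text))
    ext = {}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        # A value runs up to the next unescaped key, so spaces in zone URIs and JSON survive;
        # the escaped 'transactionId\=' style keys inside cs6 are not treated as keys.
        ext[k.group(1)] = unescape(text[k.end():end].strip())
    return m.group("ts"), m.group("relay"), header, ext


def syslog_epoch(ts, year):
    """BSD syslog headers carry no year and no zone: read as UTC in the given year (assumption)."""
    dt = datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def to_udm(line, year=2022):
    """Map one OpenAM CEF line to the flat UDM field names used on this page."""
    ts, relay, header, ext = parse_cef(line)
    name = header["name"]
    try:
        data = json.loads(ext.get("cs2", ""))  # cs2 = {"info":{"treeName","ipAddress","authLevel"}}
    except ValueError:
        data = {}
    info = data.get("info", {}) if isinstance(data, dict) else {}
    cs6 = ext.get("cs6", "")
    user = re.search(r"userId=#id=([^,#]+)", cs6)  # assumption: am_user comes from cs6's userId token
    result = re.search(r"result=(#[^#]*#)", cs6)   # kept with '#' delimiters, as in Sample Parsing
    src_ip = ext.get("src") or info.get("ipAddress", "")  # assumption: table's src_ip == CEF src
    udm = {
        "metadata.event_type": EVENT_TYPES.get(name) or ("STATUS_UPDATE" if src_ip else "GENERIC_EVENT"),
        "metadata.product_event_type": name,
        "metadata.description": DESCRIPTIONS.get(name, name),
        "metadata.event_timestamp": syslog_epoch(ts, year),
        "metadata.vendor_name": "ForgeRock",
        "metadata.product_name": "OpenAM",
        "intermediary.ip": relay,
        "principal.ip": src_ip,
        "principal.hostname": ext.get("shost", ""),
        "principal.resource.name": info.get("treeName", ""),
        "principal.resource.resource_subtype": info.get("authLevel", ""),
        "target.user.userid": user.group(1) if user else ext.get("suser", ""),
        "security_result.action": ACTIONS.get(ext.get("outcome", ""), "UNKNOWN_ACTION"),
        "security_result.action_details": result.group(1) if result else "",
        "extensions.auth.type": "SSO",
    }
    if ext.get("ad.trackingIds"):
        try:
            ids = json.loads(ext["ad.trackingIds"])
            udm["metadata.product_log_id"] = ",".join(map(str, ids)) if isinstance(ids, list) else str(ids)
        except ValueError:
            udm["metadata.product_log_id"] = ext["ad.trackingIds"]
    return {k: v for k, v in udm.items() if v != ""}


# Constructed inputs: the page's Log Sample, plus a made-up event name to exercise the Default rows.
SAMPLE = r'Jul 25 15:50:13 10.10.10.10 CEF: 0|ForgeRock|OpenAM|||AM-TREE-LOGIN-COMPLETED|Unknown| eventId=eventid externalId=externalid art=1658778613794 rt=1658778613794 outcome=SUCCESSFUL shost=shost.com src=10.10.10.10 sourceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 sntdom=/associates suser=user destinationServiceName=Authentication cs2={"info":{"treeName":"Kerberos","ipAddress":"10.10.10.10","authLevel":"0"}} cs5=0 cs6=transactionId\=#transactionid# userId\=#id\=user, result\=#SUCCESSFUL# principal\=#["pr_user"]# context\=## entries\=#[{"info":{"treeName":"Kerberos","ipAddress":"10.10.10.10","authLevel":"0"}}]# component\=#Authentication# realm\=#/associates# cs1Label=Context cs2Label=Entries cs3Label=Auth Control Flag cs5Label=Auth Level flexString1Label=Node Outcome ahost=ahostname agt=10.10.10.10 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 amac=macAddress av=7.15.0.8295.0 atz=CST6CDT at=syslog ad.trackingIds=["trackingIds"] ad.TreeName=Kerberos ad.externalId=ad.externalid_value aid=aid_value'
UNKNOWN_WITH_SRC = r'Jul 25 15:50:13 10.10.10.10 CEF: 0|ForgeRock|OpenAM|||AM-EXAMPLE-EVENT|Unknown| src=10.10.10.10 suser=user'
UNKNOWN_NO_SRC = r'Jul 25 15:50:13 10.10.10.10 CEF: 0|ForgeRock|OpenAM|||AM-EXAMPLE-EVENT|Unknown| suser=user'

if __name__ == "__main__":
    for field, value in to_udm(SAMPLE).items():
        print(f"{field} = {value!r}")
```

Running the module prints the same field/value pairs as the Sample Parsing section. The extension parser deliberately locates keys by "whitespace, then word, then an unescaped `=`" rather than splitting on spaces, because ArcSight zone URIs and the JSON in cs2/cs6 contain spaces and `=` characters that a naive split would shred.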
Parser Alerting¶
This product currently does not have any parser-based alerting.
Rules¶
Coming Soon